
How to Search in FIM

Search by Field | String matching | Exact matching | Full Text Search | Suffix matching | Is Null Queries | Range searches | Date searches | Multiple values (In, Not In) | Boolean operators | Nested Queries | Suffix matching for Events tab | Prefix matching for Events tab

Search by Field

Enter the field name, then a colon, then your query. Nested fields are dot separated.

Examples:

openPorts.port: 80
accounts.username: administrator
operatingSystem: win*

String matching

Use single quotes or double quotes around your query to match a string. Your results will include any asset that contains the string.

Examples:

tags.name: "Cloud Agent"
operatingSystem: 'Microsoft Windows'
vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"

Exact matching

Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.

Examples:

operatingSystem: `Windows 7 Ultimate Service Pack 1`
interfaces.hostname: `xpsp2-jp-26-111`

Full Text Search

Many asset fields containing text allow you to use full text search and advanced search capabilities.


Examples:

Show any findings related to this title

vulnerabilities.vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerabilities.vulnerability.title: "Remote Code"

Show any findings that match exact value "Remote Code"

vulnerabilities.vulnerability.title: `Remote Code`

Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.

vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable: "true")

Suffix matching

Suffix matching is supported when searching assets (on your Assets list) for the fields "name", "tags.name" and "netbiosName". To match asset values "ending in" a string you specify, use a string that starts with *. Matches are case insensitive.

Example: This query matches assets with an asset name ending in "53" like QK2K12QP3-65-53.

name:*53

Example: This query matches assets with tag names ending in "region east" like Region East, region east, Region EAST.

tags.name:*Region East

Suffix matching is also supported for the field "interfaces.hostname" but the syntax is different.

Example: These queries match assets with the hostname "T100.qualys.corp.com".

interfaces.hostname:com
interfaces.hostname:corp.com
interfaces.hostname:qualys.corp.com

Is Null Queries

Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.

Examples:

operatingSystem is null
interfaces.macAddress is null
aws.ec2.accountId is null

Range searches

Ranges are specified with the [lower .. upper] syntax; square brackets [] include the bound and parentheses () exclude it, as shown below. This is supported for numeric and date fields.

Examples:

Greater than or equal to 123 and less than or equal to 1234 - uses square brackets

elb.listener.loadBalancerPort:[123 .. 1234]

Greater than but not equal to 123 and less than but not equal to 1234 - uses parentheses

elb.listener.loadBalancerPort:(123 .. 1234)

Greater than or equal to 123 and less than but not equal to 1234

elb.listener.loadBalancerPort:[123 .. 1234)

Greater than but not equal to 123 and less than or equal to 1234

elb.listener.loadBalancerPort:(123 .. 1234]

Greater than 123

elb.listener.loadBalancerPort > 123

Greater than or equal to 123

elb.listener.loadBalancerPort >= 123

Less than 1234

elb.listener.loadBalancerPort < 1234

Less than or equal to 1234

elb.listener.loadBalancerPort <= 1234

Between January 1st and April 1st 2018

updated: [2018-01-01 .. 2018-04-01]
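The four bracket forms above differ only in whether each bound is included. The following Python helper, added here as an illustration and not part of the Qualys documentation or product, parses a range literal in this syntax and evaluates it against constructed sample port numbers and dates, so the inclusive/exclusive behaviour of each form can be checked side by side. It handles integer and ISO date bounds only; relative date variables such as now-3d are not modelled.

```python
import re
from datetime import date

# Constructed sample of listener port values (not data from a Qualys account)
SAMPLE_PORTS = [80, 123, 443, 1000, 1234, 8080]

# [ or ( opens the range, ] or ) closes it, bounds separated by ".."
RANGE_RE = re.compile(r"^\s*([\[(])\s*(\S+)\s*\.\.\s*(\S+)\s*([\])])\s*$")


def parse_range(text):
    """Parse a range literal such as '[123 .. 1234)'.

    Returns (lower, upper, lower_inclusive, upper_inclusive) with the bounds
    still as strings. '[' / ']' include the bound, '(' / ')' exclude it.
    """
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError(f"not a range literal: {text!r}")
    open_br, lo, hi, close_br = m.groups()
    return lo, hi, open_br == "[", close_br == "]"


def _coerce(bound):
    """Turn a textual bound into an int or a date (quotes are tolerated)."""
    bound = bound.strip('"')
    try:
        return int(bound)
    except ValueError:
        return date.fromisoformat(bound)


def in_range(value, range_text):
    """True if value falls inside the range, honouring bracket inclusivity."""
    lo, hi, lo_inc, hi_inc = parse_range(range_text)
    lo, hi = _coerce(lo), _coerce(hi)
    above = value >= lo if lo_inc else value > lo
    below = value <= hi if hi_inc else value < hi
    return above and below


def select_ports(range_text, ports=SAMPLE_PORTS):
    """Return the sample ports matched by a range literal, in original order."""
    return [p for p in ports if in_range(p, range_text)]


if __name__ == "__main__":
    for literal in ("[123 .. 1234]", "(123 .. 1234)", "[123 .. 1234)", "(123 .. 1234]"):
        print(f"{literal:15} -> {select_ports(literal)}")
    print(in_range(date(2018, 4, 1), "[2018-01-01 .. 2018-04-01]"))
```

Running the block prints, for each of the four literals, exactly the sample ports that the corresponding bracket form would admit; the date call at the end shows that the closing bracket in the "Between January 1st and April 1st 2018" example includes April 1st itself.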

Date searches

Use a date range [start date .. end date] or a specific date. Several date variables are also available.


Examples:

updated: "2017-11-20"
updated <= "2017-11-20"
updated: ["2017-11-20" .. "2017-11-24"]
updated: [now-3d .. now-1s]

Multiple values (In, Not In)

Use a bracketed list of values to match any value that is "In" a field, or combine it with NOT to match values that are "Not In" the field. Available for all fields except analyzed fields (i.e. full text search fields).

Examples:

Find assets with at least one of these three CVE IDs:

vulnerabilities.vulnerability.cveIds:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]

Find assets with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12

NOT vulnerabilities.firstFound: ["2016-08-31","2016-09-12"]

In 2016 or 2015

vulnerabilities.firstFound:["2016","2015"]

In month of Aug or Sept

vulnerabilities.firstFound:["2016-08","2015-07"]

On one of these exact dates:

vulnerabilities.firstFound:["2016-08-31","2016-08-30"]

Analyzed fields (i.e. full text search fields) are not supported, for example:

vulnerabilities.vulnerability.description
vulnerabilities.vulnerability.solution
vulnerabilities.vulnerability.consequence

Boolean Operators

Use keywords AND, OR, NOT to narrow or broaden your search.

Examples:

operatingSystem: windows OR operatingSystem: linux
(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080)
NOT operatingSystem: windows

Nested Queries

Use a single nested query, using parentheses, to include multiple fields in your query, as in the examples below.


Examples:

Find vulnerabilities that are patchable and are confirmed

vulnerabilities: (vulnerability.patchAvailable: "true" AND typeDetected: "Confirmed")

Find vulnerabilities that are patchable, have Easy Exploit RTI, and first found in the last 5 days:

vulnerabilities: (vulnerability.patchAvailable: "true" AND vulnerability.threatIntel.easyExploit: true AND firstFound > now-5d)

Find assets on port 80 and TCP

openPorts: (port: 80 AND protocol: TCP)

Find assets that have Windows Time service that is running

service: (name: Windows Time AND status: running)

Suffix matching for Events tab

Suffix matching is supported when searching events for the fields asset.name, asset.netbiosName, asset.operatingSystem, actor.userID, actor.process, profile.name, profile.rule.name, registryKey.name and file.name. To match event values "ending in" a string you specify, use a string that starts with *.

Note: Matches are case insensitive.

Example: This query matches events with an asset name ending in "122", example - WIN10-122.

asset.name:*122

Example: This query matches events with file name ending in exe, example - Explorer.exe.

file.name:*.exe

Suffix based searches are applicable only for Events tab in FIM.

Prefix matching for Events tab

Prefix matching is supported when searching events using certain text fields such as asset.name, asset.netbiosName, asset.operatingSystem, actor.userID, actor.process, profile.name, profile.rule.name, registryKey.name and file.name. To match event values "starting with" a string you specify, use a string that ends with *.

Note: Matches are case sensitive.

Example: This query matches events with an asset name starting with "xp", example - xpsp2-jp-26-111.

asset.name:xp*

Example: This query matches events with file name starting with "Expl" example - Explorer.exe.

file.name:Expl*

Example: This query matches events with assets having operating system starting with "Lin", example - Linux 2.4-2.6.

asset.operatingSystem:Lin*

Note: Wildcards can only be used for prefix and suffix matching (as described above). Substring wildcards are not supported, that is, you cannot search for a string in the middle of another string.

Prefix based searches are applicable only for Events tab in FIM.
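The suffix and prefix rules for the Events tab above differ in two ways that are easy to overlook: suffix matches ignore case while prefix matches do not, and a wildcard in the middle of a string is rejected rather than treated as a substring search. The following Python model, added here as an illustration and not code from Qualys or the FIM product, classifies a pattern as prefix or suffix, applies the stated case rules, and runs it over constructed sample events. The event records and the behaviour of a pattern with no wildcard at all (treated as plain equality here) are assumptions for the sake of the example.

```python
# Constructed sample events keyed by the field names used on this page
SAMPLE_EVENTS = [
    {"asset.name": "WIN10-122", "file.name": "Explorer.exe",
     "asset.operatingSystem": "Microsoft Windows 10"},
    {"asset.name": "xpsp2-jp-26-111", "file.name": "notepad.EXE",
     "asset.operatingSystem": "Microsoft Windows XP"},
    {"asset.name": "web-01", "file.name": "httpd.conf",
     "asset.operatingSystem": "Linux 2.4-2.6"},
]

# Fields the page lists as supporting prefix/suffix wildcards on the Events tab
WILDCARD_FIELDS = {
    "asset.name", "asset.netbiosName", "asset.operatingSystem", "actor.userID",
    "actor.process", "profile.name", "profile.rule.name", "registryKey.name",
    "file.name",
}


def classify_pattern(pattern):
    """Return ('suffix', text), ('prefix', text) or ('exact', text).

    A single leading * is a suffix match, a single trailing * is a prefix
    match. Any other placement (or more than one *) is rejected because
    substring wildcards are not supported.
    """
    stars = pattern.count("*")
    if stars == 0:
        return "exact", pattern           # assumption: no wildcard means equality
    if stars > 1:
        raise ValueError(f"only one wildcard is allowed: {pattern!r}")
    if pattern.startswith("*"):
        return "suffix", pattern[1:]
    if pattern.endswith("*"):
        return "prefix", pattern[:-1]
    raise ValueError(f"substring wildcards are not supported: {pattern!r}")


def matches(value, pattern):
    """Apply the page's case rules: suffix is case insensitive, prefix is not."""
    kind, text = classify_pattern(pattern)
    if kind == "suffix":
        return value.lower().endswith(text.lower())
    if kind == "prefix":
        return value.startswith(text)
    return value == text


def search_events(field, pattern, events=SAMPLE_EVENTS):
    """Return asset.name of every sample event whose field matches the pattern."""
    if "*" in pattern and field not in WILDCARD_FIELDS:
        raise ValueError(f"wildcards are not supported on field {field!r}")
    return [e["asset.name"] for e in events
            if field in e and matches(e[field], pattern)]


if __name__ == "__main__":
    print(search_events("file.name", "*.exe"))         # both .exe and .EXE
    print(search_events("asset.name", "xp*"))          # xpsp2-jp-26-111 only
    print(search_events("asset.name", "XP*"))          # nothing: prefix is case sensitive
    print(search_events("asset.operatingSystem", "Lin*"))
```

Note that file.name:*.exe picks up notepad.EXE because suffix matching ignores case, whereas asset.name:XP* returns nothing because prefix matching does not; a pattern such as win*10 raises immediately, mirroring the page's statement that strings cannot be searched for in the middle of another string.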

Search by Path

Path values in QQL tokens such as file.fullPath, actor.imagePath and registryKey.path must not end with a '\'.

Example: file.fullPath:'F:\INTERNAL\Incoming'