How to Search in FIM
Search by Field | String matching | Exact matching | Full Text Search | Suffix matching | Is Null Queries | Range searches | Date searches | Multiple values (In, Not In) | Boolean operators | Nested Queries | Suffix matching for Events tab | Prefix matching for Events tab
Search by Field
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Examples:
openPorts.port: 80
accounts.username: administrator
operatingSystem: win*
String matching
Use single quotes or double quotes around your query to match a string. Your results include any asset that contains the string.
Examples:
tags.name: "Cloud Agent"
operatingSystem: 'Microsoft Windows'
vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"
Exact matching
Use backticks to match a string exactly. Your results include only assets whose field value is EXACTLY the value you specify.
Examples:
operatingSystem: `Windows 7 Ultimate Service Pack 1`
interfaces.hostname: `xpsp2-jp-26-111`
Full Text Search
Many asset fields containing text allow you to use full text search and advanced search capabilities.
Examples:
Show any findings related to this title
vulnerabilities.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title: `Remote Code`
Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.
vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable: "true")
Suffix matching
Suffix matching is supported when searching assets (on your Assets list) for the fields "name", "tags.name" and "netbiosName". Match asset values "ending in" a string you specify - using a string that starts with *. Matches are case insensitive.
Example: This query matches assets with an asset name ending in "53" like QK2K12QP3-65-53.
name:*53
Example: This query matches assets with tag names ending in "region east" like Region East, region east, Region EAST.
tags.name:*Region East
Suffix matching is also supported for the field "interfaces.hostname" but the syntax is different.
Example: These queries match assets with the hostname "T100.qualys.corp.com".
interfaces.hostname:com
interfaces.hostname:corp.com
interfaces.hostname:qualys.corp.com
Is Null Queries
Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem is null
interfaces.macAddress is null
aws.ec2.accountId is null
Range searches
Ranges can be specified with the [lower .. upper] syntax, using () and/or [] as follows. This is supported for numeric and date fields.
Examples:
Greater than or equal to 123 and less than or equal to 1234 - uses square brackets
elb.listener.loadBalancerPort:[123 .. 1234]
Greater than but not equal to 123 and less than but not equal to 1234 - uses parentheses
elb.listener.loadBalancerPort:(123 .. 1234)
Greater than or equal to 123 and less than but not equal to 1234
elb.listener.loadBalancerPort:[123 .. 1234)
Greater than but not equal to 123 and less than or equal to 1234
elb.listener.loadBalancerPort:(123 .. 1234]
Greater than 123
elb.listener.loadBalancerPort > 123
Greater than or equal to 123
elb.listener.loadBalancerPort >= 123
Less than 1234
elb.listener.loadBalancerPort < 1234
Less than or equal to 1234
elb.listener.loadBalancerPort <= 1234
Between January 1st and April 1st 2018
updated: [2018-01-01 .. 2018-04-01]
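The bracket forms above differ only in whether each bound is included. The following is an added example, not Qualys code or the FIM query engine: a small Python evaluator that parses the four documented bracket forms for numeric and YYYY-MM-DD bounds and applies them to constructed sample assets (the asset records, field names "port" and "updated", and the function names are assumptions made for this illustration).

```python
"""Emulation of the QQL range-bracket semantics documented above.

Added illustration, not Qualys code: parses '[a .. b]', '(a .. b)',
'[a .. b)' and '(a .. b]' and tests sample values against them.
"""
import re
from datetime import date

# open bracket, lower bound, '..', upper bound, close bracket
_RANGE_RE = re.compile(r"^\s*([\[(])\s*(.+?)\s*\.\.\s*(.+?)\s*([\])])\s*$")


def _coerce(token):
    """Numeric tokens become int, YYYY-MM-DD tokens become date; anything else is rejected."""
    token = token.strip("\"'")
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", token):
        return date.fromisoformat(token)
    raise ValueError(f"unsupported range bound: {token!r}")


def parse_range(expr):
    """Return (lower, lower_inclusive, upper, upper_inclusive) for a range expression."""
    m = _RANGE_RE.match(expr)
    if not m:
        raise ValueError(f"not a range expression: {expr!r}")
    open_br, lo, hi, close_br = m.groups()
    return _coerce(lo), open_br == "[", _coerce(hi), close_br == "]"


def in_range(value, expr):
    """True when value lies inside the range, honouring [ ] (inclusive) vs ( ) (exclusive)."""
    lo, lo_inc, hi, hi_inc = parse_range(expr)
    if isinstance(value, str):
        value = _coerce(value)
    above = value >= lo if lo_inc else value > lo
    below = value <= hi if hi_inc else value < hi
    return above and below


def filter_assets(assets, field, expr):
    """Names of the sample assets whose field value falls inside the range."""
    return [a["name"] for a in assets if in_range(a[field], expr)]


# Constructed sample data (assumed for this example, not from the page).
SAMPLE_ASSETS = [
    {"name": "lb-a", "port": 80,   "updated": "2017-12-15"},
    {"name": "lb-b", "port": 123,  "updated": "2018-01-01"},
    {"name": "lb-c", "port": 443,  "updated": "2018-02-10"},
    {"name": "lb-d", "port": 1234, "updated": "2018-04-01"},
    {"name": "lb-e", "port": 8080, "updated": "2018-05-20"},
]

if __name__ == "__main__":
    for expr in ("[123 .. 1234]", "(123 .. 1234)", "[123 .. 1234)", "(123 .. 1234]"):
        print(f"port:{expr:<14} -> {filter_assets(SAMPLE_ASSETS, 'port', expr)}")
    print("updated:[2018-01-01 .. 2018-04-01] ->",
          filter_assets(SAMPLE_ASSETS, "updated", "[2018-01-01 .. 2018-04-01]"))
```

Running it shows why the bracket choice matters when a boundary value is common (port 80, 443, or a scan date exactly on the boundary): only the fully inclusive form keeps both the 123 and 1234 assets, and the date range keeps assets updated on both endpoint days.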
Date searches
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
Examples:
updated: "2017-11-20"
updated <= "2017-11-20"
updated: ["2017-11-20" .. "2017-11-24"]
updated: [now-3d .. now-1s]
Multiple values (In, Not In)
Use this to match values that are "In" or "Not In" a field. Available for all fields except analyzed fields (i.e. full text search fields).
Examples:
Find assets with at least one of these three CVE IDs:
vulnerabilities.vulnerability.cveIds:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]
Find assets with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12
NOT vulnerabilities.firstFound: ["2016-08-31","2016-09-12"]
In 2016 or 2015
vulnerabilities.firstFound:["2016","2015"]
In the month of Aug or Sept
vulnerabilities.firstFound:["2016-08","2015-07"]
On one of these exact dates:
vulnerabilities.firstFound:["2016-08-31","2016-08-30"]
Analyzed fields (i.e. full text search fields) are not supported, for example:
vulnerabilities.vulnerability.description
vulnerabilities.vulnerability.solution
vulnerabilities.vulnerability.consequence
Boolean Operators
Use keywords AND, OR, NOT to narrow or broaden your search.
Examples:
operatingSystem: windows OR operatingSystem: linux
(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080)
NOT operatingSystem: windows
Nested Queries
Use a single nested query, using parentheses, to include multiple fields in your query, as in the examples below.
Examples:
Find vulnerabilities that are patchable and are confirmed
vulnerabilities: (vulnerability.patchAvailable: "true" AND typeDetected: "Confirmed")
Find vulnerabilities that are patchable, have Easy Exploit RTI, and first found in the last 5 days:
vulnerabilities: (vulnerability.patchAvailable: "true" AND vulnerability.threatIntel.easyExploit: true AND firstFound > now-5d)
Find assets on port 80 and TCP
openPorts: (port: 80 AND protocol: TCP)
Find assets that have Windows Time service that is running
service: (name: Windows Time AND status: running)
Suffix matching for Events tab
Suffix matching is supported for searching events for the fields: asset.name, asset.netbiosName, asset.operatingSystem, actor.userID, actor.process, profile.name, profile.rule.name, registryKey.name, file.name. You can match event fields "ending in" a string you specify - using a string that starts with *.
Note: Matches are case insensitive.
Example: This query matches events with an asset name ending in "122", example - WIN10-122.
asset.name:*122
Example: This query matches events with file name ending in exe, example - Explorer.exe.
file.name:*.exe
Suffix-based searches are applicable only to the Events tab in FIM.
Prefix matching for Events tab
Prefix matching is supported for searching events using certain text fields such as: asset.name, asset.netbiosName, asset.operatingSystem, actor.userID, actor.process, profile.name, profile.rule.name, registryKey.name, file.name. You can match event values "starting with" a string you specify - using a string that ends with *.
Note: Matches are case sensitive.
Example: This query matches events with an asset name starting with "xp", example - xpsp2-jp-26-111.
asset.name:xp*
Example: This query matches events with file name starting with "Expl" example - Explorer.exe.
file.name:Expl*
Example: This query matches events with assets having operating system starting with "Lin", example - Linux 2.4-2.6.
asset.operatingSystem:Lin*
Note: Wildcards can only be used for prefix and suffix matching (as described above). Substring wildcards are not supported, that is, you cannot search for a string in the middle of another string.
Prefix-based searches are applicable only to the Events tab in FIM.
Search by Path
Path tokens in QQL searches, such as file.fullPath, actor.imagePath, and registryKey.path, must not end with a '\'.
Example: file.fullPath:'F:\INTERNAL\Incoming'
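The Events-tab wildcard rules (suffix matching is case insensitive, prefix matching is case sensitive, and a wildcard in the middle of a string is not supported) and the path-token rule above are easy to get wrong when building queries by hand or from a script. The following is an added example, not Qualys code or the FIM query engine: a Python linter and matcher that assumes exactly the behaviour documented in those two sections and applies it to constructed event records. The event records, the record ids, and the function names are assumptions made for this illustration.

```python
"""Emulation of the Events-tab prefix/suffix rules and the path-token rule.

Added illustration, not Qualys code. Assumes, as the page documents:
  '*foo'  -> suffix match, case insensitive
  'foo*'  -> prefix match, case sensitive
  'f*o'   -> rejected (substring wildcards are not supported)
  path tokens (file.fullPath, ...) must not end with a backslash
"""
import re

PATH_FIELDS = {"file.fullPath", "actor.imagePath", "registryKey.path"}

# field name, colon, value (quotes kept here and stripped below)
_TERM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.+?)\s*$")


def parse_term(term):
    """Split 'field:value' into (field, value) with surrounding quotes removed."""
    m = _TERM_RE.match(term)
    if not m:
        raise ValueError(f"not a field:value term: {term!r}")
    field, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return field, value


def lint_term(term):
    """Problems the documented rules would flag for this term (empty list = OK)."""
    field, value = parse_term(term)
    problems = []
    stars = value.count("*")
    if stars > 1:
        problems.append("only one wildcard is allowed (prefix or suffix)")
    elif stars == 1 and not (value.startswith("*") or value.endswith("*")):
        problems.append("substring wildcards are not supported")
    if field in PATH_FIELDS and value.endswith("\\"):
        problems.append("path token must not end with '\\'")
    return problems


def term_matches(term, record):
    """Apply one prefix, suffix or exact term to a constructed event record."""
    problems = lint_term(term)
    if problems:
        raise ValueError(f"invalid term {term!r}: {problems}")
    field, value = parse_term(term)
    actual = record.get(field, "")
    if value.startswith("*"):            # suffix match: case insensitive
        return actual.lower().endswith(value[1:].lower())
    if value.endswith("*"):              # prefix match: case sensitive
        return actual.startswith(value[:-1])
    return actual == value               # no wildcard: plain comparison


def search_events(term, events):
    """Ids of the sample events that match the term."""
    return [e["id"] for e in events if term_matches(term, e)]


# Constructed sample events (assumed for this example, not real FIM data).
SAMPLE_EVENTS = [
    {"id": 1, "asset.name": "WIN10-122",       "file.name": "Explorer.exe", "asset.operatingSystem": "Windows 10"},
    {"id": 2, "asset.name": "xpsp2-jp-26-111", "file.name": "EXPLORER.EXE", "asset.operatingSystem": "Windows XP"},
    {"id": 3, "asset.name": "web-122",         "file.name": "sshd",         "asset.operatingSystem": "Linux 2.4-2.6"},
    {"id": 4, "asset.name": "XPBUILD-7",       "file.name": "explorer.exe", "asset.operatingSystem": "linux 5.x"},
]

if __name__ == "__main__":
    for t in ("asset.name:*122", "file.name:*.exe", "file.name:Expl*",
              "asset.name:xp*", "asset.operatingSystem:Lin*"):
        print(f"{t:<28} -> {search_events(t, SAMPLE_EVENTS)}")
    for t in ("file.name:Ex*.exe", "file.fullPath:'F:\\INTERNAL\\Incoming\\'"):
        print(f"{t:<40} -> {lint_term(t)}")
```

Note the asymmetry the sample data exposes: file.name:*.exe finds all three Explorer variants regardless of case, while file.name:Expl* finds only the one spelled "Explorer.exe". A query generator that feeds user-supplied strings into a prefix term should normalise case deliberately rather than assume the engine will.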