Old and New Search Token Mappings

The token standardization for the Qualys Query Language (QQL) search tokens follows a standard naming convention.

The new token format follows the syntax: entity.attribute
For example, in the new token, event.action, event is the entity, and action is the attribute.

The tokens, such as events, incidents, assets, configuration, correlation, and activity, along with tokens common to all Qualys applications, adhere to a standardized naming convention.

  • Only new tokens are displayed in the auto-suggestion in the search bars within the UI. However, if you type the old token name manually, the QQL query still works. Old token name visibility from the UI is removed.
  • The existing Dashboard widgets and Saved Search Queries will continue to support the old tokens. You can edit search queries and widgets to update the new tokens.

The following is the old and new tokens mapping list: 

Event TokensEvent Tokens

Old Token Name New Token Name
action event.action
actor.imagePath actor.imagePath
actor.process actor.process
actor.userID actor.userId
actor.userName actor.username
actor.user.impersonated actor.user.impersonated
asset.agentId agent.id
asset.agentVersion agent.version
asset.assetType asset.type
asset.created asset.created
actor.auditUserID actor.auditUserId
actor.auditUserName actor.auditUsername
actor.actualUserId actor.actualUserId
actor.actualUserName actor.actualUsername
actor.effectiveUserID actor.effectiveUserId
actor.effectiveUserName actor.effectiveUsername
asset.lastCheckedIn asset.lastCheckedIn
asset.name asset.name
asset.netbiosName asset.netbiosName
asset.system.lastBoot asset.system.lastBoot
asset.tagNames asset.tag.name
asset.tags.name asset.tag.name
asset.updated asset.updated
asset.interfaces.address asset.interfaces.address
asset.interfaces.hostname asset.interfaces.hostname
asset.interfaces.interfaceName asset.interfaces.interfaceName
asset.interfaces.macAddress asset.interfaces.macAddress
asset.lastLoggedOnUser asset.lastLoggedOnUser
asset.operatingSystem asset.operatingSystem
baseline file.baseline
class event.class
commandExecuted event.commandExecuted
container.imageName container.image.name
container.nodeName container.nodeName
container.sha container.image.sha
eventSource event.source
file.attribute.archive file.attribute.archive
file.attribute.compressed file.attribute.compressed
file.attribute.encrypted file.attribute.encrypted
file.attribute.hidden file.attribute.hidden
file.attribute.notContentIndexed file.attribute.notContentIndexed
file.attribute.readonly file.attribute.readonly
file.fullPath file.fullPath
file.hash file.hash
file.name file.name
id event.id
platform agent.platform
profile.category profile.category
profile.name profile.name
profile.rule.description profile.rule.description
profile.rule.id profile.rule.id
profile.rule.name profile.rule.name
profile.rule.type profile.rule.type
registryKey.name registryKey.name
registryKey.path registryKey.path
reputationStatus file.reputationStatus
severity event.severity
successStatus event.successStatus
profile.rule.type profile.rule.type
type event.type
trustStatus file.trustStatus
qid finding.qid
event.hostType
 event.hostType
script.name
 script.name
asset.tags asset.tag.id

Asset TokensAsset Tokens

Old Token Name New Token Name
activated asset.activated
activationDate asset.activationDate
agentService.httpStatus agent.httpStatus
agentService.osStatus agent.osStatus
agentService.status agent.status
agentService.statusCode agent.statusCode
agentService.updatedDate agent.updatedDate
agentUuid agent.uuid
agentVersion agent.version
assetId asset.id
assetType asset.type
created asset.created
netbiosName asset.netbiosName
ec2.region aws.ec2.region.name
ec2.instanceId aws.ec2.instanceId
ec2.hostname aws.ec2.hostname
ec2.availabilityZone aws.ec2.availabilityZone
interfaces.macAddress asset.interfaces.macAddress
interfaces.address asset.interfaces.address
interfaces.hostname asset.interfaces.hostname
interfaces.interfaceName asset.interfaces.interfaceName
lastLoggedOnUser asset.lastLoggedOnUser
lastCheckedIn agent.lastCheckedIn
operatingSystem operatingSystem.name
manifest.status manifest.status
manifest.id manifest.id
manifest.updatedDate manifest.updatedDate
name asset.name
system.boot system.boot
scanBasedAsset scanBasedAsset
tags.name asset.tags.name

Incident TokensIncident Tokens

Old Token Name New Token Name
approvalStatus incident.approvalStatus
changeType incident.changeType
dispositionCategory incident.dispositionCategory
id incident.id
markupStatus incident.markupStatus
name incident.name
ruleId rule.id
reviewers incident.reviewers
reviewedBy.user.name incident.reviewedBy.name
ruleName rule.name
slaDurationKey incident.slaDurationKey
slaDurationValue incident.slaDurationValue
slaRequired incident.slaRequired
status incident.status
type incident.type

Correlation Rule TokensCorrelation Rule Tokens

Old Token Name New Token Name
approvalStatus rule.approvalStatus
changeType rule.changeType
dispositionCategory rule.dispositionCategory
id rule.id
createdBy.user.id rule.createdBy.id
reviewers rule.reviewers
ruleName rule.name
slaDuationKey rule.slaDurationKey
slaDurationValue rule.slaDurationValue
slaRequired rule.slaRequired
status rule.status
approvalType rule.approvalType
createdBy.user.name rule.createdBy.name
scheduleType rule.scheduleType
updatedBy.user.id rule.updatedBy.id
updatedBy.user.name rule.updatedBy.name

Configuration TokensConfiguration Tokens

Old Token Name New Token Name
profile.name profile.name
createdBy profile.createdBy.name
registryRulesImported profile.registryRulesImported
platform profile.platform

Activity Log TokensActivity Log Tokens

Old Token Name New Token Name
action action.type
targetType activity.targetType
targetName activity.targetName

 

© 2025 Qualys, Inc. All rights reserved. Privacy Policy. Last updated: August, 2025