Looking for a listing of search fields? Click here
Search by Field | String matching | Exact matching | Full Text Search | Is Null Queries | Range searches | Date searches | Match multiple values | Suffix Matching | Prefix Matching | Boolean operators | Nested Queries
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Examples:
asset.netbiosName: WIN7PATCH69-85
asset.lastLoggedOnUser: .\Administrator
asset.hostID: 43954857
Use single quotes or double quotes around your query to match a string.
Examples:
operatingSystem: "Windows 7 SP2 Enterprise"
services.description: "Certificate Propagation"
Example using wildcard: If you want to search for exact count you should use asterisk (*). For example to find assets with name starting with WINDOWS2008 use this query:
asset.name: WINDOWS2008*
Note: The string matching works as expected for prefix search. In some cases, for intermediate sub-string searches, the string matching might not provide the correct result. This issue is due to the elastic search limitation.
Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.
Examples:
operatingSystem: `Windows 7 Ultimate Service Pack 1`
hardware: `Dell Latitude e7470`
Many asset fields containing text allow you to use full text search and advanced search capabilities.
Examples:
Show any findings with this OS name
operatingSystem: Windows
Show any findings that contain components of OS name
operatingSystem: "Windows 2008 r2 service pack 2"
Show any findings that match exact value "Windows 2002"
operatingSystem: `Windows 2002`
Note: You can add multiple values in []. However, it's important to understand that partial values are not supported. You must enter the exact match value.
- Example with correct syntax - interfaces:(hostname: [win7-181, bridge.vuln.qa.qualys.com])
- Example with incorrect syntax - interfaces:(hostname: [win7, bridge.vuln.qa])
Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem is null
interfaces.macAddress is null
asset.biosDescription is null
Ranges can be specified with the [lower .. upper]
syntax using () and/or [] as follows. This is supported for numeric and date fields.
Example:
inventory.created: [2018-08-01 .. 2018-09-01] // Between August 1st and September 1st 2018
Range options:
inventory.created:(date1 .. date2)
// Greater than but not equal to date1 and less than but not equal to date2
inventory.created:(date1 .. date2]
// Greater than but not equal to date1 and less than or equal to date2
inventory.created:[date1.. date2)
// Greater than or equal to date1 and less than but not equal to date2
inventory.created:[date1 .. date2]
// Greater than but or equal to date1 and less than or equal to date2
inventory.created > date1
// Greater than date1
inventory.created >= date1
// Greater than or equal to date1
inventory.created < date1
// Less than date1
inventory.created <= date1
// Less than or equal to date1
In the case of range searches, the QQL search tokens support the following time units for use in time-based queries.
- s: seconds
- m: minutes
- h: hours
- d: days
- w: weeks
- M: months
- y: years
Note that the QQL search tokens are case-sensitive. Consider one of the scenarios where Capital S is not supported.
Example 1: Some of the QQL tokens used in other applications, such as Vulnerability Management, Detection and Response (VMDR) are also supported in CSAM.
- Correct QQL token syntax: vulnerabilites.lastFound:[now-2M ... now-1s]
- Incorrect QQL token syntax: vulnerabilites.lastFound:[now-2M ... now-1S]
Example 2: Some of the QQL tokens used in GAV might be supported in other applications as well.
- Correct QQL token syntax: asset.lastUpdated:[now-2w ... now-1s]
- Incorrect QQL token syntax: asset.lastUpdated:[now-2w ... now-1S]
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
Examples:
openPorts.lastFound: "2018-10-20"
openPorts.lastFound <= "2018-11-20"
openPorts.lastFound: ["2018-10-20" .. "2018-10-24"]
openPorts.lastFound: [now-3d .. now-1s]
Use to match values "In" or "Not In" fields. Available for all fields except analyzed fields (i.e. full text search fields).
Examples:
Find assets with at least one of these three scanner appliance locations:
inventory.scannerLocation: [SanJose1, SanJose2, SanJose3]
Find assets not last booted on date: 2018-08-31 or 2018-09-12
NOT asset.lastBoot: ["2018-08-31","2018-09-12"]
Supported date formats:
YYYY example: asset.lastBoot:["2017","2018"]
// in 2017 or 2018
YYYY-MM example: asset.lastBoot:["2018-08","2018-09"]
// in month of Aug or Sept
YYYY-MM-DD example: asset.lastBoot:["2018-10-30","2018-11-05"]
// on one of exact dates
Note: You can add multiple values in []. However, it's important to understand that partial values are not supported. You must enter the exact match value.
- Example with correct syntax - interfaces:(hostname: [win7-181, bridge.vuln.qa.qualys.com])
- Example with incorrect syntax - interfaces:(hostname: [win7, bridge.vuln.qa])
Suffix matching is supported for some search tokens in QQL. Especially when you search for assets based on asset names, tag names, NetBIOS names, you can go for suffix matching for quicker results. All you need to do is, type the wildcard character '*' followed by the string you are looking for. The search returns name values ending with the string that you specify after '*'. Matches are not case-sensitive.
Examples:
To find asset names ending with 110, form the following query:
name: *110
The query returns asset names such as bw2012-35-110 or vsweblogic12110 or stvsp2-32-110 and so on.
To find assets based on tag names ending with 'region east,' form the following query:
tags.name:*Region East
The query returns assets having tag names ending with Region East, region east, or Region EAST.
Suffix and domain matching is supported for the token interfaces.hostname but the syntax is different.
interfaces.hostname:qualys.com
interfaces.hostname:sjc01.qualys.com
interfaces.hostname:eng.sjc01.qualys.com
interfaces.hostname:*lys.com
Prefix matching is supported for some search tokens in QQL. Especially when you search for assets based on asset names, tag names, NetBIOS names, you can go for prefix matching for quicker results. All you need to do is, type the string you are looking for followed by the wildcard character '*'. The search returns name values beginning with the string that you specify before '*'. Matches are case-sensitive.
Example: This query matches assets with an asset name starting with "xp" like xpsp2-jp-26-111.
name:xp*
Example: This query matches assets with tag names starting with "Win" like Windows XP, Windows 2012, Windows Hosts.
tags.name:Win*
Example: This query matches assets with a hostname starting with "com-pa30" like com-pa3020-36.eng.sjc01.qualys.com.
interfaces.hostname:com-pa30*
Example: This query matches assets with an operating system starting with "Lin" like Linux 2.4-2.6.
operatingSystem:Lin*
Use keywords AND, OR, NOT to narrow or broaden your search. Click the link below for info on max query depth, using NOT with vulnerability queries.
Examples:
Show findings that have one of these operating systems:
operatingSystem: `Windows 2002` OR operatingSystem: `Windows 7 Ultimate Service Pack 1`
Show assets not created on or before date:
AND NOT inventory.created <= "2018-11-05"
Use a single nested query, using parentheses, to include multiple fields in your query. This is supported only for certain tokens like "asset", "hardware", "interfaces", etc.
Example:
Find assets last booted on certain date and have 2 CPUs:
asset: (lastBoot: '2018-10-10' AND cpuCount: 2)
Learn more about the behavior in the case of the QQL that is run from the Inventory > Software tab.
While using the nested QQL queries using the 'not' operator and using multiple values in [], the placement of 'not' is very important.
Correct QQL example: software:(not authorization:[`Unauthorized`,`Authorized`,`Needs Review`])
Result: You get the software that does not match the above authorization criteria.
Whereas, refer to the following query, which is used to filter out assets that do not match authorization. Although this query is correct, it behaves differently on the software inventory screen.
not software:(authorization:[`Unauthorized`,`Authorized`,`Needs Review`])