Search Tokens for Azure Assets

Syntax help displayed in UI for tokens. Click each token to learn more about it.

Use these tokens when searching Microsoft Azure assets in the tag creation wizard (Dynamic tag > Cloud Asset Search rule).

Note:

- For all the date-related tokens, the date search is evaluated only for UTC format. The actual search results might show you the date as per your time zone.

- For the range searches, remember that the QQL search tokens are case-sensitive. Hence, make sure that you enter the correct token syntax. For more information, see Range Searches.

azure.tagsazure.tags

Use a text value ##### to find Azure instances with a certain tag name and value. Both are case insensitive.

Example

Find Azure instances with a tag with name "abc" and value "xyz"

azure.tags: (name:abc and value:xyz)

azure.tags.nameazure.tags.name

Use a text value ##### to find Azure instances with a certain tag name (case insensitive).

Examples

Find Azure instances with name "devops"

azure.tags.name: devops

Find Azure instances with name starting "dev"

azure.tags.name: dev*

Find Azure instances with name ending "ops"

azure.tags.name: *ops

azure.tags.valueazure.tags.value

Use a text value ##### to find Azure instances with a certain tag value (case insensitive).

Examples

Find Azure instances with tag value "dailybuild"

azure.tags.value: dailybuild

Find Azure instances with tag value starting "daily"

azure.tags.value: daily*

Find Azure instances with tag value ending "build"

azure.tags.value: *build

azure.vm.imageOfferazure.vm.imageOffer

Use a text value ##### to define the image offer name (i.e. UbuntuServer or WindowsServer) for images deployed from the Azure image gallery.

Examples

Find Azure instances related to name

azure.vm.imageOffer: UbuntuServer

Find Azure instances that match exact value

azure.vm.imageOffer: `UbuntuServer`

azure.vm.imagePublisherazure.vm.imagePublisher

Use a text value ##### to define the name of the Azure virtual machine image publisher (i.e. Canonical or MicrosoftWindowsServer).

Examples

Find Azure instances related to name

azure.vm.imagePublisher: Canonical

Find Azure instances that match exact value

azure.vm.imagePublisher: `Canonical`

azure.vm.imageVersionazure.vm.imageVersion

Use a text value ##### to define the version of the Azure virtual machine image sku you're interested in.

Example

Find Azure instances with this sku version

azure.vm.imageVersion: 16.04.201708030

azure.vm.locationazure.vm.location

Use a text value ##### to define the region you're interested in.

Example

Find Azure instances in this location

azure.vm.location: westus

azure.vm.macAddressazure.vm.macAddress

Use a text value ##### to define the MAC address you're interested in.

Example

Find Azure instances with this MAC address

azure.vm.macAddress: '000D3A36DDED'

azure.vm.nameazure.vm.name

Use a text value ##### to find the Azure virtual machine name you're looking for.

Examples

Find Azure instances related to name

azure.vm.name: avset2

Find Azure instances that match exact value

azure.vm.name: `avset2`

azure.vm.platformazure.vm.platform

Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.

Example

Find Azure instances on Windows platform

azure.vm.platform: Windows

azure.vm.privateIpAddressazure.vm.privateIpAddress

Use a text value ##### to define a private IPv4 address or range of IPs you're interested in.

Examples

Find Azure instances with this private IP

azure.vm.privateIpAddress: 10.1.2.5

Find Azure instances within this IP range

azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]

azure.vm.publicIpAddressazure.vm.publicIpAddress

Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.

Examples

Find Azure instances with this public IP

azure.vm.publicIpAddress: 13.126.125.189

Find Azure instances within this IP range

azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]

azure.vm.resourceGroupNameazure.vm.resourceGroupName

Use a text value ##### to define the name of the resource group you're interested in.

Examples

Find Azure instances related to name

azure.vm.resourceGroupName: my-eastus-rg

Find Azure instances that match exact value

azure.vm.resourceGroupName: `my-eastus-rg`

azure.vm.sizeazure.vm.size

Use a text value ##### to help you find Azure VM instances with a certain virtual machine size.

Example

Find Azure instances with this size

azure.vm.size: Standard_D1

azure.vm.stateazure.vm.state

Select the name of the instance state (DEALLOCATED, DEALLOCATING, DELETED, RUNNING, STARTING, STOPPED, STOPPING) you're interested in. Select from names in the drop-down menu.

Example

Find running Azure instances

azure.vm.state: RUNNING

azure.vm.subnetazure.vm.subnet

Use a text value ##### to define the Azure virtual machine subnet you're interested in.

Example

Find Azure instances with this subnet

azure.vm.subnet: 10.1.2.0

azure.vm.subscriptionIdazure.vm.subscriptionId

Use a text value ##### to define the subscription ID of the Azure virtual machine subscription.

Example

Find Azure instances with this subscription ID

azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409

azure.vm.vmIdazure.vm.vmId

Use a text value ##### to define the Azure virtual machine ID you're looking for.

Example

Find Azure instances with this ID

azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21

azure.vm.virtualNetworkazure.vm.virtualNetwork

Use a text value ##### to define the operating system platform (Linux or Windows) of the Azure virtual machine.

Examples

Find Azure instances related to virtual network

azure.vm.virtualNetwork: cli-vnet

Find Azure instances that match exact value of virtual network

azure.vm.virtualNetwork: `cli-vnet`

azure.vm.hasAgentazure.vm.hasAgent

Use the values true | false to define whether the Azure virtual machine you're looking for has a cloud agent installed on it.

Example

Find Azure instances with agents

azure.vm.hasAgent: "true"

Supported Boolean Operators

The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.

andand

Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.

Example

asset.status: Enrolled and asset.assetID: 122855563

The asset having the ID 122855563 and with status as Enrolled is returned in the result.

notnot

Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.

Example

not tags.name: Windows

Assets with the Windows tag are excluded from search results.

oror

Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.

Example

tags.name:Cloud Agent or tags.name:Windows

The assets that have the Cloud Agent tag or the Windows tag are returned in the result.