On the Posture tab of the enhanced Policy Compliance UI, use the QQL tokens to fetch data from the Qualys databases. For the ease of use, we’ve categorized the available search tokens into the Asset and Control data sources.
Note: As you start typing your query, the interface provides auto-suggest options only for those tokens that are valid for a particular data source.
You can build your search queries by using various combinations of these tokens. Click each token in the following lists to see the usage information.
Boolean operators | Asset tokens | Control tokens
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
control.id:1073 and posture.status:FAIL
The control instances having the ID 1073 and also showing the FAIL posture status are returned in the result.
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.
Examples
not tags.name:Windows
Assets with the Windows tag are excluded from search results.
not posture.status:FAIL and criticality:SERIOUS
Control instances that have SERIOUS criticality are displayed. However, control instances that show the current posture status as FAIL are excluded from the results because you used the 'not' operator before this search condition.
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Example
tags.name:Cloud Agent or tags.name:Windows
The assets that have the Cloud Agent tag or the Windows tag are returned in the result.
If you select the Asset data source in the query search bar, the following tokens are available for data search:
Use an integer value ##### to help you find systems with a Qualys asset ID of interest.
After the colon, enter the asset ID:
Examples:
asset.id:122855563
The search result displays findings with this asset ID.
Use this token to search the assets created on a specific date or within a particular date range. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples:
asset.created:'2020-01-08'
If you enclose the date within the single quotation marks, the assets that were created on the specified date are displayed in the result.
asset.created > now-90d
The assets that were created within past 90 days (excluding day 90) are displayed in the result.
asset.created >= now-90d
The assets that were created within past 90 days (including day 90) are displayed in the result.
asset.created < now-90d
The assets that were created before past 90 days (excluding day 90) are displayed in the result.
asset.created <= now-90d
The assets that were created before past 90 days (including day 90) are displayed in the result.
asset.created:[2020-01-01 ... 2020-01-10]
The assets that were created within the specified date range are displayed in the result.
asset.created:[now-2w ... now-1s]
The assets that were created from two weeks ago till a second ago are displayed in the result.
Note: An asset is created in the inventory when it is discovered and scanned for the first time by a scanner appliance or when Qualys agent is installed on the asset.
Use this token to search an asset by its Qualys host ID (UUID), assigned by an agent, or a scanner appliance in case of Agentless Tracking. The token value can be a specific host ID, a comma-separated list of IDs, or a range of IDs.
Examples
asset.hostId:135484
The asset having the specified host ID is returned in the result.
asset.hostId:[135484 … 145575]
The assets having the host IDs within the specified range are returned in the result.
If you enclose the range values within parentheses (round brackets), the result returns all the values between the lower limit value and the upper limit value in the range excluding both these values.
If you enclose the range values within square brackets, the result returns all the values between the lower-limit value and the upper-limit value in the range including both these values.
asset.hostId:[135484,135485,135490]
The assets having the specified host IDs are returned in the result.
asset.interface.addressasset.interface.address
Use this token to search an asset by its IP address (IPv4 or IPv6).
Examples
asset.interface.address:10.10.100.20
The asset which has the specified IPv4 address is displayed in the result.
asset.interface.address:'fe80:0:0:0:2501:b53c:4139:404b'
The asset which has the specified IPv6 address is displayed in the result. (Enclose the value in single quotation marks.)
asset.interface.hostNameasset.interface.hostName
Use this token to search assets by their host names.
Refine your search in the following ways:
Exact match: If you want the search result to exactly match your query value, enclose the value in backticks (`<value>`).
Example:
asset.interface.hostName:`xpsp2-jp-26-111`
The asset with the name “xpsp2-jp-26-111” is displayed in the result.
Partial match: If you want the search result to include one or more words from your query value, enclose the value in double quotation marks (“<value>”).
Example:
asset.interface.hostName:"xpsp2-jp-26-111"
The assets that are displayed in the result contain parts of the specified string or the entire string in their host names.
Related search: If you want to search for the terms related to your query value, type the value without double quotation marks or backtick characters.
Example:
asset.interface.hostName:xpsp2-jp-26-111
asset.interface.hostName:qcentos71sqp3.rdlab.acme.com
(In this case, we’ll match super domains.)
asset.isDataTruncatedasset.isDataTruncated
On the enhanced Policy Compliance UI, we show a maximum of 1500 posture records for an asset. Any additional records are truncated. To search for assets whose posture data is truncated, use this token. Select true or false as the token value.
Example:
asset.isDataTruncated:true
The assets whose posture records are more than 1500 and hence are truncated are displayed in the result.
Use this token to search assets by their names.
Refine your search in the following ways:
Exact match: If you want the search result to exactly match your query value, enclose the value in backticks (`<value>`).
Example:
asset.name:`QK2K12QP3-65-53`
The asset with the name “QK2K12QP3-65-53” is displayed in the result.
Partial match: If you want the search result to include one or more words in your query value, enclose the value in double quotation marks (“<value>”).
Example:
asset.name:“QK2K12QP3-65-53”
The assets that are displayed in the result contain parts of the specified string or the entire string in their names.
Related search: If you want to search for the terms related to your query value, type the value without double quotation marks or backtick characters.
Example:
asset.name:QK2K12QP3-65-53
asset.trackingMethodasset.trackingMethod
Use this token to search assets by their tracking method in the asset inventory. After the colon, choose the value from the available options.
Examples:
asset.trackingMethod:IP
All the assets that are tracked by their IP addresses are displayed in the result.
asset.trackingMethod:Agent
Assets that are tracked by Agent are displayed in the result.
auth.lastComplianceSuccessDateauth.lastComplianceSuccessDate
Use this token to search assets based on the date of their last successful compliance authentication. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
auth.lastComplianceSuccessDate:'2020-01-08'
If you enclose the date within single quotation marks, the assets with last compliance authentication success on that date are displayed in the result.
auth.lastComplianceSuccessDate > now-90d
The assets whose last successful compliance authentication happened within past 90 days (excluding day 90) are displayed in the result.
auth.lastComplianceSuccessDate >= now-90d
The assets whose last successful compliance authentication happened within past 90 days (including day 90) are displayed in the result.
auth.lastComplianceSuccessDate < now-90d
The assets whose last successful compliance authentication happened before past 90 days (excluding day 90) are displayed in the result.
auth.lastComplianceSuccessDate <= now-90d
The assets whose last successful compliance authentication happened before past 90 days (including day 90) are displayed in the result.
auth.lastComplianceSuccessDate:[2020-01-01 ...
2020-01-10]
The assets with last compliance authentication success within the specified date range are displayed in the result.
auth.lastComplianceSuccessDate:[now-2w ... now-1s]
The assets whose last successful compliance authentication happened from two weeks ago till a second ago are displayed in the result.
Use an integer value ##### to help you find assets with uuid you are looking for.
After the colon, enter the asset uuid:
Examples:
asset.uuid:`26a26521-e574-42cb-8778-f798cf46c121`
The search result displays assets with uuid.
Use this token to search assets by their last authentication status. After the colon, choose the value from the available status options.
Examples:
auth.status:SUCCESS
Assets that have last authentication status as SUCCESS are returned in the result.
auth.status:FAILED
Assets that have last authentication status as FAILED are returned in the result.
Use this token to search assets by an authentication/technology type on the asset. After the colon, choose a value from the available authentication type options. We'll return assets that have the authentication/technology type that you selected and list additional technologies detected on the asset that are related to your selection.
Examples:
auth.type:Windows
Assets that have Windows authentication type are returned in the results. You'll also see Windows related technologies that were detected on the assets like Internet Explorer, Google Chrome (Windows), SharePoint Server 2013, etc.
auth.type:Unix
Assets that have Unix authentication type are returned in the result. You'll also see Unix related technologies that were detected on the assets like Apache Tomcat, PostgreSQL, IBM WebSphere, etc.
sensor.lastComplianceScanDatesensor.lastComplianceScanDate
Use this token to search assets based on when they were last scanned by the Qualys sensor appliance. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
sensor.lastComplianceScanDate:'2020-01-08'
If you enclose the date within single quotation marks, the assets with last compliance authentication success on that date are displayed in the result.
sensor.lastComplianceScanDate > now-90d
The assets that were scanned within past 90 days (excluding day 90) are displayed in the result.
sensor.lastComplianceScanDate >= now-90d
The assets that were scanned within past 90 days (including day 90) are displayed in the result.
sensor.lastComplianceScanDate < now-90d
The assets that were scanned before past 90 days (excluding day 90) are displayed in the result.
sensor.lastComplianceScanDate <= now-90d
The assets that were scanned before past 90 days (including day 90) are displayed in the result.
sensor.lastComplianceScanDate:[2020-01-01 ...
2020-01-10]
The assets that were last scanned by the Qualys sensor appliance within the specified date range are displayed in the result.
sensor.lastComplianceScanDate:[now-2w ... now-1s]
The assets that were last scanned from two weeks ago till a second ago are displayed in the result.
If you select the Control data source in the query search bar, the following tokens are available for data search:
control.categoryNamecontrol.categoryName
Use this token to search controls by their categories. After the colon, choose the category from the available options.
Examples
control.categoryName:Encryption
Controls that belong to the Encryption category are displayed in the result.
control.categoryName:`Anti-Virus/Malware`
Controls that belong to the Anti-Virus/Malware category are displayed in the result.
Use this token to search controls by their unique control IDs (CIDs). The token value can be a single control ID, or a range of IDs.
Examples
control.id:1072
The control having the specified ID is returned in the result.
control.id:[1072 … 1886]
The controls having the IDs within the specified range are returned in the result.
If you enclose the range values within parentheses (round brackets), the result includes all the values between the lower limit value and the upper limit value in the range excluding both these values.
If you enclose the range values within square brackets, the result includes all the values between the lower limit value and the upper limit value in the range including both these values.
control.statementcontrol.statement
Use this token to search for a particular control statement.
Refine your search in the following ways:
Exact match: If you want the search result to exactly match your query value, enclose the value in the backticks (`<value>`).
Example:
control.statement:`Status of the 'rsh' service`
The control statement “Status of the 'rsh' service” is displayed in the result.
Partial match: If you want the search result to include one or more words in your query value, enclose the value in double quotation marks (“<value>”).
Example:
control.statement:"rsh service"
The control statements that are displayed in the result contain parts of the specified string (‘rsh’ or ‘service’) or the entire string (‘rsh service’).
Related search: If you want to search for the terms related to your query value, type the value without double quotation marks or backtick characters.
Example:
control.statement:rsh service
control.subcategoryNamecontrol.subcategoryName
Use this token to search controls by their subcategory names. After the colon, choose the control subcategory from the available options from the drop-down menu.
Examples:
control.subcategoryName:`Authentication/Passwords`
Controls that have sub-category as Authentication/Passwords are displayed in the result.
Use this token to search System-Defined Controls (SDC) or User-Defined Controls (UDC).
After the colon, select the type of the control SDC or UDC.
Examples
control.type:SDC
SDC control instances are listed in the result.
control.type:UDC
UDC control instances are listed in the result.
Use this token to search control instances based on their criticality.
Example:
criticality:URGENT
Control instances that have URGENT criticality level are displayed in the result.
exception.expirationDateexception.expirationDate
Use this token to search exceptions by their expiration dates. The value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
exception.expirationDate:'2020-01-08'
If you enclose the date in the single quotation marks, exceptions expiring on the specified date are displayed in the result.
exception.expirationDate > now-90d
Exceptions that expired within past 90 days (excluding day 90) are displayed in the result.
exception.expirationDate >= now-90d
Exceptions that expired within past 90 days (including day 90) are displayed in the result.
exception.expirationDate < now-90d
Exceptions that expired before past 90 days (excluding day 90) are displayed in the result.
exception.expirationDate <= now-90d
Exceptions that expired before past 90 days (including day 90) are displayed in the result.
exception.expirationDate:[2020-01-01 ... 2020-01-10]
Exceptions expiring within the specified date range are displayed in the result.
exception.expirationDate:[now-2w ... now-1s]
Exceptions expiring from two weeks ago till a second ago are displayed in the result.
exception.isEvidenceBasedexception.isEvidenceBased
Use this token to check whether an exception is evidence-based or not.
Select true or false as the token value.
Examples:
exception.isEvidenceBased:true
Control instances with exception that reopens on change of evidence are displayed in the result.
exception.isEvidenceBased:false
Control instances with exception that do not reopen on change of evidence are displayed in the result.
exception.numberexception.number
Use this token to search exceptions by their numbers.
The token value can be a single number, or a range of numbers.
Examples
exception.number:35
The exception having the specified number is displayed in the result.
exception.number:[32 .. 40]
The exceptions having the numbers within the specified range are returned in the result.
If you enclose the range values within parentheses (round brackets), the result includes all the values between the lower limit value and the upper limit value in the range excluding both these values.
If you enclose the range values within square brackets, the result includes all the values between the lower limit value and the upper limit value in the range including both these values.
Know more about smart use of brackets and parentheses in QQL queries.
exception.requestedDateexception.requestedDate
Use this token to search compliance exceptions based on when they were last requested. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples:
exception.requestedDate:'2020-01-08'
If you enclose the date in the single quotation marks, the exceptions requested on that specified date are displayed in the result.
exception.requestedDate > now-90d
Exceptions requested within past 90 days (excluding day 90) are displayed in the result.
exception.requestedDate >= now-90d
Exceptions requested within past 90 days (including day 90) are displayed in the result.
exception.requestedDate < now-90d
Exceptions requested before past 90 days (excluding day 90) are displayed in the result.
exception.requestedDate <= now-90d
Exceptions requested before past 90 days (including day 90) are displayed in the result.
exception.requestedDate:[2020-01-01 ... 2020-01-10]
Exceptions requested within the specified date range are displayed in the result.
exception.requestedDate:[now-2w ... now-1s]
The exceptions requested from two weeks ago till a second ago are displayed in the result.
exception.statusexception.status
Use this token to search control instances based on their exception status.
After the colon, select the status from the available options from the drop-down menu:
Examples:
exception.status:EXPIRED
Control instances that have the EXPIRED exception status are displayed in the result.
exception.status:[PENDING, APPROVED]
Control instances that have the exception status as PENDING or APPROVED are displayed in the result.
mitreAttack.tacticIdmitreAttack.tacticId
Use this token to search for controls associated with a particular Mitre Tactic Id.
After the colon, enter the Mitre Tactic Id:
Examples:
mitreAttack.tacticId:`TA0001`
The search result displays controls associated with Tactic Id, TA0001.
mitreAttack.tacticNamemitreAttack.tacticName
Use this token to search for controls associated with a particular Mitre Tactic name.
After the colon, enter the Mitre Tactic name:
Examples:
mitreAttack.tacticName:`Collection`
The search result displays controls associated with the Tactic name, Collection.
mitreAttack.techniqueIdmitreAttack.techniqueId
Use this token to search for controls associated with a particular Mitre Technique Id
After the colon, enter the Mitre Technique Id:
Examples:
mitreAttack.techniqueId:`T1001`
The search result displays controls associated with Technique Id, T1001
mitreAttack.techniqueNamemitreAttack.techniqueName
Use this token to search for controls associated with a particular Mitre Technique name.
After the colon, enter the Mitre Technique name:
Examples:
mitreAttack.techniqueName:`Abuse Elevation Control Mechanism`
The search result displays controls associated with Technique name, Abuse Elevation Control Mechanism
mitreAttack.subTechniqueIdmitreAttack.subTechniqueId
Use this token to search for controls associated with a particular Mitre Sub Technique Id.
After the colon, enter the Mitre Sub Technique Id:
Examples:
mitreAttack.subTechniqueId:`T1001.001`
The search result displays controls associated with Sub Technique Id, T1001.001.
mitreAttack.subTechniqueNamemitreAttack.subTechniqueName
Use this token to search for controls associated with a particular Mitre Sub Technique name.
After the colon, enter the Mitre Sub Technique name:
Examples:
mitreAttack.subTechniqueName:`Abuse Elevation Control Mechanism: Bypass User Account Control`
The search result displays controls associated with Sub Technique name, Abuse Elevation Control Mechanism: Bypass User Account Control.
mitreAttack.mappingmitreAttack.mapping
Use this search token to display controls based on their association with Mitre.
After the colon, select true or false:
Examples:
mitreAttack.mapping:true
The search result displays controls associated with Mitre.
mitreAttack.mapping:false
The search result displays controls not associated with Mitre.
policy.evaluatedDatepolicy.evaluatedDate
Use this token to search control instances (and policies containing those controls) used in evaluation of assets on a particular date or within a date range. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples:
policy.evaluatedDate:'2020-01-08'
If you enclose the date in single quotation marks, policies that were used in compliance scans on that specified date are displayed in the result.
policy.evaluatedDate > now-90d
Policies used in compliance scans within past 90 days (excluding day 90) are displayed in the result.
policy.evaluatedDate >= now-90d
Policies used in compliance scans within past 90 days (including day 90) are displayed in the result.
policy.evaluatedDate < now-90d
Policies used in compliance scans before past 90 days (excluding day 90) are displayed in the result.
policy.evaluatedDate <= now-90d
Policies used in compliance scans before past 90 days (including day 90) are displayed in the result.
policy.evaluatedDate:[2020-01-01 ... 2020-01-10]
Controls (or policies) that were used in compliance scans within the specified date range are displayed in the result.
policy.evaluatedDate:[now-2w ... now-1s]
Controls that were used in compliance scans from two weeks ago till a second ago are displayed in the result.
Use this token to search policies by their IDs.
The token value can be a single policy ID, comma-separated-list of multiple IDs, or a range of IDs.
Examples:
policy.id:37796
The policy having the specified ID is returned in the result.
policy.id:[37796,1457852,523695]
All the specified policies in the comma-separated list are returned in the result.
policy.id:[37796 … 38143]
The policies having the IDs within the specified range are returned in the result.
If you enclose the range values within parentheses (round brackets), the result includes all the values between the lower limit value and the upper limit value in the range excluding both these values.
If you enclose the range values within square brackets, the result includes all the values between the lower limit value and the upper limit value in the range including both these values.
policy.labelNamepolicy.labelName
Use this token to search policies by their label names.
After the colon, select the label from the available options from the drop-down menu. You can select multiple options as well.
Examples
policy.labelName:CIS
Policies with the label name CIS are displayed in the result.
policy.labelName:[OCA, DISA STIG]
Policies with the label name as OCA or DISA STIG are displayed in the result.
policy.lockTypepolicy.lockType
Use this token to search policies based on their lock status. After the colon, select the lock type from the available options from the drop-down menu.
To read more about locked or unlocked policies, see Manage Your Policies.
Examples:
policy.lockType:UNLOCKED
Policies that have the Unlocked status are displayed in the result.
policy.lockType:LOCKED AT IMPORT
Policies that have the Locked at import status are displayed in the result.
Use this token to search policies by their names.
Refine your search in the following ways:
Exact match: If you want the search result to exactly match your query value, enclose the value in the backticks (`<value>`).
Example:
policy.name:`Minimum Security Hygiene for Windows
Remote Endpoints v.2.0`
The policy with the specified name is displayed in the result.
Partial match: If you want the search result to include one or more words in your query value, enclose the value in double quotation marks (“<value>”).
Example:
policy.name:“CIS Windows 10”
The policy names that are displayed in the result contain parts of the specified string or the entire string.
Related search: If you want to search for the terms related to your query value, type the value without double quotation marks or backtick characters.
Example:
policy.name:CIS Windows 10
posture.controlReferenceposture.controlReference
Use this token to search the control instances by their policy control reference.
Refine your search in the following ways:
Exact match: If you want the search result to exactly match your query value, enclose the value in the backticks (`<value>`).
Example:
posture.controlReference:`3.1`
The control instances that are displayed in the result have 3.1 in the control reference number field in Policy Editor.
Partial match: If you want the search result to include one or more words in your query value, enclose the value in double quotation marks (“<value>”).
Example:
posture.controlReference:“3.1”
The control instances that are displayed in the result contain parts of the specified string or the entire string in the control reference number field in Policy Editor.
Related search: If you want to search for the terms related to your query value, type the value without double quotation marks or backtick characters.
Example:
posture.controlReference:3.1
posture.evaluatedDateposture.evaluatedDate
Use this token to search control instances based on when they were last evaluated to assess the compliance posture of host assets. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples:
posture.evaluatedDate:'2020-01-08'
If you enclose the date in the single quotation marks, the control instances that were evaluated on that specified date are displayed in the result.
posture.evaluatedDate > now-90d
Control instances evaluated within past 90 days (excluding day 90) are displayed in the result.
posture.evaluatedDate >= now-90d
Control instances evaluated within past 90 days (including day 90) are displayed in the result.
posture.evaluatedDate < now-90d
Control instances evaluated before past 90 days (excluding day 90) are displayed in the result.
posture.evaluatedDate <= now-90d
Control instances evaluated before past 90 days (including day 90) are displayed in the result.
posture.evaluatedDate:[2020-01-01 ... 2020-01-10]
Control instances that were evaluated within the specified date range are displayed in the result.
posture.evaluatedDate:[now-2w ... now-1s]
Control instances that were evaluated from two weeks ago till a second ago are displayed in the result.
posture.failFirstFoundDateposture.failFirstFoundDate
Use this token to search control instances based on when they failed for the first time in compliance evaluation. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
posture.failFirstFoundDate:'2020-01-08'
If you enclose the date in the single quotation marks, the control instances for which the FAIL posture was found for the first time on the specified date are displayed in the result.
posture.failFirstFoundDate > now-90d
Control instances for which the FAIL posture was found for the first time within past 90 days (excluding day 90) are displayed in the result.
posture.failFirstFoundDate >= now-90d
Control instances for which the FAIL posture was found for the first time within past 90 days (including day 90) are displayed in the result.
posture.failFirstFoundDate < now-90d
Control instances for which the FAIL posture was found for the first time before past 90 days (excluding day 90) are displayed in the result.
posture.failFirstFoundDate <= now-90d
Control instances for which the FAIL posture was found for the first time before past 90 days (including day 90) are displayed in the result.
posture.failFirstFoundDate:[2020-01-01 ... 2020-01-10]
Control instances for which the FAIL posture was found for the first time within the specified date range are displayed in the result.
posture.failFirstFoundDate:[now-2w ... now-1s]
Control instances for which the FAIL posture was found for the first time from two weeks ago till a second ago are displayed in the result.
posture.failLastFoundDateposture.failLastFoundDate
Use this token to search control instances based on when they last failed in compliance evaluation. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
posture.failLastFoundDate:'2020-01-08'
If you enclose the date in single quotation marks, control instances for which the FAIL posture was last found on the specified date are displayed in the result.
posture.failLastFoundDate > now-90d
Control instances for which the FAIL posture was last found within past 90 days (excluding day 90) are displayed in the result.
posture.failLastFoundDate >= now-90d
Control instances for which the FAIL posture was last found within past 90 days (including day 90) are displayed in the result.
posture.failLastFoundDate < now-90d
Control instances for which the FAIL posture was last found before past 90 days (excluding day 90) are displayed in the result.
posture.failLastFoundDate <= now-90d
Control instances for which the FAIL posture was found for the first time before past 90 days (including day 90) are displayed in the result.
posture.failLastFoundDate:[2020-01-01 ... 2020-01-10]
Control instances for which the FAIL posture was last found within the specified date range are displayed in the result.
posture.failLastFoundDate:[now-2w ... now-1s]
Control instances for which the FAIL posture was last found from two weeks ago till a second ago are displayed in the result.
posture.firstEvaluatedDateposture.firstEvaluatedDate
Use this token to search control instances based on when they were used in evaluation for the first time. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
posture.firstEvaluatedDate:'2020-01-08'
If you enclose the date in single quotation marks, control instances that were used in asset evaluation for the first time on the specified date are displayed in the result.
posture.firstEvaluatedDate > now-90d
Control instances that were used in asset evaluation for the first time within past 90 days (excluding day 90) are displayed in the result.
posture.firstEvaluatedDate >= now-90d
Control instances that were used in asset evaluation for the first time within past 90 days (including day 90) are displayed in the result.
posture.firstEvaluatedDate < now-90d
Control instances that were used in asset evaluation for the first time before past 90 days (excluding day 90) are displayed in the result.
posture.firstEvaluatedDate <= now-90d
Control instances that were used in asset evaluation for the first time before past 90 days (including day 90) are displayed in the result.
posture.firstEvaluatedDate:[2020-01-01 ... 2020-01-10]
Control instances that were used in asset evaluation for the first time within the specified date range are displayed in the result.
posture.firstEvaluatedDate:[now-2w ... now-1s]
Control instances that were evaluated for the first time from two weeks ago till a second ago are displayed in the result.
posture.hasExceptionposture.hasException
Use this token to search control instances with or without exceptions.
Select true or false as the token value.
Examples
posture.hasException:true
Control instances that have exceptions are displayed in the result.
posture.hasException:false
Control instances that do not have exceptions are displayed in the result.
posture.instanceposture.instance
Use this token to search control instances by the OS or technology instances that are evaluated using those controls. An instance can be an OS instance or an OS-based technology such as Internet Explorer, Google Chrome, Mozilla Firefox, or it can be a middleware technology such as a web server, a database server or an application server.
Refine your search in the following ways:
Exact match: If you want the search result to exactly match your query value, enclose the value in the backticks (`<value>`).
Example:
posture.instance:`/opt/IBM/WebSphere4/AppServer`
The control instances evaluating the specified instance are displayed in the result.
Partial match: If you want the search result to include one or more words in your query value, enclose the value in double quotation marks (“<value>”).
Example:
posture.instance:“27019 admin”
The OS or technology instances that are displayed in the result contain parts of the specified string or the entire string.
Related search: If you want to search for the terms related to your query value, type the value without double quotation marks or backtick characters.
Example:
posture.instance:27019 admin
posture.modifiedDateposture.modifiedDate
Use this token to search control instances based on when their compliance posture was modified. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
posture.modifiedDate:'2020-01-08'
If you enclose the date in single quotation marks, control instances for which compliance posture was modified on the specified date are displayed in the result.
posture.modifiedDate > now-90d
Control instances for which compliance posture was modified within past 90 days (excluding day 90) are displayed in the result.
posture.evaluatedDate >= now-90d
Control instances for which compliance posture was modified within past 90 days (including day 90) are displayed in the result.
posture.evaluatedDate < now-90d
Control instances for which compliance posture was modified before past 90 days (excluding day 90) are displayed in the result.
posture.evaluatedDate <= now-90d
Control instances for which compliance posture was modified before past 90 days (including day 90) are displayed in the result.
posture.modifiedDate:[2020-01-01 ... 2020-01-10]
Control instances for which compliance posture was modified within the specified date range are displayed in the result.
posture.modifiedDate:[now-2w ... now-1s]
Control instances for which compliance posture was modified from two weeks ago till a second ago are displayed in the result.
posture.passFirstFoundDateposture.passFirstFoundDate
Use this token to search control instances for which the PASS posture was found for the first time in compliance evaluation on the specified date or within the specified date range. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
posture.passFirstFoundDate:'2020-01-08'
If you enclose the date in single quotation marks, control instances for which the PASS posture was found for the first time on the specified date are displayed in the result.
posture.passFirstFoundDate > now-90d
Control instances for which the PASS posture was found for the first time within past 90 days (excluding day 90) are displayed in the result.
posture.passFirstFoundDate >= now-90d
Control instances for which the PASS posture was found for the first time within past 90 days (including day 90) are displayed in the result.
posture.passFirstFoundDate < now-90d
Control instances for which the PASS posture was found for the first time before past 90 days (excluding day 90) are displayed in the result.
posture.passFirstFoundDate <= now-90d
Control instances for which the PASS posture was found for the first time before past 90 days (including day 90) are displayed in the result.
posture.passFirstFoundDate:[2020-01-01 ... 2020-01-10]
Control instances for which the PASS posture was found for the first time within the specified date range are displayed in the result.
posture.passFirstFoundDate:[now-2w ... now-1s]
Control instances for which the PASS posture was found for the first time from two weeks ago till a second ago are displayed in the result.
posture.passLastFoundDateposture.passLastFoundDate
Use this token to search control instances based on when they last passed in compliance evaluation. The token value can be a date, a date range, or a year.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
posture.passLastFoundDate:'2020-01-08'
If you enclose the date in the single quotation marks, the control instances for which the PASS posture was last found on the specified date are displayed in the result.
posture.passLastFoundDate > now-90d
Control instances for which the PASS posture was last found within past 90 days (excluding day 90) are displayed in the result.
posture.passLastFoundDate >= now-90d
Control instances for which the PASS posture was last found within past 90 days (including day 90) are displayed in the result.
posture.passLastFoundDate < now-90d
Control instances for which the PASS posture was last found before past 90 days (excluding day 90) are displayed in the result.
posture.passLastFoundDate <= now-90d
Control instances for which the PASS posture was found for the first time before past 90 days (including day 90) are displayed in the result.
posture.passLastFoundDate:[2020-01-01 ... 2020-01-10]
Control instances for which the PASS posture was last found within the specified date range are displayed in the result.
posture.passLastFoundDate:[now-2w ... now-1s]
Control instances for which the PASS posture was last found from two weeks ago till a second ago are displayed in the result.
posture.previousStatusposture.previousStatus
Use this token to search control instances by their previous posture status.
After the colon, select the desired status from the available options from the drop-down menu. You can also select multiple status options.
Examples
posture.previousStatus:FAIL
Control instances with previous status as FAIL are displayed in the result.
posture.previousStatus:[FAIL, ERROR]
Control instances with previous status as FAIL or ERROR are displayed in the result.
Use this token to search control instances by their current posture status.
After the colon, select the desired status from the available options from the drop-down menu. You can also select multiple status options.
Examples
posture.status:FAIL
Control instances having the FAIL status are displayed in the result.
posture.status:[FAIL, ERROR]
Control instances having the FAIL or the ERROR status are displayed in the result.
posture.subStatusposture.subStatus
Use this token to search control instances by their current posture sub-status. After the colon, select the desired sub-status from the available options from the drop-down menu. You can also select multiple status options.
Examples
posture.subStatus:PASS WITH EXCEPTION
Control instances having the PASS WITH EXCEPTION sub-status are displayed in the result.
posture.subStatus:[`PASS WITH EXCEPTION`,`FAIL
PENDING EXCEPTION`]
Control instances having the PASS WITH EXCEPTION or the FAIL PENDING EXCEPTION sub-status are displayed in the result. Please note the use of backticks (`<value>`) for exact search in this example.
technology.categoryNametechnology.categoryName
Use this token to search control instances based on the technology categories for which they are used for evaluation.
After the colon, select the technology category from the available options from the drop-down menu. You can also select multiple categories.
Examples
technology.categoryName:Middleware
Control instances that have Middleware as the technology category are displayed in the result.
technology.categoryName:[`Middleware`,`Network
Device`]
Control instances that have Middleware or Network Device as technology category are displayed in the result. Please note the use of backticks (`<value>`) for exact search in this example.
technology.nametechnology.name
Use this token to search control instances based on technologies that they evaluate.
Example:
technology.name:Windows 10
Control instances that have Windows 10 as technology are displayed in the result.
technology.subcategoryNametechnology.subcategoryName
Use this token to search control instances based on the technology subcategories for which they are used for evaluation. After the colon, select the technology subcategory from the available options from the drop-down menu. You can also select multiple categories.
Examples:
technology.subcategoryName:Unix OS
Control instances that have Unix OS as the technology sub-category are displayed in the result.
technology.subcategoryName:[`Windows OS`,`Unix
OS`]
Control instances that have Windows OS or Unix OS as the technology sub-category are displayed in the result.