Search by Field | String matching | Exact matching | Full Text Search | Is Null Queries | Range searches | Date searches | Match multiple values | Boolean operators | Nested Queries | Limitations | Include or Exclude OS Patches
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Examples:
netbiosName: WIN7PATCH69-85
lastLoggedOnUser: .\Administrator
installedPatchId: MS12-004
Use single quotes or double quotes around your query to match a string.
Examples:
tags.name: "Cloud Agent"
operatingSystem: 'Microsoft Windows'
systemManufacturer: "Dell"
Example using a wildcard: to match on part of a value, use an asterisk (*). For example, to find assets with a name starting with WINDOWS2008, use this query:
name:WINDOWS2008*
Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.
Examples:
operatingSystem: `Windows 7 Ultimate Service Pack 1`
systemManufacturer: `dell`
Many asset fields containing text allow you to use full text search and advanced search capabilities.
Examples:
Show any findings with this OS name
operatingSystem: Windows
Show any findings that contain components of OS name
operatingSystem: "Windows 2008 r2 service pack 2"
Show any findings that match exact value "Windows 2002"
operatingSystem: `Windows 2002`
Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem is null
cve is null
product is null
Ranges can be specified with the [lower .. upper] syntax using () and/or [] as follows. This is supported for numeric and date fields.
Example:
endDateTime: [2018-08-01 .. 2018-09-01] // Between August 1st and September 1st 2018
Range options:
endDateTime:(date1 .. date2)
// Greater than but not equal to date1 and less than but not equal to date2
endDateTime:(date1 .. date2]
// Greater than but not equal to date1 and less than or equal to date2
endDateTime:[date1 .. date2)
// Greater than or equal to date1 and less than but not equal to date2
endDateTime:[date1 .. date2]
// Greater than or equal to date1 and less than or equal to date2
endDateTime > date1
// Greater than date1
endDateTime >= date1
// Greater than or equal to date1
endDateTime < date1
// Less than date1
endDateTime <= date1
// Less than or equal to date1
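The bracket rules above decide whether an asset or job that falls exactly on a boundary date appears in a report. The following is an added example, not code from the product or its documentation: a small Python model of the range and comparison semantics as this page describes them, run over constructed records. The names `parse_range`, `matching` and `SAMPLE` are hypothetical, dates are handled at day granularity only, and treating a missing value as a non-match is an assumption.

```python
import operator
import re
from datetime import date

DATE = r'"?(\d{4}-\d{2}-\d{2})"?'  # quotes are optional, as in the page's examples
RANGE_RE = re.compile(rf'^\s*([\w.]+)\s*:\s*([\[(])\s*{DATE}\s*\.\.\s*{DATE}\s*([\])])\s*$')
COMPARE_RE = re.compile(rf'^\s*([\w.]+)\s*(>=|<=|>|<)\s*{DATE}\s*$')
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def parse_range(query):
    """Return (field, predicate) for a bracketed range or a comparison query."""
    m = RANGE_RE.match(query)
    if m:
        field, open_b, lo, hi, close_b = m.groups()
        lo, hi = date.fromisoformat(lo), date.fromisoformat(hi)
        if lo > hi:
            raise ValueError(f"lower bound is after upper bound: {query!r}")
        above = operator.ge if open_b == "[" else operator.gt   # "[" includes date1
        below = operator.le if close_b == "]" else operator.lt  # "]" includes date2
        return field, lambda d: above(d, lo) and below(d, hi)
    m = COMPARE_RE.match(query)
    if m:
        field, op, bound = m.groups()
        bound = date.fromisoformat(bound)
        return field, lambda d: OPS[op](d, bound)
    raise ValueError(f"not a range or comparison query: {query!r}")


def matching(query, records):
    """Names of records whose date field satisfies the query."""
    field, pred = parse_range(query)
    # Assumption: a record with no value for the field never matches a range.
    return [r["name"] for r in records if r.get(field) is not None and pred(r[field])]


# Constructed sample records; the boundary dates show where ( and [ differ.
SAMPLE = [
    {"name": "job-a", "endDateTime": date(2018, 8, 1)},
    {"name": "job-b", "endDateTime": date(2018, 8, 15)},
    {"name": "job-c", "endDateTime": date(2018, 9, 1)},
    {"name": "job-d", "endDateTime": None},
]

if __name__ == "__main__":
    for q in ("endDateTime:[2018-08-01 .. 2018-09-01]", "endDateTime:(2018-08-01 .. 2018-09-01]",
              "endDateTime:[2018-08-01 .. 2018-09-01)", "endDateTime > 2018-08-15"):
        print(q, "->", matching(q, SAMPLE))
```
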
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
Examples:
modifiedDate: "2018-10-20"
modifiedDate <= "2018-11-20"
modifiedDate: ["2018-10-20" .. "2018-10-24"]
modifiedDate: [now-3d .. now-1s]
Use a list of values to match "In" or "Not In" conditions on a field. Available for all fields except analyzed fields (i.e. full text search fields).
Examples:
Find assets with at least one of these three CVE IDs:
cve:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]
Find patches last modified on date: 2018-08-31 or 2018-09-12
NOT modifiedDate: ["2018-08-31","2018-09-12"]
Supported date formats:
YYYY example: endDateTime:["2017","2018"]
// in 2017 or 2018
YYYY-MM example: endDateTime:["2018-08","2018-09"]
// in month of Aug or Sept
YYYY-MM-DD example: endDateTime:["2018-10-30","2018-11-05"]
// on one of exact dates
Use keywords AND, OR, NOT to narrow or broaden your search.
Examples:
Show findings that have one of these operating systems:
operatingSystem: `Windows 2002` OR operatingSystem: `Windows 7 Ultimate Service Pack 1`
Show patches not last modified on or before date:
AND NOT modifiedDate <= "2018-11-05"
Use a single nested query, using parentheses, to include multiple fields in your query. This is supported only for the tags token, fields tags.name and tags.id, per below.
Example:
Find assets having a certain tag name or ID:
tags: (name: `Cloud Agent` or id: `79eb654f-6eca-4922-9adf-0d39bd7cf3f2`)
When you select an asset tag during job creation, corresponding child tags get automatically selected for that job. However, you can search assets, patches, and jobs only using parent tags. Child tag search is not supported.
1. If you want to include the macOS update patches:
Add the "vendor is null" QQL token along with your original QQL using the OR operator.
Example: vendor:`Apple` OR vendor is null
2. If you want to exclude the macOS update patches:
Add the "not vendor is null" QQL token along with your original QQL using the AND operator.
Example: not vendor:`Apple` AND not vendor is null