Searching for AWS Resources
Use the search tokens below to search for discovered resources. You'll first need to choose a cloud provider on the Resources tab to see the relevant tokens for your environment.
General
Use a text value ##### to show resources based on the unique account ID associated with the connector/ARN at the time of creation.
Example
Show findings with this account ID
account.id: 205767712438
Use a text value ##### to show connectors based on the account alias associated with the connector/ARN at the time of creation.
Example
Show connectors with this account alias
account.alias: Example_connector
subscriptionName
Use a text value ##### to find Azure connectors based on the subscription name associated with the connector at the time of creation.
Example
Show connectors with this subscription name
subscriptionName: Sample Cloud Subscription
Use a date range or specific date to define when the resource was created.
Example
Show resources created within certain dates
created: [2018-01-01 ... 2018-03-01]
Show resources created starting 2018-01-01, ending 1 month ago
created: [2018-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
created: [now-2w ... now-1s]
Show resources created on specific date
created: 2018-01-08
Use a date range or specific date to define when the resource was last updated.
Example
Show resources updated within certain dates
updated: [2018-01-01 ... 2018-03-01]
Show resources updated starting 2018-01-01, ending 1 month ago
updated: [2018-01-01 ... now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
updated: [now-2w ... now-1s]
Show resources updated on specific date
updated: 2018-01-08
Use values within quotes to help you find the resource name you're looking for.
Example
Show any findings with this name
name: my-resource
Show all the findings that exactly match with this name
name: `my-resource`
Use values within quotes to help you find the resources based on the arn.
Example
Find resources with the given ARN. Use backticks or quotes when providing the ARN value.
arn: "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56"
Select the name of the cloud service provider you're interested in. Select from names in the drop-down menu.
Example
Find resources synced from Amazon AWS
provider: AWS
Select the name of the region you're interested in. Select from names in the drop-down menu.
Example
Find resources in the Singapore region
region: Singapore
Use a text value ##### to find resources by the unique ID assigned to the resource.
Example
Show resources with ID acl-8e5198f5
resource.id: acl-8e5198f5
Select the type of resource you're interested in. Select from names in the drop-down menu.
Example
Show resources of type Instance
resource.type: Instance
Use a text value ##### to define the key of an AWS tag assigned to the resource (case sensitive).
Example
Show findings with key Department
tag.key: Department
Use a text value ##### to define the value of an AWS tag assigned to the resource (case sensitive).
Example
Show findings with tag value Finance
tag.value: Finance
Use a boolean query to express your query using AND logic.
Example
Show findings with account ID 205767712438 and type Subnet
account.id: 205767712438 and resource.type: Subnet
Use a boolean query to express your query using NOT logic.
Example
Show findings that are not region Hong Kong
not region: Hong Kong
Use a boolean query to express your query using OR logic.
Example
Show findings with one of these tag values
tag.value: Finance or tag.value: Accounting
Use a date range or specific date to find when the resource was first discovered.
Example
Show resources discovered within certain dates
firstDiscoveredOn: [2024-01-01 ... 2024-03-01]
Show resources discovered starting 2024-01-01, ending 1 month ago
firstDiscoveredOn: [2024-01-01 ... now-1m]
Show resources discovered starting 2 weeks ago, ending 1 second ago
firstDiscoveredOn: [now-2w ... now-1s]
Show resources discovered on specific date
firstDiscoveredOn: 2024-01-08
AWS: Auto Scaling Group
These tokens are available in queries with resource.type:Auto Scaling Group
autoscaling.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Find auto scaling groups in the us-east-1a availability zone
autoscaling.availabilityZone: us-east-1a
autoscaling.createdTime
Use a date range or specific date to define when the Auto Scaling group was created.
Example
Show groups created within certain dates
autoscaling.createdTime: [2018-01-01 ... 2018-03-01]
Show groups created starting 2018-01-01, ending 1 month ago
autoscaling.createdTime: [2018-01-01 ... now-1m]
Show groups created starting 2 weeks ago, ending 1 second ago
autoscaling.createdTime: [now-2w ... now-1s]
Show groups created on specific date
autoscaling.createdTime: 2018-01-08
autoscaling.healthCheckType
Select the health check type (ec2 or elb) you're interested in. Select from names in the drop-down menu.
Example
Show groups with health check type ec2
autoscaling.healthCheckType: ec2
autoscaling.instanceId
Use a text value ##### to find auto scaling groups with a certain instance ID.
Example
Show findings with this instance ID
autoscaling.instanceId: i-1234567890abcdef0
autoscaling.launchConfigurationName
Use a text value ##### to define the launch configuration name you're interested in.
Example
Show findings with this launch configuration name
autoscaling.launchConfigurationName: LaunchConfig-BF31WBIYCM64
autoscaling.loadBalancerName
Use a text value ##### to define the load balancer name you're interested in.
Example
Show findings with this load balancer name
autoscaling.loadBalancerName: AppServer ELB
AWS: IAM User
These tokens are available in queries with resource.type: IAM User
iamuser.accessKey1Active
Use the values true | false to find IAM users with an active access key1.
Example
Show findings with access key1 active
iamuser.accessKey1Active: true
Show findings with access key1 not active
iamuser.accessKey1Active: false
iamuser.accessKey1LastRotated
Use a date range or specific date to define when access key1 was last rotated.
Example
Show last rotated within certain dates
iamuser.accessKey1LastRotated: [2018-01-01 ... 2018-03-01]
Show last rotated starting 2018-01-01, ending 1 month ago
iamuser.accessKey1LastRotated: [2018-01-01 ... now-1m]
Show last rotated starting 2 weeks ago, ending 1 second ago
iamuser.accessKey1LastRotated: [now-2w ... now-1s]
Show last rotated on specific date
iamuser.accessKey1LastRotated: 2018-01-08
iamuser.accessKey1LastUsed
Use a date range or specific date to define when access key1 was last used.
Example
Show last used within certain dates
iamuser.accessKey1LastUsed: [2018-01-01 ... 2018-03-01]
Show last used starting 2018-01-01, ending 1 month ago
iamuser.accessKey1LastUsed: [2018-01-01 ... now-1m]
Show last used starting 2 weeks ago, ending 1 second ago
iamuser.accessKey1LastUsed: [now-2w ... now-1s]
Show last used on specific date
iamuser.accessKey1LastUsed: 2018-01-08
iamuser.accessKey2Active
Use the values true | false to find IAM users with an active access key2.
Example
Show findings with access key2 active
iamuser.accessKey2Active: true
Show findings with access key2 not active
iamuser.accessKey2Active: false
iamuser.accessKey2lastRotated
Use a date range or specific date to define when access key2 was last rotated.
Example
Show last rotated within certain dates
iamuser.accessKey2lastRotated: [2018-01-01 ... 2018-03-01]
Show last rotated starting 2018-01-01, ending 1 month ago
iamuser.accessKey2lastRotated: [2018-01-01 ... now-1m]
Show last rotated starting 2 weeks ago, ending 1 second ago
iamuser.accessKey2lastRotated: [now-2w ... now-1s]
Show last rotated on specific date
iamuser.accessKey2lastRotated: 2018-01-08
iamuser.accessKey2LastUsed
Use a date range or specific date to define when access key2 was last used.
Example
Show last used within certain dates
iamuser.accessKey2LastUsed: [2018-01-01 ... 2018-03-01]
Show last used starting 2018-01-01, ending 1 month ago
iamuser.accessKey2LastUsed: [2018-01-01 ... now-1m]
Show last used starting 2 weeks ago, ending 1 second ago
iamuser.accessKey2LastUsed: [now-2w ... now-1s]
Show last used on specific date
iamuser.accessKey2LastUsed: 2018-01-08
Use a text value ##### to define the Amazon Resource Name (ARN) of interest.
Example
Show findings with this ARN
iamuser.arn: "arn:aws:iam::383031258652:user/LOCAL_1234"
iamuser.mfaActive
Use the values true | false to find IAM users with multi factor authentication enabled.
Example
Show findings with multi factor authentication enabled
iamuser.mfaActive: true
Show findings without multi factor authentication enabled
iamuser.mfaActive: false
iamuser.passwordEnabled
Use the values true | false to find IAM users with the user password enabled during account creation.
Example
Show findings with password enabled
iamuser.passwordEnabled: true
Show findings without password enabled
iamuser.passwordEnabled: false
iamuser.passwordLastChanged
Use a date range or specific date to define when the password was last updated.
Example
Show passwords last updated within certain dates
iamuser.passwordLastChanged: [2018-01-01 ... 2018-03-01]
Show passwords last updated starting 2018-01-01, ending 1 month ago
iamuser.passwordLastChanged: [2018-01-01 ... now-1m]
Show passwords last updated starting 2 weeks ago, ending 1 second ago
iamuser.passwordLastChanged: [now-2w ... now-1s]
Show passwords last updated on specific date
iamuser.passwordLastChanged: 2018-01-08
iamuser.passwordLastUsed
Use a date range or specific date to define when the password was last used.
Example
Show passwords last used within certain dates
iamuser.passwordLastUsed: [2018-01-01 ... 2018-03-01]
Show passwords last used starting 2018-01-01, ending 1 month ago
iamuser.passwordLastUsed: [2018-01-01 ... now-1m]
Show passwords last used starting 2 weeks ago, ending 1 second ago
iamuser.passwordLastUsed: [now-2w ... now-1s]
Show passwords last used on specific date
iamuser.passwordLastUsed: 2018-01-08
iamuser.passwordNextRotation
Use a date range or specific date to define the next time the password will be rotated.
Example
Show next rotation within certain dates
iamuser.passwordNextRotation: [2018-01-01 ... 2018-03-01]
Show next rotation starting 2018-01-01, ending 1 month ago
iamuser.passwordNextRotation: [2018-01-01 ... now-1m]
Show next rotation starting 2 weeks ago, ending 1 second ago
iamuser.passwordNextRotation: [now-2w ... now-1s]
Show next rotation on specific date
iamuser.passwordNextRotation: 2018-01-08
iamuser.userCreationTime
Use a date range or specific date to define when the user was created.
Example
Show users created within certain dates
iamuser.userCreationTime: [2018-01-01 ... 2018-03-01]
Show users created starting 2018-01-01, ending 1 month ago
iamuser.userCreationTime: [2018-01-01 ... now-1m]
Show users created starting 2 weeks ago, ending 1 second ago
iamuser.userCreationTime: [now-2w ... now-1s]
Show users created on specific date
iamuser.userCreationTime: 2018-01-08
Use values within quotes to help you find IAM users with a certain user ID.
Example
Show any findings with this ID
iamuser.userId: ABCDEFGHIJ1K2
Show any findings that contain parts of ID
iamuser.userId: "ABCDEFGHIJ1K2"
iamuser.username
Use values within quotes to help you find IAM users with a certain user name.
Example
Show any findings with this name
iamuser.username: Jane
Use values within quotes to help you find IAM users with path.
Example
Show any findings with this path
iamuser.path: /
Show any findings that contain parts of path
iamuser.path: "/"
iamuser.group.name
Use values within quotes to help you find IAM users with a certain group name.
Example
Show any findings with this group name
iamuser.group.name: Admin
iamuser.policy.arn
Use a text value ##### to find users with the Policy Amazon Resource Name (ARN) of interest.
Example
Show Users with this Policy ARN
iamuser.policy.arn: "arn:aws:iam::383031258652:user/LOCAL_1234"
iamuser.boundaryPolicy
Use a text value ##### to find the IAM User based on the provided Boundary Policy
Example
Show users with this boundary policy
iamuser.boundaryPolicy: DelegatedBoundaries
iamuser.accesskey.id
Use a text value ##### to find the IAM User based on the provided Access Key ID
Example
Show users with the specified Access Key ID
iamuser.accesskey.Id: AKIAIOSFODNN7EXAMPLE
AWS: Policy
Select from the dropdown (AWS MANAGED, CUSTOMER MANAGED) to find policies belonging to the specified type
Example
Show policies with this type.
policy.type: CUSTOMER MANAGED
Select from the dropdown (GLOBAL, US_GOV) to find policies belonging to the specified subtype
Example
Show Policies with this sub type.
policy.subType: GLOBAL
AWS: Group
group.managedPolicy.arn
Use a text value to find groups based on their policy ARN
Example
Show policies with this arn.
group.managedPolicy.arn: aws-policy
group.inlinePolicy.policyName
Use a text value to find groups based on their Inline policy name
Example
Show policies with this name.
group.inlinePolicy.policyName: inline-aws-policy
AWS: Role
Use a text value to find roles based on their path
Example
Show roles with this path.
path: "/"
role.lastActivity.lastUsedDate
Use a date range or specific date to find when the role was used.
Example
Show roles used within certain dates
role.lastActivity.lastUsedDate: [2018-01-01 ... 2018-03-01]
Show roles used starting 2018-01-01, ending 1 month ago
role.lastActivity.lastUsedDate: [2018-01-01 ... now-1m]
Show roles used starting 2 weeks ago, ending 1 second ago
role.lastActivity.lastUsedDate: [now-2w ... now-1s]
Show roles used on specific date
role.lastActivity.lastUsedDate: 2018-01-08
AWS: VPC Endpoint
Use a text value to find VPC Endpoints by providing VPC ID
Example
Show VPC Endpoints with this VPC ID.
vpcendpoint.vpc: vpc-7b955c06
Select from the dropdown ( 'Interface', 'Gateway', 'Gateway Load Balancer') to find VPC Endpoints by providing VPC type
Example
Show VPC Endpoints with this VPC type.
vpcendpoint.vpc: Interface
Select from the dropdown ( 'Available', 'Deleted', 'Deleting', 'Pending') to find VPC Endpoints by providing the state
Example
Show VPC Endpoints with this state.
vpcendpoint.state: Available
Use true | false to find VPC Endpoints with Private DNS Enabled.
Example
Show VPC Endpoints with private DNS Enabled.
vpcendpoint.privatednsenabled: true
Use true | false to find VPC Endpoints with requester managed set to true/false.
Example
Show VPC Endpoints with requester managed set to True.
vpcendpoint.requestermanaged: true
Select from the dropdown ('ipv4', 'ipv6') to find VPC Endpoints by providing the IP address type
Example
Show VPC Endpoints with this IP address type.
vpcendpoint.ipaddresstype: ipv4
AWS: VPC Endpoint Service
Select from the dropdown ( 'Interface', 'Gateway', 'Gateway Load Balancer') to find VPC Endpoint Service by providing VPC type
Example
Show VPC Endpoints with this VPC type.
vpcendpointservice.type: Interface
Select from the dropdown ('ipv4', 'ipv6') to find VPC Endpoint Services by providing the IP address type
Example
Show VPC Endpoints service with this IP address type.
vpcendpointservice.supportedIpAddressTypee:ipv4
Use true | false to find VPC Endpoints with acceptance set to required
Example
Show VPC Endpoints with acceptance set to True.
vpcendpointservice.acceptancerequired: true
Use an integer value to find VPC Endpoint service based on the VPC owner
Example
Show VPC Endpoint services belonging to the specified owner
vpcendpointservice.owner:951386378875
AWS: Instance
These tokens are available in queries with resource.type:Instance
instance.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Show findings in the us-east-1a availability zone
instance.availabilityZone: us-east-1a
instance.imageId
Use a text value ##### to find EC2 instances with a certain Image (AMI) ID.
Example
Show findings with this image ID
instance.imageId: ami-2ea83347
instance.isDockerHost
Use the values true | false to define whether the instance has Docker installed on the host.
Example
Show instances with docker installed on the host
instance.isDockerHost:true
Show instances without docker installed on the host
instance.isDockerHost:false
instance.hasSensor
Use the values true | false to define whether the instance has a Container Security Sensor installed on the host.
Example
Show instances with Container Security Sensor installed on the host
instance.hasSensor:true
Show instances without Container Security Sensor installed on the host
instance.hasSensor:false
instance.docker.version
Use a text value ##### to define Docker version you are looking for.
Example
Show instances with specified docker version
instance.docker.version:8.2
instance.networkInterface.addressId
Use a text value ##### to find EC2 instances with a certain network interface address ID.
Example
Show findings with this address ID
instance.networkInterface.addressId: id-12345
instance.networkInterface.description
Use values within quotes to help you find network interfaces with certain keywords in the description.
Example
Show any findings with this description
instance.networkInterface.description: My Description
Show any findings that contain parts of description
instance.networkInterface.description: "My Description"
instance.networkInterface.groupId
Use a text value ##### to find network interfaces with a certain group ID.
Example
Show findings with this group ID
instance.networkInterface.groupId: sg-1a2b3c4d
instance.networkInterface.groupName
Use a text value ##### to find network interfaces with a certain group name.
Example
Show findings with this group name
instance.networkInterface.groupName: My Group
instance.networkInterface.ipv6Ip
Use a text value ##### to find EC2 instances having network interface with a certain IPv6 IP address.
Example
Show findings with this IPv6 address
instance.networkInterface.ipv6Ip: 2010:ab2::1234:zzz:2002:1f
instance.networkInterface.privateDnsName
Use a text value ##### to find EC2 instances having network interface with a certain private DNS name.
Example
Show findings with this private DNS name
instance.networkInterface.privateDnsName: ip-172-31-33-67.us-east-2.compute.internal
instance.networkInterface.privateIpAddress
Use a text value ##### to find EC2 instances having network interface with a certain private IP address.
Example
Show findings with this private IP
instance.networkInterface.privateIpAddress: 172.31.28.151
instance.networkInterface.publicIp
Use a text value ##### to find EC2 instances having network interface with a certain public IP address.
Example
Show findings with this public IP address
instance.networkInterface.publicIp: 13.126.125.189
instance.networkInterface.secondaryPrivateIp
Use a text value ##### to find EC2 instances having network interface with a certain secondary private IP address.
Example
Show findings with this secondary private IP
instance.networkInterface.secondaryPrivateIp: 10.0.0.85
instance.networkInterface.subnetId
Use a text value ##### to find EC2 instances having network interface on a certain subnet.
Example
Show findings on this subnet ID
instance.networkInterface.subnetId: subnet-6f2cec07
instance.networkInterface.privateDnsName
Use a text value ##### to find EC2 instances having a private DNS address you're interested in.
Example
Show findings with this private DNS address
instance.networkInterface.privateDnsName: ip-10-90-2-85.ec2.internal
instance.networkInterface.privateIpAddress
Use a text value ##### to find EC2 instances having a private IPv4 address you're interested in.
Example
Show findings with this private IP address
instance.networkInterface.privateIpAddress: 10.90.0.119
instance.privateDnsName
Use a text value ##### to find EC2 instances having a private DNS name you're interested in.
Example
Show findings with this private DNS name
instance.privateDnsName: ip-10-90-2-85.ec2.internal
instance.privateIpAddress
Use a text value ##### to find EC2 instances having a private IPv4 address you're interested in.
Example
Show findings with this private IP address
instance.privateIpAddress: 10.90.0.119
instance.publicDnsName
Use a text value ##### to find EC2 instances having a public DNS address you're interested in.
Example
Show findings with this public DNS address
instance.publicDnsName: ec2-52-70-141-154.compute-1.amazonaws.com
instance.publicIpAddress
Use a text value ##### to find EC2 instances having a public IPv4 address you're interested in.
Example
Show findings with this public IP address
instance.publicIpAddress: 52.70.141.154
instance.secondaryPrivateIpAddress
Use a text value ##### to find EC2 instances having a secondary private IPv4 address you're interested in.
Example
Show findings with this secondary private IP
instance.secondaryPrivateIpAddress: 10.90.0.119
instance.securityGroup.id
Use a text value ##### to find EC2 instances having a certain security group ID.
Example
Show EC2 instances with this security group ID
instance.securityGroup.id: sg-4798a22f
instance.securityGroup.name
Use a text value ##### to find EC2 instances having a certain security group name.
Example
Show findings with this security group name
instance.securityGroup.name: Windows RDP Allow Group
instance.spotInstanceRequestId
Use a text value ##### to find EC2 instances having a certain Spot Instance request ID.
Example
Show findings with this Spot Instance request ID
instance.spotInstanceRequestId: sir-08b93456
Select a state name (pending, running, shutting-down, terminated, etc) to find EC2 instances with a certain state. Select from names in the drop-down menu.
Example
Show running EC2 instances
instance.state: running
instance.status
Select the status (ok, impaired, insufficient-data, etc) you're interested in. Select from names in the drop-down menu.
Example
Show EC2 instances with impaired status
instance.status: impaired
instance.subnetId
Use a text value ##### to find EC2 instances residing on a certain subnet ID.
Example
Show findings on this subnet ID
instance.subnetId: subnet-bc02c0d4
Select the type of EC2 instance you're interested in. Select from names in the drop-down menu.
Example
Show findings with this instance type
instance.type: t2.micro
Use a text value ##### to find EC2 instances having a certain VPC ID.
Example
Show findings with this VPC ID
instance.vpcId: vpc-1e37cd76
instance.profileName
Use a text value ##### to find EC2 instances having a certain profile name.
Example
Show all EC2 instances having ANY instance profile
instance.profileName: (*..*)
instance.profileArn
Use a text value ##### to find EC2 instances having a certain profile arn.
Example
Show all EC2 instances having profile arn
instance.profileArn: abc12345arnsample
Show all EC2 instances that exactly match the specified profile arn
instance.profileArn: `abc12345arnsample`
instanceProfile.role.name
Enter the name of roles associated with the profiles to search all the EC2 instances associated with it.
Example
Show all instances NOT associated with any roles in the profile
instanceProfile.role.name is null
instanceProfile.role.arn
Enter the instance profile arn to search all the EC2 instances associated with it.
Example
Show all instances associated with any arn
instanceProfile.role.arn: (*..*)
Show all instances that exactly match the arn
instanceProfile.role.arn: `1de1e0a7-4f67-4812-917d-1236853844e1`
instance.riskScore
Use an integer value (0-1000) to search for all the EC2 instances with the specified risk score.
Example
Show all instances with a risk score greater than 125
instance.riskScore > 125
Show all instances with the risk score of 125
instance.riskScore: 125
connector.remediationEnabled
Use true to view the resources associated with the connector for which remediation is enabled.
Example
Show resources associated with the connector for which remediation is enabled
connector.remediationEnabled: TRUE
Select the action status ("Success", "Queued", "Error") you're interested in. Select from names in the drop-down menu.
Example
Show resources with success status for remediation action
action.status: Success
instance.hasAgent
Select (True, False) to define whether the instance has a cloud agent installed.
Example
Show findings with a cloud agent
instance.hasAgent:true
Show findings without a cloud agent
instance.hasAgent:false
instance.hasThreats
Select (True, False) to find instances that have or have not been associated with any detected threats.
Example
Show instances that have been associated with any detected threats
instance.hasThreats: true
Show instances that have not been associated with any detected threats
instance.hasThreats: false
hasThreat.SuspiciousComm.PortScan
Select (True, False) to find assets that have or have not been detected performing port scanning activities.
Example
Show assets detected performing port scans
hasThreat.SuspiciousComm.PortScan: true
hasThreat.SuspiciousComm.AddressScan
Select (True, False) to find assets that have or have not been detected performing address scanning activities.
Example
Show assets detected performing address scans
hasThreat.SuspiciousComm.AddressScan: true
hasThreat.LateralMove.RDPHotAccount
Select (True, False) to find assets associated with RDP hot accounts, which may indicate potential lateral movement attempts.
Example
Show assets associated with RDP hot accounts
hasThreat.LateralMove.RDPHotAccount: true
hasThreat.LateralMove.RDPbruteforce
Select (True, False) to find assets that have or have not been targets of RDP brute force attempts.
Example
Show assets that have been targets of RDP brute force attempts
hasThreat.LateralMove.RDPbruteforce: true
hasThreat.LateralMove.RDPScan
Select (True, False) to find assets that have or have not been detected performing RDP scanning activities.
Example
Show assets detected performing RDP scans
hasThreat.LateralMove.RDPScan: true
hasThreat.LateralMove.SSHbruteforce
Select (True, False) to find assets that have or have not been targets of SSH brute force attempts.
Example
Show assets that have been targets of SSH brute force attempts
hasThreat.LateralMove.SSHbruteforce: true
hasThreat.CnC.DNS
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over DNS.
Example
Show assets detected communicating with potential C&C servers over DNS
hasThreat.CnC.DNS: true
hasThreat.CnC.HTTPS
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over HTTPS.
Example
Show assets detected communicating with potential C&C servers over HTTPS
hasThreat.CnC.HTTPS: true
hasThreat.CnC.HTTP
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over HTTP.
Example
Show assets detected communicating with potential C&C servers over HTTP
hasThreat.CnC.HTTP: true
hasThreat.Exfiltration.DNS
Select (True, False) to find assets that have or have not been detected potentially exfiltrating data over DNS.
Example
Show assets detected potentially exfiltrating data over DNS
hasThreat.Exfiltration.DNS: true
hasThreat.Malware
Select (True, False) to find assets that have or have not been detected with potential malware infections.
Example
Show assets detected with potential malware infections
hasThreat.Malware: true
AWS: Secrets
secrets.rotationEnabled
Select (True, False) to find secrets with rotation enabled or disabled.
Example
Show secrets with rotation enabled
secrets.rotationEnabled: true
secrets.kmsKeyId
Provide a string value to find secrets associated with a specific AWS Key Management Service (KMS) key ID.
Example
Find secrets using the KMS key ID "1234abcd-12ab-34cd-56ef-1234567890ab"
secrets.kmsKeyId: 1234abcd-12ab-34cd-56ef-1234567890ab
Provide a string value to find secrets with a specific Amazon Resource Name (ARN).
Example
Find a secret with the ARN "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3"
secrets.arn: "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3"
Provide a string value to find secrets with a specific name.
Example
Find secrets named "database-credentials"
secrets.name: database-credentials
AWS: SageMaker Notebook
sagemaker.notebook.arn
Provide a string value in quotes (" ") or backtick (` `) to find SageMaker Notebook instances with a specific Amazon Resource Name (ARN).
Example
Find a SageMaker Notebook instance with the ARN "arn:aws:sagemaker:us-west-2:123456789012:notebook-instance/my-notebook"
sagemaker.notebook.arn: "arn:aws:sagemaker:us-west-2:123456789012:notebook-instance/my-notebook"
sagemaker.notebook.name
Provide a string value to find SageMaker Notebook instances with a specific name.
Example
Find SageMaker Notebook instances named "data-science-notebook"
sagemaker.notebook.name: data-science-notebook
sagemaker.notebook.status
Select the required status from the drop-down menu (InService, Stopped, Failed, Deleting, Pending) to find SageMaker Notebook instances based on their current status.
Example
Show SageMaker Notebook instances that are currently in service
sagemaker.notebook.status: InService
AWS: CloudFront Distribution
cloudfront.distributions.id
Provide a string value to find CloudFront distributions with a specific ID.
Example
Find a CloudFront distribution with the ID "E2QWRUHAPOMQZL"
cloudfront.distributions.id: E2QWRUHAPOMQZL
cloudfront.distributions.domainname
Provide a string value to find CloudFront distributions with a specific domain name.
Example
Find CloudFront distributions with the domain name "d111111abcdef8.cloudfront.net"
cloudfront.distributions.domainname: d111111abcdef8.cloudfront.net
cloudfront.distributions.enabled
Select (True, False) to find CloudFront distributions that are enabled or disabled.
Example
Show CloudFront distributions that are currently enabled
cloudfront.distributions.enabled: true
cloudfront.distributions.priceclass
Find CloudFront distributions based on their price class. Select the required class from the drop-down menu (PriceClass_100, PriceClass_200, PriceClass_All).
Example
Show CloudFront distributions with the price class PriceClass_200
cloudfront.distributions.priceclass: PriceClass_200
cloudfront.distributions.staging
Select (True, False) to find CloudFront distributions that are in staging or production environment.
Example
Show CloudFront distributions that are in the staging environment
cloudfront.distributions.staging: true
cloudfront.distributions.arn
Provide a string value to find CloudFront distributions with a specific Amazon Resource Name (ARN).
Example
Find a CloudFront distribution with the ARN "arn:aws:cloudfront::123456789012:distribution/E2QWRUHAPOMQZL"
cloudfront.distributions.arn: "arn:aws:cloudfront::123456789012:distribution/E2QWRUHAPOMQZL"
cloudfront.distributions.loggingEnabled
Select (True, False) to find CloudFront distributions with logging enabled or disabled.
Example
Show CloudFront distributions with logging enabled
cloudfront.distributions.loggingEnabled: true
Route 53 Domains
route53.domain.autorenew
Select (True, False) to find Route 53 domains based on their auto-renewal status.
Example
Show domains with auto-renewal enabled.
route53.domain.autorenew: true
Route 53 Hosted Zones
route53.hostedZone.recordname
Provide a string value to find Route 53 hosted zones with the specified record name.
Example
Find hosted zones with the record "www.example.com"
route53.hostedZone.recordname: www.example.com
Select (True, False) to find Route 53 hosted zones based on whether they are private or public.
Example
Show private hosted zones.
route53.hostedZone.isPrivateZone: true
Provide a string value to find Route 53 hosted zones with the specified Amazon Resource Name (ARN).
Example
Find a hosted zone with a specific ARN.
route53.hostedZone.arn: "arn:aws:route53:::hostedzone/Z1PA6795UKMFR9"
Redshift
redshift.clusteridentifier
Provide a string value to find Redshift clusters with the specified cluster identifier.
Example
Find a Redshift cluster with identifier "my-redshift-cluster"
redshift.clusteridentifier: my-redshift-cluster
redshift.clusterstatus
Select from available options (e.g., available, creating, deleting, final-snapshot, modifying, rebooting, renaming, resizing) to find Redshift clusters with the specified status.
Example
Show Redshift clusters that are currently available.
redshift.clusterstatus: available
redshift.clusternamespacearn
Provide a string value to find Redshift clusters with the specified namespace ARN (Amazon Resource Name).
Example
Find a Redshift cluster with a specific namespace ARN.
redshift.clusternamespacearn: "arn:aws:redshift:us-west-2:123456789012:namespace:my-namespace"
redshift.kmskeyid
Provide a string value to find Redshift clusters using the specified KMS (Key Management Service) key ID for encryption.
Example
Find Redshift clusters using a specific KMS key.
redshift.kmskeyid: 1234abcd-12ab-34cd-56ef-1234567890ab
Elastic Container Registry
Provide a string value to find ECR repositories associated with the specified registry ID.
Example
Find ECR repositories in registry "123456789012"
ecr.registryId: 123456789012
Provide a string value to find ECR repositories with the specified Amazon Resource Name (ARN).
Example
Find an ECR repository with a specific ARN
ecr.arn: arn:aws:ecr:us-west-2:123456789012:repository/my-repo
ecr.encryptionConfigurations.encryptionType
Select from available options (e.g., AES256, KMS) to find ECR repositories with the specified encryption type.
Example
Show ECR repositories using KMS encryption.
ecr.encryptionConfigurations.encryptionType: KMS
ecr.imageTagMutability
Select from available options (MUTABLE, IMMUTABLE) to find ECR repositories with the specified image tag mutability setting.
Example
Show ECR repositories with immutable tags.
ecr.imageTagMutability: IMMUTABLE
ecr.imageScanningConfiguration.scanOnPush
Select (True, False) to find ECR repositories based on whether they're configured to scan images on push.
Example
Show ECR repositories with scan on push enabled.
ecr.imageScanningConfiguration.scanOnPush: true
ecr.imageDigest
Provide a string value to find ECR images with the specified image digest.
Example
Find an ECR image with a specific digest
ecr.imageDigest: sha256:a1b2c3d4e5f6...
ecr.repositoryUri
Provide a string value to find ECR repositories with the specified URI.
Example
Find an ECR repository with URI "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo"
ecr.repositoryUri: 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo
Vulnerability Tokens
These tokens are available in queries with resource.type:vulnerability
vulnerability.qid
Use an integer value ##### to define the QID in question.
Example
Show findings with QID 90405
vulnerability.qid:90405
vulnerability.severity
Select a severity (1-5) to find assets having vulnerabilities with this severity. Select from values in the drop-down menu.
Example
Show findings with severity 4
vulnerability.severity:4
vulnerability.customerSeverity
Use an integer value ##### to define the customer severity in question.
Example
Show findings with customer severity 3
vulnerability.customerSeverity:3
vulnerability.exploitability
Use values within quotes or backticks to help you find the known exploit description you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to this description
vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
vulnerability.exploitability: `GIF Parser Heap`
vulnerability.patchAvailable
Use the values true | false to define vulnerabilities with patch available.
Example
Show findings with patch available
vulnerability.patchAvailable: "true"
Show findings with no patch available
vulnerability.patchAvailable: "false"
vulnerability.firstFound
Use a date range or specific date to define when findings were first found.
Example
Show findings first found within certain dates
vulnerability.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
vulnerability.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerability.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
vulnerability.firstFound:'2015-11-11'
vulnerability.lastFound
Use a date range or specific date to define when findings were last found.
Example
Show findings last found within certain dates
vulnerability.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
vulnerability.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerability.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
vulnerability.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")
vulnerability.title
Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to this title
vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerability.title: "Remote Code"
Show any findings that match exact value
vulnerability.title: `Remote Code`
vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to description
vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
vulnerability.description: "remote code execution"
Show any findings that match exact value
vulnerability.description: `remote code execution`
vulnerability.cveIds
Use a text value ##### to find the CVE name you're interested in.
Example
Show findings with CVE name CVE-2015-0313
vulnerability.cveIds: CVE-2015-0313
vulnerability.category
Select a category (CGI, Database, DNS, BIND, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.
Example
Show findings with the category CGI
vulnerability.category: "CGI"
vulnerability.cvss3Info.baseScore
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show assets with this score
vulnerability.cvss3Info.baseScore: 7.8
vulnerability.cvss3Info.temporalScore
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show assets with this score
vulnerability.cvss3Info.temporalScore: 6.4
vulnerability.cvssInfo.accessVector
Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.
Example
Show findings with this name
vulnerability.cvssInfo.accessVector: "NETWORK"
vulnerability.port
Use an integer value ##### to help you find assets with some open port.
Example
Show vulnerability with port 80
vulnerability.port: 80
vulnerability.protocol
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Example
Show findings found on TCP
vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
vulnerability.hostOS
Use quotes or backticks within values to help you find the instance operating system you're interested in.
Example
Show any findings with this OS name
vulnerability.hostOS:Windows 2012
Show any findings that contain components of OS name
vulnerability.hostOS:"Windows 2012"
Show any findings that match exact value "Windows 2012"
vulnerability.hostOS:`Windows 2012`
vulnerability.typeDetected
Select a detection type (e.g. Confirmed, Potential, Information) to find instances with vulnerabilities of this type. Select from names in the drop-down menu.
Example
Show findings with this type
vulnerability.typeDetected:Confirmed
vulnerability.PCI
Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).
Example
Show PCI vulnerabilities
vulnerability.PCI:TRUE
Do not show PCI vulnerabilities
vulnerability.PCI:FALSE
vulnerability.authTypes
Select the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.
Example
Show findings with Windows auth type
vulnerability.authTypes:WINDOWS_AUTH
vulnerability.bugTraqIds
Use a text value ##### to find a BugTraq number you're interested in.
Example
Show findings with BugTraq ID 22211
vulnerability.bugTraqIds:22211
vulnerability.compliance.description
Use quotes or backticks within values to help you find the compliance description you're looking for.
Example
Show any findings related to this description
vulnerability.compliance.description:malicious software
Show any findings that contain "malicious" or "software" in description
vulnerability.compliance.description:"malicious software"
Show any findings that match exact value "malicious software"
vulnerability.compliance.description:`malicious software`
vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section you're looking for.
Example
Show any findings related to this section
vulnerability.compliance.section:164.308
Show any findings that contain parts of section
vulnerability.compliance.section:"164.308"
Show any findings that match exact value "164.308"
vulnerability.compliance.section:`164.308`
vulnerability.compliance.type
Select the name ##### of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.
Example
Show findings with the compliance type HIPAA
vulnerability.compliance.type:HIPAA
vulnerability.consequence
Use quotes or backticks within values to help you find the consequence you're looking for.
Example
Show any findings related to consequence
vulnerability.consequence:sensitive information
Show any findings that contain "sensitive" or "information" in consequence
vulnerability.consequence:"sensitive information"
Show any findings that match exact value "sensitive information"
vulnerability.consequence:`sensitive information`
vulnerability.flags
Use a text value ##### to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc).
Example
Show findings with this flag
vulnerability.flags:PCI_RELATED
vulnerability.lists
Use a text value ##### to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).
Example
Show findings with vulnerabilities in SANS Top 20
vulnerability.lists:SANS_20
vulnerability.patches
Use an integer value ##### to help you find the patch QID you're interested in.
Example
Show assets with this patch QID
vulnerability.patches:90753
vulnerability.published
Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.
Example
Show findings for vulnerabilities published within certain dates
vulnerability.published:[2015-10-21 ... 2016-01-15]
Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago
vulnerability.published:[2017-01-01 ... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
vulnerability.published:[now-2w ... now-1s]
Show findings for vulnerabilities published on certain date
vulnerability.published:'2018-01-15'
vulnerability.risk
Use an integer value ##### to define the vulnerability risk rating you're interested in. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Example
Show findings with risk 50
vulnerability.risk:50
vulnerability.os
Use quotes or backticks within values to help you find the operating system vulnerabilities were detected on.
Example
Show any findings related to this OS value
vulnerability.os:windows
Show any findings that contain parts of OS value
vulnerability.os:"windows"
Show any findings that match exact value "windows"
vulnerability.os:`windows`
vulnerability.cvssInfo.baseScore
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show instances with this score
vulnerability.cvssInfo.baseScore:7.8
vulnerability.cvssInfo.temporalScore
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show instances with this score
vulnerability.cvssInfo.temporalScore:6.4
vulnerability.discoveryTypes
Select a discovery type (Remote or Authenticated) to find instances with vulnerabilities having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type
vulnerability.discoveryTypes:REMOTE
vulnerability.sans20Categories
Use a text value ##### to find vulnerabilities in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).
Example
Show findings with this category name
vulnerability.sans20Categories:Media Players
vulnerability.solution
Use quotes or backticks within values to help you find the solution you're looking for.
Example
Show any findings related to this solution
vulnerability.solution:Bulletin MS10-006
Show any findings that contain parts of solution
vulnerability.solution:"Bulletin MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
vulnerability.solution:`Bulletin MS10-006`
vulnerability.status
Select the vulnerability status (ACTIVE, FIXED, NEW, REOPENED) you're interested in. Select from names in the drop-down menu.
Example
Show vulnerabilities with ACTIVE status
vulnerability.status:ACTIVE
vulnerability.supportedBy
Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.
Example
Show vulnerabilities supported by Linux Agent
vulnerability.supportedBy:LINUX_AGENT
vulnerability.vendorRefs
Use a text value ##### to find the vendor reference you're interested in.
Example
Show this vendor reference
vulnerability.vendorRefs:KB3021953
vulnerability.vendors.productName
Use a text value ##### to find the vendor product name you're interested in.
Example
Show findings with this vendor product name
vulnerability.vendors.productName:Windows
vulnerability.vendors.vendorName
Use a text value ##### to find the vendor name you're interested in.
Example
Show findings with this vendor name
vulnerability.vendors.vendorName:Adobe
Threat Protection
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
vulnerability.threatIntel.activeAttacks
Use the values true | false to define real-time threats due to active attacks.
Example
Show resources with threats due to active attacks
vulnerability.threatIntel.activeAttacks: "true"
vulnerability.threatIntel.denialOfService
Use the values true | false to define real-time threats due to denial of service.
Example
Show resources with threats due to denial of service
vulnerability.threatIntel.denialOfService: "true"
vulnerability.threatIntel.easyExploit
Use the values true | false to define real-time threats due to easy exploit.
Example
Show resources with threats due to easy exploit
vulnerability.threatIntel.easyExploit: "true"
vulnerability.threatIntel.exploitKit
Use the values true | false to define real-time threats due to exploit kit.
Example
Show resources with threats due to exploit kit
vulnerability.threatIntel.exploitKit: "true"
vulnerability.threatIntel.exploitKitName
Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
vulnerability.threatIntel.exploitKitName: `Angler`
vulnerability.threatIntel.highDataLoss
Use the values true | false to define real-time threats due to high data loss.
Example
Show resources with threats due to high data loss
vulnerability.threatIntel.highDataLoss: "true"
vulnerability.threatIntel.highLateralMovement
Use the values true | false to define real-time threats due to high lateral movement.
Example
Show resources with threats due to high lateral movement
vulnerability.threatIntel.highLateralMovement: "true"
vulnerability.threatIntel.malware
Use the values true | false to define real-time threats due to malware.
Example
Show resources with threats due to malware
vulnerability.threatIntel.malware: "true"
vulnerability.threatIntel.malwareName
Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
vulnerability.threatIntel.noPatch
Use the values true | false to define real-time threats due to no patch available.
Example
Show resources with threats due to no patch available
vulnerability.threatIntel.noPatch: "true"
vulnerability.threatIntel.publicExploit
Use the values true | false to define real-time threats due to public exploit.
Example
Show resources with threats due to public exploit
vulnerability.threatIntel.publicExploit: "true"
vulnerability.threatIntel.publicExploitName
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
vulnerability.threatIntel.zeroDay
Use the values true | false to define real-time threats due to zero day exploit.
Example
Show resources with threats due to zero day exploit
vulnerability.threatIntel.zeroDay: "true"
AWS: Internet Gateway
These tokens are available in queries with resource.type:Internet Gateway
internetgateway.state
Use a text value ##### to find internet gateways having a certain state.
Example
Show findings with this state
internetgateway.state: available
internetgateway.vpcId
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
internetgateway.vpcId: vpc-1e37cd76
AWS: Load Balancer
These tokens are available in queries with resource.type:Load Balancer
elb.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Find resources in the us-east-1a availability zone
elb.availabilityZone: us-east-1a
elb.createdTime
Use a date range or specific date to define when the resource was created.
Example
Show resources created within certain dates
elb.createdTime: [2018-01-01 ... 2018-03-01]
Show resources created starting 2018-01-01, ending 1 month ago
elb.createdTime: [2018-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
elb.createdTime: [now-2w ... now-1s]
Show resources created on specific date
elb.createdTime: 2018-01-08
Use a text value ##### to find load balancers with a certain DNS name.
Example
Show findings with this DNS name
elb.dnsName: load-balancer-12345.elb.us-west.amazonaws.com
Use a text value ##### to find resources with a certain instance ID.
Example
Show resources with this instance ID
elb.instanceId: 10.90.0.119
elb.ipAddressType
Use a text value ##### to find load balancers with certain IP address type.
Example
Show findings with this IP address type
elb.ipAddressType: ipv4
elb.listener.instancePort
Use a text value ##### to find load balancer listeners on a certain instance port.
Example
Show load balancers on this instance port
elb.listener.instancePort: 200
elb.listener.instanceProtocol
Select the load balancer listener instance protocol (HTTP or HTTPS) you're interested in. Select from names in the drop-down menu.
Example
Show findings with this instance protocol
elb.listener.instanceProtocol: HTTPS
elb.listener.loadBalancerPort
Use a text value ##### to find load balancer listeners on a certain load balancer port.
Example
Show findings on this load balancer port
elb.listener.loadBalancerPort: 200
elb.listener.protocol
Select the load balancer listener protocol (HTTP or HTTPS) you're interested in. Select from names in the drop-down menu.
Example
Show findings running on this listener protocol
elb.listener.protocol: HTTP
Use a text value ##### to find load balancer listeners with a certain scheme.
Example
Show findings with this scheme
elb.scheme: internet-facing
elb.securityGroupId
Use a text value ##### to find resources in a certain security group.
Example
Show findings with this security group ID
elb.securityGroupId: sg-1a2b3c4d
Select the load balancer state you're interested in. Select from names in the drop-down menu.
Example
Show findings with this load balancer state
elb.state: active
Use a text value ##### to find load balancers having a certain type.
Example
Show findings with this load balancer type
elb.type: classic
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
elb.vpcId: vpc-1e37cd76
Use a text value ##### to find load balancers in a certain subnet.
Example
Show findings in this subnet
elb.subnet: subnet-cc96efa8
AWS: Network ACL
These tokens are available in queries with resource.type:Network ACL
networkacl.association.subnetId
Use a text value ##### to define resources having an association with a certain subnet.
Example
Show findings with this ID
networkacl.association.subnetId: subnet-6f2cec07
networkacl.cidrBlock
Use a text value ##### to find network ACLs having a certain IPv4 CIDR range.
Example
Show findings with this IPv4 CIDR block
networkacl.cidrBlock: 172.31.0.0/16
networkacl.defaultAcl
Use the values true | false to find a network ACL that is the default network ACL for the VPC.
Example
Show findings with the default network ACL
networkacl.defaultAcl: true
Show findings not defined with default network ACL
networkacl.defaultAcl: false
networkacl.egress
Use the values true | false to find a network ACL that applies (or doesn't apply) to egress traffic.
Example
Show findings where the network ACL does apply to egress traffic
networkacl.egress: true
Show findings where it does not apply to egress traffic
networkacl.egress: false
networkacl.ipv6CidrBlock
Use a text value ##### to define the IPv6 CIDR range associated with the network ACL.
Example
Show findings with this IPv6 CIDR block
networkacl.ipv6CidrBlock: 2001:db8::/32
networkacl.portRange.from
Use an integer value ##### to define the start of the port range specified in the network ACL rule entry.
Example
Show findings with rules with port range starting at 1024
networkacl.portRange.from: 1024
networkacl.portRange.to
Use an integer value ##### to define the end of the port range specified in the network ACL rule entry.
Example
Show findings with rules with port range ending at 65535
networkacl.portRange.to: 65535
networkacl.protocol
Use a text value ##### to define the protocol (tcp, udp, etc) specified in the network ACL rule entry.
Example
Show findings with rules for protocol tcp
networkacl.protocol: tcp
networkacl.ruleAction
Use a text value ##### to find network ACLs with a certain rule action (allow or deny).
Example
Show findings with rules that allow matching traffic
networkacl.ruleAction: allow
networkacl.ruleNumber
Use an integer value ##### to find network ACLs with a certain rule number.
Example
Show findings with rule number 130
networkacl.ruleNumber: 130
networkacl.vpcId
Use a text value ##### to define the ID of the VPC for the network ACL.
Example
Show findings with this VPC ID
networkacl.vpcId: vpc-1e37cd76
networkacl.association.id
Use a text value ##### to find network ACLs with a certain association ID.
Example
Show findings with this association ID
networkacl.association.id: aclassoc-3999875b
networkacl.association.networkAclId
Use a text value ##### to find network ACLs having an association with a certain network ACL ID.
Example
Show findings with this ID
networkacl.association.networkAclId: acl-211bf848
AWS: Route Table
These tokens are available in queries with resource.type:Route Table
routetable.main
Use the values true | false to find the main route table for the VPC.
Example
Show findings for the main route table
routetable.main: true
Show findings that are not the main route table
routetable.main: false
routetable.route.destinationCidrBlock
Use a text value ##### to find route tables having routes with a certain IPv4 CIDR range used for destination match.
Example
Show findings with this IPv4 CIDR range
routetable.route.destinationCidrBlock: 10.0.0.0/16
routetable.route.state
Select a route state (active or blackhole) to help you find route tables having routes with this state. Select from names in the drop-down menu.
Example
Show findings with this route state
routetable.route.state: active
routetable.subnetId
Use a text value ##### to define resources having an association with a certain subnet ID.
Example
Show findings with this ID
routetable.subnetId: subnet-6f2cec07
routetable.vpcId
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
routetable.vpcId: vpc-1e37cd76
routetable.association.id
Use a text value ##### to find route tables with a certain association ID.
Example
Show findings with this ID
routetable.association.id: rtbassoc-781d0d1a
routetable.association.routeTableId
Use a text value ##### to find route tables having a certain route table ID involved in the association between route table and subnet.
Example
Show findings for this ID
routetable.association.routeTableId: rtb-ffbe1297
routetable.route.destinationIpv6CidrBlock
Use a text value ##### to find route tables having routes with a certain IPv6 CIDR range used for destination match.
Example
Show findings with this IPv6 CIDR range
routetable.route.destinationIpv6CidrBlock: 2001:db8::/32
routetable.route.destinationPrefix
Use a text value ##### to find route tables having routes with a certain ID (prefix) of the AWS service.
Example
Show findings with this prefix list ID
routetable.route.destinationPrefix: pl-63a5400a
routetable.route.egressInternetGatewayId
Use a text value ##### to find route tables having routes with a certain egress-only Internet gateway ID.
Example
Show findings with this ID
routetable.route.egressInternetGatewayId: pl-eigw-1234567890
routetable.route.gatewayId
Use a text value ##### to find route tables having routes with a certain virtual private gateway ID.
Example
Show findings with this virtual private gateway ID
routetable.route.gatewayId: igw-12345678
routetable.route.instanceId
Use a text value ##### to find route tables having routes with a certain NAT instance ID.
Example
Show findings with this ID
routetable.route.instanceId: rtb-f8805e91
routetable.route.instanceOwnerId
Use a text value ##### to find route tables having routes with a NAT instance that has a certain owner.
Example
Show findings with this AWS account ID
routetable.route.instanceOwnerId: aws-acct-id
routetable.route.natGatewayId
Use a text value ##### to find route tables having routes with a certain NAT gateway ID.
Example
Show findings with this ID
routetable.route.natGatewayId: local
routetable.route.networkInterfaceId
Use a text value ##### to find route tables having routes with a certain network interface ID.
Example
Show findings with this ID
routetable.route.networkInterfaceId: eni-12345
routetable.route.vpcPeeringId
Use a text value ##### to find route tables having routes with a certain VPC peering connection.
Example
Show findings with this ID
routetable.route.vpcPeeringId: pcx-00197469
AWS: S3 Bucket
These tokens are available in queries with resource.type:S3 Bucket
s3.creationDate
Use a date range or specific date to define when the S3 bucket was created.
Example
Show S3 buckets created within certain dates
s3.creationDate: [2018-01-01 ... 2018-03-01]
Show S3 buckets created starting 2018-01-01, ending 1 month ago
s3.creationDate: [2018-01-01 ... now-1m]
Show S3 buckets created starting 2 weeks ago, ending 1 second ago
s3.creationDate: [now-2w ... now-1s]
Show S3 buckets created on specific date
s3.creationDate: 2018-01-08
s3.isPubliclyAccessible
Use the values true | false to find S3 buckets that are (or aren't) publicly accessible.
Example
Show S3 buckets that are publicly accessible
s3.isPubliclyAccessible: true
Show S3 buckets that are not publicly accessible
s3.isPubliclyAccessible: false
Use a text value ##### to define S3 bucket owner ID of interest.
Example
Show findings with this owner ID
s3.ownerId: a3a33997d333416174cb4c27fa89364a2f31b12498ffc
Use values within quotes to help you find the S3 bucket owner name of interest.
Example
Show any findings with this name
s3.ownerName: Andrew Smith
Show any findings that contain parts of name
s3.ownerName: "Andrew Smith"
AWS: Security Group
These tokens are available in queries with resource.type:Security Group
securitygroup.description
Use values within quotes to help you find security groups with certain keywords in the security group description.
Example
Show any findings with this description
securitygroup.description: Allow RDP to Windows Machines
Show any findings that contain parts of description
securitygroup.description: "Allow RDP to Windows Machines"
securitygroup.inboundRule.fromPort
Use an integer value ##### to find security groups having inbound rules with a certain from port.
Example
Show findings with this from port
securitygroup.inboundRule.fromPort: 200
securitygroup.inboundRule.ipProtocol
Select an IP protocol (tcp, udp, icmp) to find security groups having inbound rules with a certain IP protocol. Select from names in the drop-down menu.
Example
Show findings with the tcp protocol
securitygroup.inboundRule.ipProtocol: tcp
securitygroup.inboundRule.ipv4Range
Use a text value ##### to find security groups having inbound rules with a certain IPv4 range.
Example
Show findings with this range
securitygroup.inboundRule.ipv4Range: 203.0.113.0/24
securitygroup.inboundRule.ipv6Range
Use a text value ##### to find security groups having inbound rules with a certain IPv6 range.
Example
Show findings with this range
securitygroup.inboundRule.ipv6Range: 2001:db8::/32
securitygroup.inboundRule.toPort
Use an integer value ##### to find security groups having inbound rules with a certain to port.
Example
Show findings with this to port
securitygroup.inboundRule.toPort: 200
securitygroup.name
Use a text value ##### to find security groups with a certain group name in an inbound security group rule.
Example
Show findings with this group name
securitygroup.name: Windows RDP Allow Group
securitygroup.outboundRule.fromPort
Use an integer value ##### to find security groups having outbound rules with a certain from port.
Example
Show findings with this from port
securitygroup.outboundRule.fromPort: 200
securitygroup.outboundRule.ipProtocol
Select an IP protocol (tcp, udp, icmp) to find security groups having outbound rules with a certain IP protocol. Select from names in the drop-down menu.
Example
Show findings with the tcp protocol
securitygroup.outboundRule.ipProtocol: tcp
securitygroup.outboundRule.ipv4Range
Use a text value ##### to find security groups having outbound rules with a certain IPv4 range.
Example
Show findings with this range
securitygroup.outboundRule.ipv4Range: 203.0.113.0/24
securitygroup.outboundRule.ipv6Range
Use a text value ##### to find security groups having outbound rules with a certain IPv6 range.
Example
Show findings with this range
securitygroup.outboundRule.ipv6Range: 2001:db8::/32
securitygroup.outboundRule.toPort
Use an integer value ##### to find security groups having outbound rules with a certain to port.
Example
Show findings with this to port
securitygroup.outboundRule.toPort: 151
securitygroup.vpcId
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
securitygroup.vpcId: vpc-1e37cd76
AWS: Vulnerability Tokens
association.instances.vulnerability.qid
Use an integer value ##### to define the QID in question.
Example
Show findings with QID 90405
association.instances.vulnerability.qid:90405
association.instances.vulnerability.severity
Select a severity (1-5) to find resources having vulnerabilities with this severity. Select from values in the drop-down menu.
Example
Show findings with severity 4
association.instances.vulnerability.severity:4
Select a severity (1-5) to find resources having vulnerabilities with this customized severity. Select from values in the drop-down menu.
Example
Show findings with severity 3
association.instances.vulnerability.customerSeverity:3
association.instances.vulnerability.exploitability
Use quotes or backticks within values to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to this description
association.instances.vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
association.instances.vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
association.instances.vulnerability.exploitability: `GIF Parser Heap`
association.instances.vulnerability.patchAvailable
Use the values true | false to define vulnerabilities with patch available.
Example
Show findings with patch available
association.instances.vulnerability.patchAvailable: "true"
Show findings with no patch available
association.instances.vulnerability.patchAvailable: "false"
association.instances.vulnerability.firstFound
Use a date range or specific date to define when findings were first found.
Example
Show findings first found within certain dates
association.instances.vulnerability.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
association.instances.vulnerability.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
association.instances.vulnerability.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
association.instances.vulnerability.firstFound:'2015-11-11'
association.instances.vulnerability.lastFound
Use a date range or specific date to define when findings were last found.
Example
Show findings last found within certain dates
association.instances.vulnerability.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
association.instances.vulnerability.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
association.instances.vulnerability.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
association.instances.vulnerability.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12' AND association.instances.vulnerability.patchAvailable: "true")
association.instances.vulnerability.title
Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to this title
association.instances.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
association.instances.vulnerability.title: "Remote Code"
Show any findings that match exact value
association.instances.vulnerability.title: `Remote Code`
association.instances.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to description
association.instances.vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
association.instances.vulnerability.description: "remote code execution"
Show any findings that match exact value
association.instances.vulnerability.description: `remote code execution`
association.instances.vulnerability.cveIds
Use a text value ##### to find the CVE name you're interested in.
Example
Show findings with CVE name CVE-2015-0313
association.instances.vulnerability.cveIds: CVE-2015-0313
association.instances.vulnerability.category
Select a category (CGI, Database, Debian, OEL, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.
Example
Show findings with the category CGI
association.instances.vulnerability.category: "CGI"
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show resources with this score
association.instances.vulnerability.cvssInfo.baseScore: 7.8
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show resources with this score
association.instances.vulnerability.cvssInfo.temporalScore: 6.4
Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.
Example
Show findings with this name
association.instances.vulnerability.cvssInfo.accessVector: "NETWORK"
instance.securityGroup.name
Use a text value ##### to find the security group name you're looking for.
Example
Find security group related to name
instance.securityGroup.name: abc.qualys.com
Find security group that match exact value
instance.securityGroup.name: `abc.qualys.com`
association.instances.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Example
Find security groups with this public IP address
association.instances.publicIpAddress: 52.70.141.154
Find security groups within this IP range
association.instances.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
association.instances.vulnerability.port
Use an integer value ##### to help you find assets with some open port.
Example
Show vulnerability with port 80
association.instances.vulnerability.port: 80
association.instances.vulnerability.protocol
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Example
Show findings found on TCP
association.instances.vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
Threat Protection
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
Use the values true | false to define real-time threats due to active attacks.
Example
Show resources with threats due to active attacks
association.instances.vulnerability.threatIntel.activeAttacks: "true"
Use the values true | false to define real-time threats due to denial of service.
Example
Show resources with threats due to denial of service
association.instances.vulnerability.threatIntel.denialOfService: "true"
Use the values true | false to define real-time threats due to easy exploit.
Example
Show resources with threats due to easy exploit
association.instances.vulnerability.threatIntel.easyExploit: "true"
Use the values true | false to define real-time threats due to exploit kit.
Example
Show resources with threats due to exploit kit
association.instances.vulnerability.threatIntel.exploitKit: "true"
Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
association.instances.vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
association.instances.vulnerability.threatIntel.exploitKitName: `Angler`
Use the values true | false to define real-time threats due to high data loss.
Example
Show resources with threats due to high data loss
association.instances.vulnerability.threatIntel.highDataLoss: "true"
Use the values true | false to define real-time threats due to high lateral movement.
Example
Show resources with threats due to high lateral movement
association.instances.vulnerability.threatIntel.highLateralMovement: "true"
Use the values true | false to define real-time threats due to malware.
Example
Show resources with threats due to malware
association.instances.vulnerability.threatIntel.malware: "true"
Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
association.instances.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
association.instances.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
Use the values true | false to define real-time threats due to no patch available.
Example
Show resources with threats due to no patch available
association.instances.vulnerability.threatIntel.noPatch: "true"
Use the values true | false to define real-time threats due to public exploit.
Example
Show resources with threats due to public exploit
association.instances.vulnerability.threatIntel.publicExploit: "true"
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
association.instances.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
association.instances.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
association.instances.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
Use the values true | false to define real-time threats due to zero day exploit.
Example
Show resources with threats due to zero day exploit
association.instances.vulnerability.threatIntel.zeroDay: "true"
AWS: Subnet
These tokens are available in queries with resource.type:Subnet
subnet.autoAssignIpv6Address
Use the values true | false to find a subnet with auto-assign IPv6 addresses enabled.
Example
Show subnets with auto-assign IPv6 address
subnet.autoAssignIpv6Address: true
Show subnets without auto-assign IPv6 address
subnet.autoAssignIpv6Address: false
subnet.autoAssignPublicIp
Use the values true | false to find subnets where a public IPv4 address is assigned on launch.
Example
Show subnets with public IP address assigned on launch
subnet.autoAssignPublicIp: true
Show subnets without public IP address assigned on launch
subnet.autoAssignPublicIp: false
subnet.availabilityZone
Use a text value ##### to find subnets by availability zone.
Example
Show findings in the us-east-1a availability zone
subnet.availabilityZone: us-east-1a
subnet.availableIpCount
Use a text value ##### to find subnets by available IP count.
Example
Show findings with this available IP count
subnet.availableIpCount: 4091
subnet.cidrBlock
Use a text value ##### to find resources having a certain IPv4 CIDR block.
Example
Show findings with this IPv4 CIDR block
subnet.cidrBlock: 172.31.0.0/16
subnet.defaultSubnet
Use the values true | false to find the default subnet.
Example
Show subnets that are the default
subnet.defaultSubnet: true
Show subnets that are not the default
subnet.defaultSubnet: false
subnet.ipv6CidrBlock
Use a text value ##### to find resources having a certain IPv6 CIDR block.
Example
Show findings with this IPv6 CIDR block
subnet.ipv6CidrBlock: 2001:db8::/32
Use a text value ##### to find resources with a certain VPC ID.
Example
Show findings with this VPC ID
subnet.vpcId: vpc-1e37cd76
AWS: VPC
These tokens are available in queries with resource.type:VPC
Use a text value ##### to help you find resources (VPCs/subnets) having a certain IPv4 CIDR block.
Example
Show findings with this IPv4 CIDR block
vpc.cidrBlock: 172.31.0.0/16
Use the values true | false to find the default VPC.
Example
Show VPCs that are the default
vpc.defaultVpc: true
Show VPCs that are not the default
vpc.defaultVpc: false
vpc.instanceTenancy
Use values within quotes to find VPCs with certain instance tenancy.
Example
Show any findings with this tenancy
vpc.instanceTenancy: default
Show findings that contain parts of tenancy
vpc.instanceTenancy: "default"
vpc.ipv6CidrBlock
Use a text value ##### to find resources (VPCs/subnets) with a certain IPv6 CIDR block.
Example
Show findings with this IPv6 CIDR block
vpc.ipv6CidrBlock: 2001:db8::/32
AWS: RDS
These tokens are available in queries with resource.type:RDS
rds.dbInstanceIdentifier
Use a text value ##### to help you find resources (RDS) having a certain DB instance name.
Example
Show RDS resources with this DB instance name
rds.dbInstanceIdentifier: RDSdatabasename
rds.endpoint.port
Use a text value ##### to find RDS resources with specified port as endpoint.
Example
Show RDS resources that use this port as endpoint
rds.endpoint.port: 5432
Use values within quotes to find resources with certain engine name.
Example
Show RDS resources with this engine name
rds.engine: mysql
rds.instanceClass
Use a text value ##### to find resources (RDS) with a certain size.
Example
Show RDS resources with this size
rds.instanceClass: db.t2.micro
rds.publiclyAccessible
Use the values true | false to find if the resource is publicly accessible or not.
Example
Show RDS resources that are publicly accessible
rds.publiclyAccessible: true
Show RDS resources that are not publicly accessible
rds.publiclyAccessible: false
rds.securityGroup.id
Use a text value ##### to find RDS resources with specified security group Id.
Example
Show RDS resources with this security group Id.
rds.securityGroup.id: sg-3abe5246
Use a text value ##### to find resources (RDS) with a certain state.
Example
Show RDS resources that are available
rds.status: available
rds.subnetGroup.dbSubnetVpcId
Use a text value ##### to find resources (RDS) with a certain VPC Id.
Example
Show RDS resources with this VPC Id
rds.subnetGroup.dbSubnetVpcId: vpc-1e37cd7e
AWS: EBS Volume
These tokens are available in queries with resource.type:EBS Volume
ebsvolume.encrypted
Use the values true | false to know if the resource is encrypted or not.
Example
Show EBS volume resources that are encrypted.
ebsvolume.encrypted: true
ebsvolume.instance
Use a text value ##### to find EBS Volume resources with a certain instance ID.
Example
Show resources with this instance ID
ebsvolume.instance: i-045d8dd17d8a2a96f
ebsvolume.state
Use available or in-use state to find EBS volume instances with a certain state.
Example
Show running EBS volume instances
ebsvolume.state: in-use
ebsvolume.volumeId
Use a text value ##### to find resources (EBS volume) with a certain volumeId.
Example
Show resources with this volumeId
ebsvolume.volumeId: vol-0ac36138436791ca5
AWS: Lambda Function
lambda.tracingConfig
Use the values Active or Passthrough to find Lambda functions based on whether a subset of incoming requests is sampled and traced with AWS X-Ray.
Example
Show resources that sample and trace incoming requests with AWS X-Ray. Use Active for this.
lambda.tracingConfig: Active
Use a numeric value ##### in seconds to find resources (Lambda function) with a certain timeout value. Timeout is the amount of time that Lambda allows a function to run before stopping it. By default, it is 3 seconds. Maximum allowable timeout value is 900 seconds.
Example
Show resources with this timeout value
lambda.timeout: 3
Use a text value ##### to find resources (Lambda function) with a certain role name.
Example
Show resources with role name as sample_role_lambda
lambda.role: sample_role_lambda
Use a text value ##### to find resources (Lambda function) based on the programming language used to write the lambda function.
Example
Show resources that are written in Python 2.7
lambda.runtime: python2.7
lambda.functionName
Use a text value ##### to find resources (Lambda function) with a certain name.
Example
Show resources with exact name match as sample_lambda_function
lambda.functionName: sample_lambda_function
lambda.memorySize
Use a numeric value ##### to find resources (Lambda function) based on memory size (in MB) assigned to lambda function for execution.
Example
Show resources with 128 MB memory allocated for execution
lambda.memorySize: 128
lambda.trigger.arn
Use a value ##### to define the Amazon Resource Name (ARN) that would trigger the Lambda function.
Example
Show resources that are triggered on specified ARN
lambda.trigger.arn: arn:aws:iam::383031258652:user/LOCAL_1234
lambda.trigger.type
Use a text value ##### to define the type of trigger that executes the Lambda function.
Example
Show resources that are triggered by the s3 type
lambda.trigger.type: s3
lambda.layer.name
Use a text value ##### to find resources (Lambda function) with name of layer assigned to the lambda function.
Example
Show resources with this name assigned to the layer
lambda.layer.name: Sample_layer_name
Use a text value ##### to find resources (Lambda function) associated with a certain VPCID.
Example
Show resources with this VPCID
lambda.vpcId: vpc-4bd3013
Use a text value ##### to define the key of an AWS or Azure tag assigned to the Lambda function (case sensitive).
Example
Show resources with key Department
tag.key: Department
Use a text value ##### to define the value of an AWS or Azure tag assigned to the resource (case sensitive).
Example
Show resources with tag value Finance
tag.value: Finance
AWS: EKS Cluster
ekscluster.name
Use a text value ##### to find resources (EKS Cluster) with specific name.
Example
Show resources with specific name.
ekscluster.name: testCluster
ekscluster.status
Use to search for EKS Clusters with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Cluster you're interested in.
Example
Show resources with ACTIVE status
ekscluster.status: ACTIVE
ekscluster.version
Use Kubernetes versions such as 1.15, 1.16, 1.18, etc. to find EKS Clusters with the specified Kubernetes version.
Example
Show resources with specified Kubernetes version
ekscluster.version: 1.18
ekscluster.platformVersion
Use a text value ##### to find resources (EKS Cluster) with specified EKS Cluster platform version.
Example
Show resources with specified platform version
ekscluster.platformVersion: eks.3
ekscluster.endpointPublicAccess
Use the values true | false to define whether the EKS Cluster has API server public endpoint access.
Example
Show resources with public endpoint access of API server
ekscluster.endpointPublicAccess: true
ekscluster.endpointPrivateAccess
Use the values true | false to define whether the EKS Cluster has API server private endpoint access.
Example
Show resources with private endpoint access of API server
ekscluster.endpointPrivateAccess: true
ekscluster.endpoint
Use a text value ##### to find resources (EKS Cluster) with certain API server endpoint.
Example
Show resources with specified API server endpoint
ekscluster.endpoint: https://F41FF93B0AF978CF32886442BF14945B.sk1.ap-south-1.eks.amazonaws.com
ekscluster.role.name
Use a text value ##### to find resources (EKS Cluster) with IAM role name.
Example
Show resources with specified IAM role name
ekscluster.role.name: eksclusterrole
ekscluster.eksnodegroup.name
Use a text value ##### to find resources (EKS Cluster) with the associated node group name.
Example
Show resources with specified associated node group name
ekscluster.eksnodegroup.name: testNodeGroup
ekscluster.fargateprofile.name
Use a text value ##### to find resources (EKS Cluster) with the associated Fargate Profile name.
Example
Show resources with specified associated Fargate Profile name
ekscluster.fargateprofile.name: testFargate
ekscluster.vpcId
Use a text value ##### to find resources (EKS Cluster) with a VPC Id.
Example
Show resources with specified VPC Id
ekscluster.vpcId: vpc-b00ce2db
ekscluster.subnetId
Use a text value ##### to find resources (EKS Cluster) with a subnet Id.
Example
Show resources with specified subnet Id
ekscluster.subnetId: subnet-d17cf3aa
AWS: EKS Node Group
eksnodegroup.name
Use a text value ##### to find resources (EKS Node Group) with specific name.
Example
Show resources with specific name.
eksnodegroup.name: testNodeGroup
eksnodegroup.status
Use to search for EKS Node Group with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Node Group you're interested in.
Example
Show resources with ACTIVE status
eksnodegroup.status: ACTIVE
eksnodegroup.version
Use Kubernetes versions such as 1.15, 1.16, 1.18, etc. to find EKS Node Group with the specified Kubernetes version.
Example
Show resources with specified Kubernetes version
eksnodegroup.version: 1.18
eksnodegroup.desiredSize
Use a number to find resources (EKS Node Group) with desired node size.
Example
Show resources with specified node size
eksnodegroup.desiredSize: 1
eksnodegroup.amiType
Use a text value ##### to find resources (EKS Node Group) with the ami type of the EKS worker nodes.
Example
Show resources with specified ami type of EKS worker nodes
eksnodegroup.amiType: AL2_x86_64
eksnodegroup.instanceType
Use a text value ##### to find resources (EKS Node Group) with certain instance type.
Example
Show resources with specified instance type
eksnodegroup.instanceType: t3.micro
eksnodegroup.diskSize
Use a disk Size value to find resources (EKS Node Group) with certain disk Size.
Example
Show resources with specified disk size value
eksnodegroup.diskSize: 20
eksnodegroup.minSize
Use a number to find resources (EKS Node Group) with minimum node group size.
Example
Show resources with specified minimum node group size
eksnodegroup.minSize: 1
eksnodegroup.maxSize
Use a number to find resources (EKS Node Group) with maximum node group size.
Example
Show resources with specified maximum node group size
eksnodegroup.maxSize: 1
eksnodegroup.labels.key
Use a text value ##### to find resources (EKS Node Group) with the Kubernetes label key.
Example
Show resources with specified Kubernetes label key
eksnodegroup.labels.key: testLabelKey
eksnodegroup.labels.value
Use a text value ##### to find resources (EKS Node Group) with the Kubernetes label value.
Example
Show resources with specified Kubernetes label value
eksnodegroup.labels.value: testLabelValue
eksnodegroup.role.name
Use a text value ##### to find resources (EKS Node Group) with IAM role name.
Example
Show resources with specified IAM role name
eksnodegroup.role.name: nodeGroupRole
eksnodegroup.subnetId
Use a text value ##### to find resources (EKS Node Group) with a subnet Id.
Example
Show resources with specified subnet Id
eksnodegroup.subnetId: subnet-d17cf3aa
eksnodegroup.autoScalingGroup.Name
Use a text value ##### to find resources (EKS Node Group) with the associated auto scaling group.
Example
Show resources with specified auto scaling group name
eksnodegroup.autoScalingGroup.Name: eks-ecbbcabe-6a2c-9e3b-41a9-0670c6d325a1
eksnodegroup.ekscluster.name
Use a text value ##### to find resources (EKS Node Group) with associated EKS cluster name.
Example
Show resources with specified EKS cluster name
eksnodegroup.ekscluster.name: testCluster
eksnodegroup.securityGroup
Use a text value ##### to find resources (EKS Node Group) with associated security group.
Example
Show resources with specified security group
eksnodegroup.securityGroup: nodeGroupRole
AWS: EKS Fargate Profile
eksfargateprofile.name
Use a text value ##### to find resources (EKS Fargate Profile) with specific name.
Example
Show resources with specific name.
eksfargateprofile.name: testNodeGroup
eksfargateprofile.status
Use to search for EKS Fargate Profile resources with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Fargate Profile you're interested in.
Example
Show resources with ACTIVE status
eksfargateprofile.status: ACTIVE
eksfargateprofile.selectors.namespace.name
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace.
Example
Show resources with specified associated selector namespace
eksfargateprofile.selectors.namespace.name: testSelectorNameSpace
eksfargateprofile.selectors.namespace.labels.key
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace's key.
Example
Show resources with specified key of the associated selector namespace
eksfargateprofile.selectors.namespace.labels.key: testLabelKey
eksfargateprofile.selectors.namespace.labels.value
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace's value.
Example
Show resources with specified value of the associated selector namespace
eksfargateprofile.selectors.namespace.labels.value: testLabelValue
eksfargateprofile.role.name
Use a text value ##### to find resources (Fargate Profile) with IAM role name.
Example
Show resources with specified IAM role name
eksfargateprofile.role.name: fargateRole
eksfargateprofile.subnetId
Use a text value ##### to find resources (Fargate Profile) with a subnet Id.
Example
Show resources with specified subnet Id
eksfargateprofile.subnetId: subnet-d17cf3aa
eksfargateprofile.ekscluster.name
Use a text value ##### to find resources (Fargate Profile) with associated EKS cluster name.
Example
Show resources with specified EKS cluster name
eksfargateprofile.ekscluster.name: testCluster
AWS: Elastic Container Service (ECS)
ecs.cluster.arn
Provide a string value to find ECS clusters with the specified ARN.
Example
Find an ECS cluster with ARN "arn:aws:ecs:us-west-2:123456789012:cluster/my-cluster"
ecs.cluster.arn: "arn:aws:ecs:us-west-2:123456789012:cluster/my-cluster"
ecs.cluster.name
Provide a string value to find ECS clusters with the specified name.
Example
Find an ECS cluster named "my-cluster"
ecs.cluster.name: my-cluster
ecs.cluster.status
Select from available options (e.g., ACTIVE, PROVISIONING, DEPROVISIONING, FAILED, INACTIVE) to find ECS clusters with the specified status.
Example
Show active ECS clusters.
ecs.cluster.status: ACTIVE
ecs.cluster.namespace
Provide a partial string value to find ECS clusters with matching namespace.
Example
Find ECS clusters with namespace containing "prod"
ecs.cluster.namespace: prod
AWS: Elastic Network Interface (ENI)
Provide a string value to find ENIs with the specified ID.
Example
Find an ENI with ID "eni-1234567890abcdef0"
id: eni-1234567890abcdef0
networkinterfaces.status
Select from available options (e.g., available, attaching, in-use, detaching) to find ENIs with the specified status.
Example
Show in-use ENIs.
networkinterfaces.status: in-use
networkinterfaces.interfaceType
Select from available options (e.g., interface, nat_gateway) to find ENIs of the specified type.
Example
Show standard interface ENIs.
networkinterfaces.interfaceType: interface
networkinterfaces.availabilityZone
Provide a partial string value to find ENIs in matching availability zones.
Example
Find ENIs in availability zones containing "us-west"
networkinterfaces.availabilityZone: us-west
networkinterfaces.sourceDestCheck
Select (True, False) to find ENIs based on their source/destination check setting.
Example
Show ENIs with source/destination check enabled.
networkinterfaces.sourceDestCheck: true
networkinterfaces.requesterManaged
Select (True, False) to find ENIs based on whether they are requester-managed.
Example
Show requester-managed ENIs.
networkinterfaces.requesterManaged: true
networkinterfaces.operator.managed
Select (True, False) to find ENIs based on whether they are operator-managed.
Example
Show operator-managed ENIs.
networkinterfaces.operator.managed: true
networkinterfaces.association.natEnabled
Select (True, False) to find ENIs based on whether NAT is enabled for their association.
Example
Show ENIs with NAT enabled.
networkinterfaces.association.natEnabled: true
AWS: Elastic File System (EFS)
Provide a string value to find EFS file systems with the specified name.
Example
Find an EFS named "my-efs"
aws.efs.name: my-efs
Provide a string value to find EFS file systems with the specified ARN.
Example
Find an EFS with specified ARN.
aws.efs.arn: arn:aws:elasticfilesystem:us-west-2:123456789012:file-system/fs-12345678
Select from available options (e.g., available, creating, deleting, deleted) to find EFS file systems in the specified state.
Example
Show available EFS file systems.
efs.state: available
Provide a string value to find EFS file systems in the specified AWS region.
Example
Find EFS file systems in the us-west-2 region
aws.efs.region: us-west-2
AWS: Custom Domain Names
customdomainnames.status
Select from available options (e.g., AVAILABLE, PENDING, DELETING) to find custom domain names with the specified status.
Example
Show available custom domain names.
customdomainnames.status: AVAILABLE
customdomainnames.tlsVersion
Select from available options (e.g., TLS_1_0, TLS_1_2) to find custom domain names with the specified security policy.
Example
Show custom domains using TLS 1.2.
customdomainnames.tlsVersion: TLS_1_2
customdomainnames.apiEndpointType
Select from available options (e.g., REGIONAL, EDGE) to find custom domain names with the specified endpoint type.
Example
Show regional custom domain names.
customdomainnames.apiEndpointType: REGIONAL
AWS: Step Function (State Machine)
statemachine.name
Provide a string value to find state machines with the specified name.
Example
Find a state machine named "my-workflow"
statemachine.name: my-workflow
statemachine.statemachinearn
Provide a string value to find state machines with the specified ARN.
Example
Find a state machine with ARN "arn:aws:states:us-west-2:123456789012:stateMachine:my-workflow"
statemachine.statemachinearn: "arn:aws:states:us-west-2:123456789012:stateMachine:my-workflow"
statemachine.type
Select from available options (e.g., STANDARD, EXPRESS) to find state machines of the specified type.
Example
Show standard state machines.
statemachine.type: STANDARD
statemachine.status
Select from available options (e.g., ACTIVE, DELETE) to find state machines with the specified status.
Example
Show active state machines.
statemachine.status: ACTIVE
statemachine.tracingEnabled
Select (True, False) to find state machines based on whether tracing is enabled.
Example
Show state machines with tracing enabled.
statemachine.tracingEnabled: true
statemachine.loggingLevel
Select from available options (e.g., OFF, ERROR, ALL) to find state machines with the specified logging level.
Example
Show state machines with all logging enabled.
statemachine.loggingLevel: ALL
AWS: Simple Notification Service (SNS)
sns.topic.isFifo
Select (True, False) to find SNS topics based on whether they are FIFO topics.
Example
Show FIFO SNS topics.
sns.topic.isFifo: true
AWS: Simple Queue Service (SQS)
sqs.queue.isFifo
Select (True, False) to find SQS queues based on whether they are FIFO queues.
Example
Show FIFO SQS queues.
sqs.queue.isFifo: true
AWS: API Gateway
apigateway.deploymentId
Provide a string value to find API Gateway resources with the specified deployment ID.
Example
Find an API Gateway with deployment ID "a1b2c3d4e5"
apigateway.deploymentId: a1b2c3d4e5
apigateway.ipv6
Select (True, False) to find API Gateway resources based on whether IPv6 is enabled.
Example
Show API Gateways with IPv6 enabled.
apigateway.ipv6: true