On the Assets tab of the VMDR OT application, use the following tokens to search the assets in your inventory. Build your search queries by using various combinations of these tokens.
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
Show Siemens devices of the hardware type I/O Module
hardware.vendor: `Siemens` and hardware.type: "I/O Module"
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.
Examples
Show the assets based on the hardware vendor but exclude the assets from Siemens
not hardware.vendor: `Siemens`
Show the assets that run Windows Server 2008 SP1 but exclude assets that have the PLC hardware type
not hardware.type: `PLC` and operatingSystem: `Windows Server 2008 SP1`
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Example
Show the assets from either of the hardware vendors
hardware.vendor: `Siemens` or hardware.vendor: `Rockwell`
addOn.firmwareVersion
Use a text value to search the assets based on the firmware version of the add-on component. For exact search, enclose the token value in backticks `<value>`.
Example
Show the list of assets based on the firmware version of the add-on component
addOn.firmwareVersion: '30.1'
addOn.hardware.category2
Use a text value to search the assets based on hardware category 2 of the add-on component. For exact search, enclose the token value in backticks `<value>`.
Example
Show the list of assets based on the hardware category 2 of the add-on component
addOn.hardware.category2: Communication Module
addOn.hardware.model
Use a text value to search the assets based on the hardware model of the add-on component. For exact search, enclose the token value in backticks `<value>`.
Example
Show the list of assets based on the hardware model of the add-on component
addOn.hardware.model: SIMATIC S7-300
addOn.hardware.vendor
Use a text value to search the assets based on the hardware vendor of the add-on component. For exact search, enclose the token value in backticks `<value>`.
Example
Show the list of assets based on the hardware vendor of the add-on component
addOn.hardware.vendor: Siemens
addOn.orderId
Use a text value to search the assets based on the order ID of the add-on component. For exact search, enclose the token value in backticks `<value>`.
Example
Show the list of assets based on the order ID of the add-on component
addOn.orderId: '6ES7412-3HJ14-0AB0'
addOn.serialNumber
Use a text value to search the assets based on the serial number of the add-on component. For exact search, enclose the token value in backticks `<value>`.
Example
Show the list of assets based on the serial number of the add-on component
addOn.serialNumber: '0x00991222'
addOn.slaveAddress
Use a text value to search the assets based on the slave address of the add-on component. For exact search, enclose the token value in backticks `<value>`.
Example
Show the list of assets based on the slave address of the add-on component
addOn.slaveAddress: 0x00000004
addOn.unitAddress
Use a text value to search the assets based on the unit address of the add-on component. For exact search, enclose the token value in backticks `<value>`.
Example
Show the list of assets based on the unit address of the add-on component
addOn.unitAddress: 18
asset.assetID
Search an asset by its Qualys asset ID (UUID), assigned by an agent, or by a scanner appliance in case of Agentless Tracking. For exact search, enclose the token value in backticks `<value>`.
Example
Show the asset having UUID 56863af6-301e-3788-aa95-95b5f844ad2a
asset.assetID: '56863af6-301e-3788-aa95-95b5f844ad2a'
asset.created
Use a date range or specific date to search the assets based on the date created. For exact search, enclose the token value in backticks `<value>`.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
Show the assets created on the specified date
asset.created: '2020-01-08'
Show the assets created within the past 90 days (excluding day 90)
asset.created > now-90d
Show the assets created within the past 90 days (including day 90)
asset.created >= now-90d
Show the assets created before the past 90 days (excluding day 90)
asset.created < now-90d
Show the assets created before the past 90 days (including day 90)
asset.created <= now-90d
Show the assets created within the specified date range
asset.created: [2020-01-01 .. 2020-01-10]
Show the assets created from two weeks ago till a second ago
asset.created: [now-2w .. now-1s]
Note: An asset is created in the inventory when it is discovered and scanned for the first time by a scanner appliance or when the Qualys agent is installed on the asset.
asset.discovery.protocol
Search the assets that are inventoried via specific ICS Protocols. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets inventoried using the ENIP protocol
asset.discovery.protocol: `ENIP`
asset.hasAddOns
Select true or false to search assets that have add-on components.
Examples
Show the list of all assets that have any add-on components.
asset.hasAddOns: true
Note: You can use a combination of the tokens to search for the assets with rack/slot modules or add-on components.
asset.hasModules : true and asset.hasAddOns: true
asset.hasModules
Select true or false to search assets that have any rack/slot modules.
Examples
Show the list of all assets that have any rack/slot modules.
asset.hasModules : true
Note: You can use a combination of the tokens to search for the assets that do not have rack/slot modules or add-on components.
Show list of standalone assets.
asset.hasModules : false and asset.hasAddOns: false
asset.lastModified
Use a date range or specific date to search for assets that were last modified by the user.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
Show the assets last modified by the user on a specified date
asset.lastModified: '2022-01-01'
Show the assets last modified by the user within the past 90 days (excluding day 90)
asset.lastModified > now-90d
Show the assets last modified by the user within the past 90 days (including day 90)
asset.lastModified >= now-90d
Show the assets last modified by the user before the past 90 days (excluding day 90)
asset.lastModified < now-90d
Show the assets last modified by the user before the past 90 days (including day 90)
asset.lastModified <= now-90d
Show the assets last modified by the user within the specified date range
asset.lastModified: [2021-01-01 .. 2022-01-01]
Show the assets last modified by the user from two weeks ago till a second ago
asset.lastModified: [now-2w .. now-1s]
asset.lastUpdated
Use a date range or specific date to search when the assets were last updated in the inventory. The update date changes whenever the asset is rescanned or an agent uploads the host data to the cloud platform.
Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy
Examples
Show assets last updated on a specified date
asset.lastUpdated: '2020-01-08'
Show the assets last updated within the past 90 days (excluding day 90)
asset.lastUpdated > now-90d
Show the assets last updated within the past 90 days (including day 90)
asset.lastUpdated >= now-90d
Show the assets last updated before the past 90 days (excluding day 90)
asset.lastUpdated < now-90d
Show the assets last updated before the past 90 days (including day 90)
asset.lastUpdated <= now-90d
Show the assets last updated within the specified date range
asset.lastUpdated : [2020-01-01 .. 2020-01-10]
Show the assets last updated from two weeks ago till a second ago
asset.lastUpdated : [now-2w .. now-1s]
asset.modified
Search the assets that are modified by the user. Select true or false as the token value.
Example
Show the assets that are modified by the user
asset.modified: true
asset.name
Use a text value to search the assets by their name. For exact search, enclose the token value in backticks `<value>`.
Examples
Show any findings related to the asset name
asset.name: Car Assembly
Show any findings that contain parts of the asset name
asset.name: "Car Assembly"
Show any findings that match the exact name ACMENVT7
asset.name: `ACMENVT7`
asset.orderid
Use a text value to search the assets by their order ID. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets that have order ID 6ES7412-3HJ14-0AB0
asset.orderid: '6ES7412-3HJ14-0AB0'
Note: All Siemens devices have an order number attached to them. This is also known as the Article Number or Market Facing Number. It is a 16-digit alphanumeric string in which each character or number represents the device's characteristics or attributes.
asset.risk
Use an integer as the token value to search assets by their risk scores.
Examples
Show the assets with a risk score of 9
asset.risk: 9
Show the assets for which risk score is not yet calculated
asset.risk is null
Show the assets with a valid risk score
not asset.risk is null
Note: Assets with a risk score between 0 and 10 are displayed.
asset.serialnumber
Search the assets by their serial numbers. For exact search, enclose the token value in backticks `<value>`.
Example
Show the asset that has the serial number 0x00991222.
asset.serialnumber: '0x00991222'
asset.state
Use a text value to search assets based on their state.
Example
Show the assets with the state RUN_P
asset.state: RUN_P
asset.vulnerabilities.count
Use an integer to search the assets by the number of total vulnerabilities detected.
Example
Show the assets having 6 or fewer vulnerabilities
asset.vulnerabilities.count <= 6
firmwareversion
Search assets by their firmware version. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets having firmware version 30.1
firmwareversion: `30.1`
hardware.category1
Search the assets based on their hardware category 1 value. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets with high-level category as Field Instruments
hardware.category1: Field Instruments
hardware.category2
Search the assets by their hardware category 2 value. For exact search, enclose the token value in backticks `<value>`.
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category2: Laser
hardware.class
Search the assets based on their hardware class value. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets with hardware class as OT
hardware.class: OT
hardware.manufacturer
Search the assets by their hardware manufacturer. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the assets related to hardware manufacturer Schneider Electric
hardware.manufacturer: Schneider Electric
Show the assets that contain Schneider or Electric, or both in their hardware manufacturer name
hardware.manufacturer: "Schneider Electric"
Show the assets that have Siemens as their hardware manufacturer name
hardware.manufacturer: `Siemens`
hardware.mapped
Search the assets for which the hardware information is cataloged or uncataloged. Select Cataloged or Uncataloged as the token value.
Example
Show the assets for which the hardware information is cataloged
hardware.mapped: Cataloged
hardware.model
Use a text value to search the assets based on their hardware model. For exact search, enclose the token value in backticks `<value>`.
Examples
Show assets related to the hardware model name
hardware.model: SIMATIC S7-300
Show the assets that have Dell or Latitude, or both in their hardware model name
hardware.model: "Dell Latitude"
Show assets that have Dell Latitude as their hardware model name
hardware.model: `Dell Latitude`
hardware.version
Use an integer as the token value to search assets by their hardware version. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets having hardware version 5
hardware.version: `5`
interfaces.address
Use a text value to search an asset by its IP address.
Example
Show the asset which has the specified IP address
interfaces:(address: 192.168.1.10)
interfaces.macAddress
Use a text value to search an asset by its MAC address. For exact search, enclose the MAC address in backticks `<value>`.
Example
Show the asset which has the specified MAC address
interfaces:(macAddress: `5C-88-16-A9-73-5A`)
inventory.fileHash
Search the assets created from the source Industrial OCA using the hash of a file. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets from Industrial OCA using this hash value
inventory.fileHash: `c9d0c6e534b51a733ff64e1fd3c4141`
inventory.fileName
Search the assets created from the source Industrial OCA using the name of a file. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets that belong to the file with the name Germany_Plant_1
inventory.fileName: `Germany_Plant_1`
interfaces.protocol
Search the assets by their interface protocol. Specify the protocol name as the token value. For exact search, enclose the token value in backticks `<value>`.
Example
Show the assets that have identified MODBUS TCP protocol on their interfaces
interfaces.protocol: `MODBUS TCP`
inventory.source
Search the assets created from the source. Select the value from the option Passive Sensor or Industrial OCA. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the assets from Passive Sensor
inventory.source: `Passive Sensor`
Show the assets from Industrial OCA
inventory.source: `Industrial OCA`
passiveSensor.id
Use a string value to search assets sensed by a certain sensor ID.
Example
Show the assets discovered by the sensor with the specific ID
passiveSensor.id: "032589611212:1638792150:574815:701:1638792150:574815:701"
passiveSensor.location
Use a text value to search assets based on a specific sensor location. For exact search, enclose the token value in backticks `<value>`.
Example
Show assets with sensor location (appliance location label) as SanJose1
passiveSensor.location: "SanJose1"
passiveSensor.name
Use a text value to find assets based on a specific sensor name. For exact search, enclose the token value in backticks `<value>`.
Example
Show assets with sensor name as ICS-PS-P27-IN03-218-238
passiveSensor.name: `ICS-PS-P27-IN03-218-238`
purdue.level
Search the assets that belong to a Purdue level.
Examples
Show the assets that belong to Purdue Level 0
purdue.level: `Level 0`
Show the assets for which Purdue level is not defined or mapped
purdue.level is null
Show the assets that are mapped with a valid Purdue level
not purdue.level is null
Note: Assets belonging to the Purdue level between Level 0 and Level 5 are displayed.
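Added example (not part of the Qualys documentation): a small Python builder that assembles inventory-hygiene queries from the tokens, 'and' operator, backtick exact match, date comparison and date range syntax shown on this page, validating every value before it is placed in a query. The function names and the three sample searches are constructed for illustration; rejecting backticks in values is an assumption, because the page documents no way to escape them.

```python
import re

# Date values the page lists (yyyy-MM-dd, yyyy-MM, yyyy) plus the relative
# forms its examples use (now-90d, now-2w, now-1s); other units are rejected.
_DATE = re.compile(r"(\d{4}(-\d{2}(-\d{2})?)?|now-\d+[dws])")
_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9]*(\.[A-Za-z][A-Za-z0-9]*)*")

def _token(name):
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"bad token name: {name!r}")
    return name

def _date(value):
    if not _DATE.fullmatch(value):
        raise ValueError(f"unsupported date value: {value!r}")
    return value

def exact(token, value):
    """Exact match: value wrapped in backticks, as the page describes."""
    # Assumption: the page documents no escape for a backtick inside a value,
    # so reject it (and line breaks) instead of letting input reshape the query.
    if any(c in value for c in "`\r\n"):
        raise ValueError(f"value cannot be quoted safely: {value!r}")
    return f"{_token(token)}: `{value}`"

def date_cmp(token, op, value):
    if op not in (">", ">=", "<", "<="):
        raise ValueError(f"bad operator: {op!r}")
    return f"{_token(token)} {op} {_date(value)}"

def date_range(token, start, end):
    return f"{_token(token)}: [{_date(start)} .. {_date(end)}]"

def is_null(token):
    return f"{_token(token)} is null"

def all_of(*clauses):
    return " and ".join(clauses)

def hygiene_queries(vendor):
    """Constructed inventory-hygiene searches built from the page's tokens."""
    return {
        # Vendor's assets not rescanned or re-uploaded for more than 90 days.
        "stale": all_of(exact("hardware.vendor", vendor),
                        date_cmp("asset.lastUpdated", "<", "now-90d")),
        # Assets created in the last two weeks with no Purdue level mapped.
        "unmapped_new": all_of(is_null("purdue.level"),
                               date_range("asset.created", "now-2w", "now-1s")),
        # PLCs whose risk score has not been calculated yet.
        "unscored_plc": all_of(exact("hardware.type", "PLC"), is_null("asset.risk")),
    }
```

The builder only emits 'and' chains, so the result never depends on how 'and', 'or' and 'not' bind relative to each other.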
For information about search tokens on the Vulnerabilities tab, see Vulnerabilities Search Tokens.
For information about search tokens on the Network tab, see Network Search Tokens.
For information about search tokens on the Import Asset tab, see Import Asset Search Tokens.