Event Search Tokens in VMDR OT
On the Monitoring > Events tab, use the following tokens to search events. Build your search queries by combining these tokens with the Boolean operators listed below. Multi-word values are enclosed in backticks, for example event.detail:`I/O force disabled`.
Supported Boolean Operators
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
and
Narrow down your search by using the 'and' operator in your Boolean query. The result contains only events that match every token value that you provide in your query.
Example
Show the network traffic with the source or destination asset as an OT device and use UDP as the transport protocol
hardware.type: `OT Device` and interfaces.transport.protocol: UDP
not
Narrow down your search by using the 'not' operator in your Boolean query. The result contains everything except the events that match the token value that you specify after 'not' in your query.
Example
Show the network traffic that does not have the source or destination asset as an OT device
not hardware.type: `OT Device`
or
Broaden your search by using the 'or' operator in your Boolean query. The result contains events that match any of the token values that you provide in your query.
Examples
Show the network traffic with the source or destination asset as router or OT Device
hardware.type: `router` or hardware.type: `OT Device`
Show the network traffic with the source asset as router or destination asset as OT Device
source.hardware.type: `router` or destination.hardware.type: `OT Device`
Event Search Tokens
event.category
Use this token to search for events by their category.
Example
Show events in the Process Integrity category.
event.category:`Process Integrity`
event.class
Use this token to search events by their class. Accepted values are OT or None.
Example
Show events with the class OT.
event.class:`OT`
event.detail
Use this token to search events based on the event detail.
Example
Show events with detail I/O force disabled.
event.detail: `I/O force disabled`
Show events with detail Upload executable object.
event.detail:`Upload executable object`
event.lastDetectedDate
Use this token to search events by their last detected timestamp. The value is Unix epoch time in milliseconds, as in the example below.
Example
Show events detected at a specific time.
event.lastDetectedDate:`1752562761454`
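The following Python helpers are an added example, not Qualys code, and serve both the Boolean operator section above and the event.lastDetectedDate token. They assemble queries in the syntax this page shows (token:`value` clauses joined with and, or and not) so that multi-word values are always backticked, and they convert a timezone-aware datetime to the epoch-millisecond value the token expects. Two things are assumptions rather than facts from this page: that parentheses group nested compound clauses, and the hostname host7936 standing in for a known engineering workstation.

```python
"""Helpers for assembling QQL event queries for VMDR OT.

Added example; this is not Qualys code.  It only uses the syntax this page
shows: token:`value` clauses joined with and / or / not.  Grouping compound
clauses with parentheses is an assumption; the page does not show it, so
check it against your subscription before relying on it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Clause:
    text: str
    compound: bool = False   # True once an and/or joins more than one term

    def __str__(self) -> str:
        return self.text


def term(token: str, value) -> Clause:
    """One token:`value` clause.  Backticks keep multi-word values such as
    `I/O force disabled` from being split on whitespace."""
    s = str(value)
    if "`" in s:
        raise ValueError("a QQL value cannot contain a backtick")
    return Clause(f"{token}:`{s}`")


def _join(op: str, clauses) -> Clause:
    if not clauses:
        raise ValueError("need at least one clause")
    if len(clauses) == 1:
        return clauses[0]
    # Assumption: parentheses group nested compound clauses (not shown on the page).
    parts = [f"({c.text})" if c.compound else c.text for c in clauses]
    return Clause(f" {op} ".join(parts), compound=True)


def all_of(*clauses: Clause) -> Clause:   # narrow: every clause must match
    return _join("and", list(clauses))


def any_of(*clauses: Clause) -> Clause:   # broaden: any clause may match
    return _join("or", list(clauses))


def none_of(clause: Clause) -> Clause:    # exclude: negate one clause
    inner = f"({clause.text})" if clause.compound else clause.text
    return Clause(f"not {inner}")


_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_ms(dt: datetime) -> int:
    """event.lastDetectedDate takes Unix epoch time in milliseconds.  Integer
    arithmetic avoids the float rounding that int(dt.timestamp() * 1000)
    can introduce in the last digit."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the epoch is unambiguous")
    td = dt - _EPOCH
    return td.days * 86_400_000 + td.seconds * 1000 + td.microseconds // 1000


def example_queries() -> dict:
    """Queries assembled from this page's tokens.  The hostname is a
    constructed stand-in for a known engineering workstation."""
    detected = datetime(2025, 7, 15, 6, 59, 21, 454000, tzinfo=timezone.utc)
    return {
        # write-type operations that the platform rated high or critical
        "risky_ops": all_of(
            any_of(term("event.operation", "IO Forcing"),
                   term("event.operation", "Configuration Upload")),
            any_of(term("event.severity", "high"),
                   term("event.severity", "critical")),
        ),
        # S7comm events whose remote side is not the expected workstation
        "s7_unexpected_peer": all_of(
            term("event.protocol", "s7comm"),
            none_of(term("event.remoteAsset.hostname", "host7936")),
        ),
        # exact match on a millisecond timestamp (2025-07-15T06:59:21.454Z)
        "at_timestamp": term("event.lastDetectedDate", epoch_ms(detected)),
    }


if __name__ == "__main__":
    for name, query in example_queries().items():
        print(f"{name}: {query}")
```

Because the value is an exact millisecond, a query on event.lastDetectedDate only matches events whose timestamp is identical to the one supplied; compute it from the event you are pivoting from rather than typing a rounded time by hand.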
event.impactedAsset.address
Use this token to search events based on the impacted asset’s IP address.
Example
Show events for the impacted asset with IP 192.0.2.0.
event.impactedAsset.address:`192.0.2.0`
Show events for the impacted asset with IP 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.
event.impactedAsset.address:`2001:db8:ffff:ffff:ffff:ffff:ffff:ffff`
event.impactedAsset.id
Use this token to search events by the impacted asset’s ID.
Example
Show events for the asset ID.
event.impactedAsset.id:`a14e957e-3ec5-453c-b811-e423b012d0d3`
event.impactedAsset.macAddress
Use this token to search events by the impacted asset’s MAC address.
Example
Show events for the asset with the MAC address.
event.impactedAsset.macAddress:`66:7D:66:FF:CB:B6`
event.impactedAsset.hostname
Use this token to search events by the impacted asset’s hostname.
Example
Show events for the asset with the hostname.
event.impactedAsset.hostname:`host7936`
event.remoteAsset.address
Use this token to search events by the remote asset’s IP address.
Example
Show events for the remote asset with IP 192.0.2.0.
event.remoteAsset.address:`192.0.2.0`
Show events for the remote asset with IP 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.
event.remoteAsset.address:`2001:db8:ffff:ffff:ffff:ffff:ffff:ffff`
event.remoteAsset.id
Use this token to search events by the remote asset’s unique ID.
Example
Show events for the remote asset ID.
event.remoteAsset.id:`a14e957e-3ec5-453c-b811-e423b012d0d3`
event.remoteAsset.macAddress
Use this token to search events by the remote asset’s MAC address.
Example
Show events for the remote asset with the MAC address.
event.remoteAsset.macAddress:`66:7D:66:FF:CB:B6`
event.remoteAsset.hostname
Use this token to search events by the remote asset’s hostname.
Example
Show events for the remote asset with the hostname.
event.remoteAsset.hostname:`host7936`
event.operation
Use this token to search events by the operation type related to the event.
Example
Show events with the IO Forcing operation.
event.operation:`IO Forcing`
Show events with the Configuration Upload operation.
event.operation:`Configuration Upload`
event.protocol
Use this token to search events based on the industrial or network protocol associated with the event.
Example
Show events using the CIP protocol.
event.protocol:`cip`
Show events using the S7comm protocol.
event.protocol:`s7comm`
event.port
Use this token to search events based on the port number associated with the event.
Example
Show events on port 55556.
event.port:`55556`
event.transport.protocol
Use this token to search events based on the transport protocol associated with the event.
Example
Show events using TCP as the transport protocol.
event.transport.protocol:`tcp`
event.severity
Use this token to search events by severity level. Common values include low, moderate, high, or critical.
Example
Show events with low severity.
event.severity:`low`
Show events with critical severity.
event.severity:`critical`