Event Search Tokens in VMDR OT

On the Monitoring > Events tab, use the following tokens to search the events. Build your search queries by using various combinations of these tokens. Click each token for information about how to use it.

Supported Boolean Operators

The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.

and

Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.

Example

Show the network traffic with the source or destination asset as an OT device and UDP as the transport protocol.

hardware.type: `OT Device` and interfaces.transport.protocol: UDP


not

Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.

Example

Show the network traffic that does not have the source or destination asset as an OT device.

not hardware.type: `OT Device`


or

Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.

Examples

Show the network traffic with the source or destination asset as a router or an OT Device.

hardware.type: `router` or hardware.type: `OT Device`

Show the network traffic with the source asset as a router or the destination asset as an OT Device.

source.hardware.type: `router` or destination.hardware.type: `OT Device`
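As an added illustration, not part of the Qualys documentation, the following Python snippet applies the and / or / not rules described above to a few constructed events keyed by the event tokens this page documents. It assumes conventional boolean precedence (and binds tighter than or), which the page does not state, and it shows why multi-word values need backticks: a bare value stops at the first space.

```python
import re

# Constructed sample events (not data from the Qualys page); keys mirror the token names.
EVENTS = [
    {"event.category": "Process Integrity", "event.severity": "critical",
     "event.protocol": "s7comm", "event.transport.protocol": "tcp", "event.port": "102"},
    {"event.category": "Process Integrity", "event.severity": "low",
     "event.protocol": "cip", "event.transport.protocol": "tcp", "event.port": "44818"},
    {"event.category": "Network Scan", "event.severity": "high",
     "event.protocol": "modbus", "event.transport.protocol": "udp", "event.port": "55556"},
]

# One alternation: an 'and'/'or' operator, a 'not', or a token:value term whose value is
# either backtick-quoted (may contain spaces) or a single bare word.
LEXER = re.compile(
    r"\b(?P<op>and|or)\b|\b(?P<neg>not)\b"
    r"|(?P<token>[\w.]+)\s*:\s*(?:`(?P<quoted>[^`]*)`|(?P<bare>\S+))", re.I)

def parse_query(query):
    """Return the query as a list of OR-groups, each a list of (negated, token, value).
    'and' binds tighter than 'or' here; this precedence is an assumption of the example."""
    groups, current, negate = [], [], False
    for m in LEXER.finditer(query):
        if m.group("op"):
            if m.group("op").lower() == "or":   # 'or' closes the current AND-group
                groups.append(current)
                current = []
        elif m.group("neg"):
            negate = True                       # applies to the next term only
        else:
            value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
            current.append((negate, m.group("token"), value))
            negate = False
    groups.append(current)
    return groups

def term_matches(event, negated, token, value):
    """Case-insensitive exact match of one term; 'not' inverts the result."""
    hit = str(event.get(token, "")).lower() == value.lower()
    return hit != negated

def search(query, events=EVENTS):
    """Events matching the query: any OR-group whose terms all match."""
    return [e for e in events
            if any(all(term_matches(e, *t) for t in g) for g in parse_query(query))]
```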

Event Search Tokens

event.category

Use this token to search for events by their category. 

Example

Show events in the Process Integrity category.

event.category:`Process Integrity`

event.class

Use this token to search events by their class. Accepted values are OT or None.

Example

Show events with the class OT.

event.class:`OT`

event.detail

Use this token to search events based on the event detail.

Examples

Show events with detail I/O force disabled.

event.detail: `I/O force disabled`

Show events with detail Upload executable object.

event.detail:`Upload executable object`

event.lastDetectedDate

Use this token to search events by their last detected timestamp. The value is in epoch time.

Example

Show events detected at a specific time.

event.lastDetectedDate:`1752562761454`

event.impactedAsset.address

Use this token to search events based on the impacted asset’s IP address.

Examples

Show events for the impacted asset with IP 192.0.2.0.

event.impactedAsset.address:`192.0.2.0`


Show events for the impacted asset with IP 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.

event.impactedAsset.address:`2001:db8:ffff:ffff:ffff:ffff:ffff:ffff`

event.impactedAsset.id

Use this token to search events by the impacted asset’s ID.

Example

Show events for the asset ID.

event.impactedAsset.id:`a14e957e-3ec5-453c-b811-e423b012d0d3`

event.impactedAsset.macAddress

Use this token to search events by the impacted asset’s MAC address.

Example

Show events for the asset with the MAC address.

event.impactedAsset.macAddress:`66:7D:66:FF:CB:B6`

event.impactedAsset.hostname

Use this token to search events by the impacted asset’s hostname.

Example

Show events for the asset with the hostname.

event.impactedAsset.hostname:`host7936`

event.remoteAsset.address

Use this token to search events by the remote asset’s IP address.

Examples

Show events for the remote asset with IP 192.0.2.0.

event.remoteAsset.address: `192.0.2.0`


Show events for the remote asset with IP 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.

event.remoteAsset.address: `2001:db8:ffff:ffff:ffff:ffff:ffff:ffff`

event.remoteAsset.id

Use this token to search events by the remote asset’s unique ID.

Example

Show events for the remote asset ID.

event.remoteAsset.id:`a14e957e-3ec5-453c-b811-e423b012d0d3`

event.remoteAsset.macAddress

Use this token to search events by the remote asset’s MAC address.

Example

Show events for the remote asset with the MAC address.

event.remoteAsset.macAddress:`66:7D:66:FF:CB:B6`

event.remoteAsset.hostname

Use this token to search events by the remote asset’s hostname.

Example

Show events for the remote asset with the hostname.

event.remoteAsset.hostname:`host7936`

event.operation

Use this token to search events by the operation type related to the event.

Examples

Show events with the IO Forcing operation.

event.operation:`IO Forcing`

Show events with the Configuration Upload operation.

event.operation:`Configuration Upload`

event.protocol

Use this token to search events based on the network protocol associated with the event.

Examples

Show events using the cip protocol.

event.protocol:`cip`

Show events using the s7comm protocol.

event.protocol:`s7comm`

event.port

Use this token to search events based on the port number associated with the event.

Example

Show events on port 55556.

event.port:`55556`

event.transport.protocol

Use this token to search events based on the transport protocol associated with the event.

Example

Show events using the TCP transport protocol.

event.transport.protocol:`tcp`

event.severity

Use this token to search events by severity level. Common values include low, moderate, high, or critical.

Examples

Show events with low severity.

event.severity:`low`

Show events with critical severity.

event.severity:`critical`