Network Search Tokens in VMDR OT

On the Network tab of the VMDR OT application, use the following tokens to search the network traffic. Build your search queries by combining these tokens. Each token is described below with examples.

Supported Boolean operators

The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.

and

Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.

Example

Show the network traffic with the source or destination asset as an OT device and use UDP as the transport protocol

hardware.type: `OT Device` and interfaces.transport.protocol: UDP

 

not

Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.

Example

Show the network traffic that does not have the source or destination asset as an OT device

not hardware.type: `OT Device`

 

or

Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.

Examples

Show the network traffic with the source or destination asset as router or OT Device

hardware.type: `router` or hardware.type: `OT Device`

Show the network traffic with the source asset as router or destination asset as OT Device

source.hardware.type: `router` or destination.hardware.type: `OT Device`

 

 

Search tokens

asset.name

Search the network traffic by the hostname of the source or destination asset. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the hostname of the source or destination asset as PR_HOST_11

asset.name: `PR_HOST_11`

 

source.asset.name

Search the network traffic by the hostname of the source. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the hostname of the source as PR_HOST_11

source.asset.name: `PR_HOST_11`

 

destination.asset.name

Search the network traffic by the hostname of the destination. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the hostname of the destination as PR_HOST_11

destination.asset.name: `PR_HOST_11`

 

interfaces.address

Search the network traffic by IP address of source or destination. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the IP address of the source or destination asset as 10.113.14.15

interfaces.address: `10.113.14.15`

 

source.interfaces.address

Search the network traffic by IP address of source. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the IP address of the source asset as 10.113.14.15

source.interfaces.address: `10.113.14.15`

 

destination.interfaces.address

Search the network traffic by IP address of the destination. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the IP address of the destination asset as 10.114.15.16

destination.interfaces.address: `10.114.15.16`

 

hardware.type

Search the network traffic by hardware type of source or destination asset. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the source or destination asset as HVAC Control

hardware.type: `HVAC Control`

 

source.hardware.type

Search the network traffic by hardware type of the source asset. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the source asset as HVAC Control

source.hardware.type: `HVAC Control`

 

destination.hardware.type

Search the network traffic by hardware type of the destination asset. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the destination asset as Programmable Logic Controller (PLC)

destination.hardware.type: `Programmable Logic Controller (PLC)`

 

interfaces.protocol

Search the network traffic based on the application protocol. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the network traffic that uses ENIP as an application protocol

interfaces.protocol: `enip`

Show the network traffic that uses BACnet as an application protocol

interfaces.protocol: bacnet

Show the network traffic that uses CIP and ENIP as application protocols

interfaces.protocol: `cip, enip`

 

interfaces.transport.protocol

Search the network traffic based on the transport protocol. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the network traffic that uses TCP as the transport protocol

interfaces.transport.protocol: `tcp`

Show the network traffic that uses UDP as the transport protocol

interfaces.transport.protocol: `udp`

 

destination.interfaces.port

Search the network traffic by the port of the destination asset. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the network traffic that has the destination asset’s port as 44818

destination.interfaces.port: 44818

Show the network traffic that has the destination asset’s ports as 80 and 443

destination.interfaces.port: [80, 443]

 

interfaces.macAddress

Search the network traffic by MAC address of the source or the destination asset. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the MAC address of the source or the destination asset as 5c:88:16:9f:3b:00

interfaces.macAddress: `5c:88:16:9f:3b:00`

 

source.interfaces.macAddress

Search the network traffic by MAC address of the source. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the MAC address of the source asset as 5c:88:16:9f:3b:00

source.interfaces.macAddress: `5c:88:16:9f:3b:00`

 

destination.interfaces.macAddress

Search the network traffic by MAC address of the destination asset. For exact search, enclose the token value in backticks `<value>`.

Example

Show the network traffic with the MAC address of the destination asset as 5c:88:16:9f:3b:00

destination.interfaces.macAddress: `5c:88:16:9f:3b:00`

 

traffic.total

Use an integer value ##### to find network traffic based on total traffic volume.

If the unit of network traffic is not specified with the token, the query searches the traffic volume in Bytes by default.

Examples

Show network traffic with total traffic equal to 10 GB

traffic.total: 10 GB

Show network traffic with total traffic greater than 10 MB

traffic.total > 10 MB

Show network traffic with total traffic greater than or equal to 10 KB

traffic.total >= 10 KB

Show network traffic with total traffic less than 10 GB

traffic.total < 10 GB

Show network traffic with total traffic less than or equal to 10 MB

traffic.total <= 10 MB

Show network traffic with total traffic not equal to 10 KB

traffic.total != 10 KB

Show network traffic with total traffic equal to 1048576 Bytes

traffic.total = 1048576

 

traffic.ingress

Use an integer value ##### to find network traffic based on ingress traffic volume.

If the unit of network traffic is not specified with the token, the query searches the traffic volume in Bytes by default.

Examples

Show network traffic with ingress traffic equal to 10 GB

traffic.ingress: 10 GB

Show network traffic with ingress traffic greater than 10 MB

traffic.ingress > 10 MB

Show network traffic with ingress traffic greater than or equal to 10 KB

traffic.ingress >= 10 KB

Show network traffic with ingress traffic less than 10 GB

traffic.ingress < 10 GB

Show network traffic with ingress traffic less than or equal to 10 MB

traffic.ingress <= 10 MB

Show network traffic with ingress traffic not equal to 10 KB

traffic.ingress != 10 KB

Show network traffic with ingress traffic equal to 1048576 Bytes

traffic.ingress = 1048576

 

traffic.egress

Use an integer value ##### to find network traffic based on egress traffic volume.

If the unit of network traffic is not specified with the token, the query searches the traffic volume in Bytes by default.

Examples

Show network traffic with egress traffic equal to 10 GB

traffic.egress: 10 GB

Show network traffic with egress traffic greater than 10 MB

traffic.egress > 10 MB

Show network traffic with egress traffic greater than or equal to 10 KB

traffic.egress >= 10 KB

Show network traffic with egress traffic less than 10 GB

traffic.egress < 10 GB

Show network traffic with egress traffic less than or equal to 10 MB

traffic.egress <= 10 MB

Show network traffic with egress traffic not equal to 10 KB

traffic.egress != 10 KB

Show network traffic with egress traffic equal to 1048576 Bytes

traffic.egress = 1048576
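The Boolean operators at the top of this page and the token forms shown in the sections above (exact search in backticks, `[80, 443]` lists, comparison operators with optional units on the traffic tokens) are easy to get subtly wrong when queries are assembled in scripts, for example when automating saved searches or alert checks. The following helper is an added example, not Qualys code: it composes query strings from the tokens listed on this page and rejects tokens and operators the page does not list, so a typo fails before the query is sent. The 1024-based KB/MB/GB scale in `to_bytes()` is an assumption (the page's "1048576 Bytes" example suggests it but does not state it), and the rule in `term()` that an unquoted value must contain no whitespace is this helper's own safety check, not a documented QQL rule.

```python
"""Compose VMDR OT network-tab QQL query strings from the tokens on this page.

Added example, not Qualys code. It encodes only what the reference page
states: `token: value` terms, backtick-wrapped values for exact search,
`[a, b]` lists, comparison operators on the traffic.* tokens, and a Bytes
default when no unit is given. The 1024-based KB/MB/GB scale in to_bytes()
is an assumption; the whitespace rule in term() is this helper's own check.
"""
from typing import Iterable, Optional, Union

# Tokens listed on the reference page for the Network tab.
STRING_TOKENS = frozenset({
    "asset.name", "source.asset.name", "destination.asset.name",
    "interfaces.address", "source.interfaces.address",
    "destination.interfaces.address",
    "hardware.type", "source.hardware.type", "destination.hardware.type",
    "interfaces.protocol", "interfaces.transport.protocol",
    "interfaces.macAddress", "source.interfaces.macAddress",
    "destination.interfaces.macAddress",
})
NUMERIC_TOKENS = frozenset({
    "destination.interfaces.port", "traffic.total", "traffic.ingress",
    "traffic.egress",
})
COMPARISONS = frozenset({"=", "!=", ">", ">=", "<", "<="})
# Assumed binary scale; the page only states that the default unit is Bytes.
UNIT_SCALE = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def _check_token(token: str, allowed: frozenset) -> None:
    """Reject tokens that are not on the page, so typos fail loudly."""
    if token not in allowed:
        raise ValueError(f"unsupported token for this operation: {token!r}")


def exact(token: str, value: str) -> str:
    """token: `value`  (exact search; the value is wrapped in backticks)."""
    _check_token(token, STRING_TOKENS)
    if "`" in value:
        raise ValueError("a backtick inside the value cannot be expressed")
    return f"{token}: `{value}`"


def term(token: str, value: Union[str, int]) -> str:
    """token: value  (no backticks, the relaxed form the page also shows)."""
    _check_token(token, STRING_TOKENS | NUMERIC_TOKENS)
    text = str(value)
    if any(ch.isspace() for ch in text):
        # Helper's own rule: an unquoted value with spaces is ambiguous
        # next to the and/or/not keywords, so require exact() instead.
        raise ValueError("value contains whitespace; use exact() instead")
    return f"{token}: {text}"


def any_of(token: str, values: Iterable[Union[str, int]]) -> str:
    """token: [v1, v2]  (list form, as in destination.interfaces.port: [80, 443])."""
    _check_token(token, STRING_TOKENS | NUMERIC_TOKENS)
    items = [str(v) for v in values]
    if not items:
        raise ValueError("list value must not be empty")
    return f"{token}: [{', '.join(items)}]"


def compare(token: str, op: str, amount: int, unit: Optional[str] = None) -> str:
    """token OP amount [UNIT]  for the numeric traffic tokens."""
    _check_token(token, NUMERIC_TOKENS)
    if op not in COMPARISONS:
        raise ValueError(f"unsupported comparison operator: {op!r}")
    if unit is not None and unit not in UNIT_SCALE:
        raise ValueError(f"unsupported unit: {unit!r}")
    return f"{token} {op} {amount}" + (f" {unit}" if unit else "")


def and_(*parts: str) -> str:
    """Join terms with the 'and' operator (narrows the result)."""
    return " and ".join(parts)


def or_(*parts: str) -> str:
    """Join terms with the 'or' operator (broadens the result)."""
    return " or ".join(parts)


def not_(part: str) -> str:
    """Negate a single term with the 'not' operator."""
    return f"not {part}"


def to_bytes(text: str) -> int:
    """Turn a traffic value such as '10 MB' or '1048576' into a byte count."""
    fields = text.split()
    if len(fields) == 1:
        return int(fields[0])  # no unit: Bytes, as the page states
    if len(fields) == 2 and fields[1].upper() in UNIT_SCALE:
        return int(fields[0]) * UNIT_SCALE[fields[1].upper()]
    raise ValueError(f"cannot parse traffic value: {text!r}")


if __name__ == "__main__":
    # Rebuild two of the page's own examples and one size conversion.
    print(and_(exact("hardware.type", "OT Device"),
               term("interfaces.transport.protocol", "UDP")))
    print(or_(exact("source.hardware.type", "router"),
              exact("destination.hardware.type", "OT Device")))
    print(to_bytes("10 MB"))
```

The page shows no grouping syntax, so `and_()` and `or_()` simply join their parts; keep each generated query to one operator kind, or build the two halves separately, rather than relying on an undocumented precedence between `and` and `or`.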

 

 

For information about search tokens on the Assets tab, see Assets Search Tokens.

For information about search tokens on the Vulnerabilities tab, see Vulnerabilities Search Tokens.

For information about search tokens on the Import Asset tab, see Import Asset Search Tokens.