Network Search Tokens in VMDR OT
On the Network tab of the VMDR OT application, use the following tokens to search the network traffic. Build your search queries by using various combinations of these tokens. Click each token for information about how to use it.
Supported Boolean Operators
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
and
Narrow down your search by using the 'and' operator in your Boolean query. The result contains only the records that match all the token values you provide in your query.
Example
Show the network traffic from the given source hostname that uses UDP as the transport protocol
source.asset.name: `PR_HOST_11` and asset.interface.transport.protocol: UDP
not
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the records except those that match the value you specify after 'not' in your query.
Example
Show the network traffic that does not have the following source hostname
not source.asset.name: PR_HOST_11
or
Broaden your search by using the 'or' operator in your Boolean query. The result contains the records that match any of the token values you provide in your query.
Examples
Show the network traffic with either of the following source hostnames
source.asset.name: `PR_HOST_11` or source.asset.name: `PR_HOST_13`
Show the network traffic with the source asset of hardware type router or the destination asset of hardware type OT Device
source.hardware.type: `router` or destination.hardware.type: `OT Device`
Network Search Tokens
asset.name
Search the network traffic by the hostname of the source or destination asset.
Example
Show the network traffic with the hostname of the source or destination asset as PR_HOST_11
asset.name: `PR_HOST_11`
source.asset.name
Search the network traffic by the hostname of the source.
Example
Show the network traffic with the hostname of the source as PR_HOST_11
source.asset.name: `PR_HOST_11`
destination.asset.name
Search the network traffic by the hostname of the destination.
Example
Show the network traffic with the hostname of the destination as PR_HOST_11
destination.asset.name: `PR_HOST_11`
asset.interface.address
Search the network traffic by the IP address of the source or destination.
Example
Show the network traffic with the IPv4 address of the source or destination asset as 192.0.2.0
asset.interface.address:"192.0.2.0"
Show the network traffic with the IPv6 address of the source or destination asset as 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
asset.interface.address:"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
source.interface.address
Search the network traffic by the IP address of the source asset.
Example
Show the network traffic with the IPv4 address of the source asset as 192.0.2.0
source.interface.address:"192.0.2.0"
Show the network traffic with the IPv6 address of the source asset as 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
source.interface.address:"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
destination.interface.address
Search the network traffic by the IP address of the destination asset.
Example
Show the network traffic with the IPv4 address of the destination asset as 192.0.2.0
destination.interface.address: "192.0.2.0"
Show the network traffic with the IPv6 address of the destination asset as 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
destination.interface.address: "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
source.hardware.type
Search the network traffic by the hardware type of the source asset.
Example
Show the network traffic with the source asset as HVAC Control
source.hardware.type: `HVAC Control`
destination.hardware.type
Search the network traffic by the hardware type of the destination asset.
Example
Show the network traffic with the destination asset as Programmable Logic Controller (PLC)
destination.hardware.type: `Programmable Logic Controller (PLC)`
asset.interface.protocol
Search the network traffic based on the application protocol.
Examples
Show the network traffic that uses ENIP as an application protocol
asset.interface.protocol: `enip`
Show the network traffic that uses BACnet as an application protocol
asset.interface.protocol: bacnet
Show the network traffic that uses CIP and ENIP as application protocols
asset.interface.protocol: `cip, enip`
asset.interface.transport.protocol
Search the network traffic based on the transport protocol.
Examples
Show the network traffic that uses TCP as the transport protocol
asset.interface.transport.protocol: `tcp`
Show the network traffic that uses UDP as the transport protocol
asset.interface.transport.protocol: `udp`
destination.interface.port
Search the network traffic by the port of the destination asset.
Examples
Show the network traffic that has the destination asset’s port as 44818
destination.interface.port: 44818
Show the network traffic that has the destination asset’s ports as 80 and 443
destination.interface.port: [80, 443]
asset.interface.macAddress
Search the network traffic by MAC address of the source or the destination asset.
Example
Show the network traffic with the MAC address of the source or the destination asset as 5c:88:16:9f:3b:00
asset.interface.macAddress: "5c:88:16:9f:3b:00"
source.interface.macAddress
Search the network traffic by the MAC address of the source asset.
Example
Show the network traffic with MAC address of the source asset as 5c:88:16:9f:3b:00
source.interface.macAddress:"5c:88:16:9f:3b:00"
destination.interface.macAddress
Search the network traffic by the MAC address of the destination asset.
Example
Show the network traffic with MAC address of the destination asset as 5c:88:16:9f:3b:00
destination.interface.macAddress:"5c:88:16:9f:3b:00"
traffic.total
Use an integer value ##### to find network traffic based on total traffic volume.
If the unit of network traffic is not specified with the token, the query searches the traffic volume in Bytes by default.
Examples
Show network traffic with total traffic greater than 10 MB
traffic.total > 10 MB
Show network traffic with total traffic less than 10 GB
traffic.total < 10 GB
traffic.ingress
Use an integer value ##### to find network traffic based on ingress traffic volume.
If the unit of network traffic is not specified with the token, the query searches the traffic volume in Bytes by default.
Examples
Show network traffic with ingress traffic greater than 10 MB
traffic.ingress > 10 MB
Show network traffic with ingress traffic less than 10 GB
traffic.ingress < 10 GB
traffic.egress
Use an integer value ##### to find network traffic based on egress traffic volume.
If the unit of network traffic is not specified with the token, the query searches the traffic volume in Bytes by default.
Examples
Show network traffic with egress traffic greater than 10 MB
traffic.egress > 10 MB
Show network traffic with egress traffic less than 10 GB
traffic.egress < 10 GB
traffic.external.address
Use the string value ##### to find network traffic using a tracked external IP.
Examples
Show network traffic with external IPv4 address 192.0.2.0
traffic.external.address:"192.0.2.0"
Show network traffic with external IPv6 address 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
traffic.external.address:"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
Alert Specific Network Tokens
The following tokens can be used only for alert creation:
If a token value contains a colon (:) character, enclose the value in double quotes ("...").
source.asset.id
Use this token to search network traffic by the source asset ID.
Example
Show network traffic from the following source asset ID
source.asset.id: "56863af6-301e-3788-aa95-95b5f844ad2a"
source.asset.riskScore
Use this token to search traffic by the TruRisk™ score of the source asset.
Examples
Show the assets with a risk score of 9
remoteAsset.riskScore: 9
Show the assets for which the risk score is not yet calculated
remoteAsset.riskScore is null
Show the assets with a valid risk score
not remoteAsset.riskScore is null
source.firmwareVersion
Use this token to search traffic by the firmware version of the source asset.
Example
Show network traffic by the firmware version of the source asset
source.firmwareVersion: "3.1.2"
source.software.version
Use this token to search traffic by the software version running on the source asset.
Example
Show network traffic by the software version running on the source asset
source.software.version: "2.4.8"
source.asset.importance
Use this token to search traffic based on the business importance of the source asset.
Example
Find network traffic originating from high-importance assets.
source.asset.importance: "High"
source.asset.createdDate
Use this token to search traffic by the creation date of the source asset.
Example
Find network traffic from assets created on a specific date.
source.asset.createdDate: "2024-06-01"
source.asset.lastUpdatedDate
Use this token to search traffic by the last updated date of the source asset.
Example
Find network traffic from assets last updated on a specific date.
source.asset.lastUpdatedDate: "2025-01-20"
source.asset.type
Use this token to search traffic by the type of the source asset.
Example
Find network traffic originating from a specific asset type.
source.asset.type: "PLC"
source.hardware.vendor
Use this token to search traffic by the hardware vendor of the source asset.
Example
Find network traffic from assets manufactured by a specific vendor.
source.hardware.vendor: "Siemens"
source.hardware.model
Use this token to search network traffic by the hardware model of the source asset.
Example
Find network traffic from assets with a specific hardware model.
source.hardware.model: "S7-1200"
source.inventory.scannerId
Use this token to search network traffic by the scanner ID that discovered the source asset.
Example
Find network traffic from assets discovered by a specific scanner.
source.inventory.scannerId: "SCN-1024"
source.inventory.sensorId
Use this token to search network traffic by the sensor ID that discovered the source asset.
Example
Find network traffic detected by a specific sensor.
source.inventory.sensorId: "032589611212:1638792150:574815:701:1638792150:574815:701"
source.asset.vulnerability.count
Use this token to search network traffic by the number of vulnerabilities detected on the source asset.
Example
Find network traffic from assets with a specific number of detected vulnerabilities.
source.asset.vulnerability.count: "5"
source.asset.state
Use this token to search network traffic by the state of the source asset.
Example
Find network traffic from assets in an active state.
source.asset.state: "Active"
source.asset.discovery.protocol
Use this token to search network traffic by the discovery protocol used for the source asset.
Example
Find network traffic from assets discovered using a specific protocol.
source.asset.discovery.protocol: "Modbus"
source.asset.serialNumber
Use this token to search network traffic by the serial number of the source asset.
Example
Find network traffic from an asset with a specific serial number.
source.asset.serialNumber: "SN-987654"
source.asset.orderId
Use this token to search network traffic by the order ID associated with the source asset.
Example
Find network traffic related to assets with a specific order ID.
source.asset.orderId: "ORD-45012"
source.hardware.version
Use this token to search network traffic by the hardware version of the source asset.
Example
Find network traffic from assets running a specific hardware version.
source.hardware.version: "v1.4"
source.hardware.category
Use this token to search network traffic by the hardware category of the source asset.
Example
Find network traffic from assets belonging to a specific hardware category.
source.hardware.category: "Controller"
source.asset.purdueLevel
Use this token to search network traffic by the Purdue level of the source asset.
Example
Find network traffic from assets operating at a specific Purdue level.
source.asset.purdueLevel: "Level 1"
source.inventory.sensorName
Use this token to search network traffic by the sensor name that discovered the source asset.
Example
Find network traffic detected by a specific sensor.
source.inventory.sensorName: "OT-Sensor-East"
source.hardware.mapped
Search the network traffic for source assets whose hardware information is cataloged or uncataloged. Select Cataloged or Uncataloged as the token value.
Example
Find network traffic from assets with Cataloged hardware.
source.hardware.mapped: "Cataloged"
source.asset.isModified
Use this token to search network traffic by the modification status of the source asset.
Example
Find network traffic from assets that have not been modified.
source.asset.isModified: "false"
source.asset.lastModifiedDate
Use this token to search network traffic by the last modified date of the source asset.
Example
Find network traffic from assets modified on a specific date.
source.asset.lastModifiedDate: "2025-01-22"
source.asset.inventory.source
Use this token to search network traffic by the inventory source of the source asset.
Example
Find network traffic from assets discovered using a specific inventory source.
source.asset.inventory.source: "Passive"
source.asset.inventory.fileHash
Use this token to search network traffic by the inventory file hash of the source asset.
Example
Find network traffic from assets with a specific inventory file hash.
source.asset.inventory.fileHash: "c9d0c6e534b51a733ff64e1fd3c4141"
source.asset.inventory.filename
Use this token to search network traffic by the inventory file name of the source asset.
Example
Find network traffic from assets associated with a specific inventory file.
source.asset.inventory.filename: "Germany_Plant_1"
source.asset.tag.id
Use this token to search network traffic by the tag ID assigned to the source asset.
Example
Find network traffic from assets with a specific tag ID.
source.asset.tag.id: "38970492"
source.asset.tag.name
Use this token to search network traffic by the tag name assigned to the source asset.
Example
Find network traffic from assets with a specific tag name.
source.asset.tag.name: "Production"
source.asset.tag.businessImpact
Use this token to search network traffic by the business impact defined for the source asset tag.
Example
Find network traffic from assets tagged with a specific business impact.
source.asset.tag.businessImpact: "High"
source.hardware.manufacturer
Use this token to search network traffic by the hardware manufacturer of the source asset.
Example
Find network traffic from assets built by a specific hardware manufacturer.
source.hardware.manufacturer: "Rockwell Automation"
source.passiveSensor.id
Use this token to search network traffic by the passive sensor ID associated with the source asset.
Example
Find network traffic monitored by a specific passive sensor.
source.passiveSensor.id: "032589611212:1638792150:574815:701:1638792150:574815:701"
source.passiveSensor.name
Use this token to search network traffic by the passive sensor name associated with the source asset.
Example
Find network traffic detected by a specific passive sensor.
source.passiveSensor.name: "OT-Passive-Sensor-01"
source.passiveSensor.location
Use this token to search network traffic by the location of the passive sensor monitoring the source asset.
Example
Find network traffic monitored from a specific sensor location.
source.passiveSensor.location: "Plant Floor A"
source.hardware.class
Use this token to search network traffic by the hardware class of the source asset.
Example
Find network traffic originating from a specific hardware class.
source.hardware.class: "OT"
source.asset.hasModules
Use this token to search network traffic by whether the source asset has enabled modules.
Example
Find network traffic from assets with modules enabled.
source.asset.hasModules: "true"
source.asset.hasAddOns
Use this token to search network traffic by whether the source asset has add-ons installed.
Example
Find network traffic from assets with add-ons installed.
source.asset.hasAddOns: "true"
source.addOn.hardware.model
Use this token to search network traffic by the hardware model of an add-on connected to the source asset.
Example
Find network traffic involving a specific add-on hardware model.
source.addOn.hardware.model: "IO-Module-X1"
source.addOn.hardware.manufacturer
Use this token to search network traffic by the hardware manufacturer of an add-on connected to the source asset.
Example
Find network traffic involving add-ons from a specific manufacturer.
source.addOn.hardware.manufacturer: "Schneider Electric"
source.addOn.hardware.category2
Use this token to search network traffic by the secondary hardware category of an add-on connected to the source asset.
Example
Find network traffic involving add-ons of a specific category.
source.addOn.hardware.category2: "I/O Module"
source.addOn.firmwareVersion
Use this token to search network traffic by the firmware version of an add-on connected to the source asset.
Example
Find network traffic involving add-ons running a specific firmware version.
source.addOn.firmwareVersion: "1.0.3"
source.addOn.lastScanDate
Use this token to search network traffic by the last scanned date of an add-on connected to the source asset.
Example
Find network traffic involving add-ons scanned on a specific date.
source.addOn.lastScanDate: "2025-01-15"
source.addOn.orderId
Use this token to search network traffic by the order ID of an add-on connected to the source asset.
Example
Find network traffic related to add-ons with a specific order ID.
source.addOn.orderId: "ADD-9001"
source.addOn.serialNumber
Use this token to search network traffic by the serial number of an add-on connected to the source asset.
Example
Find network traffic involving add-ons with a specific serial number.
source.addOn.serialNumber: "ASN-778899"
source.addOn.slaveAddress
Use this token to search network traffic by the slave address of an add-on connected to the source asset.
Example
Find network traffic involving add-ons with a specific slave address.
source.addOn.slaveAddress: "0x00000004#39"
source.addOn.unitAddress
Use this token to search network traffic by the unit address of an add-on connected to the source asset.
Example
Find network traffic involving add-ons with a specific unit address.
source.addOn.unitAddress: "3"
source.finding.hardware.type
Use this token to search network traffic by the hardware type identified in a finding on the source asset.
Example
Find network traffic associated with findings on specific hardware types.
source.finding.hardware.type: "Controller"
source.finding.vulnerability.category
Use this token to search network traffic by the vulnerability category identified in a finding on the source asset.
Example
Find network traffic associated with findings in a specific vulnerability category.
source.finding.vulnerability.category: "Configuration"
source.finding.typeDetected
Use this token to search network traffic based on the vulnerability detection type. Select the type from the available options (Confirmed, Information, Potential).
Example
Find network traffic associated with findings of a specific detection type.
source.finding.typeDetected: "Confirmed"
source.finding.asset.type
Use this token to search network traffic by the asset type associated with the finding on the source asset.
Example
Find network traffic associated with findings on a specific asset type.
source.finding.asset.type: "PLC"
source.finding.status
Use this token to search network traffic based on the vulnerability status. Select the status from the available options (ACTIVE, FIXED, NEW, REOPENED).
Example
Find network traffic associated with findings in a specific status.
source.finding.status: "NEW"
source.finding.asset.id
Use this token to search network traffic by the asset ID associated with the finding on the source asset.
Example
Find network traffic associated with a specific asset ID.
source.finding.asset.id: "56863af6-301e-3788-aa95-95b5f844ad2a"
source.finding.vulnerability.qid
Use this token to search network traffic by the vulnerability QID identified in a finding on the source asset.
Example
Find network traffic associated with a specific vulnerability QID.
source.finding.vulnerability.qid: "105432"
source.finding.vulnerability.cveId
Use this token to search network traffic by the CVE ID identified in a finding on the source asset.
Example
Find network traffic associated with a specific CVE ID.
source.finding.vulnerability.cveId: "CVE-2024-12345"
source.finding.vulnerability.isPatchAvailable
Use this token to search network traffic by patch availability for the vulnerability identified on the source asset.
Example
Find network traffic associated with vulnerabilities with available patches.
source.finding.vulnerability.isPatchAvailable: "true"
source.finding.vulnerability.title
Use this token to search network traffic by the vulnerability title identified in a finding on the source asset.
Example
Find network traffic associated with vulnerabilities with a specific title.
source.finding.vulnerability.title: "Unauthorized Access"
source.finding.severity
Use this token to search network traffic by the severity of a finding on the source asset.
Example
Find network traffic associated with findings of a specific severity.
source.finding.severity: "Critical"
source.finding.firstFoundDate
Use this token to search network traffic by the first detection date of a finding on the source asset.
Example
Find network traffic associated with findings first detected on a specific date.
source.finding.firstFoundDate: "2024-10-05"
source.finding.lastFoundDate
Use this token to search network traffic by the most recent detection date of a finding on the source asset.
Example
Find network traffic associated with findings last detected on a specific date.
source.finding.lastFoundDate: "2025-01-12"
source.finding.asset.name
Use this token to search network traffic by the asset name associated with the finding on the source asset.
Example
Find network traffic associated with a specific asset name.
source.finding.asset.name: "PLC-Line-01"
source.finding.firmware
Use this token to search network traffic by the firmware identified in a finding on the source asset.
Example
Find network traffic associated with findings on a specific firmware version.
source.finding.firmware: "v3.2.1"
source.finding.hardware.version
Use this token to search network traffic by the hardware version identified in a finding on the source asset.
Example
Find network traffic associated with findings on a specific hardware version.
source.finding.hardware.version: "v2.1"
source.finding.hardware.product
Use this token to search network traffic by the hardware product identified in a finding on the source asset.
Example
Find network traffic associated with findings on a specific hardware product.
source.finding.hardware.product: "CompactLogix"
source.finding.hardware.model
Use this token to search network traffic by the hardware model identified in a finding on the source asset.
Example
Find network traffic associated with findings on a specific hardware model.
source.finding.hardware.model: "1769-L33ER"
source.finding.protocol
Use this token to search network traffic by the protocol identified in a finding on the source asset.
Example
Find network traffic associated with findings using a specific protocol.
source.finding.protocol: "EtherNet/IP"
source.finding.hardware.manufacturer
Use this token to search network traffic by the hardware manufacturer identified in a finding on the source asset.
Example
Find network traffic associated with findings from a specific hardware manufacturer.
source.finding.hardware.manufacturer: "Rockwell Automation"
source.finding.vulnerability.vendorName
Use this token to search network traffic by the vendor name associated with the vulnerability identified on the source asset.
Example
Find network traffic associated with vulnerabilities from a specific vendor.
source.finding.vulnerability.vendorName: "Siemens"
source.finding.vulnerability.threatIntel
Use this token to search network traffic by threat intelligence context associated with the vulnerability identified on the source asset.
Example
Find network traffic associated with vulnerabilities with a specific threat intelligence context.
source.finding.vulnerability.threatIntel: "Exploitable"
source.finding.vulnerability.criticality
Use this token to search network traffic by the criticality assigned to the vulnerability identified on the source asset.
Example
Find network traffic associated with vulnerabilities with a specific criticality.
source.finding.vulnerability.criticality: "High"
destination.asset.id
Use this token to search network traffic by the destination asset ID.
Example
Find network traffic associated with a specific destination asset ID.
destination.asset.id: "56863af6-301e-3788-aa95-95b5f844ad2a"
destination.asset.riskScore
Use this token to search network traffic by the risk score of the destination asset.
Examples
Show the assets with a risk score of 9
remoteAsset.riskScore: 9
Show the assets for which the risk score is not yet calculated
remoteAsset.riskScore is null
Show the assets with a valid risk score
not remoteAsset.riskScore is null
destination.firmwareVersion
Use this token to search network traffic by the firmware version of the destination asset.
Example
Find network traffic associated with a specific destination asset firmware version.
destination.firmwareVersion: "2.5.0"
destination.software.version
Use this token to search network traffic by the software version running on the destination asset.
Example
Find network traffic associated with a specific destination asset software version.
destination.software.version: "4.1.3"
destination.asset.name
Use this token to search network traffic by the name of the destination asset.
Example
Find network traffic associated with a specific destination asset name.
destination.asset.name: "HMI-Panel-02"
destination.asset.importance
Use this token to search network traffic by the business importance of the destination asset.
Example
Find network traffic associated with a specific destination asset business importance.
destination.asset.importance: "Medium"
destination.asset.createdDate
Use this token to search network traffic by the creation date of the destination asset.
Example
Find network traffic associated with a specific destination asset creation date.
destination.asset.createdDate: "2023-09-10"
destination.asset.lastUpdatedDate
Use this token to search network traffic by the last updated date of the destination asset.
Example
Find network traffic associated with a specific destination asset last updated date.
destination.asset.lastUpdatedDate: "2025-01-19"
destination.asset.type
Use this token to search network traffic by the type of the destination asset.
Example
Find network traffic associated with a specific destination asset type.
destination.asset.type: "HMI"
destination.hardware.vendor
Use this token to search network traffic by the hardware vendor of the destination asset.
Example
Find network traffic associated with a specific destination asset hardware vendor.
destination.hardware.vendor: "Schneider Electric"
destination.hardware.model
Use this token to search network traffic by the hardware model of the destination asset.
Example
Find network traffic associated with a specific destination asset hardware model.
destination.hardware.model: "Magelis GTU"
destination.hardware.type
Use this token to search network traffic by the hardware type of the destination asset.
Example
Find network traffic associated with a specific destination asset hardware type.
destination.hardware.type: "Panel"
destination.inventory.scannerId
Use this token to search network traffic by the scanner ID that discovered the destination asset.
Example
Find network traffic associated with a specific destination asset scanner ID.
destination.inventory.scannerId: "SCN-2048"
destination.inventory.sensorId
Use this token to search network traffic by the sensor ID that discovered the destination asset.
Example
Find network traffic associated with a specific destination asset sensor ID.
destination.inventory.sensorId: "032589611212:1638792150:574815:701:1638792150:574815:701"
destination.asset.vulnerability.count
Use this token to search network traffic by the number of vulnerabilities detected on the destination asset.
Example
Find network traffic associated with a specific destination asset vulnerability count.
destination.asset.vulnerability.count: "3"
destination.asset.state
Use this token to search network traffic by the state of the destination asset.
Example
Find network traffic associated with a specific destination asset state.
destination.asset.state: "Active"
destination.asset.discovery.protocol
Use this token to search network traffic by the discovery protocol used for the destination asset.
Example
Find network traffic associated with a specific destination asset discovery protocol.
destination.asset.discovery.protocol: "Profinet"
destination.asset.serialNumber
Use this token to search network traffic by the serial number of the destination asset.
Example
Find network traffic associated with a specific destination asset serial number.
destination.asset.serialNumber: "SN-445566"
destination.asset.orderId
Use this token to search network traffic by the order ID associated with the destination asset.
Example
Find network traffic associated with a specific destination asset order ID.
destination.asset.orderId: "ORD-778899"
destination.hardware.version
Use this token to search network traffic by the hardware version of the destination asset.
Example
Find network traffic associated with a specific destination asset hardware version.
destination.hardware.version: "v1.8"
destination.hardware.category
Use this token to search network traffic by the hardware category of the destination asset.
Example
Find network traffic associated with a specific destination asset hardware category.
destination.hardware.category: "Operator Interface"
destination.asset.purdueLevel
Use this token to search network traffic by the Purdue level of the destination asset.
Example
Find network traffic associated with a specific destination asset Purdue level.
destination.asset.purdueLevel: "Level 2"
destination.inventory.sensorName
Use this token to search network traffic by the sensor name that discovered the destination asset.
Example
Find network traffic associated with a specific destination asset sensor name.
destination.inventory.sensorName: "OT-Sensor-West"
destination.hardware.mapped
Use this token to search network traffic for destination assets whose hardware information is cataloged or uncataloged. Select Cataloged or Uncataloged as the token value.
Example
Find network traffic associated with destination assets that have cataloged hardware information.
destination.hardware.mapped: "Cataloged"
destination.asset.isModified
Use this token to search network traffic by the modification status of the destination asset.
Example
Find network traffic associated with a specific destination asset modification status.
destination.asset.isModified: "false"
destination.asset.lastModifiedDate
Use this token to search network traffic by the last modified date of the destination asset.
Example
Find network traffic associated with a specific destination asset last modified date.
destination.asset.lastModifiedDate: "2025-01-21"
destination.asset.inventory.source
Use this token to search network traffic by the inventory source of the destination asset.
Example
Find network traffic associated with a specific destination asset inventory source.
destination.asset.inventory.source: "Passive"
destination.asset.inventory.fileHash
Use this token to search network traffic by the inventory file hash of the destination asset.
Example
Find network traffic associated with a specific destination asset inventory file hash.
destination.asset.inventory.fileHash: "c9d0c6e534b51a733ff64e1fd3c4141"
destination.asset.inventory.filename
Use this token to search network traffic by the inventory file name of the destination asset.
Example
Find network traffic associated with a specific destination asset inventory file name.
destination.asset.inventory.filename: "Germany_Plant_1"
destination.asset.tag.id
Use this token to search network traffic by the tag ID assigned to the destination asset.
Example
Find network traffic associated with a specific destination asset tag ID.
destination.asset.tag.id: "38970492"
destination.asset.tag.name
Use this token to search network traffic by the tag name assigned to the destination asset.
Example
Find network traffic associated with a specific destination asset tag name.
destination.asset.tag.name: "Control-Network"
destination.asset.tag.businessImpact
Use this token to search network traffic by the business impact defined for the destination asset tag.
Example
Find network traffic associated with a specific destination asset tag business impact.
destination.asset.tag.businessImpact: "High"
destination.hardware.manufacturer
Use this token to search network traffic by the hardware manufacturer of the destination asset.
Example
Find network traffic associated with a specific destination asset hardware manufacturer.
destination.hardware.manufacturer: "ABB"
destination.passiveSensor.id
Use this token to search network traffic by the passive sensor ID associated with the destination asset.
Example
Find network traffic associated with a specific destination asset passive sensor ID.
destination.passiveSensor.id: "032589611212:1638792150:574815:701:1638792150:574815:701"
destination.passiveSensor.name
Use this token to search network traffic by the passive sensor name associated with the destination asset.
Example
Find network traffic associated with a specific destination asset passive sensor name.
destination.passiveSensor.name: "OT-Passive-Sensor-02"
destination.passiveSensor.location
Use this token to search network traffic by the location of the passive sensor monitoring the destination asset.
Example
Find network traffic associated with a specific destination asset passive sensor location.
destination.passiveSensor.location: "Control Room"
destination.hardware.class
Use this token to search network traffic by the hardware class of the destination asset.
Example
Find network traffic associated with a specific destination asset hardware class.
destination.hardware.class: "OT"
destination.asset.hasModules
Use this token to search network traffic by whether the destination asset has enabled modules.
Example
Find network traffic associated with destination assets that have enabled modules.
destination.asset.hasModules: "true"
destination.asset.hasAddOns
Use this token to search network traffic by whether the destination asset has add-ons installed.
Example
Find network traffic associated with a specific destination asset add-on status.
destination.asset.hasAddOns: "false"
destination.addOn.hardware.model
Use this token to search network traffic by the hardware model of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on hardware model on the destination asset.
destination.addOn.hardware.model: "Remote-IO-X2"
destination.addOn.hardware.manufacturer
Use this token to search network traffic by the hardware manufacturer of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on hardware manufacturer on the destination asset.
destination.addOn.hardware.manufacturer: "Siemens"
destination.addOn.hardware.category2
Use this token to search network traffic by the secondary hardware category of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on secondary hardware category on the destination asset.
destination.addOn.hardware.category2: "I/O Module"
destination.addOn.firmwareVersion
Use this token to search network traffic by the firmware version of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on firmware version on the destination asset.
destination.addOn.firmwareVersion: "1.2.4"
destination.addOn.lastScanDate
Use this token to search network traffic by the last scanned date of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on last scanned date on the destination asset.
destination.addOn.lastScanDate: "2025-01-16"
destination.addOn.orderId
Use this token to search network traffic by the order ID of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on order ID on the destination asset.
destination.addOn.orderId: "ADD-3007"
destination.addOn.serialNumber
Use this token to search network traffic by the serial number of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on serial number on the destination asset.
destination.addOn.serialNumber: "ASN-445577"
destination.addOn.slaveAddress
Use this token to search network traffic by the slave address of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on slave address on the destination asset.
destination.addOn.slaveAddress: "0x00000004#39"
destination.addOn.unitAddress
Use this token to search network traffic by the unit address of an add-on connected to the destination asset.
Example
Find network traffic associated with a specific add-on unit address on the destination asset.
destination.addOn.unitAddress: "4"
destination.finding.hardware.type
Use this token to search network traffic by the hardware type identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding hardware type.
destination.finding.hardware.type: "Controller"
destination.finding.vulnerability.category
Use this token to search network traffic by the vulnerability category identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset vulnerability category.
destination.finding.vulnerability.category: "Configuration"
destination.finding.typeDetected
Use this token to search network traffic by the detection type of the vulnerability found on the destination asset. Select the type from the available options (Confirmed, Information, Potential).
Example
Find network traffic associated with a confirmed vulnerability on the destination asset.
destination.finding.typeDetected: "Confirmed"
destination.finding.asset.type
Use this token to search network traffic by the asset type associated with the finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding asset type.
destination.finding.asset.type: "HMI"
destination.finding.status
Use this token to search network traffic by the status of the vulnerability on the destination asset. Select the status from the available options (ACTIVE, FIXED, NEW, REOPENED).
Example
Find network traffic associated with a specific vulnerability status on the destination asset.
destination.finding.status: "NEW"
destination.finding.asset.id
Use this token to search network traffic by the asset ID associated with the finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding asset ID.
destination.finding.asset.id: "56863af6-301e-3788-aa95-95b5f844ad2a"
destination.finding.vulnerability.qid
Use this token to search network traffic by the vulnerability QID identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset vulnerability QID.
destination.finding.vulnerability.qid: "160012"
destination.finding.vulnerability.cveId
Use this token to search network traffic by the CVE ID identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset CVE ID.
destination.finding.vulnerability.cveId: "CVE-2023-77881"
destination.finding.vulnerability.isPatchAvailable
Use this token to search network traffic by patch availability for the vulnerability identified on the destination asset.
Example
Find network traffic associated with a specific destination asset patch availability.
destination.finding.vulnerability.isPatchAvailable: "false"
destination.finding.vulnerability.title
Use this token to search network traffic by the vulnerability title identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset vulnerability title.
destination.finding.vulnerability.title: "Weak Authentication"
destination.finding.severity
Use this token to search network traffic by the severity of a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding severity.
destination.finding.severity: "High"
destination.finding.firstFoundDate
Use this token to search network traffic by the first detection date of a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset first detection date.
destination.finding.firstFoundDate: "2024-08-19"
destination.finding.lastFoundDate
Use this token to search network traffic by the most recent detection date of a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset most recent detection date.
destination.finding.lastFoundDate: "2025-01-09"
destination.finding.asset.name
Use this token to search network traffic by the asset name associated with the finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding asset name.
destination.finding.asset.name: "HMI-Panel-02"
destination.finding.firmware
Use this token to search network traffic by the firmware identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding firmware.
destination.finding.firmware: "v2.0.1"
destination.finding.hardware.version
Use this token to search network traffic by the hardware version identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding hardware version.
destination.finding.hardware.version: "v1.6"
destination.finding.hardware.product
Use this token to search network traffic by the hardware product identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding hardware product.
destination.finding.hardware.product: "CompactLogix"
destination.finding.hardware.model
Use this token to search network traffic by the hardware model identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding hardware model.
destination.finding.hardware.model: "1769-L33ER"
destination.finding.protocol
Use this token to search network traffic by the protocol identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding protocol.
destination.finding.protocol: "EtherNet/IP"
destination.finding.hardware.manufacturer
Use this token to search network traffic by the hardware manufacturer identified in a finding on the destination asset.
Example
Find network traffic associated with a specific destination asset finding hardware manufacturer.
destination.finding.hardware.manufacturer: "Rockwell Automation"
destination.finding.vulnerability.vendorName
Use this token to search network traffic by the vendor name associated with the vulnerability identified on the destination asset.
Example
Find network traffic associated with a specific destination asset vulnerability vendor name.
destination.finding.vulnerability.vendorName: "Schneider Electric"
destination.finding.vulnerability.threatIntel
Use this token to search network traffic by the threat intelligence context associated with the vulnerability identified on the destination asset.
Example
Find network traffic associated with a specific destination asset threat intelligence context.
destination.finding.vulnerability.threatIntel: "Exploitable"
destination.finding.vulnerability.criticality
Use this token to search network traffic by the criticality assigned to the vulnerability identified on the destination asset.
Example
Find network traffic associated with a specific destination asset vulnerability criticality.
destination.finding.vulnerability.criticality: "Critical"
source.hardware.category1
Use this token to search network traffic by the primary hardware category of the source asset.
Example
Find traffic originating from a specific primary hardware category.
source.hardware.category1: "Controller"
source.hardware.category2
Use this token to search network traffic by the secondary hardware category of the source asset.
Example
Find traffic originating from a specific secondary hardware category.
source.hardware.category2: "PLC"
destination.hardware.category1
Use this token to search network traffic by the primary hardware category of the destination asset.
Example
Find traffic targeting a specific primary hardware category.
destination.hardware.category1: "Network Device"
destination.hardware.category2
Use this token to search network traffic by the secondary hardware category of the destination asset.
Example
Find traffic targeting a specific secondary hardware category.
destination.hardware.category2: "Firewall"
source.hardware.type
Use this token to search network traffic by the hardware type of the source asset.
Example
Find network traffic originating from a specific hardware type.
source.hardware.type: "PLC"