Vulnerabilities Search Tokens in VMDR OT

On the Vulnerabilities tab of the VMDR OT application, use the following tokens to search the passively discovered vulnerabilities for the assets in your inventory. Build your search queries by combining these tokens. Each token is described below with examples of how to use it.

Supported Boolean Operators

The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.

and

Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.

Example

Show HIGH criticality vulnerabilities detected on assets running Windows 2012 operating system

finding.vulnerability.criticality: HIGH and finding.host.operatingSystem.name: `Windows 2012`


not

Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.

Examples

Exclude potential vulnerabilities from search results

not finding.typeDetected: Potential

Show the vulnerabilities detected on Windows 2012 assets, excluding the vulnerabilities with the criticality level LOW

not finding.vulnerability.criticality: LOW and finding.host.operatingSystem.name: `Windows 2012`


or

Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.

Example

Show the vulnerabilities detected on either of the Windows versions

finding.host.operatingSystem.name: `Windows 2012` or finding.host.operatingSystem.name: `Windows 2012 R2`


Search Tokens

finding.asset.name

Use the asset name as the token value to find vulnerabilities detected on a particular asset. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities detected on assets whose names are related to Car Assembly

finding.asset.name: Car Assembly

Show the vulnerabilities detected on assets containing Car or Assembly or both in their names.

finding.asset.name: "Car Assembly"

Show the vulnerabilities detected on the asset with the name ACMENVT7.

finding.asset.name: `ACMENVT7`

finding.asset.type

Find the vulnerabilities on the assets by asset type. For exact search, enclose the token value in backticks `<value>`.

Example

Show the vulnerabilities that are detected on PLC (Programmable Logic Controllers)

finding.asset.type: `PLC`

finding.asset.id

Use an asset ID as the token value to find the vulnerabilities detected on a particular asset. An asset ID is the Qualys asset ID (UUID) assigned by an agent or by a scanner appliance in case of Agentless Tracking. For exact search, enclose the token value in backticks `<value>`. You can search for an asset ID or a comma-separated list of multiple asset IDs enclosed in square brackets.

Examples

Show the vulnerabilities detected on the asset having UUID 56863af6-301e-3788-aa95-95b5f844ad2a

finding.asset.id: `56863af6-301e-3788-aa95-95b5f844ad2a`

Show the vulnerabilities detected on the specified assets

finding.asset.id: [25f90e1a-625c-3b79-b13d-ab2b46bed55a, 6b7e8400-167b-3596-a712-78377f16d3f7]

finding.firmware

Find the vulnerabilities based on a firmware version of the assets. For exact search, enclose the token value in backticks `<value>`. You can search for a single firmware version or a comma-separated list of firmware versions enclosed in square brackets.

Examples

Show the vulnerabilities detected on assets having firmware version 30.1

finding.firmware: `30.1`

Show the vulnerabilities detected on the assets having the specified firmware versions

finding.firmware: [4.003, 2.6.1]

finding.firstFoundDate

Use a date range or specific date to find the vulnerabilities found on the asset for the first time.

Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy

Examples

Show the vulnerabilities that were found for the first time on the specified date

finding.firstFoundDate: `2020-01-13`

Show the vulnerabilities that were found for the first time within past 90 days (excluding day 90)

finding.firstFoundDate > now-90d

Show the vulnerabilities that were found for the first time within past 90 days (including day 90)

finding.firstFoundDate >= now-90d

Show the vulnerabilities that were found for the first time before past 90 days (excluding day 90)

finding.firstFoundDate < now-90d

Show the vulnerabilities that were found for the first time before past 90 days (including day 90)

finding.firstFoundDate <= now-90d

Show the vulnerabilities that were found for the first time within the specified date range

finding.firstFoundDate: [2020-01-01 .. 2020-01-10]

Show the vulnerabilities that were found for the first time from two weeks ago till a second ago

finding.firstFoundDate: [now-2w .. now-1s]

finding.hardware.model

Find the vulnerabilities on assets by their hardware model name. For exact search, enclose the token value in backticks `<value>`. You can search for a single hardware model name or specify a comma-separated list of hardware models enclosed in square brackets.

Examples

Show the vulnerabilities detected on the assets having the specified hardware model

finding.hardware.model: `6ES7511-1AK01-0AB0`

Show the vulnerabilities detected on assets having the specified hardware models

finding.hardware.model: [1766-L32BXBA, 6ES7511-1AK01-0AB0]

finding.hardware.product

Find the vulnerabilities on the assets by their hardware product name. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities detected on assets related to the hardware product name.

finding.hardware.product: Allen-Bradley FLEX I/O EtherNet/IP Adapter Module

Show the vulnerabilities detected on assets containing any part of the hardware product name

finding.hardware.product: "Allen-Bradley FLEX I/O EtherNet/IP Adapter Module"

Show the vulnerabilities detected on assets having Allen-Bradley FLEX I/O EtherNet/IP Adapter Module as their hardware product

finding.hardware.product: `Allen-Bradley FLEX I/O EtherNet/IP Adapter Module`

finding.hardware.type

Find the vulnerabilities on the assets by their hardware type. For exact search, enclose the token value in backticks `<value>`.

Example

Show the vulnerabilities identified on the PLC assets

finding.hardware.type: `PLC`

finding.hardware.manufacturer

Find the vulnerabilities on assets by their hardware vendor. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities detected on assets related to hardware vendor Schneider Electric

finding.hardware.manufacturer: Schneider Electric

Show the vulnerabilities detected on assets that contain Schneider or Electric, or both in their hardware vendor name

finding.hardware.manufacturer: "Schneider Electric"

Show the vulnerabilities detected on assets having Siemens as their hardware vendor

finding.hardware.manufacturer: `Siemens`

finding.hardware.version

Find the vulnerabilities on the assets by their hardware version. For exact search, enclose the token value in backticks `<value>`. You can search a single hardware version or a comma-separated list of hardware versions enclosed in square brackets.

Examples

Show the vulnerabilities detected on assets having hardware version 5

finding.hardware.version: `5`

Show the vulnerabilities detected on assets having the specified hardware versions

finding.hardware.version: [3, 5]

finding.host.operatingSystem.name

Find the vulnerabilities identified on a particular host operating system. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities identified on assets related to Windows 2012

finding.host.operatingSystem.name: Windows 2012

Show the vulnerabilities identified on assets running any version of Windows Server 2012 (for example, Standard, Enterprise Edition, Datacenter) with any service pack installed

finding.host.operatingSystem.name: "Windows 2012"

Show the vulnerabilities identified on assets running Windows 2012

finding.host.operatingSystem.name: `Windows 2012`

finding.asset.interface.address

Use an IP address as the token value to find vulnerabilities detected on that interface. You can search a single IP address or a comma-separated list of IP addresses enclosed in square brackets.

Examples

Show the vulnerabilities detected on the specified interface IPv4 address

finding.asset.interface.address: `192.168.1.10`

Show the vulnerabilities detected on the specified IPv4 address range

finding.asset.interface.address: [172.168.0.1..192.168.1.51]

Show the vulnerabilities detected on the specified interface IPv6 address

finding.asset.interface.address: `2001:db8:ffff:ffff:ffff:ffff:ffff:ffff`

Show the vulnerabilities detected on the specified IPv6 address range

finding.asset.interface.address: [2001:db8:abcd:12::/64]

finding.asset.interface.macAddress

Use a MAC address as the token value to find vulnerabilities detected on a specific interface. For exact search, enclose the token value in backticks `<value>`.

Example

Show the vulnerabilities detected on the specified MAC address

finding.asset.interface.macAddress: `5C:88:16:A9:73:5A`

finding.lastFoundDate

Use a date range or specific date to find the vulnerabilities by the date they were last found on the asset.

Supported date formats: yyyy-MM-dd, yyyy-MM, yyyy

Examples

Show the vulnerabilities last found on the specified date

finding.lastFoundDate: `2020-01-13`

Show the vulnerabilities last found within past 90 days (excluding day 90)

finding.lastFoundDate > now-90d

Show the vulnerabilities last found within past 90 days (including day 90)

finding.lastFoundDate >= now-90d

Show the vulnerabilities last found before past 90 days (excluding day 90)

finding.lastFoundDate < now-90d

Show the vulnerabilities last found before past 90 days (including day 90)

finding.lastFoundDate <= now-90d

Show the vulnerabilities last found within the specified date range

finding.lastFoundDate: [2020-01-01 .. 2020-01-10]

Show the vulnerabilities last found from two weeks ago till a second ago

finding.lastFoundDate: [now-2w .. now-1s]

finding.protocol

Find the vulnerabilities on assets having a specific discovery protocol. Assets are inventoried in Qualys VMDR OT by using ICS protocols. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities detected on assets having Modbus TCP discovery protocol

finding.protocol: `Modbus TCP`

Show the vulnerabilities detected on assets having Ethernet/IP discovery protocol

finding.protocol: `ENIP`

finding.severity

Find vulnerabilities by their severity levels. Choose a severity level from 1 to 5 from the available options.

Example

Show the vulnerabilities having a severity level of 5

finding.severity: 5

finding.status

Find the vulnerabilities by their status. Choose the status from the available options (ACTIVE, FIXED, NEW, REOPENED).

Examples

Show the vulnerabilities detected for the first time by a scan

finding.status: NEW

Show the vulnerabilities that are verified by the recent scan as fixed

finding.status: FIXED

finding.typeDetected

Find the vulnerabilities based on their detection type. Choose the type from the available options (Confirmed, Information, Potential).

Example

Show the vulnerabilities of the type Confirmed

finding.typeDetected: Confirmed

finding.vulnerability.criticality

Find the vulnerabilities by their criticality level. Choose the criticality level from the available options (CRITICAL, HIGH, MEDIUM, LOW, NONE).

Examples

Show the vulnerabilities with HIGH criticality

finding.vulnerability.criticality: HIGH

Show the vulnerabilities with MEDIUM criticality

finding.vulnerability.criticality: MEDIUM

finding.vulnerability.cveId

Find the vulnerabilities by their CVE IDs. You can search for a single CVE ID or a comma-separated list of multiple CVE IDs enclosed in square brackets.

The CVE ID in the query is case-sensitive and must be written in upper case.

Examples

Show the vulnerability having the specified CVE ID

finding.vulnerability.cveId: CVE-2019-19281

Show the vulnerability having the specified CVE IDs

finding.vulnerability.cveId: [CVE-2016-8672, CVE-2016-9158, CVE-2019-19281]

finding.vulnerability.isPatchAvailable

Select TRUE or FALSE to search vulnerabilities by the availability of patches.

Examples

Show the vulnerabilities for which patches are available

finding.vulnerability.isPatchAvailable: TRUE

Show the vulnerabilities for which patches are not available

finding.vulnerability.isPatchAvailable: FALSE

finding.vulnerability.qid

Find the vulnerabilities by their Qualys IDs. You can search for a single QID or a comma-separated list of multiple QIDs enclosed in square brackets.

Examples

Show the vulnerability having the specified QID

finding.vulnerability.qid: 42405

Show the vulnerability having the specified QIDs

finding.vulnerability.qid: [42405, 42413, 42414]

finding.vulnerability.threatIntel

Find the vulnerabilities with Real-time Threat Indicators. Choose the threat indicators from the available options (Active Attacks, Denial of Service, Easy Exploit, Remote Code Execution, etc.).

Examples

Show assets with vulnerabilities due to Active Attacks

finding.vulnerability.threatIntel: Active Attacks

Show assets with vulnerabilities due to Denial of Service

finding.vulnerability.threatIntel: Denial of Service

Show assets with vulnerabilities due to Remote Code Execution

finding.vulnerability.threatIntel: Remote Code Execution

finding.vulnerability.title

Find the vulnerabilities by their titles. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities that are related to Remote Code Execution

finding.vulnerability.title: Remote Code Execution

Show the vulnerabilities that contain "Remote," "Code," "Execution," or "Remote Code Execution" in any combination in their titles

finding.vulnerability.title: "Remote Code Execution"

Show the vulnerability having the specified title

finding.vulnerability.title: `Rockwell Automation ControlLogix PLC Multiple Vulnerabilities(ICSA-13-011-03)`
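As an added example (not Qualys code), a small Python helper that composes QQL strings for this tab from the forms documented above: backticks for exact match, square brackets for comma-separated lists, `>` versus `>=` on relative dates, and the enumerated values and upper-case CVE rule the page lists, so that a saved search or automation script fails early on a misspelled value instead of silently matching nothing. Token names and values come from this page; the helper function names are my own.

```python
import re

# Enumerated values listed on this page; QQL returns nothing for a typo, so fail early.
ENUMS = {
    "finding.vulnerability.criticality": {"CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"},
    "finding.status": {"ACTIVE", "FIXED", "NEW", "REOPENED"},
    "finding.typeDetected": {"Confirmed", "Information", "Potential"},
    "finding.vulnerability.isPatchAvailable": {"TRUE", "FALSE"},
    "finding.severity": {"1", "2", "3", "4", "5"},
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # the page requires upper-case CVE IDs

def enum_value(token, value):
    """Plain `token: value` form, checked against the option list for that token."""
    if str(value) not in ENUMS[token]:
        raise ValueError(f"{token} accepts {sorted(ENUMS[token])}, got {value!r}")
    return f"{token}: {value}"

def exact(token, value):
    """Backtick form: exact match on the whole value (asset name, hardware type, ...)."""
    if "`" in value:
        raise ValueError("exact-match value may not contain a backtick")
    return f"{token}: `{value}`"

def cve_list(cves):
    """Single CVE ID, or a comma-separated list in square brackets for several."""
    bad = [c for c in cves if not CVE_RE.match(c)]
    if bad:
        raise ValueError(f"malformed or lower-case CVE IDs: {bad}")
    return "finding.vulnerability.cveId: " + (cves[0] if len(cves) == 1 else f"[{', '.join(cves)}]")

def found_within_days(token, days, include_boundary=True):
    """Relative date: '>=' includes day N, '>' excludes it, as documented above."""
    return f"{token} {'>=' if include_boundary else '>'} now-{days}d"

def and_(*clauses):
    return " and ".join(clauses)

def not_(clause):
    return "not " + clause

def patchable_plc_query():
    """Confirmed HIGH-criticality findings on PLCs, fixable, still seen in the last 90 days."""
    return and_(
        enum_value("finding.vulnerability.criticality", "HIGH"),
        enum_value("finding.vulnerability.isPatchAvailable", "TRUE"),
        exact("finding.hardware.type", "PLC"),
        not_(enum_value("finding.typeDetected", "Potential")),
        found_within_days("finding.lastFoundDate", 90),
    )
```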