Vulnerabilities Search Tokens in VMDR OT

On the Vulnerabilities tab of the VMDR OT application, use the following tokens to search the passively discovered vulnerabilities for the assets in your inventory. Build your search queries by using various combinations of these tokens. Click each token for information about how to use it.

Supported Boolean operators

The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.

andand

Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.

Example

Show HIGH criticality vulnerabilities detected on assets running Windows 2012 operating system

vulnerabilities.vulnerability.criticality: HIGH and vulnerabilities.hostOS: `Windows 2012`

 

notnot

Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.

Examples

Exclude potential vulnerabilities from search results

not vulnerabilities.typeDetected: Potential

Show the vulnerabilities detected on Windows 2012 assets but exclude the vulnerabilities with the criticality level LOW from this search condition

not vulnerabilities.vulnerability.criticality: LOW and vulnerabilities.hostOS: `Windows2012`

 

oror

Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.

Example

Show the vulnerabilities detected on either of the Windows versions

vulnerabilities.hostOS: `Windows 2012` or vulnerabilities.hostOS:  `Windows2012 R2`

 

 

Search tokens

vulnerabilities.asset.namevulnerabilities.asset.name

Use the asset name as the token value to find vulnerabilities detected on a particular asset. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities detected on assets name related to Car Assembly

vulnerabilities.asset.name: Car Assembly

Show the vulnerabilities detected on assets containing Car or Assembly or both in their names.

vulnerabilities.asset.name: “Car Assembly”

Show the vulnerabilities detected on the asset with the name ACMENVT7.

vulnerabilities.asset.name: `ACMENVT7`

 

vulnerabilities.asset.typevulnerabilities.asset.type

Find the vulnerabilities on the assets by asset type. For exact search, enclose the token value in backticks `<value>`.

Example

Show the vulnerabilities that are detected on PLC (Programmable Logic Controllers)

vulnerabilities.asset.type: `PLC`

 

vulnerabilities.assetIDvulnerabilities.assetID

Use an asset ID as the token value to find the vulnerabilities detected on a particular asset. An asset ID is the Qualys asset ID (UUID) assigned by an agent or by a scanner appliance in case of Agentless Tracking. For exact search, enclose the token value in backticks `<value>`. You can search for an asset ID or a comma-separated list of multiple asset IDs enclosed in square brackets.

Examples

Show the vulnerabilities detected on the asset having UUID 56863af6-301e-3788-aa95-95b5f844ad2a

vulnerabilities.assetID: `56863af6-301e-3788-aa95-95b5f844ad2a`

Show the vulnerabilities detected on the specified assets

vulnerabilities.assetID: [25f90e1a-625c-3b79-b13d-ab2b46bed55a, 6b7e8400-167b-3596-a712-78377f16d3f7]

 

vulnerabilities.firmwarevulnerabilities.firmware

Find the vulnerabilities based on a firmware version of the assets. For exact search, enclose the token value in backticks `<value>`. You can search for a single firmware version or a comma-separated list of firmware versions enclosed in square brackets.

Examples

Show the vulnerabilities detected on assets having firmware version 30.1  

vulnerabiliites.firmware: `30.1`

Show the vulnerabilities detected on the assets having the specified firmware versions

vulnerabiliites.firmware: [4.003, 2.6.1]

 

vulnerabilities.firstFoundvulnerabilities.firstFound

Use a date range or specific date to find the vulnerabilities found on the asset for the first time.

Supported date formats: yyyy-MM-dd,yyyy-MM, yyyy

Examples

Show the vulnerabilities that were found for the first time on the specified date

vulnerabilities.firstFound: `2020-01-13`

Show the vulnerabilities that were found for the first time within past 90 days (excluding day 90)

vulnerabilities.firstFound > now-90d

Show the vulnerabilities that were found for the first time within past 90 days (including day 90)

vulnerabilities.firstFound >= now-90d

Show the vulnerabilities that were found for the first time before past 90 days (excluding day 90)

vulnerabilities.firstFound < now-90d

Show the vulnerabilities that were found for the first time before past 90 days (including day 90)

vulnerabilities.firstFound <= now-90d

Show the vulnerabilities that were found for the first time within the specified date range

vulnerabilities.firstFound: [2020-01-01 .. 2020-01-10]

Show the vulnerabilities that were found for the first time from two weeks ago till a second ago

vulnerabilities.firstFound: [now-2w .. now-1s]

 

vulnerabilities.hardware.modelvulnerabilities.hardware.model

Find the vulnerabilities on assets by their hardware model name. For exact search, enclose the token value in backticks `<value>`. You can search for a single hardware model name or specify a comma-separated list of hardware models enclosed in square brackets.

Examples

Show the vulnerabilities detected on the assets having the specified hardware model

vulnerabilities.hardware.model: `6ES7511-1AK01-0AB0`  

Show the vulnerabilities detected on assets having the specified hardware models

vulnerabilities.hardware.model: [1766-L32BXBA, 6ES7511-1AK01-0AB0]

vulnerabilities.hardware.productvulnerabilities.hardware.product

Find the vulnerabilities on the assets by their hardware product name. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities detected on assets related to the hardware product name.

vulnerabilities.hardware.product: Allen-Bradley FLEX I/O EtherNet/IP Adapter Module

Show the vulnerabilities detected on assets containing any part of the hardware product name

vulnerabilities.hardware.product: “Allen-Bradley FLEX I/O EtherNet/IP Adapter Module”

Show the vulnerabilities detected on assets having Allen-Bradley FLEX I/O EtherNet/IP Adapter Module as their hardware product

vulnerabilities.hardware.product: `Allen-Bradley FLEX I/O EtherNet/IP Adapter Module`

 

vulnerabilities.hardware.typevulnerabilities.hardware.type

Find the vulnerabilities on the assets by their hardware type. For exact search, enclose the token value in backticks `<value>`.

Example

Show the vulnerabilities identified on the PLC assets

vulnerabilities.hardware.type: `PLC`

 

vulnerabilities.hardware.vendorvulnerabilities.hardware.vendor

Find the vulnerabilities on assets by their hardware vendor. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities detected on assets related to hardware vendor Schneider Electric

vulnerabilities.hardware.vendor: Schneider Electric

Show the vulnerabilities detected on assets that contain Schneider or Electric, or both in their hardware vendor name

vulnerabilities.hardware.vendor: “Schneider Electric”

Show the vulnerabilities detected on assets having Siemens as their hardware vendor

vulnerabilities.hardware.vendor: `Siemens`

 

vulnerabilities.hardware.versionvulnerabilities.hardware.version

Find the vulnerabilities on the assets by their hardware version. For exact search, enclose the token value in backticks `<value>`. You can search a single hardware version or a comma-separated list of hardware versions enclosed in square brackets.

Examples

Show the vulnerabilities detected on assets having hardware version 5

vulnerabilities.hardware.version: `5`

Show the vulnerabilities detected on assets having the specified hardware versions

vulnerabilities.hardware.version: [3, 5]

vulnerabilities.hostOSvulnerabilities.hostOS

Find the vulnerabilities identified on a particular host operating system. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities identified on assets related to Windows 2012

vulnerabilities.hostOS: Windows 2012

Show the vulnerabilities identified on assets running any version of Windows Server 2012 (for example, Standard, Enterprise Edition, Datacenter) with any service pack installed

vulnerabilities.hostOS: “Windows 2012”

Show the vulnerabilities identified on assets running Windows 2012

vulnerabilities.hostOS: `Windows 2012`

 

vulnerabilities.interfaces.addressvulnerabilities.interfaces.address

Use an IP address as the token value to find vulnerabilities detected on that interface. You can search a single IP address or a comma-separated list of IP addresses enclosed in square brackets.

Examples

Show the vulnerabilities detected on the specified interface address

vulnerabilities.interfaces.address: 192.168.1.10 

Show the vulnerabilities detected on the specified IP address range

vulnerabilities.interfaces.address: [172.168.0.1..192.168.1.51]

 

vulnerabilities.interfaces.macaddressvulnerabilities.interfaces.macaddress

Use MAC address as the token value to find vulnerabilities detected on a specific interface. For exact search, enclose the token value in backticks `<value>`.

Example

Show the vulnerabilities detected on the specified MAC address

vulnerabilities.interfaces.macaddress: `5C-88-16-A9-73-5A`

 

vulnerabilities.lastFoundvulnerabilities.lastFound

Use a date range or specific date to find the vulnerabilities found last time on the asset .

Supported date formats: yyyy-MM-dd,yyyy-MM, yyyy

Examples

Show the vulnerabilities last found on the specified date

vulnerabilities.lastFound: `2020-01-13`

Show the vulnerabilities last found within past 90 days (excluding day 90)

vulnerabilities.lastFound > now-90d

Show the vulnerabilities last found within past 90 days (including day 90)

vulnerabilities.lastFound >= now-90d

Show the vulnerabilities last found before past 90 days (excluding day 90)

vulnerabilities.lastFound < now-90d

Show the vulnerabilities last found before past 90 days (including day 90)

vulnerabilities.lastFound <= now-90d

Show the vulnerabilities last found within the specified date range

vulnerabilities.lastFound: [2020-01-01 .. 2020-01-10]

Show the vulnerabilities last found from two weeks ago till a second ago

vulnerabilities.lastFound: [now-2w .. now-1s]

 

vulnerabilities.protocolvulnerabilities.protocol

Find the vulnerabilities on assets having a specific discovery protocol. Assets are inventoried in Qualys VMDR OT by using ICS protocols. For exact search, enclose the token value in backticks `<value>`.

Examples

Show the vulnerabilities detected on assets having Modbus TCP discovery protocol

vulnerabilities.protocol: `Modbus TCP`

Show the vulnerabilities detected on assets having Ethernet/IP discovery protocol

vulnerabilities.protocol: `ENIP`

 

vulnerabilities.severityvulnerabilities.severity

Find vulnerabilities by their severity levels. Choose the severity level from 1 to 5 from the available option.

Example

Show the vulnerabilities having a severity level of 5

vulnerabilities.severity: 5

 

vulnerabilities.statusvulnerabilities.status

Find the vulnerabilities by their status. Choose the status from the available options (ACTIVE, FIXED, NEW, REOPENED).

Examples

Show the vulnerabilities detected for the first time by a scan

vulnerabilities.status: NEW

Show the vulnerabilities that are verified by the recent scan as fixed

vulnerabilities.status: FIXED

 

vulnerabilities.typeDetectedvulnerabilities.typeDetected

Find the vulnerabilities based on their detection type. Choose the type from the available options (Confirmed, Information, Potential).

Example

Show the vulnerabilities of the type Confirmed

vulnerabilities.typeDetected: Confirmed

 

vulnerabilities.vulnerability.criticalityvulnerabilities.vulnerability.criticality

Find the assets with vulnerabilities according to their criticality level. Choose the criticality level from the available options (CRITICAL, HIGH, MEDIUM, LOW, NONE).

Examples

Show the vulnerabilities with HIGH criticality

vulnerabilities.vulnerability.criticality: HIGH

Show the vulnerabilities with MEDIUM criticality

vulnerabilities.vulnerability.criticality: MEDIUM

 

vulnerabilities.vulnerability.cveIdsvulnerabilities.vulnerability.cveIds

Find the vulnerabilities by their CVE IDs. You can search for a single CVE ID or a comma-separated list of multiple CVE IDs enclosed in square brackets.

The CVE in the query is case-sensitive and must be used in the capital case.

Examples

Show the vulnerability having the specified CVE ID

vulnerabilities.vulnerability.cveIds: CVE-2019-19281

Show the vulnerability having the specified CVE IDs

vulnerabilities.vulnerability.cveIds: [CVE-2016-8672, CVE-2016-9158, CVE-2019-19281]

 

vulnerabilities.vulnerability.patchAvailablevulnerabilities.vulnerability.patchAvailable

Select TRUE or FALSE to search vulnerabilities by the availability of patches.

Examples

Show the vulnerabilities for which patches are available

vulnerabilities.vulnerability.patchAvailable: TRUE

Show the vulnerabilities for which patches are not available

vulnerabilities.vulnerability.patchAvailable: FALSE

 

vulnerabilities.vulnerability.qidvulnerabilities.vulnerability.qid

Find the vulnerabilities by their Qualys IDs. You can search for a single QID or a comma-separated list of multiple QIDs enclosed in square brackets.

Examples

Show the vulnerability having the specified QID

vulnerabilities.vulnerability.qid: 42405

Show the vulnerability having the specified QIDs

vulnerabilities.vulnerability.qid: [42405, 42413, 42414]

 

vulnerabilities.vulnerability.threatIntelvulnerabilities.vulnerability.threatIntel

Find the vulnerabilities with Real-time Threat Indicators. Choose the threat indicators from the available options (Active Attacks, Denial of Service, Easy Exploit, Remote Code Execution, etc.)

Examples

Show assets with vulnerabilities due to Active Attacks

vulnerabilities.vulnerability.threatIntel: Active Attacks

Show assets with vulnerabilities due to Denial of Service

Vulnerabilities.vulnerability.threatIntel: Denial of Service

Show assets with vulnerabilities due to Remote Code Execution

vulnerabilities.vulnerability.threatIntel: Remote Code Execution

 

vulnerabilities.vulnerability.titlevulnerabilities.vulnerability.title

Find the vulnerabilities by their titles.  For exact search, enclose the token value in backticks` <value>`.

Examples

Show the vulnerabilities that are related to Remote Code Execution

vulnerabilities.vulnerability.title: Remote Code Execution

Show the vulnerabilities that contain “Remote,” “Code,” “Execution,” or "Remote Code Execution" in any combination in their titles

vulnerabilities.vulnerability.title: "Remote Code Execution"

Show the vulnerability having the specified title

vulnerabilities.vulnerability.title: `Rockwell Automation ControlLogix PLC Multiple Vulnerabilities(ICSA-13-011-03)`

 

For information about search tokens on the Assets tab, see Assets Search Tokens.

For information about search tokens on the Network tab, see Network Search Tokens.

For information about search tokens on the Import Asset tab, see Import Asset Search Tokens.