Alerting Tokens in VMDR

Use the following tokens to define alerting search criteria for Assets, Real-Time Threat Indicators (RTIs), and Vulnerabilities in the Rule Query of the Responses tab:

Generic Tokens

Operator precedence is NOT, then AND, then OR. You can use parentheses to override this precedence.

not

Use a boolean query to express your query using NOT logic.

Example

  • Show assets that don't have the Windows operating system
    not operatingSystem: Windows

and

Use a boolean query to express your query using AND logic.

Example

  • Find assets with certain tag and software installed
    tags.name:`Cloud Agent` and software: (name:`Cisco AnyConnect Secure Mobility Client` and version:`3.1.12345`)

or

Use a boolean query to express your query using OR logic.

Example

  • Show findings with one of these tag values
    tags.name:Cloud Agent or tags.name:Windows
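The precedence rule above (NOT binds tightest, then AND, then OR, with parentheses overriding) decides which assets a rule query alerts on, and getting it wrong silently widens or narrows an alert. The following added example, which is not Qualys code and only models the operator grammar described here, evaluates queries written with the three generic tokens against constructed sample assets; the leaf semantics (backticks exact, anything else a case-insensitive substring match) are a simplification assumed for the example.

```python
import re

# Constructed sample assets (not real inventory data); keys follow the page's token names.
ASSETS = [
    {"operatingSystem": "Windows 2012", "tags.name": ["Cloud Agent"]},
    {"operatingSystem": "CentOS 7", "tags.name": ["Cloud Agent", "Linux"]},
    {"operatingSystem": "Windows 10", "tags.name": ["Windows"]},
]

# One token per match: a parenthesis, one of the three keywords, or a field:value leaf whose
# value is backticked, double-quoted, or a single bare word (bare values end at whitespace).
_TOKEN = re.compile(r'\(|\)|\b(?:not|and|or)\b|[\w.]+:\s*(?:`[^`]*`|"[^"]*"|\S+)', re.I)


def tokenize(query):
    pos, tokens = 0, []
    for m in _TOKEN.finditer(query):
        if query[pos:m.start()].strip():
            raise ValueError(f"unexpected text near {query[pos:m.start()]!r}")
        tokens.append(m.group())
        pos = m.end()
    if query[pos:].strip():
        raise ValueError(f"unexpected text near {query[pos:]!r}")
    return tokens


def leaf_matches(token, asset):
    """Assumed leaf semantics: backticks = exact, case-sensitive; otherwise substring match."""
    field, raw = token.split(":", 1)
    raw = raw.strip()
    values = asset.get(field, [])
    values = values if isinstance(values, list) else [values]
    if raw.startswith("`") and raw.endswith("`"):
        return raw[1:-1] in values
    needle = raw.strip('"').lower()
    return any(needle in str(v).lower() for v in values)


class _Parser:
    """Recursive descent: or := and ('or' and)*; and := not ('and' not)*;
    not := 'not' not | primary; primary := '(' or ')' | leaf.
    Operands are evaluated before combining so every token is consumed."""

    def __init__(self, tokens, asset):
        self.toks, self.i, self.asset = tokens, 0, asset

    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("query ended unexpectedly")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def or_expr(self):  # OR binds loosest
        result = self.and_expr()
        while self.peek() == "or":
            self.take()
            rhs = self.and_expr()
            result = result or rhs
        return result

    def and_expr(self):  # AND binds tighter than OR
        result = self.not_expr()
        while self.peek() == "and":
            self.take()
            rhs = self.not_expr()
            result = result and rhs
        return result

    def not_expr(self):  # NOT binds tightest: it applies only to the next operand
        if self.peek() == "not":
            self.take()
            return not self.not_expr()
        return self.primary()

    def primary(self):
        if self.peek() == "(":
            self.take()
            result = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return result
        return leaf_matches(self.take(), self.asset)


def evaluate(query, asset):
    parser = _Parser(tokenize(query), asset)
    result = parser.or_expr()
    if parser.i != len(parser.toks):
        raise ValueError(f"unparsed tokens: {parser.toks[parser.i:]}")
    return result


def select(query, assets=ASSETS):
    """Return the operatingSystem of every sample asset the rule query matches."""
    return [a["operatingSystem"] for a in assets if evaluate(query, a)]
```

Compare `not operatingSystem:Windows and tags.name:`Cloud Agent`` (NOT applies only to the OS leaf, so only the CentOS host matches) with `not (operatingSystem:Windows and tags.name:`Cloud Agent`)` (the negation covers the whole conjunction, so the Windows 10 host without the Cloud Agent tag matches too).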

Alerting Tokens for Assets

assetId

Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.

Examples

  • Show this asset ID
    assetId: 2918869
  • Show asset IDs in this range
    assetId: [3546997 .. 12945655]
  • Show the 2 asset IDs listed
    assetId: [3546997,12945655]

created

Use a date range or specific date to define when assets were created, that is, when first scanned by a scanner appliance or when the agent was installed.

Examples

  • Show assets created within certain dates
    created:[2016-01-01 ... 2016-01-10]
  • Show assets created starting 2017-10-01, ending 1 month ago
    created:[2017-10-01 ... now-1M]
  • Show assets created starting 2 weeks ago, ending 1 second ago
    created:[now-2w ... now-1s]
  • Show assets created on a specific date
    created:'2018-01-08'

criticalityScore

Use an integer value (1-5) to help you find assets based on specific criticality score.

Examples

  • Show assets with criticality score 5
    criticalityScore:5
  • Show assets with criticality score 2
    criticalityScore:2

interfaces.hostname

Use quotes or backticks within values to help you find the hostname.

Examples

  • Show any findings related to name
    interfaces.hostname:xpsp2-jp-26-111
  • Show any findings that contain parts of name
    interfaces.hostname:"xpsp2-jp-26-111"
  • Show any findings that match exact value "xpsp2-jp-26-111"
    interfaces.hostname:`xpsp2-jp-26-111`
  • Show any findings related to name (we'll match super domains)
    interfaces.hostname:qcentos71sqp3.rdlab.acme.com
  • Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
    interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`

lastComplianceScanDate

Use a date range or specific date to define when compliance scans were last conducted. A full compliance scan triggers all QIDs; a custom compliance scan triggers only specific QIDs.

Examples

  • Show findings with last compliance scan within certain dates
    lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
  • Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
    lastComplianceScanDate: [2016-10-15 ... now-1M]
  • Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
    lastComplianceScanDate: [now-2w ... now-1s]
  • Show findings with last compliance scan on a specific date
    lastComplianceScanDate:'2017-02-18'

lastVmScanDate

Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. A full vulnerability scan triggers all QIDs; a custom vulnerability scan triggers only specific QIDs.

Examples

  • Show findings with the last vulnerability scan within certain dates
    lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
  • Show findings with the last vulnerability scan starting 2016-11-01, ending 1 month ago
    lastVmScanDateScanner: [2016-11-01 ... now-1M]
  • Show findings with the last vulnerability scan starting 2 weeks ago, ending 1 second ago
    lastVmScanDateScanner: [now-2w ... now-1s]
  • Show findings with the last vulnerability scan on a specific date
    lastVmScanDateScanner:'2017-04-10'

name

Use quotes or backticks within values to help you find the asset name.

Examples

  • Show any findings related to name
    name:QK2K12QP3-65-53
  • Show any findings that contain parts of name
    name:"QK2K12QP3-65-53"
  • Show any findings that match exact value "QK2K12QP3-65-53"
    name:`QK2K12QP3-65-53`

netbiosName

Use a text value to define the NetBIOS name.

Examples

  • Show assets with this exact name (case sensitive)
    netbiosName:EC2AMAZ-19OC2IT
  • Show assets with name starting with "EC2" (case sensitive)
    netbiosName:EC2*
  • Show assets with name ending with "c2it" (case insensitive)
    netbiosName:*c2it

operatingSystem

Use quotes or backticks within values to help you find the operating system.

Examples

  • Show any findings with this OS name
    operatingSystem:Windows 2012
  • Show any findings that contain components of OS name
    operatingSystem:"Windows 2012"
  • Show any findings that match exact value "Windows 2012"
    operatingSystem:`Windows 2012`

riskScore

Use an integer value (0-1000) to help you find assets based on a specific risk score.

Examples

  • Show assets with risk score 60
    riskScore:60
  • Show assets with risk score 25
    riskScore:25

tags.name

Use values within quotes or backticks to help you find the asset tag you are looking for.

Example

  • Show any findings that match exact value "Cloud Agent"
    tags.name:`Cloud Agent`

trackingMethod

Select the tracking method for the assets (IP, DNSNAME, NETBIOS, INSTANCE_ID, and so on). Select from names in the drop-down menu.

Examples

  • Show this asset tracked by IP
    trackingMethod: IP
  • Show asset tracked by NETBIOS
    trackingMethod: NETBIOS
  • Show assets tracked by EASM
    trackingMethod: EASM

updated

Use a date range or specific date to define when assets were updated (that is, when re-scanned by a scanner appliance, or when host data was uploaded to the cloud platform by an agent).

Examples

  • Show assets updated within certain dates
    updated:[2017-12-01 ... 2018-01-10]
  • Show assets updated starting 2017-10-01, ending 3 months ago
    updated:[2017-10-01 ... now-3M]
  • Show assets updated starting 2 weeks ago, ending 1 second ago
    updated:[now-2w ... now-1s]
  • Show assets updated on a specific date
    updated:'2018-03-10'

Alerting Tokens for Real-Time Threat Indicators (RTI)

vulnerabilities.vulnerability.threatIntel.activeAttacks

Use the values true | false to define real-time threats due to active attacks.

Examples

  • Show assets with threats due to active attacks
    vulnerabilities.vulnerability.threatIntel.activeAttacks: true
  • Show assets that don't have threats due to active attack
    vulnerabilities.vulnerability.threatIntel.activeAttacks: false

vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns

Use the values true | false to define real-time threats due to CISA Exploits.

Examples

  • Show assets with threats due to CISA exploit
    vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: true
  • Show assets that don't have threats due to CISA exploit
    vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: false

vulnerabilities.vulnerability.threatIntel.denialOfService

Use the values true | false to define real-time threats due to denial of service.

Examples

  • Show assets with threats due to denial of service
    vulnerabilities.vulnerability.threatIntel.denialOfService: true
  • Show assets that don't have threats due to denial of service
    vulnerabilities.vulnerability.threatIntel.denialOfService: false

vulnerabilities.vulnerability.threatIntel.easyExploit

Use the values true | false to define real-time threats due to easy exploit.

Examples

  • Show assets with threats due to easy exploit
    vulnerabilities.vulnerability.threatIntel.easyExploit: true
  • Show assets that don't have threats due to easy exploit
    vulnerabilities.vulnerability.threatIntel.easyExploit: false

vulnerabilities.vulnerability.threatIntel.exploitKit

Use the values true | false to define real-time threats due to the exploit kit.

Examples

  • Show assets with threats due to exploit kit
    vulnerabilities.vulnerability.threatIntel.exploitKit: true
  • Show assets that don't have threats due to exploit kit
    vulnerabilities.vulnerability.threatIntel.exploitKit: false

vulnerabilities.vulnerability.threatIntel.exploitKitName

Use quotes or backticks within values to help you find the exploit kit name. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler
  • Show any findings that match the exact value
    vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`

vulnerabilities.vulnerability.threatIntel.highDataLoss

Use the values true | false to define real-time threats due to high data loss.

Examples

  • Show assets with threats due to high data loss
    vulnerabilities.vulnerability.threatIntel.highDataLoss: true
  • Show assets that don't have threats due to high data loss
    vulnerabilities.vulnerability.threatIntel.highDataLoss: false

vulnerabilities.vulnerability.threatIntel.highLateralMovement

Use the values true | false to define real-time threats due to high lateral movement.

Examples

  • Show assets with threats due to high lateral movement
    vulnerabilities.vulnerability.threatIntel.highLateralMovement: true
  • Show assets that don't have threats due to high lateral movement
    vulnerabilities.vulnerability.threatIntel.highLateralMovement: false

vulnerabilities.vulnerability.threatIntel.malware

Use the values true | false to define real-time threats due to malware.

Examples

  • Show assets with threats due to malware
    vulnerabilities.vulnerability.threatIntel.malware: true
  • Show assets that don't have threats due to malware
    vulnerabilities.vulnerability.threatIntel.malware: false

vulnerabilities.vulnerability.threatIntel.malwareName

Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
  • Show any findings that match exact value
    vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`

vulnerabilities.vulnerability.threatIntel.noPatch

Use the values true | false to define real-time threats due to no patch available.

Examples

  • Show assets with threats due to no patch available
    vulnerabilities.vulnerability.threatIntel.noPatch: true
  • Show assets that don't have threats due to no patch available
    vulnerabilities.vulnerability.threatIntel.noPatch: false

vulnerabilities.vulnerability.threatIntel.publicExploit

Use the values true | false to define real-time threats due to public exploit.

Examples

  • Show assets with threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploit: true
  • Show assets that don't have threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploit: false

vulnerabilities.vulnerability.threatIntel.publicExploitName

Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
  • Show any findings that contain parts of the name
    vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
  • Show any findings that match the exact value
    vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`

vulnerabilities.vulnerability.threatIntel.zeroDay

Use the values true | false to define real-time threats due to zero day exploit.

Examples

  • Show assets with threats due to zero day exploit
    vulnerabilities.vulnerability.threatIntel.zeroDay: true
  • Show assets that don't have threats due to zero day exploit
    vulnerabilities.vulnerability.threatIntel.zeroDay: false

vulnerabilities.vulnerability.threatIntel.wormable

Use the values true | false to define real-time wormable threats.

Example

  • Show assets with wormable threats
    vulnerabilities.vulnerability.threatIntel.wormable: "true"

vulnerabilities.vulnerability.threatIntel.predictedHighRisk

Use the values true | false to define real-time threats due to predicted high risk.

Example

  • Show assets with predicted high risk threat
    vulnerabilities.vulnerability.threatIntel.predictedHighRisk: "true"

vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation

Use the values true | false to define real-time threats due to unauthenticated exploitation risk.

Example

  • Show assets with unauthenticated exploitation threat
    vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation: "true"

vulnerabilities.vulnerability.threatIntel.remoteCodeExecution

Use the values true | false to define real-time threats due to remote code execution risk.

Example

  • Show assets with remote code execution threat
    vulnerabilities.vulnerability.threatIntel.remoteCodeExecution: "true"

vulnerabilities.vulnerability.threatIntel.ransomware

Use the values true | false to define real-time threats due to a ransomware vulnerability.

Example

  • Show assets with ransomware threat
    vulnerabilities.vulnerability.threatIntel.ransomware: "true"

vulnerabilities.vulnerability.threatIntel.privilegeEscalation

Use the values true | false to define real-time threats due to privilege escalation risk.

Example

  • Show assets with privilege escalation threat
    vulnerabilities.vulnerability.threatIntel.privilegeEscalation: "true"

vulnerabilities.vulnerability.threatIntel.solorigateSunburst

Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.

Example

  • Show assets with Solorigate/Sunburst threat
    vulnerabilities.vulnerability.threatIntel.solorigateSunburst: "true"

Alerting Tokens for Vulnerability

vulnerabilities.detectionScore

Use an integer value (0-100) to help you find vulnerabilities based on specific detection score.

Examples

  • Show vulnerabilities with detection score 80
    vulnerabilities.detectionScore:80
  • Show vulnerabilities with detection score 25
    vulnerabilities.detectionScore:25

vulnerabilities.disabled

Use the values true | false to define whether vulnerabilities are disabled or enabled.

Example

  • Show findings with vulnerabilities disabled
    vulnerabilities.disabled:TRUE

vulnerabilities.firstFound

Use the date range or specific date to define when findings were first found.

Examples

  • Show findings first found within certain dates
    vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30]
  • Show findings first found starting 2015-10-01, ending 1 month ago
    vulnerabilities.firstFound:[2015-10-01 ... now-1M]
  • Show findings first found starting 2 weeks ago, ending 1 second ago
    vulnerabilities.firstFound:[now-2w ... now-1s]
  • Show findings first found on a certain date
    vulnerabilities.firstFound:'2016-11-11'

vulnerabilities.ignored

Use an integer value to help you find vulnerabilities that have been marked as ignored.

Example

  • Show vulnerabilities that are marked as ignored
    vulnerabilities.ignored:TRUE

vulnerabilities.instance

Use a text value to help you find vulnerabilities found on a certain instance.

Example

  • Show vulnerabilities found in this instance
    vulnerabilities.instance:oracle

vulnerabilities.lastFound

Use a date range or specific date to define when findings were last found.

Examples

  • Show findings last found within certain dates
    vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15]
  • Show findings last found starting 2016-01-01, ending 1 month ago
    vulnerabilities.lastFound:[2016-01-01 ... now-1M]
  • Show findings last found starting 2 weeks ago, ending 1 second ago
    vulnerabilities.lastFound:[now-2w ... now-1s]
  • Show findings last found on a certain date
    vulnerabilities.lastFound:'2016-01-11'
  • Show findings last found within certain number of days
    vulnerabilities.lastFound: [91..180]
  • Show findings last found on 2017-01-12 with patch available
    vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
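The date tokens on this page (created, updated, lastComplianceScanDate, lastVmScanDate, firstFound and lastFound) all accept the same value forms: an absolute 'YYYY-MM-DD' day, an inclusive range `[start ... end]`, and relative endpoints such as `now-2w`, `now-1M` and `now-1s`. The following added example, which is not Qualys code, resolves those forms against a fixed evaluation time and applies them to constructed findings. The page documents the units s, w and M; the m, h, d and y units, the inclusive bounds, and the whole-day interpretation of a single date are assumptions made for the example.

```python
import calendar
import re
from datetime import datetime, timedelta

# now-<n><unit>: the page uses s (seconds), w (weeks) and M (months); m, h, d and y
# are assumed by analogy and are not documented on the page.
_REL = re.compile(r"^now(?:([+-])(\d+)([smhdwMy]))?$")
_RANGE = re.compile(r"^\[\s*(\S+)\s*\.\.\.\s*(\S+)\s*\]$")
_FIXED = {"s": timedelta(seconds=1), "m": timedelta(minutes=1), "h": timedelta(hours=1),
          "d": timedelta(days=1), "w": timedelta(weeks=1)}


def _shift_months(dt, months):
    """Calendar-aware month arithmetic: 31 Mar minus 1M is 28 Feb, not 3 Mar."""
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def resolve(expr, now):
    """Turn 'YYYY-MM-DD' (optionally single-quoted) or now[-n unit] into a datetime."""
    expr = expr.strip().strip("'")
    m = _REL.match(expr)
    if not m:
        return datetime.strptime(expr, "%Y-%m-%d")
    if m.group(1) is None:
        return now
    n = int(m.group(2)) * (-1 if m.group(1) == "-" else 1)
    unit = m.group(3)
    if unit == "M":
        return _shift_months(now, n)
    if unit == "y":
        return _shift_months(now, 12 * n)
    return now + n * _FIXED[unit]


def date_bounds(value, now):
    """Inclusive (start, end) for a token value: [a ... b] or a single date (whole day)."""
    m = _RANGE.match(value.strip())
    if m:
        start, end = resolve(m.group(1), now), resolve(m.group(2), now)
        if start > end:
            raise ValueError(f"range start {start} is after end {end}")
        return start, end
    day = resolve(value, now)
    return day, day + timedelta(days=1) - timedelta(seconds=1)


def matches(value, timestamp, now):
    """True when the asset or finding timestamp falls inside the token's date window."""
    start, end = date_bounds(value, now)
    return start <= timestamp <= end


def filter_by_date(value, records, field, now):
    """Apply one date token value (e.g. lastFound:[now-2w ... now-1s]) to records."""
    return [r["id"] for r in records if matches(value, r[field], now)]


# Constructed sample findings with a fixed evaluation time so results are reproducible.
NOW = datetime(2018, 3, 31, 12, 0, 0)
RECORDS = [
    {"id": "a", "lastFound": datetime(2018, 3, 20, 9, 0)},
    {"id": "b", "lastFound": datetime(2018, 2, 28, 12, 0)},
    {"id": "c", "lastFound": datetime(2016, 1, 11, 23, 30)},
]
```

Relative endpoints move with the clock, so a rule such as `lastFound:[now-2w ... now-1s]` covers a different window every time it is evaluated; pin `now` when reproducing why a rule fired.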

vulnerabilities.nonExploitableService

Use the values true | false to define vulnerabilities that exist on non-exploitable services.

Example

  • Show findings on non-exploitable services
    vulnerabilities.nonExploitableService:TRUE

vulnerabilities.nonRunningKernel

Use the values true | false to view vulnerabilities found on the non-running kernel.

Examples

  • Show detections found on non-running Kernel
    vulnerabilities.nonRunningKernel:TRUE
  • Show detections found on running Kernel
    vulnerabilities.nonRunningKernel:FALSE

vulnerabilities.port

Use an integer value to help you find vulnerabilities found on a certain port.

Example

  • Show vulnerabilities found on this port
    vulnerabilities.port:443

vulnerabilities.protocol

Use a text value (UDP or TCP) to define the port protocol.

Example

  • Show vulnerabilities found on TCP protocol
    vulnerabilities.protocol:TCP

vulnerabilities.severity

Use an integer value (1-5) to find assets with vulnerabilities at the severity level you have set. Select from values in the drop-down menu. If you have not set a severity level, the level set by Qualys applies.

Example

  • Show findings with severity 5
    vulnerabilities.severity:5

vulnerabilities.status

Select a status (for example, Active, Fixed, New, or Reopened) to find vulnerabilities with certain statuses. Select from names in the drop-down menu.

If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.

Example

  • Show vulnerabilities with Fixed status
    vulnerabilities.status:FIXED

vulnerabilities.typeDetected

Select a detection type (for example, Confirmed, Potential, or Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.

Example

  • Show findings with this type
    vulnerabilities.typeDetected:Confirmed

vulnerabilities.vulnerability.criticality

Select a criticality ("CRITICAL", "HIGH", "MEDIUM", "LOW", or "NONE") to find assets with vulnerabilities of that criticality. Select from names in the drop-down menu. If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score is used instead.

Criticality maps to the CVSS Base score (0.0 to 10.0) as follows:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

Example

  • Show vulnerabilities with HIGH criticality
    vulnerabilities.vulnerability.criticality: "HIGH"
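The band boundaries above and the CVSSv3-before-CVSSv2 rule are easy to get wrong when reproducing a criticality filter outside the platform, for instance when reconciling an alert against a SIEM. The following added example, which is not Qualys code, implements the mapping as the page states it over constructed findings; the handling of a QID that has neither score (returning None) and the made-up QIDs and scores are assumptions for the example.

```python
def criticality(cvss_v3=None, cvss_v2=None):
    """Map a QID's CVSS Base score to the criticality bands listed above.
    The v3 Base score is used when present; otherwise the v2 Base score is used.
    A QID with neither score returns None (an assumption; the page does not say)."""
    score = cvss_v3 if cvss_v3 is not None else cvss_v2
    if score is None:
        return None
    score = round(float(score), 1)  # CVSS Base scores carry one decimal place
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS Base score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score <= 3.9:
        return "LOW"
    if score <= 6.9:
        return "MEDIUM"
    if score <= 8.9:
        return "HIGH"
    return "CRITICAL"


def findings_with_criticality(findings, wanted):
    """Local stand-in for vulnerabilities.vulnerability.criticality: "<wanted>"."""
    return [f["qid"] for f in findings
            if criticality(f.get("cvss_v3"), f.get("cvss_v2")) == wanted]


# Constructed sample findings; the QIDs and scores are made up for the example.
FINDINGS = [
    {"qid": 1001, "cvss_v3": 9.8, "cvss_v2": 10.0},
    {"qid": 1002, "cvss_v3": None, "cvss_v2": 7.5},  # no v3 score: v2 decides
    {"qid": 1003, "cvss_v3": 4.0, "cvss_v2": 9.3},   # v3 present: v2 is ignored
    {"qid": 1004, "cvss_v3": 0.0, "cvss_v2": None},
]
```

Note that QID 1003 is MEDIUM even though its v2 score alone would be CRITICAL: the v2 score only matters when no v3 score exists.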

vulnerabilities.vulnerability.cveIds

Use a text value to find the CVE name.

The CVE in the query is case-sensitive and must be written in upper case.

Example

  • Show findings with CVE name CVE-2015-0313
    vulnerabilities.vulnerability.cveIds:CVE-2015-0313


vulnerabilities.vulnerability.description

Use quotes or backticks within values to help you find the vulnerability description.

Examples

  • Show any findings related to description
    vulnerabilities.vulnerability.description:remote code execution
  • Show any findings that contain "remote" or "code" in description
    vulnerabilities.vulnerability.description:"remote code execution"
  • Show any findings that match exact value "remote code execution"
    vulnerabilities.vulnerability.description:`remote code execution`

vulnerabilities.vulnerability.os

Use quotes or backticks within values to help you find the operating system that was detected with vulnerabilities.

Examples

  • Show any findings related to this OS value
    vulnerabilities.vulnerability.os:windows
  • Show any findings that contain parts of OS value
    vulnerabilities.vulnerability.os:"windows"
  • Show any findings that match exact value "windows"
    vulnerabilities.vulnerability.os:`windows`

vulnerabilities.vulnerability.patchAvailable

Use the values true | false to define vulnerabilities with patches available.

Examples

  • Show findings with patch available
    vulnerabilities.vulnerability.patchAvailable:TRUE
  • Show findings with no patch available
    vulnerabilities.vulnerability.patchAvailable:FALSE

vulnerabilities.vulnerability.qid

Use an integer value to define the QID.

Example

  • Show findings with QID 90405
    vulnerabilities.vulnerability.qid: 90405

vulnerabilities.vulnerability.qualysPatchable

Use the values true | false to define vulnerabilities that can be patched through Qualys.

Examples

  • Show vulnerabilities with patches available at Qualys
    vulnerabilities.vulnerability.qualysPatchable:"TRUE"
  • Show vulnerabilities with patches not available at Qualys
    vulnerabilities.vulnerability.qualysPatchable:"FALSE"

vulnerabilities.vulnerability.rebootRequired

Use the values true | false to find vulnerabilities that need a reboot.

Example

  • Show vulnerabilities that need reboot
    vulnerabilities.vulnerability.rebootRequired: TRUE

vulnerabilities.vulnerability.title

Use quotes or backticks within values to help you find the title.

Examples

  • Show any findings related to this title
    vulnerabilities.vulnerability.title:Remote Code Execution
  • Show any findings that contain "Remote" or "Code" in title
    vulnerabilities.vulnerability.title:"Remote Code"
  • Show any findings that match exact value "Remote Code"
    vulnerabilities.vulnerability.title:`Remote Code`
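The text tokens on this page (interfaces.hostname, name, operatingSystem, the RTI name tokens, description, os and title) all distinguish three value forms: a bare value, a double-quoted value that matches on parts of the text, and a backticked value that must match exactly. Choosing the wrong form is a common cause of over-broad alerts. The following added example, which is not Qualys code and does not reproduce the platform's text analyzer, models the three forms over constructed sample values: backticks require the whole value, quotes accept any word, and a bare value requires every word, with the hostname case also matching a super domain of the queried name as the interfaces.hostname section describes. Those three match rules are an assumption made for the example.

```python
import re

# Constructed sample field values (not from a real Qualys inventory).
SAMPLE = {
    "interfaces.hostname": ["xpsp2-jp-26-111", "qcentos71sqp3.rdlab.acme.com",
                            "rdlab.acme.com", "web01.acme.com"],
    "operatingSystem": ["Windows 2012", "Windows 2012 R2", "Windows 2016", "CentOS 7"],
    "vulnerabilities.vulnerability.title": ["Remote Code Execution in Foo",
                                            "Remote Information Disclosure",
                                            "Local Denial of Service"],
}


def _words(text):
    """Lower-case word tokens, splitting on dots, hyphens, spaces and other separators."""
    return [w for w in re.split(r"[^a-z0-9]+", text.lower()) if w]


def match_mode(raw):
    """Classify a token value: ('exact', v) for `v`, ('any', v) for "v", ('all', v) bare."""
    if len(raw) >= 2 and raw[0] == raw[-1] == "`":
        return "exact", raw[1:-1]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "any", raw[1:-1]
    return "all", raw


def value_matches(raw, candidate, hostname=False):
    mode, needle = match_mode(raw)
    if mode == "exact":                      # backticks: whole value, case-sensitive
        return candidate == needle
    q, c = _words(needle), _words(candidate)
    if mode == "any":                        # quotes: any word of the value is enough
        return any(w in c for w in q)
    # bare value: every word must be present; for hostnames a super domain of the
    # queried name (its labels are a suffix of the query's labels) also matches
    if hostname and c and q[-len(c):] == c:
        return True
    return all(w in c for w in q)


def search(field, raw, data=SAMPLE):
    """Return the sample values of `field` that the token value `raw` would select."""
    is_host = field.endswith("hostname")
    return [v for v in data[field] if value_matches(raw, v, hostname=is_host)]
```

Under this model `"Windows 2012"` also selects Windows 2016 (it shares the word Windows), while `` `Windows 2012` `` selects only the one exact value; when an alert should fire for a single product or host, the backticked form is the safe choice.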

vulnerabilities.vulnerability.vendors.productName

Use a text value to find the vendor product name.

Example

  • Show findings with this vendor product name
    vulnerabilities.vulnerability.vendors.productName:Windows

vulnerabilities.vulnerability.vendors.vendorName

Use a text value to find the vendor name.

Example

  • Show findings with this vendor name
    vulnerabilities.vulnerability.vendors.vendorName:Adobe