Use the following tokens to define alerting search criteria for Assets, RTIs, and Vulnerability in the Rule Query of the Responses tab:
The order of precedence for the operators is NOT, AND, OR. You can use parentheses to override this precedence.
Use a boolean query to express your query using NOT logic.
Example
not operatingSystem: Windows
Use a boolean query to express your query using AND logic.
Example
tags.name:`Cloud Agent` and software: (name:`Cisco AnyConnect Secure Mobility Client` and version:`3.1.12345`)
Use a boolean query to express your query using OR logic.
Example
tags.name:`Cloud Agent` or tags.name:Windows
assetId
Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.
Examples
assetId: 2918869
assetId: [3546997 .. 12945655]
assetId: [3546997,12945655]
created
Use a date range or specific date to define when assets were created, that is, when they were first scanned by a scanner appliance or when the agent was installed.
Examples
created:[2016-01-01 ... 2016-01-10]
created:[2017-10-01 ... now-1M]
created:[now-2w ... now-1s]
created:'2018-01-08'
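The relative bounds in these ranges (now-1M, now-2w ... now-1s) are resolved against the current time when the rule runs. The following Python is an added illustration, not code from Qualys: it resolves such bounds against a fixed reference time, splits a bracketed range into its two bounds, and checks whether an asset's creation date falls inside the window or matches a single quoted date. The full set of unit letters (s, m, h, d, w, M, y), the inclusive bounds and the UTC interpretation are this example's assumptions; the page itself shows only the M, w and s forms.

```python
import calendar
import re
from datetime import datetime, timezone, timedelta

# Assumed unit letters for relative dates: s, m, h, d, w are fixed spans; M (months) and y (years)
# use calendar arithmetic. The page shows M, w and s; the remaining letters are this example's assumption.
RELATIVE_RE = re.compile(r"^now(?:([+-])(\d+)([smhdwMy]))?$")
FIXED_UNITS = {"s": timedelta(seconds=1), "m": timedelta(minutes=1), "h": timedelta(hours=1),
               "d": timedelta(days=1), "w": timedelta(weeks=1)}

def shift_months(dt, months):
    """Move dt by whole months, clamping the day to the target month's length (Mar 31 minus 1M is Feb 28)."""
    total = dt.year * 12 + dt.month - 1 + months
    year, month0 = divmod(total, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)

def resolve(bound, now):
    """Turn one bound into an aware UTC datetime: 'now', a 'now-1M'-style offset, or an ISO date."""
    bound = bound.strip().strip("'\"`")
    m = RELATIVE_RE.match(bound)
    if not m:
        return datetime.fromisoformat(bound).replace(tzinfo=timezone.utc)
    sign, amount, unit = m.groups()
    if amount is None:
        return now
    n = int(amount) * (-1 if sign == "-" else 1)
    if unit in FIXED_UNITS:
        return now + n * FIXED_UNITS[unit]
    return shift_months(now, n * (12 if unit == "y" else 1))

def parse_range(token_value):
    """Split "[lo ... hi]" (or "[lo .. hi]") into its two bound strings."""
    inner = token_value.strip()
    if not (inner.startswith("[") and inner.endswith("]")):
        raise ValueError(f"not a bracketed range: {token_value!r}")
    bounds = re.split(r"\s*\.{2,3}\s*", inner[1:-1].strip())
    if len(bounds) != 2:
        raise ValueError(f"a range needs exactly two bounds: {token_value!r}")
    return bounds[0], bounds[1]

def matches_date(token_value, value_iso, now):
    """Evaluate a date token: a bracketed range (inclusive bounds) or a single date (same calendar day)."""
    value = datetime.fromisoformat(value_iso).replace(tzinfo=timezone.utc)
    if token_value.strip().startswith("["):
        lo, hi = (resolve(b, now) for b in parse_range(token_value))
        if lo > hi:
            raise ValueError(f"empty range, lower bound is after upper bound: {token_value!r}")
        return lo <= value <= hi
    return resolve(token_value, now).date() == value.date()

# Fixed reference time so the results are reproducible (constructed, not the real clock).
NOW = datetime(2018, 3, 15, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for token in ("[2017-10-01 ... now-1M]", "[now-2w ... now-1s]", "'2018-01-08'"):
        print(f"created:{token:28} -> {matches_date(token, '2018-03-10', NOW)}")
```

With the reference time fixed at 2018-03-15 12:00 UTC, `now-1M` resolves to 2018-02-15 12:00, `now-2w` to 2018-03-01 12:00 and `now-1s` to one second before the reference, so an asset created on 2018-03-10 falls inside `[now-2w ... now-1s]` but outside `[2017-10-01 ... now-1M]`.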
criticalityScore
Use an integer value (1-5) to help you find assets based on a specific criticality score.
Examples
criticalityScore:5
criticalityScore:2
interfaces.hostname
Use quotes or backticks within values to help you find the hostname.
Examples
interfaces.hostname:xpsp2-jp-26-111
interfaces.hostname:"xpsp2-jp-26-111"
interfaces.hostname:`xpsp2-jp-26-111`
interfaces.hostname:qcentos71sqp3.rdlab.acme.com
interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`
lastComplianceScanDate
Use a date range or specific date to define when compliance scans were last conducted. In a full compliance scan, all QIDs are triggered; in a custom compliance scan, only specific QIDs are triggered.
Examples
lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
lastComplianceScanDate: [2016-10-15 ... now-1M]
lastComplianceScanDate: [now-2w ... now-1s]
lastComplianceScanDate:'2017-02-18'
lastVmScanDateScanner
Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. In a full vulnerability scan, all QIDs are triggered; in a custom vulnerability scan, only specific QIDs are triggered.
Examples
lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
lastVmScanDateScanner: [2016-11-01 ... now-1M]
lastVmScanDateScanner: [now-2w ... now-1s]
lastVmScanDateScanner:'2017-04-10'
name
Use quotes or backticks within values to help you find the asset name.
Examples
name:QK2K12QP3-65-53
name:"QK2K12QP3-65-53"
name:`QK2K12QP3-65-53`
netbiosName
Use a text value to define the NetBIOS name.
Examples
netbiosName:EC2AMAZ-19OC2IT
netbiosName:EC2*
netbiosName:*c2it
riskScore
Use an integer value (0-1000) to help you find assets based on a specific risk score.
Examples
riskScore:60
riskScore:25
trackingMethod
Select the tracking method for the assets (IP, DNSNAME, NETBIOS, INSTANCE_ID, etc.). Select from the names in the drop-down menu.
Examples
trackingMethod: IP
trackingMethod: NETBIOS
trackingMethod: EASM
updated
Use a date range or specific date to define when assets were updated, that is, when they were re-scanned by a scanner appliance or when host data was uploaded to the cloud platform by an agent.
Examples
updated:[2017-12-01 ... 2018-01-10]
updated:[2017-10-01 ... now-3M]
updated:[now-2w ... now-1s]
updated:'2018-03-10'
vulnerabilities.vulnerability.threatIntel.activeAttacks
Use the values true | false to define real-time threats due to active attacks.
Examples
vulnerabilities.vulnerability.threatIntel.activeAttacks: true
vulnerabilities.vulnerability.threatIntel.activeAttacks: false
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns
Use the values true | false to define real-time threats due to CISA known exploited vulnerabilities.
Examples
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: true
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: false
vulnerabilities.vulnerability.threatIntel.denialOfService
Use the values true | false to define real-time threats due to denial of service.
Examples
vulnerabilities.vulnerability.threatIntel.denialOfService: true
vulnerabilities.vulnerability.threatIntel.denialOfService: false
vulnerabilities.vulnerability.threatIntel.easyExploit
Use the values true | false to define real-time threats due to easy exploit.
Examples
vulnerabilities.vulnerability.threatIntel.easyExploit: true
vulnerabilities.vulnerability.threatIntel.easyExploit: false
vulnerabilities.vulnerability.threatIntel.exploitKit
Use the values true | false to define real-time threats due to an exploit kit.
Examples
vulnerabilities.vulnerability.threatIntel.exploitKit: true
vulnerabilities.vulnerability.threatIntel.exploitKit: false
vulnerabilities.vulnerability.threatIntel.exploitKitName
Use quotes or backticks within values to help you find the exploit kit name. Quotes can be used when the value has more than one word.
Examples
vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler
vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`
vulnerabilities.vulnerability.threatIntel.highDataLoss
Use the values true | false to define real-time threats due to high data loss.
Examples
vulnerabilities.vulnerability.threatIntel.highDataLoss: true
vulnerabilities.vulnerability.threatIntel.highDataLoss: false
vulnerabilities.vulnerability.threatIntel.highLateralMovement
Use the values true | false to define real-time threats due to high lateral movement.
Examples
vulnerabilities.vulnerability.threatIntel.highLateralMovement: true
vulnerabilities.vulnerability.threatIntel.highLateralMovement: false
vulnerabilities.vulnerability.threatIntel.malware
Use the values true | false to define real-time threats due to malware.
Examples
vulnerabilities.vulnerability.threatIntel.malware: true
vulnerabilities.vulnerability.threatIntel.malware: false
vulnerabilities.vulnerability.threatIntel.malwareName
Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.
Examples
vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
vulnerabilities.vulnerability.threatIntel.noPatch
Use the values true | false to define real-time threats due to no patch being available.
Examples
vulnerabilities.vulnerability.threatIntel.noPatch: true
vulnerabilities.vulnerability.threatIntel.noPatch: false
vulnerabilities.vulnerability.threatIntel.publicExploit
Use the values true | false to define real-time threats due to a public exploit.
Examples
vulnerabilities.vulnerability.threatIntel.publicExploit: true
vulnerabilities.vulnerability.threatIntel.publicExploit: false
vulnerabilities.vulnerability.threatIntel.publicExploitName
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
vulnerabilities.vulnerability.threatIntel.zeroDay
Use the values true | false to define real-time threats due to a zero-day exploit.
Examples
vulnerabilities.vulnerability.threatIntel.zeroDay: true
vulnerabilities.vulnerability.threatIntel.zeroDay: false
vulnerabilities.vulnerability.threatIntel.wormable
Use the values true | false to define real-time wormable threats.
Example
vulnerabilities.vulnerability.threatIntel.wormable: "true"
vulnerabilities.vulnerability.threatIntel.predictedHighRisk
Use the values true | false to define real-time threats due to predicted high risk.
Example
vulnerabilities.vulnerability.threatIntel.predictedHighRisk: "true"
vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation
Use the values true | false to define real-time threats due to unauthenticated exploitation risk.
Example
vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation: "true"
vulnerabilities.vulnerability.threatIntel.remoteCodeExecution
Use the values true | false to define real-time threats due to remote code execution risk.
Example
vulnerabilities.vulnerability.threatIntel.remoteCodeExecution: "true"
vulnerabilities.vulnerability.threatIntel.ransomware
Use the values true | false to define real-time threats due to ransomware vulnerability.
Example
vulnerabilities.vulnerability.threatIntel.ransomware: "true"
vulnerabilities.vulnerability.threatIntel.privilegeEscalation
Use the values true | false to define real-time threats due to privilege escalation risk.
Example
vulnerabilities.vulnerability.threatIntel.privilegeEscalation: "true"
vulnerabilities.vulnerability.threatIntel.solorigateSunburst
Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.
Example
vulnerabilities.vulnerability.threatIntel.solorigateSunburst: "true"
vulnerabilities.detectionScore
Use an integer value (0-100) to help you find vulnerabilities based on a specific detection score.
Examples
vulnerabilities.detectionScore:80
vulnerabilities.detectionScore:25
vulnerabilities.disabled
Use the values true | false to find vulnerabilities that are disabled or enabled.
Example
vulnerabilities.disabled:TRUE
vulnerabilities.firstFound
Use a date range or specific date to define when findings were first found.
Examples
vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30]
vulnerabilities.firstFound:[2015-10-01 ... now-1M]
vulnerabilities.firstFound:[now-2w ... now-1s]
vulnerabilities.firstFound:'2016-11-11'
vulnerabilities.ignored
Use the values true | false to help you find vulnerabilities that have been marked as ignored.
Example
vulnerabilities.ignored:TRUE
vulnerabilities.instance
Use a text value to help you find vulnerabilities found on a certain instance.
Example
vulnerabilities.instance:oracle
vulnerabilities.lastFound
Use a date range or specific date to define when findings were last found.
Examples
vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15]
vulnerabilities.lastFound:[2016-01-01 ... now-1M]
vulnerabilities.lastFound:[now-2w ... now-1s]
vulnerabilities.lastFound:'2016-01-11'
vulnerabilities.lastFound: [91..180]
vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
vulnerabilities: (lastFound: AND vulnerability.patchAvailable:TRUE)
vulnerabilities.nonExploitableService
Use the values true | false to define vulnerabilities that exist on non-exploitable services.
Example
vulnerabilities.nonExploitableService:TRUE
vulnerabilities.nonRunningKernel
Use the values true | false to view vulnerabilities found on the non-running kernel.
Examples
vulnerabilities.nonRunningKernel:TRUE
vulnerabilities.nonRunningKernel:FALSE
vulnerabilities.port
Use an integer value to help you find vulnerabilities found on a certain port.
Example
vulnerabilities.port:443
vulnerabilities.protocol
Use a text value (UDP or TCP) to define the port protocol.
Example
vulnerabilities.protocol:TCP
vulnerabilities.severity
Use an integer value (1-5) for the severity level you set to find assets with vulnerabilities of that severity. Select from the values in the drop-down menu. If you do not set a severity level, the level set by Qualys is used.
Example
vulnerabilities.severity:5
vulnerabilities.status
Select a status (for example, Active, Fixed, New, or Reopened) to find vulnerabilities with certain statuses. Select from names in the drop-down menu.
If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.
Example
vulnerabilities.status:FIXED
vulnerabilities.typeDetected
Select a detection type (for example, Confirmed, Potential, or Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
Example
vulnerabilities.typeDetected:Confirmed
vulnerabilities.vulnerability.criticality
Select a criticality (for example, "CRITICAL", "HIGH", "MEDIUM", "LOW", or "NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu. If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score is used instead.
The following list of criticality defines the CVSS Score from 0.0 to 10.0:
Example
vulnerabilities.vulnerability.criticality: "HIGH"
vulnerabilities.vulnerability.cveIds
Use a text value to find a CVE ID.
The CVE ID in the query is case-sensitive and must be written in upper case.
Example
vulnerabilities.vulnerability.cveIds:CVE-2015-0313
vulnerabilities.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description.
Examples
vulnerabilities.vulnerability.description:remote code execution
vulnerabilities.vulnerability.description:"remote code execution"
vulnerabilities.vulnerability.description:`remote code execution`
vulnerabilities.vulnerability.os
Use quotes or backticks within values to help you find the operating system that was detected with vulnerabilities.
Examples
vulnerabilities.vulnerability.os:windows
vulnerabilities.vulnerability.os:"windows"
vulnerabilities.vulnerability.os:`windows`
vulnerabilities.vulnerability.patchAvailable
Use the values true | false to define vulnerabilities with patches available.
Examples
vulnerabilities.vulnerability.patchAvailable:TRUE
vulnerabilities.vulnerability.patchAvailable:FALSE
vulnerabilities.vulnerability.qid
Use an integer value to define the QID.
Example
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.qualysPatchable
Use the values true | false to find vulnerabilities that can be patched by Qualys.
Examples
vulnerabilities.vulnerability.qualysPatchable:"TRUE"
vulnerabilities.vulnerability.qualysPatchable:"FALSE"
vulnerabilities.vulnerability.rebootRequired
Use the values true | false to find vulnerabilities that need a reboot.
Example
vulnerabilities.vulnerability.rebootRequired: TRUE
vulnerabilities.vulnerability.title
Use quotes or backticks within values to help you find the title.
Examples
vulnerabilities.vulnerability.title:Remote Code Execution
vulnerabilities.vulnerability.title:"Remote Code"
vulnerabilities.vulnerability.title:`Remote Code`
vulnerabilities.vulnerability.vendors.productName
Use a text value to find the vendor product name.
Example
vulnerabilities.vulnerability.vendors.productName:Windows
vulnerabilities.vulnerability.vendors.vendorName
Use a text value to find the vendor name.
Example
vulnerabilities.vulnerability.vendors.vendorName:Adobe