How to Search in VMDR
Search by Field | Search without Field | String matching | Exact matching | Full text search | Suffix matching | Prefix matching | Is Null queries | Range searches | Date searches | Multiple values (In, Not In) | Boolean operators | Nested queries | Query limits
Search by Field
Enter the field name, then a colon, then your query. Nested fields are dot-separated.
Examples:
openPorts.port: 80
accounts.username: administrator
operatingSystem: win*
Search without Field
When your query doesn’t have a field name, we perform the broadest possible search across the attributes of all fields included in the Asset Index (100+ field names).
The Asset Index does not include some fields like tag name and vulnerability title. For these fields, you need to search by field name.
- How it works: A search for `win` without a field name will return assets where `win` appears in the asset name, hostname, operating system, software name, and so on.
- Syntax help: Use single quotes or double quotes around your query to match a string. Using wildcards, you can perform prefix matching or suffix matching.
String Matching
Use single or double quotes around your query to match a string with more than one word. Note that interfaces.address and software.version are text fields and support string matching.
Examples:
tags.name: "Cloud Agent"
operatingSystem: 'Microsoft Windows'
interfaces.address: 10.10.10.10
software.version: 2.1.7
vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"
- To match the start of a value, use an asterisk (*) as a wildcard. To find asset names starting with WINDOWS2008, use:
name:WINDOWS2008*
Wildcards can only be used for prefix and suffix matching. We do not support sub-string wildcards, which means you cannot search for a string in the middle of another string.
Exact Matching
Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.
Examples:
operatingSystem:`Windows 7 Ultimate Service Pack 1`
interfaces.hostname:`xpsp2-jp-26-111`
Full-Text Search
Many asset fields containing text allow you to use full-text and advanced search capabilities. We'll perform the broadest search if your query does not include single or double quotes.
Examples:
- Show any findings related to this title
vulnerabilities.vulnerability.title: Remote Code Execution
- Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote Code"
- Show any findings that match the exact value of "Remote Code."
vulnerabilities.vulnerability.title: `Remote Code`
- Show any findings that match the nested query. Both sub-fields must match for an asset to be returned.
vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable: "true")
Suffix matching
Suffix matching is supported when searching assets on your Assets list for the fields "name", "tags.name" and "netbiosName". Match asset values "ending in" a string you specify - using a string that starts with *. Matches are case-insensitive.
Examples:
- This query matches assets with an asset name ending in "53," like QKxxxxP3-65-53.
name:*53
- This query matches assets with tag names ending in "region east," like Region East, a region east, or Region EAST.
tags.name:*Region East
Suffix matching is also supported for the field "interfaces.hostname," but the syntax differs.
Example:
- These queries match assets with the hostname "com-pa3xxx-36.xxx.xxx.qualys.com".
interfaces.hostname:qualys.com
interfaces.hostname:xxx01.qualys.co
interfaces.hostname:eng.xxx01.qualys.co
interfaces.hostname:*lys.com
Prefix matching
Prefix matching is supported when searching assets (on your Assets list) using specific text fields. Match asset values "starting with" a string you specify - using a string that ends with *. Matches are case-sensitive.
Examples:
- This query matches assets with an asset name starting with "xp" like xpsp2-jp-26-111.
name:xp*
- This query matches assets with tag names starting with "Win," like Windows XP, Windows 2012, and Windows Hosts.
tags.name:Win*
- This query matches assets with a hostname starting with "com-pa30" like com-pa3xxx-36.xxx.xxx01.qualys.com.
interfaces.hostname:com-pa30*
- This query matches assets with an operating system starting with "Lin" like Linux 2.4-2.6.
operatingSystem:Lin*
Is Null Queries
Want to match an empty/null value for a field? You must remove the colon and then write "is null." For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem is null
interfaces.macAddress is null
Range searches
Ranges can be specified with the [lower .. upper] syntax, using () and/or [] as follows: a square bracket makes that bound inclusive, and a parenthesis makes it exclusive. This is supported for numeric and date fields.
interfaces.address and software.version are text fields, not numeric fields, so you cannot perform range searches on them. See String matching to search text fields.
Examples:
- Greater than but not equal to 123 and less than but not equal to 1234.
openPorts.port:(123 .. 1234)
- Greater than but not equal to 123 and less than or equal to 1234.
openPorts.port:(123 .. 1234]
- Greater than or equal to 123 and less than but not equal to 1234.
openPorts.port:[123 .. 1234)
- Greater than or equal to 123 and less than or equal to 1234.
openPorts.port:[123 .. 1234]
- Greater than 123.
openPorts.port > 123
- Greater than or equal to 123.
openPorts.port >= 123
- Less than 1234.
openPorts.port < 1234
- Less than or equal to 1234.
openPorts.port <= 1234
- Between January 1st and April 1st 2018.
vulnerabilities.firstFound: [2018-01-01 .. 2018-04-01]
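To make the bracket semantics concrete, here is an added Python example (not part of the Qualys documentation or product) that parses the range syntax described above and evaluates whether a value falls inside it, honouring inclusive [ ] and exclusive ( ) bounds for both numeric and date ranges. The function names parse_range, matches and assets_matching, the constructed sample asset list and the in-memory evaluation are assumptions for illustration; the real evaluation happens in VMDR's asset index, and relative date tokens such as now-3d are deliberately not handled here.

```python
import re
from datetime import date

# Range syntax as documented on this page: "[" and "]" make a bound inclusive,
# "(" and ")" make it exclusive, and the two bounds are separated by "..".
_RANGE = re.compile(r"^([\[(])\s*(\S+?)\s*\.\.\s*(\S+?)\s*([\])])$")


def _coerce(token):
    """Turn a bound or a value into something comparable: int, float or ISO date."""
    token = token.strip('"')  # date bounds may be quoted, as in updated:["2018-11-20" .. "2018-11-24"]
    for conv in (int, float):
        try:
            return conv(token)
        except ValueError:
            pass
    # Raises ValueError for anything that is not YYYY-MM-DD (including tokens like now-3d).
    return date.fromisoformat(token)


def parse_range(text):
    """Split '[123 .. 1234)' into (lower, lower_inclusive, upper, upper_inclusive)."""
    m = _RANGE.match(text.strip())
    if not m:
        raise ValueError(f"not a range expression: {text!r}")
    open_b, lo, hi, close_b = m.groups()
    lower, upper = _coerce(lo), _coerce(hi)
    if isinstance(lower, date) != isinstance(upper, date):
        raise ValueError("both bounds must be numbers or both must be dates")
    if lower > upper:
        raise ValueError("lower bound exceeds upper bound")
    return lower, open_b == "[", upper, close_b == "]"


def matches(range_text, value):
    """True when value lies inside the range, honouring inclusive/exclusive bounds."""
    lower, lo_inc, upper, hi_inc = parse_range(range_text)
    if isinstance(value, str):
        value = _coerce(value)
    if isinstance(value, date) != isinstance(lower, date):
        raise ValueError("value type does not match the range type")
    above = value >= lower if lo_inc else value > lower
    below = value <= upper if hi_inc else value < upper
    return above and below


# Constructed sample data for offline testing; not real inventory.
SAMPLE_ASSETS = [
    {"name": "web-01", "openPorts": [22, 80, 443], "firstFound": "2018-01-15"},
    {"name": "db-01", "openPorts": [22, 1234, 3306], "firstFound": "2018-03-31"},
    {"name": "jump-01", "openPorts": [22, 123], "firstFound": "2018-04-01"},
    {"name": "legacy-01", "openPorts": [21, 8080], "firstFound": "2017-12-31"},
]


def assets_matching(assets, field, range_text):
    """Names of assets where the field (a list or a scalar) has at least one value inside the range."""
    hits = []
    for asset in assets:
        values = asset[field] if isinstance(asset[field], list) else [asset[field]]
        if any(matches(range_text, v) for v in values):
            hits.append(asset["name"])
    return hits


if __name__ == "__main__":
    # The four bracket combinations from the examples above, applied to the sample ports.
    for expr in ("(123 .. 1234)", "(123 .. 1234]", "[123 .. 1234)", "[123 .. 1234]"):
        print(expr, "->", assets_matching(SAMPLE_ASSETS, "openPorts", expr))
    print("[2018-01-01 .. 2018-04-01] ->", assets_matching(SAMPLE_ASSETS, "firstFound", "[2018-01-01 .. 2018-04-01]"))
```

The value 123 is included only when the range opens with [ and 1234 only when it closes with ], which is the whole difference between the four port examples above; the same rule applies to the date bounds.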
Date Searches
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
Examples:
updated:"2018-11-20"
updated <= "2018-10-20"
updated:["2018-11-20" .. "2018-11-24"]
updated:[now-3d .. now-1s]
Multiple values (In)
Use this to match any of several values in a field: include a comma-separated list of values within square brackets. Available for all fields except analyzed fields (i.e. full-text search fields). Values must match exactly. Matches are case-sensitive.
Examples:
- Find all assets with an operating system value that exactly matches one listed:
operatingSystem:["Cisco IOS Version 12.4(19)","Windows Server 2003 Service Pack 2",Windows]
- Find all assets with a name value that matches exactly:
name:[MACMINI-ACA70B,2k8r2-u-10-11,10.10.10.43]
- Find all assets with an asset ID value that matches exactly:
assetId:[5301908,10233,2345]
- Find all assets with at least one of the CVE IDs listed:
vulnerabilities.vulnerability.cveIds:[CVE-2003-0818,CVE-2002-0126,CVE-1999-1058]
- Supported date formats:
- YYYY example: ["2017", "2018"]
- YYYY-MM example: ["2018-08","2018-09"]
- YYYY-MM-DD example: ["2018-08-31","2018-08-30"]
- Analyzed fields (i.e. full-text search fields) are not supported, such as:
vulnerabilities.vulnerability.description
vulnerabilities.vulnerability.solution
vulnerabilities.vulnerability.consequence
Boolean Operators
Use keywords AND, OR, NOT to narrow or broaden your search.
Examples:
activatedForModules:"TRUE" AND NOT agentActivations.status:"INACTIVE"
(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080) NOT operatingSystem: windows
The NOT operator can be used only with Asset search tokens. Vulnerability search tokens do not support the NOT operator.
Nested Queries
Use a single nested query, using parentheses, to include multiple fields in your query per the examples below.
Examples:
- Show findings having vulnerabilities with a patch available and that require Windows authentication
vulnerabilities.vulnerability:(patchAvailable:"TRUE" AND authTypes:"WINDOWS_AUTH")
- Find assets on port 80 and TCP
openPorts:(port:80 AND protocol:TCP)
- Find assets that have Windows Time service that is running
service:(name:Windows Time AND status: running)
Query Limits
- Maximum query length allowed: 4096 characters
- Maximum field value length allowed: 256 characters
- Good to know:
- If your query exceeds a limit, an error message is shown, and you won't get search results.
- These query limits apply to queries created using these apps: AV, TP, CA, and VM dashboard.
- Spaces in between characters are counted as characters.
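Below is an added Python helper, not part of the Qualys documentation or of the product, that assembles query strings by the rules in the String matching, Exact matching, Suffix and Prefix matching, Is Null, Multiple values, Boolean operators, Nested queries and Query limits sections above, and refuses what those sections say is unsupported (sub-string wildcards, field values over 256 characters, queries over 4096 characters, spaces counted). Every function name, the choice to reject quote characters inside values rather than escape them, and the final assembled query are assumptions of this example, not a product API.

```python
MAX_QUERY_LEN = 4096   # maximum query length from the Query Limits section
MAX_VALUE_LEN = 256    # maximum field value length; spaces count as characters


def _check_value(value):
    """Reject values that the page's syntax cannot express (builder's own rule set)."""
    if not isinstance(value, str) or not value:
        raise ValueError("value must be a non-empty string")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError(f"value longer than {MAX_VALUE_LEN} characters")
    if any(ch in value for ch in "\"'`"):
        raise ValueError("quote characters inside values are not supported by this builder")
    stars = value.count("*")
    # Wildcards are prefix (trailing *) or suffix (leading *) only; no sub-string wildcards.
    if stars > 1 or (stars == 1 and not (value.startswith("*") or value.endswith("*"))):
        raise ValueError("only a single leading or trailing * wildcard is supported")
    return value


def term(field, value):
    """field:value, double-quoting multi-word strings as the String Matching section shows."""
    value = _check_value(value)
    if any(ch.isspace() for ch in value):
        value = f'"{value}"'
    return f"{field}:{value}"


def exact(field, value):
    """Backtick-delimited exact match (Exact Matching section)."""
    value = _check_value(value)
    if "*" in value:
        raise ValueError("wildcards have no meaning inside an exact match")
    return f"{field}:`{value}`"


def prefix(field, value):
    """'starting with' match: the value followed by * (Prefix matching section)."""
    return f"{field}:{_check_value(value.rstrip('*'))}*"


def suffix(field, value):
    """'ending in' match: * followed by the value (Suffix matching section)."""
    return f"{field}:*{_check_value(value.lstrip('*'))}"


def is_null(field):
    """Null check is written 'field is null' with no colon (Is Null Queries section)."""
    return f"{field} is null"


def in_list(field, values):
    """Match any of several exact values: comma-separated list inside square brackets."""
    if not values:
        raise ValueError("in_list needs at least one value")
    rendered = []
    for v in values:
        v = _check_value(v)
        if "*" in v:
            raise ValueError("wildcards are not supported in In lists; values must match exactly")
        # Quote values containing whitespace or commas, leave single tokens bare.
        rendered.append(f'"{v}"' if any(ch.isspace() or ch == "," for ch in v) else v)
    return f"{field}:[{','.join(rendered)}]"


def nested(field, inner):
    """Single nested query: every sub-field inside the parentheses must match."""
    return f"{field}:({inner})"


def and_(*parts):
    return " AND ".join(parts)


def or_(*parts):
    # Parenthesised so the group keeps its meaning when placed inside an AND.
    return "(" + " OR ".join(parts) + ")" if len(parts) > 1 else parts[0]


def not_(part):
    """NOT is documented for asset search tokens only; do not apply it to vulnerability tokens."""
    return f"NOT {part}"


def build(query):
    """Final length check before the query is sent; spaces count toward the limit."""
    if len(query) > MAX_QUERY_LEN:
        raise ValueError(f"query exceeds {MAX_QUERY_LEN} characters ({len(query)})")
    return query


if __name__ == "__main__":
    # Assembled example combining grouping, nesting and NOT (constructed, not from the page).
    print(build(and_(
        or_(term("operatingSystem", "windows"), term("operatingSystem", "linux")),
        nested("openPorts", and_(term("port", "80"), term("protocol", "TCP"))),
        not_(term("agentActivations.status", "INACTIVE")),
    )))
```

Using the builder for the page's own examples reproduces them character for character (for instance the operatingSystem In list, the backtick exact match and the nested openPorts query), while a value such as win*dows is rejected up front instead of being sent and silently matching nothing.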