Search Tokens for VMDR

You can use the search tokens in the Vulnerabilities tab to refine your search results. We have broadly classified the asset and vulnerability search tokens in the Vulnerabilities tab. Click each token to learn more about it.

Generic | Vulnerability | Asset | Asset InventoryAlerting |  RTIs | Threat Feed | AlibabaAWS | Microsoft Azure | GCP | IBM | OCI | Passive Scanner 

Generic

The order of precedence for the operators is NOT, AND, OR. However, you can use parenthesis to override the precedence.

notnot

Use a boolean query to express your query using NOT logic.

Example

Show assets that do not have Windows operating system
not operatingSystem: Windows

andand

Use a boolean query to express your query using AND logic.

Example

Find assets with certain tag and software installed
tags.name:`Cloud Agent` and software: (name:`Cisco AnyConnect Secure Mobility Client` and version:`3.1.12345`)

oror

Use a boolean query to express your query using OR logic.

Example

Show findings with one of these tag values
tags.name:Cloud Agent or tags.name:Windows

Vulnerability Tokens

Use these tokens to define search criteria for vulnerabilities.

vulnerabilities.disabledvulnerabilities.disabled

Use the values true or false to define whether vulnerabilities are disabled or enabled.

Example

Show findings with vulnerabilities disabled
vulnerabilities.disabled:TRUE

vulnerabilities.detectionScorevulnerabilities.detectionScore

Use an integer value (0-100) to help you find vulnerabilities based on specific detection score.

Examples

  • Show vulnerabilities with detection score 80
    vulnerabilities.detectionScore:80
  • Show vulnerabilities with detection score 25
    vulnerabilities.detectionScore:25

vulnerabilities.detectionSourcevulnerabilities.detectionSource

Use a string value within quotes or backticks to find vulnerabilities with a certain source of detection.

From the drop-down, select the name of a detection source: 

Generic, Qualys, Tenable, Wiz

Examples

  • Show findings with Qualys as the detection source
    vulnerabilities.detectionSource:Qualys
  • Show findings that contain parts of the detection source
    vulnerabilities.detectionSource:"Qualys"
  • Show findings that match the exact value Qualys
    vulnerabilities.detectionSource:`Qualys`

vulnerabilities.detectionSource.namevulnerabilities.detectionSource.name

Use quotes or backticks within values to help you find the source that detected the vulnerability. Understanding the origin of vulnerability data is essential for grasping the detection's context, reliability, and scope.

Examples

  • Show findings with Qualys as the detection source
    vulnerabilities.detectionSource.name:AZURE
  • Show findings that contain parts of the detection source
    vulnerabilities.detectionSource.name:"CAR Agent"
  • Show findings that match the exact value Qualys
    vulnerabilities.detectionSource.name:`Cloud Agent`

To use this token, contact your technical account manager.

To use this token, contact your technical account manager.

vulnerabilities.detectionSource.firstFoundDatevulnerabilities.detectionSource.firstFoundDate

Use the date range or specific date to define when a vulnerability was first detected. Tracking this information helps teams analyze vulnerabilities, prioritize remediation, and identify trends. You can determine if further investigation or alternative remediation is needed by tracking the last and first found dates.

Examples

  • Show vulnerabilities first detected on a certain date
    vulnerabilities.detectionSource.firstFoundDate:[2017-10-21 ... 2017-10-30]
  • Show vulnerabilities first detected starting 2015-10-01, ending 1 month ago
    vulnerabilities.detectionSource.firstFoundDate:[2015-10-01 ... now-1M]
  • Show vulnerabilities first detected 2 weeks ago, ending 1 second ago
    vulnerabilities.detectionSource.firstFoundDate:[now-2w ... now-1s]
  • Show vulnerabilities first detected on certain date
    vulnerabilities.detectionSource.firstFoundDate:'2016-11-11'

To use this token, contact your technical account manager.

vulnerabilities.detectionSource.lastFoundDatevulnerabilities.detectionSource.lastFoundDate

Use the date range or specific date to define when a vulnerability was last detected. This helps assess whether a vulnerability is active or has reappeared after remediation. You can determine if further investigation or alternative remediation is needed by tracking the last and first found dates.

Examples

  • Show vulnerabilities last detected on a certain date
    vulnerabilities.detectionSource.lastFoundDate:[2017-10-21 ... 2017-10-30]
  • Show vulnerabilities last detected starting 2015-10-01, ending 1 month ago
    vulnerabilities.detectionSource.lastFoundDate:[2015-10-01 ... now-1M]
  • Show vulnerabilities last detected 2 weeks ago, ending 1 second ago
    vulnerabilities.detectionSource.lastFoundDate:[now-2w ... now-1s]
  • Show vulnerabilities last detected on certain date
    vulnerabilities.detectionSource.lastFoundDate:'2016-11-11'

To use this token, contact your technical account manager.

vulnerabilities.foundvulnerabilities.found

Use the values true or false to define vulnerabilities are detected or not on the assets.

Example

Show findings with vulnerabilities detected
vulnerabilities.found:TRUE

vulnerabilities.firstFoundvulnerabilities.firstFound

Use the date range or specific date to define when findings were first found.

Examples

  • Show findings first found within certain dates
    vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30]
  • Show findings first found starting 2015-10-01, ending 1 month ago
    vulnerabilities.firstFound:[2015-10-01 ... now-1M]
  • Show findings first found starting 2 weeks ago, ending 1 second ago
    vulnerabilities.firstFound:[now-2w ... now-1s]
  • Show findings first found on certain date
    vulnerabilities.firstFound:'2016-11-11'

vulnerabilities.hostAssetNamevulnerabilities.hostAssetName

Use quotes or backticks within values to help you find the host asset name.

Examples

  • Show any findings related to name
    vulnerabilities.hostAssetName:QK2K12QP3-65-53
  • Show any findings that contain parts of name
    vulnerabilities.hostAssetName:"QK2K12QP3-65-53"
  • Show any findings that match exact value "QK2K12QP3-65-53"
    vulnerabilities.hostAssetName:`QK2K12QP3-65-53`

vulnerabilities.hostOSvulnerabilities.hostOS

Use quotes or backticks within values to help you find the host operating system.

Examples

  • Show any findings with this OS name
    vulnerabilities.hostOS:Windows 2012
  • Show any findings that contain components of OS name
    vulnerabilities.hostOS:"Windows 2012"
  • Show any findings that match exact value "Windows 2012"
    vulnerabilities.hostOS:`Windows 2012`

vulnerabilities.ignoredvulnerabilities.ignored

Use an integer value to find vulnerabilities that have been marked as ignored.

Example

Show vulnerabilities that are marked as ignored

vulnerabilities.ignored:TRUE

vulnerabilities.instancevulnerabilities.instance

Use a text value to find vulnerabilities found on a certain instance.

Example

Show vulnerabilities found in this instance  

vulnerabilities.instance: oracle

vulnerabilities.lastFixedvulnerabilities.lastFixed

Use a date range or specific date to define when findings were last fixed.

Examples

  • Show findings last fixed within certain dates
    vulnerabilities.lastFixed:[2015-10-21 ... 2016-01-15]
  • Show findings last fixed starting 2016-01-01, ending 1 month ago
    vulnerabilities.lastFixed:[2016-01-01 ... now-1M]
  • Show findings last fixed starting 2 weeks ago, ending 1 second ago
    vulnerabilities.lastFixed:[now-2w ... now-1s]
  • Show findings last fixed on certain date
    vulnerabilities.lastFixed:'2016-01-11'
  • Show findings last fixed within certain number of days
    vulnerabilities.lastFixed: [91..180]

vulnerabilities.lastFoundvulnerabilities.lastFound

Use a date range or specific date to define when findings were last found.

Examples

  • Show findings last found within certain dates
    vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15]
  • Show findings last found starting 2016-01-01, ending 1 month ago
    vulnerabilities.lastFound:[2016-01-01 ... now-1M]
  • Show findings last found starting 2 weeks ago, ending 1 second ago
    vulnerabilities.lastFound:[now-2w ... now-1s]
  • Show findings last found on certain date
    vulnerabilities.lastFound:'2016-01-11'
  • Show findings last found within certain number of days
    vulnerabilities.lastFound: [91..180]
  • Show findings last found on 2017-01-12 with patch available
    vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
    vulnerabilities: (lastFound: AND vulnerability.patchAvailable:TRUE)

 

vulnerabilities.nonExploitableConfigvulnerabilities.nonExploitableConfig

Use the values true or false to define vulnerabilities with non-exploitable configurations.

Examples

  • Show findings with non exploitable configurations
    vulnerabilities.nonExploitableConfig:TRUE
  • Show findings with exploitable configurations
    vulnerabilities.nonExploitableConfig:FALSE

vulnerabilities.nonRunningKernelvulnerabilities.nonRunningKernel

Use the values true or false to view vulnerabilities found on non-running kernels.

Examples

  • Show detections found on non-running Kernal
    vulnerabilities.nonRunningKernel:TRUE
  • Show detections found on running Kernal
    vulnerabilities.nonRunningKernel:FALSE

vulnerabilities.portvulnerabilities.port

Use an integer value to find vulnerabilities found on a certain port.

Example

Show vulnerabilities found on this port

vulnerabilities.port:443

vulnerabilities.protocolvulnerabilities.protocol

Use a text value UDP or TCP to define the port protocol.

Example

Show vulnerabilities found on TCP protocol

vulnerabilities.protocol:TCP

vulnerabilities.runningServicevulnerabilities.runningService

Use the values true or false to define vulnerabilities found on a non-exploitable port/service.

Examples

  • Show vulnerabilities found on running service
    vulnerabilities.runningService:TRUE
  • Show vulnerabilities found on non-running service
    vulnerabilities.nonexploitableService:FALSE

vulnerabilities.riskFactor.cisaKEVDueDatevulnerabilities.riskFactor.cisaKEVDueDate

Use a specific date to get the list of known exploited vulnerabilities whose remediation due date is as per the CISA Catalog. The date format used is yyyy-mm-dd.

Example

List the QIDs whose CISA Due Date is 3rd May 2022

vulnerabilities.riskFactor.cisaKEVDueDate:2022-05-03

vulnerabilities.riskFactor.cisaKnownExploitsvulnerabilities.riskFactor.cisaKnownExploits

Use this token to get the list of QIDs impacted due to CISA Known Exploits. The token uses true or false as the input value.

Example

List the QIDs that are impacted due to CISA Known Exploit

vulnerabilities.riskFactor.cisaKnownExploits:TRUE

vulnerabilities.riskFactor.threatActorNamevulnerabilities.riskFactor.threatActorName

Use string as an input value to get the list of QIDs that are impacted by the threat actor.

Example

List the QIDs that are impacted by the threat actor name Labyrinth Chollima

vulnerabilities.riskFactor.threatActorName:"Labyrinth Chollima"

 

List the QIDs that are impacted by the threat actor name Insiders

vulnerabilities.riskFactor.threatActorName:"Insiders"

 

List the QIDs that are impacted by the threat actor name Senstive Information

vulnerabilities.riskFactor.threatActorName:"senstive information"

 

List the QIDs that are impacted by the threat actor name Script Kiddies

vulnerabilities.riskFactor.threatActorName:"Script kiddies"

vulnerabilities.riskFactor.malwareNamevulnerabilities.riskFactor.malwareName

Use string as an input value to get the list of QIDs that are impacted by the malware name.

Example

List the QIDs that are impacted by the malware name TROJ_PDFKA.DQ

vulnerabilities.riskFactor.malwareName:"TROJ_PDFKA.DQ"

vulnerabilities.riskFactor.exploitCodeMaturityvulnerabilities.riskFactor.exploitCodeMaturity

Use this token to get the list of QIDs that can be exploited based on the existing state of exploit techniques and code availability.

From the drop-down, select the name of an exploit technique: 

poc, weaponized

Example

List the QIDs exploited by Weaponized exploit code maturity technique

vulnerabilities.riskFactor.exploitCodeMaturity:"weaponized"

vulnerabilities.riskFactor.exploitTypevulnerabilities.riskFactor.exploitType

Use string as an input value to get the list of QIDs based on the type of exploits and its related vulnerabilities.

Example

List the QIDs that are exploited whose target vulnerabilities are in web applications

vulnerabilities.riskFactor.exploitType:"webapps"

vulnerabilities.riskFactor.exploitType:"shellcode"

vulnerabilities.riskFactor.exploitType:"remote"

vulnerabilities.riskFactor.rtivulnerabilities.riskFactor.rti

Use this token to get the list of QIDs with Real-Time Threat Indicators (RTI) related vulnerabilities.

Example

List the QIDs that are assoicated with the Denial of Service Real-Time Threat Indicator

vulnerabilities.riskFactor.rti:"Denial of Service"

vulnerabilities.riskFactor.trendingvulnerabilities.riskFactor.trending

Use this token to get the list of QIDs that are trending within a specific date range. You can select the date range from the drop-down.

Example

Show trending vulnerabilities with its QIDs within certain number of days

vulnerabilities.riskFactor.trending:[16..30]

vulnerabilities.sslvulnerabilities.ssl

Use the values true or false to define vulnerabilities found on secure socket layer (SSL).

Example

Show vulnerabilities associated with SSL

vulnerabilities.ssl:TRUE

vulnerabilities.severityvulnerabilities.severity

Use an integer value to view the severity level set by you to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu. If you do not set the severity level, its level will be the same as the level set by Qualys.

Example

Show findings with severity by 5

vulnerabilities.severity:5

For information about customer and Qualys severity, see Customer and Kb Severity Level

vulnerabilities.statusvulnerabilities.status

From the drop-down, select a status Active, Fixed, New, and Reopened to find vulnerabilities with certain status. 

If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.

Example

Show vulnerabilities with New status

vulnerabilities.status:Fixed

vulnerabilities.hidePatchSupersededvulnerabilities.hidePatchSuperseded

Use the boolean value True to generate the list of excluded superseded QIDs and show the latest patches.

Example

Show all the excluded superseded QIDs and the latest patches.

vulnerabilities.hidePatchSuperseded:True

vulnerabilities.ttr.firstFoundvulnerabilities.ttr.firstFound

Use the number of days to determine the findings based on the Total and First Found time to remediate. The token accepts range input as number of days. You can also customize the range input.

Examples

  • Show vulnerabilities findings based on total and first found calculation
    vulnerabilities.ttr.firstFound:[61..90]
  • Use custom query to see the vulnerabilities findings based on total and first found calculation
    vulnerabilities.ttr.firstFound:[0..90]

vulnerabilities.tags.namevulnerabilities.tags.name

Use quotes or backticks within values to help you find the vulnerabilities tag.

Examples

  • Show any findings related to this tag name
    vulnerabilities.tags.name: Microsoft Security Update
  • Show any findings that contain "Ubuntu" or "2021" in name
    vulnerabilities.tags.name:"Ubuntu 2021"
  • Show any findings that match exact value "centOS_security"
    vulnerabilities.tags.name:`centOS_security`

This token is available only to limited customers (in Beta phase).

vulnerabilities.typeDetectedvulnerabilities.typeDetected

From the drop-down, select a detection type, such as, Confirmed, Potential, and Information to find assets with vulnerabilities of this type. 

Example

Show findings with this type

vulnerabilities.typeDetected:Confirmed

vulnerabilities.vulnerability.authTypesvulnerabilities.vulnerability.authTypes

From the drop-down, select the name, such as, WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH  of an authentication type. 

Example

Show findings with Windows auth type

vulnerabilities.vulnerability.authTypes:WINDOWS_AUTH

vulnerabilities.vulnerability.bugTraqIdsvulnerabilities.vulnerability.bugTraqIds

Use a text value to find a BugTraq number.

Example

Show findings with BugTraq ID 22211

vulnerabilities.vulnerability.bugTraqIds:22211

vulnerabilities.vulnerability.categoryvulnerabilities.vulnerability.category

From the drop-down, select a category, such as, `CGI`, `Database`, `DNS`, `BIND`, `Custom QID` to find vulnerabilities with this category.

Example

  • Show findings with category `CGI`
    vulnerabilities.vulnerability.category:`CGI`

vulnerabilities.vulnerability.compliance.descriptionvulnerabilities.vulnerability.compliance.description

Use quotes or backticks within values to help you find the compliance description.

Examples

  • Show any findings related to this description
    vulnerabilities.vulnerability.compliance.description:malicious software
  • Show any findings that contain "malicious" or "software" in description
    vulnerabilities.vulnerability.compliance.description:"malicious software"
  • Show any findings that match exact value "malicious software"
    vulnerabilities.vulnerability.compliance.description:`malicious software`

vulnerabilities.vulnerability.compliance.sectionvulnerabilities.vulnerability.compliance.section

Use quotes or backticks within values to help you find the compliance section.

Examples

  • Show any findings related to this section
    vulnerabilities.vulnerability.compliance.section:164.308
  • Show any findings that contain parts of section
    vulnerabilities.vulnerability.compliance.section:"164.308"
  • Show any findings that match exact value "164.308"
    vulnerabilities.vulnerability.compliance.section:`164.308`

vulnerabilities.vulnerability.compliance.typevulnerabilities.vulnerability.compliance.type

From the drop-down, select the name of a compliance type: 

COBIT, HIPAA, GLBA, SOX, PCI

Example

Show findings with the compliance type HIPAA

vulnerabilities.vulnerability.compliance.type:HIPAA

 

Show findings with the compliance type SOX

vulnerabilities.vulnerability.compliance.type:SOX

 

Show findings with the compliance type COBIT

vulnerabilities.vulnerability.compliance.type:COBIT

vulnerabilities.vulnerability.impactvulnerabilities.vulnerability.impact

Use quotes or backtick within values to find the impact.

Examples

  • Show any findings related to impact
    vulnerabilities.vulnerability.impact:sensitive information
  • Show any findings that contain "identity" or "theft" in consequence
    vulnerabilities.vulnerability.impact:"identity theft"
  • Show any findings that match exact value "financial loss"
    vulnerabilities.vulnerability.impact:`financial loss`

vulnerabilities.vulnerability.cveIdsvulnerabilities.vulnerability.cveIds

Use a text value to find the CVE name.

Example

Show findings with CVE name CVE-2015-0313

vulnerabilities.vulnerability.cveIds:CVE-2015-0313

Note: The CVE in the query is case sensitive and must be used in capital case.

vulnerabilities.vulnerability.cvss3_1Info.basescorevulnerabilities.vulnerability.cvss3_1Info.basescore

Use an integer value to find the CVSSv3.1 base score.

Example

Show assets with this score

vulnerabilities.vulnerability.cvss3_1Info.basescore:7.8

vulnerabilities.vulnerability.cvss3_1Info.temporalScorevulnerabilities.vulnerability.cvss3_1Info.temporalScore

Use an integer value tofind the CVSSv3.1 temporal score.

Example

Show assets with this score

vulnerabilities.vulnerability.cvss3_1Info.temporalScore:6.4

vulnerabilities.vulnerability.cvss2Info.accessVectorvulnerabilities.vulnerability.cvss2Info.accessVector

Select the name of a CVSS2 access vector, for example, UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK. Select from names in the drop-down menu.

Example

Show findings with this name

vulnerabilities.vulnerability.cvss2Info.accessVector:NETWORK

vulnerabilities.vulnerability.cvss2Info.baseScorevulnerabilities.vulnerability.cvss2Info.baseScore

Use an integer value to help you find the CVSS2 base score.

Example

Show assets with this score

vulnerabilities.vulnerability.cvss2Info.baseScore:7.8

vulnerabilities.vulnerability.cvss2Info.temporalScorevulnerabilities.vulnerability.cvss2Info.temporalScore

Use an integer value to help you find the CVSS2 temporal score.

Example

Show assets with this score

vulnerabilities.vulnerability.cvss2Info.temporalScore:6.4

vulnerabilities.vulnerability.discoveryTypesvulnerabilities.vulnerability.discoveryTypes

Select a discovery type (Remote or Authenticated) to find assets with vulnerabilities having this discovery type. Select from names in the drop-down menu.

Example

Show findings with Remote discovery type

vulnerabilities.vulnerability.discoveryTypes:REMOTE

vulnerabilities.vulnerability.exploitabilityvulnerabilities.vulnerability.exploitability

Use quotes or backticks within values to find known exploit description.

Examples

Show any findings related to this description

vulnerabilities.vulnerability.exploitability:GIF Parser Heap

Show any findings that contain "GIF", "Parser" or "Heap" in description

vulnerabilities.vulnerability.exploitability:"GIF Parser Heap"

Show any findings that match exact value "GIF Parser Heap"

vulnerabilities.vulnerability.exploitability:`GIF Parser Heap`

vulnerabilities.vulnerability.flagsvulnerabilities.vulnerability.flags

Use a text value to find the Qualys defined vulnerability property, for example, REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc.

Example

Show findings with this flag

vulnerabilities.vulnerability.flags:PCI_RELATED

vulnerabilities.vulnerability.mitre.attack.tactic.idvulnerabilities.vulnerability.mitre.attack.tactic.id

Use the text value within quotes or backticks for the tactics id that represents the why of the ATT&CK technique or sub-technique. 

Example

Show findings with the Tactic ID TA0007

vulnerabilities.vulnerability.mitre.attack.tactic.id:`TA0007`

vulnerabilities.vulnerability.mitre.attack.tactic.namevulnerabilities.vulnerability.mitre.attack.tactic.name

Use the text value within quotes or backticks to view for the tactics name that represents it's respective tactic id.

Example

Show findings with the tactic name inital-access

vulnerabilities.vulnerability.mitre.attack.tactic.name:`inital-access`

vulnerabilities.vulnerability.mitre.attack.technique.idvulnerabilities.vulnerability.mitre.attack.technique.id

Use the text value within quotes or backticks for the technique id that represents how a tactical goal can be achieved.

Example

Show findings with the Technique ID T1562.010

vulnerabilities.vulnerability.mitre.attack.technique.id:"T1562.010"

vulnerabilities.vulnerability.mitre.attack.technique.namevulnerabilities.vulnerability.mitre.attack.technique.name

Use the text value within quotes or backticks to view for the technique name that represents it's respective technique id.

Example

Show findings with the tactic name Downgrade Attack

vulnerabilities.vulnerability.mitre.attack.technique.name:"Downgrade Attack"

vulnerabilities.vulnerability.osvulnerabilities.vulnerability.os

Use quotes or backticks within values to help you find the operating system vulnerabilities were detected on.

Examples

Show any findings related to this OS value

vulnerabilities.vulnerability.os:windows

Show any findings that contain parts of OS value

vulnerabilities.vulnerability.os:"windows"

Show any findings that match exact value "windows"

vulnerabilities.vulnerability.os:`windows`

vulnerabilities.vulnerability.patchAvailable vulnerabilities.vulnerability.patchAvailable

Use the values true |false to define vulnerabilities with patch available.

Examples

Show findings with patch available

vulnerabilities.vulnerability.patchAvailable:TRUE

Show findings with no patch available

vulnerabilities.vulnerability.patchAvailable:FALSE

vulnerabilities.vulnerability.pcivulnerabilities.vulnerability.pci

Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).

Examples

Show PCI vulnerabilities

vulnerabilities.vulnerability.pci:TRUE

Do not show PCI vulnerabilities

vulnerabilities.vulnerability.pci:FALSE

vulnerabilities.vulnerability.rebootRequiredvulnerabilities.vulnerability.rebootRequired

Use the values true | false to find vulnerabilities that need reboot.

Examples

Show vulnerabilities that need reboot.

vulnerabilities.vulnerability.rebootRequired: TRUE

vulnerabilities.vulnerability.qidvulnerabilities.vulnerability.qid

Use an integer value to define the QID in question.

Example

Show findings with QID 90405

vulnerabilities.vulnerability.qid: 90405

vulnerabilities.vulnerability.ransomware.namevulnerabilities.vulnerability.ransomware.name

Use quotes or backticks within values to help you find the ransomware name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show findings with this name

vulnerabilities.vulnerability.ransomware.name: Locky

Show findings that match exact value

vulnerabilities.vulnerability.ransomware.name: Locky

vulnerabilities.vulnerability.scaTechnologiesvulnerabilities.vulnerability.scaTechnologies

Use the SCA technology values like Python or Java for listing vulnerabilities associated with assets on which any of the software components are identified.

Example

List the vulnerabilities that have SCA Technology as Python

vulnerabilities.vulnerability.scaTechnologies: Python

vulnerabilities.vulnerability.sans20Categoriesvulnerabilities.vulnerability.sans20Categories

Use a text value to find vulnerabilities in the SANS 20 category, for example, Anti-virus Software, Backup Software, etc.

Example

Show findings with this category name

vulnerabilities.vulnerability.sans20Categories:Media Players

vulnerabilities.vulnerability.severityvulnerabilities.vulnerability.severity

Use an integer value to view the severity level set by Qualys to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu.

Example

Show findings with severity set by Qualys as 5

vulnerabilities.vulnerability.severity:5

For information about customer and Qualys severity, see Customer and Kb Severity Level

vulnerabilities.vulnerability.solutionvulnerabilities.vulnerability.solution

Use quotes or backticks within values to help you find the solution.

Examples

Show any findings related to this solution

vulnerabilities.vulnerability.solution:Bulletin MS10-006

Show any findings that contain parts of solution

vulnerabilities.vulnerability.solution:"Bulletin MS10-006"

Show any findings that match exact value "Bulletin MS10-006"

vulnerabilities.vulnerability.solution:`Bulletin MS10-006`

vulnerabilities.vulnerability.supportedByvulnerabilities.vulnerability.supportedBy

Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.

Example

Show vulnerabilities supported by Linux Agent

vulnerabilities.vulnerability.supportedBy:CA-Linux Agent

vulnerabilities.vulnerability.titlevulnerabilities.vulnerability.title

Use quotes or backticks within values to help you find the title.

Examples

Show any findings related to this title

vulnerabilities.vulnerability.title:Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerabilities.vulnerability.title:"Remote Code"

Show any findings that match exact value "Remote Code"

vulnerabilities.vulnerability.title:`Remote Code`

vulnerabilities.vulnerability.typesvulnerabilities.vulnerability.types

Select a detection type (e.g. Vulnerability, Potential, Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.

Example

Show findings with this type

vulnerabilities.vulnerability.types:VULNERABILITY

vulnerabilities.vulnerability.vendorRefsvulnerabilities.vulnerability.vendorRefs

Use a text value to find the vendor reference.

Example

Show this vendor reference

vulnerabilities.vulnerability.vendorRefs:KB3021953

vulnerabilities.vulnerability.vendors.productNamevulnerabilities.vulnerability.vendors.productName

Use a text value to find the vendor product name.

Example

Show findings with this vendor product name

vulnerabilities.vulnerability.vendors.productName:Windows

vulnerabilities.vulnerability.vendors.vendorNamevulnerabilities.vulnerability.vendors.vendorName

Use a text value to find the vendor name.

Example

Show findings with this vendor name

vulnerabilities.vulnerability.vendors.vendorName:Adobe

vulnerabilities.nonExploitableKernelvulnerabilities.nonExploitableKernel

Use the values true | false to define vulnerabilities that exist on non exploitable kernels.

Examples

Show findings on non-exploitable kernels

vulnerabilities.nonExploitableKernel:TRUE

vulnerabilities.nonExploitableServicevulnerabilities.nonExploitableService

`Use the values true | false to define vulnerabilities that exist on non exploitable services.

Examples

Show findings on non-exploitable services

vulnerabilities.nonExploitableService:TRUE

vulnerabilities.vulnerability.patchReleasedvulnerabilities.vulnerability.patchReleased

Use a date range or specific date to define when patch was available.

Examples

Show findings last found within certain dates

vulnerabilities.vulnerability.patchReleased:[2018-10-21 ... 2019-01-15]

Show findings last found starting 2020-01-01, ending 1 month ago

vulnerabilities.vulnerability.patchReleased:[2020-01-01 ... now-1M]

Show findings last found starting 2 weeks ago, ending 1 second ago

vulnerabilities.vulnerability.patchReleased:[now-2w ... now-1s]

Show findings last found on certain date

vulnerabilities.vulnerability.patchReleased:'2020-01-02'

vulnerabilities.timesFoundvulnerabilities.timesFound

Show findings that were detected for the specified number of times.

Examples

Show findings last found 3 times

vulnerabilities.timesFound:3

vulnerabilities.vulnerability.kbAgevulnerabilities.vulnerability.kbAge

Select the number of days from the range (00..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was published by Qualys in the Knowledge Base. The kbAge is the published date for the QIDs. Select the number of days from the drop-down menu.

Example

Show findings/QIDs that were recently published (in the last 30 days)

vulnerabilities.vulnerability.kbAge:[00..30]

vulnerabilities.detectionAgevulnerabilities.detectionAge

Select the number of days from the range (00..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.

Example

Show findings that were detected in the last 30 days.

vulnerabilities.detectionAge:[00..30]

vulnerabilities.vulnerability.descriptionvulnerabilities.vulnerability.description

Use quotes or backticks within values to help you find the vulnerability description.

Examples

Show any findings related to description

vulnerabilities.vulnerability.description:remote code execution

Show any findings that contain "remote" or "code" in description

vulnerabilities.vulnerability.description:"remote code execution"

Show any findings that match exact value "remote code execution"

vulnerabilities.vulnerability.description:`remote code execution`

vulnerabilities.vulnerability.listsvulnerabilities.vulnerability.lists

Use a text value to find the vulnerability list of interest, for example, SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).

Example

Show findings with vulnerabilities in SANS Top 20

vulnerabilities.vulnerability.lists:SANS_20

vulnerabilities.vulnerability.patchesvulnerabilities.vulnerability.patches

Use an integer value to help you find the patch QID.

Example

Show assets with this patch QID

vulnerabilities.vulnerability.patches:90753

vulnerabilities.vulnerability.publishedvulnerabilities.vulnerability.published

Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.

Examples

Show findings for vulnerabilities published within certain dates

vulnerabilities.vulnerability.published:[2015-10-21 ... 2016-01-15]

Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago

vulnerabilities.vulnerability.published:[2017-01-01 ... now-1M]

Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago

vulnerabilities.vulnerability.published:[now-2w ... now-1s]

Show findings for vulnerabilities published on certain date

vulnerabilities.vulnerability.published:'2018-01-15'

vulnerabilities.vulnerability.riskvulnerabilities.vulnerability.risk

Use an integer value to define the vulnerability risk rating. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.

Example

Show findings with risk 50

vulnerabilities.vulnerability.risk:50

vulnerabilities.vulnerability.qualysPatchablevulnerabilities.vulnerability.qualysPatchable

Use the values true | false to define that can be patched at Qualys.

Examples

Show vulnerabilities with patch available at Qualys

vulnerabilities.vulnerability.qualysPatchable: "true"

Show vulnerabilities with patch not available at Qualys

vulnerabilities.vulnerability.qualysPatchable: "false"

vulnerabilities.vulnerability.criticalityvulnerabilities.vulnerability.criticality

Select a criticality (e.g. "CRITICAL","HIGH","MEDIUM","LOW","NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu.

If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takes the priority.

The following list of criticality defines the CVSS Score from 0.0 to 10.0:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

Examples

Show vulnerabilities with HIGH criticality

vulnerabilities.vulnerability.criticality: "HIGH"

vulnerabilities.vulnerability.updatedvulnerabilities.vulnerability.updated

Use a date range or specific date to define when vulnerabilities were updated in the KnowledgeBase.

Examples

Show vulnerabilities updated within certain dates

vulnerabilities.vulnerability.updated:[2017-10-21 ... 2017-10-30]

Show vulnerabilities updated starting 2017-11-01, ending 1 month ago

vulnerabilities.vulnerability.updated:[2017-11-01 ... now-1M]

Show vulnerabilities updated stating 2 weeks ago, ending 1 second ago

vulnerabilities.vulnerability.updated:[now-2w ... now-1s]

Show vulnerabilities updated on certain date

vulnerabilities.vulnerability.updated:'2018-03-08'

vulnerabilities.mitigationDetectedvulnerabilities.mitigationDetected

Use this token to filter vulnerabilities where the "PCControl" mitigation has been detected.

Example

Show PCControl mitigated data

vulnerabilities.mitigationDetected:PCControl

vulnerabilities.qualysPatchablevulnerabilities.qualysPatchable

Use the values true | false to indicate whether Qualys can patch a detected vulnerability.

Example

Show findings with vulnerabilities that can be patched

vulnerabilities.qualysPatchable:TRUE

vulnerabilities.qualysMitigablevulnerabilities.qualysMitigable

Use the values true | false to indicate whether Qualys can mitigate a detected vulnerability.

Example

Show findings with vulnerabilities that can be mitigated

vulnerabilities.qualysMitigable:TRUE

This QQL is dependent on other modules. To use this QQL, ensure that all prerequisites are met.
Patch Management v3.0.0 and higher | Mitigation - v3.0 | ARSC Services - v1.10.0

vulnerabilities.mitigated.statevulnerabilities.mitigated.state

Use this token to filter vulnerabilities based on their mitigation status.

Example

Show vulnerabilities that have been completely fixed

vulnerabilities.mitigated.state:Complete

To use this token, contact your technical account manager.

vulnerabilities.mitigated.methodvulnerabilities.mitigated.method

Use this token to filter and identify vulnerabilities based on the specific method used to mitigate them. From the drop-down, select a method: TruRiskMitigate, PCControl, TruRiskIsolate

Example

Show vulnerabilities mitigated by applying risk-based mitigation actions through the TruRisk approach

vulnerabilities.mitigated.method:TruRiskMitigate

Show vulnerabilities mitigated by implementing compliance controls or configurations as defined in the Policy Compliance module

vulnerabilities.mitigated.method:PCControl

Show vulnerabilities mitigated by isolating the associated asset or threat

vulnerabilities.mitigated.method:TruRiskIsolate

To use this token, contact your technical account manager.

vulnerabilities.mitigatedvulnerabilities.mitigated

Use the values true or false to filter vulnerabilities based on whether they have been mitigated.

Example

Show all mitigated vulnerabilities

vulnerabilities.mitigated:true

To use this token, contact your technical account manager.

vulnerabilities.qualysMitigableTypevulnerabilities.qualysMitigableType

Use the values fix or mitigate to vulnerabilities based on the type of mitigation that Qualys can recommend or facilitate. This token helps identify actionable vulnerabilities through specific Qualys features, such as patching, configuration changes, or compensating controls.

Example

Show all fix vulnerabilities

vulnerabilities.qualysMitigableType:Fix

To use this token, contact your technical account manager.

vulnerabilities.riskAcceptancevulnerabilities.riskAcceptance

Use the token to indicate different statuses for how a vulnerability is being handled or categorized.

You can choose from the following options: RISK_ACCEPTED, FALSE_POSITIVE

Example

Show vulnerabilities where associated risks have been accepted without immediate remediation

vulnerabilities.riskAcceptance:RISK_ACCEPTED

Show vulnerabilities that were identified as a false positive, meaning it does not exist or are incorrectly flagged

vulnerabilities.riskAcceptance:FALSE_POSITIVE

To use this token, contact your technical account manager.

vulnerabilities.riskAcceptanceIdvulnerabilities.riskAcceptanceId

Use this token to see vulnerabilities associated with a unique identifier that links it to a corresponding risk acceptance record.

Example

Show vulnerabilities associated with RiskAcceptanceID 12345

vulnerabilities.riskAcceptanceId:12345

To use this token, contact your technical account manager.

Asset Tokens

The following asset tokens will list all the assets mentioned in the QQL. You can filter the search results using other token options such as Generic, Search by Field, Search without field tokens.

accounts.usernameaccounts.username

Use a text value to find the username.

Example

Show assets with the username Administrator

accounts.username:Administrator

activatedForModulesactivatedForModules

Select the name of an activated module. Select from names in the drop-down menu.

Examples

Show assets activated for VM

activatedForModules:VM

Show assets activated for VM and FIM

activatedForModules:VM AND activatedForModules:FIM

agent.activations.keyagent.activations.key

Use a text value to define the agent activation key.

Example

Show assets with agents activated using key-value

agent.activations.key:key-value

agent.activations.statusagent.activations.status

Use a text value (ACTIVE or INACTIVE) to define agent activation status.

Example

Show assets with active agents

agent.activations.status:ACTIVE

agent.agentIDagent.agentID

Use a text value to find an agent ID of interest.

Example

Show the asset with this agent ID

agent.agentID:f0xxx82-exxx-4e7d-xxx-0c905xxxxx4

agent.swCAIdealCandidateagent.swCAIdealCandidate

Use the values true or false to find assets on which at least one of the software components—Ruby, Node.js, Go, Rust, PHP, Python, Java Platform, and Standard Edition (Java SE), is identified.

Example

List the assets that have software components identified

agent.swCAIdealCandidate: true

agent.versionagent.version

Use a text value to find the agent version.

Example

Show findings with agent version 1.5.6.46

agent.version:1.5.6.46

agentPlatformagentPlatform

Use this token to identify the operating system on which a Qualys Cloud Agent is installed and actively running.

Example

Show endpoints where the Qualys Cloud Agent is installed on Windows OS

agentPlatform:`Windows`

assetIdassetId

Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.

Examples

Show this asset ID

assetId: 2918869

Show asset IDs in this range

assetId: [3546997 .. 12945655]

Show the 2 asset IDs listed

assetId: [3546997,12945655]

asset.hostingCategory1asset.hostingCategory1

Use a value to filter your assets based on the hosting category. The supported values are CDN, Cloud, OnPrem, and ThirdParty.

Example

Show findings with hosting catagory CDN

asset.hostingCategory1:"CDN"

agent.configurationProfileagent.configurationProfile

Use quotes or backticks within values to help you find the agent configuration profile.

Examples

Show any findings related to profile name

agent.configurationProfile:Initial Profile

Show any findings that contain parts of profile name

agent.configurationProfile:"Initial Profile"

Show any findings that match exact value "Initial Profile"

agent.configurationProfile:`Initial Profile`

agent.connectedFromagent.connectedFrom

Use a text value to define the external IP address a cloud agent is connected from.

Example

Show findings for an external IP address that an agent connected from

agent.connectedFrom:10.0.100.11

businessApp.businessCriticalitybusinessApp.businessCriticality

Use values within quotes or backticks to help you find the business application.

Examples

Show any findings that contain parts of name

businessApp:(businessCriticality:"1 - most")

Show any findings that match exact value "1 - most critical"

businessApp:(businessCriticality:`1 - most critical`)

businessApp.environmentbusinessApp.environment

Use a text value to help you find business application based on environment.

Example

Show assets with business application environment as Production

businessApp:(environment:Production)

businessApp.idbusinessApp.id

Use a text value to help you find business application using unique ID.

Example

Show findings with business app ID as APP007

businessApp:(id:APP007)

businessApp.managedBybusinessApp.managedBy

Use values within quotes or backticks to help you find business applications managed by user.

Examples

Show any findings that contain parts of name

businessApp:(managedBy:"Byron")

businessApp:(managedBy:`Byron Fortuna`)

businessApp.namebusinessApp.name

Use values within quotes or backticks to help you find the business application name.

Examples

Show any findings that contain parts of name

businessApp:(managedBy:"HR")

businessApp:(managedBy:`HR Intranet`)

businessApp.operationalStatusbusinessApp.operationalStatus

Use a text value to help you find business applications based on operational status.

Example

Show business applications with operational status as Installed

businessApp:(operationalStatus:Installed)

businessApp.ownedBybusinessApp.ownedBy

Use values within quotes or backticks to help you find business applications owned by user.

Examples

Show any findings that contain parts of name

businessApp:(ownedBy:"Joey")

Show any findings that match exact value "Joey Bolick"

businessApp:(ownedBy:"Joey Bolick")

businessApp.supportedBybusinessApp.supportedBy

Use values within quotes or backticks to help you find business applications supported by user.

Examples

Show any findings that contain parts of name

businessApp:(supportedBy:"Joe")

Show any findings that match exact value `Joey Doe`

businessApp:(supportedBy:`Joe Doe`)

businessApp.supportGroupbusinessApp.supportGroup

Use a text value to help you find business applications with support group.

Example

Show assets with business application support group as Security.

businessApp:(supportGroup:"Security")

connectors.connector.nameconnectors.connector.name

Use a text value to define the connector name.

Example

Show findings detected by connector myec2

connectors.connector.name:myec2

connectors.firstDiscoveredconnectors.firstDiscovered

Use a date range or specific date to define when the connectors were first discovered.

Example

Show findings for connectors that were first discovered within certain dates

connectors.firstDiscovered:[2015-10-21 ... 2016-01-15]

Show findings for connectors that were first discovered starting 2017-01-01, ending 1 month ago

connectors.firstDiscovered:[2017-01-01 ... now-1M]

Show findings for connectors that were first discovered starting 2 weeks ago, ending 1 second ago

connectors.firstDiscovered:[now-2w ... now-1s]

Show findings for connectors that were first discovered on certain date

connectors.firstDiscovered:'2018-01-15'

Show findings for connectors that were first discovered before a certain date

connectors.firstDiscovered <'2018-01-15'

Show findings for connectors that were first discovered after a  certain date

connectors.firstDiscovered >'2018-01-15'

connectors.lastDiscoveredconnectors.lastDiscovered

Use a date range or specific date to define when the connectors were last discovered.

Example

Show findings for connectors last discovered within certain dates

connectors.lastDiscovered:[2015-10-21 ... 2016-01-15]

Show findings for connectors last discovered starting 2017-01-01, ending 1 month ago

connectors.lastDiscovered:[2017-01-01 ... now-1M]

Show findings for connectors last discovered starting 2 weeks ago, ending 1 second ago

connectors.lastDiscovered:[now-2w ... now-1s]

Show findings for connectors last discovered on certain date

connectors.lastDiscovered:'2018-01-15'

Show findings for connectors last discovered before a certain date

connectors.lastDiscovered <'2018-01-15'

Show findings for connectors last discovered after a  certain date

connectors.lastDiscovered >'2018-01-15'

connectors.connectorIdconnectors.connectorId

Show assets sourced from a specific connector created by the user

Example

Show assets for the following connector id:

connectors.connectorId:1278237

cpuCountcpuCount

Use an integer value to help you find assets with some number of CPUs.

Example

Show assets that have 2 CPUs

cpuCount:2

createdcreated

Use a date range or specific date to define when assets were created, that is, when first scanned by a scanner appliance, or when agent was installed.

Examples

Show assets created within certain dates

created:[2016-01-01 ... 2016-01-10]

Show assets created starting 2017-10-01, ending 1 month ago

created:[2017-10-01 ... now-1M]

Show assets created starting 2 weeks ago, ending 1 second ago

created:[now-2w ... now-1s]

Show assets created on specific date

created:'2018-01-08'

criticalityScorecriticalityScore

Use an integer value (1-5) to help you find assets based on specific criticality score.

Examples

Show assets with criticality score 5

criticalityScore:5

Show assets with criticality score 2

criticalityScore:2

customAttributes.keycustomAttributes.key

Provide the value to identify your assets based on the key entered as part of the custom attribute.

Example

Find assets with "Department" as part of the key name

customAttributes:(key:"Department")

The result includes assets with the 'Department' custom attribute key.

Note: If 'Department' is part of the key name, such as Department 1, Department A-C, or Department US, those assets are also included in the result.

customAttributes.valuecustomAttributes.value

Provide the value to identify your assets based on the value entered as part of the custom attribute.

Example

Find assets with "DEVOPS" as part of the key value

customAttributes:(value:"DEVOPS")

The result includes assets with the 'DEVOPS' custom attribute value.

Note: If 'DEVOPS' is part of the value name, such as DEVOPS CSAM, DEVOPS CA, or DEVOPS PM, those assets are also included in the result.

docker.dockerVersiondocker.dockerVersion

Use a text value to define a Docker version.

Example

Show findings with this Docker version

docker.dockerVersion:17.3

docker.noOfContainersdocker.noOfContainers

Use an integer value to help you find assets with some number of Docker containers. .

Example

Show findings with 2 Docker containers

docker.noOfContainers:2

docker.noOfImagesdocker.noOfImages

Use an integer value to help you find assets with some number of Docker images.

Example

Show findings with 5 Docker images

docker.noOfImages:5

easm.tags.nameeasm.tags.name

Provide the value to filter assets based on tags discovered through EASM.

Example

Find assets with "cloud" tag.

easm.tags.name:cloud

isDockerHostisDockerHost

Use the values true | false to choose whether to show docker hosts or not (only when the hosts have been scanned).

Examples

Show docker hosts

isDockerHost:true

Do not show docker hosts

isDockerHost:false

interfaces.addressinterfaces.address

Use a text value to define an IP address (IPv4 of IPv6).

Examples

Show the asset with IPv4 address

interfaces.address:10.10.100.20

Show the asset with IPv6 address (enclose value in single quotes)

interfaces.address:'fe80:0:0:0:2501:b53c:4139:404b'

interfaces.dnsAddressinterfaces.dnsAddress

Use a text value to define a DNS address.

Example

Show the asset with DNS address 10.0.100.11

interfaces.dnsAddress:10.0.100.11

interfaces.gatewayAddressinterfaces.gatewayAddress

Use a text value to help you find assets with a certain default gateway address.

Example

Show assets with this default gateway address

interfaces.gatewayAddress:10.11.65.1

interfaces.hostnameinterfaces.hostname

Use quotes or backticks within values to help you find the hostname.

Examples

Show any findings related to name

interfaces.hostname:xpsp2-jp-26-111

Show any findings that contain parts of name

interfaces.hostname:"xpsp2-jp-26-111"

Show any findings that match exact value "xpsp2-jp-26-111"

interfaces.hostname:`xpsp2-jp-26-111`

Show any findings related to name (we'll match super domains)

interfaces.hostname:qcentos71sqp3.rdlab.acme.com

Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"

interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`

interfaces.interfaceNameinterfaces.interfaceName

Use a text value to help you find a certain interface name.

Example

Show the asset with name PRO/1000

interfaces.interfaceName:PRO/1000

interfaces.macAddressinterfaces.macAddress

Use values within quotes to help you find a MAC address.

Example

Show the asset with this MAC address

interfaces.macAddress:"00-50-56-A9-73-5A"

agent.lastCheckedInagent.lastCheckedIn

Use a date range or specific date to define when agents last checked in to the platform. The last checked in date will be updated after agent provisioning, agent inventory and agent scan.

Examples

Show findings with last check in within a specific date range.

agent.lastCheckedIn:[2020-01-01 ... 2020-01-10]

Show findings with last check in starting 2019-11-01, ending 1 month ago.

agent.lastCheckedIn:[2019-11-01 ... now-1M]

Show findings with last check in starting 2 weeks ago, ending 1 second ago

agent.lastCheckedIn:[now-2w ... now-1s]

Show findings with last check in on a specific date

agent.lastCheckedIn:'2020-02-11'

Show findings with last check in before (older than) last 30 days.

agent.lastCheckedIn<now-30d

Note: We recommend not to use the NOT operator in your range search to form a query like NOT lastCheckedIn:[now-30d...now-2s]. See 'QQL Best Practices' topic in the Unified Dashboard online Help.

Show findings with last check in within last 30 days excluding day 30

agent.lastCheckedIn>now-30d

Show findings with last check in within last 30 days including day 30

agent.lastCheckedIn>=now-30d

Show findings with last check in which is older than last 30 days excluding day 30

agent.lastCheckedIn<now-30d

Show findings with last check in which is older than last 30 days including day 30

agent.lastCheckedIn<=now-30d

lastLocation.namelastLocation.name

Use a text value to help you find assets based on last location.

Examples

Show assets with last location as Redwood City, California - United States

lastLocation.name: `Redwood City, California - United States`

Show assets with last location with exact string

lastLocation.name: `Redwood City, California - United States`

lastLocation.continentlastLocation.continent

Use a text value to help you find assets based on continent of the last location.

Examples

Show assets with last location continent as North America

lastLocation.continent: `North America`

Show assets with last location with exact string

lastLocation.continent: `North America`

lastLocation.countrylastLocation.country

Use a text value to help you find assets based on country of the last location.

Example

Show assets with last location country as United States

lastLocation.country:United States

lastLocation.statelastLocation.state

Use a text value to help you find assets based on state of the last location.

Example

Show assets with last location state as California

lastLocation.state: California

lastLocation.citylastLocation.city

Use a text value to help you find assets with city of the last location.

Example

Show assets with last location state as Miami

lastLocation.city: Miami

lastLocation.postallastLocation.postal

Use a text value to help you find assets based on postal of the last location.

Example

Show assets with last location postal as 94065

lastLocation.postal: 94065

lastVmScanDatelastVmScanDate

Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.

Examples

Show findings with last vulnerability scan within certain dates

lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]

Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago

lastVmScanDateScanner: [2016-11-01 ... now-1M]

Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago

lastVmScanDateScanner: [now-2w ... now-1s]

Show findings with last vulnerability scan on specific date

lastVmScanDateScanner:'2017-04-10'

lastVmScanDateScanner lastVmScanDateScanner

Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.

Examples

Show findings with last vulnerability scan within certain dates

lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]

Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago

lastVmScanDateScanner: [2016-11-01 ... now-1M]

Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago

lastVmScanDateScanner: [now-2w ... now-1s]

Show findings with last vulnerability scan on specific date

lastVmScanDateScanner:'2017-04-10'

lastVmScanDateAgentlastVmScanDateAgent

Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.

Examples

Show findings with last vulnerability scan within certain dates

lastVmScanDateAgent: [2017-01-01 ... 2017-02-10]

Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago

lastVmScanDateAgent: [2016-11-01 ... now-1M]

Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago

lastVmScanDateAgent: [now-2w ... now-1s]

Show findings with last vulnerability scan on specific date

lastVmScanDateAgent:'2017-04-10'

lastPcScanDateAgentlastPcScanDateAgent

Use a date range or specific date to define when compliance scans were last conducted. In case of a full Policy Compliance scan all QIDs are triggered. For custom Policy Compliance scan specific QIDs are triggered.

Examples

Show findings with last compliance scan within certain dates

lastPcScanDateAgent: [2017-01-01 ... 2017-02-10]

Show findings with last compliance scan starting 2016-11-01, ending 1 month ago

lastPcScanDateAgent: [2016-11-01 ... now-1M]

Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago

lastPcScanDateAgent: [now-2w ... now-1s]

Show findings with last compliance scan on specific date

lastPcScanDateAgent:'2017-04-10'

lastPcScanDateScannerlastPcScanDateScanner

Use a date range or specific date to define when Policy Compliance scans were last conducted by the scanner. In case of a full Policy Compliance scan all QIDs are triggered. For custom Policy Compliance scan specific QIDs are triggered.

Examples

Show findings with last compliance scan within certain dates

lastPcScanDateScanner: [2017-01-01 ... 2017-02-10]

Show findings with last compliance scan starting 2016-11-01, ending 1 month ago

lastPcScanDateScanner: [2016-11-01 ... now-1M]

Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago

lastPcScanDateScanner: [now-2w ... now-1s]

Show findings with last compliance scan on specific date

lastPcScanDateScanner:'2017-04-10'

lastComplianceScanDatelastComplianceScanDate

Use a date range or specific date to define when compliance scans were last conducted. In case of a full compliance scan, all QIDs are triggered. For custom compliance scan specific QIDs are triggered.

Examples

Show findings with last compliance scan within certain dates

lastComplianceScanDate: [2017-01-01 ... 2017-03-31]

Show findings with last compliance scan starting 2016-10-15, ending 1 month ago

lastComplianceScanDate: [2016-10-15 ... now-1M]

Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago

lastComplianceScanDate: [now-2w ... now-1s]

Show findings with last compliance scan on specific date

lastComplianceScanDate:'2017-02-18'

lastFullScanlastFullScan

Use a date range or specific date to define when full scans were last conducted on an agent or a scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.

Examples

Show findings with last full scan within certain dates

lastFullScan:[2018-01-01 ... 2018-01-10]

Show findings with last full scan starting 2017-11-01, ending 1 month ago

lastFullScan:[2017-11-01 ... now-1M]

Show findings with last full scan starting 2 weeks ago, ending 1 second ago

lastFullScan:[now-2w ... now-1s]

Show findings with last full scan on a specific date

lastFullScan:'2018-02-08'

middlewareManifestVersionmiddlewareManifestVersion

Use the manifest version to find host assets, where middleware scan is performed using the specific manifest version.

Example

Show host assets, where middleware scan is performed with the specified manifest version

middlewareManifestVersion: "VULNSIGS-MIDDLEWARE-SCAN-2.5.884-2"

agent.lastInventoryagent.lastInventory

Use a date range or specific date to define when inventory scans were last conducted by agents.

Examples

Show findings with last inventory scan within certain dates

agent.lastInventory:[2018-01-12 ... 2018-01-20]

Show findings with last inventory scan starting 2018-01-01, ending 1 month ago

agent.lastInventory:[2018-01-01 ... now-1M]

Show findings with last inventory scan starting 3 weeks ago, ending 1 second ago

agent.lastInventory:[now-3w ... now-1s]

Show findings with last inventory scan on specific date

agent.lastInventory:'2018-02-10'

lastLoggedOnUserlastLoggedOnUser

Use a text value to help you find assets last logged into by a user of interest.

Examples

Show assets with last logon by user asmith

lastLoggedOnUser:asmith

agent.lastActivityagent.lastActivity

Use a date range or specific date to define when the last activity on the agent occurred. The last activity date will be updated after agent provisioning, and agent inventory. The date will not be updated after agent scan.

Examples

Show findings with last activity within certain dates

agent.lastActivity: [2016-01-01 ... 2016-01-10]

Show findings with last activity starting 2015-10-01, ending 1 month ago

agent.lastActivity: [2015-10-01 ... now-1M]

Show findings with last activity starting 2 weeks ago, ending 1 second ago

agent.lastActivity: [now-2w ... now-1s]

Show findings with last activity on a specific date

agent.lastActivity:'2015-12-01'

namename

Use quotes or backticks within values to help you find the asset name.

Examples

Show any findings related to name

name:QK2K12QP3-65-53

Show any findings that contain parts of name

name:"QK2K12QP3-65-53"

Show any findings that match exact value "QK2K12QP3-65-53"

name:`QK2K12QP3-65-53`

netbiosNamenetbiosName

Use a text value to define the NetBIOS name.

Examples

Show assets with this exact name (case sensitive)

netbiosName: EC2AMAZ-19OC2IT

Show assets with name starting with "EC2" (case sensitive)

netbiosName: EC2*

Show assets with name ending with "c2it" (case insensitive)

netbiosName: *c2it

openPorts.descriptionopenPorts.description

Use quotes or backticks within values to help you find the service description detected on an open port.

Examples

Show any findings with this description

openPorts.description:Windows Remote Desktop

Show any findings that contain parts of description

openPorts.description:"Windows Remote Desktop"

Show any findings that match exact value "Windows Remote Desktop"

openPorts.description:`Windows Remote Desktop`

openPorts.detectedServiceopenPorts.detectedService

Use quotes or backticks within values to help you find the detected service.

Examples

Show any findings with this service name

openPorts.detectedService:win_remote_desktop

Show any findings that contain parts of name

openPorts.detectedService:"win_remote_desktop"

Show any findings that match exact value "win_remote_desktop"

openPorts.detectedService:`win_remote_desktop`

openPorts.firstFoundopenPorts.firstFound

Use a date range or specific date to define when open ports were first found.

Examples

Show findings with open ports first found within certain dates

openPorts.firstFound:[2017-06-15 ... 2017-06-30]

Show findings with open ports first found starting 2017-06-22, ending 1 month ago

openPorts.firstFound: [2017-06-22 ... now-1M]

Show findings with open ports first found starting 2 weeks ago, ending 1 second ago

openPorts.firstFound:[now-2w ... now-1s]

Show findings with open ports first found on specific date

openPorts.firstFound:'2017-06-14'

openPorts.lastUpdatedopenPorts.lastUpdated

Use a date range or specific date to define when open ports were last updated.

Examples

Show findings with open ports last updated within certain dates

openPorts.lastUpdated:[2017-06-15 ... 2017-06-30]

Show findings with open ports last updated starting 2017-06-22, ending 1 month ago

openPorts.lastUpdated:[2017-06-22 ... now-1M]

Show findings with open ports last updated starting 2 weeks ago, ending 1 second ago

openPorts.lastUpdated:[now-2w ... now-1s]

Show findings with open ports last updated on specific date

openPorts.lastUpdated:'2018-01-14'

openPorts.portopenPorts.port

Use an integer value to help you find assets with some open port.

Example

Show assets with open port 80

openPorts.port:80

openPorts.protocolopenPorts.protocol

Use a text value (UDP or TCP) to define the port protocol.

Examples

Show findings found on TCP

openPorts.protocol:TCP

Show findings found on port 80 and TCP

openPorts:(port:80 AND protocol:TCP)

operatingSystemoperatingSystem

Use quotes or backticks within values to help you find the operating system.

Examples

Show any findings with this OS name

operatingSystem:Windows 2012

how any findings that contain components of OS name

operatingSystem:"Windows 2012"

Show any findings that match exact value "Windows 2012"

operatingSystem:`Windows 2012`

pendingActivationForModulespendingActivationForModules

Select the name of a module that's pending activation. Select from names in the drop-down menu.

Examples

Show assets pending activation for VM

pendingActivationForModules:VM

Show assets pending activation for VM and FIM

pendingActivationForModules:VM AND pendingActivationForModules:FIM

pcManifestVersionpcManifestVersion

Use the manifest version to find host assets, where PC scan is performed using the specific manifest version.

Example

Show host assets, where PC scan is performed with the specified manifest version.

pcManifestVersion: "VULNSIGS-PC-2.5.889-6"

platformplatform

Use a text value to find assets on Windows or Linux platform.

Example

Show assets on Windows platform

platform:Windows

providerprovider

Select the name of a cloud service provider.

Examples

Show assets synced from Amazon AWS

provider: AWS

processors.descriptionprocessors.description

Use quotes or backticks within values to help you find the processor description.

Examples

Show any findings with this description

processors.description:intel

Show any findings that contain parts of description

processors.description:"intel"

Show any findings that match exact value "intel"

processors.description:`intel`

processors.speedprocessors.speed

Use an integer value to help you find assets with a certain processor speed.

Example

Show assets with this processor speed

processors.speed:1995

processors.threadsPerCoreprocessors.threadsPerCore

Use an integer value to show the number of threads per core.

Example

Show number of threads per core

processors.threadsPerCore:1

processors.coresPerSocketprocessors.coresPerSocket

Use an integer value to show the number of cores per socket.

Example

Show number of cores per socket

processors.coresPerSocket:2

processors.numberOfSocketsprocessors.numberOfSockets

Use an integer value to show the number of sockets.

Example

Show number of sockets

processors.numberofSockets:2

processors.numberOfCpuprocessors.numberOfCpu

Use an integer value to show the number of CPUs.

Example

Show the CPUs

processors.numberofCpu:4

processors.multithreadingStatusprocessors.multithreadingStatus

Use a string value to determine the multithreading status of the processor.

Example

Show multi-threading status

processors.multithreadingStatus:"ENABLED"

QIDQID

Use an integer value to define the QID.

Example

Show findings with QID 90405

QID: 90405

Note: The QID token shows all assets that have the specific QID. The exclude vulnerabilities filters are not applicable for the QID token.

qualysCorrelationIDqualysCorrelationID

Use a text value #### to show assets with specific Qualys Correlation ID.

Example

Show assets with this Qualys Correlation ID

qualysCorrelationID: 0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058

Show assets without any Qualys Correlation ID

qualysCorrelationID: UNIDENTIFIED

Show assets all assets with Qualys Correlation ID

qualysCorrelationID: *

riskScoreriskScore

Use an integer value (0-1000) to help you find assets based on specific risk score.

Examples

Show assets with risk score 60

riskScore:60

Show assets with risk score 25

riskScore:25

scaManifestVersionscaManifestVersion

Use the manifest version to find host assets, where SCA scan is performed using the specific manifest version.

Example

Show host assets, where SCA scan is performed with the specified manifest version

scaManifestVersion: "VULNSIGS-SCA-2.5.891-2"

sensors.firstEasmScanDatesensors.firstEasmScanDate

Show a list of External Attack Surface discovered assets based on their first scan date in YYYY-MM-DD format.

Examples

Show a list of External Attack Surface discovered assets scanned for the first time on or after 2022-10-04

sensors.firstEasmScanDate >='2022-10-04'

Show a list of External Attack Surface discovered assets that are scanned for the first time before 2022-10-04

sensors.firstEasmScanDate <'2022-10-04'

Show a list of External Attack Surface discovered assets that are scanned for the first time after 2022-10-04

sensors.firstEasmScanDate > '2022-10-04'

Show a list of External Attack Surface discovered assets that are scanned for the first time on 2022-10-04

sensors.firstEasmScanDate = '2022-10-04'

sensors.lastEasmScanDatesensors.lastEasmScanDate

Shows a list of externally exposed assets based on their latest scan date in YYYY-MM-DD format.

Examples

Show a list of externally exposed assets from the latest scan on or after 2023-06-04

sensors.lastEasmScanDate >='2023-06-04'

Show a list of externally exposed assets from the latest scan before 2023-06-04

sensors.lastEasmScanDate <='2023-06-04'

Show a list of externally exposed assets from the latest scan after 2023-06-04

sensors.lastEasmScanDate >'2023-06-04'

Show a list of externally exposed assets from the latest scan on 2023-06-04

sensors.lastEasmScanDate = '2023-06-04'

services.descriptionservices.description

Use quotes or backticks within values to help you find the service description.

Examples

Show any findings with this description

services.description:Windows Event Log

Show any findings that contain parts of description

services.description:"Windows Event Log"

Show any findings that match exact value "Windows Event Log"

services.description:`Windows Event Log`

services.nameservices.name

Use quotes or backticks within values to help you find the service name.

Examples

Show any findings with this name

services.name:eventlog

Show any findings that contain parts of name

services.name:"eventlog"

Show any findings that match exact value "eventlog"

services.name:`eventlog`

services.statusservices.status

Use quotes or backticks within values to help you find the service status.

Examples

Show any findings with this status

services.status:running

Show any findings that contain parts of name

services.status:"running"

Show any findings that match exact value running

services.status:`running`

software.firstFoundsoftware.firstFound

Use a date range or specific date to define when software was first found.

Examples

Show assets with software first found within certain dates

software:(firstFound:[2017-10-15 ... 2017-10-30]

Show assets with software first found starting 2017-06-22, ending 1 month ago

software:(firstFound:[2017-06-22 ... now-1M]

Show assets with software first found starting 2 weeks ago, ending 1 second ago

software:(firstFound:[now-2w ... now-1s]

Show assets with software first found on specific date

software:(firstFound:'2017-08-14'

software.lastUpdatedsoftware.lastUpdated

Use a date range or specific date to define when software was last updated in Qualys database.

Examples

Show assets with software last updated within certain dates

software:(lastUpdated:[2018-01-15 ... 2018-03-12]

Show assets with software last updated starting 2018-01-22, ending 1 month ago

software:(lastUpdated:[2018-01-22 ... now-1M]

Show assets with software last updated starting 2 weeks ago, ending 1 second ago

software:(lastUpdated:[now-2w ... now-1s]

Show assets with software last updated on specific date

software:(lastUpdated:'2018-02-16'

software.installedDatesoftware.installedDate

Use a date range or specific date to define when software was installed.

Examples

Show assets with software installed within certain dates

software:(installedDate:[2018-01-15 ... 2018-03-12]

Show assets with software installed starting 2018-01-22, ending 1 month ago

software:(installedDate:[2018-01-22 ... now-1M]

Show assets with software installed starting 2 weeks ago, ending 1 second ago

software:(installedDate:[now-2w ... now-1s]

Show assets with software installed on specific date

software:(installedDate:'2018-02-16'

software:(isPackageComponentsoftware:(isPackageComponent

Use the values true or false to define whether software is a package component.

Example

Show software that is a package component

software:(isPackageComponent:"true")

software.namesoftware.name

Use quotes or backticks within values to help you find the software name.

Examples

Show any findings with this name

software.name:VMware Tools

Show any findings that contain parts of name

software.name:"VMware Tools"

Show any findings that match exact value "VMware Tools"

software.name:`VMware Tools`

Find assets with certain tag and software installed

tags.name:`Cloud Agent` AND software:(name:`Cisco AnyConnect Secure Mobility Client` AND version:`3.1.12345`)

software.versionsoftware.version

Use a text value to define the software version.

Example

Show findings with this version

software.version: 8.6.10

Find assets with certain tag and software installed

tags.name:`Cloud Agent` AND software: (name:`Cisco AnyConnect Secure Mobility Client` AND version:`3.1.12345`)

system.biosDescriptionsystem.biosDescription

Use quotes or backticks within values to help you find the BIOS description.

Examples

Show any findings with this description

system.biosDescription: Phoenix Technologies

Show any findings that contain parts of name

system.biosDescription: "Phoenix Technologies"

Show any findings that match exact value "Phoenix Technologies"

system.biosDescription: `Phoenix Technologies`

system.lastBootsystem.lastBoot

Use a date range or specific date to define when assets were last booted.

Examples

Show assets last booted within certain dates

system.lastBoot:[2018-01-11 ... 2018-01-23]

Show assets last booted starting 2017-10-01, ending 1 month ago

system.lastBoot:[2017-10-01 ... now-1M]

Show assets last booted starting 2 weeks ago, ending 1 second ago

system.lastBoot:[now-2w ... now-1s]

Show assets last booted on a specific date

system.lastBoot:'2018-03-08'

system.manufacturersystem.manufacturer

Use quotes or backticks within values to help you find the system manufacturer.

Examples

Show any findings with this name

system.manufacturer:dell

Show any findings that contain parts of name

system.manufacturer:"dell"

Show any findings that match exact value "dell"

system.manufacturer:`dell`

system.modelsystem.model

Use quotes or backticks within values to help you find the system model.

Examples

Show any findings with this name

system.model: optiplex

Show any findings that contain parts of name

system.manufacturer: "optiplex"

Show any findings that match exact value "optiplex"

system.manufacturer: `optiplex`

system.timezonesystem.timezone

Use a text value in quotes to find assets with a certain timezone set.

Example

Show assets with this timezone

system.timezone:-08:00

system.totalMemorysystem.totalMemory

Use an integer value to help you find assets with a certain total system memory.

Example

Show assets with this total system memory

system.totalMemory:1024

tags.businessImpacttags.businessImpact

Select a criticality e.g. "CRITICAL","HIGH","MEDIUM","LOW","MINOR" to find tags of this type. Select from names in the drop-down menu.

Example

Show tags names with critical business impact

tags.businessImpact:Critical

tags.nametags.name

Use values within quotes or backticks to help you find the asset tag you are looking for.

Example

Show any findings that match exact value "Cloud Agent"

tags.name:`Cloud Agent`

trackingMethodtrackingMethod

Select the tracking method for the assets (IP, DNSNAME, NETBIOS, INSTANCE_ID, and etc.)Select from names in the drop-down menu.

Examples

Show this assets tracked by IP

trackingMethod: IP

Show asset tracked by NETBIOS

trackingMethod: NETBIOS

Show assets tracked by EASM

trackingMethod: EASM

udcManifestVersionudcManifestVersion

Use the manifest version to find host assets, where UDC scan is performed using the specific manifest version.

Example

Show host assets, where UDC scan is performed with the specified manifest version

udcManifestVersion: "UDCVULNSIGS-1014"

updatedupdated

Use a date range or specific date to define when assets were updated (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the Enterprise TruRisk™  Platform by an agent).

Examples

Show assets updated within certain dates

updated:[2017-12-01 ... 2018-01-10]

Show assets updated starting 2017-10-01, ending 3 months ago

updated:[2017-10-01 ... now-3M]

Show assets updated starting 2 weeks ago, ending 1 second ago

updated:[now-2w ... now-1s]

Show assets updated on a specific date

updated:'2018-03-10'

vmManifestVersionvmManifestVersion

Use the manifest version to find host assets, where VM scan is performed using the specific manifest version.

Example

Show host assets, where VM scan is performed with the specified manifest version

vmManifestVersion: "VULNSIGS-VM-0.49.0.0-18"

volumes.freevolumes.free

Use an integer value to help you find assets with a certain free volume space.

Example

Show assets with this free volume space

volumes.free:448312320

volumes.namevolumes.name

Use a text value to find assets with a certain volume name.

Example

Show assets with this volume name

volumes.name:/boot

volumes.sizevolumes.size

Use an integer value to help you find assets with a certain volume size.

Example

Show assets with this volume size

volumes.size:481529856

vulnerabilitiesvulnerabilities

Choose the value * to find assets with vulnerabilities.

Example

Show all findings that have vulnerabilities

vulnerabilities:*

Asset Inventory

Use search tokens to refine your search for assets based on different asset properties.

hardware.categoryhardware.category

Use quotes or backticks within values to help you find the hardware.

Examples

Show any findings that contain parts of value

hardware.category:"Computer/Server"

Show any findings that match exact value

hardware.category:`Computer/Server`

hardware.category1hardware.category1

Use quotes or backticks within values to find assets with hardware category 1 value.

Example

Show any findings that match exact value

hardware.category1:`Computer`

hardware.category2hardware.category2

Use quotes or backticks within values to find assets with hardware category 2 value.

Example

Show any findings that match exact value

hardware.category2:`Server`

hardware.lifecycle.gahardware.lifecycle.ga

Use a date range or specific date to define a hardware general availability.

Examples

Show findings with hardware GA date in this date range

hardware.lifecycle.ga:[2019-01-01 ... 2019-01-15]

Show findings with hardware GA date starting 2019-01-15, ending 1 month ago

hardware.lifecycle.ga:[2019-01-15 ... now-1M]

Show findings with hardware GA date starting 2 weeks ago, ending 1 second ago

hardware.lifecycle.ga:[now-2w ... now-1s]

Show findings with this hardware GA date

hardware.lifecycle.ga:'2019-03-18'

hardware.lifecycle.introhardware.lifecycle.intro

Use a date range or specific date to define a hardware introduction date.

Examples

Show findings with hardware introduction date in this date range

hardware.lifecycle.intro:[2019-01-01 ... 2019-01-15]

Show findings with hardware introduction date starting 2019-01-15, ending 1 month ago

hardware.lifecycle.intro:[2019-01-15 ... now-1M]

Show findings with hardware introduction date starting 2 weeks ago, ending 1 second ago

hardware.lifecycle.intro:[now-2w ... now-1s]

Show findings with this hardware introduction date

hardware.lifecycle.intro:'2019-03-18'

hardware.lifecycle.eoshardware.lifecycle.eos

Use a date range or specific date to define a hardware End-of-Sale date.

Examples

Show findings with hardware End-of-Sale date in this date range

hardware.lifecycle.eos:[2019-01-01 ... 2019-01-15]

Show findings with hardware End-of-Sale date starting 2019-01-15, ending 1 month ago

hardware.lifecycle.eos:[2019-01-15 ... now-1M]

Show findings with hardware End-of-Sale date starting 2 weeks ago, ending 1 second ago

hardware.lifecycle.eos:[now-2w ... now-1s]

Show findings with this hardware End-of-Sale date

hardware.lifecycle.eos:'2019-03-18'

hardware.lifecycle.obshardware.lifecycle.obs

Use a date range or specific date to define a hardware obsolete date.

Examples

Show findings with hardware obsolete date in this date range

hardware.lifecycle.obs:[2019-01-01 ... 2019-01-15]

Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago

hardware.lifecycle.obs:[2019-01-15 ... now-1M]

Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago

hardware.lifecycle.obs:[now-2w ... now-1s]

Show findings with this hardware obsolete date

hardware.lifecycle.obs:'2019-03-18'

hardware.lifecycle.stagehardware.lifecycle.stage

Use a text value in quotes to define the hardware lifecycle stage (INTRO, GA, EOS, OBS)

Example

Show End-of-Sale hardware

hardware.lifecycle.stage:"EOS"

hardware.manufacturerhardware.manufacturer

Use quotes or backticks within values to find assets having a certain hardware manufacturer.

Example

Show any findings that match exact value "Dell"

hardware.manufacturer:`Dell`

hardware.modelhardware.model

Use quotes or backticks within values to find assets having a certain hardware model.

Example

Show any findings that match exact value "e7470"

hardware.model:`De7470`

hardware.producthardware.product

Use quotes or backticks within values to find assets having a certain hardware product.

Example

Show any findings that match exact value "Latitude"

hardware.product:`Latitude`

operatingSystem.architectureoperatingSystem.architecture

Use quotes or backticks within values to help you find the operating system architecture that is 32-Bit or 64-Bit.

Example

Show any findings that match exact value

operatingSystem.architecture:`64-Bit`

operatingSystem.categoryoperatingSystem.category

Use quotes or backticks within values to help you find the full operating system category name that is Windows, Unix, Linux, Mac and more.

Example

Show any findings that match exact value

operatingSystem.category:`Windows`

operatingSystem.category1operatingSystem.category1

Use quotes or backticks within values to help you find the operating system category 1 value.

Example

Show any findings that match exact value

operatingSystem.category1:`Windows`

operatingSystem.category2operatingSystem.category2

Use quotes or backticks within values to help you find the operating system category 1 value.

Example

Show any findings that match exact value

operatingSystem.category2:`Client`

operatingSystem.editionoperatingSystem.edition

Use quotes or backticks within values to help you find the operating system edition.

Example

Show any findings that match exact value

operatingSystem.edition:`Enterprise`

operatingSystem.lifecycle.gaoperatingSystem.lifecycle.ga

Use a date range or specific date to define an OS general availability date.

Examples

Show findings with OS GA date in this date range

operatingSystem.lifecycle.ga:[2019-01-01 ... 2019-01-15]

Show findings with OS GA date starting 2019-01-15, ending 1 month ago

operatingSystem.lifecycle.ga:[2019-01-15 ... now-1M]

Show findings with OS GA date starting 2 weeks ago, ending 1 second ago

operatingSystem.lifecycle.ga:[now-2w ... now-1s]

Show findings with this OS GA date

operatingSystem.lifecycle.ga:'2019-03-18'

operatingSystem.lifecycle.eoloperatingSystem.lifecycle.eol

Use a date range or specific date to define an operating system End-of-Life date.

Examples

Show findings with operating system End-of-Life date in this date range

operatingSystem.lifecycle.eol:[2019-01-01 ... 2019-01-15]

Show findings with operating system End-of-Life date starting 2019-01-15, ending 1 month ago

operatingSystem.lifecycle.eol:[2019-01-15 ... now-1M]

Show findings with operating system End-of-Life date starting 2 weeks ago, ending 1 second ago

operatingSystem.lifecycle.eol:[now-2w ... now-1s]

Show findings with this operating system End-of-Life date

operatingSystem.lifecycle.eol:'2019-03-18'

operatingSystem.lifecycle.eosoperatingSystem.lifecycle.eos

Use a date range or specific date to define an operating system End-of-Support date.

Examples

Show findings with operating system End-of-Support date in this date range

operatingSystem.lifecycle.eos:[2019-01-01 ... 2019-01-15]

Show findings with operating system End-of-Support date starting 2019-01-15, ending 1 month ago

operatingSystem.lifecycle.eos:[2019-01-15 ... now-1M]

Show findings with operating system End-of-Support date starting 2 weeks ago, ending 1 second ago

operatingSystem.lifecycle.eos:[now-2w ... now-1s]

Show findings with this operating system End-of-Support date

operatingSystem.lifecycle.eos:'2019-03-18'

operatingSystem.lifecycle.stageoperatingSystem.lifecycle.stage

Use a text value to define an OS lifecycle stage that is, active, eol, obsolete.

Examples

Show findings having this OS lifecycle stage

operatingSystem.lifecycle.stage:eol

Show findings with OS category Windows and OS lifecycle stage "active"

operatingSystem:(category:Windows AND lifecycle.stage:eol)

operatingSystem.marketVersionoperatingSystem.marketVersion

Use quotes or backticks within values to help you find the operating system market version, e.g. Windows OS.

Example

Show any findings that match exact value

operatingSystem.marketVersion:`7`

operatingSystem.osIdoperatingSystem.osId

Use quotes or backticks within values to help you find the operating system ID.

Example

Show any findings that match exact value

operatingSystem.osId:`96426`

operatingSystem.nameoperatingSystem.name

Use quotes or backticks within values to help you find the operating system brand name, for example, Windows OS.

Example

Show any findings that match exact value

operatingSystem.name:`Windows 10`

operatingSystem.publisheroperatingSystem.publisher

Use a text value to define an operating system manufacturer.

Example

Show findings with this exact software publisher

operatingSystem.publisher:`Microsoft`

operatingSystem.updateoperatingSystem.update

Use a text value to define an OS update version.

Example

Show findings with this exact OS update version

operatingSystem.update:`SP2`

operatingSystem.versionoperatingSystem.version

Use a text value to define the OS version you're interested in.

Example

Show findings with this exact OS version

operatingSystem.version:`16.1`

software.architecturesoftware.architecture

Use quotes or backticks within values to help you find the software architecture, that is, 32-Bit or 64-Bit.

Example

Show any findings that match exact value

software:(architecture:`64-Bit`)

software.categorysoftware.category

Use quotes or backticks within values to help you find a software category.

Example

Show any findings that match exact value

software:(category:`Productivity > Productivity Suites`)

software.category1software.category1

Use quotes or backticks within values to help you find the software category 1 value.

Example

Show any findings that match exact value

software:(category1:`Productivity`)

software.category2software.category2

Use quotes or backticks within values to help you find the software category 2 value.

Example

Show any findings that match exact value

software:(category2:`Productivity Suites`)

software.editionsoftware.edition

Use quotes or backticks within values to help you find the software edition.

Example

Show any findings that match exact value

software:(edition:`Professional`)

software.lifecycle.gasoftware.lifecycle.ga

Use a date range or specific date to define a software general availability date.

Examples

Show findings with software GA date in this date range

software:(lifecycle.ga:[2019-01-01 ... 2019-01-15])

Show findings with woftware GA date starting 2019-01-15, ending 1 month ago

software:(lifecycle.ga:[2019-01-15 ... now-1M])

Show findings with software GA date starting 2 weeks ago, ending 1 second ago

software:(lifecycle.ga:[now-2w ... now-1s])

Show findings with this software GA date

software:(lifecycle.ga:'2019-03-18')

software.lifecycle.eolsoftware.lifecycle.eol

Use a date range or specific date to define an software End-of-Life date.

Examples

Show findings with software End-of-Life date in this date range

software:(lifecycle.eol:[2019-01-01 ... 2019-01-15]

Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago

software:(lifecycle.eol:[2019-01-15 ... now-1M]

Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago

software:(lifecycle.eol:[now-2w ... now-1s]

Show findings with this software End-of-Life date

software:(lifecycle.eol:'2019-03-18'

software.lifecycle.eossoftware.lifecycle.eos

Use a date range or specific date to define an software End-of-Support date.

Examples

Show findings with software End-of-Support date in this date range

software:(lifecycle.eos:[2019-01-01 ... 2019-01-15]

Show findings with software End-of-Support date starting 2019-01-15, ending 1 month ago

software:(lifecycle.eos:[2019-01-15 ... now-1M]

Show findings with software End-of-Support date starting 2 weeks ago, ending 1 second ago

software:(lifecycle.eos:[now-2w ... now-1s]

Show findings with this software End-of-Support date

software:(lifecycle.eos:'2019-03-18'

software.lifecycle.stagesoftware.lifecycle.stage

Use a text value to define a software lifecycle stage that is, active, eol, obsolete.

Examples

Show findings having this software lifecycle stage

software:(lifecycle.stage:eol)

Show findings having software category Windows and software lifecycle stage "active"

software:(category:Windows AND lifecycle.stage:eol)

software.license.categorysoftware.license.category

Use text value to help you find a software license category, i.e. Open Source, Commercial.

Example

Show any findings that match exact value

software:(license.category:`Open Source`)

software.marketVersionsoftware.marketVersion

Use quotes or backticks within values to help you find a software market version, e.g. Windows OS.

Example

Show any findings that match exact value

software:(marketVersion:`7`)

software.productsoftware.product

Use a text value to define a software product name.

Example

Show findings with this exact product name

software:(product:`Office`)

software.publishersoftware.publisher

Use a text value to define a software manufacturer.

Example

Show findings with this exact software publisher

software:(publisher:`Microsoft`)

software.typesoftware.type

Use a text value to define a software type.

Example

Show findings having this software type

software:(type:`Installer Package`)

software.updatesoftware.update

Use a text value to define a software update version.

Example

Show findings with this exact software update version

software:(update:`16.0.1.2`)

software.license.subCategorysoftware.license.subCategory

Use text value to help you find a software license subCategory, i.e. GPL, Apache 2.0, BSD.

Example

Show any findings that match exact value

software:(license.subCategory:Apache 2.0)

Alerting

assetIdassetId

Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.

Examples

  • Show this asset ID
    assetId: 2918869
  • Show asset IDs in this range
    assetId: [3546997 .. 12945655]
  • Show the 2 asset IDs listed
    assetId: [3546997,12945655]

criticalityScorecriticalityScore

Use an integer value (1-5) to help you find assets based on specific criticality score.

Examples

  • Show assets with criticality score 5
    criticalityScore:5
  • Show assets with criticality score 2
    criticalityScore:2

interfaces.hostnameinterfaces.hostname

Use quotes or backticks within values to help you find the hostname.

Examples

  • Show any findings related to name
    interfaces.hostname:xpsp2-jp-26-111
  • Show any findings that contain parts of name
    interfaces.hostname:"xpsp2-jp-26-111"
  • Show any findings that match exact value "xpsp2-jp-26-111"
    interfaces.hostname:`xpsp2-jp-26-111`
  • Show any findings related to name (we'll match super domains)
    interfaces.hostname:qcentos71sqp3.rdlab.acme.com
  • Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
    interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`

lastComplianceScanDatelastComplianceScanDate

Use a date range or specific date to define when compliance scans were last conducted. In case of a full compliance scan, all QIDs are triggered. For custom compliance scan specific QIDs are triggered.

Examples

  • Show findings with last compliance scan within certain dates
    lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
  • Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
    lastComplianceScanDate: [2016-10-15 ... now-1M]
  • Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
    lastComplianceScanDate: [now-2w ... now-1s]
  • Show findings with last compliance scan on a specific date
    lastComplianceScanDate:'2017-02-18'

lastVmScanDatelastVmScanDate

Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.

Examples

  • Show findings with the last vulnerability scan within certain dates
    lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
  • Show findings with the last vulnerability scan starting 2016-11-01, ending 1 month ago
    lastVmScanDateScanner: [2016-11-01 ... now-1M]
  • Show findings with the last vulnerability scan starting 2 weeks ago, ending 1 second ago
    lastVmScanDateScanner: [now-2w ... now-1s]
  • Show findings with the last vulnerability scan on a specific date
    lastVmScanDateScanner:'2017-04-10'

namename

Use quotes or backticks within values to help you find the asset name.

Examples

  • Show any findings related to name
    name:QK2K12QP3-65-53
  • Show any findings that contain parts of name
    name:"QK2K12QP3-65-53"
  • Show any findings that match exact value "QK2K12QP3-65-53"
    name:`QK2K12QP3-65-53`

netbiosNamenetbiosName

Use a text value to define the NetBIOS name.

Examples

  • Show assets with this exact name (case sensitive
    netbiosName:EC2AMAZ-19OC2IT
  • Show assets with name starting with "EC2" (case sensitive
    netbiosName:EC2*
  • Show assets with name ending with "c2it" (case insensitive
    netbiosName:*c2it

operatingSystemoperatingSystem

Use quotes or backticks within values to help you find the operating system.

Examples

  • Show any findings with this OS name
    operatingSystem:Windows 2012
  • Show any findings that contain components of OS name
    operatingSystem:"Windows 2012"
  • Show any findings that match exact value "Windows 2012"
    operatingSystem:`Windows 2012`

openPorts.portopenPorts.port

Use an integer value to help you find assets with some open port.

Example

Show assets with open port 80

openPorts.port:80

riskScoreriskScore

Use an integer value (0-1000) to help you find assets based on a specific risk score.

Examples

  • Show assets with risk score 60
    riskScore:60
  • Show assets with risk score 25
    riskScore:25

tags.nametags.name

Use values within quotes or backticks to help you find the asset tag you are looking for.

Example

  • Show any findings that match exact value "Cloud Agent"
    tags.name:`Cloud Agent`

trackingMethodtrackingMethod

Select the tracking method for the assets (IP, DNSNAME, NETBIOS, INSTANCE_ID, and etc.)Select from names in the drop-down menu.

Examples

  • Show this asset tracked by IP
    trackingMethod: IP
  • Show asset tracked by NETBIOS
    trackingMethod:NETBIOS
  • Show assets tracked by EASM
    trackingMethod:EASM

vulnerabilities.riskFactor.cisaKEVDueDatevulnerabilities.riskFactor.cisaKEVDueDate

Use a specific date to get the list of known exploited vulnerabilities whose remediation due date is as per the CISA Catalog. The date format used is yyyy-mm-dd.

Example

List the QIDs whose CISA Due Date is 3rd May 2022

vulnerabilities.riskFactor.cisaKEVDueDate:2022-05-03

vulnerabilities.vulnerability.threatIntel.activeAttacksvulnerabilities.vulnerability.threatIntel.activeAttacks

Use the values true | false to define real-time threats due to active attacks.

Examples

  • Show assets with threats due to active attacks
    vulnerabilities.vulnerability.threatIntel.activeAttacks: true
  • Show assets that don't have threats due to active attack
    vulnerabilities.vulnerability.threatIntel.activeAttacks: false

vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulnsvulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns

Use the values true | false to define real-time threats due to CISA Exploits.

Examples

  • Show assets with threats due to CISA exploit
    vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: true
  • Show assets that don't have threats due to CISA exploit
    vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: false

vulnerabilities.vulnerability.threatIntel.denialOfServicevulnerabilities.vulnerability.threatIntel.denialOfService

Use the values true | false to define real-time threats due to denial of service.

Examples

  • Show assets with threats due to denial of service
    vulnerabilities.vulnerability.threatIntel.denialOfService: true
  • Show assets that don't have threats due to denial of service
    vulnerabilities.vulnerability.threatIntel.denialOfService: false

vulnerabilities.vulnerability.threatIntel.easyExploitvulnerabilities.vulnerability.threatIntel.easyExploit

Use the values true | false to define real-time threats due to easy exploit.

Examples

  • Show assets with threats due to easy exploit
    vulnerabilities.vulnerability.threatIntel.easyExploit: true
  • Show assets that don't have threats due to easy exploit
    vulnerabilities.vulnerability.threatIntel.easyExploit: false

vulnerabilities.vulnerability.threatIntel.exploitKitvulnerabilities.vulnerability.threatIntel.exploitKit

Use the values true | false to define real-time threats due to the exploit kit.

Examples

  • Show assets with threats due to exploit kit
    vulnerabilities.vulnerability.threatIntel.exploitKit: true
  • Show assets that don't have threats due to exploit kit
    vulnerabilities.vulnerability.threatIntel.exploitKit: false

vulnerabilities.vulnerability.threatIntel.exploitKitNamevulnerabilities.vulnerability.threatIntel.exploitKitName

Use quotes or backticks within values to help you find the exploit kit name. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler
  • Show any findings that match the exact value
    vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`

vulnerabilities.vulnerability.threatIntel.highDataLossvulnerabilities.vulnerability.threatIntel.highDataLoss

Use the values true | false to define real-time threats due to high data loss.

Examples

  • Show assets with threats due to high data loss
    vulnerabilities.vulnerability.threatIntel.highDataLoss: true
  • Show assets that don't have threats due to high data loss
    vulnerabilities.vulnerability.threatIntel.highDataLoss: false

vulnerabilities.vulnerability.threatIntel.highLateralMovementvulnerabilities.vulnerability.threatIntel.highLateralMovement

Use the values true | false to define real-time threats due to high lateral movement.

Examples

  • Show assets with threats due to high lateral movement
    vulnerabilities.vulnerability.threatIntel.highLateralMovement: true
  • Show assets that don't have threats due to high lateral movement
    vulnerabilities.vulnerability.threatIntel.highLateralMovement: false

vulnerabilities.vulnerability.threatIntel.malwarevulnerabilities.vulnerability.threatIntel.malware

Use the values true | false to define real-time threats due to malware.

Examples

  • Show assets with threats due to malware
    vulnerabilities.vulnerability.threatIntel.malware: true
  • Show assets that don't have threats due to malware
    vulnerabilities.vulnerability.threatIntel.malware: false

vulnerabilities.vulnerability.threatIntel.malwareNamevulnerabilities.vulnerability.threatIntel.malwareName

Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
  • Show any findings that match exact value
    vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`

vulnerabilities.vulnerability.threatIntel.noPatchvulnerabilities.vulnerability.threatIntel.noPatch

Use the values true | false to define real-time threats due to no patch available.

Examples

  • Show assets with threats due to no patch available
    vulnerabilities.vulnerability.threatIntel.noPatch: true
  • Show assets that don't have threats due to no patch available
    vulnerabilities.vulnerability.threatIntel.noPatch: false

vulnerabilities.vulnerability.threatIntel.publicExploitvulnerabilities.vulnerability.threatIntel.publicExploit

Use the values true | false to define real-time threats due to public exploit.

Examples

  • Show assets with threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploit: true
  • Show assets that don't have threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploit: false

vulnerabilities.vulnerability.threatIntel.publicExploitNamevulnerabilities.vulnerability.threatIntel.publicExploitName

Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
  • Show assets that don't have threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
  • Show assets that don't have threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`

vulnerabilities.vulnerability.threatIntel.zeroDayvulnerabilities.vulnerability.threatIntel.zeroDay

Use the values true | false to define real-time threats due to zero day exploit.

Examples

  • Show assets with threats due to zero day exploit
    vulnerabilities.vulnerability.threatIntel.zeroDay: true
  • Show assets that don't have threats due to zero day exploit
    vulnerabilities.vulnerability.threatIntel.zeroDay: false

vulnerabilities.vulnerability.threatIntel.wormablevulnerabilities.vulnerability.threatIntel.wormable

Use the values true | false to define real-time wormable threats.

Example

  • Show assets with wormable threats
    vulnerabilities.vulnerability.threatIntel.wormable: "true"

vulnerabilities.vulnerability.threatIntel.predictedHighRiskvulnerabilities.vulnerability.threatIntel.predictedHighRisk

Use the values true | false to define real-time threats due to predicted high risk.

Example

  • Show assets with predicted high risk threat
    vulnerabilities.vulnerability.threatIntel.predictedHighRisk: "true"

vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitationvulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation

Use the values true | false to define real-time threats due to unauthenticated exploitation risk.

Example

  • Show assets with unauthenticated exploitation threat
    vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation: "true"

vulnerabilities.vulnerability.threatIntel.remoteCodeExecutionvulnerabilities.vulnerability.threatIntel.remoteCodeExecution

Use the values true | false to define real-time threats due to remote code execution risk.

Example

  • Show assets with remote code execution threat
    vulnerabilities.vulnerability.threatIntel.remoteCodeExecution: "true"

vulnerabilities.vulnerability.threatIntel.ransomwarevulnerabilities.vulnerability.threatIntel.ransomware

Use the values true | false to define real-time threats due to ransomeware vulnerability.

Example

  • Show assets with ransomeware threat
    vulnerabilities.vulnerability.threatIntel.ransomware: "true"

vulnerabilities.vulnerability.threatIntel.privilegeEscalationvulnerabilities.vulnerability.threatIntel.privilegeEscalation

Use the values true | false to define real-time threats due to privilege escalation risk.

Example

  • Show assets with privilege escalation threat
    vulnerabilities.vulnerability.threatIntel.privilegeEscalation: "true"

vulnerabilities.vulnerability.threatIntel.solorigateSunburstvulnerabilities.vulnerability.threatIntel.solorigateSunburst

Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.

Example

  • Show assets with Solorigate/Sunburst threat
    vulnerabilities.vulnerability.threatIntel.solorigateSunburst: "true"

vulnerabilities.detectionScorevulnerabilities.detectionScore

Use an integer value (0-100) to help you find vulnerabilities based on specific detection score.

Examples

  • Show vulnerabilities with detection score 80
    vulnerabilities.detectionScore:80
  • Show vulnerabilities with detection score 25
    vulnerabilities.detectionScore:25

vulnerabilities.disabledvulnerabilities.disabled

Use the values true | false to define vulnerabilities are disabled or enabled.

Example

  • Show findings with vulnerabilities disabled
    vulnerabilities.disabled:TRUE

vulnerabilities.firstFoundvulnerabilities.firstFound

Use the date range or specific date to define when findings were first found.

Examples

  • Show findings first found within certain date
    vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30]
  • Show findings first found starting 2015-10-01, ending 1 month ag
    vulnerabilities.firstFound:[2015-10-01 ... now-1M]
  • Show findings first found starting 2 weeks ago, ending 1 second ago
    vulnerabilities.firstFound:[now-2w ... now-1s]
  • Show findings first found on certain dat
    vulnerabilities.firstFound:'2016-11-11'

vulnerabilities.ignoredvulnerabilities.ignored

Use an integer value to help you find vulnerabilities that have been marked as ignored.

Example

  • Show vulnerabilities that are marked as ignore
    vulnerabilities.ignored:TRUE

vulnerabilities.instancevulnerabilities.instance

Use a text value to help you find vulnerabilities found on a certain instance.

Example

  • Show vulnerabilities found in this instance
    vulnerabilities.instance:oracle

vulnerabilities.lastFoundvulnerabilities.lastFound

Use a date range or specific date to define when findings were last found.

Examples

  • Show findings last found within certain dates
    vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15]
  • Show findings last found starting 2016-01-01, ending 1 month ago
    vulnerabilities.lastFound:[2016-01-01 ... now-1M]
  • Show findings last found starting 2 weeks ago, ending 1 second ago
    vulnerabilities.lastFound:[now-2w ... now-1s]
  • Show findings last found on certain date
    vulnerabilities.lastFound:'2016-01-11'
  • Show findings last found within certain number of days
    vulnerabilities.lastFound: [91..180]
  • Show findings last found on 2017-01-12 with patch available
    vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
    vulnerabilities: (lastFound: AND vulnerability.patchAvailable:TRUE)

vulnerabilities.nonExploitableServicevulnerabilities.nonExploitableService

Use the values true | false to define vulnerabilities that exist on non-exploitable services.

Example

  • Show findings on non-exploitable services
    vulnerabilities.nonExploitableService:TRUE

vulnerabilities.nonRunningKernelvulnerabilities.nonRunningKernel

Use the values true | false to view vulnerabilities found on the non-running kernel.

Examples

  • Show detections found on non-running Kernel
    vulnerabilities.nonRunningKernel:TRUE
  • Show detections found on running Kernel
    vulnerabilities.nonRunningKernel:FALSE

vulnerabilities.portvulnerabilities.port

Use an integer value to help you find vulnerabilities found on a certain port.

Example

  • Show vulnerabilities found on this port
    vulnerabilities.port:443

vulnerabilities.protocolvulnerabilities.protocol

Use a text value (UDP or TCP) to define the port protocol.

Example

  • Show vulnerabilities found on TCP protoco
    vulnerabilities.protocol:TCP

vulnerabilities.severityvulnerabilities.severity

Use an integer value to view the severity level set by you to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu. If you do not set the severity level, its level will be the same as the level set by Qualys.

Example

vulnerabilities.statusvulnerabilities.status

Select a status (for example, Active, Fixed, New, or Reopened) to find vulnerabilities with certain statuses. Select from names in the drop-down menu.

If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.

Example

  • Show vulnerabilities with Fixed status
    vulnerabilities.status:FIXED

vulnerabilities.typeDetectedvulnerabilities.typeDetected

Select a detection type (for example, Confirmed, Potential, or Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.

Example

  • Show findings with this type
    vulnerabilities.typeDetected:Confirmed

vulnerabilities.vulnerability.criticalityvulnerabilities.vulnerability.criticality

Select a criticality (for example, "CRITICAL", "HIGH", "MEDIUM", "LOW", or "NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu. If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takes priority.

The following list of criticality defines the CVSS Score from 0.0 to 10.0:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

Example

  • Show vulnerabilities with HIGH criticality
    vulnerabilities.vulnerability.criticality: "HIGH"

vulnerabilities.vulnerability.cveIdsvulnerabilities.vulnerability.cveIds

Use a text value to find the CVE name.

The CVE in the query is case-sensitive and must be used in capital case.

Example

  • Show findings with CVE name CVE-2015-0313
    vulnerabilities.vulnerability.cveIds:CVE-2015-0313

 

vulnerabilities.vulnerability.descriptionvulnerabilities.vulnerability.description

Use quotes or backticks within values to help you find the vulnerability description.

Examples

  • Show any findings related to description
    vulnerabilities.vulnerability.description:remote code execution
  • Show any findings that contain "remote" or "code" in description
    vulnerabilities.vulnerability.description:"remote code execution"
  • Show any findings that match exact value "remote code execution
    vulnerabilities.vulnerability.description:`remote code execution`

vulnerabilities.vulnerability.osvulnerabilities.vulnerability.os

Use quotes or backticks within values to help you find the operating system that was detected with vulnerabilities.

Examples

  • Show any findings related to this OS value
    vulnerabilities.vulnerability.os:windows
  • Show any findings that contain parts of OS value
    vulnerabilities.vulnerability.os:"windows"
  • Show any findings that match exact value "windows"
    vulnerabilities.vulnerability.os:`windows`

vulnerabilities.vulnerability.patchAvailablevulnerabilities.vulnerability.patchAvailable

Use the values true | false to define vulnerabilities with patches available.

Examples

  • Show findings with patch available
    vulnerabilities.vulnerability.patchAvailable:TRUE
  • Show findings with no patch available
    vulnerabilities.vulnerability.patchAvailable:FALSE

vulnerabilities.vulnerabilty.qidvulnerabilities.vulnerabilty.qid

Use an integer value to define the QID.

Example

  • Show findings with QID 90405
    vulnerabilities.vulnerability.qid: 90405

vulnerabilities.vulnerability.qualysPatchablevulnerabilities.vulnerability.qualysPatchable

Use the values true | false to define that can be patched at Qualys.

Examples

  • Show vulnerabilities with patches available at Qualys
    vulnerabilities.vulnerability.qualysPatchable:"TRUE"
  • Show vulnerabilities with patches not available at Qualys
    vulnerabilities.vulnerability.qualysPatchable:"FALSE"

vulnerabilities.vulnerability.rebootRequiredvulnerabilities.vulnerability.rebootRequired

Use the values true | false to find vulnerabilities that need a reboot.

Example

  • Show vulnerabilities that need reboot
    vulnerabilities.vulnerability.rebootRequired: TRUE

vulnerabilities.vulnerability.titlevulnerabilities.vulnerability.title

Use quotes or backticks within values to help you find the title.

Examples

  • Show any findings related to this title
    vulnerabilities.vulnerability.title:Remote Code Execution
  • Show any findings that contain "Remote" or "Code" in title
    vulnerabilities.vulnerability.title:"Remote Code"
  • Show any findings that match exact value "Remote Code"
    vulnerabilities.vulnerability.title:`Remote Code`

vulnerabilities.vulnerability.vendors.productNamevulnerabilities.vulnerability.vendors.productName

Use a text value to find the vendor product name.

Example

Show findings with this vendor product name

vulnerabilities.vulnerability.vendors.productName:Windows

vulnerabilities.vulnerability.vendors.vendorNamevulnerabilities.vulnerability.vendors.vendorName

Use a text value to find the vendor name.

Example

Show findings with this vendor name

vulnerabilities.vulnerability.vendors.vendorName:Adobe

vulnerabilities.detectionSource.namevulnerabilities.detectionSource.name

Use quotes or backticks within values to help you find the source that detected the vulnerability. Understanding the origin of vulnerability data is essential for grasping the detection's context, reliability, and scope.

Examples

Show findings with Qualys as the detection source

vulnerabilities.detectionSource.name: AZURE

Show findings that contain parts of the detection source

vulnerabilities.detectionSource.name: CAR Agent

Show findings that match the exact value Qualys

vulnerabilities.detectionSource.name: Cloud Agent

vulnerabilities.riskFactor.cisaKnownExploitsvulnerabilities.riskFactor.cisaKnownExploits

Use this token to get the list of QIDs impacted due to CISA Known Exploits. The token uses true or false as the input value.

Example

List the QIDs that are impacted due to CISA Known Exploit

vulnerabilities.riskFactor.cisaKnownExploits: TRUE

vulnerabilities.riskFactor.exploitCodeMaturityvulnerabilities.riskFactor.exploitCodeMaturity

Use this token to get the list of QIDs that can be exploited based on the existing state of exploit techniques and code availability.

From the drop-down, select the name of an exploit technique: 

poc, weaponized

Example

List the QIDs exploited by Weaponized exploit code maturity technique

vulnerabilities.riskFactor.exploitCodeMaturity: "weaponized"

vulnerabilities.riskFactor.rtivulnerabilities.riskFactor.rti

Use this token to get the list of QIDs with Real-Time Threat Indicators (RTI) related vulnerabilities.

Example

List the QIDs that are assoicated with the Denial of Service Real-Time Threat Indicator

vulnerabilities.riskFactor.rti:"Denial of Service"

vulnerabilities.vulnerability.cveIdsvulnerabilities.vulnerability.cveIds

Use a text value to find the CVE name.

Example

Show findings with CVE name CVE-2015-0313

vulnerabilities.vulnerability.cveIds:CVE-2015-0313

Note: The CVE in the query is case sensitive and must be used in capital case.

vulnerabilities.vulnerability.cvss2Info.baseScorevulnerabilities.vulnerability.cvss2Info.baseScore

Use an integer value to help you find the CVSS2 base score.

Example

Show assets with this score

vulnerabilities.vulnerability.cvss2Info.baseScore:7.8

vulnerabilities.vulnerability.mitre.attack.tactic.idvulnerabilities.vulnerability.mitre.attack.tactic.id

Use the text value within quotes or backticks for the tactics id that represents the why of the ATTACK technique or sub-technique. 

Example

Show findings with the Tactic ID TA0007

vulnerabilities.vulnerability.mitre.attack.tactic.id:`TA0007`

vulnerabilities.vulnerability.mitre.attack.technique.idvulnerabilities.vulnerability.mitre.attack.technique.id

Use the text value within quotes or backticks for the technique id that represents how a tactical goal can be achieved. 

Example

Show findings with the Technique ID T1562.010

vulnerabilities.vulnerability.mitre.attack.tactic.id:"T1562.010"

vulnerabilities.vulnerability.pcivulnerabilities.vulnerability.pci

Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).

Examples

Show PCI vulnerabilities

vulnerabilities.vulnerability.pci:TRUE

Do not show PCI vulnerabilities

vulnerabilities.vulnerability.pci:FALSE

vulnerabilities.vulnerability.qidvulnerabilities.vulnerability.qid

Use an integer value to define the QID in question.

Example

Show findings with QID 90405

vulnerabilities.vulnerability.qid:90405

vulnerabilities.vulnerability.ransomware.namevulnerabilities.vulnerability.ransomware.name

Use quotes or backticks within values to help you find the ransomware name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show findings with this name

vulnerabilities.vulnerability.ransomware.name:Locky

Show findings that match exact value

vulnerabilities.vulnerability.ransomware.name:Locky

vulnerabilities.vulnerability.severityvulnerabilities.vulnerability.severity

Use an integer value to view the severity level set by Qualys to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu.

Example

Show findings with severity set by Qualys as 5

vulnerabilities.vulnerability.severity:5

For information about customer and Qualys severity, see Customer and Kb Severity Level.

activatedForModulesactivatedForModules

Select the name of an activated module. Select from names in the drop-down menu.

Examples

Show assets activated for VM

activatedForModules:VM

Show assets activated for VM and FIM

activatedForModules:VM AND activatedForModules:FIM

openPorts.firstFoundopenPorts.firstFound

Use a date range or specific date to define when open ports were first found.

Examples

Show findings with open ports first found within certain dates

openPorts.firstFound:[2017-06-15 ... 2017-06-30]

Show findings with open ports first found starting 2017-06-22, ending 1 month ago

openPorts.firstFound:[2017-06-22 ... now-1M]

Show findings with open ports first found starting 2 weeks ago, ending 1 second ago

openPorts.firstFound:[now-2w ... now-1s]

Show findings with open ports first found on specific date

openPorts.firstFound:'2017-06-14'

openPorts.lastUpdatedopenPorts.lastUpdated

Use a date range or specific date to define when open ports were last updated.

Examples

Show findings with open ports last updated within certain dates

openPorts.lastUpdated:[2017-06-15 ... 2017-06-30]

Show findings with open ports last updated starting 2017-06-22, ending 1 month ago

openPorts.lastUpdated:[2017-06-22 ... now-1M]

Show findings with open ports last updated starting 2 weeks ago, ending 1 second ago

openPorts.lastUpdated:[now-2w ... now-1s]

Show findings with open ports last updated on specific date

openPorts.lastUpdated:'2018-01-14'

openPorts.protocolopenPorts.protocol

Use a text value (UDP or TCP) to define the port protocol.

Examples

Show findings found on TCP

openPorts.protocol:TCP

Show findings found on on port 80 and TCP

openPorts:(port:80 AND protocol:TCP)

notnot

Use a boolean query to express your query using NOT logic.

Example

Show assets that do not have Windows operating system
not operatingSystem: Windows

andand

Use a boolean query to express your query using AND logic.

Example

Find assets with certain tag and software installed
tags.name:`Cloud Agent` and software: (name:`Cisco AnyConnect Secure Mobility Client` and version:`3.1.12345`)

oror

Use a boolean query to express your query using OR logic.

Example

Show findings with one of these tag values
tags.name:Cloud Agent or tags.name:Windows

RTIs

Use these tokens for searching Real-Time Threat Indicator (RTI) related vulnerabilities.

vulnerabilities.vulnerability.threatIntel.activeAttacksvulnerabilities.vulnerability.threatIntel.activeAttacks

Use the values true | false to define real-time threats due to active attacks.

Examples

Show assets with threats due to active attacks

vulnerabilities.vulnerability.threatIntel.activeAttacks: true

Show assets that don't have threats due to active attacks

vulnerabilities.vulnerability.threatIntel.activeAttacks: false

vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulnsvulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns

Use the values true | false to define real-time threats due to CISA Exploits.

Examples

Show assets with threats due to CISA exploit

vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: true

Show assets that don't have threats due to CISA exploit

vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: false

vulnerabilities.vulnerability.threatIntel.denialOfServicevulnerabilities.vulnerability.threatIntel.denialOfService

Use the values true | false to define real-time threats due to denial of service.

Examples

Show assets with threats due to denial of service

vulnerabilities.vulnerability.threatIntel.denialOfService: true

Show assets that don't have threats due to denial of service

vulnerabilities.vulnerability.threatIntel.denialOfService: false

vulnerabilities.vulnerability.threatIntel.easyExploitvulnerabilities.vulnerability.threatIntel.easyExploit

Use the values true | false to define real-time threats due to easy exploit.

Examples

Show assets with threats due to easy exploit

vulnerabilities.vulnerability.threatIntel.easyExploit: true

Show assets that don't have threats due to easy exploit

vulnerabilities.vulnerability.threatIntel.easyExploit: false

vulnerabilities.vulnerability.threatIntel.exploitKitvulnerabilities.vulnerability.threatIntel.exploitKit

Use the values true | false to define real-time threats due to exploit kit.

Examples

Show assets with threats due to exploit kit

vulnerabilities.vulnerability.threatIntel.exploitKit: true

Show assets that don't have threats due to exploit kit

vulnerabilities.vulnerability.threatIntel.exploitKit: false

vulnerabilities.vulnerability.threatIntel.exploitKitNamevulnerabilities.vulnerability.threatIntel.exploitKitName

Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler

Show any findings that match exact value

vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`

vulnerabilities.vulnerability.threatIntel.highDataLossvulnerabilities.vulnerability.threatIntel.highDataLoss

Use the values true | false to define real-time threats due to high data loss.

Examples

Show assets with threats due to high data loss

vulnerabilities.vulnerability.threatIntel.highDataLoss: true

Show assets that don't have threats due to high data loss

vulnerabilities.vulnerability.threatIntel.highDataLoss: false

vulnerabilities.vulnerability.threatIntel.highLateralMovementvulnerabilities.vulnerability.threatIntel.highLateralMovement

Use the values true | false to define real-time threats due to high lateral movement.

Examples

Show assets with threats due to high lateral movement

vulnerabilities.vulnerability.threatIntel.highLateralMovement: true

Show assets that don't have threats due to high lateral movement

vulnerabilities.vulnerability.threatIntel.highLateralMovement: false

vulnerabilities.vulnerability.threatIntel.malwarevulnerabilities.vulnerability.threatIntel.malware

Use the values true | false to define real-time threats due to malware.

Examples

Show assets with threats due to malware

vulnerabilities.vulnerability.threatIntel.malware: true

Show assets that don't have threats due to malware

vulnerabilities.vulnerability.threatIntel.malware: false

vulnerabilities.vulnerability.threatIntel.malwareNamevulnerabilities.vulnerability.threatIntel.malwareName

Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ

Show any findings that match exact value

vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`

vulnerabilities.vulnerability.threatIntel.noPatchvulnerabilities.vulnerability.threatIntel.noPatch

Use the values true | false to define real-time threats due to no patch available.

Examples

Show assets with threats due to no patch available

vulnerabilities.vulnerability.threatIntel.noPatch: true

Show assets that don't have threats due to no patch available

vulnerabilities.vulnerability.threatIntel.noPatch: false

vulnerabilities.vulnerability.threatIntel.publicExploitvulnerabilities.vulnerability.threatIntel.publicExploit

Use the values true | false to define real-time threats due to public exploit.

Example

Show assets with threats due to public exploit

vulnerabilities.vulnerability.threatIntel.publicExploit: true

Show assets that don't have threats due to public exploit

vulnerabilities.vulnerability.threatIntel.publicExploit: false

vulnerabilities.vulnerability.threatIntel.publicExploitNamevulnerabilities.vulnerability.threatIntel.publicExploitName

Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass

Show any findings that contain parts of name

vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"

Show any findings that match exact value

vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`

vulnerabilities.vulnerability.threatIntel.zeroDayvulnerabilities.vulnerability.threatIntel.zeroDay

Use the values true | false to define real-time threats due to zero day exploit.

Examples

Show assets with threats due to zero day exploit

vulnerabilities.vulnerability.threatIntel.zeroDay: true

Show assets that don't have threats due to zero day exploit

vulnerabilities.vulnerability.threatIntel.zeroDay: false

vulnerabilities.vulnerability.threatIntel.wormablevulnerabilities.vulnerability.threatIntel.wormable

Use the values true | false to define real-time wormable threats.

Examples

Show assets with wormable threats

vulnerabilities.vulnerability.threatIntel.wormable: "true"

vulnerabilities.vulnerability.threatIntel.predictedHighRiskvulnerabilities.vulnerability.threatIntel.predictedHighRisk

Use the values true | false to define real-time threats due to predicted high risk.

Examples

Show assets with predicted high risk threat

vulnerabilities.vulnerability.threatIntel.predictedHighRisk: "true"

vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitationvulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation

Use the values true | false to define real-time threats due to unauthenticated exploitation risk.

Examples

Show assets with unauthenticated exploitation threat

vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation: "true"

vulnerabilities.vulnerability.threatIntel.remoteCodeExecutionvulnerabilities.vulnerability.threatIntel.remoteCodeExecution

Use the values true | false to define real-time threats due to remote code execution risk.

Examples

Show assets with  remote code execution threat

vulnerabilities.vulnerability.threatIntel.remoteCodeExecution: "true"

vulnerabilities.vulnerability.threatIntel.ransomwarevulnerabilities.vulnerability.threatIntel.ransomware

Use the values true | false to define real-time threats due to ransomeware vulnerability.

Examples

Show assets with ransomeware threat

vulnerabilities.vulnerability.threatIntel.ransomware: "true"

vulnerabilities.vulnerability.threatIntel.privilegeEscalationvulnerabilities.vulnerability.threatIntel.privilegeEscalation

Use the values true | false to define real-time threats due to privilege escalation risk.

Examples

Show assets with privilege escalation threat

vulnerabilities.vulnerability.threatIntel.privilegeEscalation: "true"

vulnerabilities.vulnerability.threatIntel.solorigateSunburstvulnerabilities.vulnerability.threatIntel.solorigateSunburst

Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.

Examples

Show assets with Solorigate/Sunburst threat

vulnerabilities.vulnerability.threatIntel.solorigateSunburst: "true"

Threat Feed

Use the and/or tokens combined with these tokens for searching a threat feed.

categoriescategories

Use a text value to find threat feed based on categories.

Examples

Find categories that match any CVE.

categories: CVE:2020-8591

contentscontents

Use a text value to find threat feed based on contents.

Examples

Find content that match a product.

contents: Google

publishDatepublishDate

Use a date to find threat feed based publish date.

Examples

Find threat feeds that match a publish date.

publishDate: [2020-10-21 ... 2021-01-15]

Alibaba

Use these tokens when searching Alibaba assets on the Assets list.

alibaba.instance.accountIdalibaba.instance.accountId

Use a text value to define the instance id of the Alibaba cloud account.

Example

Find Alibaba instances with following account ID

alibaba.instance.accountId: 1609xxxx

alibaba.instance.dnsServeralibaba.instance.dnsServer

Use an integer value to define the Domain Name System (DNS) configurations of the instance.

Example

Find Alibaba instances of the following DNS

alibaba.instance.dnsServer: 100.xxx.x.xxx

alibaba.instance.hasAgentalibaba.instance.hasAgent

Use the boolean value, true | false to define whether the Alibaba instance has a cloud agent installed on it.

Example

Find Alibaba instances with agents

alibaba.instance.hasAgent: `true`

alibaba.instance.hostNamealibaba.instance.hostName

Use a text value to find Alibaba hostname.

Example

Find instances related to name

alibaba.instance.hostName: abc.qualys.com

alibaba.instance.imageIdalibaba.instance.imageId

Use a text value to find id of the image used during the instance creation process.

Example

Find instances related to image id

alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd

alibaba.instance.instanceIdalibaba.instance.instanceId

Use a text value to define the Alibaba instance id.

Example

Find Alibaba instances with this instance ID

alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax

alibaba.instance.instanceTypealibaba.instance.instanceType

Use a text value to define the instance type.

Example

Find Alibaba instances with this instance type

alibaba.instance.instanceType: ecs.g6e.large

alibaba.instance.interfaceIdalibaba.instance.interfaceId

Use a text value to define the identifier of the NIC.

Example

Find Alibaba instances of the following interface id

alibaba.instance.interfaceId: eni-a2dxxxxaixxxtux572

alibaba.instance.instanceStatealibaba.instance.instanceState

Use a text value to define the state of the Alibaba instance. The state of the instance can be, Running, Terminated, and Stopped.

Example

Find Alibaba instances for the following state

alibaba.instance.instanceState: Running

alibaba.instance.macAddressalibaba.instance.macAddress

Use a text value to define the MAC address.

Example

Find Alibaba instances with this MAC address

alibaba.instance.macAddress: 00:16:3e:0f:XX:XX

alibaba.instance.networkTypealibaba.instance.networkType

Select the network type to find cloud instances. The network type can be vpc or classic.

Example

Find Alibaba instances with this network type

alibaba.instance.networkType: vpc

alibaba.instance.privateIpAddressalibaba.instance.privateIpAddress

Use an integer value to define a private IPv4address or range of IPs .

Example

Find Alibaba instances with the following private IP address

alibaba.instance.privateIpAddress: 192.168.XX.XX

alibaba.instance.publicIpAddressalibaba.instance.publicIpAddress

Use an integer value to define a public IPv4address or range of IPs .

Example

Find Alibaba instances with the following private IP address

alibaba.instance.publicIpAddress: 149.xx.xx.xx

alibaba.instance.region.codealibaba.instance.region.code

Select the region code to find the alibaba cloud instances that belong to the region with specific code.

Example

Find Alibaba instances for the following region code

alibaba.instance.region.code: cn-chengdu

alibaba.instance.region.namealibaba.instance.region.name

Use a text value to define the region name.

Example

Find Alibaba instances for the following region

alibaba.instance.region.name: US (Silicon Valley)

alibaba.instance.serialNumberalibaba.instance.serialNumber

Use a text value to define the serial number of the instance.

Example

Find Alibaba instances of the following serial number

alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45

alibaba.instance.vpcCidrBlockalibaba.instance.vpcCidrBlock

Use an integer value to define the CIDR block.

Example

Find Alibaba instances of the following CIDR block

alibaba.instance.vpcCidrBlock: 172.xx.x.x/16

alibaba.instance.vpcIdalibaba.instance.vpcId

Use a text value to search all the assets with the specified VPC ID.

Example

Show all assets with this VPC ID

alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj

alibaba.instance.vswitchIdalibaba.instance.vswitchId

Use a text value to define the switch ID to which the Alibaba instance is connected.

Example

Find Alibaba instances of the following switch ID

alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd

alibaba.instance.vswitchCidrBlockalibaba.instance.vswitchCidrBlock

Use an integer value to define the CIDR block of the switch to which the Alibaba instance is connected.

Example

Find Alibaba instances of the following CIDR block of the switch

alibaba.instance.vswitchCidrBlock: 192.168.XX.XX/24

alibaba.instance.zoneIdalibaba.instance.zoneId

Use a text value to define the zone id.

Example

Find Alibaba instances of the following zone id

alibaba.instance.zoneId: cn-chengdu-a

AWS EC2

Use these tokens when searching your AWS EC2 assets on the Assets list.

  • Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
  • The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.

aws.ec2.accountIdaws.ec2.accountId

Use a text value to find EC2 instances with a certain account ID.

Example

Find EC2 instances in that match this account ID

aws.ec2.accountId: 123456789012

Find EC2 instances with account ID starting "12345"

aws.ec2.accountId: 12345*

Find EC2 instances where account ID is null (remove the colon)

aws.ec2.accountId is null

aws.ec2.availabilityZoneaws.ec2.availabilityZone

Use a text value to find EC2 instances by the availability zone in which the instance launched.

Example

Find EC2 instances in the us-east-1a availability zone

aws.ec2.availabilityZone: us-east-1a

aws.ec2.hasAgentaws.ec2.hasAgent

Use the values true | false to define whether the EC2 asset has a cloud agent.

Examples

Show findings with a cloud agent

aws.ec2.hasAgent: true

Show findings without a cloud agent

aws.ec2.hasAgent: false

aws.ec2.hostnameaws.ec2.hostname

Use a text value to find the EC2 hostname.

Examples

Find instances related to name

aws.ec2.hostname: abc.qualys.com

Find instances that match exact value

aws.ec2.hostname: `abc.qualys.com`

aws.ec2.imageIdaws.ec2.imageId

Use a text value to find EC2 instances with a certain Image (AMI) ID.

Examples

Find instances related to the Image ID

aws.ec2.imageId: ami-2ea83347

Find instances that match exact value

aws.ec2.imageId: `ami-2ea83347`

aws.ec2.instanceIdaws.ec2.instanceId

Use a text value to find EC2 instances by the instance ID.

Example

Find EC2 instances with this ID

aws.ec2.instanceId: i-1234567890abcdef0

aws.ec2.instanceStateaws.ec2.instanceState

Select the name of the instance state (e.g. PENDING, RUNNING, TERMINATED, STOPPED, etc) you're interested in. Select from names in the drop-down menu.

Example

Find running EC2 instances

aws.ec2.instanceState: RUNNING

aws.ec2.instanceTypeaws.ec2.instanceType

Select the type of instance you're interested in. Select from names in the drop-down menu.

Example

Find EC2 instances with instance type t2.micro

aws.ec2.instanceType: t2.micro

aws.ec2.isQualysScanneraws.ec2.isQualysScanner

Use the values true | false to define whether the EC2 asset is a Qualys scanner.

Examples

Show findings where assets are scanners

aws.ec2.isQualysScanner: true

Show findings where assets are not scanners

aws.ec2.isQualysScanner: false

aws.ec2.kernelIdaws.ec2.kernelId

Use a text value to find EC2 instances by kernel ID (AKI).

Example

Find EC2 instances with this kernel ID

aws.ec2.kernelId: aki-70ab0c10

aws.ec2.launchDateaws.ec2.launchDate

Use a date range or specific date to define when the EC2 instance launched. Enter dates in yyyy-mm-dd format.

Examples

Find EC2 instances launched within certain dates

aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]

Find EC2 instances launched on specific date

aws.ec2.launchDate:'2017-08-15'

aws.ec2.privateDNSaws.ec2.privateDNS

Use a text value to define a private DNS address.

Example

Find the EC2 instance with this private DNS address

aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal

aws.ec2.privateIpAddressaws.ec2.privateIpAddress

Use a text value to define a private IPv4 address or range of IPs.

Examples

Find EC2 instances with this private IP address

aws.ec2.privateIpAddress: 10.90.0.119

Find EC2 instances within this IP range

aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]

aws.ec2.publicDNSaws.ec2.publicDNS

Use a text value to define a public DNS address.

Example

Find the EC2 instance with this public DNS address

aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com

aws.ec2.publicIpAddressaws.ec2.publicIpAddress

Use a text value to define a public IPv4 address or range of IPs.

Examples

Find EC2 instances with this public IP address

aws.ec2.publicIpAddress: 52.70.141.154

Find EC2 instances within this IP range

aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]

aws.ec2.region.codeaws.ec2.region.code

Select the code of the region from codes in the drop-down menu.

Example

Find EC2 instances in the us-east-1 region

aws.ec2.region.code: us-east-1

aws.ec2.region.nameaws.ec2.region.name

Select the name of the region from names in the drop-down menu.

Example

Find EC2 instances in the US East (N. Virginia) region

aws.ec2.region.name: US East (N. Virginia)

aws.ec2.spotInstanceaws.ec2.spotInstance

Use the values true | false to define whether your EC2 instance is a Spot instance.

Examples

Show EC2 Spot instances

aws.ec2.spotInstance: "true"

Show EC2 instances that are not Spot instances

aws.ec2.spotInstance: "false"

aws.ec2.subnetIdaws.ec2.subnetId

Use a text value to find EC2 instances by the ID of the subnet in which the interface resides.

Example

Find EC2 instances with this subnet ID

aws.ec2.subnetId: subnet-bc02c0d4

aws.ec2.vpcIdaws.ec2.vpcId

Use a text value to find EC2 instances by the ID of the VPC in which the interface resides.

Example

Find EC2 instances with this VPC ID

aws.ec2.vpcId: vpc-1e37cd76

aws.tagsaws.tags

Use a text value to find EC2 instances with a certain AWS tag key and value (both are case insensitive).

Example

Find EC2 instances with an AWS tag with key "abc" and value "xyz"

aws.tags: (key:abc and value:xyz)

aws.tags.keyaws.tags.key

Use a text value to find EC2 instances with a certain AWS tag key/name (case insensitive).

Examples

Find EC2 instances with key "devops"

aws.tags.key: devops

Find EC2 instances with key starting "dev"

aws.tags.key: dev*

Find EC2 instances with key ending "ops"

aws.tags.key: *ops

aws.tags.valueaws.tags.value

Use a text value to find EC2 instances with a certain AWS tag value (case insensitive).

Examples

Find EC2 instances with tag value "dailybuild"

aws.tags.value: dailybuild

Find EC2 instances with tag value starting "daily"

aws.tags.value: daily*

Find EC2 instances with tag value ending "build"

aws.tags.value: *build

Microsoft Azure

Use these tokens when searching Microsoft Azure assets on the Assets list.

azure.tagsazure.tags

Use a text value to find Azure instances with a certain tag name and value. Both are case insensitive.

Example

Find Azure instances with a tag with name "abc" and value "xyz"

azure.tags: (name:abc and value:xyz)

azure.tags.nameazure.tags.name

Use a text value to find Azure instances with a certain tag name (case insensitive).

Examples

Find Azure instances with name "devops"

azure.tags.name: devops

Find Azure instances with name starting "dev"

azure.tags.name: dev*

Find Azure instances with name ending "ops"

azure.tags.name: *ops

azure.tags.valueazure.tags.value

Use a text value to find Azure instances with a certain tag value (case insensitive).

Examples

Find Azure instances with tag value "dailybuild"

azure.tags.value: dailybuild

Find Azure instances with tag value starting "daily"

azure.tags.value: daily*

Find Azure instances with tag value ending "build"

azure.tags.value: *build

azure.vm.hasAgentazure.vm.hasAgent

Use the values true | false to define whether the Azure virtual machine you're looking for has a cloud agent installed on it.

Examples

Find Azure instances with agents

azure.vm.hasAgent `true`

azure.vm.imageOfferazure.vm.imageOffer

Use a text value to define the image offer name (i.e. UbuntuServer or WindowsServer) for images deployed from the Azure image gallery.

Examples

Find Azure instances related to name

azure.vm.imageOffer: UbuntuServer

Find Azure instances that match exact value

azure.vm.imageOffer: `UbuntuServer`

azure.vm.imagePublisherazure.vm.imagePublisher

Use a text value to define the name of the Azure virtual machine image publisher (i.e. Canonical or MicrosoftWindowsServer).

Examples

Find Azure instances related to name

azure.vm.imagePublisher: Canonical

Find Azure instances that match exact value

azure.vm.imagePublisher: `Canonical`

azure.vm.imageVersionazure.vm.imageVersion

Use a text value to define the version of the Azure virtual machine image sku you're interested in.

Example

Find Azure instances with this sku version

azure.vm.imageVersion: 16.04.201708030

azure.vm.locationazure.vm.location

Use a text value to define the region you're interested in.

Example

Find Azure instances in this location

azure.vm.location: westus

azure.vm.macAddressazure.vm.macAddress

Use a text value to define the MAC address you're interested in.

Example

Find Azure instances with this MAC address

azure.vm.macAddress: '000D3A36DDED'

azure.vm.nameazure.vm.name

Use a text value to find the Azure virtual machine name you're looking for.

Examples

Find Azure instances related to name

azure.vm.name: avset2

Find Azure instances that match exact value

azure.vm.name: `avset2`

azure.vm.platformazure.vm.platform

Use a text value to define the operating system platform (Linux or Windows) of the Azure virtual machine.

Example

Find Azure instances on Windows platform

azure.vm.platform: Windows

azure.vm.privateIpAddressazure.vm.privateIpAddress

Use a text value to define a private IPv4 address or range of IPs you're interested in.

Examples

Find Azure instances with this private IP

azure.vm.privateIpAddress: 10.1.2.5

Find Azure instances within this IP range

azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]

azure.vm.publicIpAddressazure.vm.publicIpAddress

Use a text value to define a public IPv4 address or range of IPs you're interested in.

Examples

Find Azure instances with this public IP

azure.vm.publicIpAddress: 13.126.125.189

Find Azure instances within this IP range

azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]

azure.vm.resourceGroupNameazure.vm.resourceGroupName

Use a text value to define the name of the resource group you're interested in.

Examples

Find Azure instances related to name

azure.vm.resourceGroupName: my-eastus-rg

Find Azure instances that match exact value

azure.vm.resourceGroupName: `my-eastus-rg`

azure.vm.sizeazure.vm.size

Use a text value to help you find Azure VM instances with a certain virtual machine size.

Example

Find Azure instances with this size

azure.vm.size: Standard_D1

azure.vm.stateazure.vm.state

Select the name of the instance state (e.g. DEALLOCATED, RUNNING, STOPPED, etc) you're interested in. Select from names in the drop-down menu.

Example

Find running Azure instances

azure.vm.state: RUNNING

azure.vm.subnetazure.vm.subnet

Use a text value to define the Azure virtual machine subnet you're interested in.

Example

Find Azure instances with this subnet

azure.vm.subnet: 10.1.2.0

azure.vm.subscriptionIdazure.vm.subscriptionId

Use a text value to define the subscription ID of the Azure virtual machine subscription.

Example

Find Azure instances with this subscription ID

azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409

azure.vm.virtualNetworkazure.vm.virtualNetwork

Use a text value to define the Azure virtual network you're looking for.

Example

Find Azure virtual network with this ID

azure.vm.virtualNetwork: mburton01-vnet

azure.vm.vmIdazure.vm.vmId

Use a text value to define the Azure virtual machine ID you're looking for.

Example

Find Azure instances with this ID

azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21

Google Cloud Platform

Use these tokens when searching Google Cloud Platform assets on the Assets list.

gcp.compute.hostnamegcp.compute.hostname

Use a text value to define the hostname you're looking for.

Examples

Find GCP instances related to name

gcp.compute.hostname: instance-5.c.qvsa-dev.internal

Find GCP instances that match exact value

gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`

gcp.compute.instanceIdgcp.compute.instanceId

Use a text value to define the Google Compute instance ID you're looking for.

Example

Find GCP instances with this ID

gcp.compute.instanceId: 4392196237934605253

gcp.compute.macAddressgcp.compute.macAddress

Use a text value to define the MAC address you're interested in.

Example

Find GCP instances with this MAC address

gcp.compute.macAddress: '000D3A36DDED'

gcp.compute.machineTypegcp.compute.machineType

Use a text value to define the machine type of the virtual machine instance you're interested in.

Examples

Find GCP instances related to name

gcp.compute.machineType: n1-standard-1

Find GCP instances that match exact value

gcp.compute.machineType: `n1-standard-1`

gcp.compute.networkgcp.compute.network

Use a text value to find GCP instances by the VPC network the instance belongs to.

Example

Find GCP instances with this network

gcp.compute.network: 000D3A36DDED

gcp.compute.privateIpAddressgcp.compute.privateIpAddress

Use a text value to define a private IPv4 address or range of IPs you're interested in.

Examples

Find GCP instances with this private IP

gcp.compute.privateIpAddress: 10.240.0.7

Find GCP instances with this private IP range

gcp.compute.privateIpAddress: [10.240.0.7 ... 10.240.0.30]

gcp.compute.projectIdgcp.compute.projectId

Use a text value to define the project ID assigned to the GCP Console project the instance belongs to.

Examples

Find GCP instances related to ID

gcp.compute.projectId: qvsa-dev

Find GCP instances that match exact value

gcp.compute.projectId: `qvsa-dev`

gcp.compute.projectNumbergcp.compute.projectNumber

Use an integer value to define the project number assigned to the GCP Console project the instance belongs to.

Examples

Find GCP instances related to this number

gcp.compute.projectNumber: 1035365309337

Find GCP instances that match exact value

gcp.compute.projectNumber: `1035365309337`

gcp.compute.publicIpAddressgcp.compute.publicIpAddress

Use a text value to define a public IPv4 address or range of IPs you're interested in.

Examples

Find GCP instances with this public IP

gcp.compute.publicIpAddress: 104.196.57.216

Find GCP instances within this IP range

gcp.compute.publicIpAddress: [104.196.57.216 ... 104.196.57.218]

gcp.compute.zonegcp.compute.zone

Use a text value to define the zone of the GCP instance you're looking for

Examples

Find GCP instances related to name

gcp.compute.zone: us-east1-d

Find GCP instances that match exact value

gcp.compute.zone: `us-east1-d`

gcp.compute.stategcp.compute.state

Select the state of the GCP instance (e.g. DEALLOCATED, PENDING, RUNNING, SHUTTING DOWN, STOPPED, STOPPING, TERMINATED, etc) you're interested in. Select the state from the drop-down menu.

Examples

Find running GCP instances

gcp.compute.state: RUNNING

IBM

Use these token when searching IBM assets on the Assets list.

ibm.tags.nameibm.tags.name

Use a text value to find IBM instances with a certain tag name.

Examples

Find running IBM instances with tag name

ibm.tags.name: Test1

ibm.tags.valueibm.tags.value

Use a text value to find IBM instances with a certain tag value.

Examples

Find running IBM instances with tag value

ibm.tags.value: centos7

ibm.virtualServer.idibm.virtualServer.id

Use a text value to find IBM virtual server with a certain account ID.

Examples

Find IBM virtual server with this ID

ibm.virtualServer.id: 123741814

ibm.virtualServer.locationibm.virtualServer.location

Use a text value to find IBM virtual server with a certain location.

Examples

Find IBM virtual server with this location

ibm.virtualServer.location: dall3

ibm.virtualServer.datacenterIdibm.virtualServer.datacenterId

Use a text value to find IBM virtual server datacenter with a certain id.

Examples

Find IBM virtual server datacenter with this Id

ibm.virtualServer.datacenterId: 1854895

ibm.virtualServer.deviceNameibm.virtualServer.deviceName

 Use a text value to find IBM virtual server with device name.

Examples

Find IBM virtual server with this device name

ibm.virtualServer.deviceName: virtualserver01.Qualys-Inc.cloud

ibm.virtualServer.publicIpAddressibm.virtualServer.publicIpAddress

 Use a numerical value to find IBM virtual server with specific public IP address.

Examples

Find IBM virtual server with this public IP address

ibm.virtualServer.publicIpAddress: 150.238.75.107

ibm.virtualServer.privateIpAddressibm.virtualServer.privateIpAddress

 Use a numerical value to find IBM virtual server with specific private IP address.

Examples

Find IBM virtual server with this private IP address

ibm.virtualServer.privateIpAddress: 10.187.94.40

ibm.virtualServer.publicVlanibm.virtualServer.publicVlan

 Use a numerical value to find IBM virtual server with specific public vlan.

Examples

Find IBM virtual server with this public vlan

ibm.virtualServer.publicVlan: 1796

ibm.virtualServer.privateVlanibm.virtualServer.privateVlan

 Use a numerical value to find IBM virtual server with specific private vlan.

Examples

Find IBM virtual server with this private vlan

ibm.virtualServer.privateVlan: 2236

ibm.virtualServer.domainibm.virtualServer.domain

 Use a text value to find IBM virtual server with specific domain.

Examples

Find IBM virtual server with this domain

ibm.virtualServer.domain: Qualys-Inc.cloud

Oracle Cloud Compute Instance

Use these token when searching Oracle Cloud Compute Instance (OCI) assets on the Assets list.

oci.compute.ociIdoci.compute.ociId

Use a text value to search all assets with the specified OCI ID.

Examples

Show assets with this OCI ID

oci.compute.ociId: ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq

oci.compute.compartmentIdoci.compute.compartmentId

Use a text value to search all assets with the specified OCI compartment ID.

Examples

Show assets with this OCI ID

oci.compute.compartmentId: ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq

oci.compute.compartmentNameoci.compute.compartmentName

Use a text value to search all assets with the specified OCI compartment name.

Examples

Show assets with this OCI compartment name

oci.compute.compartmentName: ocid1.compartment.abc

oci.compute.displayNameoci.compute.displayName

Use a text value to search all assets with the specified display name.

Examples

Show assets with display name oracle 8

oci.compute.displayName: oracle 8

oci.compute.shapeoci.compute.shape

Use a text value to search all assets with the specified shape.

Examples

Show all assets with the shape x5-2.36.512

oci.compute.shape: x5-2.36.512

oci.compute.regionoci.compute.region

Use a text value to search all assets in the specified region.

Examples

Show all assets with the region us-east-1

oci.compute.region: us-east-1

oci.compute.regionKeyoci.compute.regionKey

Use a text value to search all assets with the specified region key.

Examples

Show all assets with the region key SYD

oci.compute.regionKey: SYD

oci.compute.regionRealmoci.compute.regionRealm

Use a text value to search all groups with the specified region realm.

Examples

Show all assets with the region realm OC1

oci.compute.regionRealm: OC1

oci.compute.availabilityDomainoci.compute.availabilityDomain

Use a text value to search all assets with the specified available domain.

Examples

Show all assets with the available domain Lhkx:US-ASHBURN-AD-1

oci.compute.availabilityDomain: Lhkx:US-ASHBURN-AD-1

oci.compute.timeCreatedoci.compute.timeCreated

Use a text value to search all assets created at the specified time.

Examples

Show all assets with the created time 2021-02-09T07:24:31.000Z (Use 2021-02-09 while searching in UI)

oci.compute.timeCreated: 2021-02-09

oci.compute.imageIdoci.compute.imageId

Use a text value to search all assets with the specified image ID.

Examples

Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID

oci.compute.imageId: ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq

oci.compute.faultDomainoci.compute.faultDomain

Use a text value to search all assets with the specified fault domain.

Examples

Show all assets with fault domain FAULT-DOMAIN-1

oci.compute.faultDomain: FAULT-DOMAIN-1

oci.compute.hostNameoci.compute.hostName

Use a text value to search all assets with the specified host name.

Examples

Show all findings with the host name oracle-8

oci.compute.hostName: oracle-8

oci.compute.canonicalRegionNameoci.compute.canonicalRegionName

Use a text value to search all assets having the specified canonical region name.

Examples

Show all assets with the canonical region name us-ashburn-1

oci.compute.canonicalRegionName: us-ashburn-1

oci.compute.isQualysScanneroci.compute.isQualysScanner

Use the values true | false to list all assets that are Qualys Scanner. Choose True to list all assets that are Qualys Scanner and choose False to list all assets that are not Qualys Scanner.

Examples

Show all assets that are Qualys Scanner

oci.compute.isQualysScanner: true

oci.tagsoci.tags

Use a text value to search all assets with the specified tags.

Examples

Show all assets with the tag key CreatedBy and specific value

oci.tags: (key:CreatedBy and value:oktasso/abc@example.com)

oci.tags.keyoci.tags.key

Use a text value to search all assets with the specified tag key.

Examples

Show all assets with the tag key CreatedBy

oci.tags.key: CreatedBy

oci.tags.valueoci.tags.value

Use a text value to search all assets with the specified tag value.

Examples

Show all assets with the tag value 2021-02-09

oci.tags.value: 2021-02-09

oci.tags.namespaceoci.tags.namespace

Use a text value to search all assets with the specified namespace.

Examples

Show all assets with the namespace Oracle-Tags

oci.tags.namespace: Oracle-Tags

oci.vnic.vnicIdoci.vnic.vnicId

Use a text value to search all assets with the specified VNIC ID.

Examples

Show all assets with the VNIC ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q

oci.vnic.vnicId: ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q

oci.vnic.vcnIdoci.vnic.vcnId

Use a text value to search all assets with the specified VCN ID.

Examples

Show all assets with this VCN ID

oci.vnic.vcnId: ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q

oci.vnic.privateIpoci.vnic.privateIp

Use a text value to search all assets with the specified private IP.

Examples

Show all assets with this private IP

oci.vnic.privateIp: 10.0.0.222

oci.vnic.publicIpoci.vnic.publicIp

Use a text value to search all assets with the specified public IP.

Examples

Show all assets with this public IP

oci.vnic.publicIp: 10.0.0.222

oci.vnic.subnetIdoci.vnic.subnetId

Use a text value to find OCI instances by the ID of the subnet in which the interface resides.

Examples

Find OCI instances with this subnet ID

oci.vnic.subnetId: subnet-bc02c0d4

oci.vnic.subnetNameoci.vnic.subnetName

Use a text value to find OCI instances by the name of the subnet in which the interface resides.

Examples

Find OCI instances with this subnet name

oci.vnic.subnetName: subnet-abc

oci.vnic.vcnNameoci.vnic.vcnName

Use a text value to search all assets with the specified vcn name.

Examples

Show all assets with this vcn name

oci.vnic.vcnName: abc

oci.vnic.vlanTagoci.vnic.vlanTag

Use a text value to search all assets with the specified vlan tag.

Examples

Show all assets with the vlan tag 1

oci.vnic.vlanTag: 1

oci.vnic.macAddroci.vnic.macAddr

Use a text value to search all assets with the specified MAC address.

Examples

Show all assets with the MAC address 02:00:17:06:bd:b3

oci.vnic.macAddr: 02:00:17:06:bd:b3

oci.vnic.virtualRouterIpoci.vnic.virtualRouterIp

Use a text value to search all assets with the specified router IP.

Examples

Show all assets with the router IP 10.0.0.1

oci.vnic.virtualRouterIp: 10.0.0.1

oci.vnic.subnetCidrBlockoci.vnic.subnetCidrBlock

Use a text value to search all assets with the specified block.

Examples

Show all assets with the block 10.0.0.0/24

oci.vnic.subnetCidrBlock: 10.0.0.0/24

oci.vnic.nicIndexoci.vnic.nicIndex

Use a text value to search all assets with the specified index.

Examples

Show all assets with the index 1

oci.vnic.nicIndex: 1

oci.compute.stateoci.compute.state

Use a text value to search all assets with specific compute state.

Examples

Show all assets with the compute state Starting

oci.compute.state: STARTING

oci.compute.tenantIdoci.compute.tenantId

Use a text value to search all assets with specific tenant ID.

Examples

Show all assets with the specific tenant ID

oci.compute.tenantId: ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq

oci.compute.tenantNameoci.compute.tenantName

Use a text value to search all assets with specific tenant name.

Examples

Show all assets with the specific tenant name

oci.compute.tenantName: oraclecengg1

oci.tags.typeoci.tags.type

Use a text value to search all assets with specific tag type.

Examples

Show all assets with the specific tag type

oci.tags.type: DEFINED

oci.compute.hasAgentoci.compute.hasAgent

Use the values true | false to list all assets that have cloud agents. Choose True to list all assets having cloud agents and choose False to list all assets that do not have cloud agents.

Examples

Show all assets with having cloud agent installed

oci.compute.hasAgent: true

Passive Scanner only

Use these tokens when searching assets detected by passive scanning.

asset.fqdnasset.fqdn

Use a text value to define the asset FQDN name you're looking for.

Example

Show the asset with this FQDN

asset.fqdn:ACMENVT7.acme.com

hardware.typingConfidencehardware.typingConfidence

Use a text value to define the hardware typing confidence you're looking for, i.e. HIGH, MEDIUM, LOW.

Example

Show this hardware typing confidence

hardware.typingConfidence:HIGH

inventory.scannerIDinventory.scannerID

Use an integer value to help you find assets scanned by a certain scanner appliance ID.

Example

Show this scanner appliance ID

inventory.scannerID:345678892

inventory.scannerNameinventory.scannerName

Use a text value to help you find assets based on specific scanner appliance name.

Examples

Show assets with scanner name as ITCorp-appliance

inventory.scannerName:ITCorp-appliance

openPorts.lastFoundopenPorts.lastFound

Use a date range or specific date to define when open ports were last found.

Examples

Show open ports found within certain dates

openPorts.lastFound: [2019-01-01 ... 2019-01-15]

Show open ports found starting 2019-01-15, ending 3 months ago

openPorts.lastFound: [2019-01-15 ... now-3M]

Show open ports found starting 2 weeks ago, ending 1 second ago

openPorts.lastFound: [now-2w ... now-1s]

Show open ports found on a specific date

openPorts.lastFound:'2019-03-18'

openPort.lastUpdatedopenPort.lastUpdated

Use a date range or specific date to define when ports on assets were last updated (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the Enterprise TruRisk™  Platform by an agent).

Examples

Show ports updated within certain dates

openPort.lastUpdated: [2019-01-01 ... 2019-01-15]

Show ports updated starting 2019-01-15, ending 3 months ago

openPort.lastUpdated: [2019-01-15 ... now-3M]

Show ports updated starting 2 weeks ago, ending 1 second ago

openPort.lastUpdated: [now-2w ... now-1s]

Show ports updated on a specific date

openPort.lastUpdated:'2019-03-18'

operatingSystem.typingConfidenceoperatingSystem.typingConfidence

Use a text value to define the OS typing confidence you're interested in, i.e. HIGH, MEDIUM, LOW.

Example

Show this OS typing confidence

operatingSystem.typingConfidence:MEDIUM

traffic.timestamptraffic.timestamp

Use a date range or specific date to find assets as per traffic timestamp.

Examples

Show assets with traffic timestamp 2019-03-18

traffic.timestamp:'2019-03-18'

Show assets with traffic timestamp within certain dates

traffic.timestamp:[2019-01-01 ... 2019-01-15]

Show assets with traffic timestamp starting 2019-01-15, ending 1 month ago

traffic.timestamp:[2019-01-15 ... now-1M]

Show assets with traffic timestamp starting 2 weeks ago, ending 1 second ago

traffic.timestamp:[now-2w ... now-1s]

traffic.totaltraffic.total

Use an integer value to find assets having specific amount of total traffic in MBs (both ingress and egress).

Example

Show assets with 100 MB total traffic

traffic.total:100

traffic.ingresstraffic.ingress

Use an integer value to find assets having specific amount of ingress traffic in MBs.

Example

Show assets with 60 MB ingress traffic

traffic.ingress:60

traffic.egresstraffic.egress

Use an integer value to find assets having specific amount of egress traffic in MBs.

Example

Show assets with 40 MB egress traffic

traffic.egress:40

traffic.protocoltraffic.protocol

Use a text value to find assets with traffic over specific protocol.

Example

Show assets with traffic over TCP

traffic.protocol:tcp

traffic.porttraffic.port

Use a integer value to find assets with traffic over specific port.

Example

Show assets with traffic over port 80

traffic.port:80

traffic.typetraffic.type

Use a text value to find assets with traffic of a specific type (client or server).

Example

Show assets with client traffic

traffic.type:client

traffic.familytraffic.family

Use a text value to find assets with traffic of a specific family.

Example

Show assets with peer to peer traffic

traffic.family:Peer to Peer

traffic.applicationtraffic.application

Use a text value to find assets with traffic from a specific application.

Example

Show assets with traffic from BitTorrent

traffic.application:BitTorrent

traffic.servicetraffic.service

Use a text value to find assets with traffic from a specific service.

Example

Show assets with traffic from HTTP

traffic.service:http

© 2025 Qualys, Inc. All rights reserved. Privacy Policy.