Search Tokens for VMDR
You can use the search tokens in the Vulnerabilities tab to refine your search results. We have broadly classified the asset and vulnerability search tokens in the Vulnerabilities tab. Click each token to learn more about it.
Generic | Vulnerability | Asset | Asset Inventory | Alerting | RTIs | Threat Feed | Alibaba | AWS | Microsoft Azure | GCP | IBM | OCI | Passive Scanner
Generic
The order of precedence for the operators is NOT, AND, OR. However, you can use parenthesis to override the precedence.
Use a boolean query to express your query using NOT logic.
Example
Show assets that do not have Windows operating system
not operatingSystem: Windows
Use a boolean query to express your query using AND logic.
Example
Find assets with certain tag and software installed
tags.name:`Cloud Agent` and software: (name:`Cisco AnyConnect Secure Mobility Client` and version:`3.1.12345`)
Use a boolean query to express your query using OR logic.
Example
Show findings with one of these tag values
tags.name:Cloud Agent or tags.name:Windows
Vulnerability Tokens
Use these tokens to define search criteria for vulnerabilities.
vulnerabilities.disabledvulnerabilities.disabled
Use the values true or false to define whether vulnerabilities are disabled or enabled.
Example
Show findings with vulnerabilities disabled
vulnerabilities.disabled:TRUE
vulnerabilities.detectionScorevulnerabilities.detectionScore
Use an integer value (0-100) to help you find vulnerabilities based on specific detection score.
Examples
- Show vulnerabilities with detection score 80
vulnerabilities.detectionScore:80 - Show vulnerabilities with detection score 25
vulnerabilities.detectionScore:25
vulnerabilities.detectionSourcevulnerabilities.detectionSource
Use a string value within quotes or backticks to find vulnerabilities with a certain source of detection.
From the drop-down, select the name of a detection source:
Generic, Qualys, Tenable, Wiz
Examples
- Show findings with Qualys as the detection source
vulnerabilities.detectionSource:Qualys - Show findings that contain parts of the detection source
vulnerabilities.detectionSource:"Qualys" - Show findings that match the exact value Qualys
vulnerabilities.detectionSource:`Qualys`
vulnerabilities.detectionSource.namevulnerabilities.detectionSource.name
Use quotes or backticks within values to help you find the source that detected the vulnerability. Understanding the origin of vulnerability data is essential for grasping the detection's context, reliability, and scope.
Examples
- Show findings with Qualys as the detection source
vulnerabilities.detectionSource.name:AZURE - Show findings that contain parts of the detection source
vulnerabilities.detectionSource.name:"CAR Agent" - Show findings that match the exact value Qualys
vulnerabilities.detectionSource.name:`Cloud Agent`
vulnerabilities.detectionSource.firstFoundDatevulnerabilities.detectionSource.firstFoundDate
Use the date range or specific date to define when a vulnerability was first detected. Tracking this information helps teams analyze vulnerabilities, prioritize remediation, and identify trends. You can determine if further investigation or alternative remediation is needed by tracking the last and first found dates.
Examples
- Show vulnerabilities first detected on a certain date
vulnerabilities.detectionSource.firstFoundDate:[2017-10-21 ... 2017-10-30] - Show vulnerabilities first detected starting 2015-10-01, ending 1 month ago
vulnerabilities.detectionSource.firstFoundDate:[2015-10-01 ... now-1M] - Show vulnerabilities first detected 2 weeks ago, ending 1 second ago
vulnerabilities.detectionSource.firstFoundDate:[now-2w ... now-1s] - Show vulnerabilities first detected on certain date
vulnerabilities.detectionSource.firstFoundDate:'2016-11-11'
vulnerabilities.detectionSource.lastFoundDatevulnerabilities.detectionSource.lastFoundDate
Use the date range or specific date to define when a vulnerability was last detected. This helps assess whether a vulnerability is active or has reappeared after remediation. You can determine if further investigation or alternative remediation is needed by tracking the last and first found dates.
Examples
- Show vulnerabilities last detected on a certain date
vulnerabilities.detectionSource.lastFoundDate:[2017-10-21 ... 2017-10-30] - Show vulnerabilities last detected starting 2015-10-01, ending 1 month ago
vulnerabilities.detectionSource.lastFoundDate:[2015-10-01 ... now-1M] - Show vulnerabilities last detected 2 weeks ago, ending 1 second ago
vulnerabilities.detectionSource.lastFoundDate:[now-2w ... now-1s] - Show vulnerabilities last detected on certain date
vulnerabilities.detectionSource.lastFoundDate:'2016-11-11'
vulnerabilities.foundvulnerabilities.found
Use the values true or false to define vulnerabilities are detected or not on the assets.
Example
Show findings with vulnerabilities detected
vulnerabilities.found:TRUE
vulnerabilities.firstFoundvulnerabilities.firstFound
Use the date range or specific date to define when findings were first found.
Examples
- Show findings first found within certain dates
vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30] - Show findings first found starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFound:[2015-10-01 ... now-1M] - Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFound:[now-2w ... now-1s] - Show findings first found on certain date
vulnerabilities.firstFound:'2016-11-11'
vulnerabilities.hostAssetNamevulnerabilities.hostAssetName
Use quotes or backticks within values to help you find the host asset name.
Examples
- Show any findings related to name
vulnerabilities.hostAssetName:QK2K12QP3-65-53 - Show any findings that contain parts of name
vulnerabilities.hostAssetName:"QK2K12QP3-65-53" - Show any findings that match exact value "QK2K12QP3-65-53"
vulnerabilities.hostAssetName:`QK2K12QP3-65-53`
vulnerabilities.hostOSvulnerabilities.hostOS
Use quotes or backticks within values to help you find the host operating system.
Examples
- Show any findings with this OS name
vulnerabilities.hostOS:Windows 2012 - Show any findings that contain components of OS name
vulnerabilities.hostOS:"Windows 2012" - Show any findings that match exact value "Windows 2012"
vulnerabilities.hostOS:`Windows 2012`
vulnerabilities.ignoredvulnerabilities.ignored
Use an integer value to find vulnerabilities that have been marked as ignored.
Example
Show vulnerabilities that are marked as ignored
vulnerabilities.ignored:TRUE
vulnerabilities.instancevulnerabilities.instance
Use a text value to find vulnerabilities found on a certain instance.
Example
Show vulnerabilities found in this instance
vulnerabilities.instance: oracle
vulnerabilities.lastFixedvulnerabilities.lastFixed
Use a date range or specific date to define when findings were last fixed.
Examples
- Show findings last fixed within certain dates
vulnerabilities.lastFixed:[2015-10-21 ... 2016-01-15] - Show findings last fixed starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFixed:[2016-01-01 ... now-1M] - Show findings last fixed starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFixed:[now-2w ... now-1s] - Show findings last fixed on certain date
vulnerabilities.lastFixed:'2016-01-11' - Show findings last fixed within certain number of days
vulnerabilities.lastFixed: [91..180]
vulnerabilities.lastFoundvulnerabilities.lastFound
Use a date range or specific date to define when findings were last found.
Examples
- Show findings last found within certain dates
vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15] - Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFound:[2016-01-01 ... now-1M] - Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFound:[now-2w ... now-1s] - Show findings last found on certain date
vulnerabilities.lastFound:'2016-01-11' - Show findings last found within certain number of days
vulnerabilities.lastFound: [91..180] - Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
vulnerabilities: (lastFound: AND vulnerability.patchAvailable:TRUE)
vulnerabilities.nonExploitableConfigvulnerabilities.nonExploitableConfig
Use the values true or false to define vulnerabilities with non-exploitable configurations.
Examples
- Show findings with non exploitable configurations
vulnerabilities.nonExploitableConfig:TRUE - Show findings with exploitable configurations
vulnerabilities.nonExploitableConfig:FALSE
vulnerabilities.nonRunningKernelvulnerabilities.nonRunningKernel
Use the values true or false to view vulnerabilities found on non-running kernels.
Examples
- Show detections found on non-running Kernal
vulnerabilities.nonRunningKernel:TRUE - Show detections found on running Kernal
vulnerabilities.nonRunningKernel:FALSE
vulnerabilities.portvulnerabilities.port
Use an integer value to find vulnerabilities found on a certain port.
Example
Show vulnerabilities found on this port
vulnerabilities.port:443
vulnerabilities.protocolvulnerabilities.protocol
Use a text value UDP or TCP to define the port protocol.
Example
Show vulnerabilities found on TCP protocol
vulnerabilities.protocol:TCP
vulnerabilities.runningServicevulnerabilities.runningService
Use the values true or false to define vulnerabilities found on a non-exploitable port/service.
Examples
- Show vulnerabilities found on running service
vulnerabilities.runningService:TRUE - Show vulnerabilities found on non-running service
vulnerabilities.nonexploitableService:FALSE
vulnerabilities.riskFactor.cisaKEVDueDatevulnerabilities.riskFactor.cisaKEVDueDate
Use a specific date to get the list of known exploited vulnerabilities whose remediation due date is as per the CISA Catalog. The date format used is yyyy-mm-dd.
Example
List the QIDs whose CISA Due Date is 3rd May 2022
vulnerabilities.riskFactor.cisaKEVDueDate:2022-05-03
vulnerabilities.riskFactor.cisaKnownExploitsvulnerabilities.riskFactor.cisaKnownExploits
Use this token to get the list of QIDs impacted due to CISA Known Exploits. The token uses true or false as the input value.
Example
List the QIDs that are impacted due to CISA Known Exploit
vulnerabilities.riskFactor.cisaKnownExploits:TRUE
vulnerabilities.riskFactor.threatActorNamevulnerabilities.riskFactor.threatActorName
Use string as an input value to get the list of QIDs that are impacted by the threat actor.
Example
List the QIDs that are impacted by the threat actor name Labyrinth Chollima
vulnerabilities.riskFactor.threatActorName:"Labyrinth Chollima"
List the QIDs that are impacted by the threat actor name Insiders
vulnerabilities.riskFactor.threatActorName:"Insiders"
List the QIDs that are impacted by the threat actor name Senstive Information
vulnerabilities.riskFactor.threatActorName:"senstive information"
List the QIDs that are impacted by the threat actor name Script Kiddies
vulnerabilities.riskFactor.threatActorName:"Script kiddies"
vulnerabilities.riskFactor.malwareNamevulnerabilities.riskFactor.malwareName
Use string as an input value to get the list of QIDs that are impacted by the malware name.
Example
List the QIDs that are impacted by the malware name TROJ_PDFKA.DQ
vulnerabilities.riskFactor.malwareName:"TROJ_PDFKA.DQ"
vulnerabilities.riskFactor.exploitCodeMaturityvulnerabilities.riskFactor.exploitCodeMaturity
Use this token to get the list of QIDs that can be exploited based on the existing state of exploit techniques and code availability.
From the drop-down, select the name of an exploit technique:
poc, weaponized
Example
List the QIDs exploited by Weaponized exploit code maturity technique
vulnerabilities.riskFactor.exploitCodeMaturity:"weaponized"
vulnerabilities.riskFactor.exploitTypevulnerabilities.riskFactor.exploitType
Use string as an input value to get the list of QIDs based on the type of exploits and its related vulnerabilities.
Example
List the QIDs that are exploited whose target vulnerabilities are in web applications
vulnerabilities.riskFactor.exploitType:"webapps"
vulnerabilities.riskFactor.exploitType:"shellcode"
vulnerabilities.riskFactor.exploitType:"remote"
vulnerabilities.riskFactor.rtivulnerabilities.riskFactor.rti
Use this token to get the list of QIDs with Real-Time Threat Indicators (RTI) related vulnerabilities.
Example
List the QIDs that are assoicated with the Denial of Service Real-Time Threat Indicator
vulnerabilities.riskFactor.rti:"Denial of Service"
vulnerabilities.riskFactor.trendingvulnerabilities.riskFactor.trending
Use this token to get the list of QIDs that are trending within a specific date range. You can select the date range from the drop-down.
Example
Show trending vulnerabilities with its QIDs within certain number of days
vulnerabilities.riskFactor.trending:[16..30]
vulnerabilities.sslvulnerabilities.ssl
Use the values true or false to define vulnerabilities found on secure socket layer (SSL).
Example
Show vulnerabilities associated with SSL
vulnerabilities.ssl:TRUE
vulnerabilities.severityvulnerabilities.severity
Use an integer value to view the severity level set by you to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu. If you do not set the severity level, its level will be the same as the level set by Qualys.
Example
Show findings with severity by 5
vulnerabilities.severity:5
For information about customer and Qualys severity, see Customer and Kb Severity Level
vulnerabilities.statusvulnerabilities.status
From the drop-down, select a status Active, Fixed, New, and Reopened to find vulnerabilities with certain status.
If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.
Example
Show vulnerabilities with New status
vulnerabilities.status:Fixed
vulnerabilities.hidePatchSupersededvulnerabilities.hidePatchSuperseded
Use the boolean value True to generate the list of excluded superseded QIDs and show the latest patches.
Example
Show all the excluded superseded QIDs and the latest patches.
vulnerabilities.hidePatchSuperseded:True
vulnerabilities.ttr.firstFoundvulnerabilities.ttr.firstFound
Use the number of days to determine the findings based on the Total and First Found time to remediate. The token accepts range input as number of days. You can also customize the range input.
Examples
- Show vulnerabilities findings based on total and first found calculation
vulnerabilities.ttr.firstFound:[61..90] - Use custom query to see the vulnerabilities findings based on total and first found calculation
vulnerabilities.ttr.firstFound:[0..90]
vulnerabilities.typeDetectedvulnerabilities.typeDetected
From the drop-down, select a detection type, such as, Confirmed, Potential, and Information to find assets with vulnerabilities of this type.
Example
Show findings with this type
vulnerabilities.typeDetected:Confirmed
vulnerabilities.vulnerability.authTypesvulnerabilities.vulnerability.authTypes
From the drop-down, select the name, such as, WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH of an authentication type.
Example
Show findings with Windows auth type
vulnerabilities.vulnerability.authTypes:WINDOWS_AUTH
vulnerabilities.vulnerability.bugTraqIdsvulnerabilities.vulnerability.bugTraqIds
Use a text value to find a BugTraq number.
Example
Show findings with BugTraq ID 22211
vulnerabilities.vulnerability.bugTraqIds:22211
vulnerabilities.vulnerability.categoryvulnerabilities.vulnerability.category
From the drop-down, select a category, such as, `CGI`, `Database`, `DNS`, `BIND`, `Custom QID` to find vulnerabilities with this category.
Example
- Show findings with category `CGI`
vulnerabilities.vulnerability.category:`CGI`
Use quotes or backticks within values to help you find the compliance description.
Examples
- Show any findings related to this description
vulnerabilities.vulnerability.compliance.description:malicious software - Show any findings that contain "malicious" or "software" in description
vulnerabilities.vulnerability.compliance.description:"malicious software" - Show any findings that match exact value "malicious software"
vulnerabilities.vulnerability.compliance.description:`malicious software`
vulnerabilities.vulnerability.compliance.sectionvulnerabilities.vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section.
Examples
- Show any findings related to this section
vulnerabilities.vulnerability.compliance.section:164.308 - Show any findings that contain parts of section
vulnerabilities.vulnerability.compliance.section:"164.308" - Show any findings that match exact value "164.308"
vulnerabilities.vulnerability.compliance.section:`164.308`
vulnerabilities.vulnerability.compliance.typevulnerabilities.vulnerability.compliance.type
From the drop-down, select the name of a compliance type:
COBIT, HIPAA, GLBA, SOX, PCI
Example
Show findings with the compliance type HIPAA
vulnerabilities.vulnerability.compliance.type:HIPAA
Show findings with the compliance type SOX
vulnerabilities.vulnerability.compliance.type:SOX
Show findings with the compliance type COBIT
vulnerabilities.vulnerability.compliance.type:COBIT
vulnerabilities.vulnerability.impactvulnerabilities.vulnerability.impact
Use quotes or backtick within values to find the impact.
Examples
- Show any findings related to impact
vulnerabilities.vulnerability.impact:sensitive information - Show any findings that contain "identity" or "theft" in consequence
vulnerabilities.vulnerability.impact:"identity theft" - Show any findings that match exact value "financial loss"
vulnerabilities.vulnerability.impact:`financial loss`
vulnerabilities.vulnerability.cveIdsvulnerabilities.vulnerability.cveIds
Use a text value to find the CVE name.
Example
Show findings with CVE name CVE-2015-0313
vulnerabilities.vulnerability.cveIds:CVE-2015-0313
Note: The CVE in the query is case sensitive and must be used in capital case.
Use an integer value to find the CVSSv3.1 base score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss3_1Info.basescore:7.8
Use an integer value tofind the CVSSv3.1 temporal score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss3_1Info.temporalScore:6.4
Select the name of a CVSS2 access vector, for example, UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK. Select from names in the drop-down menu.
Example
Show findings with this name
vulnerabilities.vulnerability.cvss2Info.accessVector:NETWORK
vulnerabilities.vulnerability.cvss2Info.baseScorevulnerabilities.vulnerability.cvss2Info.baseScore
Use an integer value to help you find the CVSS2 base score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2Info.baseScore:7.8
Use an integer value to help you find the CVSS2 temporal score.
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2Info.temporalScore:6.4
vulnerabilities.vulnerability.discoveryTypesvulnerabilities.vulnerability.discoveryTypes
Select a discovery type (Remote or Authenticated) to find assets with vulnerabilities having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type
vulnerabilities.vulnerability.discoveryTypes:REMOTE
vulnerabilities.vulnerability.exploitabilityvulnerabilities.vulnerability.exploitability
Use quotes or backticks within values to find known exploit description.
Examples
Show any findings related to this description
vulnerabilities.vulnerability.exploitability:GIF
Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerabilities.vulnerability.exploitability:"GIF
Parser Heap"
Show any findings that match exact value "GIF Parser Heap"
vulnerabilities.vulnerability.exploitability:`GIF
Parser Heap`
vulnerabilities.vulnerability.flagsvulnerabilities.vulnerability.flags
Use a text value to find the Qualys defined vulnerability property, for example, REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc.
Example
Show findings with this flag
vulnerabilities.vulnerability.flags:PCI_RELATED
Use the text value within quotes or backticks for the tactics id that represents the why of the ATT&CK technique or sub-technique.
Example
Show findings with the Tactic ID TA0007
vulnerabilities.vulnerability.mitre.attack.tactic.id:`TA0007`
Use the text value within quotes or backticks to view for the tactics name that represents it's respective tactic id.
Example
Show findings with the tactic name inital-access
vulnerabilities.vulnerability.mitre.attack.tactic.name:`inital-access`
Use the text value within quotes or backticks for the technique id that represents how a tactical goal can be achieved.
Example
Show findings with the Technique ID T1562.010
vulnerabilities.vulnerability.mitre.attack.technique.id:"T1562.010"
Use the text value within quotes or backticks to view for the technique name that represents it's respective technique id.
Example
Show findings with the tactic name Downgrade Attack
vulnerabilities.vulnerability.mitre.attack.technique.name:"Downgrade Attack"
vulnerabilities.vulnerability.osvulnerabilities.vulnerability.os
Use quotes or backticks within values to help you find the operating system vulnerabilities were detected on.
Examples
Show any findings related to this OS value
vulnerabilities.vulnerability.os:windows
Show any findings that contain parts of OS value
vulnerabilities.vulnerability.os:"windows"
Show any findings that match exact value "windows"
vulnerabilities.vulnerability.os:`windows`
vulnerabilities.vulnerability.patchAvailable vulnerabilities.vulnerability.patchAvailable
Use the values true |false to define vulnerabilities with patch available.
Examples
Show findings with patch available
vulnerabilities.vulnerability.patchAvailable:TRUE
Show findings with no patch available
vulnerabilities.vulnerability.patchAvailable:FALSE
vulnerabilities.vulnerability.pcivulnerabilities.vulnerability.pci
Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).
Examples
Show PCI vulnerabilities
vulnerabilities.vulnerability.pci:TRUE
Do not show PCI vulnerabilities
vulnerabilities.vulnerability.pci:FALSE
vulnerabilities.vulnerability.rebootRequiredvulnerabilities.vulnerability.rebootRequired
Use the values true | false to find vulnerabilities that need reboot.
Examples
Show vulnerabilities that need reboot.
vulnerabilities.vulnerability.rebootRequired: TRUE
vulnerabilities.vulnerability.qidvulnerabilities.vulnerability.qid
Use an integer value to define the QID in question.
Example
Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.ransomware.namevulnerabilities.vulnerability.ransomware.name
Use quotes or backticks within values to help you find the ransomware name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show findings with this name
vulnerabilities.vulnerability.ransomware.name: Locky
Show findings that match exact value
vulnerabilities.vulnerability.ransomware.name: Locky
vulnerabilities.vulnerability.scaTechnologiesvulnerabilities.vulnerability.scaTechnologies
Use the SCA technology values like Python or Java for listing vulnerabilities associated with assets on which any of the software components are identified.
Example
List the vulnerabilities that have SCA Technology as Python
vulnerabilities.vulnerability.scaTechnologies: Python
vulnerabilities.vulnerability.sans20Categoriesvulnerabilities.vulnerability.sans20Categories
Use a text value to find vulnerabilities in the SANS 20 category, for example, Anti-virus Software, Backup Software, etc.
Example
Show findings with this category name
vulnerabilities.vulnerability.sans20Categories:Media
Players
vulnerabilities.vulnerability.severityvulnerabilities.vulnerability.severity
Use an integer value to view the severity level set by Qualys to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu.
Example
Show findings with severity set by Qualys as 5
vulnerabilities.vulnerability.severity:5
For information about customer and Qualys severity, see Customer and Kb Severity Level
vulnerabilities.vulnerability.solutionvulnerabilities.vulnerability.solution
Use quotes or backticks within values to help you find the solution.
Examples
Show any findings related to this solution
vulnerabilities.vulnerability.solution:Bulletin
MS10-006
Show any findings that contain parts of solution
vulnerabilities.vulnerability.solution:"Bulletin
MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
vulnerabilities.vulnerability.solution:`Bulletin
MS10-006`
vulnerabilities.vulnerability.supportedByvulnerabilities.vulnerability.supportedBy
Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.
Example
Show vulnerabilities supported by Linux Agent
vulnerabilities.vulnerability.supportedBy:CA-Linux
Agent
vulnerabilities.vulnerability.titlevulnerabilities.vulnerability.title
Use quotes or backticks within values to help you find the title.
Examples
Show any findings related to this title
vulnerabilities.vulnerability.title:Remote Code
Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title:"Remote
Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title:`Remote Code`
vulnerabilities.vulnerability.typesvulnerabilities.vulnerability.types
Select a detection type (e.g. Vulnerability, Potential, Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
Example
Show findings with this type
vulnerabilities.vulnerability.types:VULNERABILITY
vulnerabilities.vulnerability.vendorRefsvulnerabilities.vulnerability.vendorRefs
Use a text value to find the vendor reference.
Example
Show this vendor reference
vulnerabilities.vulnerability.vendorRefs:KB3021953
vulnerabilities.vulnerability.vendors.productNamevulnerabilities.vulnerability.vendors.productName
Use a text value to find the vendor product name.
Example
Show findings with this vendor product name
vulnerabilities.vulnerability.vendors.productName:Windows
vulnerabilities.vulnerability.vendors.vendorNamevulnerabilities.vulnerability.vendors.vendorName
Use a text value to find the vendor name.
Example
Show findings with this vendor name
vulnerabilities.vulnerability.vendors.vendorName:Adobe
vulnerabilities.nonExploitableKernelvulnerabilities.nonExploitableKernel
Use the values true | false to define vulnerabilities that exist on non exploitable kernels.
Examples
Show findings on non-exploitable kernels
vulnerabilities.nonExploitableKernel:TRUE
vulnerabilities.nonExploitableServicevulnerabilities.nonExploitableService
`Use the values true | false to define vulnerabilities that exist on non exploitable services.
Examples
Show findings on non-exploitable services
vulnerabilities.nonExploitableService:TRUE
vulnerabilities.vulnerability.patchReleasedvulnerabilities.vulnerability.patchReleased
Use a date range or specific date to define when patch was available.
Examples
Show findings last found within certain dates
vulnerabilities.vulnerability.patchReleased:[2018-10-21
... 2019-01-15]
Show findings last found starting 2020-01-01, ending 1 month ago
vulnerabilities.vulnerability.patchReleased:[2020-01-01
... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.patchReleased:[now-2w
... now-1s]
Show findings last found on certain date
vulnerabilities.vulnerability.patchReleased:'2020-01-02'
vulnerabilities.timesFoundvulnerabilities.timesFound
Show findings that were detected for the specified number of times.
Examples
Show findings last found 3 times
vulnerabilities.timesFound:3
vulnerabilities.vulnerability.kbAgevulnerabilities.vulnerability.kbAge
Select the number of days from the range (00..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was published by Qualys in the Knowledge Base. The kbAge is the published date for the QIDs. Select the number of days from the drop-down menu.
Example
Show findings/QIDs that were recently published (in the last 30 days)
vulnerabilities.vulnerability.kbAge:[00..30]
vulnerabilities.detectionAgevulnerabilities.detectionAge
Select the number of days from the range (00..30, 31..60, 61..90, 91..180,180..+) since the vulnerability was first detected (by a scanner or cloud agent) on the asset till the current date. The age is calculated irrespective of the vulnerability status.
Example
Show findings that were detected in the last 30 days.
vulnerabilities.detectionAge:[00..30]
vulnerabilities.vulnerability.descriptionvulnerabilities.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description.
Examples
Show any findings related to description
vulnerabilities.vulnerability.description:remote
code execution
Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description:"remote
code execution"
Show any findings that match exact value "remote code execution"
vulnerabilities.vulnerability.description:`remote
code execution`
vulnerabilities.vulnerability.listsvulnerabilities.vulnerability.lists
Use a text value to find the vulnerability list of interest, for example, SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).
Example
Show findings with vulnerabilities in SANS Top 20
vulnerabilities.vulnerability.lists:SANS_20
vulnerabilities.vulnerability.patchesvulnerabilities.vulnerability.patches
Use an integer value to help you find the patch QID.
Example
Show assets with this patch QID
vulnerabilities.vulnerability.patches:90753
vulnerabilities.vulnerability.publishedvulnerabilities.vulnerability.published
Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.
Examples
Show findings for vulnerabilities published within certain dates
vulnerabilities.vulnerability.published:[2015-10-21
... 2016-01-15]
Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago
vulnerabilities.vulnerability.published:[2017-01-01
... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.published:[now-2w
... now-1s]
Show findings for vulnerabilities published on certain date
vulnerabilities.vulnerability.published:'2018-01-15'
vulnerabilities.vulnerability.riskvulnerabilities.vulnerability.risk
Use an integer value to define the vulnerability risk rating. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Example
Show findings with risk 50
vulnerabilities.vulnerability.risk:50
vulnerabilities.vulnerability.qualysPatchablevulnerabilities.vulnerability.qualysPatchable
Use the valuesvulnerabilities true | false to define that can be patched at Qualys.
Examples
Show vulnerabilities with patch available at Qualys
vulnerabilities.vulnerability.qualysPatchable: "true"
Show vulnerabilities with patch not available at Qualys
vulnerabilities.vulnerability.qualysPatchable: "false"
vulnerabilities.vulnerability.criticalityvulnerabilities.vulnerability.criticality
Select a criticality (e.g. "CRITICAL","HIGH","MEDIUM","LOW","NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takes the priority.
The following list of criticality defines the CVSS Score from 0.0 to 10.0:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Examples
Show vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: "HIGH"
vulnerabilities.vulnerability.updatedvulnerabilities.vulnerability.updated
Use a date range or specific date to define when vulnerabilities were updated in the KnowledgeBase.
Examples
Show vulnerabilities updated within certain dates
vulnerabilities.vulnerability.updated:[2017-10-21
... 2017-10-30]
Show vulnerabilities updated starting 2017-11-01, ending 1 month ago
vulnerabilities.vulnerability.updated:[2017-11-01
... now-1M]
Show vulnerabilities updated stating 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.updated:[now-2w
... now-1s]
Show vulnerabilities updated on certain date
vulnerabilities.vulnerability.updated:'2018-03-08'
vulnerabilities.mitigationDetectedvulnerabilities.mitigationDetected
Use this token to filter vulnerabilities where the "PCControl" mitigation has been detected.
Example
Show PCControl mitigated data
vulnerabilities.mitigationDetected:PCControl
vulnerabilities.qualysPatchablevulnerabilities.qualysPatchable
Use the values true | false to indicate whether Qualys can patch a detected vulnerability.
Example
Show findings with vulnerabilities that can be patched
vulnerabilities.qualysPatchable:TRUE
This QQL is dependent on other modules. To use this QQL, ensure that all prerequisites are met.
Patch Management v3.0.0 and higher | Mitigation - v3.0 | ARSC Services - v1.10.0
vulnerabilities.qualysMitigablevulnerabilities.qualysMitigable
Use the values true | false to indicate whether Qualys can mitigate a detected vulnerability.
Example
Show findings with vulnerabilities that can be mitigated
vulnerabilities.qualysMitigable:TRUE
This QQL is dependent on other modules. To use this QQL, ensure that all prerequisites are met.
Patch Management v3.0.0 and higher | Mitigation - v3.0 | ARSC Services - v1.10.0
Asset Tokens
The following asset tokens will list all the assets mentioned in the QQL. You can filter the search results using other token options such as Generic, Search by Field, Search without field tokens.
accounts.usernameaccounts.username
Use a text value to find the username.
Example
Show assets with the username Administrator
accounts.username:Administrator
activatedForModulesactivatedForModules
Select the name of an activated module. Select from names in the drop-down menu.
Examples
Show assets activated for VM
activatedForModules:VM
Show assets activated for VM and FIM
activatedForModules:VM AND activatedForModules:FIM
agent.activations.keyagent.activations.key
Use a text value to define the agent activation key.
Example
Show assets with agents activated using key-value
agent.activations.key:key-value
agent.activations.statusagent.activations.status
Use a text value (ACTIVE or INACTIVE) to define agent activation status.
Example
Show assets with active agents
agent.activations.status:ACTIVE
Use a text value to find an agent ID of interest.
Example
Show the asset with this agent ID
agent.agentID:f0xxx82-exxx-4e7d-xxx-0c905xxxxx4
agent.swCAIdealCandidateagent.swCAIdealCandidate
Use the values true or false to find assets on which at least one of the software components—Ruby, Node.js, Go, Rust, PHP, Python, Java Platform, and Standard Edition (Java SE), is identified.
Example
List the assets that have software components identified
agent.swCAIdealCandidate: true
Use a text value to find the agent version.
Example
Show findings with agent version 1.5.6.46
agent.version:1.5.6.46
Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.
Examples
Show this asset ID
assetId: 2918869
Show asset IDs in this range
assetId: [3546997 .. 12945655]
Show the 2 asset IDs listed
assetId: [3546997,12945655]
asset.hostingCategory1asset.hostingCategory1
Use a value to filter your assets based on the hosting category. The supported values are CDN, Cloud, OnPrem, and ThirdParty.
Example
Show findings with hosting catagory CDN
asset.hostingCategory1:"CDN"
agent.configurationProfileagent.configurationProfile
Use quotes or backticks within values to help you find the agent configuration profile.
Examples
Show any findings related to profile name
agent.configurationProfile:Initial Profile
Show any findings that contain parts of profile name
agent.configurationProfile:"Initial Profile"
Show any findings that match exact value "Initial Profile"
agent.configurationProfile:`Initial Profile`
agent.connectedFromagent.connectedFrom
Use a text value to define the external IP address a cloud agent is connected from.
Example
Show findings for an external IP address that an agent connected from
agent.connectedFrom:10.0.100.11
businessApp.businessCriticalitybusinessApp.businessCriticality
Use values within quotes or backticks to help you find the business application.
Examples
Show any findings that contain parts of name
businessApp:(businessCriticality:"1 - most")
Show any findings that match exact value "1 - most critical"
businessApp:(businessCriticality:`1 - most critical`)
businessApp.environmentbusinessApp.environment
Use a text value to help you find business application based on environment.
Example
Show assets with business application environment as Production
businessApp:(environment:Production)
Use a text value to help you find business application using unique ID.
Example
Show findings with business app ID as APP007
businessApp:(id:APP007)
businessApp.managedBybusinessApp.managedBy
Use values within quotes or backticks to help you find business applications managed by user.
Examples
Show any findings that contain parts of name
businessApp:(managedBy:"Byron")
businessApp:(managedBy:`Byron Fortuna`)
businessApp.namebusinessApp.name
Use values within quotes or backticks to help you find the business application name.
Examples
Show any findings that contain parts of name
businessApp:(managedBy:"HR")
businessApp:(managedBy:`HR Intranet`)
businessApp.operationalStatusbusinessApp.operationalStatus
Use a text value to help you find business applications based on operational status.
Example
Show business applications with operational status as Installed
businessApp:(operationalStatus:Installed)
businessApp.ownedBybusinessApp.ownedBy
Use values within quotes or backticks to help you find business applications owned by user.
Examples
Show any findings that contain parts of name
businessApp:(ownedBy:"Joey")
Show any findings that match exact value "Joey Bolick"
businessApp:(ownedBy:"Joey Bolick")
businessApp.supportedBybusinessApp.supportedBy
Use values within quotes or backticks to help you find business applications supported by user.
Examples
Show any findings that contain parts of name
businessApp:(supportedBy:"Joe")
Show any findings that match exact value `Joey Doe`
businessApp:(supportedBy:`Joe Doe`)
businessApp.supportGroupbusinessApp.supportGroup
Use a text value to help you find business applications with support group.
Example
Show assets with business application support group as Security.
businessApp:(supportGroup:"Security")
connectors.connector.nameconnectors.connector.name
Use a text value to define the connector name.
Example
Show findings detected by connector myec2
connectors.connector.name:myec2
connectors.firstDiscoveredconnectors.firstDiscovered
Use a date range or specific date to define when the connectors were first discovered.
Example
Show findings for connectors that were first discovered within certain dates
connectors.firstDiscovered:[2015-10-21 ... 2016-01-15]
Show findings for connectors that were first discovered starting 2017-01-01, ending 1 month ago
connectors.firstDiscovered:[2017-01-01 ... now-1M]
Show findings for connectors that were first discovered starting 2 weeks ago, ending 1 second ago
connectors.firstDiscovered:[now-2w ... now-1s]
Show findings for connectors that were first discovered on certain date
connectors.firstDiscovered:'2018-01-15'
Show findings for connectors that were first discovered before a certain date
connectors.firstDiscovered <'2018-01-15'
Show findings for connectors that were first discovered after a certain date
connectors.firstDiscovered >'2018-01-15'
connectors.lastDiscoveredconnectors.lastDiscovered
Use a date range or specific date to define when the connectors were last discovered.
Example
Show findings for connectors last discovered within certain dates
connectors.lastDiscovered:[2015-10-21 ... 2016-01-15]
Show findings for connectors last discovered starting 2017-01-01, ending 1 month ago
connectors.lastDiscovered:[2017-01-01 ... now-1M]
Show findings for connectors last discovered starting 2 weeks ago, ending 1 second ago
connectors.lastDiscovered:[now-2w ... now-1s]
Show findings for connectors last discovered on certain date
connectors.lastDiscovered:'2018-01-15'
Show findings for connectors last discovered before a certain date
connectors.lastDiscovered <'2018-01-15'
Show findings for connectors last discovered after a certain date
connectors.lastDiscovered >'2018-01-15'
connectors.connectorIdconnectors.connectorId
Show assets sourced from a specific connector created by the user
Example
Show assets for the following connector id:
connectors.connectorId:1278237
Use an integer value to help you find assets with some number of CPUs.
Example
Show assets that have 2 CPUs
cpuCount:2
Use a date range or specific date to define when assets were created, that is, when first scanned by a scanner appliance, or when agent was installed.
Examples
Show assets created within certain dates
created:[2016-01-01 ... 2016-01-10]
Show assets created starting 2017-10-01, ending 1 month ago
created:[2017-10-01 ... now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
created:[now-2w ... now-1s]
Show assets created on specific date
created:'2018-01-08'
criticalityScorecriticalityScore
Use an integer value (1-5) to help you find assets based on specific criticality score.
Examples
Show assets with criticality score 5
criticalityScore:5
Show assets with criticality score 2
criticalityScore:2
customAttributes.keycustomAttributes.key
Provide the value to identify your assets based on the key entered as part of the custom attribute.
Example
Find assets with "Department" as part of the key name
customAttributes:(key:"Department")
The result includes assets with the 'Department' custom attribute key.
Note: If 'Department' is part of the key name, such as Department 1, Department A-C, or Department US, those assets are also included in the result.
customAttributes.valuecustomAttributes.value
Provide the value to identify your assets based on the value entered as part of the custom attribute.
Example
Find assets with "DEVOPS" as part of the key value
customAttributes:(value:"DEVOPS")
The result includes assets with the 'DEVOPS' custom attribute value.
Note: If 'DEVOPS' is part of the value name, such as DEVOPS CSAM, DEVOPS CA, or DEVOPS PM, those assets are also included in the result.
docker.dockerVersiondocker.dockerVersion
Use a text value to define a Docker version.
Example
Show findings with this Docker version
docker.dockerVersion:17.3
docker.noOfContainersdocker.noOfContainers
Use an integer value to help you find assets with some number of Docker containers. .
Example
Show findings with 2 Docker containers
docker.noOfContainers:2
docker.noOfImagesdocker.noOfImages
Use an integer value to help you find assets with some number of Docker images.
Example
Show findings with 5 Docker images
docker.noOfImages:5
Use the values true | false to choose whether to show docker hosts or not (only when the hosts have been scanned).
Examples
Show docker hosts
isDockerHost:true
Do not show docker hosts
isDockerHost:false
interfaces.addressinterfaces.address
Use a text value to define an IP address (IPv4 of IPv6).
Examples
Show the asset with IPv4 address
interfaces.address:10.10.100.20
Show the asset with IPv6 address (enclose value in single quotes)
interfaces.address:'fe80:0:0:0:2501:b53c:4139:404b'
interfaces.dnsAddressinterfaces.dnsAddress
Use a text value to define a DNS address.
Example
Show the asset with DNS address 10.0.100.11
interfaces.dnsAddress:10.0.100.11
interfaces.gatewayAddressinterfaces.gatewayAddress
Use a text value to help you find assets with a certain default gateway address.
Example
Show assets with this default gateway address
interfaces.gatewayAddress:10.11.65.1
interfaces.hostnameinterfaces.hostname
Use quotes or backticks within values to help you find the hostname.
Examples
Show any findings related to name
interfaces.hostname:xpsp2-jp-26-111
Show any findings that contain parts of name
interfaces.hostname:"xpsp2-jp-26-111"
Show any findings that match exact value "xpsp2-jp-26-111"
interfaces.hostname:`xpsp2-jp-26-111`
Show any findings related to name (we'll match super domains)
interfaces.hostname:qcentos71sqp3.rdlab.acme.com
Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`
interfaces.interfaceNameinterfaces.interfaceName
Use a text value to help you find a certain interface name.
Example
Show the asset with name PRO/1000
interfaces.interfaceName:PRO/1000
interfaces.macAddressinterfaces.macAddress
Use values within quotes to help you find a MAC address.
Example
Show the asset with this MAC address
interfaces.macAddress:"00-50-56-A9-73-5A"
agent.lastCheckedInagent.lastCheckedIn
Use a date range or specific date to define when agents last checked in to the platform. The last checked in date will be updated after agent provisioning, agent inventory and agent scan.
Examples
Show findings with last check in within a specific date range.
agent.lastCheckedIn:[2020-01-01 ... 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
agent.lastCheckedIn:[2019-11-01 ... now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago
agent.lastCheckedIn:[now-2w ... now-1s]
Show findings with last check in on a specific date
agent.lastCheckedIn:'2020-02-11'
Show findings with last check in before (older than) last 30 days.
agent.lastCheckedIn<now-30d
Note: We recommend not to use the NOT operator in your range search to form a query like NOT lastCheckedIn:[now-30d...now-2s]. See 'QQL Best Practices' topic in the Unified Dashboard online Help.
Show findings with last check in within last 30 days excluding day 30
agent.lastCheckedIn>now-30d
Show findings with last check in within last 30 days including day 30
agent.lastCheckedIn>=now-30d
Show findings with last check in which is older than last 30 days excluding day 30
agent.lastCheckedIn<now-30d
Show findings with last check in which is older than last 30 days including day 30
agent.lastCheckedIn<=now-30d
lastLocation.namelastLocation.name
Use a text value to help you find assets based on last location.
Examples
Show assets with last location as Redwood City, California - United States
lastLocation.name: `Redwood City, California - United States`
Show assets with last location with exact string
lastLocation.name: `Redwood City, California - United States`
lastLocation.continentlastLocation.continent
Use a text value to help you find assets based on continent of the last location.
Examples
Show assets with last location continent as North America
lastLocation.continent: `North America`
Show assets with last location with exact string
lastLocation.continent: `North America`
lastLocation.countrylastLocation.country
Use a text value to help you find assets based on country of the last location.
Example
Show assets with last location country as United States
lastLocation.country:United States
lastLocation.statelastLocation.state
Use a text value to help you find assets based on state of the last location.
Example
Show assets with last location state as California
lastLocation.state: California
lastLocation.citylastLocation.city
Use a text value to help you find assets with city of the last location.
Example
Show assets with last location state as Miami
lastLocation.city: Miami
lastLocation.postallastLocation.postal
Use a text value to help you find assets based on postal of the last location.
Example
Show assets with last location postal as 94065
lastLocation.postal: 94065
Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateScanner: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateScanner: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDateScanner:'2017-04-10'
lastVmScanDateScanner lastVmScanDateScanner
Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateScanner: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateScanner: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDateScanner:'2017-04-10'
lastVmScanDateAgentlastVmScanDateAgent
Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDateAgent: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateAgent: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateAgent: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDateAgent:'2017-04-10'
lastPcScanDateAgentlastPcScanDateAgent
Use a date range or specific date to define when compliance scans were last conducted. In case of a full policy compliance scan all QIDs are triggered. For custom policy compliance scan specific QIDs are triggered.
Examples
Show findings with last compliance scan within certain dates
lastPcScanDateAgent: [2017-01-01 ... 2017-02-10]
Show findings with last compliance scan starting 2016-11-01, ending 1 month ago
lastPcScanDateAgent: [2016-11-01 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastPcScanDateAgent: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
lastPcScanDateAgent:'2017-04-10'
lastPcScanDateScannerlastPcScanDateScanner
Use a date range or specific date to define when policy compliance scans were last conducted by the scanner. In case of a full policy compliance scan all QIDs are triggered. For custom policy compliance scan specific QIDs are triggered.
Examples
Show findings with last compliance scan within certain dates
lastPcScanDateScanner: [2017-01-01 ... 2017-02-10]
Show findings with last compliance scan starting 2016-11-01, ending 1 month ago
lastPcScanDateScanner: [2016-11-01 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastPcScanDateScanner: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
lastPcScanDateScanner:'2017-04-10'
lastComplianceScanDatelastComplianceScanDate
Use a date range or specific date to define when compliance scans were last conducted. In case of a full compliance scan, all QIDs are triggered. For custom compliance scan specific QIDs are triggered.
Examples
Show findings with last compliance scan within certain dates
lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
lastComplianceScanDate: [2016-10-15 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastComplianceScanDate: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
lastComplianceScanDate:'2017-02-18'
Use a date range or specific date to define when full scans were last conducted on an agent or a scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.
Examples
Show findings with last full scan within certain dates
lastFullScan:[2018-01-01 ... 2018-01-10]
Show findings with last full scan starting 2017-11-01, ending 1 month ago
lastFullScan:[2017-11-01 ... now-1M]
Show findings with last full scan starting 2 weeks ago, ending 1 second ago
lastFullScan:[now-2w ... now-1s]
Show findings with last full scan on a specific date
lastFullScan:'2018-02-08'
middlewareManifestVersionmiddlewareManifestVersion
Use the manifest version to find host assets, where middleware scan is performed using the specific manifest version.
Example
Show host assets, where middleware scan is performed with the specified manifest version
middlewareManifestVersion: "VULNSIGS-MIDDLEWARE-SCAN-2.5.884-2"
agent.lastInventoryagent.lastInventory
Use a date range or specific date to define when inventory scans were last conducted by agents.
Examples
Show findings with last inventory scan within certain dates
agent.lastInventory:[2018-01-12 ... 2018-01-20]
Show findings with last inventory scan starting 2018-01-01, ending 1 month ago
agent.lastInventory:[2018-01-01 ... now-1M]
Show findings with last inventory scan starting 3 weeks ago, ending 1 second ago
agent.lastInventory:[now-3w ... now-1s]
Show findings with last inventory scan on specific date
agent.lastInventory:'2018-02-10'
lastLoggedOnUserlastLoggedOnUser
Use a text value to help you find assets last logged into by a user of interest.
Examples
Show assets with last logon by user asmith
lastLoggedOnUser:asmith
agent.lastActivityagent.lastActivity
Use a date range or specific date to define when the last activity on the agent occurred. The last activity date will be updated after agent provisioning, and agent inventory. The date will not be updated after agent scan.
Examples
Show findings with last activity within certain dates
agent.lastActivity: [2016-01-01 ... 2016-01-10]
Show findings with last activity starting 2015-10-01, ending 1 month ago
agent.lastActivity: [2015-10-01 ... now-1M]
Show findings with last activity starting 2 weeks ago, ending 1 second ago
agent.lastActivity: [now-2w ... now-1s]
Show findings with last activity on a specific date
agent.lastActivity:'2015-12-01'
Use quotes or backticks within values to help you find the asset name.
Examples
Show any findings related to name
name:QK2K12QP3-65-53
Show any findings that contain parts of name
name:"QK2K12QP3-65-53"
Show any findings that match exact value "QK2K12QP3-65-53"
name:`QK2K12QP3-65-53`
Use a text value to define the NetBIOS name.
Examples
Show assets with this exact name (case sensitive)
netbiosName: EC2AMAZ-19OC2IT
Show assets with name starting with "EC2" (case sensitive)
netbiosName: EC2*
Show assets with name ending with "c2it" (case insensitive)
netbiosName: *c2it
openPorts.descriptionopenPorts.description
Use quotes or backticks within values to help you find the service description detected on an open port.
Examples
Show any findings with this description
openPorts.description:Windows Remote Desktop
Show any findings that contain parts of description
openPorts.description:"Windows Remote Desktop"
Show any findings that match exact value "Windows Remote Desktop"
openPorts.description:`Windows Remote Desktop`
openPorts.detectedServiceopenPorts.detectedService
Use quotes or backticks within values to help you find the detected service.
Examples
Show any findings with this service name
openPorts.detectedService:win_remote_desktop
Show any findings that contain parts of name
openPorts.detectedService:"win_remote_desktop"
Show any findings that match exact value "win_remote_desktop"
openPorts.detectedService:`win_remote_desktop`
openPorts.firstFoundopenPorts.firstFound
Use a date range or specific date to define when open ports were first found.
Examples
Show findings with open ports first found within certain dates
openPorts.firstFound:[2017-06-15 ... 2017-06-30]
Show findings with open ports first found starting 2017-06-22, ending 1 month ago
openPorts.firstFound: [2017-06-22 ... now-1M]
Show findings with open ports first found starting 2 weeks ago, ending 1 second ago
openPorts.firstFound:[now-2w ... now-1s]
Show findings with open ports first found on specific date
openPorts.firstFound:'2017-06-14'
openPorts.lastUpdatedopenPorts.lastUpdated
Use a date range or specific date to define when open ports were last updated.
Examples
Show findings with open ports last updated within certain dates
openPorts.lastUpdated:[2017-06-15 ... 2017-06-30]
Show findings with open ports last updated starting 2017-06-22, ending 1 month ago
openPorts.lastUpdated:[2017-06-22 ... now-1M]
Show findings with open ports last updated starting 2 weeks ago, ending 1 second ago
openPorts.lastUpdated:[now-2w ... now-1s]
Show findings with open ports last updated on specific date
openPorts.lastUpdated:'2018-01-14'
Use an integer value to help you find assets with some open port.
Example
Show assets with open port 80
openPorts.port:80
openPorts.protocolopenPorts.protocol
Use a text value (UDP or TCP) to define the port protocol.
Examples
Show findings found on TCP
openPorts.protocol:TCP
Show findings found on port 80 and TCP
openPorts:(port:80 AND protocol:TCP)
pendingActivationForModulespendingActivationForModules
Select the name of a module that's pending activation. Select from names in the drop-down menu.
Examples
Show assets pending activation for VM
pendingActivationForModules:VM
Show assets pending activation for VM and FIM
pendingActivationForModules:VM AND pendingActivationForModules:FIM
pcManifestVersionpcManifestVersion
Use the manifest version to find host assets, where PC scan is performed using the specific manifest version.
Example
Show host assets, where PC scan is performed with the specified manifest version.
pcManifestVersion: "VULNSIGS-PC-2.5.889-6"
Use a text value to find assets on Windows or Linux platform.
Example
Show assets on Windows platform
platform:Windows
Select the name of a cloud service provider.
Examples
Show assets synced from Amazon AWS
provider: AWS
processors.descriptionprocessors.description
Use quotes or backticks within values to help you find the processor description.
Examples
Show any findings with this description
processors.description:intel
Show any findings that contain parts of description
processors.description:"intel"
Show any findings that match exact value "intel"
processors.description:`intel`
processors.speedprocessors.speed
Use an integer value to help you find assets with a certain processor speed.
Example
Show assets with this processor speed
processors.speed:1995
processors.threadsPerCoreprocessors.threadsPerCore
Use an integer value to show the number of threads per core.
Example
Show number of threads per core
processors.threadsPerCore:1
processors.coresPerSocketprocessors.coresPerSocket
Use an integer value to show the number of cores per socket.
Example
Show number of cores per socket
processors.coresPerSocket:2
processors.numberOfSocketsprocessors.numberOfSockets
Use an integer value to show the number of sockets.
Example
Show number of sockets
processors.numberofSockets:2
processors.numberOfCpuprocessors.numberOfCpu
Use an integer value to show the number of CPUs.
Example
Show the CPUs
processors.numberofCpu:4
processors.multithreadingStatusprocessors.multithreadingStatus
Use a string value to determine the multithreading status of the processor.
Example
Show multi-threading status
processors.multithreadingStatus:"ENABLED"
Use an integer value to define the QID.
Example
Show findings with QID 90405
QID: 90405
Note: The QID token shows all assets that have the specific QID. The exclude vulnerabilities filters are not applicable for the QID token.
qualysCorrelationIDqualysCorrelationID
Use a text value #### to show assets with specific Qualys Correlation ID.
Example
Show assets with this Qualys Correlation ID
qualysCorrelationID: 0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058
Show assets without any Qualys Correlation ID
qualysCorrelationID: UNIDENTIFIED
Show assets all assets with Qualys Correlation ID
qualysCorrelationID: *
Use an integer value (0-1000) to help you find assets based on specific risk score.
Examples
Show assets with risk score 60
riskScore:60
Show assets with risk score 25
riskScore:25
scaManifestVersionscaManifestVersion
Use the manifest version to find host assets, where SCA scan is performed using the specific manifest version.
Example
Show host assets, where SCA scan is performed with the specified manifest version
scaManifestVersion: "VULNSIGS-SCA-2.5.891-2"
sensors.firstEasmScanDatesensors.firstEasmScanDate
Show a list of External Attack Surface discovered assets based on their first scan date in YYYY-MM-DD format.
Examples
Show a list of External Attack Surface discovered assets scanned for the first time on or after 2022-10-04
sensors.firstEasmScanDate >='2022-10-04'
Show a list of External Attack Surface discovered assets that are scanned for the first time before 2022-10-04
sensors.firstEasmScanDate <'2022-10-04'
Show a list of External Attack Surface discovered assets that are scanned for the first time after 2022-10-04
sensors.firstEasmScanDate > '2022-10-04'
Show a list of External Attack Surface discovered assets that are scanned for the first time on 2022-10-04
sensors.firstEasmScanDate = '2022-10-04'
sensors.lastEasmScanDatesensors.lastEasmScanDate
Shows a list of externally exposed assets based on their latest scan date in YYYY-MM-DD format.
Examples
Show a list of externally exposed assets from the latest scan on or after 2023-06-04
sensors.lastEasmScanDate >='2023-06-04'
Show a list of externally exposed assets from the latest scan before 2023-06-04
sensors.lastEasmScanDate <='2023-06-04'
Show a list of externally exposed assets from the latest scan after 2023-06-04
sensors.lastEasmScanDate >'2023-06-04'
Show a list of externally exposed assets from the latest scan on 2023-06-04
sensors.lastEasmScanDate = '2023-06-04'
services.descriptionservices.description
Use quotes or backticks within values to help you find the service description.
Examples
Show any findings with this description
services.description:Windows Event Log
Show any findings that contain parts of description
services.description:"Windows Event Log"
Show any findings that match exact value "Windows Event Log"
services.description:`Windows Event Log`
Use quotes or backticks within values to help you find the service name.
Examples
Show any findings with this name
services.name:eventlog
Show any findings that contain parts of name
services.name:"eventlog"
Show any findings that match exact value "eventlog"
services.name:`eventlog`
services.statusservices.status
Use quotes or backticks within values to help you find the service status.
Examples
Show any findings with this status
services.status:running
Show any findings that contain parts of name
services.status:"running"
Show any findings that match exact value running
services.status:`running`
software.firstFoundsoftware.firstFound
Use a date range or specific date to define when software was first found.
Examples
Show assets with software first found within certain dates
software:(firstFound:[2017-10-15 ... 2017-10-30]
Show assets with software first found starting 2017-06-22, ending 1 month ago
software:(firstFound:[2017-06-22 ... now-1M]
Show assets with software first found starting 2 weeks ago, ending 1 second ago
software:(firstFound:[now-2w ... now-1s]
Show assets with software first found on specific date
software:(firstFound:'2017-08-14'
software.lastUpdatedsoftware.lastUpdated
Use a date range or specific date to define when software was last updated in Qualys database.
Examples
Show assets with software last updated within certain dates
software:(lastUpdated:[2018-01-15 ... 2018-03-12]
Show assets with software last updated starting 2018-01-22, ending 1 month ago
software:(lastUpdated:[2018-01-22 ... now-1M]
Show assets with software last updated starting 2 weeks ago, ending 1 second ago
software:(lastUpdated:[now-2w ... now-1s]
Show assets with software last updated on specific date
software:(lastUpdated:'2018-02-16'
software.installedDatesoftware.installedDate
Use a date range or specific date to define when software was installed.
Examples
Show assets with software installed within certain dates
software:(installedDate:[2018-01-15 ... 2018-03-12]
Show assets with software installed starting 2018-01-22, ending 1 month ago
software:(installedDate:[2018-01-22 ... now-1M]
Show assets with software installed starting 2 weeks ago, ending 1 second ago
software:(installedDate:[now-2w ... now-1s]
Show assets with software installed on specific date
software:(installedDate:'2018-02-16'
software:(isPackageComponentsoftware:(isPackageComponent
Use the values true or false to define whether software is a package component.
Example
Show software that is a package component
software:(isPackageComponent:"true")
Use quotes or backticks within values to help you find the software name.
Examples
Show any findings with this name
software.name:VMware Tools
Show any findings that contain parts of name
software.name:"VMware Tools"
Show any findings that match exact value "VMware Tools"
software.name:`VMware Tools`
Find assets with certain tag and software installed
tags.name:`Cloud Agent` AND software:(name:`Cisco
AnyConnect Secure Mobility Client` AND version:`3.1.12345`)
software.versionsoftware.version
Use a text value to define the software version.
Example
Show findings with this version
software.version: 8.6.10
Find assets with certain tag and software installed
tags.name:`Cloud Agent` AND software:
(name:`Cisco AnyConnect Secure Mobility Client`
AND version:`3.1.12345`)
system.biosDescriptionsystem.biosDescription
Use quotes or backticks within values to help you find the BIOS description.
Examples
Show any findings with this description
system.biosDescription: Phoenix Technologies
Show any findings that contain parts of name
system.biosDescription: "Phoenix Technologies"
Show any findings that match exact value "Phoenix Technologies"
system.biosDescription: `Phoenix Technologies`
system.lastBootsystem.lastBoot
Use a date range or specific date to define when assets were last booted.
Examples
Show assets last booted within certain dates
system.lastBoot:[2018-01-11 ... 2018-01-23]
Show assets last booted starting 2017-10-01, ending 1 month ago
system.lastBoot:[2017-10-01 ... now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
system.lastBoot:[now-2w ... now-1s]
Show assets last booted on a specific date
system.lastBoot:'2018-03-08'
system.manufacturersystem.manufacturer
Use quotes or backticks within values to help you find the system manufacturer.
Examples
Show any findings with this name
system.manufacturer:dell
Show any findings that contain parts of name
system.manufacturer:"dell"
Show any findings that match exact value "dell"
system.manufacturer:`dell`
Use quotes or backticks within values to help you find the system model.
Examples
Show any findings with this name
system.model: optiplex
Show any findings that contain parts of name
system.manufacturer: "optiplex"
Show any findings that match exact value "optiplex"
system.manufacturer: `optiplex`
system.timezonesystem.timezone
Use a text value in quotes to find assets with a certain timezone set.
Example
Show assets with this timezone
system.timezone:-08:00
system.totalMemorysystem.totalMemory
Use an integer value to help you find assets with a certain total system memory.
Example
Show assets with this total system memory
system.totalMemory:1024
Select the tracking method for the assets (IP, DNSNAME, NETBIOS, INSTANCE_ID, and etc.)Select from names in the drop-down menu.
Examples
Show this assets tracked by IP
trackingMethod: IP
Show asset tracked by NETBIOS
trackingMethod: NETBIOS
Show assets tracked by EASM
trackingMethod: EASM
udcManifestVersionudcManifestVersion
Use the manifest version to find host assets, where UDC scan is performed using the specific manifest version.
Example
Show host assets, where UDC scan is performed with the specified manifest version
udcManifestVersion: "UDCVULNSIGS-1014"
Use a date range or specific date to define when assets were updated (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the cloud platform by an agent).
Examples
Show assets updated within certain dates
updated:[2017-12-01 ... 2018-01-10]
Show assets updated starting 2017-10-01, ending 3 months ago
updated:[2017-10-01 ... now-3M]
Show assets updated starting 2 weeks ago, ending 1 second ago
updated:[now-2w ... now-1s]
Show assets updated on a specific date
updated:'2018-03-10'
vmManifestVersionvmManifestVersion
Use the manifest version to find host assets, where VM scan is performed using the specific manifest version.
Example
Show host assets, where VM scan is performed with the specified manifest version
vmManifestVersion: "VULNSIGS-VM-0.49.0.0-18"
Use an integer value to help you find assets with a certain free volume space.
Example
Show assets with this free volume space
volumes.free:448312320
Use a text value to find assets with a certain volume name.
Example
Show assets with this volume name
volumes.name:/boot
Use an integer value to help you find assets with a certain volume size.
Example
Show assets with this volume size
volumes.size:481529856
vulnerabilitiesvulnerabilities
Choose the value * to find assets with vulnerabilities.
Example
Show all findings that have vulnerabilities
vulnerabilities:*
Asset Inventory
Use search tokens to refine your search for assets based on different asset properties.
hardware.categoryhardware.category
Use quotes or backticks within values to help you find the hardware.
Examples
Show any findings that contain parts of value
hardware.category:"Computer/Server"
Show any findings that match exact value
hardware.category:`Computer/Server`
hardware.category1hardware.category1
Use quotes or backticks within values to find assets with hardware category 1 value.
Example
Show any findings that match exact value
hardware.category1:`Computer`
hardware.category2hardware.category2
Use quotes or backticks within values to find assets with hardware category 2 value.
Example
Show any findings that match exact value
hardware.category2:`Server`
hardware.lifecycle.gahardware.lifecycle.ga
Use a date range or specific date to define a hardware general availability.
Examples
Show findings with hardware GA date in this date range
hardware.lifecycle.ga:[2019-01-01 ... 2019-01-15]
Show findings with hardware GA date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.ga:[2019-01-15 ... now-1M]
Show findings with hardware GA date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.ga:[now-2w ... now-1s]
Show findings with this hardware GA date
hardware.lifecycle.ga:'2019-03-18'
hardware.lifecycle.introhardware.lifecycle.intro
Use a date range or specific date to define a hardware introduction date.
Examples
Show findings with hardware introduction date in this date range
hardware.lifecycle.intro:[2019-01-01 ... 2019-01-15]
Show findings with hardware introduction date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.intro:[2019-01-15 ... now-1M]
Show findings with hardware introduction date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.intro:[now-2w ... now-1s]
Show findings with this hardware introduction date
hardware.lifecycle.intro:'2019-03-18'
hardware.lifecycle.eoshardware.lifecycle.eos
Use a date range or specific date to define a hardware End-of-Sale date.
Examples
Show findings with hardware End-of-Sale date in this date range
hardware.lifecycle.eos:[2019-01-01 ... 2019-01-15]
Show findings with hardware End-of-Sale date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.eos:[2019-01-15 ... now-1M]
Show findings with hardware End-of-Sale date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.eos:[now-2w ... now-1s]
Show findings with this hardware End-of-Sale date
hardware.lifecycle.eos:'2019-03-18'
hardware.lifecycle.obshardware.lifecycle.obs
Use a date range or specific date to define a hardware obsolete date.
Examples
Show findings with hardware obsolete date in this date range
hardware.lifecycle.obs:[2019-01-01 ... 2019-01-15]
Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.obs:[2019-01-15 ... now-1M]
Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.obs:[now-2w ... now-1s]
Show findings with this hardware obsolete date
hardware.lifecycle.obs:'2019-03-18'
hardware.lifecycle.stagehardware.lifecycle.stage
Use a text value in quotes to define the hardware lifecycle stage (INTRO, GA, EOS, OBS)
Example
Show End-of-Sale hardware
hardware.lifecycle.stage:"EOS"
hardware.manufacturerhardware.manufacturer
Use quotes or backticks within values to find assets having a certain hardware manufacturer.
Example
Show any findings that match exact value "Dell"
hardware.manufacturer:`Dell`
Use quotes or backticks within values to find assets having a certain hardware model.
Example
Show any findings that match exact value "e7470"
hardware.model:`De7470`
hardware.producthardware.product
Use quotes or backticks within values to find assets having a certain hardware product.
Example
Show any findings that match exact value "Latitude"
hardware.product:`Latitude`
software.architecturesoftware.architecture
Use quotes or backticks within values to help you find the software architecture, that is, 32-Bit or 64-Bit.
Example
Show any findings that match exact value
software:(architecture:`64-Bit`)
software.categorysoftware.category
Use quotes or backticks within values to help you find a software category.
Example
Show any findings that match exact value
software:(category:`Productivity > Productivity
Suites`)
software.category1software.category1
Use quotes or backticks within values to help you find the software category 1 value.
Example
Show any findings that match exact value
software:(category1:`Productivity`)
software.category2software.category2
Use quotes or backticks within values to help you find the software category 2 value.
Example
Show any findings that match exact value
software:(category2:`Productivity Suites`)
software.editionsoftware.edition
Use quotes or backticks within values to help you find the software edition.
Example
Show any findings that match exact value
software:(edition:`Professional`)
software.lifecycle.gasoftware.lifecycle.ga
Use a date range or specific date to define a software general availability date.
Examples
Show findings with software GA date in this date range
software:(lifecycle.ga:[2019-01-01 ... 2019-01-15])
Show findings with woftware GA date starting 2019-01-15, ending 1 month ago
software:(lifecycle.ga:[2019-01-15 ... now-1M])
Show findings with software GA date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.ga:[now-2w ... now-1s])
Show findings with this software GA date
software:(lifecycle.ga:'2019-03-18')
software.lifecycle.eolsoftware.lifecycle.eol
Use a date range or specific date to define an software End-of-Life date.
Examples
Show findings with software End-of-Life date in this date range
software:(lifecycle.eol:[2019-01-01 ... 2019-01-15]
Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eol:[2019-01-15 ... now-1M]
Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eol:[now-2w ... now-1s]
Show findings with this software End-of-Life date
software:(lifecycle.eol:'2019-03-18'
software.lifecycle.eossoftware.lifecycle.eos
Use a date range or specific date to define an software End-of-Support date.
Examples
Show findings with software End-of-Support date in this date range
software:(lifecycle.eos:[2019-01-01 ... 2019-01-15]
Show findings with software End-of-Support date starting 2019-01-15, ending 1 month ago
software:(lifecycle.eos:[2019-01-15 ... now-1M]
Show findings with software End-of-Support date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.eos:[now-2w ... now-1s]
Show findings with this software End-of-Support date
software:(lifecycle.eos:'2019-03-18'
software.lifecycle.stagesoftware.lifecycle.stage
Use a text value to define a software lifecycle stage that is, active, eol, obsolete.
Examples
Show findings having this software lifecycle stage
software:(lifecycle.stage:eol)
Show findings having software category Windows and software lifecycle stage "active"
software:(category:Windows AND lifecycle.stage:eol)
software.license.categorysoftware.license.category
Use text value to help you find a software license category, i.e. Open Source, Commercial.
Example
Show any findings that match exact value
software:(license.category:`Open Source`)
software.marketVersionsoftware.marketVersion
Use quotes or backticks within values to help you find a software market version, e.g. Windows OS.
Example
Show any findings that match exact value
software:(marketVersion:`7`)
software.productsoftware.product
Use a text value to define a software product name.
Example
Show findings with this exact product name
software:(product:`Office`)
software.publishersoftware.publisher
Use a text value to define a software manufacturer.
Example
Show findings with this exact software publisher
software:(publisher:`Microsoft`)
Use a text value to define a software type.
Example
Show findings having this software type
software:(type:`Installer Package`)
software.updatesoftware.update
Use a text value to define a software update version.
Example
Show findings with this exact software update version
software:(update:`16.0.1.2`)
software.license.subCategorysoftware.license.subCategory
Use text value to help you find a software license subCategory, i.e. GPL, Apache 2.0, BSD.
Example
Show any findings that match exact value
software:(license.subCategory:Apache 2.0)
Alerting
Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.
Examples
- Show this asset ID
assetId: 2918869 - Show asset IDs in this range
assetId: [3546997 .. 12945655] - Show the 2 asset IDs listed
assetId: [3546997,12945655]
criticalityScorecriticalityScore
Use an integer value (1-5) to help you find assets based on specific criticality score.
Examples
- Show assets with criticality score 5
criticalityScore:5 - Show assets with criticality score 2
criticalityScore:2
interfaces.hostnameinterfaces.hostname
Use quotes or backticks within values to help you find the hostname.
Examples
- Show any findings related to name
interfaces.hostname:xpsp2-jp-26-111 - Show any findings that contain parts of name
interfaces.hostname:"xpsp2-jp-26-111" - Show any findings that match exact value "xpsp2-jp-26-111"
interfaces.hostname:`xpsp2-jp-26-111` - Show any findings related to name (we'll match super domains)
interfaces.hostname:qcentos71sqp3.rdlab.acme.com - Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`
lastComplianceScanDatelastComplianceScanDate
Use a date range or specific date to define when compliance scans were last conducted. In case of a full compliance scan, all QIDs are triggered. For custom compliance scan specific QIDs are triggered.
Examples
- Show findings with last compliance scan within certain dates
lastComplianceScanDate: [2017-01-01 ... 2017-03-31] - Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
lastComplianceScanDate: [2016-10-15 ... now-1M] - Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastComplianceScanDate: [now-2w ... now-1s] - Show findings with last compliance scan on a specific date
lastComplianceScanDate:'2017-02-18'
Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.
Examples
- Show findings with the last vulnerability scan within certain dates
lastVmScanDateScanner: [2017-01-01 ... 2017-02-10] - Show findings with the last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateScanner: [2016-11-01 ... now-1M] - Show findings with the last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateScanner: [now-2w ... now-1s] - Show findings with the last vulnerability scan on a specific date
lastVmScanDateScanner:'2017-04-10'
Use quotes or backticks within values to help you find the asset name.
Examples
- Show any findings related to name
name:QK2K12QP3-65-53 - Show any findings that contain parts of name
name:"QK2K12QP3-65-53" - Show any findings that match exact value "QK2K12QP3-65-53"
name:`QK2K12QP3-65-53`
Use a text value to define the NetBIOS name.
Examples
- Show assets with this exact name (case sensitive
netbiosName:EC2AMAZ-19OC2IT - Show assets with name starting with "EC2" (case sensitive
netbiosName:EC2* - Show assets with name ending with "c2it" (case insensitive
netbiosName:*c2it
Use an integer value (0-1000) to help you find assets based on a specific risk score.
Examples
- Show assets with risk score 60
riskScore:60 - Show assets with risk score 25
riskScore:25
Select the tracking method for the assets (IP, DNSNAME, NETBIOS, INSTANCE_ID, and etc.)Select from names in the drop-down menu.
Examples
- Show this asset tracked by IP
trackingMethod: IP - Show asset tracked by NETBIOS
trackingMethod:NETBIOS - Show assets tracked by EASM
trackingMethod:EASM
vulnerabilities.riskFactor.cisaKEVDueDatevulnerabilities.riskFactor.cisaKEVDueDate
Use a specific date to get the list of known exploited vulnerabilities whose remediation due date is as per the CISA Catalog. The date format used is yyyy-mm-dd.
Example
List the QIDs whose CISA Due Date is 3rd May 2022
vulnerabilities.riskFactor.cisaKEVDueDate:2022-05-03
Use the values true | false to define real-time threats due to active attacks.
Examples
- Show assets with threats due to active attacks
vulnerabilities.vulnerability.threatIntel.activeAttacks: true - Show assets that don't have threats due to active attack
vulnerabilities.vulnerability.threatIntel.activeAttacks: false
Use the values true | false to define real-time threats due to CISA Exploits.
Examples
- Show assets with threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: true - Show assets that don't have threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: false
Use the values true | false to define real-time threats due to denial of service.
Examples
- Show assets with threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService: true - Show assets that don't have threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService: false
Use the values true | false to define real-time threats due to easy exploit.
Examples
- Show assets with threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit: true - Show assets that don't have threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit: false
Use the values true | false to define real-time threats due to the exploit kit.
Examples
- Show assets with threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: true - Show assets that don't have threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: false
Use quotes or backticks within values to help you find the exploit kit name. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this name
vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler - Show any findings that match the exact value
vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`
Use the values true | false to define real-time threats due to high data loss.
Examples
- Show assets with threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss: true - Show assets that don't have threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss: false
Use the values true | false to define real-time threats due to high lateral movement.
Examples
- Show assets with threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement: true - Show assets that don't have threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement: false
vulnerabilities.vulnerability.threatIntel.malwarevulnerabilities.vulnerability.threatIntel.malware
Use the values true | false to define real-time threats due to malware.
Examples
- Show assets with threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: true - Show assets that don't have threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: false
Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this name
vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ - Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
vulnerabilities.vulnerability.threatIntel.noPatchvulnerabilities.vulnerability.threatIntel.noPatch
Use the values true | false to define real-time threats due to no patch available.
Examples
- Show assets with threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: true - Show assets that don't have threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: false
Use the values true | false to define real-time threats due to public exploit.
Examples
- Show assets with threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit: true - Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit: false
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this name
vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass - Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass" - Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
vulnerabilities.vulnerability.threatIntel.zeroDayvulnerabilities.vulnerability.threatIntel.zeroDay
Use the values true | false to define real-time threats due to zero day exploit.
Examples
- Show assets with threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: true - Show assets that don't have threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: false
vulnerabilities.vulnerability.threatIntel.wormablevulnerabilities.vulnerability.threatIntel.wormable
Use the values true | false to define real-time wormable threats.
Example
- Show assets with wormable threats
vulnerabilities.vulnerability.threatIntel.wormable: "true"
Use the values true | false to define real-time threats due to predicted high risk.
Example
- Show assets with predicted high risk threat
vulnerabilities.vulnerability.threatIntel.predictedHighRisk: "true"
Use the values true | false to define real-time threats due to unauthenticated exploitation risk.
Example
- Show assets with unauthenticated exploitation threat
vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation: "true"
Use the values true | false to define real-time threats due to remote code execution risk.
Example
- Show assets with remote code execution threat
vulnerabilities.vulnerability.threatIntel.remoteCodeExecution: "true"
Use the values true | false to define real-time threats due to ransomeware vulnerability.
Example
- Show assets with ransomeware threat
vulnerabilities.vulnerability.threatIntel.ransomware: "true"
Use the values true | false to define real-time threats due to privilege escalation risk.
Example
- Show assets with privilege escalation threat
vulnerabilities.vulnerability.threatIntel.privilegeEscalation: "true"
Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.
Example
- Show assets with Solorigate/Sunburst threat
vulnerabilities.vulnerability.threatIntel.solorigateSunburst: "true"
vulnerabilities.detectionScorevulnerabilities.detectionScore
Use an integer value (0-100) to help you find vulnerabilities based on specific detection score.
Examples
- Show vulnerabilities with detection score 80
vulnerabilities.detectionScore:80 - Show vulnerabilities with detection score 25
vulnerabilities.detectionScore:25
vulnerabilities.disabledvulnerabilities.disabled
Use the values true | false to define vulnerabilities are disabled or enabled.
Example
- Show findings with vulnerabilities disabled
vulnerabilities.disabled:TRUE
vulnerabilities.firstFoundvulnerabilities.firstFound
Use the date range or specific date to define when findings were first found.
Examples
- Show findings first found within certain date
vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30] - Show findings first found starting 2015-10-01, ending 1 month ag
vulnerabilities.firstFound:[2015-10-01 ... now-1M] - Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFound:[now-2w ... now-1s] - Show findings first found on certain dat
vulnerabilities.firstFound:'2016-11-11'
vulnerabilities.ignoredvulnerabilities.ignored
Use an integer value to help you find vulnerabilities that have been marked as ignored.
Example
- Show vulnerabilities that are marked as ignore
vulnerabilities.ignored:TRUE
vulnerabilities.instancevulnerabilities.instance
Use a text value to help you find vulnerabilities found on a certain instance.
Example
- Show vulnerabilities found in this instance
vulnerabilities.instance:oracle
vulnerabilities.lastFoundvulnerabilities.lastFound
Use a date range or specific date to define when findings were last found.
Examples
- Show findings last found within certain dates
vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15] - Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFound:[2016-01-01 ... now-1M] - Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFound:[now-2w ... now-1s] - Show findings last found on certain date
vulnerabilities.lastFound:'2016-01-11' - Show findings last found within certain number of days
vulnerabilities.lastFound: [91..180] - Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
vulnerabilities: (lastFound: AND vulnerability.patchAvailable:TRUE)
vulnerabilities.nonExploitableServicevulnerabilities.nonExploitableService
Use the values true | false to define vulnerabilities that exist on non-exploitable services.
Example
- Show findings on non-exploitable services
vulnerabilities.nonExploitableService:TRUE
vulnerabilities.nonRunningKernelvulnerabilities.nonRunningKernel
Use the values true | false to view vulnerabilities found on the non-running kernel.
Examples
- Show detections found on non-running Kernel
vulnerabilities.nonRunningKernel:TRUE - Show detections found on running Kernel
vulnerabilities.nonRunningKernel:FALSE
vulnerabilities.portvulnerabilities.port
Use an integer value to help you find vulnerabilities found on a certain port.
Example
- Show vulnerabilities found on this port
vulnerabilities.port:443
vulnerabilities.protocolvulnerabilities.protocol
Use a text value (UDP or TCP) to define the port protocol.
Example
- Show vulnerabilities found on TCP protoco
vulnerabilities.protocol:TCP
vulnerabilities.severityvulnerabilities.severity
Use an integer value to view the severity level set by you to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu. If you do not set the severity level, its level will be the same as the level set by Qualys.
Example
- Show findings with severity by 5
vulnerabilities.severity:5For information about customer and Qualys severity, see Customer and Kb Severity Level
vulnerabilities.statusvulnerabilities.status
Select a status (for example, Active, Fixed, New, or Reopened) to find vulnerabilities with certain statuses. Select from names in the drop-down menu.
If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.
Example
- Show vulnerabilities with Fixed status
vulnerabilities.status:FIXED
vulnerabilities.typeDetectedvulnerabilities.typeDetected
Select a detection type (for example, Confirmed, Potential, or Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
Example
- Show findings with this type
vulnerabilities.typeDetected:Confirmed
vulnerabilities.vulnerability.criticalityvulnerabilities.vulnerability.criticality
Select a criticality (for example, "CRITICAL", "HIGH", "MEDIUM", "LOW", or "NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu. If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takes priority.
The following list of criticality defines the CVSS Score from 0.0 to 10.0:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Example
- Show vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: "HIGH"
vulnerabilities.vulnerability.cveIdsvulnerabilities.vulnerability.cveIds
Use a text value to find the CVE name.
The CVE in the query is case-sensitive and must be used in capital case.
Example
- Show findings with CVE name CVE-2015-0313
vulnerabilities.vulnerability.cveIds:CVE-2015-0313
vulnerabilities.vulnerability.descriptionvulnerabilities.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description.
Examples
- Show any findings related to description
vulnerabilities.vulnerability.description:remote code execution - Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description:"remote code execution" - Show any findings that match exact value "remote code execution
vulnerabilities.vulnerability.description:`remote code execution`
vulnerabilities.vulnerability.osvulnerabilities.vulnerability.os
Use quotes or backticks within values to help you find the operating system that was detected with vulnerabilities.
Examples
- Show any findings related to this OS value
vulnerabilities.vulnerability.os:windows - Show any findings that contain parts of OS value
vulnerabilities.vulnerability.os:"windows" - Show any findings that match exact value "windows"
vulnerabilities.vulnerability.os:`windows`
vulnerabilities.vulnerability.patchAvailablevulnerabilities.vulnerability.patchAvailable
Use the values true | false to define vulnerabilities with patches available.
Examples
- Show findings with patch available
vulnerabilities.vulnerability.patchAvailable:TRUE - Show findings with no patch available
vulnerabilities.vulnerability.patchAvailable:FALSE
vulnerabilities.vulnerabilty.qidvulnerabilities.vulnerabilty.qid
Use an integer value to define the QID.
Example
- Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.qualysPatchablevulnerabilities.vulnerability.qualysPatchable
Use the values true | false to define that can be patched at Qualys.
Examples
- Show vulnerabilities with patches available at Qualys
vulnerabilities.vulnerability.qualysPatchable:"TRUE" - Show vulnerabilities with patches not available at Qualys
vulnerabilities.vulnerability.qualysPatchable:"FALSE"
vulnerabilities.vulnerability.rebootRequiredvulnerabilities.vulnerability.rebootRequired
Use the values true | false to find vulnerabilities that need a reboot.
Example
- Show vulnerabilities that need reboot
vulnerabilities.vulnerability.rebootRequired: TRUE
vulnerabilities.vulnerability.titlevulnerabilities.vulnerability.title
Use quotes or backticks within values to help you find the title.
Examples
- Show any findings related to this title
vulnerabilities.vulnerability.title:Remote Code Execution - Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title:"Remote Code" - Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title:`Remote Code`
vulnerabilities.vulnerability.vendors.productNamevulnerabilities.vulnerability.vendors.productName
Use a text value to find the vendor product name.
Example
Show findings with this vendor product name
vulnerabilities.vulnerability.vendors.productName:Windows
vulnerabilities.vulnerability.vendors.vendorNamevulnerabilities.vulnerability.vendors.vendorName
Use a text value to find the vendor name.
Example
Show findings with this vendor name
vulnerabilities.vulnerability.vendors.vendorName:Adobe
RTIs
Use these tokens for searching Real-Time Threat Indicator (RTI) related vulnerabilities.
Use the values true | false to define real-time threats due to active attacks.
Examples
Show assets with threats due to active attacks
vulnerabilities.vulnerability.threatIntel.activeAttacks:
true
Show assets that don't have threats due to active attacks
vulnerabilities.vulnerability.threatIntel.activeAttacks:
false
Use the values true | false to define real-time threats due to CISA Exploits.
Examples
Show assets with threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:
true
Show assets that don't have threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:
false
Use the values true | false to define real-time threats due to denial of service.
Examples
Show assets with threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService:
true
Show assets that don't have threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService:
false
Use the values true | false to define real-time threats due to easy exploit.
Examples
Show assets with threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit:
true
Show assets that don't have threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit:
false
Use the values true | false to define real-time threats due to exploit kit.
Examples
Show assets with threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit:
true
Show assets that don't have threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit:
false
Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.exploitKitName:
Angler
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.exploitKitName:
`Angler`
Use the values true | false to define real-time threats due to high data loss.
Examples
Show assets with threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss:
true
Show assets that don't have threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss:
false
Use the values true | false to define real-time threats due to high lateral movement.
Examples
Show assets with threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement:
true
Show assets that don't have threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement:
false
vulnerabilities.vulnerability.threatIntel.malwarevulnerabilities.vulnerability.threatIntel.malware
Use the values true | false to define real-time threats due to malware.
Examples
Show assets with threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: true
Show assets that don't have threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: false
Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.malwareName:
TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.malwareName:
`TROJ_PDFKA.DQ`
vulnerabilities.vulnerability.threatIntel.noPatchvulnerabilities.vulnerability.threatIntel.noPatch
Use the values true | false to define real-time threats due to no patch available.
Examples
Show assets with threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: true
Show assets that don't have threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: false
Use the values true | false to define real-time threats due to public exploit.
Example
Show assets with threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit:
true
Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit:
false
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.publicExploitName:
RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
vulnerabilities.vulnerability.threatIntel.publicExploitName:
"RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.publicExploitName:
`RealVNC NULL Authentication Mode Bypass`
vulnerabilities.vulnerability.threatIntel.zeroDayvulnerabilities.vulnerability.threatIntel.zeroDay
Use the values true | false to define real-time threats due to zero day exploit.
Examples
Show assets with threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: true
Show assets that don't have threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: false
vulnerabilities.vulnerability.threatIntel.wormablevulnerabilities.vulnerability.threatIntel.wormable
Use the values true | false to define real-time wormable threats.
Examples
Show assets with wormable threats
vulnerabilities.vulnerability.threatIntel.wormable: "true"
Use the values true | false to define real-time threats due to predicted high risk.
Examples
Show assets with predicted high risk threat
vulnerabilities.vulnerability.threatIntel.predictedHighRisk:
"true"
Use the values true | false to define real-time threats due to unauthenticated exploitation risk.
Examples
Show assets with unauthenticated exploitation threat
vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation:
"true"
Use the values true | false to define real-time threats due to remote code execution risk.
Examples
Show assets with remote code execution threat
vulnerabilities.vulnerability.threatIntel.remoteCodeExecution:
"true"
Use the values true | false to define real-time threats due to ransomeware vulnerability.
Examples
Show assets with ransomeware threat
vulnerabilities.vulnerability.threatIntel.ransomware:
"true"
Use the values true | false to define real-time threats due to privilege escalation risk.
Examples
Show assets with privilege escalation threat
vulnerabilities.vulnerability.threatIntel.privilegeEscalation:
"true"
Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.
Examples
Show assets with Solorigate/Sunburst threat
vulnerabilities.vulnerability.threatIntel.solorigateSunburst:
"true"
Threat Feed
Use the and/or tokens combined with these tokens for searching a threat feed.
Use a text value to find threat feed based on categories.
Examples
Find categories that match any CVE.
categories: CVE:2020-8591
Use a text value to find threat feed based on contents.
Examples
Find content that match a product.
contents: Google
Use a date to find threat feed based publish date.
Examples
Find threat feeds that match a publish date.
publishDate: [2020-10-21 ... 2021-01-15]
Alibaba
Use these tokens when searching Alibaba assets on the Assets list.
alibaba.instance.accountIdalibaba.instance.accountId
Use a text value to define the instance id of the Alibaba cloud account.
Example
Find Alibaba instances with following account ID
alibaba.instance.accountId: 1609xxxx
alibaba.instance.dnsServeralibaba.instance.dnsServer
Use an integer value to define the Domain Name System (DNS) configurations of the instance.
Example
Find Alibaba instances of the following DNS
alibaba.instance.dnsServer: 100.xxx.x.xxx
alibaba.instance.hasAgentalibaba.instance.hasAgent
Use the boolean value, true | false to define whether the Alibaba instance has a cloud agent installed on it.
Example
Find Alibaba instances with agents
alibaba.instance.hasAgent: `true`
alibaba.instance.hostNamealibaba.instance.hostName
Use a text value to find Alibaba hostname.
Example
Find instances related to name
alibaba.instance.hostName: abc.qualys.com
alibaba.instance.imageIdalibaba.instance.imageId
Use a text value to find id of the image used during the instance creation process.
Example
Find instances related to image id
alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd
alibaba.instance.instanceIdalibaba.instance.instanceId
Use a text value to define the Alibaba instance id.
Example
Find Alibaba instances with this instance ID
alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax
alibaba.instance.instanceTypealibaba.instance.instanceType
Use a text value to define the instance type.
Example
Find Alibaba instances with this instance type
alibaba.instance.instanceType: ecs.g6e.large
alibaba.instance.interfaceIdalibaba.instance.interfaceId
Use a text value to define the identifier of the NIC.
Example
Find Alibaba instances of the following interface id
alibaba.instance.interfaceId: eni-a2dxxxxaixxxtux572
alibaba.instance.instanceStatealibaba.instance.instanceState
Use a text value to define the state of the Alibaba instance. The state of the instance can be, Running, Terminated, and Stopped.
Example
Find Alibaba instances for the following state
alibaba.instance.instanceState: Running
alibaba.instance.macAddressalibaba.instance.macAddress
Use a text value to define the MAC address.
Example
Find Alibaba instances with this MAC address
alibaba.instance.macAddress: 00:16:3e:0f:XX:XX
alibaba.instance.networkTypealibaba.instance.networkType
Select the network type to find cloud instances. The network type can be vpc or classic.
Example
Find Alibaba instances with this network type
alibaba.instance.networkType: vpc
alibaba.instance.privateIpAddressalibaba.instance.privateIpAddress
Use an integer value to define a private IPv4address or range of IPs .
Example
Find Alibaba instances with the following private IP address
alibaba.instance.privateIpAddress: 192.168.XX.XX
alibaba.instance.publicIpAddressalibaba.instance.publicIpAddress
Use an integer value to define a public IPv4address or range of IPs .
Example
Find Alibaba instances with the following private IP address
alibaba.instance.publicIpAddress: 149.xx.xx.xx
alibaba.instance.region.codealibaba.instance.region.code
Select the region code to find the alibaba cloud instances that belong to the region with specific code.
Example
Find Alibaba instances for the following region code
alibaba.instance.region.code: cn-chengdu
alibaba.instance.region.namealibaba.instance.region.name
Use a text value to define the region name.
Example
Find Alibaba instances for the following region
alibaba.instance.region.name: US (Silicon Valley)
alibaba.instance.serialNumberalibaba.instance.serialNumber
Use a text value to define the serial number of the instance.
Example
Find Alibaba instances of the following serial number
alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45
alibaba.instance.vpcCidrBlockalibaba.instance.vpcCidrBlock
Use an integer value to define the CIDR block.
Example
Find Alibaba instances of the following CIDR block
alibaba.instance.vpcCidrBlock: 172.xx.x.x/16
alibaba.instance.vpcIdalibaba.instance.vpcId
Use a text value to search all the assets with the specified VPC ID.
Example
Show all assets with this VPC ID
alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj
alibaba.instance.vswitchIdalibaba.instance.vswitchId
Use a text value to define the switch ID to which the Alibaba instance is connected.
Example
Find Alibaba instances of the following switch ID
alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd
alibaba.instance.vswitchCidrBlockalibaba.instance.vswitchCidrBlock
Use an integer value to define the CIDR block of the switch to which the Alibaba instance is connected.
Example
Find Alibaba instances of the following CIDR block of the switch
alibaba.instance.vswitchCidrBlock: 192.168.XX.XX/24
alibaba.instance.zoneIdalibaba.instance.zoneId
Use a text value to define the zone id.
Example
Find Alibaba instances of the following zone id
alibaba.instance.zoneId: cn-chengdu-a
AWS EC2
Use these tokens when searching your AWS EC2 assets on the Assets list.
- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.
aws.ec2.accountIdaws.ec2.accountId
Use a text value to find EC2 instances with a certain account ID.
Example
Find EC2 instances in that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
aws.ec2.availabilityZoneaws.ec2.availabilityZone
Use a text value to find EC2 instances by the availability zone in which the instance launched.
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
aws.ec2.hasAgentaws.ec2.hasAgent
Use the values true | false to define whether the EC2 asset has a cloud agent.
Examples
Show findings with a cloud agent
aws.ec2.hasAgent: true
Show findings without a cloud agent
aws.ec2.hasAgent: false
aws.ec2.hostnameaws.ec2.hostname
Use a text value to find the EC2 hostname.
Examples
Find instances related to name
aws.ec2.hostname: abc.qualys.com
Find instances that match exact value
aws.ec2.hostname: `abc.qualys.com`
aws.ec2.imageIdaws.ec2.imageId
Use a text value to find EC2 instances with a certain Image (AMI) ID.
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
aws.ec2.instanceIdaws.ec2.instanceId
Use a text value to find EC2 instances by the instance ID.
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
aws.ec2.instanceStateaws.ec2.instanceState
Select the name of the instance state (e.g. PENDING, RUNNING, TERMINATED, STOPPED, etc) you're interested in. Select from names in the drop-down menu.
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
aws.ec2.instanceTypeaws.ec2.instanceType
Select the type of instance you're interested in. Select from names in the drop-down menu.
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
aws.ec2.isQualysScanneraws.ec2.isQualysScanner
Use the values true | false to define whether the EC2 asset is a Qualys scanner.
Examples
Show findings where assets are scanners
aws.ec2.isQualysScanner: true
Show findings where assets are not scanners
aws.ec2.isQualysScanner: false
aws.ec2.kernelIdaws.ec2.kernelId
Use a text value to find EC2 instances by kernel ID (AKI).
Example
Find EC2 instances with this kernel ID
aws.ec2.kernelId: aki-70ab0c10
aws.ec2.launchDateaws.ec2.launchDate
Use a date range or specific date to define when the EC2 instance launched. Enter dates in yyyy-mm-dd format.
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
aws.ec2.privateDNSaws.ec2.privateDNS
Use a text value to define a private DNS address.
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal
aws.ec2.privateIpAddressaws.ec2.privateIpAddress
Use a text value to define a private IPv4 address or range of IPs.
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]
aws.ec2.publicDNSaws.ec2.publicDNS
Use a text value to define a public DNS address.
Example
Find the EC2 instance with this public DNS address
aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com
aws.ec2.publicIpAddressaws.ec2.publicIpAddress
Use a text value to define a public IPv4 address or range of IPs.
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
aws.ec2.region.codeaws.ec2.region.code
Select the code of the region from codes in the drop-down menu.
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
aws.ec2.region.nameaws.ec2.region.name
Select the name of the region from names in the drop-down menu.
Example
Find EC2 instances in the US East (N. Virginia) region
aws.ec2.region.name: US East (N. Virginia)
aws.ec2.spotInstanceaws.ec2.spotInstance
Use the values true | false to define whether your EC2 instance is a Spot instance.
Examples
Show EC2 Spot instances
aws.ec2.spotInstance: "true"
Show EC2 instances that are not Spot instances
aws.ec2.spotInstance: "false"
aws.ec2.subnetIdaws.ec2.subnetId
Use a text value to find EC2 instances by the ID of the subnet in which the interface resides.
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
Use a text value to find EC2 instances by the ID of the VPC in which the interface resides.
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
Microsoft Azure
Use these tokens when searching Microsoft Azure assets on the Assets list.
azure.vm.hasAgentazure.vm.hasAgent
Use the values true | false to define whether the Azure virtual machine you're looking for has a cloud agent installed on it.
Examples
Find Azure instances with agents
azure.vm.hasAgent `true`
azure.vm.imageOfferazure.vm.imageOffer
Use a text value to define the image offer name (i.e. UbuntuServer or WindowsServer) for images deployed from the Azure image gallery.
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
azure.vm.imagePublisherazure.vm.imagePublisher
Use a text value to define the name of the Azure virtual machine image publisher (i.e. Canonical or MicrosoftWindowsServer).
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
azure.vm.imageVersionazure.vm.imageVersion
Use a text value to define the version of the Azure virtual machine image sku you're interested in.
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
azure.vm.locationazure.vm.location
Use a text value to define the region you're interested in.
Example
Find Azure instances in this location
azure.vm.location: westus
azure.vm.macAddressazure.vm.macAddress
Use a text value to define the MAC address you're interested in.
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
Use a text value to find the Azure virtual machine name you're looking for.
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
azure.vm.platformazure.vm.platform
Use a text value to define the operating system platform (Linux or Windows) of the Azure virtual machine.
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
azure.vm.privateIpAddressazure.vm.privateIpAddress
Use a text value to define a private IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
azure.vm.publicIpAddressazure.vm.publicIpAddress
Use a text value to define a public IPv4 address or range of IPs you're interested in.
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ...
13.126.125.255]
azure.vm.resourceGroupNameazure.vm.resourceGroupName
Use a text value to define the name of the resource group you're interested in.
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Use a text value to help you find Azure VM instances with a certain virtual machine size.
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Select the name of the instance state (e.g. DEALLOCATED, RUNNING, STOPPED, etc) you're interested in. Select from names in the drop-down menu.
Example
Find running Azure instances
azure.vm.state: RUNNING
azure.vm.subnetazure.vm.subnet
Use a text value to define the Azure virtual machine subnet you're interested in.
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
azure.vm.subscriptionIdazure.vm.subscriptionId
Use a text value to define the subscription ID of the Azure virtual machine subscription.
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
azure.vm.virtualNetworkazure.vm.virtualNetwork
Use a text value to define the Azure virtual network you're looking for.
Example
Find Azure virtual network with this ID
azure.vm.virtualNetwork: mburton01-vnet
Use a text value to define the Azure virtual machine ID you're looking for.
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
Google Cloud Platform
Use these tokens when searching Google Cloud Platform assets on the Assets list.
gcp.compute.hostnamegcp.compute.hostname
Use a text value to define the hostname you're looking for.
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
gcp.compute.instanceIdgcp.compute.instanceId
Use a text value to define the Google Compute instance ID you're looking for.
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
gcp.compute.macAddressgcp.compute.macAddress
Use a text value to define the MAC address you're interested in.
Example
Find GCP instances with this MAC address
gcp.compute.macAddress: '000D3A36DDED'
gcp.compute.machineTypegcp.compute.machineType
Use a text value to define the machine type of the virtual machine instance you're interested in.
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
gcp.compute.networkgcp.compute.network
Use a text value to find GCP instances by the VPC network the instance belongs to.
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
gcp.compute.privateIpAddressgcp.compute.privateIpAddress
Use a text value to define a private IPv4 address or range of IPs you're interested in.
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 ...
10.240.0.30]
gcp.compute.projectIdgcp.compute.projectId
Use a text value to define the project ID assigned to the GCP Console project the instance belongs to.
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
gcp.compute.projectNumbergcp.compute.projectNumber
Use an integer value to define the project number assigned to the GCP Console project the instance belongs to.
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
gcp.compute.publicIpAddressgcp.compute.publicIpAddress
Use a text value to define a public IPv4 address or range of IPs you're interested in.
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 ...
104.196.57.218]
gcp.compute.zonegcp.compute.zone
Use a text value to define the zone of the GCP instance you're looking for
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
gcp.compute.stategcp.compute.state
Select the state of the GCP instance (e.g. DEALLOCATED, PENDING, RUNNING, SHUTTING DOWN, STOPPED, STOPPING, TERMINATED, etc) you're interested in. Select the state from the drop-down menu.
Examples
Find running GCP instances
gcp.compute.state: RUNNING
IBM
Use these token when searching IBM assets on the Assets list.
ibm.virtualServer.idibm.virtualServer.id
Use a text value to find IBM virtual server with a certain account ID.
Examples
Find IBM virtual server with this ID
ibm.virtualServer.id: 123741814
ibm.virtualServer.locationibm.virtualServer.location
Use a text value to find IBM virtual server with a certain location.
Examples
Find IBM virtual server with this location
ibm.virtualServer.location: dall3
ibm.virtualServer.datacenterIdibm.virtualServer.datacenterId
Use a text value to find IBM virtual server datacenter with a certain id.
Examples
Find IBM virtual server datacenter with this Id
ibm.virtualServer.datacenterId: 1854895
ibm.virtualServer.deviceNameibm.virtualServer.deviceName
Use a text value to find IBM virtual server with device name.
Examples
Find IBM virtual server with this device name
ibm.virtualServer.deviceName: virtualserver01.Qualys-Inc.cloud
ibm.virtualServer.publicIpAddressibm.virtualServer.publicIpAddress
Use a numerical value to find IBM virtual server with specific public IP address.
Examples
Find IBM virtual server with this public IP address
ibm.virtualServer.publicIpAddress: 150.238.75.107
ibm.virtualServer.privateIpAddressibm.virtualServer.privateIpAddress
Use a numerical value to find IBM virtual server with specific private IP address.
Examples
Find IBM virtual server with this private IP address
ibm.virtualServer.privateIpAddress: 10.187.94.40
ibm.virtualServer.publicVlanibm.virtualServer.publicVlan
Use a numerical value to find IBM virtual server with specific public vlan.
Examples
Find IBM virtual server with this public vlan
ibm.virtualServer.publicVlan: 1796
ibm.virtualServer.privateVlanibm.virtualServer.privateVlan
Use a numerical value to find IBM virtual server with specific private vlan.
Examples
Find IBM virtual server with this private vlan
ibm.virtualServer.privateVlan: 2236
ibm.virtualServer.domainibm.virtualServer.domain
Use a text value to find IBM virtual server with specific domain.
Examples
Find IBM virtual server with this domain
ibm.virtualServer.domain: Qualys-Inc.cloud
Oracle Cloud Compute Instance
Use these token when searching Oracle Cloud Compute Instance (OCI) assets on the Assets list.
oci.compute.ociIdoci.compute.ociId
Use a text value to search all assets with the specified OCI ID.
Examples
Show assets with this OCI ID
oci.compute.ociId: ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq
oci.compute.compartmentIdoci.compute.compartmentId
Use a text value to search all assets with the specified OCI compartment ID.
Examples
Show assets with this OCI ID
oci.compute.compartmentId: ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq
oci.compute.compartmentNameoci.compute.compartmentName
Use a text value to search all assets with the specified OCI compartment name.
Examples
Show assets with this OCI compartment name
oci.compute.compartmentName: ocid1.compartment.abc
oci.compute.displayNameoci.compute.displayName
Use a text value to search all assets with the specified display name.
Examples
Show assets with display name oracle 8
oci.compute.displayName: oracle 8
oci.compute.shapeoci.compute.shape
Use a text value to search all assets with the specified shape.
Examples
Show all assets with the shape x5-2.36.512
oci.compute.shape: x5-2.36.512
oci.compute.regionoci.compute.region
Use a text value to search all assets in the specified region.
Examples
Show all assets with the region us-east-1
oci.compute.region: us-east-1
oci.compute.regionKeyoci.compute.regionKey
Use a text value to search all assets with the specified region key.
Examples
Show all assets with the region key SYD
oci.compute.regionKey: SYD
oci.compute.regionRealmoci.compute.regionRealm
Use a text value to search all groups with the specified region realm.
Examples
Show all assets with the region realm OC1
oci.compute.regionRealm: OC1
oci.compute.availabilityDomainoci.compute.availabilityDomain
Use a text value to search all assets with the specified available domain.
Examples
Show all assets with the available domain Lhkx:US-ASHBURN-AD-1
oci.compute.availabilityDomain: Lhkx:US-ASHBURN-AD-1
oci.compute.timeCreatedoci.compute.timeCreated
Use a text value to search all assets created at the specified time.
Examples
Show all assets with the created time 2021-02-09T07:24:31.000Z (Use 2021-02-09 while searching in UI)
oci.compute.timeCreated: 2021-02-09
oci.compute.imageIdoci.compute.imageId
Use a text value to search all assets with the specified image ID.
Examples
Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID
oci.compute.imageId: ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq
oci.compute.faultDomainoci.compute.faultDomain
Use a text value to search all assets with the specified fault domain.
Examples
Show all assets with fault domain FAULT-DOMAIN-1
oci.compute.faultDomain: FAULT-DOMAIN-1
oci.compute.hostNameoci.compute.hostName
Use a text value to search all assets with the specified host name.
Examples
Show all findings with the host name oracle-8
oci.compute.hostName: oracle-8
oci.compute.canonicalRegionNameoci.compute.canonicalRegionName
Use a text value to search all assets having the specified canonical region name.
Examples
Show all assets with the canonical region name us-ashburn-1
oci.compute.canonicalRegionName: us-ashburn-1
oci.compute.isQualysScanneroci.compute.isQualysScanner
Use the values true | false to list all assets that are Qualys Scanner. Choose True to list all assets that are Qualys Scanner and choose False to list all assets that are not Qualys Scanner.
Examples
Show all assets that are Qualys Scanner
oci.compute.isQualysScanner: true
oci.vnic.vnicIdoci.vnic.vnicId
Use a text value to search all assets with the specified VNIC ID.
Examples
Show all assets with the VNIC ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vnicId: ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
Use a text value to search all assets with the specified VCN ID.
Examples
Show all assets with this VCN ID
oci.vnic.vcnId: ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.privateIpoci.vnic.privateIp
Use a text value to search all assets with the specified private IP.
Examples
Show all assets with this private IP
oci.vnic.privateIp: 10.0.0.222
oci.vnic.publicIpoci.vnic.publicIp
Use a text value to search all assets with the specified public IP.
Examples
Show all assets with this public IP
oci.vnic.publicIp: 10.0.0.222
oci.vnic.subnetIdoci.vnic.subnetId
Use a text value to find OCI instances by the ID of the subnet in which the interface resides.
Examples
Find OCI instances with this subnet ID
oci.vnic.subnetId: subnet-bc02c0d4
oci.vnic.subnetNameoci.vnic.subnetName
Use a text value to find OCI instances by the name of the subnet in which the interface resides.
Examples
Find OCI instances with this subnet name
oci.vnic.subnetName: subnet-abc
oci.vnic.vcnNameoci.vnic.vcnName
Use a text value to search all assets with the specified vcn name.
Examples
Show all assets with this vcn name
oci.vnic.vcnName: abc
oci.vnic.vlanTagoci.vnic.vlanTag
Use a text value to search all assets with the specified vlan tag.
Examples
Show all assets with the vlan tag 1
oci.vnic.vlanTag: 1
oci.vnic.macAddroci.vnic.macAddr
Use a text value to search all assets with the specified MAC address.
Examples
Show all assets with the MAC address 02:00:17:06:bd:b3
oci.vnic.macAddr: 02:00:17:06:bd:b3
oci.vnic.virtualRouterIpoci.vnic.virtualRouterIp
Use a text value to search all assets with the specified router IP.
Examples
Show all assets with the router IP 10.0.0.1
oci.vnic.virtualRouterIp: 10.0.0.1
oci.vnic.subnetCidrBlockoci.vnic.subnetCidrBlock
Use a text value to search all assets with the specified block.
Examples
Show all assets with the block 10.0.0.0/24
oci.vnic.subnetCidrBlock: 10.0.0.0/24
oci.vnic.nicIndexoci.vnic.nicIndex
Use a text value to search all assets with the specified index.
Examples
Show all assets with the index 1
oci.vnic.nicIndex: 1
oci.compute.stateoci.compute.state
Use a text value to search all assets with specific compute state.
Examples
Show all assets with the compute state Starting
oci.compute.state: STARTING
oci.compute.tenantIdoci.compute.tenantId
Use a text value to search all assets with specific tenant ID.
Examples
Show all assets with the specific tenant ID
oci.compute.tenantId: ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq
oci.compute.tenantNameoci.compute.tenantName
Use a text value to search all assets with specific tenant name.
Examples
Show all assets with the specific tenant name
oci.compute.tenantName: oraclecengg1
oci.compute.hasAgentoci.compute.hasAgent
Use the values true | false to list all assets that have cloud agents. Choose True to list all assets having cloud agents and choose False to list all assets that do not have cloud agents.
Examples
Show all assets with having cloud agent installed
oci.compute.hasAgent: true
Passive Scanner only
Use these tokens when searching assets detected by passive scanning.
Use a text value to define the asset FQDN name you're looking for.
Example
Show the asset with this FQDN
asset.fqdn:ACMENVT7.acme.com
hardware.typingConfidencehardware.typingConfidence
Use a text value to define the hardware typing confidence you're looking for, i.e. HIGH, MEDIUM, LOW.
Example
Show this hardware typing confidence
hardware.typingConfidence:HIGH
inventory.scannerIDinventory.scannerID
Use an integer value to help you find assets scanned by a certain scanner appliance ID.
Example
Show this scanner appliance ID
inventory.scannerID:345678892
inventory.scannerNameinventory.scannerName
Use a text value to help you find assets based on specific scanner appliance name.
Examples
Show assets with scanner name as ITCorp-appliance
inventory.scannerName:ITCorp-appliance
openPorts.lastFoundopenPorts.lastFound
Use a date range or specific date to define when open ports were last found.
Examples
Show open ports found within certain dates
openPorts.lastFound: [2019-01-01 ... 2019-01-15]
Show open ports found starting 2019-01-15, ending 3 months ago
openPorts.lastFound: [2019-01-15 ... now-3M]
Show open ports found starting 2 weeks ago, ending 1 second ago
openPorts.lastFound: [now-2w ... now-1s]
Show open ports found on a specific date
openPorts.lastFound:'2019-03-18'
openPort.lastUpdatedopenPort.lastUpdated
Use a date range or specific date to define when ports on assets were last updated (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the cloud platform by an agent).
Examples
Show ports updated within certain dates
openPort.lastUpdated: [2019-01-01 ... 2019-01-15]
Show ports updated starting 2019-01-15, ending 3 months ago
openPort.lastUpdated: [2019-01-15 ... now-3M]
Show ports updated starting 2 weeks ago, ending 1 second ago
openPort.lastUpdated: [now-2w ... now-1s]
Show ports updated on a specific date
openPort.lastUpdated:'2019-03-18'
Use an integer value to find assets having specific amount of total traffic in MBs (both ingress and egress).
Example
Show assets with 100 MB total traffic
traffic.total:100
traffic.ingresstraffic.ingress
Use an integer value to find assets having specific amount of ingress traffic in MBs.
Example
Show assets with 60 MB ingress traffic
traffic.ingress:60
Use an integer value to find assets having specific amount of egress traffic in MBs.
Example
Show assets with 40 MB egress traffic
traffic.egress:40
traffic.protocoltraffic.protocol
Use a text value to find assets with traffic over specific protocol.
Example
Show assets with traffic over TCP
traffic.protocol:tcp
Use a integer value to find assets with traffic over specific port.
Example
Show assets with traffic over port 80
traffic.port:80
Use a text value to find assets with traffic of a specific type (client or server).
Example
Show assets with client traffic
traffic.type:client
Use a text value to find assets with traffic of a specific family.
Example
Show assets with peer to peer traffic
traffic.family:Peer to Peer
traffic.applicationtraffic.application
Use a text value to find assets with traffic from a specific application.
Example
Show assets with traffic from BitTorrent
traffic.application:BitTorrent
traffic.servicetraffic.service
Use a text value to find assets with traffic from a specific service.
Example
Show assets with traffic from HTTP
traffic.service:http