
How to Search in Web Application Scanning

Using Tokens | Contains Search | String Matching | Full Text Search | Suffix Matching | Prefix Matching | Boolean Operators | Multiple Values | Range Searches | Date Searches | Nested Queries

Using Tokens

Enter the token, then a colon, and then the targeted value. Nested fields are dot-separated.

Examples:

asset.id:83327
webapp.lastScanAuthStatus:FAILURE
asset.name:wasui

There are many fields you can search within each resource type. Start by clicking on the resource type in List View. Then enter "and" followed by the field name and value.

Examples:

asset.name:"WebApp 538" and webapp.severity:HIGH
webapp.url:"http://test.com" and webapp.optionProfile.name:"WAS Options"
 

Contains Search

Enclose your token value in double quotation marks to match a string. Your results include any match that contains the specified value.

Examples:

asset.name:"WASUITest"

vulnerability.title:"Directory Listing"

vulnerability.ignoredBy.firstName:"Smith"

vulnerability.groupTitle:"XSS"

Exact matching

For exact string matching, enclose your targeted value in grave accent marks, also known as backticks (`<value>`). The search returns all findings whose value exactly matches the value that you specify.

Examples:

vulnerability.title:`Directory Listing`

vulnerability.owaspTopTen.name:`Broken Access Control`

vulnerability.id:`1752950`

Full Text Search

Some fields containing strings of text (like names, descriptions) allow you to use full text search and advanced search capabilities. Full text search fields do not support exact matching.


Examples:

Show detections with the specified name

vulnerability.title:'Path-Based vulnerability'

vulnerability.title:Directory Listing

Suffix matching

Suffix matching is supported for some search tokens in QQL. It is especially useful for quicker results when you search for assets by asset name, tag name, or NetBIOS name. Type the wildcard character '*' followed by the string you are looking for. The search returns name values ending with the string that you specify after '*'. Matches are not case-sensitive.

Examples:

To find asset names ending with Target1, form the following query:

asset.name:*Target1

The query returns asset names such as MDS 3410 Target1, Burp Bugcrowrd Purge Target1 and so on.

To find assets based on tag names ending with 'ScheduleTag1', form the following query:

tags.name:*ScheduleTag1

The query returns assets having tag names ending with Region East, region east, or Region EAST.

Prefix matching

Prefix matching is supported for some search tokens in QQL. It is especially useful for quicker results when you search for assets by asset name, tag name, or NetBIOS name. Type the string you are looking for followed by the wildcard character '*'. The search returns name values beginning with the string that you specify before '*'. Matches are case-sensitive.

Example: This query matches assets with an asset name starting with "WASUI".

asset.name:WASUI*

Example: This query matches assets with tag names starting with "CMB" like CMB1, CMB2.

tags.name:CMB*
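The four string-matching forms above differ only in how the value is delimited, so they are easy to mix up. The following Python sketch is an added example, not Qualys code: it classifies a single field:value term by its delimiters and applies the matching rule locally. The function names and sample candidates are constructed, and treating contains and exact matches as case-sensitive is an assumption, since the page states case rules only for suffix and prefix matching.

```python
def parse_term(term):
    """Split 'field:value' and classify the match mode from the value's delimiters."""
    field, sep, raw = term.partition(":")  # first colon only, so URLs in values survive
    if not sep or not field or not raw:
        raise ValueError(f"expected field:value, got {term!r}")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return field, "contains", raw[1:-1]   # "value"  -> contains search
    if len(raw) >= 2 and raw[0] == raw[-1] == "`":
        return field, "exact", raw[1:-1]      # `value`  -> exact match
    if raw.startswith("*") and len(raw) > 1:
        return field, "suffix", raw[1:]       # *value   -> suffix match
    if raw.endswith("*") and len(raw) > 1:
        return field, "prefix", raw[:-1]      # value*   -> prefix match
    return field, "plain", raw                # unquoted: depends on the field type


def term_matches(term, candidate):
    """Apply the term's matching rule to one candidate field value."""
    _, mode, needle = parse_term(term)
    if mode == "contains":
        return needle in candidate            # assumption: case-sensitive
    if mode == "exact":
        return candidate == needle            # assumption: case-sensitive
    if mode == "suffix":
        return candidate.lower().endswith(needle.lower())  # page: not case-sensitive
    if mode == "prefix":
        return candidate.startswith(needle)   # page: case-sensitive
    raise ValueError("plain values depend on the field type and are not modelled")
```

The asymmetry to remember is that `asset.name:*Target1` also matches a name ending in `target1`, while `asset.name:WASUI*` does not match a name beginning with `wasui`.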

Boolean Operators

Use the Boolean operator AND to broaden the scope of your search. Use OR and NOT to narrow it down.

Note: Vulnerability search tokens do not support the NOT operator.

Examples:

tags.name:`CMB1` or tags.name:`SS Targets only`
not asset.id:14916031
tags.name:`CMB1` and tags.name:`SS Targets only`


Multiple values

To match a field against values that are in, or not in, a list, use a colon (:) followed by a comma-separated list of values within square brackets. Do not use quotes around your values. This is available for all fields except analyzed fields (i.e. full text search fields).

Show confirmed vulnerabilities with severity 2 for which the detection source is not Burp.

vulnerability.severity:"2" AND vulnerability.typeDetected:"CONFIRMED_VULNERABILITY" and not (vulnerability.source:"BURP")

Range searches

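Ranges can be specified with the [lower limit .. upper limit] syntax. A square bracket [] makes that limit inclusive and a parenthesis () makes it exclusive, and the two can be combined as shown below. This is supported for numeric and date fields.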

Examples:

Greater than or equal to 123 and less than or equal to 922 - uses square brackets

vulnerability.age:[123 .. 922]

Greater than but not equal to 123 and less than but not equal to 922 - uses parentheses

vulnerability.age:(123 .. 922)

Greater than or equal to 123 and less than but not equal to 922

vulnerability.age:[123 .. 922)

Greater than but not equal to 123 and less than or equal to 922

vulnerability.age:(123 .. 922]

Greater than 922

vulnerability.age>922

Greater than or equal to 922

vulnerability.age>= 922

Less than 922

vulnerability.age < 922

Less than or equal to 1234

vulnerability.age <= 1234

Between January 1st and April 1st 2018

asset.updated:[2018-01-01 .. 2018-04-01]
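Off-by-one mistakes at the range boundaries are the usual cause of a finding missing from a report. The following Python sketch is an added example, not Qualys code: it parses the bracketed and comparison forms described above and tests a value against them, so a query can be checked against exported data before it is relied on. The function names are constructed, only integers and YYYY-MM-DD dates are handled, and date variables such as now-6M are not.

```python
import re
from datetime import date

# Bracketed form: field:[low .. high], with ( or ) marking an exclusive end.
_RANGE = re.compile(r"^([\w.]+):\s*([\[(])\s*(\S+)\s*\.\.\s*(\S+?)\s*([\])])$")
# Comparison form: field>value, field >= value, field<"2021-06-20", ...
_CMP = re.compile(r"^([\w.]+)\s*(>=|<=|>|<)\s*\"?([^\"\s]+)\"?$")


def _value(text):
    """Parse an integer or a YYYY-MM-DD date, the two range-capable kinds."""
    return int(text) if text.isdigit() else date.fromisoformat(text)


def parse_range(query):
    """Return (field, low, low_inclusive, high, high_inclusive); None means unbounded."""
    query = query.strip()
    m = _RANGE.match(query)
    if m:
        field, left, low, high, right = m.groups()
        return field, _value(low), left == "[", _value(high), right == "]"
    m = _CMP.match(query)
    if m:
        field, op, text = m.groups()
        limit, inclusive = _value(text), op.endswith("=")
        if op.startswith(">"):
            return field, limit, inclusive, None, False
        return field, None, False, limit, inclusive
    raise ValueError(f"not a range expression: {query!r}")


def in_range(query, value):
    """True if value falls inside the range the query describes."""
    _, low, low_inc, high, high_inc = parse_range(query)
    if low is not None and (value < low or (value == low and not low_inc)):
        return False
    if high is not None and (value > high or (value == high and not high_inc)):
        return False
    return True
```

For example, `in_range("vulnerability.age:[123 .. 922)", 922)` is false because the closing parenthesis excludes the upper limit, while the same value passes `vulnerability.age:[123 .. 922]`.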

Date Searches

Use a date range [start date .. end date] or a specific date or a year. Several date variables are also available.


Examples:

asset.created:[now-6M .. now]
asset.created:"2021-07-20"
asset.updated>"2021-06-20"
asset.updated:[2020-03-01 .. 2021-07-31]

Nested Queries

Use a single nested query, enclosed in parentheses, to include multiple fields in your query, as in the examples below.


Examples:

Find confirmed vulnerabilities with severity 2 for which the detection source is not Bugcrowd. 

vulnerability.severity:"2" AND vulnerability.typeDetected:"CONFIRMED_VULNERABILITY" and not (vulnerability.source:"BUGCROWD")

Find web applications with the last scan status SUBMITTED and the tag 'MS WAS 1000 Webapp' associated with them.

webapp.lastScanStatus:"SUBMITTED" AND webapp.tags.name:"MS WAS 1000 Webapp"