A complete list of tokens for writing search queries is provided below.
General | AWS EC2 | IBM | Microsoft Azure | Google Cloud Platform | Alibaba Cloud Platform | Assets | Threat Protection | Compliance | Oracle Cloud Compute Instance
Quick links: AWS EC2 | Microsoft Azure | Google Cloud Platform | Alibaba Cloud Platform | Assets | Threat Protection | Compliance
Use these tokens when searching your AWS EC2 assets on the Assets list.
- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.
Examples
Find EC2 instances that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
Examples
Show findings with a cloud agent
aws.ec2.hasAgent: true
Show findings without a cloud agent
aws.ec2.hasAgent: false
Examples
Find instances related to name
aws.ec2.hostname: abc.qualys.com
Find instances that match exact value
aws.ec2.hostname: `abc.qualys.com`
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
Examples
Show findings where assets are scanners
aws.ec2.isQualysScanner: true
Show findings where assets are not scanners
aws.ec2.isQualysScanner: false
Example
Find EC2 instances with this kernel ID
aws.ec2.kernelId: aki-70ab0c10
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]
Example
Find the EC2 instance with this public DNS address
aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
Example
Find EC2 instances in the US East (N. Virginia) region
aws.ec2.region.name: US East (N. Virginia)
Examples
Show EC2 Spot instances
aws.ec2.spotInstance: "true"
Show EC2 instances that are not Spot instances
aws.ec2.spotInstance: "false"
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
Use these token when searching IBM assets on the Assets list.
Example
Find IBM virtual server with this Id
ibm.virtualServer.id: '123741814'
Example
Find IBM virtual server with this location
ibm.virtualServer.location: 'dal13'
Example
Find IBM virtual server datacenter with this Id
ibm.virtualServer.datacenterId: '1854895'
Example
Find IBM virtual server with this device name
ibm.virtualServer.deviceName: 'virtualserver01.Qualys-Inc.cloud'
Example
Find IBM virtual server with this public IP address
ibm.virtualServer.publicIpAddress: '150.238.75.107'
Example
Find IBM virtual server with this private IP address
ibm.virtualServer.privateIpAddress: '10.187.94.40'
Example
Find IBM virtual server with this public vlan
ibm.virtualServer.publicVlan: '1796'
Example
Find IBM virtual server with this private vlan
ibm.virtualServer.privateVlan: '2236'
Example
Find IBM virtual server with this domain
ibm.virtualServer.domain: 'Qualys-Inc.cloud'
Use these tokens when searching Microsoft Azure assets on the Assets list.
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
Example
Find Azure instances in this location
azure.vm.location: westus
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
Examples
Find Azure instances with this virtual network
azure.vm.virtualNetwork: `mburton01-vnet`
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Example
Find running Azure instances
azure.vm.state: RUNNING
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
Example
Find Azure instances with cloud agent installed
azure.vm.hasAgent: true
Find Azure instances without cloud agent
azure.vm.hasAgent: false
Use these tokens when searching Google Cloud Platform assets on the Assets list.
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
Example
Find GCP instances with this MAC address
gcp.compute.macAddress: '000D3A36DDED'
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 ... 10.240.0.30]
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 ... 104.196.57.218]
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
Examples
Find running GCP instances
gcp.compute.state: RUNNING
Use these tokens when searching Alibaba Cloud Platform assets on the Assets list.
Examples
Find instances with a cloud agent
alibaba.instance.hasAgent: "true"
Show instances which do not have cloud agent installed
alibaba.instance.hasAgent: "false"
Example
Find instances with given ID
alibaba.instance.instanceId: i-a2dxxxxsxxxxxhdfax
Example
Find alibaba cloud instances with given instance type
alibaba.instance.instanceType: ecs.t5-lc2m1.nano
Examples
Find instances in a RUNNING state
alibaba.instance.instanceState: "RUNNING"
Example
Find instances related to the given image ID
alibaba.instance.imageId: ubuntu_14_0405_64_20G_alibase_20170824.vhd
Examples
Find instances with the given alibaba account ID
alibaba.instance.accountId: 587xxxxxxx
Examples
Find instances that belong to the given serial number
alibaba.instance.serialNumber: 12trexxxxr-3xx-xxx-rtg4-xxxx6t45
Example
Find instances that belong to the given region code
alibaba.instance.region.id: "ap-south-1"
Example
Find instances that belong to the given region name
alibaba.instance.region.name: "India (Mumbai)"
Example
Find instances that belong to the given zone ID
alibaba.instance.zoneId: ap-south-1b
Example
Find instances that belong to the given VPC ID
alibaba.instance.vpcId: vpc-a2d6pxxxxvvdadd5yikj
Examples
Find instances that are associate with the given hostname
alibaba.instance.hostName: abc.qualys.com
Example
Find instances that are associated with the given DNS configurations
alibaba.instance.dnsServer:100.xxx.x.xxx
Examples
Find instances with the given private IP address.
alibaba.instance.privateIpAddress:192.168.XX.XX
Find instances with the given private IP address
alibaba.instance.privateIpAddress: [192.168.XX.XX.....192.168.XX.XX]
Example
Find instances with the given public IP address
alibaba.instance.publicIpAddress:149.xx.xx.xx
Find instances with the given public IP address
alibaba.instance.publicIpAddress: [149.xx.xx.xx...
149.xx.xx.xx]
Example
Find instances with the given MAC address
alibaba.instance.macAddress: 00:16:3e:0f:XX:XX
Example
Find instances belonging to given CIDR block of VPC network
alibaba.instance.vpcCidrBlock: 172.xx.x.x/16
Example
Find instances connected with the give vSwicth ID
alibaba.instance.vswitchId: vsw-a2dxxxoxxxxsqx1mxxxdd
Examples
Find instances connected with the given interface ID
alibaba.instance.interfaceId: eni-a2dxxxxaixxxtux572
Example
Find instances connected the given CIDR block of vSwitch
alibaba.instance.vswitchCidrBlock:192.168.XX.XX/24
Example
Choose the network type to find cloud instances
alibaba.instance.networkType:vpc
All tokens below are available with AssetView.
Example
Show assets with this exact username (case sensitive)
accounts.username: Administrator
Show assets with username starting with "Admin" (case sensitive)
accounts.username: Admin
Examples
Show assets activated for VM
activatedForModules: "VM"
Show assets activated for VM and PC
activatedForModules: "VM" AND activatedForModules:
"PC"
Example
Show assets with agents activated using this key
agentActivations.key: 057cc48a-8d84-48eb-add4-97a605d0567d
Example
Show assets with active agents
agentActivations.status: ACTIVE
Examples
Show assets with active agents, where the Agent has communicated in last 48 hours
agentStatus: "ACTIVE"
Show assets with inactive agents, where the Agent has not communicated in last 48 hours
agentStatus: "INACTIVE"
Example
Show the asset with this agent ID
agentID: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Example
Show findings with agent version 1.3.2.0
agentVersion: 1.3.2.0
Example
Show this assets with this category
assetCategory: hardware
Examples
Show this asset ID
assetId: 2918869
Show asset IDs in this range
assetId: [3546997 .. 12945655]
Show the 2 asset IDs listed
assetId: [3546997,12945655]
Example
Show the list of assets that have Anti-malware enabled and have asset tag as Cloud Agent
isAntiMalwareInstalled: true and tags.name:
"Cloud Agent"
Examples
Show this assets tracked by IP
trackingMethod: IP
Show asset tracked by NETBIOS
trackingMethod: NETBIOS
configurationProfileUse quotes or backticks
within values to help you find the agent configuration profile you're
looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related
to profile name
configurationProfile:
Initial Profile
Show any findings that contain
parts of the name
configurationProfile:
"Initial Profile"
Show any findings that match
exact value
configurationProfile:
`Initial Profile`
connectors.connector.nameUse a text value
##### to define the connector name you're interested in.Example
Show findings detected by
connector name myec2
connectors.connector.name:
myec2
Note: The query result count
will include the number for terminated instances too.
cpuCountUse an integer value
##### to help you find assets with some number of CPUs.Example
Show assets that have 2 CPUs
cpuCount: 2
connectedFromUse a text value
##### to define the external IP address a cloud agent connected
from.Example
Show findings for an external
IP address that an agent connected from
connectedFrom: 10.0.100.11
createdUse a date range
or specific date to define when assets were created (i.e. when first
scanned by a scanner appliance, or when agent was installed).Examples
Show assets created within
certain dates
created: [2016-01-01
... 2016-01-10]
Show assets created starting
2015-10-01, ending 1 month ago
created: [2015-10-01
... now-1M]
Show assets created starting
2 weeks ago, ending 1 second ago
created: [now-2w
... now-1s]
Show assets created on specific
date
created:'2016-01-08'
docker.dockerVersionUse a text value
##### to define a Docker version you're looking for. Example
Show findings with this Docker
version
docker.dockerVersion:17.3
docker.noOfContainersUse an integer value
##### to help you find assets with some number of Docker
containers. The value is displayed only for VM scan or Agent scan
(and not for sensors).Example
Show findings with 2 Docker
containers
docker.noOfContainers:2
docker.noOfImagesUse an integer value
##### to help you find assets with some number of Docker
images. The value is displayed only for VM scan or Agent scan (and
not for sensors).Example
Show findings with 5 Docker
images
docker.noOfImages:5
isDockerHostUse the values true
| false to choose whether to show docker hosts or
not (only when the hosts have been scanned). Example
Show docker hosts
isDockerHost:true
docker.hasSensorUse the values true
| false to choose whether to show docker hosts that
have the Container Sensor installed.Example
Show docker hosts with container
sensor installed.
docker.hasSensor:true
errorStatusUse the values true
| false to define agents with or without error status.Example
Show agents with error status
errorStatus: "true"
fimCapableUse the values true
| false to define whether or not agents are FIM capable.
fimCapable search is not supported for all operating systems. Check
the Cloud Agent Getting Started Guide for platform/OS support.Examples
Show agents that are FIM capable
and activated for FIM
fimCapable: "true"
Show agents that are not FIM
capable but can be upgraded to FIM capability
fimCapable: "false"
hardware.categoryUse quotes or backticks
within values to help you find the hardware category you're looking
for.Examples
Show any findings that match
exact value
hardware.category:Printers/Laser
hardware.category1Use text value #####
to find assets with hardware category 1 value.Example
If you are searching for assets
that are laser printers, then category1 is Printers and category2
is Laser.
Show any findings that match
exact value
hardware.category1:Printers
hardware.category2Use text value #####
to find assets with hardware category 2 value.Example
If you are searching for assets
that are laser printers, then category1 is Printers and category2
is Laser.
Show any findings that match
exact value
hardware.category2:Laser
hardware.manufacturerUse quotes or backticks
within values to find assets having a certain hardware manufacturer.Example
Show any findings that match
exact value "Dell"
hardware.manufacturer:`Dell`
hardware.productUse quotes or backticks
within values to find assets having a certain hardware product.Example
Show any findings that match
exact value "Latitude"
hardware.product:`Latitude`
hardware.modelUse quotes or backticks
within values to find assets having a certain hardware model.Example
Show any findings that match
exact value "e7470"
hardware.model:`De7470`
hardware.lifecycle.stageUse a text value
##### in quotes to define the hardware lifecycle stage (INTRO,
GA, EOS, OBS)Example
Show End-of-Sale hardware
hardware.lifecycle.stage:"EOS"
hardware.lifecycle.obsUse a date range
or specific date to define a hardware obsolete date of interest.Examples
Show findings with hardware
obsolete date in this date range
hardware.lifecycle.obs:[2019-01-01
... 2019-01-15]
Show findings with hardware
obsolete date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.obs:[2019-01-15
... now-1M]
Show findings with hardware
obsolete date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.obs:[now-2w
... now-1s]
Show findings with this hardware
obsolete date
hardware.lifecycle.obs:'2019-03-18'
hardware.lifecycle.eosUse a date range
or specific date to define a hardware End-of-Sale date of interest.Examples
Show findings with hardware
End-of-Sale date in this date range
hardware.lifecycle.eos:[2019-01-01
... 2019-01-15]
Show findings with hardware
End-of-Sale date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.eos:[2019-01-15
... now-1M]
Show findings with hardware
End-of-Sale date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.eos:[now-2w
... now-1s]
Show findings with this hardware
End-of-Sale date
hardware.lifecycle.eos:'2019-03-18'
hardware.lifecycle.introUse a date range
or specific date to define a hardware introduction date of interest.Examples
Show findings with hardware
introduction date in this date range
hardware.lifecycle.intro:[2019-01-01
... 2019-01-15]
Show findings with hardware
introduction date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.intro:[2019-01-15
... now-1M]
Show findings with hardware
introduction date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.intro:[now-2w
... now-1s]
Show findings with this hardware
introduction date
hardware.lifecycle.intro:'2019-03-18'
hardware.lifecycle.gaUse a date range
or specific date to define a hardware general availability date of
interest.Examples
Show findings with hardware
GA date in this date range
hardware.lifecycle.ga:[2019-01-01
... 2019-01-15]
Show findings with hardware
GA date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.ga:[2019-01-15
... now-1M]
Show findings with hardware
GA date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.ga:[now-2w
... now-1s]
Show findings with this hardware
GA date
hardware.lifecycle.ga:'2019-03-18'
hostIdUse an integer value
##### to help you find the asset with a certain Qualys host
ID (UUID), assigned by an agent or a scanner appliance when Agentless
Tracking is used.Example
Show assets that have this
host ID
hostId: 2918869
interfaces.addressUse a text value
##### to define an IP address (IPv4 of IPv6) you're interested
in. Note that you cannot perform a range search since this is a text
field.Examples
Show the asset with IPv4 address
interfaces.address:
10.10.100.20
Show the asset with IPv6 address
(enclose value in single quotes)
interfaces.address:
'fe80:0:0:0:2501:b53c:4139:404b'
interfaces.dnsAddressUse a text value
##### to define a DNS address you're interested in.Example
Show the asset with DNS address
10.0.100.11
interfaces.dnsAddress:
10.0.100.11
interfaces.gatewayAddressUse a text value
##### to help you find assets with a certain default gateway
address.Example
Show assets with this default
gateway address
interfaces.gatewayAddress:
10.11.65.1
interfaces.hostnameFind the hostname you're
looking for. Search by domain name, use backticks for exact matching,
or enter a partial value with an asterisk (*) for suffix/prefix matching.Examples
Show any findings related
to name
interfaces.hostname:
xpsp2-jp-26-111
Show any findings related
to name (we'll match super domains)
interfaces.hostname:
com-pa3020-36.eng.sjc01.qualys.com
Show any findings that match
exact value
interfaces.hostname:
`xpsp2-jp-26-111`
interfaces.hostname:
`com-pa3020-36.eng.sjc01.qualys.com`
Show any findings that match
domain name
interfaces.hostname:
qualys.com
interfaces.hostname:
sjc01.qualys.com
interfaces.hostname:
eng.sjc01.qualys.com
Show any findings starting
with string (case sensitive)
interfaces.hostname:
xp*
interfaces.hostname:
com-pa30*
Show any findings ending with
string
interfaces.hostname:
*111
interfaces.hostname:
*lys.com
interfaces.interfaceNameUse a text value
##### to help you find a certain interface name.Example
Show the asset with name PRO/1000
interfaces.interfaceName:
PRO/1000
interfaces.macAddressUse values within quotes
to help you find a MAC address you're interested in.Example
Show the asset with this MAC
address
interfaces.macAddress:
"00-50-56-A9-73-5A"
lastActivityUse a date range
or specific date to define when the last activity on the agent occurred.Examples
Show findings with last activity
within certain dates
lastActivity: [2016-01-01
... 2016-01-10]
Show findings with last activity
starting 2015-10-01, ending 1 month ago
lastActivity: [2015-10-01
... now-1M]
Show findings with last activity
starting 2 weeks ago, ending 1 second ago
lastActivity: [now-2w
... now-1s]
Show findings with last activity
on a specific date
lastActivity:'2015-12-01'
lastCheckedInUse a date range or specific
date to define when the asset was last checked in to the platform.Examples
Show findings with last check
in within a specific date range.
lastCheckedIn:[2020-01-01
... 2020-01-10]
Show findings with last check
in starting 2019-11-01, ending 1 month ago.
lastCheckedIn:[2019-11-01
... now-1M]
Show findings with last check
in starting 2 weeks ago, ending 1 second ago
lastCheckedIn:[now-2w
... now-1s]
Show findings with last check
in on a specific date
lastCheckedIn:'2020-02-11'
Show findings with last check
in before (older than) last 30 days.
lastCheckedIn<now-30d
Note: We recommend not to
use the NOT operator in your range search to form a query like NOT
lastCheckedIn:[now-30d...now-2s]. See 'QQL Best Practices' topic in
the Unified Dashboard online Help.
Show findings with last check
in within last 30 days excluding day 30
lastCheckedIn>now-30d
Show findings with last check
in within last 30 days including day 30
lastCheckedIn>=now-30d
Show findings with last check
in which is older than last 30 days excluding day 30
lastCheckedIn<now-30d
Show findings with last check
in which is older than last 30 days including day 30
lastCheckedIn<=now-30d
lastComplianceScanDateUse a date range
or specific date to define when compliance scans were last conducted.Examples
Show findings with last compliance
scan within certain dates
lastComplianceScanDate:
[2017-01-01 ... 2017-03-31]
Show findings with last compliance
scan starting 2016-10-15, ending 1 month ago
lastComplianceScanDate:
[2016-10-15 ... now-1M]
Show findings with last compliance
scan starting 2 weeks ago, ending 1 second ago
lastComplianceScanDate:
[now-2w ... now-1s]
Show findings with last compliance
scan on specific date
lastComplianceScanDate:'2017-02-18'
lastFullScanUse a date range
or specific date to define when full scans (assessments) were last
conducted using Cloud Agent (CA).Examples
Show findings with last full
scan within certain dates
lastFullScan: [2016-01-01
... 2016-01-10]
Show findings with last full
scan starting 2015-10-01, ending 1 month ago
lastFullScan: [2015-10-01
... now-1M]
Show findings with last full
scan starting 2 weeks ago, ending 1 second ago
lastFullScan: [now-2w
... now-1s]
Show findings with last full
scan on a specific date
lastFullScan:'2016-02-08'
lastInventoryUse a date range
or specific date to define when inventory scans were last conducted
by agents. We recommend lastInventoryDate for date range queries using
parameters i.e. [now-1M ... now-1s]Examples
Show findings with last inventory
scan within certain dates
lastInventory: [2018-06-01
... 2018-06-10]
Show findings with last inventory
scan on specific date
lastInventory:'2018-07-25'
lastInventoryDateUse a date range
or specific date to define when inventory scans were last conducted
by agents. We recommend lastInventoryDate for date range queries using
parameters i.e. [now-1M ... now-1s]Examples
Show findings with last inventory
scan within certain dates
lastInventoryDate: [2018-05-01
... 2018-06-28]
Show findings with last inventory
scan starting 2018-06-15, ending 1 month ago
lastInventoryDate: [2018-06-15
... now-1M]
Show findings with last inventory
scan starting 3 weeks ago, ending 1 second ago
lastInventoryDate: [now-3w
... now-1s]
Show findings with last inventory
scan on specific date
lastInventoryDate:'2018-07-10'
lastLoggedOnUserUse a text value
##### to help you find assets last logged into by a user
of interest.Examples
Show assets with last logon
by user asmith
lastLoggedOnUser: asmith
lastVmScanDateUse a date range
or specific date to define when vulnerability scans were last conducted.Examples
Show findings with last vulnerability
scan within certain dates
lastVmScanDate: [2017-01-01
... 2017-02-10]
Show findings with last vulnerability
scan starting 2016-11-01, ending 1 month ago
lastVmScanDate: [2016-11-01
... now-1M]
Show findings with last vulnerability
scan starting 2 weeks ago, ending 1 second ago
lastVmScanDate: [now-2w
... now-1s]
Show findings with last vulnerability
scan on specific date
lastVmScanDate:'2017-04-10'
lastVmScanDateAgentUse a date range
or specific date to define when vulnerability scans were last conducted
on the agent.Examples
Show findings with last vulnerability
scan within certain dates
lastVmScanDateAgent:[2017-01-01
... 2017-02-10]
Show findings with last vulnerability
scan starting 2016-11-01, ending 1 month ago
lastVmScanDateAgent:[2016-11-01
... now-1M]
Show findings with last vulnerability
scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateAgent:[now-2w
... now-1s]
Show findings with last vulnerability
scan on specific date
lastVmScanDateAgent:'2017-04-10'
lastVmScanDateScannerUse a date range
or specific date to define when vulnerability scans were last conducted
on the scanner.Examples
Show findings with last vulnerability
scan within certain dates
lastVmScanDateScanner:
[2017-01-01 ... 2017-02-10]
Show findings with last vulnerability
scan starting 2016-11-01, ending 1 month ago
lastVmScanDateScanner:
[2016-11-01 ... now-1M]
Show findings with last vulnerability
scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateScanner:
[now-2w ... now-1s]
Show findings with last vulnerability
scan on specific date
lastVmScanDateScanner:'2017-04-10'
lastPcScanDateAgentUse a date range
or specific date to define when policy compliance scans were last
conducted on agent.Examples
Show findings with last policy
compliance scan within certain dates
lastPcScanDateAgent:[2017-01-01
... 2017-02-10]
Show findings with last policy
compliance scan starting 2016-11-01, ending 1 month ago
lastPcScanDateAgent:[2016-11-01
... now-1M]
Show findings with last policy
compliance scan starting 2 weeks ago, ending 1 second ago
lastPcScanDateAgent:[now-2w
... now-1s]
Show findings with last policy
compliance scan on specific date
lastPcScanDateAgent:'2017-04-10'
lastPcScanDateScannerUse a date range
or specific date to define when policy compliance scans were last
conducted on the scanner.Examples
Show findings with last policy
compliance scan within certain dates
lastPcScanDateScanner:[2017-01-01
... 2017-02-10]
Show findings with last policy
compliance scan starting 2016-11-01, ending 1 month ago
lastPcScanDateScanner:[2016-11-01
... now-1M]
Show findings with last policy
compliance scan starting 2 weeks ago, ending 1 second ago
lastPcScanDateScanner:[now-2w
... now-1s]
Show findings with last policy
compliance scan on specific date
lastPcScanDateScanner:'2017-04-10'
nameUse quotes or backticks
within values to help you find the asset name you're looking for.
Quotes can be used when the value has more than one word.Examples
Show any findings related
to name
name: QK2K12QP3-65-53
Show any findings that match
exact value
name: `QK2K12QP3-65-53`
netbiosNameUse a text value
##### to define the NetBIOS name you're interested in.Examples
Show assets with this exact
name (case sensitive)
netbiosName: EC2AMAZ-19OC2IT
Show assets with name starting
with "EC2" (case sensitive)
netbiosName: EC2
Show assets with name ending
with "c2it" (case insensitive)
netbiosName: *c2it
openPorts.descriptionUse quotes or backticks
within values to help you find the service description detected on
an open port. Quotes can be used when the value has more than one
word.Examples
Show any findings with this
description
openPorts.description:
Windows Remote Desktop
Show any findings that contain
parts of description
openPorts.description:
"Windows Remote Desktop"
Show any findings that match
exact value
openPorts.description:
`Windows Remote Desktop`
openPorts.detectedServiceUse quotes or backticks
within values to help you find the detected service you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings with this
service name
openPorts.detectedService:
win_remote_desktop
Show any findings that match
exact value
openPorts.detectedService:
`win_remote_desktop`
openPorts.firstFoundUse a date range
or specific date to define when open ports were first found.Examples
Show findings with open ports
first found within certain dates
openPorts.firstFound:
[2017-06-15 ... 2017-06-30]
Show findings with open ports
first found starting 2017-06-22, ending 1 month ago
openPorts.firstFound:
[2017-06-22 ... now-1M]
Show findings with open ports
first found starting 2 weeks ago, ending 1 second ago
openPorts.firstFound:
[now-2w ... now-1s]
Show findings with open ports
first found on specific date
openPorts.firstFound:'2017-06-14'
openPorts.lastUpdatedUse a date range
or specific date to define when open ports were last updated.Examples
Show findings with open ports
last updated within certain dates
openPorts.lastUpdated:
[2017-06-15 ... 2017-06-30]
Show findings with open ports
last updated starting 2017-06-22, ending 1 month ago
openPorts.lastUpdated:
[2017-06-22 ... now-1M]
Show findings with open ports
last updated starting 2 weeks ago, ending 1 second ago
openPorts.lastUpdated:
[now-2w ... now-1s]
Show findings with open ports
last updated on specific date
openPorts.lastUpdated:'2017-06-14'
openPorts.portUse an integer value
##### to help you find assets with some open port.Example
Show assets with open port
80
openPorts.port: 80
openPorts.protocolUse a text value
##### (UDP or TCP) to define the port protocol you're interested
in.Examples
Show findings found on TCP
openPorts.protocol:
TCP
Show findings found on port
80 and TCP
openPorts: (port: 80
AND protocol: TCP)
pendingActivationForModulesSelect the name #####
of a module that's pending activation. Select from names in the drop-down
menu.Examples
Show assets pending activation
for VM
pendingActivationForModules:
"VM"
Show assets pending activation
for VM and FIM
pendingActivationForModules:
"VM" AND pendingActivationForModules: "FIM"
processors.descriptionUse quotes or backticks
within values to help you find the processor description you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings with this
description
processors.description:
intel
Show any findings that match
exact value
processors.description:
`intel`
processors.speedUse an integer value
##### to help you find assets with a certain processor speed.Example
Show assets with this processor
speed
processors.speed: 1995
providerSelect the name #####
of a cloud service provider you're looking for. Select from names
in the drop-down menu.Examples
Show assets synced from Amazon
AWS
provider: "AWS"
qualysCorrelationIDUse a text value #### to
show assets with specific Qualys Correlation ID.Example
Show assets with this Qualys
Correlation ID
qualysCorrelationID:
"0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058"
Show assets without any Qualys
Correlation ID
qualysCorrelationID:
"UNIDENTIFIED"
Show assets all assets with
Qualys Correlation ID
qualysCorrelationID:
"*"
services.descriptionUse quotes or backticks
within values to help you find the service description you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings with this
description
services.description:
Windows Event Log
Show any findings that contain
parts of description
services.description:
"Windows Event Log"
Show any findings that match
exact value
services.description:
`Windows Event Log`
services.nameUse quotes or backticks
within values to help you find the service name you're looking for.
Quotes can be used when the value has more than one word.Examples
Show any findings with this
name
services.name: eventlog
Show any findings that match
exact value
services.name: `eventlog`
services.statusUse quotes or backticks
within values to help you find the service status you're looking for.
Quotes can be used when the value has more than one word.Examples
Show any findings with this
status
services.status: running
Show any findings that match
exact value
services.status: `running`
software.architectureUse text value #####
to help you find the software architecture you're looking for, i.e
32-Bit or 64-Bit.Example
Show any findings that match
exact value
software.architecture:64-Bit
software.editionUse text value #####
to help you find the software edition you're looking for.Example
Show any findings that match
exact value
software.edition:Professional
software.categoryUse quotes or backticks
within values to help you find a software category.Example
Show any findings that match
exact value
software.category:Application
Development/Testing
software.category1Use text value #####
to help you find the software category 1 value you're looking for.Example
If you are searching for assets
having testing software, then category1 is Application Development
and category2 is Testing.
Show any findings that match
exact value
software.category1:Application
Development
software.category2Use text value #####
to help you find the software category 2 value you're looking for.Example
If you are searching for assets
having testing software, then category1 is Application Development
and category2 is Testing.
Show any findings that match
exact value
software.category2:Testing
software.firstFoundUse a date range
or specific date to define when software was first found.Examples
Show assets with software
first found within certain dates
software.firstFound:
[2017-06-15 ... 2017-06-30]
Show assets with software
first found starting 2017-06-22, ending 1 month ago
software.firstFound:
[2017-06-22 ... now-1M]
Show assets with software
first found starting 2 weeks ago, ending 1 second ago
software.firstFound:
[now-2w ... now-1s]
Show assets with software
first found on specific date
software.firstFound:'2017-06-14'
software.lastUpdatedUse a date range
or specific date to define when software was last updated in the Qualys
database.Examples
Show assets with software
last updated within certain dates
software.lastUpdated:
[2017-06-15 ... 2017-06-30]
Show assets with software
last updated starting 2017-06-22, ending 1 month ago
software.lastUpdated:
[2017-06-22 ... now-1M]
Show assets with software
last updated starting 2 weeks ago, ending 1 second ago
software.lastUpdated:
[now-2w ... now-1s]
Show assets with software
last updated on specific date
software.lastUpdated:'2017-06-14'
software.installedDateUse a date range
or specific date to define when software was installed.Examples
Show assets with software
installed within certain dates
software.installedDate:[2018-01-15
... 2018-03-12]
Show assets with software
installed starting 2018-01-22, ending 1 month ago
software.installedDate:[2018-01-22
... now-1M]
Show assets with software
installed starting 2 weeks ago, ending 1 second ago
software.installedDate:[now-2w
... now-1s]
Show assets with software
installed on specific date
software.installedDate:'2018-02-16'
software.marketVersionUse text value #####
to help you find a software market version, e.g. Windows OS.Example
Show any findings that match
exact value
software.marketVersion:7
software.majorVersionUse a text value
##### to define the major software version you're interested
in.Example
Show any findings that match
exact value
software.majorVersion:1.19.0.0
software.nameUse quotes or backticks
within values to help you find the software name you're looking for.
Quotes can be used when the value has more than one word.Examples
Show any findings with this
name
software.name: VMware
Tools
Show any findings that contain
parts of name
software.name: "VMware
Tools"
Show any findings that match
exact value
software.name: `VMware
Tools`
Find assets with certain tag
and software installed
tags.name: `Cloud
Agent` AND software: (name: `Cisco AnyConnect Secure
Mobility Client` AND version: `3.1.12345`)
software.productUse a text value
##### to define a software product name you're looking for.Example
Show findings with this exact
product name
software.product:Office
software.publisherUse a text value
##### to define a software manufacturer you're looking for.Example
Show findings with this exact
software publisher
software.publisher:Microsoft
software.typeUse a text value
##### to define a software type of interest.Example
Show findings having this
software type
software.type:Installer
Package
software.updateUse a text value
##### to define a software update version of interest.Example
Show findings with this exact
software update version
software.update:16.0.1.2
software.versionUse a text value
##### to define the software version you're interested in.
Note that you cannot perform a range search since this is a text field.Example
Show findings with this version
software.version: 8.6.10
Find assets with certain tag
and software installed
tags.name: `Cloud
Agent` AND software: (name: `Cisco AnyConnect Secure
Mobility Client` AND version: `3.1.12345`)
software.lifecycle.stageUse a text value
##### to define a software lifecycle stage you're looking
for, i.e. active, eol, obsolete.Examples
Show findings having this
software lifecycle stage
software:(lifecycle.stage:eol)
Show findings having software
category Windows and software lifecycle stage "active"
software:(category:Windows
AND lifecycle.stage:eol)
software.lifecycle.gaUse a date range
or specific date to define a software general availability date of
interest.Examples
Show findings with software
GA date in this date range
software:(lifecycle.ga:[2019-01-01
... 2019-01-15])
Show findings with woftware
GA date starting 2019-01-15, ending 1 month ago
software:(lifecycle.ga:[2019-01-15
... now-1M])
Show findings with software
GA date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.ga:[now-2w
... now-1s])
Show findings with this software
GA date
software:(lifecycle.ga:'2019-03-18')
software.lifecycle.eolUse a date range
or specific date to define an software End-of-Life date of interest.Examples
Show findings with software
End-of-Life date in this date range
software.lifecycle.eol:[2019-01-01
... 2019-01-15]
Show findings with software
End-of-Life date starting 2019-01-15, ending 1 month ago
software.lifecycle.eol:[2019-01-15
... now-1M]
Show findings with software
End-of-Life date starting 2 weeks ago, ending 1 second ago
software.lifecycle.eol:[now-2w
... now-1s]
Show findings with this software
End-of-Life date
software.lifecycle.eol:'2019-03-18'
software.lifecycle.eosUse a date range
or specific date to define an software End-of-Support date of interest.Examples
Show findings with software
End-of-Support date in this date range
software.lifecycle.eos:[2019-01-01
... 2019-01-15]
Show findings with software
End-of-Support date starting 2019-01-15, ending 1 month ago
software.lifecycle.eos:[2019-01-15
... now-1M]
Show findings with software
End-of-Support date starting 2 weeks ago, ending 1 second ago
software.lifecycle.eos:[now-2w
... now-1s]
Show findings with this software
End-of-Support date
software.lifecycle.eos:'2019-03-18'
software.license.subcategoryUse text value #####
to help you find a software license subcategory, i.e. GPL, Apache
2.0, BSD.Example
Show any findings that match
exact value
software:(license.subcategory:Apache
2.0)
software.license.categoryUse text value #####
to help you find a software license category, i.e. Open Source, Commercial.Example
Show any findings that match
exact value
software:(license.category:`Open
Source`)
system.biosDescriptionUse quotes or backticks
within values to help you find the BIOS description you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings with this
description
system.biosDescription:
Phoenix Technologies
Show any findings that contain
parts of name
system.biosDescription:
"Phoenix Technologies"
Show any findings that match
exact value
system.biosDescription:
`Phoenix Technologies`
system.lastBootUse a date range
or specific date to define when assets were last booted.Examples
Show assets last booted within
certain dates
system.lastBoot: [2016-01-01
... 2016-01-10]
Show assets last booted starting
2015-10-01, ending 1 month ago
system.lastBoot: [2015-10-01
... now-1M]
Show assets last booted starting
2 weeks ago, ending 1 second ago
system.lastBoot: [now-2w
... now-1s]
Show assets last booted on
a specific date
system.lastBoot:'2016-01-08'
system.manufacturerUse quotes or backticks
within values to help you find the system manufacturer you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings with this
name
system.manufacturer:
dell
Show any findings that match
exact value
system.manufacturer:
`dell`
system.modelUse quotes or backticks
within values to help you find the system model you're looking for.
Quotes can be used when the value has more than one word.Examples
Show any findings with this
name
system.model: optiplex
Show any findings that match
exact value
system.model: `optiplex`
system.timezoneUse a text value
##### in quotes to find assets with a certain timezone set.Example
Show assets with this timezone
system.timezone: "-08:00"
system.totalMemoryUse an integer value
##### to help you find assets with a certain total system
memory.Example
Show assets with this total
system memory
system.totalMemory:
1024
udcManifestAssignedUse the values true
| false to find assets with PC agents assigned a
UDC manifest. Assets are found when agents have the PC module enabled
and one or more user defined controls have been added to your subscription.Examples
Show assets with agents assigned
a UDC manfest
udcManifestAssigned:
"true"
Show assets with agents not
assigned a UDC manifest
udcManifestAssigned:
"false"
updatedUse a date range
or specific date to define when assets were updated (i.e. when re-scanned
by a scanner appliance, or when host data uploaded to the cloud platform
by an agent).Examples
Show assets updated within
certain dates
updated: [2016-01-01
... 2016-01-10]
Show assets updated starting
2015-10-01, ending 3 months ago
updated: [2015-10-01
... now-3M]
Show assets updated starting
2 weeks ago, ending 1 second ago
updated: [now-2w
... now-1s]
Show assets updated on a specific
date
updated:'2016-01-10'
volumes.freeUse an integer value
##### to help you find assets with a certain free volume
space.Example
Show assets with this free
volume space
volumes.free: 448312320
volumes.nameUse a text value
##### to find assets with a certain volume name.Example
Show assets with this volume
name
volumes.name: /boot
volumes.sizeUse an integer value
##### to help you find assets with a certain volume size.Example
Show assets with this volume
size
volumes.size: 481529856
vulnerabilitiesChoose the value * to find
assets with vulnerabilities.Example
Show all findings that have
vulnerabilities
vulnerabilities: *
vulnerabilities.firstFoundUse a date range
or specific date to define when findings were first found.Examples
Show findings first found
within certain dates
vulnerabilities.firstFound:
[2015-10-21 ... 2015-10-30]
Show findings first found
starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFound:
[2015-10-01 ... now-1M]
Show findings first found
starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFound:
[now-2w ... now-1s]
Show findings first found
on certain date
vulnerabilities.firstFound:'2015-11-11'
vulnerabilities.lastFoundUse a date range
or specific date to define when findings were last found.Examples
Show findings last found within
certain dates
vulnerabilities.lastFound:
[2015-10-21 ... 2016-01-15]
Show findings last found starting
2016-01-01, ending 1 month ago
vulnerabilities.lastFound:
[2016-01-01 ... now-1M]
Show findings last found starting
2 weeks ago, ending 1 second ago
vulnerabilities.lastFound:
[now-2w ... now-1s]
Show findings last found on
certain date
vulnerabilities.lastFound:'2016-01-11'
Show findings last found on
2017-01-12 with patch available
vulnerabilities: (lastFound:
'2017-01-12' AND vulnerability.patchAvailable: "true")
vulnerabilities.typeDetectedSelect a detection type (e.g.
Confirmed, Potential, Information) to find assets with vulnerabilities
of this type. Select from names in the drop-down menu. Example
Show findings with this type
vulnerabilities.typeDetected:
"Confirmed"
vulnerabilities.nonExploitableKernelUse the values true
| false to define vulnerabilities that exist on non
exploitable kernels.Examples
Show findings on non-exploitable
kernels
vulnerabilities.nonExploitableKernel:TRUE
vulnerabilities.nonExploitableConfigUse the values true
| false to list vulnerabilities that exist on non
exploitable configuration.Examples
Show findings on non-exploitable
config
vulnerabilities.nonExploitableConfig:TRUE
vulnerabilities.nonExploitableServiceUse the values true
| false to list vulnerabilities that exist on non
exploitable services.Examples
Show findings on non-exploitable
services
vulnerabilities.nonExploitableService:TRUE
vulnerabilities.vulnerability.authTypesSelect the name (WINDOWS_AUTH,
UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested
in. Select from names in the drop-down menu.Example
Show findings with Windows
auth type
vulnerabilities.vulnerability.authTypes:
"WINDOWS_AUTH"
vulnerabilities.vulnerability.bugTraqIdsUse a text value
##### to find a BugTraq number you're interested in.Example
Show findings with BugTraq
ID 22211
vulnerabilities.vulnerability.bugTraqIds:
22211
vulnerabilities.vulnerability.categorySelect a category (CGI, Database,
DNS, BIND, etc) to find vulnerabilities with this category. Select
from names in the drop-down menu.Example
Show findings with the category
CGI
vulnerabilities.vulnerability.category:
"CGI"
vulnerabilities.vulnerability.compliance.descriptionUse quotes or backticks
within values to help you find the compliance description you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings related
to this description
vulnerabilities.vulnerability.compliance.description:
malicious software
Show any findings that contain
"malicious" or "software" in description
vulnerabilities.vulnerability.compliance.description:
"malicious software"
Show any findings that match
exact value
vulnerabilities.vulnerability.compliance.description:
`malicious software`
vulnerabilities.vulnerability.compliance.sectionUse quotes or backticks
within values to help you find the compliance section you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings related
to this section
vulnerabilities.vulnerability.compliance.section:
164.308
Show any findings that match
exact value
vulnerabilities.vulnerability.compliance.section:
`164.308`
vulnerabilities.vulnerability.compliance.typeSelect the name #####
of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA,
SOX). Select from names in the drop-down menu.Example
Show findings with the compliance
type HIPAA
vulnerabilities.vulnerability.compliance.type:
"HIPAA"
vulnerabilities.vulnerability.consequenceUse quotes or backticks
within values to help you find the consequence you're looking for.
Quotes can be used when the value has more than one word.Examples
Show any findings related
to consequence
vulnerabilities.vulnerability.consequence:
sensitive information
Show any findings that contain
"sensitive" or "information" in consequence
vulnerabilities.vulnerability.consequence:
"sensitive information"
Show any findings that match
exact value
vulnerabilities.vulnerability.consequence:
`sensitive information`
vulnerabilities.vulnerability.cveIdsUse a text value
##### to find the CVE name you're interested in.Example
Show findings with CVE name
CVE-2015-0313
vulnerabilities.vulnerability.cveIds:
CVE-2015-0313
Note: The CVE in the query
is case sensitive and must be used in capital case.
vulnerabilities.vulnerability.cvssInfo.accessVectorSelect the name #####
of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS,
ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.Example
Show findings with this name
vulnerabilities.vulnerability.cvssInfo.accessVector:
"NETWORK"
vulnerabilities.vulnerability.cvssInfo.baseScoreUse an integer value
##### to help you find the CVSS base score you're interested
in.Example
Show assets with this score
vulnerabilities.vulnerability.cvssInfo.baseScore:
7.8
vulnerabilities.vulnerability.cvssInfo.temporalScoreUse an integer value
##### to help you find the CVSS temporal score you're interested
in.Example
Show assets with this score
vulnerabilities.vulnerability.cvssInfo.temporalScore:
6.4
vulnerabilities.vulnerability.descriptionUse quotes or backticks
within values to help you find the vulnerability description you're
looking for. Quotes can be used when the value has more than one word.Examples
Show any findings related
to description
vulnerabilities.vulnerability.description:
remote code execution
Show any findings that contain
"remote" or "code" in description
vulnerabilities.vulnerability.description:
"remote code execution"
Show any findings that match
exact value
vulnerabilities.vulnerability.description:
`remote code execution`
vulnerabilities.vulnerability.discoveryTypesSelect a discovery type (Remote
or Authenticated) to find assets with vulnerabilities having this
discovery type. Select from names in the drop-down menu.Example
Show findings with Remote
discovery type
vulnerabilities.vulnerability.discoveryTypes:
Remote
vulnerabilities.vulnerability.exploitabilityUse quotes or backticks
within values to help you find known exploit description you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings related
to this description
vulnerabilities.vulnerability.exploitability:
GIF Parser Heap
Show any findings that contain
"GIF", "Parser" or "Heap" in description
vulnerabilities.vulnerability.exploitability:
"GIF Parser Heap"
Show any findings that match
exact value
vulnerabilities.vulnerability.exploitability:
`GIF Parser Heap`
vulnerabilities.vulnerability.flagsUse a text value
##### to find the Qualys defined vulnerability property of
interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH etc, PCI_RELATED).Example
Show findings with this property
vulnerabilities.vulnerability.flags:
PCI_RELATED
vulnerabilities.vulnerability.impactUse quotes or backticks within
values to help you find the impact you're looking for.Example
Show any findings related
to impact
vulnerabilities.vulnerability.impact:
sensitive information
Show any findings that contain
"sensitive" or "information" in consequence
vulnerabilities.vulnerability.impact:
"sensitive information"
Show any findings that match
exact value "sensitive information"
vulnerabilities.vulnerability.impact:
'sensitive information'
vulnerabilities.vulnerability.listsUse a text value
##### to find the vulnerability list of interest (e.g. SANS_20,
QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).Example
Show findings with vulnerabilities
in SANS Top 20
vulnerabilities.vulnerability.lists:
SANS_20
vulnerabilities.vulnerability.osUse quotes or backticks
within values to help you find the operating system vulnerabilities
were detected on. Quotes can be used when the value has more than
one word.Examples
Show any findings related
to this OS value
vulnerabilities.vulnerability.os:
windows
Show any findings that match
exact value
vulnerabilities.vulnerability.os:
`windows`
vulnerabilities.vulnerability.patchAvailableUse the values true
| false to define vulnerabilities with patch available.Examples
Show findings with patch available
vulnerabilities.vulnerability.patchAvailable:
"true"
Show findings with no patch
available
vulnerabilities.vulnerability.patchAvailable:
"false"
vulnerabilities.vulnerability.patchesUse an integer value
##### to help you find the patch QID you're interested in.Example
Show assets with this patch
QID
vulnerabilities.vulnerability.patches:
90753
vulnerabilities.vulnerability.publishedUse a date range
or specific date to define when vulnerabilities were first published
in the KnowledgeBase.Examples
Show findings for vulnerabilities
published within certain dates
vulnerabilities.vulnerability.published:
[2015-10-21 ... 2016-01-15]
Show findings for vulnerabilities
published starting 2016-01-01, ending 1 month ago
vulnerabilities.vulnerability.published:
[2016-01-01 ... now-1M]
Show findings for vulnerabilities
published starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.published:
[now-2w ... now-1s]
Show findings for vulnerabilities
published on certain date
vulnerabilities.vulnerability.published:'2015-07-15'
vulnerabilities.vulnerability.qidUse an integer value
##### to filter assets with specific QID. By default, the
results exclude the vulnerabilities with the Fixed status.Example
Show findings with QID 90405
vulnerabilities.vulnerability.qid:
90405
vulnerabilities.vulnerability.riskUse an integer value
##### to define the vulnerability risk rating you're interested
in. For confirmed and potential issues risk is 10 times severity,
for information gathered it is severity.Example
Show findings with risk 50
vulnerabilities.vulnerability.risk:
50
vulnerabilities.vulnerability.sans20CategoriesUse a text value
##### to find vulnerabilities in the SANS 20 category you're
interested in (e.g. Anti-virus Software, Backup Software, etc).Example
Show findings with this category
name
vulnerabilities.vulnerability.sans20Categories:
"Media Players"
vulnerabilities.severitySelect a severity (1-5) to
find assets having vulnerabilities with this severity. Select from
values in the drop-down menu.Example
Show findings with severity
4
vulnerabilities.severity:
"4"
vulnerabilities.vulnerability.solutionUse quotes or backticks
within values to help you find the solution you're looking for. Quotes
can be used when the value has more than one word.Examples
Show any findings related
to this solution
vulnerabilities.vulnerability.solution:
Bulletin MS10-006
Show any findings that contain
parts of solution
vulnerabilities.vulnerability.solution:
"Bulletin MS10-006"
Show any findings that match
exact value
vulnerabilities.vulnerability.solution:
`Bulletin MS10-006`
vulnerabilities.vulnerability.titleUse quotes or backticks
within values to help you find the title you're looking for. Quotes
can be used when the value has more than one word.Examples
Show any findings related
to this title
vulnerabilities.vulnerability.title:
Remote Code Execution
Show any findings that contain
"Remote" or "Code" in title
vulnerabilities.vulnerability.title:
"Remote Code"
Show any findings that match
exact value
vulnerabilities.vulnerability.title:
`Remote Code`
vulnerabilities.vulnerability.typesSelect a detection type (e.g.
Vulnerability, Potential, Information) to find assets with vulnerabilities
of this type. Select from names in the drop-down menu. Example
Show findings with this type
vulnerabilities.vulnerability.types:
"VULNERABILITY"
vulnerabilities.vulnerability.updatedUse a date range
or specific date to define when vulnerabilities were updated in the
KnowledgeBase.Examples
Show vulnerabilities updated
within certain dates
vulnerabilities.vulnerability.updated:
[2015-10-21 ... 2015-10-30]
Show vulnerabilities updated
starting 2015-11-01, ending 1 month ago
vulnerabilities.vulnerability.updated:
[2015-11-01 ... now-1M]
Show vulnerabilities updated
stating 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.updated:
[now-2w ... now-1s]
Show vulnerabilities updated
on certain date
vulnerabilities.vulnerability.updated:
'2015-03-08'
vulnerabilities.vulnerability.vendorRefsUse a text value
##### to find the vendor reference you're interested in.Example
Show findings with this reference
vulnerabilities.vulnerability.vendorRefs:
KB3021953
vulnerabilities.vulnerability.qualysPatchableUse the values true
| false to search for vulnerabilities that can be
patched at Qualys.Examples
Show vulnerabilities with
patch available at Qualys
vulnerabilities.vulnerability.qualysPatchable:
"true"
Show vulnerabilities with
patch not available at Qualys
vulnerabilities.vulnerability.qualysPatchable:
"false"
vulnerabilities.vulnerability.criticalitySelect a criticality (e.g.
"CRITICAL","HIGH","MEDIUM","LOW","NONE")
to find assets with vulnerabilities of this type. Select from names
in the drop-down menu. Examples
Show vulnerabilities with
HIGH criticality
vulnerabilities.vulnerability.criticality:
"HIGH"
andUse a boolean query
to express your query using AND logic.Example
Show assets with operating
system Windows and Linux
operatingSystem: windows
and operatingSystem: linux
Example
Show assets that don't have Windows operating system
not operatingSystem: windows
orUse a boolean query
to express your query using OR logic.Example
Show assets with one of these
tag names
tag.name: Cloud
Agent or tag.name: HQ
Example
Show host assets, where VM scan is performed with the specified manifest version
vmManifestVersion: "VULNSIGS-VM-0.49.0.0-18"
Example
Show host assets, where PC scan is performed with the specified manifest version
pcManifestVersion: "VULNSIGS-PC-2.5.889-6"
Example
Show host assets, where SCA scan is performed with the specified manifest version
scaManifestVersion: "VULNSIGS-SCA-2.5.891-2"
Example
Show host assets, where UDC scan is performed with the specified manifest version
udcManifestVersion: "UDCVULNSIGS-1014"
Example
Show host assets, where middleware scan is performed with the specified manifest version
middlewareManifestVersion: "VULNSIGS-MIDDLEWARE-SCAN-2.5.884-2"
Examples
Show assets that has at least one of the software components from the list, is identified.
swCAIdealCandidate: "true"
Show assets where none of the software components from the list are identified.
swCAIdealCandidate: "false"
Threat Protection(For Threat Protection users)
Use these tokens for searching Real-Time Threat Indicators (RTI).
vulnerabilities.vulnerability.threatIntel.activeAttacksUse the values true
| false to define real-time threats due to active
attacks.Example
Show assets with threats due
to active attacks
vulnerabilities.vulnerability.threatIntel.activeAttacks:
"true"
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulnsUse the values true
| false to define real-time threats due to CISA exploits.Example
Show assets with threats due
CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:
"true"
Show assets that don't have
threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:
"false"
vulnerabilities.vulnerability.threatIntel.denialOfServiceUse the values true
| false to define real-time threats due to denial
of service.Example
Show assets with threats due
to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService:
"true"
vulnerabilities.vulnerability.threatIntel.easyExploitUse the values true
| false to define real-time threats due to easy exploit.Example
Show assets with threats due
to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit:
"true"
vulnerabilities.vulnerability.threatIntel.exploitKitUse the values true
| false to define real-time threats due to exploit
kit.Example
Show assets with threats due
to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit:
"true"
vulnerabilities.vulnerability.threatIntel.exploitKitNameUse quotes or backticks
within values to help you find the exploit kit name you're looking
for. Quotes can be used when the value has more than one word.Examples
Show any findings with this
name
vulnerabilities.vulnerability.threatIntel.exploitKitName:
Angler
Show any findings that match
exact value
vulnerabilities.vulnerability.threatIntel.exploitKitName:
`Angler`
vulnerabilities.vulnerability.threatIntel.highDataLossUse the values true
| false to define real-time threats due to high data
loss.Example
Show assets with threats due
to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss:
"true"
vulnerabilities.vulnerability.threatIntel.highLateralMovementUse the values true
| false to define real-time threats due to high lateral
movement.Example
Show assets with threats due
to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement:
"true"
vulnerabilities.vulnerability.threatIntel.malwareUse the values true
| false to define real-time threats due to malware.Example
Show assets with threats due
to malware
vulnerabilities.vulnerability.threatIntel.malware:
"true"
vulnerabilities.vulnerability.threatIntel.malwareNameUse quotes or backticks
within values to help you find the malware name you're looking for.
Quotes can be used when the value has more than one word.Examples
Show any findings with this
name
vulnerabilities.vulnerability.threatIntel.malwareName:
TROJ_PDFKA.DQ
Show any findings that match
exact value
vulnerabilities.vulnerability.threatIntel.malwareName:
`TROJ_PDFKA.DQ`
vulnerabilities.vulnerability.threatIntel.noPatchUse the values true
| false to define real-time threats due to no patch
available.Example
Show assets with threats due
to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch:
"true"
vulnerabilities.vulnerability.threatIntel.publicExploitUse the values true
| false to define real-time threats due to public
exploit.Example
Show assets with threats due
to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit:
"true"
vulnerabilities.vulnerability.threatIntel.publicExploitNameUse quotes or backticks
within values to help you find the public exploit name of interest.
Quotes can be used when the value has more than one word.Examples
Show any findings with this
name
vulnerabilities.vulnerability.threatIntel.publicExploitName:
RealVNC NULL Authentication Mode Bypass
Show any findings that contain
parts of name
vulnerabilities.vulnerability.threatIntel.publicExploitName:
"RealVNC NULL Authentication Mode Bypass"
Show any findings that match
exact value
vulnerabilities.vulnerability.threatIntel.publicExploitName:
`RealVNC NULL Authentication Mode Bypass`
vulnerabilities.vulnerability.threatIntel.zeroDayUse the values true
| false to define real-time threats due to zero day
exploit.Example
Show assets with threats due
to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay:
"true"
vulnerabilities.vulnerability.threatIntel.wormableUse the values true
| false to define real-time wormable threats.Examples
Show assets with wormable
threats
vulnerabilities.vulnerability.threatIntel.wormable:
"true"
vulnerabilities.vulnerability.threatIntel.predictedHighRiskUse the values true
| false to define real-time threats due to predicted
high risk.Examples
Show assets with predicted
high risk threat
vulnerabilities.vulnerability.threatIntel.predictedHighRisk:
"true"
vulnerabilities.vulnerability.threatIntel.ransomwareUse the values true |
false to define real-time threats due to ransomeware vulnerability.Examples
Show assets with ransomeware
threat
vulnerabilities.vulnerability.threatIntel.ransomware:
"true"
vulnerabilities.vulnerability.threatIntel.solorigateSunburstUse the values true
| false to filter real-time threats due to Solorigate
Sunburst risk. Examples
Show assets with Solorigate
Sunburst threat
vulnerabilities.vulnerability.threatIntel.solorigateSunburst:
"true"
ComplianceUse these tokens for searching
compliance policies.
statementUse quotes or backticks
within values to help you find policies by statement.Examples
Show any findings related
to this statement
statement: Accept
Remote rsyslog Messages Only on Designated Log Hosts - ModLoad
Show any findings that contain
parts of statement
statement: "Accept
Remote rsyslog Messages Only on Designated Log Hosts - ModLoad"
Show findings that match exact
value
statement: `Accept
Remote rsyslog Messages Only on Designated Log Hosts - ModLoad`
cidUse an integer value
##### in quotes to help you find policies by CID number.Example
Find policies for CID 1071
cid: "1071"
policyUse quotes or backticks
within values to help you find policies by policy name.Examples
Show any findings related
to this policy name
policy: Policy
to test Error out on 1.2 release
Show any findings that contain
parts of policy name
policy: "Policy
to test Error out on 1.2 release"
Show findings that match exact
value
policy: `Policy
to test Error out on 1.2 release`
categoryUse quotes or backticks
within values to help you find policies by category.Examples
Show any findings related
to this category
category: OS
Security Settings
Show any findings that contain
parts of category name
category: "OS
Security Settings"
Show findings that match exact
value
category: `OS
Security Settings`
postureUse a text value
##### in quotes to find policies of a certain posture (Pass,
Fail, Error).Example
Show policies of this posture
posture: "FAIL"
criticalityUse a text value
##### to find policies of a certain criticality (CRITICAL,
URGENT, SERIOUS, MEDIUM, MINIMAL, UNDEFINED).Example
Show policies of this criticality
criticality: "URGENT"
Oracle Cloud
Compute InstanceUse these tokens for searching
Oracle Cloud Compute instances (OCI).
oci.compute.ociIdUse a text value
##### to search all assets with the specified OCI ID.Example
Show assets with this OCI
ID
oci.compute.ociId:ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq'
oci.compute.compartmentIdUse a text value
##### to search all assets with the specified OCI compartment
ID.Example
Show assets with this OCI
compartment ID
oci.compute.compartmentId:ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq'
oci.compute.compartmentNameUse a text value
##### to search all assets with the specified OCI compartment
name.Example
Show assets with this OCI
compartment name
oci.compute.compartmentName:ocid1.compartment.abc'
oci.compute.displayNameUse a text value
##### to search all assets with the specified display name.Example
Show assets with display name
oracle 8.
oci.compute.displayName:oracle
8
oci.compute.shapeUse a text value
##### to search all assets with the specified shape.Example
Show all assets with the shape
x5-2.36.512
oci.compute.shape:x5-2.36.512
oci.compute.regionUse a text value
##### to search all assets in the specified region.Example
Show all assets with the region
us-east-1
oci.compute.region:us-east-1
oci.compute.regionKeyUse a text value
##### to search all assets with the specified region key.Example
Show all assets with the region
key SYD
oci.compute.regionKey:SYD
oci.compute.regionRealmUse a text value
##### to search all groups with the specified region realm.Example
Show all assets with the region
realm OC1
oci.compute.regionRealm:OC1
oci.compute.availabilityDomainUse a text value
##### to search all assets with the specified available domain.Example
Show all assets with the available
domain Lhkx:US-ASHBURN-AD-1
oci.compute.availabilityDomain:Lhkx:US-ASHBURN-AD-1
oci.compute.timeCreatedUse a text value
##### to search all assets created at the specified time.Example
Show all assets with the created
time 2021-02-09T07:24:31.000Z (Use 2021-02-09 while searching in UI)
oci.compute.timeCreated:2021-02-09
oci.compute.imageIdUse a text value
##### to search all assets with the specified image ID.Example
Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq
image ID
oci.compute.imageId:ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq
oci.compute.faultDomainUse a text value
##### to search all assets with the specified fault domain.Example
Show all assets with fault
domain FAULT-DOMAIN-1
oci.compute.faultDomain:FAULT-DOMAIN-1
oci.compute.hostNameUse a text value
##### to search all assets with the specified host name.Example
Show all findings with the
host name oracle-8
oci.compute.hostName:oracle-8
oci.compute.canonicalRegionNameUse a text value
##### to search all assets having the specified canonical
region name.Example
Show all assets with the canonical
region name us-ashburn-1
oci.compute.canonicalRegionName:us-ashburn-1
oci.compute.isQualysScannerUse the values true
| false to list all assets that are Qualys Scanner.
Choose True to list all assets that are Qualys Scanner and choose
False to list all assets that are not Qualys Scanner.Example
Show all assets that are Qualys
Scanner.
oci.compute.isQualysScanner:"true"
oci.compute.hasAgentUse the values true
| false to list all assets that have cloud agents.
Choose True to list all assets having cloud agents and choose False
to list all assets that do not have cloud agents.Example
Show all assets with having
cloud agent installed
oci.compute.hasAgent:"true"
oci.vnic.vnicIdUse a text value
##### to search all assets with the specified VNIC ID.Example
Show all assets with the VNIC
ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vnicId:ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vcnIdUse a text value
##### to search all assets with the specified VCN ID.Example
Show all assets with this
VCN ID
oci.vnic.vcnId:ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.privateIpUse a text value
##### to search all assets with the specified private IP.Example
Show all assets with this
private IP
oci.vnic.privateIp:10.0.0.222
oci.vnic.publicIpUse a text value
##### to search all assets with the specified public IP.Example
Show all assets with this
public IP
oci.vnic.publicIp:10.0.0.222
oci.vnic.subnetIdUse a text value
##### to find OCI instances by the ID of the subnet in which
the interface resides.Example
Find OCI instances with this
subnet ID
oci.vnic.subnetId: subnet-bc02c0d4
oci.vnic.subnetNameUse a text value
##### to find OCI instances by the name of the subnet in
which the interface resides.Example
Find OCI instances with this
subnet name
oci.vnic.subnetName:
subnet-abc
oci.vnic.vcnNameUse a text value
##### to search all assets with the specified vcn name.Example
Show all assets with this
vcn name
oci.vnic.vcnName:abc
oci.vnic.vlanTagUse a text value
##### to search all assets with the specified vlan tag.Example
Show all assets with the vlan
tag 1
oci.vnic.vlanTag:1
oci.vnic.macAddrUse a text value
##### to search all assets with the specified MAC address.Example
Show all assets with the MAC
address 02:00:17:06:bd:b3
oci.vnic.macAddr:02:00:17:06:bd:b3
oci.vnic.virtualRouterIpUse a text value
##### to search all assets with the specified router IP.Example
Show all assets with the router
IP 10.0.0.1
oci.vnic.virtualRouterIp:10.0.0.1
oci.vnic.subnetCidrBlockUse a text value
##### to search all assets with the specified block.Example
Show all assets with the block
10.0.0.0/24
oci.vnic.subnetCidrBlock:10.0.0.0/24
oci.vnic.nicIndexUse a text value
##### to search all assets with the specified index.Example
Show all assets with the index
1
oci.vnic.nicIndex:1
oci.compute.stateUse a text value
##### to search all assets with specific compute state.Example
Show all assets with the compute
state Starting
oci.compute.state:STARTING
oci.compute.tenantIdUse a text value
##### to search all assets with specific tenant ID.Example
Show all assets with the specific
tenant ID
oci.compute.tenantId:ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq
oci.compute.tenantNameUse a text value
##### to search all assets with specific tenant name.Example
Show all assets with the specific
tenant name
oci.compute.tenantName:oraclecengg1