Search by Field | Search without Field | String matching | Exact matching | Full text search | Suffix matching | Prefix matching | Is Null queries | Range searches | Date searches | Multiple values (In, Not In) | Boolean operators | Nested queries | Query limits
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Examples:
openPorts.port: 80
accounts.username: administrator
operatingSystem: win*
When your query doesn’t have a field name we’ll perform the broadest possible search across the attributes of all fields in the asset index (100+ field names). Keep in mind some fields are not included in the asset index, like tag name and vulnerability title, and for those you’ll need to search by field name.
How it works - A search for “win” without a field name will return assets where win appears in the asset name, hostname, operating system, software name, and so on.
Syntax help - Use single quotes or double quotes around your query to match a string. If you want to perform prefix matching or suffix matching using wildcards, you’ll need to search using the field name (see above).
Use single quotes or double quotes around your query to match a string with more than one word. Note that interfaces.address and software.version are text fields and support string matching.
Examples:
tags.name: "Cloud Agent"
operatingSystem: 'Microsoft Windows'
interfaces.address: 10.10.10.10
software.version: 2.1.7
vulnerabilities.vulnerability.title: "Remote Code Execution
Vulnerability"
Example using wildcard: If you want to search for exact count you should use asterisk (*). For example to find assets with name starting with WINDOWS2008 use this query:
name:WINDOWS2008*
Note that wildcards can only be used for prefix and suffix matching (as described below). We do not support substring wildcards, meaning you cannot search for a string in the middle of another string.
Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.
Examples:
operatingSystem:`Windows 7 Ultimate
Service Pack 1`
interfaces.hostname:`xpsp2-jp-26-111`
Many asset fields containing text allow you to use full text search and advanced search capabilities. If your query does not include quotes (single or double) then we'll perform the broadest search.
Examples:
Show any findings related to this title
vulnerabilities.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title: `Remote Code`
Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.
vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable:
"true")
Suffix matching is supported when searching assets (on your Assets list) for the fields "name", "tags.name" and "netbiosName". Match asset values "ending in" a string you specify - using a string that starts with *. Matches are case insensitive.
Example: This query matches assets with an asset name ending in "53" like QK2K12QP3-65-53.
name:*53
Example: This query matches assets with tag names ending in "region east" like Region East, region east, Region EAST.
tags.name:*Region East
Suffix matching is also supported for the field "interfaces.hostname" but the syntax is different.
Example: These queries match assets with the hostname "com-pa3020-36.eng.sjc01.qualys.com".
interfaces.hostname:qualys.com
interfaces.hostname:sjc01.qualys.com
interfaces.hostname:eng.sjc01.qualys.com
interfaces.hostname:*lys.com
Prefix matching is supported when searching assets (on your Assets list) using certain text fields. Match asset values "starting with" a string you specify - using a string that ends with *. Matches are case sensitive.
Example: This query matches assets with an asset name starting with "xp" like xpsp2-jp-26-111.
name:xp*
Example: This query matches assets with tag names starting with "Win" like Windows XP, Windows 2012, Windows Hosts.
tags.name:Win*
Example: This query matches assets with a hostname starting with "com-pa30" like com-pa3020-36.eng.sjc01.qualys.com.
interfaces.hostname:com-pa30*
Example: This query matches assets with an operating system starting with "Lin" like Linux 2.4-2.6.
operatingSystem:Lin*
Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem is null
interfaces.macAddress is null
Ranges can be specified with the [lower .. upper] syntax
using () and/or [] as follows. This is supported for numeric and date
fields.
Please note that interfaces.address and software.version are text fields (not numeric fields). You cannot perform range searches for these. See String matching to search text fields.
Examples:
openPorts.port:(123 .. 1234)
// Greater than but not equal to 123 and less than but not equal
to 1234.
openPorts.port:(123 .. 1234]
// Greater than but not equal to 123 and less than or equal to 1234.
openPorts.port:[123 .. 1234)
// Greater than or equal to 123 and less than but not equal to 1234.
openPorts.port:[123 .. 1234]
// Greater than but or equal to 123 and less than or equal to 1234.
openPorts.port > 123 //
Greater than 123.
openPorts.port >= 123 //
Greater than or equal to 123.
openPorts.port < 1234 //
Less than 1234.
openPorts.port <= 1234 //
Less than or equal to 1234.
vulnerabilities.firstFound: [2018-01-01 .. 2018-04-01]
// Between January 1st and April 1st 2018.
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
Examples:
updated:"2018-11-20"
updated <= "2018-10-20"
updated:["2018-11-20" ..
"2018-11-24"]
updated:[now-3d .. now-1s]
Use to match values "In" fields. You'll include a comma-separated list of values within square brackets. Available for all fields except analyzed fields (i.e. full text search fields). Values must exactly match. Matches are case sensitive.
Example: Find all assets with an operating system value that exactly matches one listed:
operatingSystem:["Cisco IOS Version 12.4(19)","Windows
Server 2003 Service Pack 2",Windows]
Example: Find all assets with a name value that exactly matches one listed:
name:[MACMINI-ACA70B,2k8r2-u-10-11,10.10.10.43]
Example: Find all assets with an asset ID value that exactly matches one listed:
assetId:[5301908,10233,2345]
Example: Find all assets with at least one of the CVE IDs listed:
vulnerabilities.vulnerability.cveIds:[CVE-2003-0818,CVE-2002-0126,CVE-1999-1058]
Supported date formats:
YYYY example: ["2017","2018"]
YYYY-MM example: ["2018-08","2018-09"]
YYYY-MM-DD example: ["2018-08-31","2018-08-30"]
Analyzed fields (i.e. full text search fields) are not supported such as:
vulnerabilities.vulnerability.description
vulnerabilities.vulnerability.solution
vulnerabilities.vulnerability.consequence
Use keywords AND, OR, NOT to narrow or broaden your search. Click the link below for info on max query depth.
Note: The NOT operator can be used only with Asset search tokens. Vulnerability search tokens do not support the NOT operator.
Examples:
activatedForModules:"TRUE"
AND NOT agentActivations.status:"INACTIVE"
(operatingSystem: windows OR operatingSystem:
linux) AND (openPorts.port: 80 OR openPorts.port: 8080) NOT operatingSystem:
windows
Use a single nested query, using parentheses, to include multiple fields in your query per examples below.
Example: Show findings having vulnerabilities with a patch available and that require Windows authentication
vulnerabilities.vulnerability:(patchAvailable:"TRUE"
AND authTypes:"WINDOWS_AUTH")
Example: Find assets on port 80 and TCP
openPorts:(port:80 AND protocol:TCP)
Example: Find assets that have Windows Time service that is running
service:(name:Windows Time AND status: running)
Maximum query length allowed: 4096 characters
Maximum field value length allowed: 256 characters
Good to know:
- If your query exceeds a limit, an error message is shown and you won't get search results
- These query limits apply to queries created using these apps: AV, TP, CA, VM dashboard
- Spaces in between characters are counted as characters