Searching for AWS Resources

Use the search tokens below to search for discovered resources. First choose a cloud provider on the Resources tab to see the relevant tokens for your environment.

General

account.id

Use a text value ##### to show resources based on the unique account ID associated with the connector/ARN at the time of creation.

Example

Show findings with this account ID

account.id: 205767712438

account.alias

Use a text value ##### to show connectors based on the account alias associated with the connector/ARN at the time of creation.

Example

Show connectors with this account alias

account.alias: Example_connector

created

Use a date range or specific date to define when the resource was created.

Examples

Show resources created within certain dates

created: [2018-01-01 ... 2018-03-01]

Show resources created starting 2018-01-01, ending 1 month ago

created: [2018-01-01 ... now-1m]

Show resources created starting 2 weeks ago, ending 1 second ago

created: [now-2w ... now-1s]

Show resources created on specific date

created: 2018-01-08

updated

Use a date range or specific date to define when the resource was last updated.

Examples

Show resources updated within certain dates

updated: [2018-01-01 ... 2018-03-01]

Show resources updated starting 2018-01-01, ending 1 month ago

updated: [2018-01-01 ... now-1m]

Show resources updated starting 2 weeks ago, ending 1 second ago

updated: [now-2w ... now-1s]

Show resources updated on specific date

updated: 2018-01-08

name

Use quotes within values to help you find the resource name you're looking for.

Examples

Show any findings with this name

name: my-resource

Show any findings that contain parts of name

name: "my-resource"

provider

Select the name of the cloud service provider you're interested in. Select from names in the drop-down menu.

Example

Find resources synced from Amazon AWS

provider: aws

region

Select the name of the region you're interested in. Select from names in the drop-down menu.

Example

Find resources in the Singapore region

region: Singapore

resource.id

Use a text value ##### to find resources by the unique ID assigned to the resource.

Example

Show resources with ID acl-8e5198f5

resource.id: acl-8e5198f5

resource.type

Select the type of resource you're interested in. Select from names in the drop-down menu.

Example

Show resources of type Instance

resource.type: Instance

tag.key

Use a text value ##### to define the key of an AWS or Azure tag assigned to the resource (case sensitive).

Example

Show findings with key Department

tag.key: Department

tag.value

Use a text value ##### to define the value of an AWS or Azure tag assigned to the resource (case sensitive).

Example

Show findings with tag value Finance

tag.value: Finance

and

Use a boolean query to express your query using AND logic.

Example

Show findings with account ID 205767712438 and type Subnet

account.id: 205767712438 and resource.type: Subnet

not

Use a boolean query to express your query using NOT logic.

Example

Show findings that are not resource type Instance

not resource.type: Instance

or

Use a boolean query to express your query using OR logic.

Example

Show findings with one of these tag values

tag.value: Finance or tag.value: Accounting

projectId

Use a text value ##### to find GCP resources with a certain project Id.

Example

Show resources with this projectId

projectId: my-project-1513669048551

AWS: Auto Scaling Group

These tokens are available in queries with resource.type:Auto Scaling Group

autoscaling.availabilityZone

Select the availability zone you're interested in. Select from names in the drop-down menu.

Example

Find auto scaling groups in the us-east-1a availability zone

autoscaling.availabilityZone: us-east-1a

autoscaling.createdTime

Use a date range or specific date to define when the Auto Scaling group was created.

Examples

Show groups discovered within certain dates

autoscaling.createdTime: [2018-01-01 ... 2018-03-01]

Show groups created starting 2018-01-01, ending 1 month ago

autoscaling.createdTime: [2018-01-01 ... now-1m]

Show groups created starting 2 weeks ago, ending 1 second ago

autoscaling.createdTime: [now-2w ... now-1s]

Show groups discovered on specific date

autoscaling.createdTime: 2018-01-08

autoscaling.healthCheckType

Select the health check type (ec2 or elb) you're interested in. Select from names in the drop-down menu.

Example

Show groups with health check type ec2

autoscaling.healthCheckType: ec2

autoscaling.instanceId

Use a text value ##### to find auto scaling groups with a certain instance ID.

Example

Show findings with this instance ID

autoscaling.instanceId: i-1234567890abcdef0

autoscaling.launchConfigurationName

Use a text value ##### to define the launch configuration name you're interested in.

Example

Show findings with this launch configuration name

autoscaling.launchConfigurationName: LaunchConfig-BF31WBIYCM64

autoscaling.loadBalancerName

Use a text value ##### to define the load balancer name you're interested in.

Example

Show findings with this load balancer name

autoscaling.loadBalancerName: AppServer ELB

AWS: IAM User

These tokens are available in queries with resource.type:IAM User

iamuser.accessKey1Active

Use the values true | false to find IAM users with an active access key1.

Examples

Show findings with access key1 active

iamuser.accessKey1Active: true

Show findings with access key1 not active

iamuser.accessKey1Active: false

iamuser.accessKey1LastRotated

Use a date range or specific date to define when access key1 was last rotated.

Examples

Show last rotated within certain dates

iamuser.accessKey1LastRotated: [2018-01-01 ... 2018-03-01]

Show last rotated starting 2018-01-01, ending 1 month ago

iamuser.accessKey1LastRotated: [2018-01-01 ... now-1m]

Show last rotated starting 2 weeks ago, ending 1 second ago

iamuser.accessKey1LastRotated: [now-2w ... now-1s]

Show last rotated on specific date

iamuser.accessKey1LastRotated: 2018-01-08

iamuser.accessKey1LastUsed

Use a date range or specific date to define when access key1 was last used.

Examples

Show last used within certain dates

iamuser.accessKey1LastUsed: [2018-01-01 ... 2018-03-01]

Show last used starting 2018-01-01, ending 1 month ago

iamuser.accessKey1LastUsed: [2018-01-01 ... now-1m]

Show last used starting 2 weeks ago, ending 1 second ago

iamuser.accessKey1LastUsed: [now-2w ... now-1s]

Show last used on specific date

iamuser.accessKey1LastUsed: 2018-01-08

iamuser.accessKey2Active

Use the values true | false to find IAM users with an active access key2.

Examples

Show findings with access key2 active

iamuser.accessKey2Active: true

Show findings with access key2 not active

iamuser.accessKey2Active: false

iamuser.accessKey2lastRotated

Use a date range or specific date to define when access key2 was last rotated.

Examples

Show last rotated within certain dates

iamuser.accessKey2lastRotated: [2018-01-01 ... 2018-03-01]

Show last rotated starting 2018-01-01, ending 1 month ago

iamuser.accessKey2lastRotated: [2018-01-01 ... now-1m]

Show last rotated starting 2 weeks ago, ending 1 second ago

iamuser.accessKey2lastRotated: [now-2w ... now-1s]

Show last rotated on specific date

iamuser.accessKey2lastRotated: 2018-01-08

iamuser.accessKey2LastUsed

Use a date range or specific date to define when access key2 was last used.

Examples

Show last used within certain dates

iamuser.accessKey2LastUsed: [2018-01-01 ... 2018-03-01]

Show last used starting 2018-01-01, ending 1 month ago

iamuser.accessKey2LastUsed: [2018-01-01 ... now-1m]

Show last used starting 2 weeks ago, ending 1 second ago

iamuser.accessKey2LastUsed: [now-2w ... now-1s]

Show last used on specific date

iamuser.accessKey2LastUsed: 2018-01-08

iamuser.arn

Use a text value ##### to define the Amazon Resource Name (ARN) of interest.

Example

Show findings with this ARN

iamuser.arn: arn:aws:iam::383031258652:user/LOCAL_1234

iamuser.mfaActive

Use the values true | false to find IAM users with multi-factor authentication enabled.

Examples

Show findings with multi-factor authentication enabled

iamuser.mfaActive: true

Show findings without multi-factor authentication enabled

iamuser.mfaActive: false

iamuser.passwordEnabled

Use the values true | false to find IAM users with the user password enabled during account creation.

Examples

Show findings with password enabled

iamuser.passwordEnabled: true

Show findings without password enabled

iamuser.passwordEnabled: false

iamuser.passwordLastChanged

Use a date range or specific date to define when the password was last updated.

Examples

Show passwords last updated within certain dates

iamuser.passwordLastChanged: [2018-01-01 ... 2018-03-01]

Show passwords last updated starting 2018-01-01, ending 1 month ago

iamuser.passwordLastChanged: [2018-01-01 ... now-1m]

Show passwords last updated starting 2 weeks ago, ending 1 second ago

iamuser.passwordLastChanged: [now-2w ... now-1s]

Show passwords last updated on specific date

iamuser.passwordLastChanged: 2018-01-08

iamuser.passwordLastUsed

Use a date range or specific date to define when the password was last used.

Examples

Show passwords last used within certain dates

iamuser.passwordLastUsed: [2018-01-01 ... 2018-03-01]

Show passwords last used starting 2018-01-01, ending 1 month ago

iamuser.passwordLastUsed: [2018-01-01 ... now-1m]

Show passwords last used starting 2 weeks ago, ending 1 second ago

iamuser.passwordLastUsed: [now-2w ... now-1s]

Show passwords last used on specific date

iamuser.passwordLastUsed: 2018-01-08

iamuser.passwordNextRotation

Use a date range or specific date to define the next time the password will be rotated.

Examples

Show next rotation within certain dates

iamuser.passwordNextRotation: [2018-01-01 ... 2018-03-01]

Show next rotation starting 2018-01-01, ending 1 month ago

iamuser.passwordNextRotation: [2018-01-01 ... now-1m]

Show next rotation starting 2 weeks ago, ending 1 second ago

iamuser.passwordNextRotation: [now-2w ... now-1s]

Show next rotation on specific date

iamuser.passwordNextRotation: 2018-01-08

iamuser.userCreationTime

Use a date range or specific date to define when the user was created.

Examples

Show users created within certain dates

iamuser.userCreationTime: [2018-01-01 ... 2018-03-01]

Show users created starting 2018-01-01, ending 1 month ago

iamuser.userCreationTime: [2018-01-01 ... now-1m]

Show users created starting 2 weeks ago, ending 1 second ago

iamuser.userCreationTime: [now-2w ... now-1s]

Show users created on specific date

iamuser.userCreationTime: 2018-01-08

iamuser.userId

Use quotes within values to help you find IAM users with a certain user ID.

Examples

Show any findings with this ID

iamuser.userId: ABCDEFGHIJ1K2

Show any findings that contain parts of ID

iamuser.userId: "ABCDEFGHIJ1K2"

iamuser.username

Use quotes within values to help you find IAM users with a certain user name.

Examples

Show any findings with this name

iamuser.username: Jane

Show any findings that contain parts of name

iamuser.username: "Jane"

iamuser.path

Use quotes within values to help you find IAM users with a certain path.

Examples

Show any findings with this path

iamuser.path: /

Show any findings that contain parts of path

iamuser.path: "/"

AWS: Instance

These tokens are available in queries with resource.type:Instance

instance.availabilityZone

Select the availability zone you're interested in. Select from names in the drop-down menu.

Example

Show findings in the us-east-1a availability zone

instance.availabilityZone: us-east-1a

instance.imageId

Use a text value ##### to find EC2 instances with a certain Image (AMI) ID.

Example

Show findings with this image ID

instance.imageId: ami-2ea83347

instance.isDockerHost

Use the values true | false to define whether the instance has Docker installed on the host.

Examples

Show instances with Docker installed on the host

instance.isDockerHost:true

Show instances without Docker installed on the host

instance.isDockerHost:false

instance.hasSensor

Use the values true | false to define whether the instance has a CMS Sensor installed on the host.

Examples

Show instances with CMS Sensor installed on the host

instance.hasSensor:true

Show instances without CMS Sensor installed on the host

instance.hasSensor:false

instance.docker.version

Use a text value ##### to define the Docker version you are looking for.

Example

Show instances with the specified Docker version

instance.docker.version:8.2

instance.networkInterface.addressId

Use a text value ##### to find EC2 instances with a certain network interface address ID.

Example

Show findings with this address ID

instance.networkInterface.addressId: id-12345

instance.networkInterface.description

Use quotes within values to help you find network interfaces with certain keywords in the description.

Examples

Show any findings with this description

instance.networkInterface.description: My Description

Show any findings that contain parts of description

instance.networkInterface.description: "My Description"

instance.networkInterface.groupId

Use a text value ##### to find network interfaces with a certain group ID.

Example

Show findings with this group ID

instance.networkInterface.groupId: sg-1a2b3c4d

instance.networkInterface.groupName

Use a text value ##### to find network interfaces with a certain group name.

Example

Show findings with this group name

instance.networkInterface.groupName: My Group

instance.networkInterface.ipv6Ip

Use a text value ##### to find EC2 instances having a network interface with a certain IPv6 address.

Example

Show findings with this IPv6 address

instance.networkInterface.ipv6Ip: 2010:ab2::1234:zzz:2002:1f

instance.networkInterface.privateDnsName

Use a text value ##### to find EC2 instances having a network interface with a certain private DNS name.

Example

Show findings with this private DNS name

instance.networkInterface.privateDnsName: ip-172-31-33-67.us-east-2.compute.internal

instance.networkInterface.privateIpAddress

Use a text value ##### to find EC2 instances having a network interface with a certain private IP address.

Example

Show findings with this private IP

instance.networkInterface.privateIpAddress: 172.31.28.151

instance.networkInterface.publicIp

Use a text value ##### to find EC2 instances having a network interface with a certain public IP address.

Example

Show findings with this public IP address

instance.networkInterface.publicIp: 13.126.125.189

instance.networkInterface.secondaryPrivateIp

Use a text value ##### to find EC2 instances having a network interface with a certain secondary private IP address.

Example

Show findings with this secondary private IP

instance.networkInterface.secondaryPrivateIp: 10.0.0.85

instance.networkInterface.subnetId

Use a text value ##### to find EC2 instances having a network interface on a certain subnet.

Example

Show findings on this subnet ID

instance.networkInterface.subnetId: subnet-6f2cec07

instance.networkInterface.privateDnsName

Use a text value ##### to find EC2 instances having a private DNS address you're interested in.

Example

Show findings with this private DNS address

instance.networkInterface.privateDnsName: ip-10-90-2-85.ec2.internal

instance.networkInterface.privateIpAddress

Use a text value ##### to find EC2 instances having a private IPv4 address you're interested in.

Example

Show findings with this private IP address

instance.networkInterface.privateIpAddress: 10.90.0.119

instance.privateDnsName

Use a text value ##### to find EC2 instances having a private DNS name you're interested in.

Example

Show findings with this private DNS name

instance.privateDnsName: ip-10-90-2-85.ec2.internal

instance.privateIpAddress

Use a text value ##### to find EC2 instances having a private IPv4 address you're interested in.

Example

Show findings with this private IP address

instance.privateIpAddress: 10.90.0.119

instance.publicDnsName

Use a text value ##### to find EC2 instances having a public DNS address you're interested in.

Example

Show findings with this public DNS address

instance.publicDnsName: ec2-52-70-141-154.compute-1.amazonaws.com

instance.publicIpAddress

Use a text value ##### to find EC2 instances having a public IPv4 address you're interested in.

Example

Show findings with this public IP address

instance.publicIpAddress: 52.70.141.154

instance.secondaryPrivateIpAddress

Use a text value ##### to find EC2 instances having a secondary private IPv4 address you're interested in.

Example

Show findings with this secondary private IP

instance.secondaryPrivateIpAddress: 10.90.0.119

instance.securityGroup.id

Use a text value ##### to find EC2 instances having a certain security group ID.

Example

Show EC2 instances with this security group ID

instance.securityGroup.id: sg-4798a22f

instance.securityGroup.name

Use a text value ##### to find EC2 instances having a certain security group name.

Example

Show findings with this security group name

instance.securityGroup.name: Windows RDP Allow Group

instance.spotInstanceRequestId

Use a text value ##### to find EC2 instances having a certain Spot Instance request ID.

Example

Show findings with this Spot Instance request ID

instance.spotInstanceRequestId: sir-08b93456

instance.state

Select a state name (pending, running, shutting-down, terminated, etc) to find EC2 instances with a certain state. Select from names in the drop-down menu.

Example

Show running EC2 instances

instance.state: running

instance.status

Select the status (ok, impaired, insufficient-data, etc) you're interested in. Select from names in the drop-down menu.

Example

Show EC2 instances with impaired status

instance.status: impaired

instance.subnetId

Use a text value ##### to find EC2 instances residing on a certain subnet ID.

Example

Show findings on this subnet ID

instance.subnetId: subnet-bc02c0d4

instance.type

Select the type of EC2 instance you're interested in. Select from names in the drop-down menu.

Example

Show findings with this instance type

instance.type: t2.micro

instance.vpcId

Use a text value ##### to find EC2 instances having a certain VPC ID.

Example

Show findings with this VPC ID

instance.vpcId: vpc-1e37cd76

instance.profileName

Use a text value ##### to find EC2 instances having a certain profile name.

Example

Show all EC2 instances having ANY instance profile

instance.profileName: (*..*)

instance.profileArn

Use a text value ##### to find EC2 instances having a certain profile ARN.

Examples

Show all EC2 instances having this profile ARN

instance.profileArn: abc12345arnsample

Show all EC2 instances that exactly match the specified profile ARN

instance.profileArn: `abc12345arnsample`

instanceProfile.role.name

Enter the name of a role associated with an instance profile to find all the EC2 instances associated with it.

Example

Show all instances NOT associated with any roles in the profile

instanceProfile.role.name is null

instanceProfile.role.arn

Enter the instance profile ARN to find all the EC2 instances associated with it.

Examples

Show all instances associated with any ARN

instanceProfile.role.arn: (*..*)

Show all instances that exactly match the ARN

instanceProfile.role.arn: `1de1e0a7-4f67-4812-917d-1236853844e1`

connector.remediationEnabled

Use true to view the resources associated with the connector for which remediation is enabled.

Example

Show resources associated with the connector for which remediation is enabled

connector.remediationEnabled: TRUE

action.status

Select the action status ("Success", "Queued", "Error") you're interested in. Select from names in the drop-down menu.

Example

Show resources with success status for remediation action

action.status: Success

Vulnerability Tokens

instance.hasAgent

Use the values true | false to define whether the instance has a cloud agent installed.

Examples

Show findings with a cloud agent

instance.hasAgent:true

Show findings without a cloud agent

instance.hasAgent:false

vulnerability.qid

Use an integer value ##### to define the QID in question.

Example

Show findings with QID 90405

vulnerability.qid:90405

vulnerability.severity

Select a severity (1-5) to find assets having vulnerabilities with this severity. Select from values in the drop-down menu.

Example

Show findings with severity 4

vulnerability.severity:4

vulnerability.customerSeverity

Use an integer value ##### to define the customer severity in question.

Example

Show findings with customer severity 3

vulnerability.customerSeverity:3

vulnerability.exploitability

Use quotes or backticks within values to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to this description

vulnerability.exploitability: GIF Parser Heap

Show any findings that contain "GIF", "Parser" or "Heap" in description

vulnerability.exploitability: "GIF Parser Heap"

Show any findings that match exact value

vulnerability.exploitability: `GIF Parser Heap`

vulnerability.patchAvailable

Use the values true | false to define vulnerabilities with patch available.

Examples

Show findings with patch available

vulnerability.patchAvailable: "true"

Show findings with no patch available

vulnerability.patchAvailable: "false"

vulnerability.firstFound

Use a date range or specific date to define when findings were first found.

Examples

Show findings first found within certain dates

vulnerability.firstFound: [2015-10-21 ... 2015-10-30]

Show findings first found starting 2015-10-01, ending 1 month ago

vulnerability.firstFound: [2015-10-01 ... now-1M]

Show findings first found starting 2 weeks ago, ending 1 second ago

vulnerability.firstFound: [now-2w ... now-1s]

Show findings first found on certain date

vulnerability.firstFound:'2015-11-11'

vulnerability.lastFound

Use a date range or specific date to define when findings were last found.

Examples

Show findings last found within certain dates

vulnerability.lastFound: [2015-10-21 ... 2016-01-15]

Show findings last found starting 2016-01-01, ending 1 month ago

vulnerability.lastFound: [2016-01-01 ... now-1M]

Show findings last found starting 2 weeks ago, ending 1 second ago

vulnerability.lastFound: [now-2w ... now-1s]

Show findings last found on certain date

vulnerability.lastFound:'2016-01-11'

Show findings last found on 2017-01-12 with patch available

vulnerabilities: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")

vulnerability.title

Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to this title

vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerability.title: "Remote Code"

Show any findings that match exact value

vulnerability.title: `Remote Code`

vulnerability.description

Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to description

vulnerability.description: remote code execution

Show any findings that contain "remote" or "code" in description

vulnerability.description: "remote code execution"

Show any findings that match exact value

vulnerability.description: `remote code execution`

vulnerability.cveIds

Use a text value ##### to find the CVE name you're interested in.

Example

Show findings with CVE name CVE-2015-0313

vulnerability.cveIds: CVE-2015-0313

vulnerability.category

Select a category (CGI, Database, DNS, BIND, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.

Example

Show findings with the category CGI

vulnerability.category: "CGI"

vulnerability.cvss3Info.baseScore

Use an integer value ##### to help you find the CVSS base score you're interested in.

Example

Show assets with this score

vulnerability.cvss3Info.baseScore: 7.8

vulnerability.cvss3Info.temporalScore

Use an integer value ##### to help you find the CVSS temporal score you're interested in.

Example

Show assets with this score

vulnerability.cvss3Info.temporalScore: 6.4

vulnerability.cvssInfo.accessVector

Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.

Example

Show findings with this name

vulnerability.cvssInfo.accessVector: "NETWORK"

vulnerability.port

Use an integer value ##### to help you find assets with some open port.

Example

Show vulnerability with port 80

vulnerability.port: 80

vulnerability.protocol

Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.

Examples

Show findings found on TCP

vulnerability.protocol: TCP

Show findings found on port 80 and TCP

vulnerability: (port: 80 AND protocol: TCP)

vulnerability.hostOS

Use quotes or backticks within values to help you find the instance operating system you're interested in.

Examples

Show any findings with this OS name

vulnerability.hostOS:Windows 2012

Show any findings that contain components of OS name

vulnerability.hostOS:"Windows 2012"

Show any findings that match exact value "Windows 2012"

vulnerability.hostOS:`Windows 2012`

vulnerability.typeDetected

Select a detection type (e.g. Confirmed, Potential, Information) to find instances with vulnerabilities of this type. Select from names in the drop-down menu.

Example

Show findings with this type

vulnerability.typeDetected:Confirmed

vulnerability.PCI

Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).

Examples

Show PCI vulnerabilities

vulnerability.PCI:TRUE

Do not show PCI vulnerabilities

vulnerability.PCI:FALSE

vulnerability.authTypes

Select the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.

Example

Show findings with Windows auth type

vulnerability.authTypes:WINDOWS_AUTH

vulnerability.bugTraqIds

Use a text value ##### to find a BugTraq number you're interested in.

Example

Show findings with BugTraq ID 22211

vulnerability.bugTraqIds:22211

vulnerability.compliance.description

Use quotes or backticks within values to help you find the compliance description you're looking for.

Examples

Show any findings related to this description

vulnerability.compliance.description:malicious software

Show any findings that contain "malicious" or "software" in description

vulnerability.compliance.description:"malicious software"

Show any findings that match exact value "malicious software"

vulnerability.compliance.description:`malicious software`

vulnerability.compliance.section

Use quotes or backticks within values to help you find the compliance section you're looking for.

Examples

Show any findings related to this section

vulnerability.compliance.section:164.308

Show any findings that contain parts of section

vulnerability.compliance.section:"164.308"

Show any findings that match exact value "164.308"

vulnerability.compliance.section:`164.308`

vulnerability.compliance.type

Select the name ##### of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.

Example

Show findings with the compliance type HIPAA

vulnerability.compliance.type:HIPAA

vulnerability.consequence

Use quotes or backticks within values to help you find the consequence you're looking for.

Examples

Show any findings related to consequence

vulnerability.consequence:sensitive information

Show any findings that contain "sensitive" or "information" in consequence

vulnerability.consequence:"sensitive information"

Show any findings that match exact value "sensitive information"

vulnerability.consequence:`sensitive information`

vulnerability.flags

Use a text value ##### to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc).

Example

Show findings with this flag

vulnerability.flags:PCI_RELATED

vulnerability.lists

Use a text value ##### to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).

Example

Show findings with vulnerabilities in SANS Top 20

vulnerability.lists:SANS_20

vulnerability.patches

Use an integer value ##### to help you find the patch QID you're interested in.

Example

Show assets with this patch QID

vulnerability.patches:90753

vulnerability.published

Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.

Examples

Show findings for vulnerabilities published within certain dates

vulnerability.published:[2015-10-21 ... 2016-01-15]

Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago

vulnerability.published:[2017-01-01 ... now-1M]

Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago

vulnerability.published:[now-2w ... now-1s]

Show findings for vulnerabilities published on certain date

vulnerability.published:'2018-01-15'

vulnerability.risk

Use an integer value ##### to define the vulnerability risk rating you're interested in. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.

Example

Show findings with risk 50

vulnerability.risk:50

vulnerability.os

Use quotes or backticks within values to help you find the operating system vulnerabilities were detected on.

Examples

Show any findings related to this OS value

vulnerability.os:windows

Show any findings that contain parts of OS value

vulnerability.os:"windows"

Show any findings that match exact value "windows"

vulnerability.os:`windows`

vulnerability.cvssInfo.baseScore

Use an integer value ##### to help you find the CVSS base score you're interested in.

Example

Show instances with this score

vulnerability.cvssInfo.baseScore:7.8

vulnerability.cvssInfo.temporalScore

Use an integer value ##### to help you find the CVSS temporal score you're interested in.

Example

Show instances with this score

vulnerability.cvssInfo.temporalScore:6.4

vulnerability.discoveryTypes

Select a discovery type (Remote or Authenticated) to find instances with vulnerabilities having this discovery type. Select from names in the drop-down menu.

Example

Show findings with Remote discovery type

vulnerability.discoveryTypes:REMOTE

vulnerability.sans20Categories

Use a text value ##### to find vulnerabilities in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).

Example

Show findings with this category name

vulnerability.sans20Categories:Media Players

vulnerability.solution

Use quotes or backticks within values to help you find the solution you're looking for.

Examples

Show any findings related to this solution

vulnerability.solution:Bulletin MS10-006

Show any findings that contain parts of solution

vulnerability.solution:"Bulletin MS10-006"

Show any findings that match exact value "Bulletin MS10-006"

vulnerability.solution:`Bulletin MS10-006`

vulnerability.status

Select the vulnerability status (ACTIVE, FIXED, NEW, REOPENED) you're interested in. Select from names in the drop-down menu.

Example

Show vulnerabilities with ACTIVE status

vulnerability.status:ACTIVE

vulnerability.supportedBy

Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.

Example

Show vulnerabilities supported by Linux Agent

vulnerability.supportedBy:LINUX_AGENT

vulnerability.vendorRefs

Use a text value ##### to find the vendor reference you're interested in.

Example

Show this vendor reference

vulnerability.vendorRefs:KB3021953

vulnerability.vendors.productName

Use a text value ##### to find the vendor product name you're interested in.

Example

Show findings with this vendor product name

vulnerability.vendors.productName:Windows

vulnerability.vendors.vendorName

Use a text value ##### to find the vendor name you're interested in.

Example

Show findings with this vendor name

vulnerability.vendors.vendorName:Adobe

Threat Protection

(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).

vulnerability.threatIntel.activeAttacks

Use the values true | false to define real-time threats due to active attacks.

Example

Show resources with threats due to active attacks

vulnerability.threatIntel.activeAttacks: "true"

vulnerability.threatIntel.denialOfService

Use the values true | false to define real-time threats due to denial of service.

Example

Show resources with threats due to denial of service

vulnerability.threatIntel.denialOfService: "true"

vulnerability.threatIntel.easyExploit

Use the values true | false to define real-time threats due to easy exploit.

Example

Show resources with threats due to easy exploit

vulnerability.threatIntel.easyExploit: "true"

vulnerability.threatIntel.exploitKit

Use the values true | false to define real-time threats due to exploit kit.

Example

Show resources with threats due to exploit kit

vulnerability.threatIntel.exploitKit: "true"

vulnerability.threatIntel.exploitKitName

Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerability.threatIntel.exploitKitName: Angler

Show any findings that match exact value

vulnerability.threatIntel.exploitKitName: `Angler`

vulnerability.threatIntel.highDataLoss

Use the values true | false to define real-time threats due to high data loss.

Example

Show resources with threats due to high data loss

vulnerability.threatIntel.highDataLoss: "true"

vulnerability.threatIntel.highLateralMovement

Use the values true | false to define real-time threats due to high lateral movement.

Example

Show resources with threats due to high lateral movement

vulnerability.threatIntel.highLateralMovement: "true"

vulnerability.threatIntel.malware

Use the values true | false to define real-time threats due to malware.

Example

Show resources with threats due to malware

vulnerability.threatIntel.malware: "true"

vulnerability.threatIntel.malwareName

Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ

Show any findings that match exact value

vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`

vulnerability.threatIntel.noPatch

Use the values true | false to define real-time threats due to no patch available.

Example

Show resources with threats due to no patch available

vulnerability.threatIntel.noPatch: "true"

vulnerability.threatIntel.publicExploit

Use the values true | false to define real-time threats due to public exploit.

Example

Show resources with threats due to public exploit

vulnerability.threatIntel.publicExploit: "true"

vulnerability.threatIntel.publicExploitName

Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass

Show any findings that contain parts of name

vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"

Show any findings that match exact value

vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`

vulnerability.threatIntel.zeroDay

Use the values true | false to define real-time threats due to zero day exploit.

Example

Show resources with threats due to zero day exploit

vulnerability.threatIntel.zeroDay: "true"

AWS: Internet Gateway

These tokens are available in queries with resource.type:Internet Gateway

internetgateway.state

Use a text value ##### to find internet gateways having a certain state.

Example

Show findings with this state

internetgateway.state: available

internetgateway.vpcId

Use a text value ##### to find resources having a certain VPC ID.

Example

Show findings with this VPC ID

internetgateway.vpcId: vpc-1e37cd76

AWS: Load Balancer

These tokens are available in queries with resource.type:Load Balancer

elb.availabilityZone

Select the availability zone you're interested in. Select from names in the drop-down menu.

Example

Find resources in the us-east-1a availability zone

elb.availabilityZone: us-east-1a

elb.createdTime

Use a date range or specific date to define when the resource was created.

Examples

Show resources created within certain dates

elb.createdTime: [2018-01-01 ... 2018-03-01]

Show resources created starting 2018-01-01, ending 1 month ago

elb.createdTime: [2018-01-01 ... now-1m]

Show resources created starting 2 weeks ago, ending 1 second ago

elb.createdTime: [now-2w ... now-1s]

Show resources created on specific date

elb.createdTime: 2018-01-08

elb.dnsName

Use a text value ##### to find load balancers with a certain DNS name.

Example

Show findings with this DNS name

elb.dnsName: load-balancer-12345.elb.us-west.amazonaws.com

elb.instanceId

Use a text value ##### to find resources with a certain instance ID.

Example

Show resources with this instance ID

elb.instanceId: 10.90.0.119

elb.ipAddressType

Use a text value ##### to find load balancers with a certain IP address type.

Example

Show findings with this IP address type

elb.ipAddressType: ipv4

elb.listener.instancePort

Use a text value ##### to find load balancer listeners on a certain instance port.

Example

Show load balancers on this instance port

elb.listener.instancePort: 200

elb.listener.instanceProtocol

Select the load balancer listener instance protocol (HTTP or HTTPS) you're interested in. Select from names in the drop-down menu.

Example

Show findings with this instance protocol

elb.listener.instanceProtocol: HTTPS

elb.listener.loadBalancerPort

Use a text value ##### to find load balancer listeners on a certain load balancer port.

Example

Show findings on this load balancer port

elb.listener.loadBalancerPort: 200

elb.listener.protocol

Select the load balancer listener protocol (HTTP or HTTPS) you're interested in. Select from names in the drop-down menu.

Example

Show findings running on this listener protocol

elb.listener.protocol: HTTP

elb.scheme

Use a text value ##### to find load balancer listeners with a certain scheme.

Example

Show findings with this scheme

elb.scheme: internet-facing

elb.securityGroupId

Use a text value ##### to find resources in a certain security group.

Example

Show findings with this security group ID

elb.securityGroupId: sg-1a2b3c4d

elb.state

Select the load balancer state you're interested in. Select from names in the drop-down menu.

Example

Show findings with this load balancer state

elb.state: active

elb.type

Use a text value ##### to find load balancers having a certain type.

Example

Show findings with this load balancer type

elb.type: classic

elb.vpcId

Use a text value ##### to find resources having a certain VPC ID.

Example

Show findings with this VPC ID

elb.vpcId: vpc-1e37cd76

elb.subnet

Use a text value ##### to find load balancers in a certain subnet.

Example

Show findings in this subnet

elb.subnet: subnet-cc96efa8

AWS: Network ACL

These tokens are available in queries with resource.type:Network ACL

networkacl.association.subnetId

Use a text value ##### to define resources having an association with a certain subnet.

Example

Show findings with this ID

networkacl.association.subnetId: subnet-6f2cec07

networkacl.cidrBlock

Use a text value ##### to find network ACLs having a certain IPv4 CIDR range.

Example

Show findings with this IPv4 CIDR block

networkacl.cidrBlock: 172.31.0.0/16

networkacl.defaultAcl

Use the values true | false to find a network ACL that is the default network ACL for the VPC.

Examples

Show findings with the default network ACL

networkacl.defaultAcl: true

Show findings not defined with default network ACL

networkacl.defaultAcl: false

networkacl.egress

Use the values true | false to find a network ACL that applies (or doesn't apply) to egress traffic.

Examples

Show findings where the network ACL does apply to egress traffic

networkacl.egress: true

Show findings where it does not apply to egress traffic

networkacl.egress: false

networkacl.ipv6CidrBlock

Use a text value ##### to define the IPv6 CIDR range associated with the network ACL.

Example

Show findings with this IPv6 CIDR block

networkacl.ipv6CidrBlock: 2001:db8::/32

networkacl.portRange.from

Use an integer value ##### to define the start of the port range specified in the network ACL rule entry.

Example

Show findings with rules with port range starting at 1024

networkacl.portRange.from: 1024

networkacl.portRange.to

Use an integer value ##### to define the end of the port range specified in the network ACL rule entry.

Example

Show findings with rules with port range ending at 65535

networkacl.portRange.to: 65535

networkacl.protocol

Use a text value ##### to define the protocol (tcp, udp, etc) specified in the network ACL rule entry.

Example

Show findings with rules for protocol tcp

networkacl.protocol: tcp

networkacl.ruleAction

Use a text value ##### to find network ACLs with a certain rule action (allow or deny).

Example

Show findings with rules that allow matching traffic

networkacl.ruleAction: allow

networkacl.ruleNumber

Use an integer value ##### to find network ACLs with a certain rule number.

Example

Show findings with rule number 130

networkacl.ruleNumber: 130

networkacl.vpcId

Use a text value ##### to define the ID of the VPC for the network ACL.

Example

Show findings with this VPC ID

networkacl.vpcId: vpc-1e37cd76

networkacl.association.id

Use a text value ##### to find network ACLs with a certain association ID.

Example

Show findings with this association ID

networkacl.association.id: aclassoc-3999875b

networkacl.association.networkAclId

Use a text value ##### to find network ACLs having an association with a certain network ACL ID.

Example

Show findings with this ID

networkacl.association.networkAclId: acl-211bf848

AWS: Route Table

These tokens are available in queries with resource.type:Route Table

routetable.main

Use the values true | false to find the main route table for the VPC.

Examples

Show findings for the main route table

routetable.main: true

Show findings that are not the main route table

routetable.main: false

routetable.route.destinationCidrBlock

Use a text value ##### to find route tables having routes with a certain IPv4 CIDR range used for destination match.

Example

Show findings with this IPv4 CIDR range

routetable.route.destinationCidrBlock: 10.0.0.0/16

routetable.route.state

Select a route state (active or blackhole) to help you find route tables having routes with this state. Select from names in the drop-down menu.

Example

Show findings with this route state

routetable.route.state: active

routetable.subnetId

Use a text value ##### to define resources having an association with a certain subnet ID.

Example

Show findings with this ID

routetable.subnetId: subnet-6f2cec07

routetable.vpcId

Use a text value ##### to find resources having a certain VPC ID.

Example

Show findings with this VPC ID

routetable.vpcId: vpc-1e37cd76

routetable.association.id

Use a text value ##### to find route tables with a certain association ID.

Example

Show findings with this ID

routetable.association.id: rtbassoc-781d0d1a

routetable.association.routeTableId

Use a text value ##### to find route tables having a certain route table ID involved in the association between route table and subnet.

Example

Show findings for this ID

routetable.association.routeTableId: rtb-ffbe1297

routetable.route.destinationIpv6CidrBlock

Use a text value ##### to find route tables having routes with a certain IPv6 CIDR range used for destination match.

Example

Show findings with this IPv6 CIDR range

routetable.route.destinationIpv6CidrBlock: 2001:db8::/32

routetable.route.destinationPrefix

Use a text value ##### to find route tables having routes with a certain ID (prefix) of the AWS service.

Example

Show findings with this prefix list ID

routetable.route.destinationPrefix: pl-63a5400a

routetable.route.egressInternetGatewayId

Use a text value ##### to find route tables having routes with a certain egress-only Internet gateway ID.

Example

Show findings with this ID

routetable.route.egressInternetGatewayId: pl-eigw-1234567890

routetable.route.gatewayId

Use a text value ##### to find route tables having routes with a certain virtual private gateway ID.

Example

Show findings with this virtual private gateway ID

routetable.route.gatewayId: igw-12345678

routetable.route.instanceId

Use a text value ##### to find route tables having routes with a certain NAT instance ID.

Example

Show findings with this ID

routetable.route.instanceId: rtb-f8805e91

routetable.route.instanceOwnerId

Use a text value ##### to find route tables having routes with a NAT instance that has a certain owner.

Example

Show findings with this AWS account ID

routetable.route.instanceOwnerId: aws-acct-id

routetable.route.natGatewayId

Use a text value ##### to find route tables having routes with a certain NAT gateway ID.

Example

Show findings with this ID

routetable.route.natGatewayId: local

routetable.route.networkInterfaceId

Use a text value ##### to find route tables having routes with a certain network interface ID.

Example

Show findings with this ID

routetable.route.networkInterfaceId: eni-12345

routetable.route.vpcPeeringId

Use a text value ##### to find route tables having routes with a certain VPC peering connection.

Example

Show findings with this ID

routetable.route.vpcPeeringId: pcx-00197469

AWS: S3 Bucket

These tokens are available in queries with resource.type:S3 Bucket

s3.creationDate

Use a date range or specific date to define when the S3 bucket was created.

Examples

Show S3 buckets created within certain dates

s3.creationDate: [2018-01-01 ... 2018-03-01]

Show S3 buckets created starting 2018-01-01, ending 1 month ago

s3.creationDate: [2018-01-01 ... now-1m]

Show S3 buckets created starting 2 weeks ago, ending 1 second ago

s3.creationDate: [now-2w ... now-1s]

Show S3 buckets created on specific date

s3.creationDate: 2018-01-08

s3.isPubliclyAccessible

Use the values true | false to find S3 buckets that are (or aren't) publicly accessible.

Examples

Show S3 buckets that are publicly accessible

s3.isPubliclyAccessible: true

Show S3 buckets that are not publicly accessible

s3.isPubliclyAccessible: false

s3.ownerId

Use a text value ##### to define the S3 bucket owner ID of interest.

Example

Show findings with this owner ID

s3.ownerId: a3a33997d333416174cb4c27fa89364a2f31b12498ffc

s3.ownerName

Use quotes within values to help you find the S3 bucket owner name of interest.

Examples

Show any findings with this name

s3.ownerName: Andrew Smith

Show any findings that contain parts of name

s3.ownerName: "Andrew Smith"

AWS: Security Group

These tokens are available in queries with resource.type:Security Group

securitygroup.description

Use quotes within values to help you find security groups with certain keywords in the security group description.

Examples

Show any findings with this description

securitygroup.description: Allow RDP to Windows Machines

Show any findings that contain parts of description

securitygroup.description: "Allow RDP to Windows Machines"

securitygroup.inboundRule.fromPort

Use an integer value ##### to find security groups having inbound rules with a certain from port.

Example

Show findings with this from port

securitygroup.inboundRule.fromPort: 200

securitygroup.inboundRule.ipProtocol

Select an IP protocol (tcp, udp, icmp) to find security groups having inbound rules with a certain IP protocol. Select from names in the drop-down menu.

Example

Show findings with the tcp protocol

securitygroup.inboundRule.ipProtocol: tcp

securitygroup.inboundRule.ipv4Range

Use a text value ##### to find security groups having inbound rules with a certain IPv4 range.

Example

Show findings with this range

securitygroup.inboundRule.ipv4Range: 203.0.113.0/24

securitygroup.inboundRule.ipv6Range

Use a text value ##### to find security groups having inbound rules with a certain IPv6 range.

Example

Show findings with this range

securitygroup.inboundRule.ipv6Range: 2001:db8::/32

securitygroup.inboundRule.toPort

Use an integer value ##### to find security groups having inbound rules with a certain to port.

Example

Show findings with this to port

securitygroup.inboundRule.toPort: 200

securitygroup.name

Use a text value ##### to find security groups with a certain group name in an inbound security group rule.

Example

Show findings with this group name

securitygroup.name: Windows RDP Allow Group

securitygroup.outboundRule.fromPort

Use an integer value ##### to find security groups having outbound rules with a certain from port.

Example

Show findings with this from port

securitygroup.outboundRule.fromPort: 200

securitygroup.outboundRule.ipProtocol

Select an IP protocol (tcp, udp, icmp) to find security groups having outbound rules with a certain IP protocol. Select from names in the drop-down menu.

Example

Show findings with the tcp protocol

securitygroup.outboundRule.ipProtocol: tcp

securitygroup.outboundRule.ipv4Range

Use a text value ##### to find security groups having outbound rules with a certain IPv4 range.

Example

Show findings with this range

securitygroup.outboundRule.ipv4Range: 203.0.113.0/24

securitygroup.outboundRule.ipv6Range

Use a text value ##### to find security groups having outbound rules with a certain IPv6 range.

Example

Show findings with this range

securitygroup.outboundRule.ipv6Range: 2001:db8::/32

securitygroup.outboundRule.toPort

Use an integer value ##### to find security groups having outbound rules with a certain to port.

Example

Show findings with this to port

securitygroup.outboundRule.toPort: 151

securitygroup.vpcId

Use a text value ##### to find resources having a certain VPC ID.

Example

Show findings with this VPC ID

securitygroup.vpcId: vpc-1e37cd76

Vulnerability Tokens

association.instances.vulnerability.qid

Use an integer value ##### to define the QID in question.

Example

Show findings with QID 90405

association.instances.vulnerability.qid:90405

association.instances.vulnerability.severity

Select a severity (1-5) to find resources having vulnerabilities with this severity. Select from values in the drop-down menu.

Example

Show findings with severity 4

association.instances.vulnerability.severity:4

association.instances.vulnerability.customerSeverity

Select a severity (1-5) to find resources having vulnerabilities with this customized severity. Select from values in the drop-down menu.

Example

Show findings with severity 3

association.instances.vulnerability.customerSeverity:3

association.instances.vulnerability.exploitability

Use quotes or backticks within values to help you find the known exploit description you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to this description

association.instances.vulnerability.exploitability: GIF Parser Heap

Show any findings that contain "GIF", "Parser" or "Heap" in description

association.instances.vulnerability.exploitability: "GIF Parser Heap"

Show any findings that match exact value

association.instances.vulnerability.exploitability: `GIF Parser Heap`

association.instances.vulnerability.patchAvailable

Use the values true | false to define vulnerabilities with patch available.

Examples

Show findings with patch available

association.instances.vulnerability.patchAvailable: "true"

Show findings with no patch available

association.instances.vulnerability.patchAvailable: "false"

association.instances.vulnerability.firstFound

Use a date range or specific date to define when findings were first found.

Examples

Show findings first found within certain dates

association.instances.vulnerability.firstFound: [2015-10-21 ... 2015-10-30]

Show findings first found starting 2015-10-01, ending 1 month ago

association.instances.vulnerability.firstFound: [2015-10-01 ... now-1M]

Show findings first found starting 2 weeks ago, ending 1 second ago

association.instances.vulnerability.firstFound: [now-2w ... now-1s]

Show findings first found on certain date

association.instances.vulnerability.firstFound:'2015-11-11'

association.instances.vulnerability.lastFound

Use a date range or specific date to define when findings were last found.

Examples

Show findings last found within certain dates

association.instances.vulnerability.lastFound: [2015-10-21 ... 2016-01-15]

Show findings last found starting 2016-01-01, ending 1 month ago

association.instances.vulnerability.lastFound: [2016-01-01 ... now-1M]

Show findings last found starting 2 weeks ago, ending 1 second ago

association.instances.vulnerability.lastFound: [now-2w ... now-1s]

Show findings last found on certain date

association.instances.vulnerability.lastFound:'2016-01-11'

Show findings last found on 2017-01-12 with patch available

vulnerabilities: (lastFound: '2017-01-12' AND association.instances.vulnerability.patchAvailable: "true")

association.instances.vulnerability.title

Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to this title

association.instances.vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

association.instances.vulnerability.title: "Remote Code"

Show any findings that match exact value

association.instances.vulnerability.title: `Remote Code`

association.instances.vulnerability.description

Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings related to description

association.instances.vulnerability.description: remote code execution

Show any findings that contain "remote" or "code" in description

association.instances.vulnerability.description: "remote code execution"

Show any findings that match exact value

association.instances.vulnerability.description: `remote code execution`

association.instances.vulnerability.cveIds

Use a text value ##### to find the CVE name you're interested in.

Example

Show findings with CVE name CVE-2015-0313

association.instances.vulnerability.cveIds: CVE-2015-0313

association.instances.vulnerability.category

Select a category (CGI, Database, Debian, OEL, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.

Example

Show findings with the category CGI

association.instances.vulnerability.category: "CGI"

association.instances.vulnerability.cvssInfo.baseScore

Use an integer value ##### to help you find the CVSS base score you're interested in.

Example

Show resources with this score

association.instances.vulnerability.cvssInfo.baseScore: 7.8

association.instances.vulnerability.cvssInfo.temporalScore

Use an integer value ##### to help you find the CVSS temporal score you're interested in.

Example

Show resources with this score

association.instances.vulnerability.cvssInfo.temporalScore: 6.4

association.instances.vulnerability.cvssInfo.accessVector

Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.

Example

Show findings with this name

association.instances.vulnerability.cvssInfo.accessVector: "NETWORK"

instance.securityGroup.name

Use a text value ##### to find the security group name you're looking for.

Examples

Find security groups related to name

instance.securityGroup.name: abc.qualys.com

Find security groups that match exact value

instance.securityGroup.name: `abc.qualys.com`

association.instances.publicIpAddress

Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.

Examples

Find security groups with this public IP address

association.instances.publicIpAddress: 52.70.141.154

Find security groups within this IP range

association.instances.publicIpAddress: [52.70.141.154 ... 52.70.141.164]

association.instances.vulnerability.port

Use an integer value ##### to help you find assets with some open port.

Example

Show vulnerabilities with port 80

association.instances.vulnerability.port: 80

association.instances.vulnerability.protocol

Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.

Examples

Show findings found on TCP

association.instances.vulnerability.protocol: TCP

Show findings found on port 80 and TCP

vulnerability: (port: 80 AND protocol: TCP)

Threat Protection

(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).

association.instances.vulnerability.threatIntel.activeAttacks

Use the values true | false to define real-time threats due to active attacks.

Example

Show resources with threats due to active attacks

association.instances.vulnerability.threatIntel.activeAttacks: "true"

association.instances.vulnerability.threatIntel.denialOfService

Use the values true | false to define real-time threats due to denial of service.

Example

Show resources with threats due to denial of service

association.instances.vulnerability.threatIntel.denialOfService: "true"

association.instances.vulnerability.threatIntel.easyExploit

Use the values true | false to define real-time threats due to easy exploit.

Example

Show resources with threats due to easy exploit

association.instances.vulnerability.threatIntel.easyExploit: "true"

association.instances.vulnerability.threatIntel.exploitKit

Use the values true | false to define real-time threats due to exploit kit.

Example

Show resources with threats due to exploit kit

association.instances.vulnerability.threatIntel.exploitKit: "true"

association.instances.vulnerability.threatIntel.exploitKitName

Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

association.instances.vulnerability.threatIntel.exploitKitName: Angler

Show any findings that match exact value

association.instances.vulnerability.threatIntel.exploitKitName: `Angler`

association.instances.vulnerability.threatIntel.highDataLoss

Use the values true | false to define real-time threats due to high data loss.

Example

Show resources with threats due to high data loss

association.instances.vulnerability.threatIntel.highDataLoss: "true"

association.instances.vulnerability.threatIntel.highLateralMovement

Use the values true | false to define real-time threats due to high lateral movement.

Example

Show resources with threats due to high lateral movement

association.instances.vulnerability.threatIntel.highLateralMovement: "true"

association.instances.vulnerability.threatIntel.malware

Use the values true | false to define real-time threats due to malware.

Example

Show resources with threats due to malware

association.instances.vulnerability.threatIntel.malware: "true"

association.instances.vulnerability.threatIntel.malwareName

Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

association.instances.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ

Show any findings that match exact value

association.instances.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`

association.instances.vulnerability.threatIntel.noPatch

Use the values true | false to define real-time threats due to no patch available.

Example

Show resources with threats due to no patch available

association.instances.vulnerability.threatIntel.noPatch: "true"

association.instances.vulnerability.threatIntel.publicExploit

Use the values true | false to define real-time threats due to public exploit.

Example

Show resources with threats due to public exploit

association.instances.vulnerability.threatIntel.publicExploit: "true"

association.instances.vulnerability.threatIntel.publicExploitName

Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.

Examples

Show any findings with this name

association.instances.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass

Show any findings that contain parts of name

association.instances.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"

Show any findings that match exact value

association.instances.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`

association.instances.vulnerability.threatIntel.zeroDay

Use the values true | false to define real-time threats due to zero day exploit.

Example

Show resources with threats due to zero day exploit

association.instances.vulnerability.threatIntel.zeroDay: "true"

AWS: Subnet

These tokens are available in queries with resource.type:Subnet

subnet.autoAssignIpv6Address

Use the values true | false to find a subnet with auto-assign IPv6 addresses enabled.

Examples

Show subnets with auto-assign IPv6 address

subnet.autoAssignIpv6Address: true

Show subnets without auto-assign IPv6 address

subnet.autoAssignIpv6Address: false

subnet.autoAssignPublicIp

Use the values true | false to find subnets where a public IPv4 address is assigned on launch.

Examples

Show subnets with public IP address assigned on launch

subnet.autoAssignPublicIp: true

Show subnets without public IP address assigned on launch

subnet.autoAssignPublicIp: false

subnet.availabilityZone

Use a text value ##### to find subnets by availability zone.

Example

Show findings in the us-east-1a availability zone

subnet.availabilityZone: us-east-1a

subnet.availableIpCount

Use a text value ##### to find subnets by available IP count.

Example

Show findings with this available IP count

subnet.availableIpCount: 4091

subnet.cidrBlock

Use a text value ##### to find resources having a certain IPv4 CIDR block.

Example

Show findings with this IPv4 CIDR block

subnet.cidrBlock: 172.31.0.0/16

subnet.defaultSubnet

Use the values true | false to find the default subnet.

Examples

Show subnets that are the default

subnet.defaultSubnet: true

Show subnets that are not the default

subnet.defaultSubnet: false

subnet.ipv6CidrBlock

Use a text value ##### to find resources having a certain IPv6 CIDR block.

Example

Show findings with this IPv6 CIDR block

subnet.ipv6CidrBlock: 2001:db8::/32

subnet.vpcId

Use a text value ##### to find resources with a certain VPC ID.

Example

Show findings with this VPC ID

subnet.vpcId: vpc-1e37cd76

AWS: VPC

These tokens are available in queries with resource.type:VPC

vpc.cidrBlock

Use a text value ##### to help you find resources (VPCs/subnets) having a certain IPv4 CIDR block.

Example

Show findings with this IPv4 CIDR block

vpc.cidrBlock: 172.31.0.0/16

vpc.defaultVpc

Use the values true | false to find the default VPC.

Examples

Show VPCs that are the default

vpc.defaultVpc: true

Show VPCs that are not the default

vpc.defaultVpc: false

vpc.instanceTenancy

Use quotes within values to find VPCs with a certain instance tenancy.

Examples

Show any findings with this tenancy

vpc.instanceTenancy: default

Show findings that contain parts of tenancy

vpc.instanceTenancy: "default"

vpc.ipv6CidrBlock

Use a text value ##### to find resources (VPCs/subnets) with a certain IPv6 CIDR block.

Example

Show findings with this IPv6 CIDR block

vpc.ipv6CidrBlock: 2001:db8::/32

 

AWS: RDS

These tokens are available in queries with resource.type:RDS

rds.dbInstanceIdentifier

Use a text value ##### to help you find resources (RDS) having a certain DB instance name.

Example

Show RDS resources with this DB instance name

rds.dbInstanceIdentifier: RDSdatabasename

rds.endpoint.port

Use a text value ##### to find RDS resources that use the specified port as their endpoint port.

Examples

Show RDS resources that use this port as endpoint

rds.endpoint.port: 5432

rds.engine

Use quotes within values to find resources with a certain engine name.

Examples

Show RDS resources with this engine name

rds.engine: mysql

rds.instanceClass

Use a text value ##### to find resources (RDS) with a certain size.

Example

Show RDS resources with this size

rds.instanceClass: db.t2.micro

rds.publiclyAccessible

Use the values true | false to find if the resource is publicly accessible or not.

Examples

Show RDS resources that are publicly accessible

rds.publiclyAccessible: true

Show RDS resources that are not publicly accessible

rds.publiclyAccessible: false

rds.securityGroup.id

Use a text value ##### to find RDS resources with the specified security group ID.

Examples

Show RDS resources with this security group ID

rds.securityGroup.id: sg-3abe5246

rds.status

Use a text value ##### to find resources (RDS) with a certain state.

Example

Show RDS resources that are available

rds.status: available

rds.subnetGroup.dbSubnetVpcId

Use a text value ##### to find resources (RDS) with a certain VPC ID.

Example

Show RDS resources with this VPC ID

rds.subnetGroup.dbSubnetVpcId: vpc-1e37cd76

 

AWS: EBS Volume

These tokens are available in queries with resource.type:EBS Volume

ebsvolume.encrypted

Use the values true | false to know if the resource is encrypted or not.

Examples

Show EBS volume resources that are encrypted.

ebsvolume.encrypted: true

ebsvolume.instance

Use a text value ##### to find EBS Volume resources with a certain instance ID.

Examples

Show resources with this instance ID

ebsvolume.instance: i-045d8dd17d8a2a96f

ebsvolume.state

Use available or in-use state to find EBS volume instances with a certain state.

Example

Show running EBS volume instances

ebsvolume.state: in-use

ebsvolume.volumeId

Use a text value ##### to find resources (EBS volume) with a certain volumeId.

Example

Show resources with this volumeId

ebsvolume.volumeId: vol-0ac36138436791ca5

 

AWS: Lambda Function

 

lambda.tracingConfig

Use the values Active or Passthrough to find Lambda functions by whether they sample and trace a subset of incoming requests with AWS X-Ray.

Example

Show resources that sample and trace incoming requests with AWS X-Ray (tracing set to Active)

lambda.tracingConfig: Active

lambda.timeout

Use a numeric value ##### in seconds to find resources (Lambda function) with a certain timeout value. Timeout is the amount of time that Lambda allows a function to run before stopping it. The default is 3 seconds, and the maximum allowable timeout value is 900 seconds.

Example

Show resources with a timeout of 3 seconds

lambda.timeout: 3

lambda.role

Use a text value ##### to find resources (Lambda function) with a certain role name.

Example

Show resources with role name as sample_role_lambda

lambda.role: sample_role_lambda

lambda.runtime

Use a text value ##### to find resources (Lambda function) based on the programming language used to write the lambda function.

Example

Show resources that are written in Python 2.7

lambda.runtime: python2.7

lambda.functionName

Use a text value ##### to find resources (Lambda function) with a certain name.

Example

Show resources with exact name match as sample_lambda_function

lambda.functionName: sample_lambda_function

lambda.memorySize

Use a numeric value ##### to find resources (Lambda function) based on memory size (in MB) assigned to lambda function for execution.

Example

Show resources with 128 MB memory allocated for execution

lambda.memorySize: 128

lambda.trigger.arn

Use a text value ##### to define the Amazon Resource Name (ARN) that triggers the Lambda function.

Example

Show resources that are triggered by the specified ARN

lambda.trigger.arn: arn:aws:iam::383031258652:user/LOCAL_1234

lambda.trigger.type

Use a text value ##### to define the type of trigger that executes the Lambda function.

Example

Show resources that are triggered by the s3 trigger type

lambda.trigger.type: s3

lambda.layer.name

Use a text value ##### to find resources (Lambda function) with name of layer assigned to the lambda function.

Example

Show resources with this name assigned to the layer

lambda.layer.name: Sample_layer_name

lambda.vpcId

Use a text value ##### to find resources (Lambda function) associated with a certain VPC ID.

Example

Show resources with this VPC ID

lambda.vpcId: vpc-4bd30131

tag.key

Use a text value ##### to define the key of an AWS or Azure tag assigned to the Lambda function (case sensitive).

Example

Show resources with key Department

tag.key: Department

tag.value

Use a text value ##### to define the value of an AWS or Azure tag assigned to the resource (case sensitive).

Example

Show resources with tag value Finance

tag.value: Finance