Looking for listing of search tokens? Click here
Search by Field | String matching | Exact matching | Full text search | Suffix matching | Is Null queries | Range searches | Date searches | Multiple values | Boolean operators | Nested Queries
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Examples:
vulnerabilities.category: "CGI"
users: asmith
Use single quotes or double quotes around your query to match a string. Your results will include any asset that contains the string.
Examples:
operatingSystem: 'Microsoft Windows'
operatingSystem: "Microsoft Windows"
Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.
Examples:
operatingSystem: `Windows 7 Ultimate
Service Pack 1`
host.sensorUuid: `cbcb5ef6-1c49-3ba0-91c1-5462ffbd26af`
Many asset fields containing text allow you to use full text search and advanced search capabilities.
Examples:
Show any findings related to this title
vulnerabilities.vulnerability.title: Remote
Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote
Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title: `Remote
Code`
Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.
vulnerabilities.vulnerability: (title: `Remote
Code` AND patchAvailable: "true")
Suffix matchingSuffix matching is supported when searching for container name "name". Match asset values "ending in" a string you specify - using a string that starts with *. Matches are case insensitive.
Example: This query matches container names ending in "53" like QK2K12QP3-65-53.
name:*53
Suffix matching is also supported for the field "host
.hostname"
but the syntax is different.
Example: These queries match assets with the hostname "T100.qualys.corp.com".
host.hostname:com
host.hostname:corp.com
host.hostname:qualys.corp.com
Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem is null
macAddress is null
Ranges can be specified with the [lower .. upper]
syntax
using () and/or [] as follows. This is supported for numeric and date
fields.
Examples:
portMapping.hostPort:(123 .. 1234)
// Greater than but not equal to 123 and less than but not equal
to 1234.
portMapping.hostPort:(123 .. 1234]
// Greater than but not equal to 123 and less than or equal to 1234.
portMapping.hostPort:[123 .. 1234)
// Greater than or equal to 123 and less than but not equal to 1234.
portMapping.hostPort:[123 .. 1234]
// Greater than but or equal to 123 and less than or equal to 1234.
portMapping.hostPort > 123
// Greater than 123.
portMapping.hostPort >= 123
// Greater than or equal to 123.
portMapping.hostPort < 1234
// Less than 1234.
portMapping.hostPort <= 1234
// Less than or equal to 1234.
vulnerabilities.firstFound: [2015-01-01 .. 2015-04-01]
// Between January 1st and April 1st 2015.
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
Examples:
vulnerabilities.fixed: "2017-11-20"
vulnerabilities.fixed <= "2017-11-20"
vulnerabilities.fixed: ["2017-11-20"
.. "2017-11-24"]
vulnerabilities.fixed: [now-3d ..
now-1s]
Match multiple valuesUse to match values "In" or "Not In" fields. Available for all fields except analyzed fields (i.e. full text search fields).
Example: Find containers with at least one of these three CVE IDs:
vulnerabilities.cveids:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]
Example: Find containers with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12
not vulnerabilities.firstfound:="" ["2016-08-31","2016-09-12"]
Supported date formats:
YYYY example: vulnerabilities.firstFound:["2016","2017"] // in 2016 or 2017
YYYY-MM example: vulnerabilities.firstFound:["2016-08","2016-09"]
// in month of Aug or Sept
YYYY-MM-DD example: vulnerabilities.firstFound:["2016-08-31","2016-08-30"]
// on one of exact dates
Boolean OperatorsUse keywords AND, OR, NOT to narrow or broaden your search.
Examples:
operatingSystem: windows OR operatingSystem:
linux
(operatingSystem: windows OR operatingSystem:
linux) AND (portMapping.hostPort: 80 OR portMapping.hostPort: 8080) NOT
operatingSystem: windows
Nested QueriesUse a single nested query, using parentheses, to include multiple fields in your query per examples below.
Example: Find vulnerabilities that are severity 5 and are confirmed
vulnerabilities: (severity: "5" AND category: "DNS")
Example: Find vulnerabilities that are severity 5, have Easy Exploit RTI, and first found in the last 5 days:
vulnerabilities: (severity: "5" AND threatIntel.easyExploit: true AND firstFound > now-5d)