Looking for listing of search tokens? Click here
Search by Field | String matching | Exact matching | Full text search | Suffix matching | Is Null queries | Range searches | Date searches | Multiple values | Boolean operators | Nested Queries
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Use single quotes or double quotes around your query to match a string. Your results will include any asset that contains the string.
operatingSystem: 'Microsoft Windows'
operatingSystem: "Microsoft Windows"
Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.
operatingSystem: `Windows 7 Ultimate
Service Pack 1`
Many asset fields containing text allow you to use full text search and advanced search capabilities.
Show any findings related to this title
Show any findings that contain "Remote" or "Code" in title
Show any findings that match exact value "Remote Code"
Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.
vulnerabilities.vulnerability: (title: `Remote
Code` AND patchAvailable: "true")
Suffix matching is supported when searching for container name "name". Match asset values "ending in" a string you specify - using a string that starts with *. Matches are case insensitive.
Example: This query matches container names ending in "53" like QK2K12QP3-65-53.
Suffix matching is also supported for the field "
but the syntax is different.
Example: These queries match assets with the hostname "T100.qualys.corp.com".
Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.
operatingSystem is null
macAddress is null
Ranges can be specified with the
[lower .. upper] syntax
using () and/or  as follows. This is supported for numeric and date
portMapping.hostPort:(123 .. 1234)
// Greater than but not equal to 123 and less than but not equal
portMapping.hostPort:(123 .. 1234]
// Greater than but not equal to 123 and less than or equal to 1234.
portMapping.hostPort:[123 .. 1234)
// Greater than or equal to 123 and less than but not equal to 1234.
portMapping.hostPort:[123 .. 1234]
// Greater than but or equal to 123 and less than or equal to 1234.
portMapping.hostPort > 123
// Greater than 123.
portMapping.hostPort >= 123
// Greater than or equal to 123.
portMapping.hostPort < 1234
// Less than 1234.
portMapping.hostPort <= 1234
// Less than or equal to 1234.
vulnerabilities.firstFound: [2015-01-01 .. 2015-04-01]
// Between January 1st and April 1st 2015.
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
vulnerabilities.fixed <= "2017-11-20"
vulnerabilities.fixed: [now-3d ..
Match multiple values
Use to match values "In" or "Not In" fields. Available for all fields except analyzed fields (i.e. full text search fields).
Example: Find containers with at least one of these three CVE IDs:
vulnerabilities.cveids:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]
Example: Find containers with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12
not vulnerabilities.firstfound:="" ["2016-08-31","2016-09-12"]
Supported date formats:
YYYY example: vulnerabilities.firstFound:["2016","2017"] // in 2016 or 2017
// in month of Aug or Sept
// on one of exact dates
Use keywords AND, OR, NOT to narrow or broaden your search.
operatingSystem: windows OR operatingSystem:
(operatingSystem: windows OR operatingSystem:
linux) AND (portMapping.hostPort: 80 OR portMapping.hostPort: 8080) NOT
Use a single nested query, using parentheses, to include multiple fields in your query per examples below.
Example: Find vulnerabilities that are severity 5 and are confirmed
vulnerabilities: (severity: "5" AND category: "DNS")
Example: Find vulnerabilities that are severity 5, have Easy Exploit RTI, and first found in the last 5 days:
vulnerabilities: (severity: "5" AND threatIntel.easyExploit: true AND firstFound > now-5d)