How to Search

Search by Field | String matching | Exact matching | Full text search | Suffix matching | Is Null queries | Range searches | Date searches | Multiple values | Boolean operators | Nested Queries

Search by Field

Enter the field name, then a colon, then your query. Nested fields are dot separated.

Examples:

vulnerabilities.category: "CGI"

users: asmith

String matching

Use single quotes or double quotes around your query to match a string. Your results will include any asset that contains the string.

Examples:

operatingSystem: 'Microsoft Windows'

operatingSystem: "Microsoft Windows"

Exact matching

Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.

Examples:

operatingSystem: `Windows 7 Ultimate Service Pack 1`

host.sensorUuid: `cbcb5ef6-1c49-3ba0-91c1-5462ffbd26af`

Full Text Search

Many asset fields containing text allow you to use full text search and advanced search capabilities.

Examples:

Show any findings related to this title

vulnerabilities.vulnerability.title: Remote Code Execution

Show any findings that contain "Remote" or "Code" in title

vulnerabilities.vulnerability.title: "Remote Code"

Show any findings that match exact value "Remote Code"

vulnerabilities.vulnerability.title: `Remote Code`

Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.

vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable: "true")

Suffix matching

Suffix matching is supported for the container name field "name". To match values ending in a string you specify, start the query string with *. Matches are case insensitive.

Example: This query matches container names ending in "53" like QK2K12QP3-65-53.

name:*53

Suffix matching is also supported for the field "host.hostname" but the syntax is different.

Example: These queries match assets with the hostname "T100.qualys.corp.com".

host.hostname:com

host.hostname:corp.com

host.hostname:qualys.corp.com

Is Null Queries

Want to match an empty/null value for a field? You'll need to remove the colon and then write "is null". For example, quickly find assets where the OS has not been identified.

Examples:

operatingSystem is null

macAddress is null

Range searches

Ranges are specified with the [lower .. upper] syntax. A square bracket [ ] includes the bound and a parenthesis ( ) excludes it, and the two can be mixed as shown below. This is supported for numeric and date fields.

Examples:

portMapping.hostPort:(123 .. 1234)  // Greater than but not equal to 123 and less than but not equal to 1234.

portMapping.hostPort:(123 .. 1234]  // Greater than but not equal to 123 and less than or equal to 1234.

portMapping.hostPort:[123 .. 1234)  // Greater than or equal to 123 and less than but not equal to 1234.

portMapping.hostPort:[123 .. 1234]  // Greater than or equal to 123 and less than or equal to 1234.

portMapping.hostPort > 123  // Greater than 123.

portMapping.hostPort >= 123  // Greater than or equal to 123.

portMapping.hostPort < 1234  // Less than 1234.

portMapping.hostPort <= 1234  // Less than or equal to 1234.

vulnerabilities.firstFound: [2015-01-01 .. 2015-04-01]  // Between January 1st and April 1st 2015.

Date searches

Use a date range [start date .. end date] or a specific date. Several date variables are also available.

Examples:

vulnerabilities.fixed: "2017-11-20"

vulnerabilities.fixed <= "2017-11-20"

vulnerabilities.fixed: ["2017-11-20" .. "2017-11-24"]

vulnerabilities.fixed: [now-3d .. now-1s]
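The bracket rules above are easy to get wrong by one at the endpoints, so here is a small local model of them, added as an illustration and not taken from Qualys code. It covers only the forms shown on this page (integers, YYYY-MM-DD dates, now-Nd and now-Ns); the function names and the midnight interpretation of a date bound are assumptions.

```python
import re
from datetime import datetime, timedelta

# Range shape from this page: '[' or '(', lower .. upper, then ']' or ')'.
RANGE_RE = re.compile(r'^\s*([\[(])\s*(.+?)\s*\.\.\s*(.+?)\s*([\])])\s*$')
# Only the relative forms shown on the page (now-3d, now-1s) are modelled.
NOW_RE = re.compile(r'^now-(\d+)([ds])$')


def parse_bound(text, now):
    """Turn one bound into an int (ports) or a datetime (dates)."""
    text = text.strip('"')
    if text.isdigit():
        return int(text)
    m = NOW_RE.match(text)
    if m:
        unit = 'days' if m.group(2) == 'd' else 'seconds'
        return now - timedelta(**{unit: int(m.group(1))})
    # Assumption: a YYYY-MM-DD bound is compared as midnight of that day.
    return datetime.strptime(text, '%Y-%m-%d')


def parse_range(expr, now):
    """Return (low, low_inclusive, high, high_inclusive) or raise ValueError."""
    m = RANGE_RE.match(expr)
    if not m:
        raise ValueError(f'not a range expression: {expr!r}')
    opener, low_text, high_text, closer = m.groups()
    low, high = parse_bound(low_text, now), parse_bound(high_text, now)
    if type(low) is not type(high) or low > high:
        raise ValueError(f'bounds are mixed or reversed: {expr!r}')
    return low, opener == '[', high, closer == ']'


def in_range(expr, value, now=None):
    """True if value falls inside expr; [ ] include a bound, ( ) exclude it."""
    low, low_incl, high, high_incl = parse_range(expr, now or datetime.now())
    above = value >= low if low_incl else value > low
    below = value <= high if high_incl else value < high
    return above and below


# The four hostPort ranges from the page, checked at both endpoints.
PAGE_RANGES = ['(123 .. 1234)', '(123 .. 1234]', '[123 .. 1234)', '[123 .. 1234]']
ENDPOINT_RESULTS = {r: (in_range(r, 123), in_range(r, 1234)) for r in PAGE_RANGES}
```

ENDPOINT_RESULTS maps each range to whether ports 123 and 1234 match it, which is the quickest way to confirm a filter does not silently drop a boundary port or date.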

Match multiple values

Use a bracketed list of values to match fields whose value is "In" or "Not In" that list. Available for all fields except analyzed fields (i.e. full text search fields).

Example: Find containers with at least one of these three CVE IDs:

vulnerabilities.cveids:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]

Example: Find containers with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12

not vulnerabilities.firstFound: ["2016-08-31","2016-09-12"]

Supported date formats:

YYYY example: vulnerabilities.firstFound:["2016","2017"]  // in 2016 or 2017

YYYY-MM example: vulnerabilities.firstFound:["2016-08","2016-09"]  // in month of Aug or Sept

YYYY-MM-DD example: vulnerabilities.firstFound:["2016-08-31","2016-08-30"]  // on one of exact dates

Boolean Operators

Use keywords AND, OR, NOT to narrow or broaden your search.

Examples:

operatingSystem: windows OR operatingSystem: linux

(operatingSystem: windows OR operatingSystem: linux) AND (portMapping.hostPort: 80 OR portMapping.hostPort: 8080) NOT operatingSystem: windows

Nested Queries

Use a single nested query, enclosed in parentheses, to include multiple fields in your query, as in the examples below.

Example: Find vulnerabilities that are severity 5 and in the DNS category

vulnerabilities: (severity: "5" AND category: "DNS")

Example: Find vulnerabilities that are severity 5, have Easy Exploit RTI, and first found in the last 5 days:

vulnerabilities: (severity: "5" AND threatIntel.easyExploit: true AND firstFound > now-5d)