On the Network tab of the Industrial Control System (ICS) application, use the following tokens to search the network traffic. Build your search queries by using various combinations of these tokens. Click each token for information about how to use it.
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
Show the network traffic with the source or destination asset as an OT device and use UDP as the transport protocol
hardware.type: `OT Device` and interfaces.transport.protocol:
UDP
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.
Example
Show the network traffic that does not have the source or destination asset as an OT device
not hardware.type: OT Device
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Examples
Show the network traffic with the source or destination asset as router or OT Device
hardware.type: `router` or hardware.type:
`OT Device`
Show the network traffic with the source asset as router or destination asset as OT Device
source.hardware.type: `router` or destination.hardware.type:
`OT Device`
Search the network traffic by the hostname of the source or destination asset. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with the hostname of the source or destination asset as PR_HOST_11
asset.name: `PR_HOST_11`
Search the network traffic by the hostname of the source. For exact search, enclose the token value in backticks `<value>`
Example
Show the network traffic with the hostname of the source as PR_HOST_11
source.asset.name: `PR_HOST_11`
Search the network traffic by the hostname of the destination. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with the hostname of the destination as PR_HOST_11
destination.asset.name: `PR_HOST_11`
Search the network traffic by IP address of source or destination. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with the IP address of the destination as 10.113.14.15
interfaces.address: `10.113.14.15`
Search the network traffic by IP address of source. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic that has IP address of the source asset’s as 10.113.14.15
source.interfaces.address: `10.113.14.15`
destination.interfaces.address
Search the network traffic by IP address of the destination. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic that has IP address of the destination asset as 10.114.15.16
destination.interfaces.address: `10.114.15.16`
Search the network traffic by hardware type of source or destination asset. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with the source or destination asset as HVAC Control
hardware.type: `HVAC Control`
Search the network traffic by hardware type of source asset . For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with the source asset as HVAC Control
source.hardware.type: `HVAC Control`
Search the network traffic by hardware type of destination asset . For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with the destination asset as Programmable Logic Controller (PLC)
destination.hardware.type: `Programmable Logic
Controller (PLC)`
Search the network traffic based on the application protocol. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the network traffic that uses ENIP as an application protocol
interfaces.protocol: `enip`
Show the network traffic that uses BACnet as an application protocol
interfaces.protocol: bacnet
Show the network traffic that uses CIP and ENIP as application protocols
interfaces.protocol: `cip, enip`
Search the network traffic based on the transport protocol. For exact search, enclose the token value in backticks <`value`>.
Examples
Show the network traffic that uses TCP as the transport protocol
interfaces.transport.protocol: `tcp`
Show the network traffic that uses UDP as the transport protocol
interfaces.transport.protocol: `udp`
Search network traffic by port of the destination asset. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the network traffic that has the destination asset’s port as 44818
destination.interfaces.port: 44818
Show the network traffic that has the destination asset’s ports as 80 and 443
destination.interfaces.port: [80, 443]
Search the network traffic by MAC address of the source or the destination asset. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with the MAC address of the source or the destination asset as 5c:88:16:9f:3b:00
interfaces.macAddress: `5c:88:16:9f:3b:00`
Search the network traffic by MAC address of the source. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with MAC address of the source asset as 5c:88:16:9f:3b:00
source.interfaces.macAddress: `5c:88:16:9f:3b:00`
destination.interfaces.macAddress
Search the network traffic by MAC address of the destination asset. For exact search, enclose the token value in backticks `<value>`.
Example
Show the network traffic with MAC address of the destination asset as 5c:88:16:9f:3b:00
destination.interfaces.macAddress: `5c:88:16:9f:3b:00`
Use an integer value ##### to find network traffic based on total traffic volume.
If the unit of network traffic is not specified with the token, the query searches the traffic volume in Bytes by default.
Examples
Show network traffic with total traffic equal to 10 GB
traffic.total: 10 GB
Show network traffic with total traffic greater than 10 MB
traffic.total > 10 MB
Show network traffic with total traffic greater than or equal to 10 MB
traffic.total >= 10 KB
Show network traffic with total traffic less than 10 GB
traffic.total < 10 GB
Show network traffic with total traffic less than or equal to 10 MB
traffic.total <= 10 MB
Show network traffic with total traffic not equal to 10 KB
traffic.total != 10 KB
Show network traffic with total traffic equal to 1048576 Bytes
traffic.total = 1048576
Use an integer value ##### to find network traffic based on ingress traffic volume.
Examples
Show network traffic with ingress traffic equal to 10 GB
traffic.ingress: 10 GB
Show network traffic with ingress traffic greater than 10 MB
traffic.ingress > 10 MB
Show network traffic with ingress traffic greater than or equal to 10 MB
traffic.ingress >= 10 KB
Show network traffic with ingress traffic less than 10 GB
traffic.ingress < 10 GB
Show network traffic with ingress traffic less than or equal to 10 MB
traffic.ingress <= 10 MB
Show network traffic with ingress traffic not equal to 10 KB
traffic.ingress!= 10 KB
Show network traffic with ingress traffic equal to 1048576 Bytes
traffic.ingress = 1048576
Use an integer value ##### to find network traffic based on egress traffic volume.
If the unit of network traffic is not specified with the token, the query searches the traffic volume in Bytes by default.
Examples
Show network traffic with egress traffic equal to 10 GB
traffic.egress: 10 GB
Show network traffic with egress traffic greater than 10 MB
traffic.egress > 10 MB
Show network traffic with egress traffic greater than or equal to 10 MB
traffic.egress >= 10 KB
Show network traffic with egress traffic less than 10 GB
traffic.egress < 10 GB
Show network traffic with egress traffic less than or equal to 10 MB
traffic.egress <= 10 MB
Show network traffic with egress traffic not equal to 10 KB
traffic.egress != 10 KB
Show network traffic with egress traffic equal to 1048576 Bytes
traffic.egress = 1048576
For information about search tokens on the Assets tab, see Assets Search Tokens.
For information about search tokens on the Vulnerabilities tab, see Vulnerabilities Search Tokens.
For information about search tokens on the Import Asset tab, see Import Asset Search Tokens.