On the Vulnerabilities tab of the Industrial Control System (ICS) portal, use the following tokens to search the passively discovered vulnerabilities for the assets in your ICS inventory. Build your search queries by using various combinations of these tokens. Click each token for information about how to use it.
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
Show HIGH criticality vulnerabilities detected on assets running Windows 2012 operating system
vulnerabilities.vulnerability.criticality: HIGH
and vulnerabilities.hostOS: `Windows 2012`
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.
Examples
Exclude potential vulnerabilities from search results
not vulnerabilities.typeDetected: Potential
Show the vulnerabilities detected on Windows 2012 assets but exclude the vulnerabilities with the criticality level LOW from this search condition
not vulnerabilities.vulnerability.criticality: LOW
and vulnerabilities.hostOS: `Windows2012`
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Example
Show the vulnerabilities detected on either of the Windows versions
vulnerabilities.hostOS: `Windows 2012`
or vulnerabilities.hostOS: `Windows2012 R2`
Use the asset name as the token value to find vulnerabilities detected on a particular asset. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the vulnerabilities detected on assets name related to Car Assembly
vulnerabilities.asset.name: Car Assembly
Show the vulnerabilities detected on assets containing Car or Assembly or both in their names.
vulnerabilities.asset.name: “Car Assembly”
Show the vulnerabilities detected on the asset with the name ACMENVT7.
vulnerabilities.asset.name: `ACMENVT7`
Find the vulnerabilities on the assets by asset type. For exact search, enclose the token value in backticks `<value>`.
Example
Show the vulnerabilities that are detected on PLC (Programmable Logic Controllers)
vulnerabilities.asset.type: `PLC`
Use an asset ID as the token value to find the vulnerabilities detected on a particular asset. An asset ID is the Qualys asset ID (UUID) assigned by an agent or by a scanner appliance in case of Agentless Tracking. For exact search, enclose the token value in backticks `<value>`. You can search for an asset ID or a comma-separated list of multiple asset IDs enclosed in square brackets.
Examples
Show the vulnerabilities detected on the asset having UUID 56863af6-301e-3788-aa95-95b5f844ad2a
vulnerabilities.assetID: `56863af6-301e-3788-aa95-95b5f844ad2a`
Show the vulnerabilities detected on the specified assets
vulnerabilities.assetID: [25f90e1a-625c-3b79-b13d-ab2b46bed55a,
6b7e8400-167b-3596-a712-78377f16d3f7]
Find the vulnerabilities based on a firmware version of the assets. For exact search, enclose the token value in backticks `<value>`. You can search for a single firmware version or a comma-separated list of firmware versions enclosed in square brackets.
Examples
Show the vulnerabilities detected on assets having firmware version 30.1
vulnerabiliites.firmware: `30.1`
Show the vulnerabilities detected on the assets having the specified firmware versions
vulnerabiliites.firmware: [4.003, 2.6.1]
Use a date range or specific date to find the vulnerabilities found on the asset for the first time.
Supported date formats: yyyy-MM-dd,yyyy-MM, yyyy
Examples
Show the vulnerabilities that were found for the first time on the specified date
vulnerabilities.firstFound: '2020-01-13'
Show the vulnerabilities that were found for the first time within past 90 days (excluding day 90)
vulnerabilities.firstFound > now-90d
Show the vulnerabilities that were found for the first time within past 90 days (including day 90)
vulnerabilities.firstFound >= now-90d
Show the vulnerabilities that were found for the first time before past 90 days (excluding day 90)
vulnerabilities.firstFound < now-90d
Show the vulnerabilities that were found for the first time before past 90 days (including day 90)
vulnerabilities.firstFound <= now-90d
Show the vulnerabilities that were found for the first time within the specified date range
vulnerabilities.firstFound: [2020-01-01 .. 2020-01-10]
Show the vulnerabilities that were found for the first time from two weeks ago till a second ago
vulnerabilities.firstFound: [now-2w .. now-1s]
vulnerabilities.hardware.model
Find the vulnerabilities on assets by their hardware model name. For exact search, enclose the token value in backticks `<value>`. You can search for a single hardware model name or specify a comma-separated list of hardware models enclosed in square brackets.
Examples
Show the vulnerabilities detected on the assets having the specified hardware model
vulnerabilities.hardware.model: `6ES7511-1AK01-0AB0`
Show the vulnerabilities detected on assets having the specified hardware models
vulnerabilities.hardware.model: [1766-L32BXBA,
6ES7511-1AK01-0AB0]
vulnerabilities.hardware.product
Find the vulnerabilities on the assets by their hardware product name. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the vulnerabilities detected on assets related to the hardware product name.
vulnerabilities.hardware.product: Allen-Bradley
FLEX I/O EtherNet/IP Adapter Module
Show the vulnerabilities detected on assets containing any part of the hardware product name
vulnerabilities.hardware.product: “Allen-Bradley
FLEX I/O EtherNet/IP Adapter Module”
Show the vulnerabilities detected on assets having Allen-Bradley FLEX I/O EtherNet/IP Adapter Module as their hardware product
vulnerabilities.hardware.product: `Allen-Bradley
FLEX I/O EtherNet/IP Adapter Module`
Find the vulnerabilities on the assets by their hardware type. For exact search, enclose the token value in backticks `<value>`.
Example
Show the vulnerabilities identified on the PLC assets
vulnerabilities.hardware.type: `PLC`
vulnerabilities.hardware.vendor
Find the vulnerabilities on assets by their hardware vendor. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the vulnerabilities detected on assets related to hardware vendor Schneider Electric
vulnerabilities.hardware.vendor: Schneider Electric
Show the vulnerabilities detected on assets that contain Schneider or Electric, or both in their hardware vendor name
vulnerabilities.hardware.vendor: “Schneider Electric”
Show the vulnerabilities detected on assets having Siemens as their hardware vendor
vulnerabilities.hardware.vendor: `Siemens`
vulnerabilities.hardware.version
Examples
Show the vulnerabilities detected on assets having hardware version 5
vulnerabilities.hardware.version: `5`
Show the vulnerabilities detected on assets having the specified hardware versions
vulnerabilities.hardware.version: [3, 5]
Find the vulnerabilities identified on a particular host operating system. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the vulnerabilities identified on assets related to Windows 2012
vulnerabilities.hostOS: Windows 2012
Show the vulnerabilities identified on assets running any version of Windows Server 2012 (for example, Standard, Enterprise Edition, Datacenter) with any service pack installed
vulnerabilities.hostOS: “Windows 2012”
Show the vulnerabilities identified on assets running Windows 2012
vulnerabilities.hostOS: `Windows 2012`
vulnerabilities.interfaces.address
Use an IP address as the token value to find vulnerabilities detected on that interface. You can search a single IP address or a comma-separated list of IP addresses enclosed in square brackets.
Examples
Show the vulnerabilities detected on the specified interface address
vulnerabilities.interfaces.address: 192.168.1.10
Show the vulnerabilities detected on the specified IP address range
vulnerabilities.interfaces.address: [172.168.0.1..192.168.1.51]
vulnerabilities.interfaces.macaddress
Use MAC address as the token value to find vulnerabilities detected on a specific interface. For exact search, enclose the token value in backticks `<value>`.
Example
Show the vulnerabilities detected on the specified MAC address
vulnerabilities.interfaces.macaddress:
`5C-88-16-A9-73-5A`
Use a date range or specific date to find the vulnerabilities found last time on the asset .
Supported date formats: yyyy-MM-dd,yyyy-MM, yyyy
Examples
Show the vulnerabilities last found on the specified date
vulnerabilities.lastFound: '2020-01-13'
Show the vulnerabilities last found within past 90 days (excluding day 90)
vulnerabilities.lastFound > now-90d
Show the vulnerabilities last found within past 90 days (including day 90)
vulnerabilities.lastFound >= now-90d
Show the vulnerabilities last found before past 90 days (excluding day 90)
vulnerabilities.lastFound < now-90d
Show the vulnerabilities last found before past 90 days (including day 90)
vulnerabilities.lastFound <= now-90d
Show the vulnerabilities last found within the specified date range
vulnerabilities.lastFound: [2020-01-01 ... 2020-01-10]
Show the vulnerabilities last found from two weeks ago till a second ago
vulnerabilities.lastFound: [now-2w ... now-1s]
Find the vulnerabilities on assets having a specific discovery protocol. Assets are inventoried in Qualys ICS by using ICS protocols. For exact search, enclose the token value in backticks `<value>`.
Examples
Show the vulnerabilities detected on assets having Modbus TCP discovery protocol
vulnerabilities.protocol: `Modbus
TCP`
Show the vulnerabilities detected on assets having Ethernet/IP discovery protocol
vulnerabilities.protocol: `ENIP`
Find vulnerabilities by their severity levels. Choose the severity level from 1 to 5 from the available option.
Example
Show the vulnerabilities having a severity level of 5
vulnerabilities.severity: 5
Find the vulnerabilities by their status. Choose the status from the available options (ACTIVE, FIXED, NEW, REOPENED).
Examples
Show the vulnerabilities detected for the first time by a scan
vulnerabilities.status: NEW
Show the vulnerabilities that are verified by the recent scan as fixed
vulnerabilities.status: FIXED
Find the vulnerabilities based on their detection type. Choose the type from the available options (Confirmed, Information, Potential).
Example
Show the vulnerabilities of the type Confirmed
vulnerabilities.typeDetected: Confirmed
vulnerabilities.vulnerability.criticality
Find the assets with vulnerabilities according to their criticality level. Choose the criticality level from the available options (CRITICAL, HIGH, MEDIUM, LOW, NONE).
Examples
Show the vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: HIGH
Show the vulnerabilities with MEDIUM criticality
vulnerabilities.vulnerability.criticality: MEDIUM
vulnerabilities.vulnerability.cveIds
Find the vulnerabilities by their CVE IDs. You can search for a single CVE ID or a comma-separated list of multiple CVE IDs enclosed in square brackets.
The CVE in the query is case-sensitive and must be used in the capital case.
Examples
Show the vulnerability having the specified CVE ID
vulnerabilities.vulnerability.cveIds: CVE-2019-19281
Show the vulnerability having the specified CVE IDs
vulnerabilities.vulnerability.cveIds: [CVE-2016-8672,
CVE-2016-9158, CVE-2019-19281]
vulnerabilities.vulnerability.patchAvailable
Select TRUE or FALSE to search vulnerabilities by the availability of patches.
Examples
Show the vulnerabilities for which patches are available
vulnerabilities.vulnerability.patchAvailable: TRUE
Show the vulnerabilities for which patches are not available
vulnerabilities.vulnerability.patchAvailable: FALSE
vulnerabilities.vulnerability.qid
Find the vulnerabilities by their Qualys IDs. You can search for a single QID or a comma-separated list of multiple QIDs enclosed in square brackets.
Examples
Show the vulnerability having the specified QID
vulnerabilities.vulnerability.qid: 42405
Show the vulnerability having the specified QIDs
vulnerabilities.vulnerability.qid: [42405, 42413,
42414]
vulnerabilities.vulnerability.threatIntel
Find the vulnerabilities with Real-time Threat Indicators. Choose the threat indicators from the available options (Active Attacks, Denial of Service, Easy Exploit, Remote Code Execution, etc.)
Examples
Show assets with vulnerabilities due to Active Attacks
vulnerabilities.vulnerability.threatIntel: Active
Attacks
Show assets with vulnerabilities due to Denial of Service
Vulnerabilities.vulnerability.threatIntel: Denial
of Service
Show assets with vulnerabilities due to Remote Code Execution
vulnerabilities.vulnerability.threatIntel: Remote
Code Execution
vulnerabilities.vulnerability.title
Find the vulnerabilities by their titles. For exact search, enclose the token value in backticks` <value>`.
Examples
vulnerabilities.vulnerability.title: Remote Code
Execution
Show the vulnerabilities that contain “Remote,” “Code,” “Execution,” or "Remote Code Execution" in any combination in their titles
vulnerabilities.vulnerability.title: "Remote
Code Execution"
Show the vulnerability having the specified title
vulnerabilities.vulnerability.title:
`Rockwell Automation ControlLogix PLC Multiple Vulnerabilities(ICSA-13-011-03)`
For information about search tokens on the Assets tab, see Assets Search Tokens.
For information about search tokens on the Network tab, see Network Search Tokens.
For information about search tokens on the Import Asset tab, see Import Asset Search Tokens.