A complete list of tokens for writing search queries is provided below.
General | AWS EC2 | IBM | Microsoft Azure | Google Cloud Platform | Assets | Threat Protection | Compliance | Oracle Cloud Compute Instance
Quick links: AWS EC2 | Microsoft Azure | Google Cloud Platform | Assets | Threat Protection | Compliance
Use these tokens when searching your AWS EC2 assets on the Assets list.
- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.
Examples
Find EC2 instances that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
Examples
Show findings with a cloud agent
aws.ec2.hasAgent: true
Show findings without a cloud agent
aws.ec2.hasAgent: false
Examples
Find instances related to name
aws.ec2.hostname: abc.qualys.com
Find instances that match exact value
aws.ec2.hostname: `abc.qualys.com`
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
Examples
Show findings where assets are scanners
aws.ec2.isQualysScanner: true
Show findings where assets are not scanners
aws.ec2.isQualysScanner: false
Example
Find EC2 instances with this kernel ID
aws.ec2.kernelId: aki-70ab0c10
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]
Example
Find the EC2 instance with this public DNS address
aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
Example
Find EC2 instances in the US East (N. Virginia) region
aws.ec2.region.name: US East (N. Virginia)
Examples
Show EC2 Spot instances
aws.ec2.spotInstance: "true"
Show EC2 instances that are not Spot instances
aws.ec2.spotInstance: "false"
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
Use these token when searching IBM assets on the Assets list.
Example
Find IBM virtual server with this Id
ibm.virtualServer.id: '123741814'
Example
Find IBM virtual server with this location
ibm.virtualServer.location: 'dal13'
Example
Find IBM virtual server datacenter with this Id
ibm.virtualServer.datacenterId: '1854895'
Example
Find IBM virtual server with this device name
ibm.virtualServer.deviceName: 'virtualserver01.Qualys-Inc.cloud'
Example
Find IBM virtual server with this public IP address
ibm.virtualServer.publicIpAddress: '150.238.75.107'
Example
Find IBM virtual server with this private IP address
ibm.virtualServer.privateIpAddress: '10.187.94.40'
Example
Find IBM virtual server with this public vlan
ibm.virtualServer.publicVlan: '1796'
Example
Find IBM virtual server with this private vlan
ibm.virtualServer.privateVlan: '2236'
Example
Find IBM virtual server with this domain
ibm.virtualServer.domain: 'Qualys-Inc.cloud'
Use these tokens when searching Microsoft Azure assets on the Assets list.
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
Example
Find Azure instances in this location
azure.vm.location: westus
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
Examples
Find Azure instances with this virtual network
azure.vm.virtualNetwork: `mburton01-vnet`
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ... 13.126.125.255]
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Example
Find running Azure instances
azure.vm.state: RUNNING
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
Example
Find Azure instances with cloud agent installed
azure.vm.hasAgent: true
Find Azure instances without cloud agent
azure.vm.hasAgent: false
Use these tokens when searching Google Cloud Platform assets on the Assets list.
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
Example
Find GCP instances with this MAC address
gcp.compute.macAddress: '000D3A36DDED'
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 ... 10.240.0.30]
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 ... 104.196.57.218]
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
Examples
Find running GCP instances
gcp.compute.state: RUNNING
All tokens below are available with AssetView.
Example
Show assets with this exact username (case sensitive)
accounts.username: Administrator
Show assets with username starting with "Admin" (case sensitive)
accounts.username: Admin
Examples
Show assets activated for VM
activatedForModules: "VM"
Show assets activated for VM and PC
activatedForModules: "VM" AND activatedForModules:
"PC"
Example
Show assets with agents activated using this key
agentActivations.key: 057cc48a-8d84-48eb-add4-97a605d0567d
Example
Show assets with active agents
agentActivations.status: ACTIVE
Example
Show assets with active agents
agentStatus: ACTIVE
Example
Show the asset with this agent ID
agentID: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Example
Show findings with agent version 1.3.2.0
agentVersion: 1.3.2.0
Example
Show this assets with this category
assetCategory: hardware
Examples
Show this asset ID
assetId: 2918869
Show asset IDs in this range
assetId: [3546997 .. 12945655]
Show the 2 asset IDs listed
assetId: [3546997,12945655]
Example
Show the list of assets that have Anti-malware enabled and have asset tag as Cloud Agent
isAntiMalwareInstalled: true and tags.name: "Cloud Agent"
Examples
Show this assets tracked by IP
trackingMethod: IP
Show asset tracked by NETBIOS
trackingMethod: NETBIOS
Examples
Show any findings related to profile name
configurationProfile: Initial Profile
Show any findings that contain parts of the name
configurationProfile: "Initial Profile"
Show any findings that match exact value
configurationProfile: `Initial Profile`
Example
Show findings detected by connector name myec2
connectors.connector.name: myec2
Note: The query result count will include the number for terminated instances too.
Example
Show assets that have 2 CPUs
cpuCount: 2
Example
Show findings for an external IP address that an agent connected from
connectedFrom: 10.0.100.11
Examples
Show assets created within certain dates
created: [2016-01-01 ... 2016-01-10]
Show assets created starting 2015-10-01, ending 1 month ago
created: [2015-10-01 ... now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
created: [now-2w ... now-1s]
Show assets created on specific date
created:'2016-01-08'
Example
Show findings with this Docker version
docker.dockerVersion:17.3
Example
Show findings with 2 Docker containers
docker.noOfContainers:2
Example
Show findings with 5 Docker images
docker.noOfImages:5
Example
Show docker hosts
isDockerHost:true
Example
Show docker hosts with container sensor installed.
docker.hasSensor:true
Example
Show agents with error status
errorStatus: "true"
Examples
Show agents that are FIM capable and activated for FIM
fimCapable: "true"
Show agents that are not FIM capable but can be upgraded to FIM capability
fimCapable: "false"
Examples
Show any findings that match exact value
hardware.category:Printers/Laser
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category1:Printers
Example
If you are searching for assets that are laser printers, then category1 is Printers and category2 is Laser.
Show any findings that match exact value
hardware.category2:Laser
Example
Show any findings that match exact value "Dell"
hardware.manufacturer:`Dell`
Example
Show any findings that match exact value "Latitude"
hardware.product:`Latitude`
Example
Show any findings that match exact value "e7470"
hardware.model:`De7470`
Example
Show End-of-Sale hardware
hardware.lifecycle.stage:"EOS"
Examples
Show findings with hardware obsolete date in this date range
hardware.lifecycle.obs:[2019-01-01 ... 2019-01-15]
Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.obs:[2019-01-15 ... now-1M]
Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.obs:[now-2w ... now-1s]
Show findings with this hardware obsolete date
hardware.lifecycle.obs:'2019-03-18'
Examples
Show findings with hardware End-of-Sale date in this date range
hardware.lifecycle.eos:[2019-01-01 ... 2019-01-15]
Show findings with hardware End-of-Sale date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.eos:[2019-01-15 ... now-1M]
Show findings with hardware End-of-Sale date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.eos:[now-2w ... now-1s]
Show findings with this hardware End-of-Sale date
hardware.lifecycle.eos:'2019-03-18'
Examples
Show findings with hardware introduction date in this date range
hardware.lifecycle.intro:[2019-01-01 ... 2019-01-15]
Show findings with hardware introduction date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.intro:[2019-01-15 ... now-1M]
Show findings with hardware introduction date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.intro:[now-2w ... now-1s]
Show findings with this hardware introduction date
hardware.lifecycle.intro:'2019-03-18'
Examples
Show findings with hardware GA date in this date range
hardware.lifecycle.ga:[2019-01-01 ... 2019-01-15]
Show findings with hardware GA date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.ga:[2019-01-15 ... now-1M]
Show findings with hardware GA date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.ga:[now-2w ... now-1s]
Show findings with this hardware GA date
hardware.lifecycle.ga:'2019-03-18'
Example
Show assets that have this host ID
hostId: 2918869
Examples
Show the asset with IPv4 address
interfaces.address: 10.10.100.20
Show the asset with IPv6 address (enclose value in single quotes)
interfaces.address: 'fe80:0:0:0:2501:b53c:4139:404b'
Example
Show the asset with DNS address 10.0.100.11
interfaces.dnsAddress: 10.0.100.11
Example
Show assets with this default gateway address
interfaces.gatewayAddress: 10.11.65.1
Examples
Show any findings related to name
interfaces.hostname: xpsp2-jp-26-111
Show any findings related to name (we'll match super domains)
interfaces.hostname: com-pa3020-36.eng.sjc01.qualys.com
Show any findings that match exact value
interfaces.hostname: `xpsp2-jp-26-111`
interfaces.hostname: `com-pa3020-36.eng.sjc01.qualys.com`
Show any findings that match domain name
interfaces.hostname: qualys.com
interfaces.hostname: sjc01.qualys.com
interfaces.hostname: eng.sjc01.qualys.com
Show any findings starting with string (case sensitive)
interfaces.hostname: xp*
interfaces.hostname: com-pa30*
Show any findings ending with string
interfaces.hostname: *111
interfaces.hostname: *lys.com
Example
Show the asset with name PRO/1000
interfaces.interfaceName: PRO/1000
Example
Show the asset with this MAC address
interfaces.macAddress: "00-50-56-A9-73-5A"
Examples
Show findings with last activity within certain dates
lastActivity: [2016-01-01 ... 2016-01-10]
Show findings with last activity starting 2015-10-01, ending 1 month ago
lastActivity: [2015-10-01 ... now-1M]
Show findings with last activity starting 2 weeks ago, ending 1 second ago
lastActivity: [now-2w ... now-1s]
Show findings with last activity on a specific date
lastActivity:'2015-12-01'
Examples
Show findings with last check in within a specific date range.
lastCheckedIn:[2020-01-01 ... 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
lastCheckedIn:[2019-11-01 ... now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago
lastCheckedIn:[now-2w ... now-1s]
Show findings with last check in on a specific date
lastCheckedIn:'2020-02-11'
Show findings with last check in before (older than) last 30 days.
lastCheckedIn<now-30d
Note: We recommend not to use the NOT operator in your range search to form a query like NOT lastCheckedIn:[now-30d...now-2s]. See 'QQL Best Practices' topic in the Unified Dashboard online Help.
Show findings with last check in within last 30 days excluding day 30
lastCheckedIn>now-30d
Show findings with last check in within last 30 days including day 30
lastCheckedIn>=now-30d
Show findings with last check in which is older than last 30 days excluding day 30
lastCheckedIn<now-30d
Show findings with last check in which is older than last 30 days including day 30
lastCheckedIn<=now-30d
Examples
Show findings with last compliance scan within certain dates
lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
lastComplianceScanDate: [2016-10-15 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastComplianceScanDate: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
lastComplianceScanDate:'2017-02-18'
Examples
Show findings with last full scan within certain dates
lastFullScan: [2016-01-01 ... 2016-01-10]
Show findings with last full scan starting 2015-10-01, ending 1 month ago
lastFullScan: [2015-10-01 ... now-1M]
Show findings with last full scan starting 2 weeks ago, ending 1 second ago
lastFullScan: [now-2w ... now-1s]
Show findings with last full scan on a specific date
lastFullScan:'2016-02-08'
Examples
Show findings with last inventory scan within certain dates
lastInventory: [2018-06-01 ... 2018-06-10]
Show findings with last inventory scan on specific date
lastInventory:'2018-07-25'
Examples
Show findings with last inventory scan within certain dates
lastInventoryDate: [2018-05-01 ... 2018-06-28]
Show findings with last inventory scan starting 2018-06-15, ending 1 month ago
lastInventoryDate: [2018-06-15 ... now-1M]
Show findings with last inventory scan starting 3 weeks ago, ending 1 second ago
lastInventoryDate: [now-3w ... now-1s]
Show findings with last inventory scan on specific date
lastInventoryDate:'2018-07-10'
Examples
Show assets with last logon by user asmith
lastLoggedOnUser: asmith
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDate: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDate: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDate: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDate:'2017-04-10'
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDateAgent:[2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateAgent:[2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateAgent:[now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDateAgent:'2017-04-10'
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateScanner: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateScanner: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDateScanner:'2017-04-10'
Examples
Show findings with last policy compliance scan within certain dates
lastPcScanDateAgent:[2017-01-01 ... 2017-02-10]
Show findings with last policy compliance scan starting 2016-11-01, ending 1 month ago
lastPcScanDateAgent:[2016-11-01 ... now-1M]
Show findings with last policy compliance scan starting 2 weeks ago, ending 1 second ago
lastPcScanDateAgent:[now-2w ... now-1s]
Show findings with last policy compliance scan on specific date
lastPcScanDateAgent:'2017-04-10'
Examples
Show findings with last policy compliance scan within certain dates
lastPcScanDateScanner:[2017-01-01 ... 2017-02-10]
Show findings with last policy compliance scan starting 2016-11-01, ending 1 month ago
lastPcScanDateScanner:[2016-11-01 ... now-1M]
Show findings with last policy compliance scan starting 2 weeks ago, ending 1 second ago
lastPcScanDateScanner:[now-2w ... now-1s]
Show findings with last policy compliance scan on specific date
lastPcScanDateScanner:'2017-04-10'
Examples
Show any findings related to name
name: QK2K12QP3-65-53
Show any findings that match exact value
name: `QK2K12QP3-65-53`
Examples
Show assets with this exact name (case sensitive)
netbiosName: EC2AMAZ-19OC2IT
Show assets with name starting with "EC2" (case sensitive)
netbiosName: EC2
Show assets with name ending with "c2it" (case insensitive)
netbiosName: *c2it
Examples
Show any findings with this description
openPorts.description: Windows Remote Desktop
Show any findings that contain parts of description
openPorts.description: "Windows Remote Desktop"
Show any findings that match exact value
openPorts.description: `Windows Remote Desktop`
Examples
Show any findings with this service name
openPorts.detectedService: win_remote_desktop
Show any findings that match exact value
openPorts.detectedService: `win_remote_desktop`
Examples
Show findings with open ports first found within certain dates
openPorts.firstFound: [2017-06-15 ... 2017-06-30]
Show findings with open ports first found starting 2017-06-22, ending 1 month ago
openPorts.firstFound: [2017-06-22 ... now-1M]
Show findings with open ports first found starting 2 weeks ago, ending 1 second ago
openPorts.firstFound: [now-2w ... now-1s]
Show findings with open ports first found on specific date
openPorts.firstFound:'2017-06-14'
Examples
Show findings with open ports last updated within certain dates
openPorts.lastUpdated: [2017-06-15 ... 2017-06-30]
Show findings with open ports last updated starting 2017-06-22, ending 1 month ago
openPorts.lastUpdated: [2017-06-22 ... now-1M]
Show findings with open ports last updated starting 2 weeks ago, ending 1 second ago
openPorts.lastUpdated: [now-2w ... now-1s]
Show findings with open ports last updated on specific date
openPorts.lastUpdated:'2017-06-14'
Example
Show assets with open port 80
openPorts.port: 80
Examples
Show findings found on TCP
openPorts.protocol: TCP
Show findings found on port 80 and TCP
openPorts: (port: 80 AND protocol: TCP)
Examples
Show assets pending activation for VM
pendingActivationForModules: "VM"
Show assets pending activation for VM and FIM
pendingActivationForModules: "VM"
AND pendingActivationForModules: "FIM"
Examples
Show any findings with this description
processors.description: intel
Show any findings that match exact value
processors.description: `intel`
Example
Show assets with this processor speed
processors.speed: 1995
Examples
Show assets synced from Amazon AWS
provider: "AWS"
Example
Show assets with this Qualys Correlation ID
qualysCorrelationID: "0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058"
Show assets without any Qualys Correlation ID
qualysCorrelationID: "UNIDENTIFIED"
Show assets all assets with Qualys Correlation ID
qualysCorrelationID: "*"
Examples
Show any findings with this description
services.description: Windows Event Log
Show any findings that contain parts of description
services.description: "Windows Event Log"
Show any findings that match exact value
services.description: `Windows Event Log`
Examples
Show any findings with this name
services.name: eventlog
Show any findings that match exact value
services.name: `eventlog`
Examples
Show any findings with this status
services.status: running
Show any findings that match exact value
services.status: `running`
Example
Show any findings that match exact value
software.architecture:64-Bit
Example
Show any findings that match exact value
software.edition:Professional
Example
Show any findings that match exact value
software.category:Application Development/Testing
Example
If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
software.category1:Application Development
Example
If you are searching for assets having testing software, then category1 is Application Development and category2 is Testing.
Show any findings that match exact value
software.category2:Testing
Examples
Show assets with software first found within certain dates
software.firstFound: [2017-06-15 ... 2017-06-30]
Show assets with software first found starting 2017-06-22, ending 1 month ago
software.firstFound: [2017-06-22 ... now-1M]
Show assets with software first found starting 2 weeks ago, ending 1 second ago
software.firstFound: [now-2w ... now-1s]
Show assets with software first found on specific date
software.firstFound:'2017-06-14'
Examples
Show assets with software last updated within certain dates
software.lastUpdated: [2017-06-15 ... 2017-06-30]
Show assets with software last updated starting 2017-06-22, ending 1 month ago
software.lastUpdated: [2017-06-22 ... now-1M]
Show assets with software last updated starting 2 weeks ago, ending 1 second ago
software.lastUpdated: [now-2w ... now-1s]
Show assets with software last updated on specific date
software.lastUpdated:'2017-06-14'
Examples
Show assets with software installed within certain dates
software.installedDate:[2018-01-15 ... 2018-03-12]
Show assets with software installed starting 2018-01-22, ending 1 month ago
software.installedDate:[2018-01-22 ... now-1M]
Show assets with software installed starting 2 weeks ago, ending 1 second ago
software.installedDate:[now-2w ... now-1s]
Show assets with software installed on specific date
software.installedDate:'2018-02-16'
Example
Show any findings that match exact value
software.marketVersion:7
Example
Show any findings that match exact value
software.majorVersion:1.19.0.0
Examples
Show any findings with this name
software.name: VMware Tools
Show any findings that contain parts of name
software.name: "VMware Tools"
Show any findings that match exact value
software.name: `VMware Tools`
Find assets with certain tag and software installed
tags.name: `Cloud Agent` AND software: (name:
`Cisco AnyConnect Secure Mobility Client` AND version:
`3.1.12345`)
Example
Show findings with this exact product name
software.product:Office
Example
Show findings with this exact software publisher
software.publisher:Microsoft
Example
Show findings having this software type
software.type:Installer Package
Example
Show findings with this exact software update version
software.update:16.0.1.2
Example
Show findings with this version
software.version: 8.6.10
Find assets with certain tag and software installed
tags.name: `Cloud Agent` AND software: (name:
`Cisco AnyConnect Secure Mobility Client` AND version:
`3.1.12345`)
Examples
Show findings having this software lifecycle stage
software:(lifecycle.stage:eol)
Show findings having software category Windows and software lifecycle stage "active"
software:(category:Windows AND lifecycle.stage:eol)
Examples
Show findings with software GA date in this date range
software:(lifecycle.ga:[2019-01-01 ... 2019-01-15])
Show findings with woftware GA date starting 2019-01-15, ending 1 month ago
software:(lifecycle.ga:[2019-01-15 ... now-1M])
Show findings with software GA date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.ga:[now-2w ... now-1s])
Show findings with this software GA date
software:(lifecycle.ga:'2019-03-18')
Examples
Show findings with software End-of-Life date in this date range
software.lifecycle.eol:[2019-01-01 ... 2019-01-15]
Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago
software.lifecycle.eol:[2019-01-15 ... now-1M]
Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago
software.lifecycle.eol:[now-2w ... now-1s]
Show findings with this software End-of-Life date
software.lifecycle.eol:'2019-03-18'
Examples
Show findings with software End-of-Support date in this date range
software.lifecycle.eos:[2019-01-01 ... 2019-01-15]
Show findings with software End-of-Support date starting 2019-01-15, ending 1 month ago
software.lifecycle.eos:[2019-01-15 ... now-1M]
Show findings with software End-of-Support date starting 2 weeks ago, ending 1 second ago
software.lifecycle.eos:[now-2w ... now-1s]
Show findings with this software End-of-Support date
software.lifecycle.eos:'2019-03-18'
Example
Show any findings that match exact value
software:(license.subcategory:Apache 2.0)
Example
Show any findings that match exact value
software:(license.category:`Open Source`)
Examples
Show any findings with this description
system.biosDescription: Phoenix Technologies
Show any findings that contain parts of name
system.biosDescription: "Phoenix Technologies"
Show any findings that match exact value
system.biosDescription: `Phoenix Technologies`
Examples
Show assets last booted within certain dates
system.lastBoot: [2016-01-01 ... 2016-01-10]
Show assets last booted starting 2015-10-01, ending 1 month ago
system.lastBoot: [2015-10-01 ... now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
system.lastBoot: [now-2w ... now-1s]
Show assets last booted on a specific date
system.lastBoot:'2016-01-08'
Examples
Show any findings with this name
system.manufacturer: dell
Show any findings that match exact value
system.manufacturer: `dell`
Examples
Show any findings with this name
system.model: optiplex
Show any findings that match exact value
system.model: `optiplex`
Example
Show assets with this timezone
system.timezone: "-08:00"
Example
Show assets with this total system memory
system.totalMemory: 1024
Examples
Show assets with agents assigned a UDC manfest
udcManifestAssigned: "true"
Show assets with agents not assigned a UDC manifest
udcManifestAssigned: "false"
Examples
Show assets updated within certain dates
updated: [2016-01-01 ... 2016-01-10]
Show assets updated starting 2015-10-01, ending 3 months ago
updated: [2015-10-01 ... now-3M]
Show assets updated starting 2 weeks ago, ending 1 second ago
updated: [now-2w ... now-1s]
Show assets updated on a specific date
updated:'2016-01-10'
Example
Show assets with this free volume space
volumes.free: 448312320
Example
Show assets with this volume name
volumes.name: /boot
Example
Show assets with this volume size
volumes.size: 481529856
Example
Show all findings that have vulnerabilities
vulnerabilities: *
Examples
Show findings first found within certain dates
vulnerabilities.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
vulnerabilities.firstFound:'2015-11-11'
Examples
Show findings last found within certain dates
vulnerabilities.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
vulnerabilities.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12'
AND vulnerability.patchAvailable: "true")
Example
Show findings with this type
vulnerabilities.typeDetected: "Confirmed"
Examples
Show findings on non-exploitable kernels
vulnerabilities.nonExploitableKernel:TRUE
Examples
Show findings on non-exploitable config
vulnerabilities.nonExploitableConfig:TRUE
Examples
Show findings on non-exploitable services
vulnerabilities.nonExploitableService:TRUE
Example
Show findings with Windows auth type
vulnerabilities.vulnerability.authTypes: "WINDOWS_AUTH"
Example
Show findings with BugTraq ID 22211
vulnerabilities.vulnerability.bugTraqIds: 22211
Example
Show findings with the category CGI
vulnerabilities.vulnerability.category: "CGI"
Examples
Show any findings related to this description
vulnerabilities.vulnerability.compliance.description: malicious
software
Show any findings that contain "malicious" or "software" in description
vulnerabilities.vulnerability.compliance.description: "malicious
software"
Show any findings that match exact value
vulnerabilities.vulnerability.compliance.description: `malicious
software`
Examples
Show any findings related to this section
vulnerabilities.vulnerability.compliance.section: 164.308
Show any findings that match exact value
vulnerabilities.vulnerability.compliance.section: `164.308`
Example
Show findings with the compliance type HIPAA
vulnerabilities.vulnerability.compliance.type: "HIPAA"
Examples
Show any findings related to consequence
vulnerabilities.vulnerability.consequence: sensitive
information
Show any findings that contain "sensitive" or "information" in consequence
vulnerabilities.vulnerability.consequence: "sensitive
information"
Show any findings that match exact value
vulnerabilities.vulnerability.consequence: `sensitive
information`
Example
Show findings with CVE name CVE-2015-0313
vulnerabilities.vulnerability.cveIds: CVE-2015-0313
Note: The CVE in the query is case sensitive and must be used in capital case.
Example
Show findings with this name
vulnerabilities.vulnerability.cvssInfo.accessVector: "NETWORK"
Example
Show assets with this score
vulnerabilities.vulnerability.cvssInfo.baseScore: 7.8
Example
Show assets with this score
vulnerabilities.vulnerability.cvssInfo.temporalScore: 6.4
Examples
Show any findings related to description
vulnerabilities.vulnerability.description: remote
code execution
Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description: "remote
code execution"
Show any findings that match exact value
vulnerabilities.vulnerability.description: `remote
code execution`
Example
Show findings with Remote discovery type
vulnerabilities.vulnerability.discoveryTypes: Remote
Examples
Show any findings related to this description
vulnerabilities.vulnerability.exploitability: GIF
Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerabilities.vulnerability.exploitability: "GIF
Parser Heap"
Show any findings that match exact value
vulnerabilities.vulnerability.exploitability: `GIF
Parser Heap`
Example
Show findings with this property
vulnerabilities.vulnerability.flags: PCI_RELATED
Example
Show any findings related to impact
vulnerabilities.vulnerability.impact: sensitive information
Show any findings that contain "sensitive" or "information" in consequence
vulnerabilities.vulnerability.impact: "sensitive
information"
Show any findings that match exact value "sensitive information"
vulnerabilities.vulnerability.impact: 'sensitive information'
Example
Show findings with vulnerabilities in SANS Top 20
vulnerabilities.vulnerability.lists: SANS_20
Examples
Show any findings related to this OS value
vulnerabilities.vulnerability.os: windows
Show any findings that match exact value
vulnerabilities.vulnerability.os: `windows`
Examples
Show findings with patch available
vulnerabilities.vulnerability.patchAvailable: "true"
Show findings with no patch available
vulnerabilities.vulnerability.patchAvailable: "false"
Example
Show assets with this patch QID
vulnerabilities.vulnerability.patches: 90753
Examples
Show findings for vulnerabilities published within certain dates
vulnerabilities.vulnerability.published: [2015-10-21
... 2016-01-15]
Show findings for vulnerabilities published starting 2016-01-01, ending 1 month ago
vulnerabilities.vulnerability.published: [2016-01-01
... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.published: [now-2w ...
now-1s]
Show findings for vulnerabilities published on certain date
vulnerabilities.vulnerability.published:'2015-07-15'
Example
Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
Example
Show findings with risk 50
vulnerabilities.vulnerability.risk: 50
Example
Show findings with this category name
vulnerabilities.vulnerability.sans20Categories: "Media
Players"
Example
Show findings with severity 4
vulnerabilities.severity: "4"
Examples
Show any findings related to this solution
vulnerabilities.vulnerability.solution: Bulletin MS10-006
Show any findings that contain parts of solution
vulnerabilities.vulnerability.solution: "Bulletin
MS10-006"
Show any findings that match exact value
vulnerabilities.vulnerability.solution: `Bulletin
MS10-006`
Examples
Show any findings related to this title
vulnerabilities.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote
Code"
Show any findings that match exact value
vulnerabilities.vulnerability.title: `Remote Code`
Example
Show findings with this type
vulnerabilities.vulnerability.types: "VULNERABILITY"
Examples
Show vulnerabilities updated within certain dates
vulnerabilities.vulnerability.updated: [2015-10-21
... 2015-10-30]
Show vulnerabilities updated starting 2015-11-01, ending 1 month ago
vulnerabilities.vulnerability.updated: [2015-11-01
... now-1M]
Show vulnerabilities updated stating 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.updated: [now-2w ...
now-1s]
Show vulnerabilities updated on certain date
vulnerabilities.vulnerability.updated: '2015-03-08'
Example
Show findings with this reference
vulnerabilities.vulnerability.vendorRefs: KB3021953
Examples
Show vulnerabilities with patch available at Qualys
vulnerabilities.vulnerability.qualysPatchable: "true"
Show vulnerabilities with patch not available at Qualys
vulnerabilities.vulnerability.qualysPatchable: "false"
Examples
Show vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: "HIGH"
Example
Show assets with operating system Windows and Linux
operatingSystem: windows and operatingSystem:
linux
Example
Show assets that don't have Windows operating system
not operatingSystem: windows
Example
Show assets with one of these tag names
tag.name: Cloud Agent or tag.name: HQ
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
Example
Show assets with threats due to active attacks
vulnerabilities.vulnerability.threatIntel.activeAttacks: "true"
Example
Show assets with threats due CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:
"true"
Show assets that don't have threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:
"false"
Example
Show assets with threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService:
"true"
Example
Show assets with threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit: "true"
Example
Show assets with threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: "true"
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.exploitKitName:
Angler
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.exploitKitName:
`Angler`
Example
Show assets with threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss: "true"
Example
Show assets with threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement:
"true"
Example
Show assets with threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: "true"
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
Example
Show assets with threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: "true"
Example
Show assets with threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit: "true"
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.publicExploitName:
RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
vulnerabilities.vulnerability.threatIntel.publicExploitName:
"RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.publicExploitName:
`RealVNC NULL Authentication Mode Bypass`
Example
Show assets with threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: "true"
Examples
Show assets with wormable threats
vulnerabilities.vulnerability.threatIntel.wormable: "true"
Examples
Show assets with predicted high risk threat
vulnerabilities.vulnerability.threatIntel.predictedHighRisk:
"true"
Examples
Show assets with ransomeware threat
vulnerabilities.vulnerability.threatIntel.ransomware:
"true"
Examples
Show assets with Solorigate Sunburst threat
vulnerabilities.vulnerability.threatIntel.solorigateSunburst:
"true"
Use these tokens for searching compliance policies.
Examples
Show any findings related to this statement
statement: Accept Remote rsyslog Messages Only on
Designated Log Hosts - ModLoad
Show any findings that contain parts of statement
statement: "Accept Remote rsyslog Messages Only
on Designated Log Hosts - ModLoad"
Show findings that match exact value
statement: `Accept Remote rsyslog Messages Only on
Designated Log Hosts - ModLoad`
Example
Find policies for CID 1071
cid: "1071"
Examples
Show any findings related to this policy name
policy: Policy to test Error out on 1.2 release
Show any findings that contain parts of policy name
policy: "Policy to test Error out on 1.2 release"
Show findings that match exact value
policy: `Policy to test Error out on 1.2 release`
Examples
Show any findings related to this category
category: OS Security Settings
Show any findings that contain parts of category name
category: "OS Security Settings"
Show findings that match exact value
category: `OS Security Settings`
Example
Show policies of this posture
posture: "FAIL"
Example
Show policies of this criticality
criticality: "URGENT"
Use these tokens for searching Oracle Cloud Compute instances (OCI).
Example
Show assets with this OCI ID
oci.compute.ociId:ocid1.compartment.oc1..1234567lbhcx2ajiagh57wrurvqs2ubd4ttaimgy22cxh3r6brpmmugq'
Example
Show assets with this OCI compartment ID
oci.compute.compartmentId:ocid1.compartment.oc1..123452sjze35z6bkhvwjtzzgcp534zj4o75tgsizg3q36wl447jvfg6dq'
Example
Show assets with this OCI compartment name
oci.compute.compartmentName:ocid1.compartment.abc'
Example
Show assets with display name oracle 8.
oci.compute.displayName:oracle 8
Example
Show all assets with the shape x5-2.36.512
oci.compute.shape:x5-2.36.512
Example
Show all assets with the region us-east-1
oci.compute.region:us-east-1
Example
Show all assets with the region key SYD
oci.compute.regionKey:SYD
Example
Show all assets with the region realm OC1
oci.compute.regionRealm:OC1
Example
Show all assets with the available domain Lhkx:US-ASHBURN-AD-1
oci.compute.availabilityDomain:Lhkx:US-ASHBURN-AD-1
Example
Show all assets with the created time 2021-02-09T07:24:31.000Z (Use 2021-02-09 while searching in UI)
oci.compute.timeCreated:2021-02-09
Example
Show all assets with the ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq image ID
oci.compute.imageId:ocid1.image.oc1.iad.aaaaaaaaffp3cnkpfxibzrdkfnxbitkgxk7al33rrhpzhfnrhfv7ml2xdpyq
Example
Show all assets with fault domain FAULT-DOMAIN-1
oci.compute.faultDomain:FAULT-DOMAIN-1
Example
Show all findings with the host name oracle-8
oci.compute.hostName:oracle-8
Example
Show all assets with the canonical region name us-ashburn-1
oci.compute.canonicalRegionName:us-ashburn-1
Example
Show all assets that are Qualys Scanner.
oci.compute.isQualysScanner:"true"
Example
Show all assets with having cloud agent installed
oci.compute.hasAgent:"true"
Example
Show all assets with the VNIC ID ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
oci.vnic.vnicId:ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
Example
Show all assets with this VCN ID
oci.vnic.vcnId:ocid1.vnic.oc1.iad.abuwcljt6cdjcuwhkce37madk4p6bd6ocjknilpwzai5rsyjejteiodyp22q
Example
Show all assets with this private IP
oci.vnic.privateIp:10.0.0.222
Example
Show all assets with this public IP
oci.vnic.publicIp:10.0.0.222
Example
Find OCI instances with this subnet ID
oci.vnic.subnetId: subnet-bc02c0d4
Example
Find OCI instances with this subnet name
oci.vnic.subnetName: subnet-abc
Example
Show all assets with this vcn name
oci.vnic.vcnName:abc
Example
Show all assets with the vlan tag 1
oci.vnic.vlanTag:1
Example
Show all assets with the MAC address 02:00:17:06:bd:b3
oci.vnic.macAddr:02:00:17:06:bd:b3
Example
Show all assets with the router IP 10.0.0.1
oci.vnic.virtualRouterIp:10.0.0.1
Example
Show all assets with the block 10.0.0.0/24
oci.vnic.subnetCidrBlock:10.0.0.0/24
Example
Show all assets with the index 1
oci.vnic.nicIndex:1
Example
Show all assets with the compute state Starting
oci.compute.state:STARTING
Example
Show all assets with the specific tenant ID
oci.compute.tenantId:ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq
Example
Show all assets with the specific tenant name
oci.compute.tenantName:oraclecengg1