You can use the search tokens available in Vulnerabilities tab and refine your search results. We have broadly classified the search tokens for asset and vulnerability search in Vulnerabilities tab. Click each token to learn more about it.
Generic | Vulnerability | Asset | Asset Inventory | RTIs | Threat Feed | AWS | Microsoft Azure | GCP | IBM | Passive Scanner
Example
Find assets with certain tag and software installed
tags.name:`Cloud Agent` and software:
(name:`Cisco AnyConnect Secure Mobility Client`
and version:`3.1.12345`)
Example
Show assets that don't have Windows operating system
not operatingSystem: Windows
Example
Show findings with one of these tag values
tags.name:Cloud Agent or tags.name:Windows
Use these tokens to define search criteria for vulnerabilities.
Examples
Show findings first found within certain dates
vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFound:[2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFound:[now-2w ... now-1s]
Show findings first found on certain date
vulnerabilities.firstFound:'2016-11-11'
Examples
Show any findings related to name
vulnerabilities.hostAssetName:QK2K12QP3-65-53
Show any findings that contain parts of name
vulnerabilities.hostAssetName:"QK2K12QP3-65-53"
Show any findings that match exact value "QK2K12QP3-65-53"
vulnerabilities.hostAssetName:`QK2K12QP3-65-53`
Examples
Show any findings with this OS name
vulnerabilities.hostOS:Windows 2012
Show any findings that contain components of OS name
vulnerabilities.hostOS:"Windows 2012"
Show any findings that match exact value "Windows 2012"
vulnerabilities.hostOS:`Windows 2012`
Examples
Show findings with vulnerabilities detected
vulnerabilities.found:TRUE
Examples
Show findings with vulnerabilities disabled
vulnerabilities.disabled:TRUE
vulnerabilities.detectionScore
Examples
Show vulnerabilities with detection score 80
vulnerabilities.detectionScore:80
Show vulnerabilities with detection score 25
vulnerabilities.detectionScore:25
Examples
Show findings last found within certain dates
vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFound:[2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFound:[now-2w ... now-1s]
Show findings last found on certain date
vulnerabilities.lastFound:'2016-01-11'
Show findings last found within certain number of days
vulnerabilities.lastFound: [91..180]
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound:'2017-01-12'
AND vulnerability.patchAvailable:TRUE)
vulnerabilities: (lastFound: AND vulnerability.patchAvailable:TRUE)
vulnerabilities.nonExploitableConfig
Examples
Show findings with non exploitable configurations
vulnerabilities.nonExploitableConfig:TRUE
Show findings with exploitable configurations
vulnerabilities.nonExploitableConfig:FALSE
vulnerabilities.nonRunningKernel
Examples
Show detections found on non-running Kernal
vulnerabilities.nonRunningKernel:TRUE
Show detections found on running Kernal
vulnerabilities.nonRunningKernel:FALSE
Examples
Show vulnerabilities associated with SSL
vulnerabilities.ssl:TRUE
Example
Show vulnerabilities found on this port
vulnerabilities.port:443
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Example
Show vulnerabilities found on TCP protocol
vulnerabilities.protocol:TCP
Example
Show vulnerabilities that are marked as ignored
vulnerabilities.ignored:TRUE
Example
Show vulnerabilities found on this instance
vulnerabilities.instance: 354216
vulnerabilities.runningService
Example
Show vulnerabilities found on running service
vulnerabilities.runningService:TRUE
Show vulnerabilities found on non-running service
vulnerabilities.runningService:FALSE
Example
Show findings with severity 5
vulnerabilities.severity:5
Note: If you have customized the severity for a QID, you can use the new severity to filter the token only after the scan is completed.
If you select the status as Fixed, the list will only show vulnerabilities that are fixed in the last 365 days.
Example
Show vulnerabilities with New status
vulnerabilities.status:NEW
Example
Show findings with this type
vulnerabilities.typeDetected:Confirmed
vulnerabilities.vulnerability.authTypes
Example
Show findings with Windows auth type
vulnerabilities.vulnerability.authTypes:WINDOWS_AUTH
vulnerabilities.vulnerability.bugTraqIds
Example
Show findings with BugTraq ID 22211
vulnerabilities.vulnerability.bugTraqIds:22211
vulnerabilities.vulnerability.category
Example
Show findings with category CGI
vulnerabilities.vulnerability.category:CGI
vulnerabilities.vulnerability.compliance.description
Examples
Show any findings related to this description
vulnerabilities.vulnerability.compliance.description:malicious
software
Show any findings that contain "malicious" or "software" in description
vulnerabilities.vulnerability.compliance.description:"malicious
software"
Show any findings that match exact value "malicious software"
vulnerabilities.vulnerability.compliance.description:`malicious
software`
vulnerabilities.vulnerability.compliance.section
Examples
Show any findings related to this section
vulnerabilities.vulnerability.compliance.section:164.308
Show any findings that contain parts of section
vulnerabilities.vulnerability.compliance.section:"164.308"
Show any findings that match exact value "164.308"
vulnerabilities.vulnerability.compliance.section:`164.308`
vulnerabilities.vulnerability.compliance.type
Example
Show findings with the compliance type HIPAA
vulnerabilities.vulnerability.compliance.type:HIPAA
vulnerabilities.vulnerability.impact
Examples
Show any findings related to impact
vulnerabilities.vulnerability.impact:sensitive
information
Show any findings that contain "sensitive" or "information" in consequence
vulnerabilities.vulnerability.impact:"sensitive
information"
Show any findings that match exact value "sensitive information"
vulnerabilities.vulnerability.impact:`sensitive
information`
vulnerabilities.vulnerability.cveIds
Example
Show findings with CVE name CVE-2015-0313
vulnerabilities.vulnerability.cveIds:CVE-2015-0313
vulnerabilities.vulnerability.cvss3Info.basescore
Example
Show assets with this score
vulnerabilities.vulnerability.cvss3Info.basescore:7.8
vulnerabilities.vulnerability.cvss3Info.temporalScore
Example
Show assets with this score
vulnerabilities.vulnerability.cvss3Info.temporalScore:6.4
vulnerabilities.vulnerability.cvss2Info.accessVector
Example
Show findings with this name
vulnerabilities.vulnerability.cvss2Info.accessVector:NETWORK
vulnerabilities.vulnerability.cvss2Info.baseScore
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2Info.baseScore:7.8
vulnerabilities.vulnerability.cvss2Info.temporalScore
Example
Show assets with this score
vulnerabilities.vulnerability.cvss2Info.temporalScore:6.4
vulnerabilities.vulnerability.discoveryTypes
Example
Show findings with Remote discovery type
vulnerabilities.vulnerability.discoveryTypes:REMOTE
vulnerabilities.vulnerability.exploitability
Examples
Show any findings related to this description
vulnerabilities.vulnerability.exploitability:GIF
Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerabilities.vulnerability.exploitability:"GIF
Parser Heap"
Show any findings that match exact value "GIF Parser Heap"
vulnerabilities.vulnerability.exploitability:`GIF
Parser Heap`
vulnerabilities.vulnerability.flags
Example
Show findings with this flag
vulnerabilities.vulnerability.flags:PCI_RELATED
vulnerabilities.vulnerability.os
Examples
Show any findings related to this OS value
vulnerabilities.vulnerability.os:windows
Show any findings that contain parts of OS value
vulnerabilities.vulnerability.os:"windows"
Show any findings that match exact value "windows"
vulnerabilities.vulnerability.os:`windows`
vulnerabilities.vulnerability.patchAvailable
Examples
Show findings with patch available
vulnerabilities.vulnerability.patchAvailable:TRUE
Show findings with no patch available
vulnerabilities.vulnerability.patchAvailable:FALSE
vulnerabilities.vulnerability.pci
Examples
Show PCI vulnerabilities
vulnerabilities.vulnerability.pci:TRUE
Do not show PCI vulnerabilities
vulnerabilities.vulnerability.pci:FALSE
vulnerabilities.vulnerability.rebootRequired
Examples
Show vulnerabilities that need reboot.
vulnerabilities.vulnerability.rebootRequired: TRUE
vulnerabilities.vulnerability.qid
Example
Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.ransomware.name
Example
Show findings with this name
vulnerabilities.vulnerability.ransomware.name: Locky
Show findings that match exact value
vulnerabilities.vulnerability.ransomware.name: Locky
vulnerabilities.vulnerability.sans20Categories
Example
Show findings with this category name
vulnerabilities.vulnerability.sans20Categories:Media
Players
vulnerabilities.vulnerability.solution
Examples
Show any findings related to this solution
vulnerabilities.vulnerability.solution:Bulletin
MS10-006
Show any findings that contain parts of solution
vulnerabilities.vulnerability.solution:"Bulletin
MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
vulnerabilities.vulnerability.solution:`Bulletin
MS10-006`
vulnerabilities.vulnerability.supportedBy
Example
Show vulnerabilities supported by Linux Agent
vulnerabilities.vulnerability.supportedBy:LINUX_AGENT
vulnerabilities.vulnerability.title
Examples
Show any findings related to this title
vulnerabilities.vulnerability.title:Remote Code
Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title:"Remote
Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title:`Remote Code`
vulnerabilities.vulnerability.types
Example
Show findings with this type
vulnerabilities.vulnerability.types:VULNERABILITY
vulnerabilities.vulnerability.vendorRefs
Example
Show this vendor reference
vulnerabilities.vulnerability.vendorRefs:KB3021953
vulnerabilities.vulnerability.vendors.productName
Example
Show findings with this vendor product name
vulnerabilities.vulnerability.vendors.productName:Windows
vulnerabilities.vulnerability.vendors.vendorName
Example
Show findings with this vendor name
vulnerabilities.vulnerability.vendors.vendorName:Adobe
vulnerabilities.nonExploitableKernel
Examples
Show findings on non-exploitable kernels
vulnerabilities.nonExploitableKernel:TRUE
vulnerabilities.nonExploitableService
Examples
Show findings on non-exploitable services
vulnerabilities.nonExploitableService:TRUE
vulnerabilities.vulnerability.patchReleased
Examples
Show findings last found within certain dates
vulnerabilities.vulnerability.patchReleased:[2018-10-21
... 2019-01-15]
Show findings last found starting 2020-01-01, ending 1 month ago
vulnerabilities.vulnerability.patchReleased:[2020-01-01
... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.patchReleased:[now-2w
... now-1s]
Show findings last found on certain date
vulnerabilities.vulnerability.patchReleased:'2020-01-02'
Examples
Show findings last found 3 times
vulnerabilities.timesFound:3
vulnerabilities.vulnerability.kbAge
Example
Show findings/QIDs that were recently published (in the last 30 days)
vulnerabilities.vulnerability.kbAge:[00..30]
Example
Show findings that were detected in the last 30 days.
vulnerabilities.detectionAge:[00..30]
vulnerabilities.vulnerability.description
Examples
Show any findings related to description
vulnerabilities.vulnerability.description:remote
code execution
Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description:"remote
code execution"
Show any findings that match exact value "remote code execution"
vulnerabilities.vulnerability.description:`remote
code execution`
vulnerabilities.vulnerability.lists
Example
Show findings with vulnerabilities in SANS Top 20
vulnerabilities.vulnerability.lists:SANS_20
vulnerabilities.vulnerability.patches
Example
Show assets with this patch QID
vulnerabilities.vulnerability.patches:90753
vulnerabilities.vulnerability.published
Examples
Show findings for vulnerabilities published within certain dates
vulnerabilities.vulnerability.published:[2015-10-21
... 2016-01-15]
Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago
vulnerabilities.vulnerability.published:[2017-01-01
... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.published:[now-2w
... now-1s]
Show findings for vulnerabilities published on certain date
vulnerabilities.vulnerability.published:'2018-01-15'
vulnerabilities.vulnerability.risk
Example
Show findings with risk 50
vulnerabilities.vulnerability.risk:50
vulnerabilities.vulnerability.qualysPatchable
Examples
Show vulnerabilities with patch available at Qualys
vulnerabilities.vulnerability.qualysPatchable: "true"
Show vulnerabilities with patch not available at Qualys
vulnerabilities.vulnerability.qualysPatchable: "false"
vulnerabilities.vulnerability.criticality
Examples
Show vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: "HIGH"
vulnerabilities.vulnerability.updated
Examples
Show vulnerabilities updated within certain dates
vulnerabilities.vulnerability.updated:[2017-10-21
... 2017-10-30]
Show vulnerabilities updated starting 2017-11-01, ending 1 month ago
vulnerabilities.vulnerability.updated:[2017-11-01
... now-1M]
Show vulnerabilities updated stating 2 weeks ago, ending 1 second ago
vulnerabilities.vulnerability.updated:[now-2w
... now-1s]
Show vulnerabilities updated on certain date
vulnerabilities.vulnerability.updated:'2018-03-08'
Use these tokens to define search criteria for assets.
Example
Show assets with the username Administrator
accounts.username:Administrator
Examples
Show assets activated for VM
activatedForModules:VM
Show assets activated for VM and FIM
activatedForModules:VM AND activatedForModules:FIM
Example
Show assets with agents activated using key-value
agent.activations.key:key-value
Example
Show assets with active agents
agent.activations.status:ACTIVE
Example
Show the asset with this agent ID
agent.agentID:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Examples
Show this assets tracked by IP
trackingMethod: IP
Show asset tracked by NETBIOS
trackingMethod: NETBIOS
Example
Show findings with agent version 1.5.6.46
agent.version:1.5.6.46
Examples
Show this asset ID
assetId: 2918869
Show asset IDs in this range
assetId: [3546997 .. 12945655]
Show the 2 asset IDs listed
assetId: [3546997,12945655]
Examples
Show any findings related to profile name
agent.configurationProfile:Initial Profile
Show any findings that contain parts of profile name
agent.configurationProfile:"Initial Profile"
Show any findings that match exact value "Initial Profile"
agent.configurationProfile:`Initial Profile`
Example
Show findings for an external IP address that an agent connected from
agent.connectedFrom:10.0.100.11
Example
Show findings detected by connector myec2
connectors.connector.name:myec2
Example
Show findings for connectors that were first discovered within certain dates
connectors.firstDiscovered:[2015-10-21 ... 2016-01-15]
Show findings for connectors that were first discovered starting 2017-01-01, ending 1 month ago
connectors.firstDiscovered:[2017-01-01 ... now-1M]
Show findings for connectors that were first discovered starting 2 weeks ago, ending 1 second ago
connectors.firstDiscovered:[now-2w ... now-1s]
Show findings for connectors that were first discovered on certain date
connectors.firstDiscovered:'2018-01-15'
Show findings for connectors that were first discovered before a certain date
connectors.firstDiscovered <'2018-01-15'
Show findings for connectors that were first discovered after a certain date
connectors.firstDiscovered >'2018-01-15'
Example
Show findings for connectors last discovered within certain dates
connectors.lastDiscovered:[2015-10-21 ... 2016-01-15]
Show findings for connectors last discovered starting 2017-01-01, ending 1 month ago
connectors.lastDiscovered:[2017-01-01 ... now-1M]
Show findings for connectors last discovered starting 2 weeks ago, ending 1 second ago
connectors.lastDiscovered:[now-2w ... now-1s]
Show findings for connectors last discovered on certain date
connectors.lastDiscovered:'2018-01-15'
Show findings for connectors last discovered before a certain date
connectors.lastDiscovered <'2018-01-15'
Show findings for connectors last discovered after a certain date
connectors.lastDiscovered >'2018-01-15'
Example
Show assets that have 2 CPUs
cpuCount:2
Examples
Show assets created within certain dates
created:[2016-01-01 ... 2016-01-10]
Show assets created starting 2017-10-01, ending 1 month ago
created:[2017-10-01 ... now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
created:[now-2w ... now-1s]
Show assets created on specific date
created:'2018-01-08'
Examples
Show assets with criticality score 5
criticalityScore:5
Show assets with criticality score 2
criticalityScore:2
Example
Show findings with this Docker version
docker.dockerVersion:17.3
Example
Show findings with 2 Docker containers
docker.noOfContainers:2
Example
Show findings with 5 Docker images
docker.noOfImages:5
Examples
Show docker hosts
isDockerHost:true
Do not show docker hosts
isDockerHost:false
Examples
Show the asset with IPv4 address
interfaces.address:10.10.100.20
Show the asset with IPv6 address (enclose value in single quotes)
interfaces.address:'fe80:0:0:0:2501:b53c:4139:404b'
Example
Show the asset with DNS address 10.0.100.11
interfaces.dnsAddress:10.0.100.11
Example
Show assets with this default gateway address
interfaces.gatewayAddress:10.11.65.1
Examples
Show any findings related to name
interfaces.hostname:xpsp2-jp-26-111
Show any findings that contain parts of name
interfaces.hostname:"xpsp2-jp-26-111"
Show any findings that match exact value "xpsp2-jp-26-111"
interfaces.hostname:`xpsp2-jp-26-111`
Show any findings related to name (we'll match super domains)
interfaces.hostname:qcentos71sqp3.rdlab.acme.com
Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`
Example
Show the asset with name PRO/1000
interfaces.interfaceName:PRO/1000
Example
Show the asset with this MAC address
interfaces.macAddress:"00-50-56-A9-73-5A"
Examples
Show findings with last check in within a specific date range.
agent.lastCheckedIn:[2020-01-01 ... 2020-01-10]
Show findings with last check in starting 2019-11-01, ending 1 month ago.
agent.lastCheckedIn:[2019-11-01 ... now-1M]
Show findings with last check in starting 2 weeks ago, ending 1 second ago
agent.lastCheckedIn:[now-2w ... now-1s]
Show findings with last check in on a specific date
agent.lastCheckedIn:'2020-02-11'
Show findings with last check in before (older than) last 30 days.
agent.lastCheckedIn<now-30d
Note: We recommend not to use the NOT operator in your range search to form a query like NOT lastCheckedIn:[now-30d...now-2s]. See 'QQL Best Practices' topic in the Unified Dashboard online Help.
Show findings with last check in within last 30 days excluding day 30
agent.lastCheckedIn>now-30d
Show findings with last check in within last 30 days including day 30
agent.lastCheckedIn>=now-30d
Show findings with last check in which is older than last 30 days excluding day 30
agent.lastCheckedIn<now-30d
Show findings with last check in which is older than last 30 days including day 30
agent.lastCheckedIn<=now-30d
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDate: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDate: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDate: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDate:'2017-04-10'
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateScanner: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateScanner: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDateScanner:'2017-04-10'
Examples
Show findings with last vulnerability scan within certain dates
lastVmScanDateAgent: [2017-01-01 ... 2017-02-10]
Show findings with last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateAgent: [2016-11-01 ... now-1M]
Show findings with last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateAgent: [now-2w ... now-1s]
Show findings with last vulnerability scan on specific date
lastVmScanDateAgent:'2017-04-10'
Examples
Show findings with last compliance scan within certain dates
lastPCScanDateAgent: [2017-01-01 ... 2017-02-10]
Show findings with last compliance scan starting 2016-11-01, ending 1 month ago
lastPCScanDateAgent: [2016-11-01 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastPCScanDateAgent: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
lastPCScanDateAgent:'2017-04-10'
Examples
Show findings with last compliance scan within certain dates
lastPCScanDateScanner: [2017-01-01 ... 2017-02-10]
Show findings with last compliance scan starting 2016-11-01, ending 1 month ago
lastPCScanDateScanner: [2016-11-01 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastPCScanDateScanner: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
lastPCScanDateScanner:'2017-04-10'
Examples
Show findings with last compliance scan within certain dates
lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
lastComplianceScanDate: [2016-10-15 ... now-1M]
Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastComplianceScanDate: [now-2w ... now-1s]
Show findings with last compliance scan on specific date
lastComplianceScanDate:'2017-02-18'
Examples
Show findings with last full scan within certain dates
lastFullScan:[2018-01-01 ... 2018-01-10]
Show findings with last full scan starting 2017-11-01, ending 1 month ago
lastFullScan:[2017-11-01 ... now-1M]
Show findings with last full scan starting 2 weeks ago, ending 1 second ago
lastFullScan:[now-2w ... now-1s]
Show findings with last full scan on a specific date
lastFullScan:'2018-02-08'
Examples
Show findings with last inventory scan within certain dates
agent.lastInventory:[2018-01-12 ... 2018-01-20]
Show findings with last inventory scan starting 2018-01-01, ending 1 month ago
agent.lastInventory:[2018-01-01 ... now-1M]
Show findings with last inventory scan starting 3 weeks ago, ending 1 second ago
agent.lastInventory:[now-3w ... now-1s]
Show findings with last inventory scan on specific date
agent.lastInventory:'2018-02-10'
Examples
Show assets with last logon by user asmith
lastLoggedOnUser:asmith
Examples
Show findings with last activity within certain dates
agent.lastActivity: [2016-01-01 ... 2016-01-10]
Show findings with last activity starting 2015-10-01, ending 1 month ago
agent.lastActivity: [2015-10-01 ... now-1M]
Show findings with last activity starting 2 weeks ago, ending 1 second ago
agent.lastActivity: [now-2w ... now-1s]
Show findings with last activity on a specific date
agent.lastActivity:'2015-12-01'
Examples
Show any findings related to name
name:QK2K12QP3-65-53
Show any findings that contain parts of name
name:"QK2K12QP3-65-53"
Show any findings that match exact value "QK2K12QP3-65-53"
name:`QK2K12QP3-65-53`
Examples
Show assets with this exact name (case sensitive)
netbiosName: EC2AMAZ-19OC2IT
Show assets with name starting with "EC2" (case sensitive)
netbiosName: EC2*
Show assets with name ending with "c2it" (case insensitive)
netbiosName: *c2it
Example
Show assets on Windows platform
platform:Windows
Examples
Show assets synced from Amazon AWS
provider: AWS
Examples
Show any findings with this description
openPorts.description:Windows Remote Desktop
Show any findings that contain parts of description
openPorts.description:"Windows Remote Desktop"
Show any findings that match exact value "Windows Remote Desktop"
openPorts.description:`Windows Remote Desktop`
Examples
Show any findings with this service name
openPorts.detectedService:win_remote_desktop
Show any findings that contain parts of name
openPorts.detectedService:"win_remote_desktop"
Show any findings that match exact value "win_remote_desktop"
openPorts.detectedService:`win_remote_desktop`
Examples
Show findings with open ports first found within certain dates
openPorts.firstFound:[2017-06-15 ... 2017-06-30]
Show findings with open ports first found starting 2017-06-22, ending 1 month ago
openPorts.firstFound: [2017-06-22 ... now-1M]
Show findings with open ports first found starting 2 weeks ago, ending 1 second ago
openPorts.firstFound:[now-2w ... now-1s]
Show findings with open ports first found on specific date
openPorts.firstFound:'2017-06-14'
Examples
Show findings with open ports last updated within certain dates
openPorts.lastUpdated:[2017-06-15 ... 2017-06-30]
Show findings with open ports last updated starting 2017-06-22, ending 1 month ago
openPorts.lastUpdated:[2017-06-22 ... now-1M]
Show findings with open ports last updated starting 2 weeks ago, ending 1 second ago
openPorts.lastUpdated:[now-2w ... now-1s]
Show findings with open ports last updated on specific date
openPorts.lastUpdated:'2018-01-14'
Example
Show assets with open port 80
openPorts.port:80
Examples
Show findings found on TCP
openPorts.protocol:TCP
Show findings found on port 80 and TCP
openPorts:(port:80 AND protocol:TCP)
Examples
Show any findings with this OS name
operatingSystem:Windows 2012
how any findings that contain components of OS name
operatingSystem:"Windows 2012"
Show any findings that match exact value "Windows 2012"
operatingSystem:`Windows 2012`
Examples
Show assets pending activation for VM
pendingActivationForModules:VM
Show assets pending activation for VM and FIM
pendingActivationForModules:VM AND pendingActivationForModules:FIM
Examples
Show any findings with this description
processors.description:intel
Show any findings that contain parts of description
processors.description:"intel"
Show any findings that match exact value "intel"
processors.description:`intel`
Example
Show findings with QID 90405
QID: 90405
Note: The QID token shows all assets that have the specific QID. The exclude vulnerabilities filters are not applicable for the QID token.
Example
Show assets with this Qualys Correlation ID
qualysCorrelationID: 0f1b031712682e27cca306e4a2a9e3144696ac099b08fcdf76ccb6f3647ec058
Show assets without any Qualys Correlation ID
qualysCorrelationID: UNIDENTIFIED
Show assets all assets with Qualys Correlation ID
qualysCorrelationID: *
Examples
Show assets with risk score 60
riskScore:60
Show assets with risk score 25
riskScore:25
Example
Show assets with this processor speed
processors.speed:1995
Examples
Show any findings with this description
services.description:Windows Event Log
Show any findings that contain parts of description
services.description:"Windows Event Log"
Show any findings that match exact value "Windows Event Log"
services.description:`Windows Event Log`
Examples
Show any findings with this name
services.name:eventlog
Show any findings that contain parts of name
services.name:"eventlog"
Show any findings that match exact value "eventlog"
services.name:`eventlog`
Examples
Show any findings with this status
services.status:running
Show any findings that contain parts of name
services.status:"running"
Show any findings that match exact value "running"
services.status:`running`
Examples
Show assets with software first found within certain dates
software.firstFound:[2017-10-15 ... 2017-10-30]
Show assets with software first found starting 2017-06-22, ending 1 month ago
software.firstFound:[2017-06-22 ... now-1M]
Show assets with software first found starting 2 weeks ago, ending 1 second ago
software.firstFound:[now-2w ... now-1s]
Show assets with software first found on specific date
software.firstFound:'2017-08-14'
Examples
Show assets with software last updated within certain dates
software.lastUpdated:[2018-01-15 ... 2018-03-12]
Show assets with software last updated starting 2018-01-22, ending 1 month ago
software.lastUpdated:[2018-01-22 ... now-1M]
Show assets with software last updated starting 2 weeks ago, ending 1 second ago
software.lastUpdated:[now-2w ... now-1s]
Show assets with software last updated on specific date
software.lastUpdated:'2018-02-16'
Examples
Show assets with software installed within certain dates
software.installedDate:[2018-01-15 ... 2018-03-12]
Show assets with software installed starting 2018-01-22, ending 1 month ago
software.installedDate:[2018-01-22 ... now-1M]
Show assets with software installed starting 2 weeks ago, ending 1 second ago
software.installedDate:[now-2w ... now-1s]
Show assets with software installed on specific date
software.installedDate:'2018-02-16'
Examples
Show any findings with this name
software.name:VMware Tools
Show any findings that contain parts of name
software.name:"VMware Tools"
Show any findings that match exact value "VMware Tools"
software.name:`VMware Tools`
Find assets with certain tag and software installed
tags.name:`Cloud Agent` AND software:(name:`Cisco
AnyConnect Secure Mobility Client` AND version:`3.1.12345`)
Example
Show findings with this version
software.version: 8.6.10
Find assets with certain tag and software installed
tags.name:`Cloud Agent` AND software:
(name:`Cisco AnyConnect Secure Mobility Client`
AND version:`3.1.12345`)
Examples
Show any findings with this description
system.biosDescription: Phoenix Technologies
Show any findings that contain parts of name
system.biosDescription: "Phoenix Technologies"
Show any findings that match exact value "Phoenix Technologies"
system.biosDescription: `Phoenix Technologies`
Examples
Show assets last booted within certain dates
system.lastBoot:[2018-01-11 ... 2018-01-23]
Show assets last booted starting 2017-10-01, ending 1 month ago
system.lastBoot:[2017-10-01 ... now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
system.lastBoot:[now-2w ... now-1s]
Show assets last booted on a specific date
system.lastBoot:'2018-03-08'
Examples
Show any findings with this name
system.manufacturer:dell
Show any findings that contain parts of name
system.manufacturer:"dell"
Show any findings that match exact value "dell"
system.manufacturer:`dell`
Examples
Show any findings with this name
system.model: optiplex
Show any findings that contain parts of name
system.manufacturer: "optiplex"
Show any findings that match exact value "optiplex"
system.manufacturer: `optiplex`
Example
Show assets with this timezone
system.timezone:-08:00
Example
Show assets with this total system memory
system.totalMemory:1024
Example
Show tags names with critical business impact
tags.businessImpact:Critical
Examples
Show any findings related to this tag name
tags.name:Cloud Agent
Show any findings that contain "Cloud" or "Agent" in name
tags.name:"Cloud Agent"
Show any findings that match exact value "Cloud Agent"
tags.name:`Cloud Agent`
Examples
Show assets updated within certain dates
updated:[2017-12-01 ... 2018-01-10]
Show assets updated starting 2017-10-01, ending 3 months ago
updated:[2017-10-01 ... now-3M]
Show assets updated starting 2 weeks ago, ending 1 second ago
updated:[now-2w ... now-1s]
Show assets updated on a specific date
updated:'2018-03-10'
Example
Show assets with this free volume space
volumes.free:448312320
Example
Show assets with this volume name
volumes.name:/boot
Example
Show assets with this volume size
volumes.size:481529856
Example
Show all findings that have vulnerabilities
vulnerabilities:*
Use search tokens to refine your search for assets based on different asset properties.
Examples
Show any findings that contain parts of value
hardware.category:"Computer/Server"
Show any findings that match exact value
hardware.category:`Computer/Server`
Example
Show any findings that match exact value
hardware.category1:`Computer`
Example
Show any findings that match exact value
hardware.category2:`Server`
Examples
Show findings with hardware GA date in this date range
hardware.lifecycle.ga:[2019-01-01 ... 2019-01-15]
Show findings with hardware GA date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.ga:[2019-01-15 ... now-1M]
Show findings with hardware GA date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.ga:[now-2w ... now-1s]
Show findings with this hardware GA date
hardware.lifecycle.ga:'2019-03-18'
Examples
Show findings with hardware introduction date in this date range
hardware.lifecycle.intro:[2019-01-01 ... 2019-01-15]
Show findings with hardware introduction date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.intro:[2019-01-15 ... now-1M]
Show findings with hardware introduction date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.intro:[now-2w ... now-1s]
Show findings with this hardware introduction date
hardware.lifecycle.intro:'2019-03-18'
Examples
Show findings with hardware End-of-Sale date in this date range
hardware.lifecycle.eos:[2019-01-01 ... 2019-01-15]
Show findings with hardware End-of-Sale date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.eos:[2019-01-15 ... now-1M]
Show findings with hardware End-of-Sale date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.eos:[now-2w ... now-1s]
Show findings with this hardware End-of-Sale date
hardware.lifecycle.eos:'2019-03-18'
Examples
Show findings with hardware obsolete date in this date range
hardware.lifecycle.obs:[2019-01-01 ... 2019-01-15]
Show findings with hardware obsolete date starting 2019-01-15, ending 1 month ago
hardware.lifecycle.obs:[2019-01-15 ... now-1M]
Show findings with hardware obsolete date starting 2 weeks ago, ending 1 second ago
hardware.lifecycle.obs:[now-2w ... now-1s]
Show findings with this hardware obsolete date
hardware.lifecycle.obs:'2019-03-18'
Example
Show End-of-Sale hardware
hardware.lifecycle.stage:"EOS"
Example
Show any findings that match exact value "Dell"
hardware.manufacturer:`Dell`
Example
Show any findings that match exact value "e7470"
hardware.model:`De7470`
Example
Show any findings that match exact value "Latitude"
hardware.product:`Latitude`
Example
Show any findings that match exact value
operatingSystem.architecture:`64-Bit`
Example
Show any findings that match exact value
operatingSystem.category:`Windows`
Example
Show any findings that match exact value
operatingSystem.category1:`Windows`
Example
Show any findings that match exact value
operatingSystem.category2:`Client`
Example
Show any findings that match exact value
operatingSystem.edition:`Enterprise`
Examples
Show findings with OS GA date in this date range
operatingSystem.lifecycle.ga:[2019-01-01 ... 2019-01-15]
Show findings with OS GA date starting 2019-01-15, ending 1 month ago
operatingSystem.lifecycle.ga:[2019-01-15 ... now-1M]
Show findings with OS GA date starting 2 weeks ago, ending 1 second ago
operatingSystem.lifecycle.ga:[now-2w ... now-1s]
Show findings with this OS GA date
operatingSystem.lifecycle.ga:'2019-03-18'
Examples
Show findings with operating system End-of-Life date in this date range
operatingSystem.lifecycle.eol:[2019-01-01 ...
2019-01-15]
Show findings with operating system End-of-Life date starting 2019-01-15, ending 1 month ago
operatingSystem.lifecycle.eol:[2019-01-15 ...
now-1M]
Show findings with operating system End-of-Life date starting 2 weeks ago, ending 1 second ago
operatingSystem.lifecycle.eol:[now-2w ... now-1s]
Show findings with this operating system End-of-Life date
operatingSystem.lifecycle.eol:'2019-03-18'
Examples
Show findings with operating system End-of-Support date in this date range
operatingSystem.lifecycle.eos:[2019-01-01 ...
2019-01-15]
Show findings with operating system End-of-Support date starting 2019-01-15, ending 1 month ago
operatingSystem.lifecycle.eos:[2019-01-15 ...
now-1M]
Show findings with operating system End-of-Support date starting 2 weeks ago, ending 1 second ago
operatingSystem.lifecycle.eos:[now-2w ... now-1s]
Show findings with this operating system End-of-Support date
operatingSystem.lifecycle.eos:'2019-03-18'
operatingSystem.lifecycle.stage
Examples
Show findings having this OS lifecycle stage
operatingSystem.lifecycle.stage:eol
Show findings with OS category Windows and OS lifecycle stage "active"
operatingSystem:(category:Windows AND
lifecycle.stage:eol)
Example
Show any findings that match exact value
operatingSystem.marketVersion:`7`
Example
Show any findings that match exact value
operatingSystem.osId:`96426`
Example
Show any findings that match exact value
operatingSystem.name:`Windows 10`
Example
Show findings with this exact software publisher
operatingSystem.publisher:`Microsoft`
Example
Show findings with this exact OS update version
operatingSystem.update:`SP2`
Example
Show findings with this exact OS version
operatingSystem.version:`16.1`
Example
Show any findings that match exact value
software:(architecture:`64-Bit`)
Example
Show any findings that match exact value
software:(category:`Productivity > Productivity
Suites`)
Example
Show any findings that match exact value
software:(category1:`Productivity`)
Example
Show any findings that match exact value
software:(category2:`Productivity Suites`)
Example
Show any findings that match exact value
software:(edition:`Professional`)
Examples
Show findings with software GA date in this date range
software:(lifecycle.ga:[2019-01-01 ... 2019-01-15])
Show findings with woftware GA date starting 2019-01-15, ending 1 month ago
software:(lifecycle.ga:[2019-01-15 ... now-1M])
Show findings with software GA date starting 2 weeks ago, ending 1 second ago
software:(lifecycle.ga:[now-2w ... now-1s])
Show findings with this software GA date
software:(lifecycle.ga:'2019-03-18')
Examples
Show findings with software End-of-Life date in this date range
software.lifecycle.eol:[2019-01-01 ... 2019-01-15]
Show findings with software End-of-Life date starting 2019-01-15, ending 1 month ago
software.lifecycle.eol:[2019-01-15 ... now-1M]
Show findings with software End-of-Life date starting 2 weeks ago, ending 1 second ago
software.lifecycle.eol:[now-2w ... now-1s]
Show findings with this software End-of-Life date
software.lifecycle.eol:'2019-03-18'
Examples
Show findings with software End-of-Support date in this date range
software.lifecycle.eos:[2019-01-01 ... 2019-01-15]
Show findings with software End-of-Support date starting 2019-01-15, ending 1 month ago
software.lifecycle.eos:[2019-01-15 ... now-1M]
Show findings with software End-of-Support date starting 2 weeks ago, ending 1 second ago
software.lifecycle.eos:[now-2w ... now-1s]
Show findings with this software End-of-Support date
software.lifecycle.eos:'2019-03-18'
Examples
Show findings having this software lifecycle stage
software:(lifecycle.stage:eol)
Show findings having software category Windows and software lifecycle stage "active"
software:(category:Windows AND lifecycle.stage:eol)
Example
Show any findings that match exact value
software:(license.category:`Open Source`)
Example
Show any findings that match exact value
software:(marketVersion:`7`)
Example
Show findings with this exact product name
software:(product:`Office`)
Example
Show findings with this exact software publisher
software:(publisher:`Microsoft`)
Example
Show findings having this software type
software:(type:`Installer Package`)
Example
Show findings with this exact software update version
software:(update:`16.0.1.2`)
Example
Show findings with this exact software version
software:(majorVersion:1.19.0.0)
Example
Show any findings that match exact value
software:(license.subCategory:Apache 2.0)
Use these tokens for searching Real-Time Threat Indicator (RTI) related vulnerabilities.
vulnerabilities.vulnerability.threatIntel.activeAttacks
Examples
Show assets with threats due to active attacks
vulnerabilities.vulnerability.threatIntel.activeAttacks:
true
Show assets that don't have threats due to active attacks
vulnerabilities.vulnerability.threatIntel.activeAttacks:
false
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns
Examples
Show assets with threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:
true
Show assets that don't have threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:
false
vulnerabilities.vulnerability.threatIntel.denialOfService
Examples
Show assets with threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService:
true
Show assets that don't have threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService:
false
vulnerabilities.vulnerability.threatIntel.easyExploit
Examples
Show assets with threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit:
true
Show assets that don't have threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit:
false
vulnerabilities.vulnerability.threatIntel.exploitKit
Examples
Show assets with threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit:
true
Show assets that don't have threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit:
false
vulnerabilities.vulnerability.threatIntel.exploitKitName
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.exploitKitName:
Angler
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.exploitKitName:
`Angler`
vulnerabilities.vulnerability.threatIntel.highDataLoss
Examples
Show assets with threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss:
true
Show assets that don't have threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss:
false
vulnerabilities.vulnerability.threatIntel.highLateralMovement
Examples
Show assets with threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement:
true
Show assets that don't have threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement:
false
vulnerabilities.vulnerability.threatIntel.malware
Examples
Show assets with threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: true
Show assets that don't have threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: false
vulnerabilities.vulnerability.threatIntel.malwareName
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.malwareName:
TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.malwareName:
`TROJ_PDFKA.DQ`
vulnerabilities.vulnerability.threatIntel.noPatch
Examples
Show assets with threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: true
Show assets that don't have threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: false
vulnerabilities.vulnerability.threatIntel.publicExploit
Example
Show assets with threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit:
true
Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit:
false
vulnerabilities.vulnerability.threatIntel.publicExploitName
Examples
Show any findings with this name
vulnerabilities.vulnerability.threatIntel.publicExploitName:
RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
vulnerabilities.vulnerability.threatIntel.publicExploitName:
"RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.publicExploitName:
`RealVNC NULL Authentication Mode Bypass`
vulnerabilities.vulnerability.threatIntel.zeroDay
Examples
Show assets with threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: true
Show assets that don't have threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: false
vulnerabilities.vulnerability.threatIntel.wormable
Examples
Show assets with wormable threats
vulnerabilities.vulnerability.threatIntel.wormable: "true"
vulnerabilities.vulnerability.threatIntel.predictedHighRisk
Examples
Show assets with predicted high risk threat
vulnerabilities.vulnerability.threatIntel.predictedHighRisk:
"true"
vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation
Examples
Show assets with unauthenticated exploitation threat
vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation:
"true"
vulnerabilities.vulnerability.threatIntel.remoteCodeExecution
Examples
Show assets with remote code execution threat
vulnerabilities.vulnerability.threatIntel.remoteCodeExecution:
"true"
vulnerabilities.vulnerability.threatIntel.ransomware
Examples
Show assets with ransomeware threat
vulnerabilities.vulnerability.threatIntel.ransomware:
"true"
vulnerabilities.vulnerability.threatIntel.privilegeEscalation
Examples
Show assets with privilege escalation threat
vulnerabilities.vulnerability.threatIntel.privilegeEscalation:
"true"
vulnerabilities.vulnerability.threatIntel.solorigateSunburst
Examples
Show assets with Solorigate/Sunburst threat
vulnerabilities.vulnerability.threatIntel.solorigateSunburst:
"true"
Use the and/or tokens combined with these tokens for searching a threat feed.
Examples
Find categories that match any CVE.
categories: CVE:2020-8591
Examples
Find content that match a product.
contents: Google
Examples
Find threat feeds that match a publish date.
publishDate: [2020-10-21 ... 2021-01-15]
Use these tokens when searching your AWS EC2 assets on the Assets list.
- Your results may return Terminated instances. It's recommended you include aws.ec2instanceState in your query to reduce the number of results.
- The syntax is different when writing queries for tag rules than when searching assets in the Assets list. Be sure to follow the syntax tips in the drop-down when writing your query.
Example
Find EC2 instances in that match this account ID
aws.ec2.accountId: 123456789012
Find EC2 instances with account ID starting "12345"
aws.ec2.accountId: 12345*
Find EC2 instances where account ID is null (remove the colon)
aws.ec2.accountId is null
Example
Find EC2 instances in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
Examples
Show findings with a cloud agent
aws.ec2.hasAgent: true
Show findings without a cloud agent
aws.ec2.hasAgent: false
Examples
Find instances related to name
aws.ec2.hostname: abc.qualys.com
Find instances that match exact value
aws.ec2.hostname: `abc.qualys.com`
Examples
Find instances related to the Image ID
aws.ec2.imageId: ami-2ea83347
Find instances that match exact value
aws.ec2.imageId: `ami-2ea83347`
Example
Find EC2 instances with this ID
aws.ec2.instanceId: i-1234567890abcdef0
Example
Find running EC2 instances
aws.ec2.instanceState: RUNNING
Example
Find EC2 instances with instance type t2.micro
aws.ec2.instanceType: t2.micro
Examples
Show findings where assets are scanners
aws.ec2.isQualysScanner: true
Show findings where assets are not scanners
aws.ec2.isQualysScanner: false
Example
Find EC2 instances with this kernel ID
aws.ec2.kernelId: aki-70ab0c10
Examples
Find EC2 instances launched within certain dates
aws.ec2.launchDate: [2017-06-15 ... 2017-06-30]
Find EC2 instances launched on specific date
aws.ec2.launchDate:'2017-08-15'
Example
Find the EC2 instance with this private DNS address
aws.ec2.privateDNS: ip-10-90-2-85.ec2.internal
Examples
Find EC2 instances with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
Find EC2 instances within this IP range
aws.ec2.privateIpAddress: [10.1.78.23 ... 10.100.78.235]
Example
Find the EC2 instance with this public DNS address
aws.ec2.publicDNS: ec2-52-70-141-154.compute-1.amazonaws.com
Examples
Find EC2 instances with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
Find EC2 instances within this IP range
aws.ec2.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
Example
Find EC2 instances in the us-east-1 region
aws.ec2.region.code: us-east-1
Example
Find EC2 instances in the US East (N. Virginia) region
aws.ec2.region.name: US East (N. Virginia)
Examples
Show EC2 Spot instances
aws.ec2.spotInstance: "true"
Show EC2 instances that are not Spot instances
aws.ec2.spotInstance: "false"
Example
Find EC2 instances with this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
Example
Find EC2 instances with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
Example
Find EC2 instances with an AWS tag with key "abc" and value "xyz"
aws.tags: (key:abc and value:xyz)
Examples
Find EC2 instances with key "devops"
aws.tags.key: devops
Find EC2 instances with key starting "dev"
aws.tags.key: dev*
Find EC2 instances with key ending "ops"
aws.tags.key: *ops
Examples
Find EC2 instances with tag value "dailybuild"
aws.tags.value: dailybuild
Find EC2 instances with tag value starting "daily"
aws.tags.value: daily*
Find EC2 instances with tag value ending "build"
aws.tags.value: *build
Use these tokens when searching Microsoft Azure assets on the Assets list.
Example
Find Azure instances with a tag with name "abc" and value "xyz"
azure.tags: (name:abc and value:xyz)
Examples
Find Azure instances with name "devops"
azure.tags.name: devops
Find Azure instances with name starting "dev"
azure.tags.name: dev*
Find Azure instances with name ending "ops"
azure.tags.name: *ops
Examples
Find Azure instances with tag value "dailybuild"
azure.tags.value: dailybuild
Find Azure instances with tag value starting "daily"
azure.tags.value: daily*
Find Azure instances with tag value ending "build"
azure.tags.value: *build
Examples
Find Azure instances with agents
azure.vm.hasAgent `true`
Examples
Find Azure instances related to name
azure.vm.imageOffer: UbuntuServer
Find Azure instances that match exact value
azure.vm.imageOffer: `UbuntuServer`
Examples
Find Azure instances related to name
azure.vm.imagePublisher: Canonical
Find Azure instances that match exact value
azure.vm.imagePublisher: `Canonical`
Example
Find Azure instances with this sku version
azure.vm.imageVersion: 16.04.201708030
Example
Find Azure instances in this location
azure.vm.location: westus
Example
Find Azure instances with this MAC address
azure.vm.macAddress: '000D3A36DDED'
Examples
Find Azure instances related to name
azure.vm.name: avset2
Find Azure instances that match exact value
azure.vm.name: `avset2`
Example
Find Azure instances on Windows platform
azure.vm.platform: Windows
Examples
Find Azure instances with this private IP
azure.vm.privateIpAddress: 10.1.2.5
Find Azure instances within this IP range
azure.vm.privateIpAddress: [10.1.2.5 ... 10.1.2.33]
Examples
Find Azure instances with this public IP
azure.vm.publicIpAddress: 13.126.125.189
Find Azure instances within this IP range
azure.vm.publicIpAddress: [13.126.125.180 ...
13.126.125.255]
Examples
Find Azure instances related to name
azure.vm.resourceGroupName: my-eastus-rg
Find Azure instances that match exact value
azure.vm.resourceGroupName: `my-eastus-rg`
Example
Find Azure instances with this size
azure.vm.size: Standard_D1
Example
Find running Azure instances
azure.vm.state: RUNNING
Example
Find Azure instances with this subnet
azure.vm.subnet: 10.1.2.0
Example
Find Azure instances with this subscription ID
azure.vm.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Example
Find Azure virtual network with this ID
azure.vm.virtualNetwork: mburton01-vnet
Example
Find Azure instances with this ID
azure.vm.vmId: 13f56399-bd52-4150-9748-7190aae1ff21
Use these tokens when searching Google Cloud Platform assets on the Assets list.
Examples
Find GCP instances related to name
gcp.compute.hostname: instance-5.c.qvsa-dev.internal
Find GCP instances that match exact value
gcp.compute.hostname: `instance-5.c.qvsa-dev.internal`
Example
Find GCP instances with this ID
gcp.compute.instanceId: 4392196237934605253
Example
Find GCP instances with this MAC address
gcp.compute.macAddress: '000D3A36DDED'
Examples
Find GCP instances related to name
gcp.compute.machineType: n1-standard-1
Find GCP instances that match exact value
gcp.compute.machineType: `n1-standard-1`
Example
Find GCP instances with this network
gcp.compute.network: 000D3A36DDED
Examples
Find GCP instances with this private IP
gcp.compute.privateIpAddress: 10.240.0.7
Find GCP instances with this private IP range
gcp.compute.privateIpAddress: [10.240.0.7 ...
10.240.0.30]
Examples
Find GCP instances related to ID
gcp.compute.projectId: qvsa-dev
Find GCP instances that match exact value
gcp.compute.projectId: `qvsa-dev`
Examples
Find GCP instances related to this number
gcp.compute.projectNumber: 1035365309337
Find GCP instances that match exact value
gcp.compute.projectNumber: `1035365309337`
Examples
Find GCP instances with this public IP
gcp.compute.publicIpAddress: 104.196.57.216
Find GCP instances within this IP range
gcp.compute.publicIpAddress: [104.196.57.216 ...
104.196.57.218]
Examples
Find GCP instances related to name
gcp.compute.zone: us-east1-d
Find GCP instances that match exact value
gcp.compute.zone: `us-east1-d`
Examples
Find running GCP instances
gcp.compute.state: RUNNING
Use these token when searching IBM assets on the Assets list.
Examples
Find running IBM instances with tag name
ibm.tags.name: Test1
Examples
Find running IBM instances with tag value
ibm.tags.value: centos7
Examples
Find IBM virtual server with this ID
ibm.virtualServer.id: 123741814
Examples
Find IBM virtual server with this location
ibm.virtualServer.location: dall3
ibm.virtualServer.datacenterId
Examples
Find IBM virtual server datacenter with this Id
ibm.virtualServer.datacenterId: 1854895
Examples
Find IBM virtual server with this device name
ibm.virtualServer.deviceName: virtualserver01.Qualys-Inc.cloud
ibm.virtualServer.publicIpAddress
Examples
Find IBM virtual server with this public IP address
ibm.virtualServer.publicIpAddress: 150.238.75.107
ibm.virtualServer.privateIpAddress
Examples
Find IBM virtual server with this private IP address
ibm.virtualServer.privateIpAddress: 10.187.94.40
Examples
Find IBM virtual server with this public vlan
ibm.virtualServer.publicVlan: 1796
Examples
Find IBM virtual server with this private vlan
ibm.virtualServer.privateVlan: 2236
Examples
Find IBM virtual server with this domain
ibm.virtualServer.domain: Qualys-Inc.cloud
Use these tokens when searching assets detected by passive scanning.
Example
Show the asset with this FQDN
asset.fqdn:ACMENVT7.acme.com
Example
Show this hardware typing confidence
hardware.typingConfidence:HIGH
Example
Show this scanner appliance ID
inventory.scannerID:345678892
Examples
Show assets with scanner name as ITCorp-appliance
inventory.scannerName:ITCorp-appliance
Examples
Show open ports found within certain dates
openPorts.lastFound: [2019-01-01 ... 2019-01-15]
Show open ports found starting 2019-01-15, ending 3 months ago
openPorts.lastFound: [2019-01-15 ... now-3M]
Show open ports found starting 2 weeks ago, ending 1 second ago
openPorts.lastFound: [now-2w ... now-1s]
Show open ports found on a specific date
openPorts.lastFound:'2019-03-18'
Examples
Show ports updated within certain dates
openPort.lastUpdated: [2019-01-01 ... 2019-01-15]
Show ports updated starting 2019-01-15, ending 3 months ago
openPort.lastUpdated: [2019-01-15 ... now-3M]
Show ports updated starting 2 weeks ago, ending 1 second ago
openPort.lastUpdated: [now-2w ... now-1s]
Show ports updated on a specific date
openPort.lastUpdated:'2019-03-18'
operatingSystem.typingConfidence
Example
Show this OS typing confidence
operatingSystem.typingConfidence:MEDIUM
Examples
Show assets with traffic timestamp 2019-03-18
traffic.timestamp:'2019-03-18'
Show assets with traffic timestamp within certain dates
traffic.timestamp:[2019-01-01 ... 2019-01-15]
Show assets with traffic timestamp starting 2019-01-15, ending 1 month ago
traffic.timestamp:[2019-01-15 ... now-1M]
Show assets with traffic timestamp starting 2 weeks ago, ending 1 second ago
traffic.timestamp:[now-2w ... now-1s]
Example
Show assets with 100 MB total traffic
traffic.total:100
Example
Show assets with 60 MB ingress traffic
traffic.ingress:60
Example
Show assets with 40 MB egress traffic
traffic.egress:40
Example
Show assets with traffic over TCP
traffic.protocol:tcp
Example
Show assets with traffic over port 80
traffic.port:80
Example
Show assets with client traffic
traffic.type:client
Example
Show assets with peer to peer traffic
traffic.family:Peer to Peer
Example
Show assets with traffic from BitTorrent
traffic.application:BitTorrent
Example
Show assets with traffic from HTTP
traffic.service:http