Home

How to Search

In this topic, let's discuss, with examples, various aspects of a QQL search. The following sections help you create QQL search queries that fetch you quicker and smarter results.

Using Tokens | Searching without Tokens | String Matching | Contains Search | Full Text Search | Suffix Matching | Prefix Matching | Boolean Operators | Multiple Values | Is Null Queries | Range Searches | Date Searches | Nested Queries

Using Tokens

Enter the token, then a colon, and then the targeted value. Nested fields are dot-separated.

Examples:

provider:aws
tag.key:department
subnet.availabilityZone:ap-southeast-2c
instance.state:terminated

There are many fields you can search within each resource type. Start by clicking on the resource type in List View. Then enter "and" followed by the field name and value.

Examples:

resource.type:"Instance" and instance.type:t2.micro
resource.type:"Subnet" and subnet.availabilityZone:ap-southeast-2c
resource.type:"VPC" and vpc.instanceTenancy:default

Searching without Token

When you enter only the targeted value without any search token, we perform the broadest possible search across the attributes of all fields in the asset index 100 field names . Keep in mind some fields are not included in the asset index, like tag name and vulnerability title, and for those, you’ll need to search by using the tokens.

How it works - A search for “win” without a token returns assets where the text string 'win' appears in the asset name, host name, operating system, software name, and so on. Enclose the value in double quotation marks to match a string.

If you want to perform prefix matching or suffix matching using the wildcard character '*', you need to search by using the search token.

Contains Search

Enclose your token value in double quotation marks to match a string. Your results include any match that contains the specified value.

Examples:

iamuser.arn:"arn:aws:iam::383031258652:user"

resource.id:"subnet"

vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"

Exact matching

For exact string matching, enclose your targeted value in the grave accent mark, also known as backtick characters (`<value>`). The result returns all the findings having the exact match with the value that you specify.

Examples:

operatingSystem: `Windows 7 Ultimate Service Pack 1`

interfaces.hostname: `xpsp2-jp-26-111`

host.sensorUid: `cbcb5ef6-1c49-3ba0-91c1-5462ffbd26af`

Full Text Search

Some fields containing strings of text (like names, descriptions) allow you to use full text search and advanced search capabilities. Full text search fields do not support exact matching.

Learn more about Full Text Search >>

Examples:

Show controls with s3 in the name (case insensitive)

control.name:s3

Show policies with "amazon" and "benchmark" in the name (in any order, case insensitive)

policy.name:"amazon benchmark"

Suffix matching

Suffix matching is supported for some search tokens in QQL. Especially when you search for assets based on asset names, tag names, NetBIOS names, you can go for suffix matching for quicker results. All you need to do is, type the wildcard character '*' followed by the string you are looking for. The search returns name values ending with the string that you specify after '*'. Matches are not case-sensitive.

Examples:

To find asset names ending with 110, form the following query:

name: *110

The query returns asset names such as bw2012-35-110 or vsweblogic12110 or stvsp2-32-110 and so on.

To find assets based on tag names ending with 'region east,' form the following query:

tags.name:*Region East

The query returns assets having tag names ending with Region East, region east, or Region EAST.

Suffix and domain matching is supported for the token interfaces.hostname but the syntax is different.

interfaces.hostname:qualys.com

interfaces.hostname:sjc01.qualys.com

interfaces.hostname:eng.sjc01.qualys.com

interfaces.hostname:*lys.com

Prefix matching

Prefix matching is supported for some search tokens in QQL. Especially when you search for assets based on asset names, tag names, NetBIOS names, you can go for prefix matching for quicker results. All you need to do is, type the string you are looking for followed by the wildcard character '*'. The search returns name values beginning with the string that you specify before '*'. Matches are case-sensitive.

Example: This query matches assets with an asset name starting with "xp" like xpsp2-jp-26-111.

name:xp*

Example: This query matches assets with tag names starting with "Win" like Windows XP, Windows 2012, Windows Hosts.

tags.name:Win*

Example: This query matches assets with a hostname starting with "com-pa30" like com-pa3020-36.eng.sjc01.qualys.com.

interfaces.hostname:com-pa30*

Example: This query matches assets with an operating system starting with "Lin" like Linux 2.4-2.6.

operatingSystem:Lin*

Boolean Operators

Use the Boolean operator AND to broaden the scope of your search. Use OR and NOT to narrow it down.

Note: For the VMDR dashboards, the NOT operator can be used only with Asset search tokens. Vulnerability search tokens do not support the NOT operator.

Examples:

region:Mumbai or region:Sydney
NOT account.id:383031258652
control.criticality:HIGH and service.type:IAM

Learn more about Boolean Queries >>

Multiple values

To match values that are in or not in the fields, you can use a colon (:), followed by a comma-separated list of values within square brackets. Do not use quotes around your values. Available for all fields except analyzed fields (i.e. full text search fields).

Show subnets not in any of the availability zones listed

resource.type:Subnet and subnet.availabilityZone not: [eu-west-2c, eu-west-1a, eu-west-3c]

Is Null Queries

Want to match an empty or null value for a field? Remove the colon after the search token, and in place of a colon, write "is null". For example, find resources where the name is null.

Examples:

name is null
tag.value is null

Range searches

Ranges can be specified with the [lower limit .. upper limit] syntax using () and/or [] as follows. This is supported for numeric and date fields.

Examples:

Greater than or equal to 123 and less than or equal to 1234 - uses square brackets

elb.listener.loadBalancerPort:[123 .. 1234]

Greater than but not equal to 123 and less than but not equal to 1234 - uses parenthesis

elb.listener.loadBalancerPort:(123 .. 1234)

Greater than or equal to 123 and less than but not equal to 1234

elb.listener.loadBalancerPort:[123 .. 1234)

Greater than but not equal to 123 and less than or equal to 1234

elb.listener.loadBalancerPort:(123 .. 1234]

Greater than 123

elb.listener.loadBalancerPort > 123

Greater than or equal to 123

elb.listener.loadBalancerPort >= 123

Less than 1234

elb.listener.loadBalancerPort < 1234

Less than or equal to 1234

elb.listener.loadBalancerPort <= 1234

Between January 1st and April 1st 2018

updated: [2018-01-01 .. 2018-04-01]

Date Searches

Use a date range [start date .. end date] or a specific date or a year. Several date variables are also available.

Learn more about Date Searches >>

Examples:

updated:2018-03-27
updated < 2018-03-27
updated:[2018-01-27 .. 2018-03-27]
updated:[now-3d .. now-1s]

Nested Queries

Use a single nested query, using parentheses, to include multiple fields in your query per examples below.

Learn more about Nested Queries >>

Examples:

Find instances that are type t2.micro and stopped.

resource.type:Instance and instance: (type:t2.micro and state:stopped)

Find controls that have High criticality and the control result is Fail.

control: (criticality:HIGH and result:FAIL)