This topic walks through the building blocks of a QQL search, with examples. The following sections help you write QQL search queries that return precise results quickly.
Using Tokens | Searching without Tokens | String Matching | Contains Search | Full Text Search | Suffix Matching | Prefix Matching | Boolean Operators | Multiple Values | Is Null Queries | Range Searches | Date Searches | Nested Queries
Enter the token, then a colon, and then the targeted value. Nested fields are dot-separated.
Examples:
provider:aws
tag.key:department
subnet.availabilityZone:ap-southeast-2c
instance.state:terminated
There are many fields you can search within each resource type. Start by clicking on the resource type in List View. Then enter "and" followed by the field name and value.
Examples:
resource.type:"Instance" and instance.type:t2.micro
resource.type:"Subnet" and subnet.availabilityZone:ap-southeast-2c
resource.type:"VPC" and vpc.instanceTenancy:default
When you enter only the targeted value without a search token, the broadest possible search is performed across all fields in the asset index (100 field names). Keep in mind that some fields, such as tag name and vulnerability title, are not included in the asset index; to search those, you need to use their tokens.
How it works - A search for "win" without a token returns assets where the text string 'win' appears in the asset name, host name, operating system, software name, and so on. Enclose the value in double quotation marks to match a string containing spaces.
Prefix or suffix matching with the wildcard character '*' requires a search token.
Enclose the token value in double quotation marks to match a string. The results include every value that contains the specified string.
Examples:
iamuser.arn:"arn:aws:iam::383031258652:user"
resource.id:"subnet"
vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"
For exact string matching, enclose the targeted value in grave accent marks, also known as backticks (`<value>`). The results include only the findings whose value exactly matches what you specify.
Examples:
operatingSystem:`Windows 7 Ultimate Service Pack 1`
interfaces.hostname:`xpsp2-jp-26-111`
host.sensorUid:`cbcb5ef6-1c49-3ba0-91c1-5462ffbd26af`
Some fields that contain free text (such as names and descriptions) support full text search and its advanced search capabilities. Full text search fields do not support exact matching.
Examples:
Show controls with s3 in the name (case insensitive)
control.name:s3
Show policies with "amazon" and "benchmark" in the name (in any order, case insensitive)
policy.name:"amazon benchmark"
Suffix matching is supported for some search tokens in QQL, in particular when you search for assets by asset name, tag name or NetBIOS name. Type the wildcard character '*' followed by the string you are looking for; the search returns name values ending with the string that follows '*'. Matches are not case-sensitive.
Examples:
To find asset names ending with 110, form the following query:
name: *110
The query returns asset names such as bw2012-35-110, vsweblogic12110 or stvsp2-32-110.
To find assets with tag names ending with 'region east', form the following query:
tags.name:*Region East
The query returns assets having tag names ending with Region East, region east, or Region EAST.
Suffix and domain matching are supported for the token interfaces.hostname, but the syntax is different.
interfaces.hostname:qualys.com
interfaces.hostname:sjc01.qualys.com
interfaces.hostname:eng.sjc01.qualys.com
interfaces.hostname:*lys.com
Prefix matching is supported for some search tokens in QQL, in particular when you search for assets by asset name, tag name or NetBIOS name. Type the string you are looking for followed by the wildcard character '*'; the search returns name values beginning with the string that precedes '*'. Matches are case-sensitive.
Example: This query matches assets with an asset name starting with "xp" like xpsp2-jp-26-111.
name:xp*
Example: This query matches assets with tag names starting with "Win" like Windows XP, Windows 2012, Windows Hosts.
tags.name:Win*
Example: This query matches assets with a hostname starting with "com-pa30" like com-pa3020-36.eng.sjc01.qualys.com.
interfaces.hostname:com-pa30*
Example: This query matches assets with an operating system starting with "Lin" like Linux 2.4-2.6.
operatingSystem:Lin*
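To make the matching rules from the token, contains, exact-match, suffix and prefix sections concrete, here is an added Python model of them (example code, not Qualys or QQL code) run over a few constructed asset records. It assumes nested fields are plain dicts, treats a bare value as a case-insensitive contains match, does not model full text search fields, and follows the page's statements on case-sensitivity for prefix and suffix matches.

```python
# Constructed sample assets; dotted tokens follow the page's examples (tags kept as a dict for brevity).
ASSETS = [
    {"name": "bw2012-35-110", "operatingSystem": "Windows 7 Ultimate Service Pack 1",
     "interfaces": {"hostname": "xpsp2-jp-26-111"}, "tags": {"name": "US Region East"}},
    {"name": "vsweblogic12110", "operatingSystem": "Linux 2.4-2.6",
     "interfaces": {"hostname": "com-pa3020-36.eng.sjc01.qualys.com"}, "tags": {"name": "Windows Hosts"}},
    {"name": "stvsp2-32-110", "operatingSystem": "Windows XP",
     "interfaces": {"hostname": "db01.example.test"}, "tags": {"name": "region east"}},
]

def lookup(record, token):
    """Resolve a dot-separated token such as interfaces.hostname against a nested record."""
    for part in token.split("."):
        if not isinstance(record, dict) or part not in record:
            return None
        record = record[part]
    return record

def match_value(actual, pattern):
    """Apply the page's string-matching rules to one field value:
    `v` exact match, "v" contains (case-insensitive), *v suffix (case-insensitive),
    v* prefix (case-sensitive, as the page states), bare v contains (case-insensitive)."""
    if actual is None:
        return False
    text = str(actual)
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "`":
        return text == pattern[1:-1]
    if len(pattern) > 1 and pattern[0] == pattern[-1] == '"':
        return pattern[1:-1].lower() in text.lower()
    if pattern.startswith("*"):
        return text.lower().endswith(pattern[1:].lower())
    if pattern.endswith("*"):
        return text.startswith(pattern[:-1])
    return pattern.lower() in text.lower()

def leaves(record):
    """Yield every scalar value of a nested record, for the token-less broad search."""
    if isinstance(record, dict):
        for value in record.values():
            yield from leaves(value)
    else:
        yield record

def search(assets, query):
    """Evaluate one QQL term: 'token:value' tests one field, a bare value is searched across every field."""
    token, colon, pattern = query.partition(":")
    if not colon:
        return [a["name"] for a in assets if any(match_value(v, query.strip()) for v in leaves(a))]
    return [a["name"] for a in assets if match_value(lookup(a, token.strip()), pattern.strip())]
```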
Use the Boolean operator AND to broaden the scope of your search. Use OR and NOT to narrow it down.
Note: For the VMDR dashboards, the NOT operator can be used only with Asset search tokens. Vulnerability search tokens do not support the NOT operator.
Examples:
region:Mumbai or region:Sydney
NOT account.id:383031258652
control.criticality:HIGH and service.type:IAM
To match values that are in (or not in) a list, follow the token with a colon (:) and a comma-separated list of values in square brackets. Do not quote the values. This is available for all fields except analyzed fields (that is, full text search fields).
Example: Show subnets that are not in any of the listed availability zones.
resource.type:Subnet and subnet.availabilityZone not: [eu-west-2c, eu-west-1a, eu-west-3c]
To match an empty or null value for a field, replace the colon after the search token with the words "is null". For example, you can find resources whose name is null.
Examples:
name is null
tag.value is null
Ranges can be specified with the [lower limit .. upper limit] syntax, using () and/or [] as follows. This is supported for numeric and date fields.
Examples:
Greater than or equal to 123 and less than or equal to 1234 - uses square brackets
elb.listener.loadBalancerPort:[123 .. 1234]
Greater than but not equal to 123 and less than but not equal to 1234 - uses parentheses
elb.listener.loadBalancerPort:(123 .. 1234)
Greater than or equal to 123 and less than but not equal to 1234
elb.listener.loadBalancerPort:[123 .. 1234)
Greater than but not equal to 123 and less than or equal to 1234
elb.listener.loadBalancerPort:(123 .. 1234]
Greater than 123
elb.listener.loadBalancerPort > 123
Greater than or equal to 123
elb.listener.loadBalancerPort >= 123
Less than 1234
elb.listener.loadBalancerPort < 1234
Less than or equal to 1234
elb.listener.loadBalancerPort <= 1234
Between January 1st and April 1st 2018
updated: [2018-01-01 .. 2018-04-01]
Use a date range [start date .. end date], a specific date, or a year. Several date variables are also available.
Examples:
updated:2018-03-27
updated < 2018-03-27
updated:[2018-01-27 .. 2018-03-27]
updated:[now-3d .. now-1s]
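The bracket and comparison forms from the range and date sections, as an added Python example (not Qualys code): it compiles the right-hand side of a range query into a predicate, with '[' and ']' including the endpoint and '(' and ')' excluding it, and resolves now-N<unit> values against a fixed, constructed reference time so results are reproducible. A bare year as a date value is not modelled.

```python
import re
from datetime import datetime, timedelta

# Fixed reference time so relative values such as now-3d are reproducible (constructed).
NOW = datetime(2018, 3, 27, 12, 0, 0)
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def parse_value(text):
    """Turn a range endpoint into a comparable value: an integer, an ISO date, or now[-N<unit>]."""
    text = text.strip()
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", text):
        return datetime.strptime(text, "%Y-%m-%d")
    m = re.fullmatch(r"now(?:-(\d+)([smhdw]))?", text)
    if m:
        count, unit = m.groups()
        return NOW - timedelta(**{UNITS[unit]: int(count)}) if count else NOW
    raise ValueError(f"unsupported range value: {text!r}")

def compile_range(expr):
    """Compile the right-hand side of a range query into a predicate over field values.
    '[' and ']' include the endpoint, '(' and ')' exclude it; > >= < <= and a single value also work."""
    expr = expr.strip()
    m = re.fullmatch(r"([\[(])\s*(.+?)\s*\.\.\s*(.+?)\s*([\])])", expr)
    if m:
        open_, lo, hi, close = m.groups()
        lo, hi = parse_value(lo), parse_value(hi)
        lo_ok = (lambda v: v >= lo) if open_ == "[" else (lambda v: v > lo)
        hi_ok = (lambda v: v <= hi) if close == "]" else (lambda v: v < hi)
        return lambda v: lo_ok(v) and hi_ok(v)
    m = re.fullmatch(r"(>=|<=|>|<)\s*(.+)", expr)
    if m:
        op, val = m.group(1), parse_value(m.group(2))
        return {">": lambda v: v > val, ">=": lambda v: v >= val,
                "<": lambda v: v < val, "<=": lambda v: v <= val}[op]
    val = parse_value(expr)
    if isinstance(val, datetime):  # a bare date such as updated:2018-03-27 matches the whole day
        return lambda v: val <= v < val + timedelta(days=1)
    return lambda v: v == val

def compile_query(query):
    """Split 'field:<range>' or 'field >= value' into (field, predicate)."""
    m = re.fullmatch(r"([\w.]+)\s*(:|>=|<=|>|<)\s*(.+)", query.strip())
    if not m:
        raise ValueError(f"not a range query: {query!r}")
    field, op, rest = m.groups()
    return field, compile_range(rest if op == ":" else op + rest)
```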
Nested Queries
Use a single nested query, using parentheses, to include multiple fields in your query, as in the examples below.
Examples:
Find instances that are type t2.micro and stopped.
resource.type:Instance and instance: (type:t2.micro and state:stopped)
Find controls that have High criticality and the control result is Fail.
control: (criticality:HIGH and result:FAIL)
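As an added example (not Qualys code), this Python function rewrites a nested query into the equivalent dotted-token form, which is a handy way to check what a nested query actually matches. It assumes a parenthesised range value such as (123 .. 1234) contains no colon, and it also expands groups within groups, which is an assumption the page does not document.

```python
import re

# A token inside a group: a dotted name followed by a colon and not preceded by a word
# character, dot, colon or quote, so "arn:aws:iam::..." inside a quoted value is left alone.
TOKEN = re.compile(r'(?<![\w.:"`])([\w.]+)(?=\s*:)')
GROUP_OPEN = re.compile(r"([\w.]+)\s*:\s*\(")

def flatten_nested(query):
    """Rewrite 'prefix: (a:x and b:y)' into '(prefix.a:x and prefix.b:y)'.
    Groups inside groups are expanded too (an assumption; the page shows one level)."""
    pos = 0
    while (m := GROUP_OPEN.search(query, pos)):
        prefix, start = m.group(1), m.end()
        depth, i = 1, start
        while depth and i < len(query):  # walk to the matching close parenthesis
            depth += {"(": 1, ")": -1}.get(query[i], 0)
            i += 1
        if depth:
            raise ValueError("unbalanced parentheses in nested query")
        inner = query[start:i - 1]
        if ":" not in inner:  # a range such as port:(123 .. 1234), not a nested group
            pos = m.end()
            continue

        def prefix_top_level(t):
            # Only tokens at depth 0 of this group get the prefix; deeper ones wait for their own pass.
            before = inner[:t.start()]
            return f"{prefix}.{t.group(1)}" if before.count("(") == before.count(")") else t.group(0)

        query = query[:m.start()] + "(" + TOKEN.sub(prefix_top_level, inner) + ")" + query[i:]
    return query
```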