In this topic, we'll cover various aspects of a QQL search with examples. The following sections help you create QQL search queries that fetch you quicker and smarter results.
Using Tokens
Enter the token, then a colon, and then the targeted value. Nested fields are dot-separated.
Examples:
vulnerabilities.category:CGI
repo.tag:latest
users:asmith
containerId:cf4cd77dfc5b
Searching without Tokens
When you enter only the targeted value without any search token, we perform the broadest possible search across the attributes of all fields in the asset index (100 field names). Keep in mind that some fields are not included in the asset index, such as tag name and vulnerability title; for those you'll need to search using the tokens.
How it works - A search for "win" without a token returns assets where the text string 'win' appears in the asset name, host name, operating system, software name, and so on. Enclose the value in double quotation marks to match a string.
If you want to perform prefix matching or suffix matching using the wildcard character '*', you need to search using the search token.
Contains Search
Enclose your token value in double quotation marks to match a string. Your results include any match that contains the specified value.
Examples:
operatingSystem: "Debian Linux"
vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"
registryUri: "https://registry-1.docker.io"
For exact string matching, enclose your targeted value in grave accent marks, also known as backticks (`<value>`). The results include only the findings that exactly match the value you specify.
Examples:
operatingSystem: `Debian Linux 8.7`
interfaces.hostname: `xpsp2-jp-26-111`
macAddress: `02:42:ac:11:00:09`
Full Text Search
Some fields containing strings of text (like names, descriptions) allow you to use full text search and advanced search capabilities. Full text search fields do not support exact matching.
Examples:
Show any findings related to this title
vulnerabilities.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title: "Remote Code"
Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title: `Remote Code`
Show any findings that match nested query. Both sub fields must match in order for an asset to be returned.
vulnerabilities.vulnerability: (title: `Remote Code` AND patchAvailable: "true")
Suffix Matching
Suffix matching is supported for some search tokens in QQL. It is especially useful when you search for assets by asset name, tag name, or NetBIOS name. Type the wildcard character '*' followed by the string you are looking for; the search returns name values ending with the string you specify after '*'. Matches are not case-sensitive.
Examples:
This query finds container names ending with "manager" like kube-controller-manager.
name: *manager
Suffix and domain matching is supported for the tokens host.hostname (supported on Images, Containers tabs) and interfaces.hostname (supported on Hosts tab) but the syntax is different.
interfaces.hostname:qualys.com
interfaces.hostname:sjc01.qualys.com
interfaces.hostname:eng.sjc01.qualys.com
interfaces.hostname:*lys.com
Prefix Matching
Prefix matching is supported for some search tokens in QQL. It is especially useful when you search for assets by asset name, tag name, or NetBIOS name. Type the string you are looking for followed by the wildcard character '*'; the search returns name values beginning with the string you specify before '*'. Matches are case-sensitive.
Example: This query matches assets with an asset name starting with "xp" like xpsp2-jp-26-111.
name:xp*
Example: This query matches assets with a hostname starting with "com-pa30" like com-pa3020-36.eng.sjc01.qualys.com.
interfaces.hostname:com-pa30*
Example: This query matches images with repository name starting with "test" like test123 or testrepo.
repo.repository:test*
Example: This query matches assets with an operating system starting with "Deb" like Debian Linux 8.7 or Debian Linux 10.9.
operatingSystem:Deb*
Boolean Operators
Use the Boolean operator AND to broaden the scope of your search. Use OR and NOT to narrow it down.
Examples:
operatingSystem: windows OR operatingSystem: linux
(operatingSystem: windows OR operatingSystem: linux) AND (portMapping.hostPort: 80 OR portMapping.hostPort: 8080) NOT operatingSystem: windows
Multiple Values
To match values that are in or not in the fields, you can use a colon (:), followed by a comma-separated list of values within square brackets. Do not use quotes around your values. Available for all fields except analyzed fields (i.e. full text search fields).
Example: Find containers with at least one of these three CVE IDs:
vulnerabilities.cveids:[CVE-2018-5146,CVE-2018-4300,CVE-2017-18078]
Is Null Queries
Want to match an empty or null value for a field? Remove the colon after the search token, and in place of a colon, write "is null".
Examples:
operatingSystem is null
macAddress is null
Range Searches
Ranges can be specified with the [lower limit .. upper limit] syntax using () and/or [] as follows. This is supported for numeric and date fields.
Examples:
Greater than or equal to 123 and less than or equal to 1234 - uses square brackets:
portMapping.hostPort:[123 .. 1234]
Greater than but not equal to 123 and less than but not equal to 1234 - uses parentheses:
portMapping.hostPort:(123 .. 1234)
Greater than or equal to 123 and less than but not equal to 1234:
portMapping.hostPort:[123 .. 1234)
Greater than but not equal to 123 and less than or equal to 1234:
portMapping.hostPort:(123 .. 1234]
Greater than 123:
portMapping.hostPort > 123
Greater than or equal to 123:
portMapping.hostPort >= 123
Less than 1234:
portMapping.hostPort < 1234
Less than or equal to 1234:
portMapping.hostPort <= 1234
Between January 1st and April 1st 2022:
vulnerabilities.firstFound: [2022-01-01 .. 2022-04-01]
Date Searches
Use a date range [start date .. end date] or a specific date or a year. Several date variables are also available.
Examples:
updated:2022-03-27
updated < 2022-03-27
updated:[2022-01-27 .. 2022-03-27]
updated:[now-3d .. now-1s]
Nested Queries
Use a single nested query, with parentheses, to include multiple fields in your query, as in the examples below.
Example: Find vulnerabilities that are severity 5 and are confirmed
vulnerabilities: (severity: "5" AND category: "DNS")
Example: Find vulnerabilities that are severity 5, have Easy Exploit RTI, and first found in the last 5 days:
vulnerabilities: (severity: "5" AND threatIntel.easyExploit: true AND firstFound > now-5d)
Example: Find controls that have Urgent criticality and the control posture is Fail.
controls: (criticality:URGENT and posture:FAIL)
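The constructs described in the sections above (tokens, contains and exact quoting, prefix and suffix wildcards, value lists, "is null", ranges, comparison operators, Boolean joins and nested groups) can be assembled programmatically, which is handy when a detection or reporting script builds QQL filters from untrusted input such as a CVE list or a hostname. The following Python module is an added example written for this page; it is not Qualys code, and its function names are my own. Because the page does not document how to escape a quote or backtick inside a quoted value, the helpers refuse such values rather than guess at an escape, and a small `balanced()` check catches unterminated quotes or mismatched brackets before a query is sent.

```python
"""Compose Qualys QQL query strings from the constructs described on this page.

Added example, not Qualys code. Function names are the author's own.
Escaping inside quoted values is not documented here, so a value that
contains the delimiter it would be wrapped in raises ValueError instead
of producing a query that silently means something else.
"""
from __future__ import annotations

from typing import Iterable

DQUOTE = '"'
BACKTICK = "`"
COMPARISONS = {">", ">=", "<", "<="}


def _reject(value: str, *forbidden: str) -> str:
    """Return value unchanged unless it contains a character that would break the syntax."""
    for ch in forbidden:
        if ch in value:
            raise ValueError(f"value {value!r} may not contain {ch!r}")
    return value


def token(name: str, value: str) -> str:
    """Bare token search, e.g. repo.tag:latest. Values with spaces need contains() or exact()."""
    if not value or any(c.isspace() for c in value):
        raise ValueError("bare value must be a single word; use contains() or exact()")
    return f"{name}:{value}"


def contains(name: str, value: str) -> str:
    """Contains search: double quotes, matches any record containing the value."""
    return f'{name}: "{_reject(value, DQUOTE)}"'


def exact(name: str, value: str) -> str:
    """Exact match: backticks around the value."""
    return f"{name}: `{_reject(value, BACKTICK)}`"


def prefix(name: str, value: str) -> str:
    """Prefix matching: the string followed by '*' (the page notes this is case-sensitive)."""
    return f"{name}:{_reject(value, '*')}*"


def suffix(name: str, value: str) -> str:
    """Suffix matching: '*' followed by the string (not case-sensitive per the page)."""
    return f"{name}:*{_reject(value, '*')}"


def any_of(name: str, values: Iterable[str]) -> str:
    """Match any listed value: token:[v1,v2]. Values are unquoted, as the page requires."""
    items = [_reject(v, ",", "[", "]", DQUOTE, BACKTICK) for v in values]
    if not items:
        raise ValueError("need at least one value")
    return f"{name}:[{','.join(items)}]"


def is_null(name: str) -> str:
    """Empty/null match: the colon is replaced by 'is null'."""
    return f"{name} is null"


def between(name: str, lower, upper, lower_inclusive: bool = True, upper_inclusive: bool = True) -> str:
    """Range query: '[' / ']' is an inclusive bound, '(' / ')' an exclusive one, chosen per side."""
    lo = "[" if lower_inclusive else "("
    hi = "]" if upper_inclusive else ")"
    return f"{name}:{lo}{lower} .. {upper}{hi}"


def compare(name: str, op: str, value) -> str:
    """Open-ended comparison, e.g. updated < 2022-03-27 or firstFound > now-5d."""
    if op not in COMPARISONS:
        raise ValueError(f"unsupported operator {op!r}")
    return f"{name} {op} {value}"


def all_of(*clauses: str) -> str:
    return " AND ".join(clauses)


def one_of(*clauses: str) -> str:
    return " OR ".join(clauses)


def without(query: str, excluded: str) -> str:
    """Append a NOT clause, as in '... NOT operatingSystem: windows'."""
    return f"{query} NOT {excluded}"


def group(query: str) -> str:
    return f"({query})"


def nested(name: str, inner: str) -> str:
    """Nested query: every sub-field inside the parentheses must match the same object."""
    return f"{name}: ({inner})"


def balanced(query: str) -> bool:
    """Sanity check before sending: brackets nest properly and quotes/backticks pair up."""
    pairs = {")": "(", "]": "["}
    stack: list[str] = []
    in_quote = None
    for ch in query:
        if in_quote:
            if ch == in_quote:
                in_quote = None
            continue
        if ch in (DQUOTE, BACKTICK):
            in_quote = ch
        elif ch in "([":
            stack.append(ch)
        elif ch in pairs and (not stack or stack.pop() != pairs[ch]):
            return False
    return not stack and in_quote is None


if __name__ == "__main__":
    # Rebuilds the "severity 5, easy exploit, first found in the last 5 days" example above.
    q = nested("vulnerabilities", all_of(contains("severity", "5"),
                                         token("threatIntel.easyExploit", "true"),
                                         compare("firstFound", ">", "now-5d")))
    print(q, balanced(q))
```

The builder deliberately has no string escaping: if a value carries the delimiter it would be quoted with, the safe answer on this page's information is to reject it, not to emit a query whose meaning you cannot predict.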