### Simple Query Depth Example Source: https://docs.qualys.com/en/ud/latest/qql_topics/maximum_query_depth.htm Demonstrates a simple query with a depth of 2 levels. ```qql asset: (lastBoot: '2018-10-10' AND cpuCount: 2) ``` -------------------------------- ### Example of a Nested QQL Query Source: https://docs.qualys.com/en/ud/latest/qql_topics/build_query_example.htm Demonstrates the use of parentheses for grouping conditions in a QQL query. ```qql (vulnerabilities.vulnerability.severity:5 OR vulnerabilities.vulnerability.severity:4) ``` -------------------------------- ### Find Assets with Specific Tag and Software Installed Source: https://docs.qualys.com/en/ud/latest/search/ud_search_nested.htm This query combines asset tagging with software details. It returns assets tagged 'Cloud Agent' that have a specific version of 'Cisco AnyConnect Secure Mobility Client' installed. ```search tags.name: `Cloud Agent` AND software: (name:`Cisco AnyConnect Secure Mobility Client` and version: `3.1.14018`) ``` -------------------------------- ### Combine Asset and Vulnerability Queries Source: https://docs.qualys.com/en/ud/latest/qql_topics/build_query_example.htm This example shows how to combine queries targeting different data sources (Asset and Vulnerability) to create a comprehensive search. It looks for QID 100350 on assets scanned recently with specific tag criteria. ```qql vulnerabilities.vulnerability.qid:`100350` AND (lastVmScanDate>=now-24h AND (tags:(name:`Windows Desktop` OR name:`Cloud Agent`)) AND NOT (tags:(name:SiteA AND name:Lab1))) ``` -------------------------------- ### Return All Windows Assets and All Patchable Assets Source: https://docs.qualys.com/en/ud/latest/search/ud_search_nested.htm This query returns assets matching either condition separately, unlike the previous example which required both. It demonstrates querying for assets that are either Windows assets or assets with patchable vulnerabilities. ```search vulnerabilities.vulnerability.os: "windows" AND vulnerabilities.vulnerability.patchAvailable: "true" ``` -------------------------------- ### Filter Windows Assets with Patchable Vulnerabilities Source: https://docs.qualys.com/en/ud/latest/search/ud_search_nested.htm Use nested queries when tokens share a common key, such as 'vulnerabilities.vulnerability'. This example returns Windows assets with patchable vulnerabilities, requiring both conditions to be met. ```search vulnerabilities.vulnerability: (os: "windows" AND patchAvailable: "true") ``` -------------------------------- ### Preferred Nested Query Format for Windows Assets with Vulnerabilities Source: https://docs.qualys.com/en/ud/latest/search/ud_search_nested.htm When constructing nested queries, entering the entire shared key first improves results. This example uses the preferred format to find Windows assets with confirmed vulnerabilities. ```search vulnerabilities: (vulnerability.os: "windows" AND typeDetected: "Confirmed") ``` -------------------------------- ### Date Range Queries Source: https://docs.qualys.com/en/ud/latest/search/ud_dates_queries.htm Specify a start and end date using square brackets `[start .. end]` for date range searches. You can use specific dates or the 'now' shortcut. ```text installedDate: [now-2M .. now-1M] ``` ```text installedDate: [2020-01-01 .. 2020-04-01] ``` ```text installedDate: [2020-10-01 .. 2020-10-03] ``` -------------------------------- ### Combine Brackets and Parentheses for Mixed Range Searches in QQL Source: https://docs.qualys.com/en/ud/latest/qql_topics/qql_best_practices.htm Combine brackets and parentheses to create mixed-range searches. For example, `( .. ]` includes values greater than the lower limit but less than or equal to the upper limit. ```qql openPorts.port:(123 .. 1234] ``` ```qql openPorts.port:[123 .. 1234) ``` -------------------------------- ### Complex Query Depth Example Source: https://docs.qualys.com/en/ud/latest/qql_topics/maximum_query_depth.htm Illustrates a more complex query with a depth of 5 levels, involving multiple AND, OR, and NOT operators. ```qql (operatingSystem: "Windows 7 SP2 Enterprise" OR operatingSystem: "Windows 2002") AND (hardware: "Dell Latitude e7470" OR hardware: "Dell Inspiron") AND NOT asset.lastBoot <= "2018-11-01" ``` -------------------------------- ### Find Assets with OR Operator Source: https://docs.qualys.com/en/ud/latest/qql_topics/components_of_a_qql_query.htm Use the OR operator to find host assets running either of the specified operating systems. Enclose values with spaces in double quotes. ```qql operatingSystem: "windows 2008 R2" OR operatingSystem: "windows 2012 R2" ``` -------------------------------- ### Date Comparison with 'now' Shortcut Source: https://docs.qualys.com/en/ud/latest/search/ud_dates_queries.htm Combine comparison operators with the 'now' shortcut to find assets based on relative timeframes. Note the inclusivity/exclusivity of the boundary day. ```text installedDate>=now-10d (The result includes patches installed on day 10.)installedDate>now-10d (The result excludes patches installed on day 10.) ``` ```text lastCheckedIn), less than (<), and equal (=) signs instead of colons for flexible comparisons. Combinations like >= and <= provide inclusive range checks. ```qql openPorts.port > 123 ``` ```qql openPorts.port<123 ``` ```qql openPorts.port=123 ``` ```qql openPorts.port>=123 ``` ```qql openPorts.port<=123 ``` -------------------------------- ### Using the 'now' Shortcut for Relative Dates Source: https://docs.qualys.com/en/ud/latest/search/ud_dates_queries.htm The 'now' shortcut allows you to specify dates relative to the current time. Append a number and a time unit (y, M, w, d, h, m, s) to 'now-'. ```text now-1y ``` ```text now-2M ``` ```text now-5d ``` -------------------------------- ### Find Confirmed Vulnerabilities on Windows Assets with Active Status Source: https://docs.qualys.com/en/ud/latest/qql_topics/build_query_example.htm Constructs a query to find vulnerabilities that are confirmed, have an active status, and are detected on Windows assets. ```qql vulnerabilities.vulnerability.detection.type:Confirmed AND vulnerabilities.vulnerability.status:ACTIVE AND assets.operatingSystem:Windows ``` -------------------------------- ### QQL for ANY (OR) Tag Filter Source: https://docs.qualys.com/en/ud/latest/dashboards/manage_your_dashboards/filter_a_dashborad_using_tags.htm Use this QQL syntax when filtering widgets with the 'ANY' option, meaning the widget count is based on assets associated with any of the selected tags. ```qql tags.name:["Remote Endpoints","Cloud Environments"] ``` -------------------------------- ### QQL for ALL (AND) Tag Filter Source: https://docs.qualys.com/en/ud/latest/dashboards/manage_your_dashboards/filter_a_dashborad_using_tags.htm Use this QQL syntax when filtering widgets with the 'ALL' option, meaning the widget count is based on assets associated with all of the selected tags. ```qql tags.name:"Remote Endpoints" and tags.name:"Cloud Environments" ``` -------------------------------- ### Filter Vulnerabilities by First Found Date (On or Before) Source: https://docs.qualys.com/en/ud/latest/qql_topics/components_of_a_qql_query.htm Use the less than or equal to operator (<=) with a date to find vulnerabilities first detected on or before a specific date. Useful for historical analysis. ```qql vulnerabilities.firstFound<=2020-05-21 ``` -------------------------------- ### Simple Boolean Query for Patch Availability Source: https://docs.qualys.com/en/ud/latest/search/ud_boolean_queries.htm This query demonstrates a simple AND condition to find vulnerabilities where a patch is available for a specific category. It has a query depth of 2. ```text vulnerabilities.vulnerability: (patchAvailable: "true" AND category: "CGI") ```