The company has just bought the Qualys CSAM (CyberSecurity Asset Management) module; this is a wiki page on its search functions.
What is Qualys
Qualys is a provider of cybersecurity and compliance solutions, founded in 1999 and headquartered in Foster City, California. The company offers a range of cloud security solutions that help enterprises identify, assess and protect their networks and applications against cyber attacks and data breaches.
Qualys' solutions include vulnerability management, network scanning, web application security, network traffic analysis, security compliance and IT asset management. Its cloud security platform is built on a software-as-a-service (SaaS) model, can be used from any device, and can run security scans and detection automatically while providing real-time reports and alerts.
Qualys also offers a set of APIs and plugins for integration with other security tools and services, giving enterprises a more complete and efficient security solution. Qualys' customers are spread worldwide and include many well-known enterprises and government agencies.
How to Search 如何搜索
Search by Field | String matching | Exact matching | Full Text Search | Is Null Queries | Range searches | Date searches | Match multiple values | Suffix Matching | Prefix Matching | Boolean operators | Nested Queries
Search by Field 按字段搜索
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Examples:
asset.netbiosName: WIN7PATCH69-85
asset.lastLoggedOnUser: .\Administrator
asset.hostID: 43954857
String matching 字符串匹配
Use single quotes or double quotes around your query to match a string.
Examples:
operatingSystem: "Windows 7 SP2 Enterprise"
services.description: "Certificate Propagation"
Example using a wildcard: to match a prefix, append an asterisk (*) to the string. For example, to find assets whose name starts with WINDOWS2008, use this query:
asset.name: WINDOWS2008*
Exact matching 完全匹配
Use backticks to exactly match a string. Your results will include any asset with the EXACT value returned.
Examples:
operatingSystem:`Windows 7 Ultimate Service Pack 1`
hardware:`Dell Latitude e7470`
Full Text Search 全文检索
Many asset fields containing text allow you to use full text search and advanced search capabilities.
Examples:
Show any findings with this OS name
operatingSystem: Windows
Show any findings that contain components of OS name
operatingSystem: "Windows 2008 r2 service pack 2"
Show any findings that match the exact value “Windows 2002”
operatingSystem:`Windows 2002`
Is Null Queries 为空查询
Want to match an empty/null value for a field? You’ll need to remove the colon and then write “is null”. For example, quickly find assets where the OS has not been identified.
Examples:
operatingSystem is null
interfaces.macAddress is null
asset.biosDescription is null
Range searches 范围搜索
Ranges can be specified with the [lower .. upper] syntax using () and/or [] as follows. This is supported for numeric and date fields.
Example:
inventory.created: [2018-08-01 .. 2018-09-01] // Between August 1st and September 1st 2018
Range options:
inventory.created:(date1 .. date2)
// Greater than but not equal to date1 and less than but not equal to date2
inventory.created:(date1 .. date2]
// Greater than but not equal to date1 and less than or equal to date2
inventory.created:[date1 .. date2)
// Greater than or equal to date1 and less than but not equal to date2
inventory.created:[date1 .. date2]
// Greater than or equal to date1 and less than or equal to date2
inventory.created > date1
// Greater than date1
inventory.created >= date1
// Greater than or equal to date1
inventory.created < date1
// Less than date1
inventory.created <= date1
// Less than or equal to date1
Date searches 日期搜索
Use a date range [start date .. end date] or a specific date. Several date variables are also available.
Examples:
openPorts.lastFound: "2018-10-20"
openPorts.lastFound <= "2018-11-20"
openPorts.lastFound: ["2018-10-20" .. "2018-10-24"]
openPorts.lastFound: [now-3d .. now-1s]
Match multiple values 匹配多个值
Use a bracketed list to match values that are “in” a field (or, combined with NOT, “not in” it). Available for all fields except analyzed fields (i.e. full text search fields).
Examples:
Find assets with at least one of these three scanner appliance locations:
inventory.scannerLocation: [SanJose1, SanJose2, SanJose3]
Find assets not last booted on date: 2018-08-31 or 2018-09-12
NOT asset.lastBoot: ["2018-08-31","2018-09-12"]
Supported date formats: 支持的日期格式:
YYYY example: asset.lastBoot:["2017","2018"]
// in 2017 or 2018
YYYY-MM example: asset.lastBoot:["2018-08","2018-09"]
// in the month of Aug or Sept
YYYY-MM-DD example: asset.lastBoot:["2018-10-30","2018-11-05"]
// on one of the exact dates
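As an added example that is not part of the original page or of Qualys' own code, the following Python models the range, comparison, date-granularity and in-list forms from the Range searches, Date searches and Match multiple values sections above and applies them to a constructed inventory. The field names mirror the queries above; the asset records and the fixed `now` used for the `now-3d` case are constructed. How a null field behaves (here it never falls in a range, so a NOT clause includes it) is an assumption, not documented behaviour.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inventory (not real Qualys data): one flat dict per asset,
# with date fields kept as the ISO strings QQL displays.
ASSETS = [
    {"id": 1, "inventory.created": "2018-08-01", "asset.lastBoot": "2018-08-31"},
    {"id": 2, "inventory.created": "2018-08-15", "asset.lastBoot": "2018-09-12"},
    {"id": 3, "inventory.created": "2018-09-01", "asset.lastBoot": "2018-10-30"},
    {"id": 4, "inventory.created": None,         "asset.lastBoot": "2017-12-01"},
]

RANGE_RE = re.compile(r"^([\[(])\s*(.+?)\s*\.\.\s*(.+?)\s*([\])])$")
CMP_RE = re.compile(r"^(>=|<=|>|<)\s*(.+)$")
REL_RE = re.compile(r"^now(?:-(\d+)([dhms]))?$")

def resolve_date(token, now=None):
    """Turn a QQL date token into a datetime: quoted or bare YYYY-MM-DD, or the
    relative `now-3d` / `now-1s` form from the Date section (d/h/m/s units;
    `now` alone is also accepted)."""
    token = token.strip().strip("\"'")
    now = now or datetime.now()
    m = REL_RE.match(token)
    if m:
        if m.group(1) is None:
            return now
        unit = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}[m.group(2)]
        return now - timedelta(**{unit: int(m.group(1))})
    return datetime.strptime(token, "%Y-%m-%d")

def match_range(value, spec, now=None):
    """Evaluate `[lo .. hi]`, `(lo .. hi)`, mixed brackets, and the `>`, `>=`,
    `<`, `<=` forms. Brackets are inclusive and parentheses exclusive, exactly
    as the Range options list states."""
    if value is None:                       # assumption: a null field is never in a range
        return False
    v = resolve_date(value, now)
    spec = spec.strip()
    m = RANGE_RE.match(spec)
    if m:
        lo_b, lo, hi, hi_b = m.groups()
        lo_d, hi_d = resolve_date(lo, now), resolve_date(hi, now)
        lo_ok = v >= lo_d if lo_b == "[" else v > lo_d
        hi_ok = v <= hi_d if hi_b == "]" else v < hi_d
        return lo_ok and hi_ok
    m = CMP_RE.match(spec)
    if m:
        op, d = m.group(1), resolve_date(m.group(2), now)
        return {">": v > d, ">=": v >= d, "<": v < d, "<=": v <= d}[op]
    raise ValueError(f"unsupported range spec: {spec!r}")

def parse_list(text):
    """'[SanJose1, "SanJose2"]' -> ['SanJose1', 'SanJose2']"""
    return [t.strip().strip("\"'") for t in text.strip()[1:-1].split(",") if t.strip()]

def match_in_list(value, items):
    """`field: ["2017","2018"]` style. Items may be YYYY, YYYY-MM or YYYY-MM-DD;
    since stored dates are ISO strings, a value is inside an item's period
    exactly when it starts with that item."""
    return value is not None and any(value.startswith(i) for i in parse_list(items))

def query(assets, field, spec, negate=False, now=None):
    """Apply one clause to `field` and return matching asset ids. `spec` is the
    text after the colon, or the operator plus date for `field > date1`;
    negate=True models a leading NOT. `now` may be a YYYY-MM-DD string."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    spec = spec.strip()
    out = []
    for a in assets:
        val = a.get(field)
        if ".." in spec or CMP_RE.match(spec):
            hit = match_range(val, spec, now)
        elif spec.startswith("["):
            hit = match_in_list(val, spec)
        else:                               # plain `field: "2018-10-20"` date equality
            hit = val is not None and val == spec.strip("\"'")
        if hit != negate:
            out.append(a["id"])
    return out

if __name__ == "__main__":
    print(query(ASSETS, "inventory.created", "[2018-08-01 .. 2018-09-01)"))
```

The four bracket combinations give different results on the same two boundary assets (ids 1 and 3 sit exactly on the bounds), which is the point to check before trusting a range query in a compliance report; the relative `now-3d .. now-1s` form is evaluated against a fixed `now` so the result is reproducible.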
Suffix matching 后缀匹配
Suffix matching is supported for some search tokens in QQL. In particular, when you search for assets by asset name, tag name or NetBIOS name, you can use suffix matching for quicker results.
Type the wildcard character ‘*’ followed by the string you are looking for. The search returns name values ending with the string you specify after ‘*’. Matches are not case-sensitive.
Examples:
To find asset names ending with 110, form the following query:
name: *110
The query returns asset names such as bw2012-35-110 or vsweblogic12110 or stvsp2-32-110 and so on.
To find assets based on tag names ending with ‘region east’, form the following query:
tags.name:*Region East
The query returns assets having tag names ending with Region East, region east, or Region EAST.
Suffix and domain matching is supported for the token interfaces.hostname but the syntax is different.
interfaces.hostname:qualys.com
interfaces.hostname:sjc01.qualys.com
interfaces.hostname:eng.sjc01.qualys.com
interfaces.hostname:*lys.com
Prefix matching
Prefix matching is supported for some search tokens in QQL. In particular, when you search for assets by asset name, tag name or NetBIOS name, you can use prefix matching for quicker results.
Type the string you are looking for followed by the wildcard character ‘*’. The search returns name values beginning with the string you specify before ‘*’. Matches are case-sensitive.
Example: This query matches assets with an asset name starting with “xp” like xpsp2-jp-26-111.
name:xp*
Example: This query matches assets with tag names starting with “Win” like Windows XP, Windows 2012, Windows Hosts.
tags.name:Win*
Example: This query matches assets with a hostname starting with “com-pa30” like com-pa3020-36.eng.sjc01.qualys.com.
interfaces.hostname:com-pa30*
Example: This query matches assets with an operating system starting with “Lin” like Linux 2.4-2.6.
operatingSystem:Lin*
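The matching rules from the String matching, Exact matching, Full Text Search, Is Null, Suffix matching and Prefix matching sections, as an added Python example that is not code from the page or from Qualys, run over a constructed asset list. It follows the case-sensitivity rules stated above (suffix matching case-insensitive, prefix matching case-sensitive, backticks exact); treating a quoted phrase as "every token of the phrase is present" is my reading of "contain components of OS name" and is an assumption, as is the tokenizer standing in for Qualys' analyzer.

```python
import re

# Constructed sample assets (not real Qualys data). tags.name is multi-valued
# like the real field; the last asset's operatingSystem is deliberately null.
ASSETS = [
    {"name": "bw2012-35-110", "operatingSystem": "Windows 7 Ultimate Service Pack 1",
     "tags.name": ["Region East", "Win7"]},
    {"name": "xpsp2-jp-26-111", "operatingSystem": "Windows XP",
     "tags.name": ["Windows XP"]},
    {"name": "XPTEST-110", "operatingSystem": "windows 7 ultimate service pack 1",
     "tags.name": []},
    {"name": "vsweblogic12110", "operatingSystem": None,
     "tags.name": ["region EAST"]},
]

def tokens(text):
    """Lower-cased word tokens; a stand-in (assumption) for the analyzer behind full-text fields."""
    return re.findall(r"\w+", text.lower())

def match_value(value, spec):
    """Match one field value against the text after the colon."""
    spec = spec.strip()
    if spec.startswith("`") and spec.endswith("`"):      # backticks: exact value, case-sensitive
        return value == spec[1:-1]
    if spec[0] in "\"'" and spec[-1] == spec[0]:         # quotes: every token of the phrase present (assumed)
        return set(tokens(spec[1:-1])) <= set(tokens(value))
    if spec.startswith("*"):                             # *suffix: case-insensitive, as the page states
        return value.lower().endswith(spec[1:].lower())
    if spec.endswith("*"):                               # prefix*: case-sensitive, as the page states
        return value.startswith(spec[:-1])
    return spec.lower() in tokens(value)                 # bare term: full-text token match

def clause(assets, text):
    """Evaluate one clause, `field: spec` or `field is null`, and return matching asset names."""
    m = re.fullmatch(r"\s*([\w.]+)\s+is\s+null\s*", text)
    if m:
        field = m.group(1)                               # null or empty multi-valued field
        return [a["name"] for a in assets if a.get(field) in (None, [])]
    field, spec = text.split(":", 1)
    field = field.strip()
    hits = []
    for a in assets:
        vals = a.get(field)
        if vals is None:
            continue
        if not isinstance(vals, list):
            vals = [vals]
        if any(match_value(v, spec) for v in vals):
            hits.append(a["name"])
    return hits

if __name__ == "__main__":
    print(clause(ASSETS, "name: *110"))
    print(clause(ASSETS, "operatingSystem: `Windows 7 Ultimate Service Pack 1`"))
```

The third asset exists to show the two traps the page warns about: its name starts with "XP" in upper case, so `name:xp*` misses it while `name: *110` finds it, and its OS string differs from the first asset's only in case, so the quoted form matches both while the backtick form matches one.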
Boolean Operators 布尔运算符
Use the keywords AND, OR and NOT to narrow or broaden your search. Qualys' help covers the maximum query depth and the use of NOT in vulnerability queries on a separate page.
Examples:
Show findings that have one of these operating systems:
operatingSystem:`Windows 2002` OR operatingSystem:`Windows 7 Ultimate Service Pack 1`
Show assets not created on or before a date:
NOT inventory.created <= "2018-11-05"
Nested Queries 嵌套查询
Use a single nested query, using parentheses, to include multiple fields in your query. This is supported only for certain tokens like “asset”, “hardware”, “interfaces”, etc.
Example:
Find assets last booted on certain date and have 2 CPUs:
查找在特定日期最后启动并具有2个CPU的资产:
asset: (lastBoot: '2018-10-10' AND cpuCount: 2)
Please credit the source when republishing. Readers are welcome to check the sources cited in this article and to point out anything wrong or unclear, either in the comments below or by email to xieaoao@qq.com, QQ: 1296454177.