I had a query using "updated <now-30d" in order to pull any assets not scanned within 30 days, but i now receive the error message "'updated' expression not valid"... did anything change?
updated:[now-30d ... now] is the correct syntax and works for me
Honestly, it would be way more helpful if Qualys Employees included more information in their responses here. I'm sure more of your customers would benefit real insight and discussion on all the ways something can be done, and the benefits of each. This would enable them to engineer their deployments better and build confidence in your product. For example, is there any reason to use [date .. date] or a simpler > statement? Also, there are other posts on these forums where Employees state specifically that you should only use two periods for 'correct syntax', here you specify three.
The Updated expression also works just fine. I've used it on several widgets. You appear to be missing a space after the operator.
updated > now-6d
Personally, I've found that this gives me undesirable results, as it can present assets with partial or unauth scans. It also doesn't seem to discriminate which module it was updated. I.e. Via a PC Scan or VM scan. Maybe you want that, but if you simply want to look up when things are scanned, I'd recomend you be more specific:
lastVmScanDate > now-6d
this is great. I have also had some undesirable results. Is there a way to limit results only to SUCCESSFUL auth scans?
I did a quick search and I can't find any QID's for general auth, but you can filter OUT the below QID's to exclude unsuccessful auth scans.
"and not vulnerabilities.vulnerability:(qid:105421 or qid:150036 or qid:150038)"
Just keep adding OR's until you've listed all the auth types you use.
Retrieving data ...