More on Boolean queries

Using Boolean operators (AND, OR, NOT) gives you many ways to refine your search. Here are some things to know.

More complex Boolean queries

These queries show you how to use many robust search capabilities in one query.

vulnerabilities: (typeDetected: "Confirmed" AND vulnerability.severity:"5" AND firstFound < now-1d AND lastFound:[now-1M ... now-1s])

vulnerabilities:(vulnerability.cveIds: (CVE-2016-0189 OR CVE-2016-0162 OR CVE-2016-7200 OR CVE-2016-7201 OR CVE-2016-0034 OR CVE-2015-3105 OR CVE-2015-3113) AND lastFound:[now-10d ... now-1s])

Using NOT for vulnerability queries

Put the partial token key "vulnerabilities" first, followed by NOT and the rest of the vulnerability key, using the syntax shown below.

Show findings that have vulnerabilities that are not severity 1

vulnerabilities: (not vulnerability.severity:"1")

Show findings that have vulnerabilities not meeting both criteria: type Information Gathered and severity 1

vulnerabilities: (not (vulnerability.types:INFORMATION and severity:1))

Important - The syntax below is not valid, because NOT is placed before the partial token key instead of inside it

not vulnerabilities.vulnerability.severity:"1"
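The two query forms above (a long CVE list inside the "vulnerabilities" key, and NOT placed inside rather than before that key) are easy to get wrong by hand, so here is an added helper, written for this page and not part of the product's own tooling, that builds the CVE list query for any set of CVE ids and checks a query for unbalanced brackets and for the invalid NOT placement. It assumes the query syntax exactly as shown on this page; the sample queries in it are constructed from the page's examples.

```python
import re

# Constructed samples, copied from the query forms shown on this page.
VALID_NOT_QUERY = 'vulnerabilities: (not vulnerability.severity:"1")'
INVALID_NOT_QUERY = 'not vulnerabilities.vulnerability.severity:"1"'

def paren_balance(query: str) -> bool:
    """True if every '(' and '[' has a matching close, ignoring quoted values."""
    stack = []
    closers = {')': '(', ']': '['}
    in_quote = False
    for ch in query:
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue                      # brackets inside "..." are literal text
        elif ch in '([':
            stack.append(ch)
        elif ch in ')]':
            if not stack or stack.pop() != closers[ch]:
                return False
    return not stack and not in_quote

def misplaced_not(query: str) -> bool:
    """Detect the invalid form: NOT written before the partial token key 'vulnerabilities'."""
    return re.match(r'\s*not\s+vulnerabilities\.', query, re.IGNORECASE) is not None

def is_cve_id(value: str) -> bool:
    """Accept only well-formed CVE ids so a typo cannot silently widen the OR list."""
    return re.fullmatch(r'CVE-\d{4}-\d{4,}', value) is not None

def build_cve_query(cve_ids, lookback: str = "now-10d") -> str:
    """Build the page's CVE-list query for any list of ids, keeping NOT-free key nesting intact."""
    if not cve_ids:
        raise ValueError("at least one CVE id is required")
    for cve in cve_ids:
        if not is_cve_id(cve):
            raise ValueError(f"not a CVE id: {cve!r}")
    cve_clause = " OR ".join(cve_ids)
    query = (f"vulnerabilities:(vulnerability.cveIds: ({cve_clause}) "
             f"AND lastFound:[{lookback} ... now-1s])")
    if not paren_balance(query):          # guards against the dropped ')' seen in hand-written queries
        raise ValueError("generated query has unbalanced brackets")
    return query

if __name__ == "__main__":
    print(build_cve_query(["CVE-2016-0189", "CVE-2016-0162"]))
    print("invalid NOT form detected:", misplaced_not(INVALID_NOT_QUERY))
```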

Good to Know - Max query depth

We've implemented controls in query parsing for queries containing the operators AND and OR. The depth of an AND/OR query cannot exceed 1000 levels. If you run a query with more than 1000 levels of depth, an error is returned.

A simple query like this one has a depth of 2

vulnerabilities.vulnerability: (severity: "5" AND category: "CGI")

A more complex query like this one has a depth of 5

(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port:8080) AND NOT updated <= "2018-01-20"