Learn more about Nested Queries

(1) Use nested queries when tokens have a shared key, in this example "vulnerabilities.vulnerability".

(2) Consider the intent of your query. Here's some examples.

Query 1: This will return assets having QIDs with severity 5 and category CGI. An asset is returned only when it has a QID that matches both criteria.

vulnerabilities.vulnerability: (severity: "5" AND category: "CGI")

Query 2: This will return all assets having any QID with severity 5, and all assets having any QID with category CGI. An asset is returned when it has a QID that matches only one criteria.

vulnerabilities.vulnerability.severity: "5" AND vulnerabilities.vulnerability.category: "CGI"

(3) When your query is nested, enter the entire shared key first for best results. For example, Query 1 is preferred format for best results.

Query 1: Entire shared key is "vulnerabilities.vulnerability" (preferred format)

vulnerabilities.vulnerability: (severity: "5" AND authTypes: "WINDOWS_AUTH")

Query 2: Partial shared key is "vulnerabilities"

vulnerabilities: (vulnerability.severity: "5" AND vulnerability.authTypes: "WINDOWS_AUTH")

(4) Keep in mind a nested query (preferred format) will have shared key "vulnerabilities" in some cases.

Query 1: This will return assets having QIDs with severity 5 and detection type "Confirmed"

vulnerabilities: (vulnerability.severity: "5" AND typeDetected: "Confirmed")

Query 2: This will return assets having QIDs with severity 5 and first found in past 3 days

vulnerabilities: (vulnerability.severity: "5" AND firstFound > now-3d)

tags.name: `Cloud Agent` AND software: (name:`Cisco AnyConnect Secure Mobility Client` and version: `3.1.14018`)

vulnerabilities: (lastFound: '2018-01-12' AND vulnerability.patchAvailable: "true")

vulnerabilities: (firstFound > now-10d AND vulnerability.cvssInfo.baseScore: 7.8)