Learn more about Nested Queries

Best Practices

(1) Use nested queries when tokens have a shared key, in this example "vulnerabilities.vulnerability".

vulnerabilities.vulnerability:(patchAvailable:"TRUE" AND authTypes:"WINDOWS_AUTH")

(2) Consider the intent of your query. Here's some examples.

Query 1: This will return findings having vulnerabilities with CVSS base score 7.8 and category CGI. A finding is returned only when it matches both criteria.

vulnerabilities.vulnerability:(cvssInfo.baseScore:"7.8" AND category:"CGI")

Query 2: This will return findings having vulnerabilities with CVSS base score 7.8 and/or findings having vulnerabilities with category CGI. A finding is returned when it matches only one criteria.

vulnerabilities.vulnerability.cvssInfo.baseScore:"7.8" AND vulnerabilities.vulnerability.category:"CGI"

(3) When your query is nested, enter the entire shared key first for best results. For example, Query 1 is preferred format for best results.

Query 1: Entire shared key is "vulnerabilities.vulnerability" (preferred format)

vulnerabilities.vulnerability:(discoveryTypes:"REMOTE" AND patchAvailable:"TRUE")

Query 2: Partial shared key is "vulnerability"

vulnerabilities:(vulnerability.discoveryTypes:"REMOTE" AND vulnerability.patchAvailable:"TRUE")

(4) Keep in mind a nested query (preferred format) will have shared key "vulnerabilities" in some cases.

Query 1: This returns findings having confirmed vulnerabilities which have a patch available

vulnerabilities:(typeDetected:"Confirmed" and vulnerability.patchAvailable:"TRUE")

Query 2: This returns findings having PCI flagged vulnerabilities which were first found in past 3 days

vulnerabilities:(vulnerability.flags:"PCI_RELATED" AND firstFound > now-3d)

More examples

Show assets with the tag "Cloud Agent" and certain software installed. This will return assets that have 1) the tag Cloud Agent, and 2) certain software installed (both name and version).

tags.name:`Cloud Agent` AND software:(name:`Cisco AnyConnect Secure Mobility Client` and version: `3.1.14018`)

Show findings that match both criteria: vulnerabilities last found on 2017-01-12 and vulnerabilities that have a patch available.

vulnerabilities:(lastFound:'2017-01-12' AND vulnerability.patchAvailable:"TRUE")

Show findings with vulnerabilities that match both criteria: vulnerabilities first found in the past 10 days and vulnerabilities that have CVSS Base score 7.8.

vulnerabilities:(firstFound > now-10d AND vulnerability.cvssInfo.baseScore: 7.8)