Advanced Asset Queries

The following examples demonstrate more advanced Brinqa Query Language (BQL) queries that you can run to gain insights into your unified asset inventory. You can construct more extensive BQL queries by using operators, adding conditions, and querying for relationships.

Which inactive assets have active critical findings?

FIND Asset AS a
THAT HAS Finding AS f
WHERE a.status = "Confirmed inactive"
AND f.status = "Confirmed active"
AND f.riskRating = "Critical"

Which assets are missing CrowdStrike and are laptops?

FIND Asset AS a
WHERE a.dataIntegrationTitles NOT CONTAINS ANY ["CrowdStrike"]
THAT IS AssetType AS at
WHERE at.name IN ["Laptop"]

Which active assets have findings with a risk score of 10?

FIND Asset AS a
THAT HAS Finding AS f
WHERE f.riskScore = 10
AND a.status = "Confirmed active"

Which active assets have high-risk findings from a specific connector?

FIND Asset AS a
THAT HAS Finding AS f
WHERE a.status = "Confirmed active"
AND f.riskScore > 7
AND f.connectorNames CONTAINS ANY ["Tenable.sc"]

Which assets have critical vulnerabilities from Qualys or Tenable?

FIND Asset AS a
THAT HAS Vulnerability AS v
WHERE v.status = "Confirmed active"
AND v.severity = "Critical"
AND v.connectorNames CONTAINS ANY ["Qualys Vulnerability Management", "Tenable.io"]

Which assets are associated with a specific risk factor?

FIND Asset AS a
THAT HAS Finding AS f
THAT HAS RiskFactor AS rf
WHERE rf.name = "PII"

Which active assets have risk score 10 findings discovered in the last 7 days?

FIND Asset AS a
THAT HAS Finding AS f
WHERE f.riskScore = 10
AND a.status = "Confirmed active"
AND f.lastFound IN LAST 7 Days

Which active code projects from Snyk are non-compliant?

FIND CodeProject AS c
WHERE c.status = "Confirmed active"
AND c.connectorNames = "Snyk"
AND c.complianceStatus = "Non compliant"

Which active Windows hosts have more than 50 open findings from Wiz?

FIND Host AS h
WHERE h.openFindingCount > 50
AND h.status = "Confirmed active"
AND h.os CONTAINS "Windows"
AND h.connectorNames = "Wiz"

Which assets have findings without tickets?

FIND Asset AS a
THAT HAS Finding AS f
THAT NOT HAS Ticket

Which assets have 1Password for Windows installed?

FIND InstalledPackage AS i
THAT INSTALLED_ON Asset AS a
WHERE i.displayName = "1Password for Windows"

Which assets belong to "Asset Management" but not "Endpoint Protection"?

FIND Asset AS a
WHERE a.connectorCategories CONTAINS "Asset Management"
AND a.connectorCategories NOT CONTAINS "Endpoint Protection"

Which active assets have torrent software installed?

FIND InstalledPackage AS ip
THAT INSTALLED_ON Asset AS a
WHERE a.status = "Confirmed active"
AND ip.displayName IN ["Torrent", "Bit-Torrent", "uTorrent"]

Which assets haven't been scanned recently?

FIND Asset AS a
WHERE a.lastSeen BETWEEN [2023-02-01 TO 2023-03-13]
AND a.dataIntegrationTitles IN ["Qualys VM"]

Which apps support risky code projects and hosts?

FIND Application AS a
THAT SUPPORTS CodeProject AS c
AND a THAT SUPPORTS Host AS h
WHERE c.riskRating = "Critical"
AND h.riskRating = "Critical"

Which apps have open tickets for static code findings?

FIND Application AS a
THAT SUPPORTS CodeProject AS c
THAT HAS StaticCodeFinding AS s
THAT HAS Ticket AS t

Which Crown Jewel assets haven’t been seen in 30+ days?

Crown Jewel assets are assets that hold high value or importance to an organization.

FIND Asset AS a
THAT HAS RiskFactor AS rf
WHERE a.lastSeen NOT IN LAST 30 Days
AND rf.name = "Crown Jewel"

Which external tagged assets have CVEs with known exploits?

FIND Asset AS a
WHERE a.tags CONTAINS "External"
THAT HAS Finding AS f
THAT IS FindingDefinition AS fd
THAT EXPLOITS CveRecord AS cve
WHERE cve.exploits EXISTS