Advanced Finding Queries

The following examples demonstrate advanced Brinqa Query Language (BQL) queries you can run that involve multiple conditions, relationships, and various operators.

Some of the examples use relationship keywords. For information about how to view data model relationships, see "Examine relationships between data models".

Which critical and exploitable findings are due in the next 30 days?

FIND Finding AS f
THAT HAS RiskFactor AS r
WHERE f.dueDate IN NEXT 30 Days
AND f.riskRating = "Critical"
AND r.name CONTAINS "Exploitable"

Which critical and high severity findings come from a specific connector?

FIND Finding AS f
WHERE f.status = "Confirmed active"
AND f.connectorNames = "Veracode"
AND f.severity IN ["Critical", "High"]

Which findings are linked to definitions published in the last 30 days?

FIND Finding AS f
THAT IS FindingDefinition AS fd
WHERE fd.publishedDate IN LAST 30 Days

Which findings are within SLA and due soon?

FIND Finding AS f
WHERE f.dueDate IN NEXT 30 Days
AND f.complianceStatus = "Within SLA"

Which active findings have a patch available?

FIND Finding AS f
THAT IS FindingDefinition AS fd
WHERE fd.patchAvailable = TRUE
AND f.status = "Confirmed active"

Which findings are on assets with many open issues from a specific connector?

FIND Finding AS f
WHERE f.status = "Confirmed active"
THAT HAS Asset AS a
WHERE a.openFindingCount > 50
AND a.connectorNames = "Tenable.io"

Which CVE IDs are critical and have associated findings?

FIND Finding AS f
THAT IS FindingDefinition AS fd
WHERE fd.cveIds IN ["CVE-2021-21972", "CVE-2021-3165"]
AND fd.riskRating = "Critical"

Which out-of-compliance findings have a patch available?

FIND Finding AS f
THAT IS FindingDefinition AS fd
WHERE fd.patchAvailable = TRUE
AND f.complianceStatus = "Out of SLA"

Which old exception requests contain out-of-SLA findings?

FIND ExceptionRequest AS e
THAT REQUESTED Finding AS f
WHERE e.status = "New"
AND e.dateCreated NOT IN LAST 30 Days
AND f.riskScore >= 5.0
AND f.complianceStatus = "Out of SLA"

Which old Microsoft vulnerabilities are patchable and affect workstations?

FIND Vulnerability AS v
THAT HAS Asset AS a
AND v THAT IS VulnerabilityDefinition AS v2
AND a THAT IS AssetType AS a2
AND a THAT WITHIN Environment AS e
WHERE v.firstFound NOT IN LAST 90 Days
AND v.status = "Confirmed active"
AND v.riskRating = "Critical"
AND v2.patchAvailable = TRUE
AND v2.displayName CONTAINS "Microsoft"
AND a2.displayName CONTAINS "Workstation"
AND a.os CONTAINS "Windows"

Which findings are linked to SDM definitions with high source risk?

FIND Finding AS f
THAT IS VulnerabilityDefinition AS vd
THAT SOURCED_FROM Rapid7VulnerabilityDefinition AS r7vd
WHERE r7vd.sourceRiskScore > 900

Which active, CISA-exploitable vulnerabilities are in DMZ environments?

FIND Finding AS f
THAT IS FindingDefinition AS fd
AND f THAT HAS Host AS h
AND h THAT WITHIN Environment AS e
WHERE f.status = "Confirmed active"
AND fd.associatedCvesIsCisaExploitable = TRUE
AND e.name CONTAINS "DMZ"

Which critical findings affect a business service owned by a specific person?

FIND Finding AS f
THAT HAS Asset AS a
THAT SUPPORTS BusinessService AS b
THAT OWNS Person AS p
WHERE p.name = "John Doe"
AND f.riskRating = "Critical"