Multi-labeling

Multi-labeling enables you to query multiple data models that share common attributes using the pipe symbol (|). This reduces the need to run multiple queries when looking for the same attribute across different models.

For example, the following query retrieves both Host and Vulnerability records that were sourced from the Qualys Vulnerability Management connector:

FIND Host|Vulnerability WHERE dataIntegrationTitles = "Qualys VM"

When using multi-labeling, the attribute in your WHERE clause must exist on all data models you're querying. If the attribute is not present on one of the models, the query will not return results from that model.

The dataIntegrationTitles attribute exists on both Host and Vulnerability, so the query can evaluate them together and return a unified result set:

Multi-label example for both

The above query returns 42,507 records, combining results across both models. It is more efficient than running two separate queries, as shown below.

The following two queries retrieve the same number of hosts and vulnerabilities from Qualys, but the process is more time-consuming as you must run two separate queries:

FIND Host AS h WHERE h.dataIntegrationTitles = "Qualys VM"

The above query returns 1,828 hosts from Qualys:

Multi-label example for hosts

FIND Vulnerability AS v WHERE v.dataIntegrationTitles = "Qualys VM"

The above query returns 40,679 vulnerabilities from Qualys:

Multi-label example for vulnerabilities

Together, the two individual queries also return 42,507 records. However, multi-labeling provides the same result in a single query, saving time and reducing effort.