BQL Operators
This article details the operators in Brinqa Query Language (BQL) that can be used to specify conditions and perform tasks in a query.
DISTINCT
You may come across situations where a query generates unneeded duplicates. This occurs if there are multiple paths of traversal between the entities referenced in the query.
You can use DISTINCT to return only discrete values or to make all values unique before running them through an aggregate function. You can combine the DISTINCT and RETURN keywords to help remove duplicates. For example:
FIND Vulnerability AS v RETURN DISTINCT v.riskRating, count(*)
The above query counts the number of vulnerabilities by their risk rating. Without DISTINCT, the query selects all values and may return duplicate results.
Boolean Operators
You can use the Boolean operators as conjunctions to combine or exclude conditions in a query. The following table describes the Boolean operators in BQL:
Table 1: Boolean Operators
Operator | Operator Symbol | Example |
---|---|---|
And | AND , & | FIND Finding WHERE riskRating = "Critical" AND severity = "Critical" You can use AND and & interchangeably when querying for "and". |
Or | OR | FIND Asset WHERE category = "Host" OR category = "Virtual Machine" |
Not | NOT | FIND Finding WHERE firstFound NOT IN LAST 3 months |
Comparison operators
The comparison operators in BQL work for all attribute types. They compare values and return true or false.
You must use the comparison operator symbol (for example, >) rather than the name of the symbol (GREATER THAN) in the query. Using names of the operators is not supported.
The following table describes the comparison operators in BQL:
Table 2: Comparison operators
Operator | Operator Symbol | Example |
---|---|---|
Equals To | = | FIND Finding WHERE riskRating = "Critical" |
Not Equal To | != , <> | FIND Finding WHERE severity != "Critical" FIND Finding WHERE severity <> "Critical" You can use != and <> interchangeably when querying for "not equal to". |
Greater Than | > | FIND Finding WHERE severity > "High" |
Less Than | < | FIND Finding WHERE riskRating < "Critical" |
Greater Than Or Equals To | >= | FIND Finding WHERE riskScore >= 4 |
Less Than Or Equals To | <= | FIND Finding WHERE riskRating <= "Low" |
Attribute operators
The attribute operators in BQL can work with any attribute type.
Attribute operators must be used with attributes from the same data model. They cannot be used across different data models.
The following table describes the attribute operators in BQL:
Table 3: Attribute operators
Operator | Syntax | Examples |
---|---|---|
Equals to Attribute | attribute1 EQUALS TO ATTRIBUTE attribute2 | FIND Finding WHERE riskScore EQUALS TO ATTRIBUTE baseRiskScore |
Not Equals to Attribute | attribute1 NOT EQUALS TO ATTRIBUTE attribute2 | FIND Finding WHERE riskScore NOT EQUALS TO ATTRIBUTE baseRiskScore |
Greater Than Attribute | attribute1 GREATER THAN ATTRIBUTE attribute-name attribute2 | FIND Finding WHERE riskScore GREATER THAN ATTRIBUTE baseRiskScore |
Less Than Attribute | attribute1 LESS THAN ATTRIBUTE attribute-name attribute2 | FIND Finding WHERE riskScore LESS THAN ATTRIBUTE baseRiskScore |
Greater Than or Equals to Attribute | attribute1 GREATER THAN OR EQUALS TO ATTRIBUTE attribute-name attribute2 | FIND Finding WHERE riskScore GREATER THAN OR EQUALS TO ATTRIBUTE baseRiskScore |
Less Than or Equals to Attribute | attribute1 LESS THAN OR EQUALS TO ATTRIBUTE attribute-name attribute2 | FIND Finding WHERE riskScore LESS THAN OR EQUALS TO ATTRIBUTE baseRiskScore |
Exists | attribute EXISTS | FIND Asset WHERE firstSeen EXISTS |
Not Exists | attribute NOT EXISTS | FIND Finding WHERE dueDate NOT EXISTS |
Date and Time operators
The date and time operators in BQL can work with attributes whose type is Date, DateTime, Time, or any other calculated attribute that returns these attribute types.
BQL only allows the date format YYYY-MM-DD. For example, 2022-04-20.
The following date and time units are supported. They are not case sensitive and do not need to be wrapped in quotes:
- ms, milli, millis, milliseconds
- s, second, seconds
- minute, minutes
- hour, hours
- day, days
- week, weeks
- month, months
- year, years
The date and time operators are not case sensitive. The following table describes the date and time operators in BQL:
Table 4: Date and Time operators
Operator | Syntax | Examples |
---|---|---|
Is | IS date | FIND Ticket WHERE lastUpdated IS 2017-01-31 |
Is Not | IS NOT date | FIND Ticket WHERE lastUpdated IS NOT 2017-01-31 |
Since | SINCE date | FIND Vulnerability WHERE lastUpdated SINCE 2022-02-02 |
Before | BEFORE date | FIND Vulnerability WHERE lastUpdated BEFORE 2022-02-02 |
Between | BETWEEN [date1 TO date2] | FIND Finding WHERE dateCreated BETWEEN [ 2016-01-01 TO 2022-07-12 ] |
Not Between | NOT BETWEEN [date1 TO date2] | FIND Finding WHERE dateCreated NOT BETWEEN [ 2016-01-01 TO 2022-07-12 ] |
In Next | IN NEXT date | FIND Ticket WHERE dueDate IN NEXT 1 month |
Not In Next | NOT IN NEXT date | FIND Ticket WHERE dueDate NOT IN NEXT 3 weeks |
In Last | IN LAST date | FIND Vulnerability WHERE dateCreated IN LAST 1 day |
Not In Last | NOT IN LAST date | FIND Vulnerability WHERE dateCreated NOT IN LAST 1 month |
String operators
BQL offers a variety of string operators to compare strings stored either as a single string or multi-value field.
BQL only supports using the name of the string operator in a query (for example, CONTAINS rather than ~= or STARTS WITH rather than ^=). The string must be wrapped in double quotes ("").
The following table describes the string operators in BQL:
Table 5: String operators
Operator | Syntax | Examples |
---|---|---|
Contains | CONTAINS "string" | FIND Asset WHERE name CONTAINS "demo" |
Not Contains | NOT CONTAINS "string" | FIND Finding WHERE severity NOT CONTAINS "Low" |
Like | LIKE "string" | FIND Asset WHERE name LIKE "demo*" LIKE is similar to CONTAINS , but also allows wildcard characters. |
Not Like | NOT LIKE "string" | FIND Asset WHERE name NOT LIKE "demo*" |
Starts With | STARTS WITH "string" | FIND Asset WHERE name STARTS WITH "demo" |
Does Not Start With | NOT STARTS WITH "string" | FIND Asset WHERE name NOT STARTS WITH "demo" |
Ends With | ENDS WITH "string" | FIND Asset WHERE createdBy ENDS WITH "admin" |
Does Not End With | NOT ENDS WITH "string" | FIND Asset WHERE createdBy NOT ENDS WITH "admin" |
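The syntax rules stated so far (comparison operators as symbols, dates as YYYY-MM-DD, string operators spelled out with double-quoted operands) can be checked before a generated query is submitted. The following is an added example, not Brinqa code; lint_bql and the rule codes are hypothetical names, and the check is a heuristic over the rules on this page, not a BQL parser.

```python
import re

# Hypothetical rule codes mapped to the rule on this page each one enforces.
RULES = {
    "curly-quotes": "strings must be wrapped in straight double quotes",
    "symbolic-string-op": "use CONTAINS / STARTS WITH, not ~= or ^=",
    "named-comparison": "use the comparison symbol (>), not its name",
    "unquoted-string": "string operator operand must be in double quotes",
    "date-format": "dates must be written as YYYY-MM-DD",
}

# Operator names are only valid as part of an attribute operator
# (for example GREATER THAN OR EQUALS TO ATTRIBUTE baseRiskScore).
_NAMED_CMP = re.compile(
    r"\b(?:GREATER\s+THAN|LESS\s+THAN|EQUALS\s+TO)\b"
    r"(?!\s+(?:OR\s+EQUALS\s+TO\s+)?ATTRIBUTE\b)", re.I)
# CONTAINS ANY / CONTAINS ALL are list operators and take [ ... ] instead.
_STRING_OP = re.compile(
    r'\b(?:CONTAINS|LIKE|STARTS\s+WITH|ENDS\s+WITH)\s+(?=\S)(?!"|ANY\b|ALL\b)',
    re.I)
_DATE_LIKE = re.compile(r"\b\d{1,4}[-/]\d{1,2}[-/]\d{1,4}\b")
_ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def lint_bql(query):
    """Return the rule codes (keys of RULES) that a BQL query violates."""
    found = []
    if re.search("[\u201c\u201d\u2018\u2019]", query):
        found.append("curly-quotes")
    # Blank out quoted literals so their contents are never read as syntax.
    bare = re.sub(r'"[^"]*"', '""', query)
    if re.search(r"~=|\^=", bare):
        found.append("symbolic-string-op")
    if _NAMED_CMP.search(bare):
        found.append("named-comparison")
    if _STRING_OP.search(bare):
        found.append("unquoted-string")
    if any(not _ISO_DATE.fullmatch(d) for d in _DATE_LIKE.findall(bare)):
        found.append("date-format")
    return found


if __name__ == "__main__":
    # Constructed sample queries: one clean, two that break a rule.
    for q in ['FIND Finding WHERE riskScore >= 4',
              'FIND Finding WHERE riskScore GREATER THAN 4',
              'FIND Ticket WHERE lastUpdated IS 01/31/2017']:
        print(q, "->", lint_bql(q) or "ok")
```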
List operators
List operators check if an element exists or does not exist in a list. The following table describes the list operators in BQL:
Table 6: List operators
Operator | Syntax | Examples |
---|---|---|
In | IN [value1, value2] | FIND Finding WHERE severity IN ["Critical", "High"] |
Not In | NOT IN [value1, value2] | FIND Finding WHERE severity NOT IN ["Critical", "High"] |
Contains Any | CONTAINS ANY [term1, term2] | FIND Finding WHERE severity CONTAINS ANY ["Critical", "High", "Medium"] |
Contains All | CONTAINS ALL [term1, term2] | FIND Host WHERE privateIpAddress CONTAINS ALL [ "127.0.0.1", "127.0.0.2" ] |
Does Not Contain Any | NOT CONTAINS ANY [term1, term2] | FIND Finding WHERE riskRating NOT CONTAINS ANY ["Critical", "Low"] |
Contains None Of | NOT CONTAINS ALL [term1, term2] | FIND Host WHERE privateIpAddress NOT CONTAINS ALL [ "127.0.0.1", "127.0.0.2" ] |
Security operators
Security operators can be used with attributes whose type is related to a user or any calculated attributes that return a user. The following table describes the security operators in BQL:
Table 7: Security operators
Operator | Syntax | Examples |
---|---|---|
Is Current User | IS CURRENT USER | FIND Asset AS a THAT OWNS Person AS u WHERE u IS CURRENT USER |