Skip to main content

Boolean Operators

Boolean operators combine or exclude conditions in your Brinqa Query Language (BQL) queries. These operators help refine your results using logical expressions like AND, OR, and NOT.

info

Boolean operators are not case sensitive. You can use AND, And, or and for the same result. The use of & is not currently supported.

AND

Use AND to combine two conditions and return only records where both are true.

FIND Finding AS f
WHERE f.riskRating = "Critical"
AND f.severity = "Critical"

The above query returns findings that have both a risk rating and severity of "Critical".

FIND Host AS h
WHERE h.status = "Confirmed active"
AND h.cloudProvider = "AWS"

The above query returns hosts that are both confirmed active and hosted in AWS.

OR

Use OR to combine two conditions and return records where either condition is true.

FIND Asset AS a
WHERE a.categories CONTAINS "Virtual Machine"
OR a.categories CONTAINS "Server"

The above query returns assets that are categorized as either a "Virtual Machine" or a "Server".

FIND Vulnerability AS v
WHERE v.statusCategory = "Open"
OR v.severity = "Critical"

The above query returns vulnerabilities that are either in an open status category or have a severity of "Critical".

Combining AND and OR

You can combine AND and OR in more complex queries. Use parentheses () to control the order in which conditions are evaluated.

FIND Finding AS f 
WHERE (f.riskRating IN ["High", "Critical"] 
AND f.status IN ["Reopened", "Confirmed active"])
THAT HAS Host AS h WHERE h.status = "Confirmed active"
AND h THAT OWNS_RISK RiskOwner AS r 
THAT OWNS User AS u 
WHERE (u.displayName = "Test User" OR h.tags = "Location: Austin")

Let's break down the above query:

  • Filters findings with high or critical risk rating and specific statuses.

  • Includes only findings with related hosts that are confirmed active.

  • Filters the results where either:

    • The risk owner is "Test User".

    • The host has a tag for the Austin location.

The AND operator is evaluated before OR unless overridden by parentheses. Use parentheses to ensure that your logic is interpreted correctly.

Last updated on