Skip to main content

Boolean Operators

Boolean operators combine or exclude conditions in your Brinqa Query Language (BQL) queries. These operators help refine your results using logical expressions like AND, OR, and NOT.

info

Boolean operators are not case sensitive. You can use AND, And, or and for the same result. The use of & is not currently supported.

AND

Use AND to combine two conditions and return only records where both are true.

FIND Finding AS f
WHERE f.riskRating = "Critical"
AND f.severity = "Critical"

The above query returns findings that have both a risk rating and severity of "Critical".

FIND Host AS h
WHERE h.status = "Confirmed active"
AND h.cloudProvider = "AWS"

The above query returns hosts that are both confirmed active and hosted in AWS.

OR

Use OR to combine two conditions and return records where either condition is true.

FIND Asset AS a
WHERE a.categories CONTAINS "Virtual Machine"
OR a.categories CONTAINS "Server"

The above query returns assets that are categorized as either a "Virtual Machine" or a "Server".

FIND Vulnerability AS v
WHERE v.statusCategory = "Open"
OR v.severity = "Critical"

The above query returns vulnerabilities that are either in an open status category or have a severity of "Critical".

Combining AND and OR

You can combine AND and OR in more complex queries. Use parentheses () to control the order in which conditions are evaluated.

FIND Finding AS f 
WHERE (f.riskRating IN ["High", "Critical"] 
AND f.status IN ["Reopened", "Confirmed active"])
THAT HAS Host AS h WHERE h.status = "Confirmed active"
AND h THAT OWNS_RISK RiskOwner AS r 
THAT OWNS User AS u 
WHERE (u.displayName = "Test User" OR h.tags = "Location: Austin")

Let's break down the above query:

  • Filters findings with high or critical risk rating and specific statuses.

  • Includes only findings with related hosts that are confirmed active.

  • Filters the results where either:

    • The risk owner is "Test User".

    • The host has a tag for the Austin location.

The AND operator is evaluated before OR unless overridden by parentheses. Use parentheses to ensure that your logic is interpreted correctly.

NOT

Use NOT to exclude specific values or relationships. NOT is used in the WHERE clause in conjunction with other BQL operators, such as Comparison, Date and Time, List, or String operators, or as part of a relationship clause. When used in relationship clause, NOT goes in between the relationship keyword (THAT) and the relationship type (HAS, IS, etc.).

Some examples:

FIND Finding AS f
WHERE f.riskRating NOT IN ["Low"]

The above query returns all findings except those with a risk rating of "Low".

FIND Vulnerability AS v
WHERE v.firstFound NOT IN LAST 30 days

The above query returns all vulnerabilities that were not initially found in the last 30 days.

Using NOT in relationship clauses:

FIND Finding AS f
THAT NOT IS FindingDefinition AS f2

The above query returns findings that do not have a corresponding finding definition.

FIND Vulnerability AS v
THAT NOT HAS Host AS h

The above query returns vulnerabilities that do not have any associated hosts.

THAT NOT HAS Example

As opposed to the following example, which returns vulnerabilities that do have associated hosts.

FIND Vulnerability AS v
THAT HAS Host AS h

THAT HAS Example

Last updated on