Boolean Operators
Boolean operators combine or exclude conditions in your Brinqa Query Language (BQL) queries. These operators help refine your results using logical expressions like AND, OR, and NOT.
Boolean operators are not case sensitive. You can use AND, And, or and for the same result. The use of & is not currently supported.
AND
Use AND to combine two conditions and return only records where both are true.
FIND Finding AS f
WHERE f.riskRating = "Critical"
AND f.severity = "Critical"
The above query returns findings that have both a risk rating and severity of "Critical".
FIND Host AS h
WHERE h.status = "Confirmed active"
AND h.cloudProvider = "AWS"
The above query returns hosts that are both confirmed active and hosted in AWS.
OR
Use OR to combine two conditions and return records where either condition is true.
FIND Asset AS a
WHERE a.categories CONTAINS "Virtual Machine"
OR a.categories CONTAINS "Server"
The above query returns assets that are categorized as either a "Virtual Machine" or a "Server".
FIND Vulnerability AS v
WHERE v.statusCategory = "Open"
OR v.severity = "Critical"
The above query returns vulnerabilities that are either in an open status category or have a severity of "Critical".
Combining AND and OR
You can combine AND and OR in more complex queries. Use parentheses () to control the order in which conditions are evaluated.
FIND Finding AS f
WHERE (f.riskRating IN ["High", "Critical"]
AND f.status IN ["Reopened", "Confirmed active"])
THAT HAS Host AS h WHERE h.status = "Confirmed active"
AND h THAT OWNS_RISK RiskOwner AS r
THAT OWNS User AS u
WHERE (u.displayName = "Test User" OR h.tags = "Location: Austin")
Let's break down the above query:
- Filters findings with high or critical risk rating and specific statuses.
- Includes only findings with related hosts that are confirmed active.
- Filters the results where either:
  - The risk owner is "Test User".
  - The host has a tag for the Austin location.
- The AND operator is evaluated before OR unless overridden by parentheses. Use parentheses to ensure that your logic is interpreted correctly.
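The precedence rule above, modeled as an added Python example (not Brinqa's code or parser): a simplified evaluator that supports only field = "value" conditions, AND, OR, and parentheses, run over constructed findings. The names FINDINGS, matches, and find, and the "Resolved" status value, are assumptions made for illustration.

```python
import re
FINDINGS = [  # constructed sample findings; "Resolved" is an assumed status value
    {"id": 1, "riskRating": "Critical", "status": "Resolved"},
    {"id": 2, "riskRating": "High", "status": "Confirmed active"},
    {"id": 3, "riskRating": "High", "status": "Resolved"},
]
TOKEN = re.compile(r'\s*(\(|\)|=|"[^"]*"|[A-Za-z_][\w.]*|\S)')

def matches(where, record):
    """Evaluate a simplified WHERE clause (field = "value", AND, OR, parentheses)."""
    toks, pos = TOKEN.findall(where), 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1] if pos <= len(toks) else None
    def is_op(name):  # operators are not case sensitive: AND, And, and
        return (peek() or "").upper() == name
    def atom():
        if peek() == "(":
            take()
            value = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        field, eq, literal = take(), take(), take()
        if eq != "=" or not (literal or "").startswith('"'):
            raise ValueError(f"unsupported condition near {field!r}")
        return record.get(field.split(".")[-1]) == literal.strip('"')
    def and_expr():  # AND binds tighter than OR
        value = atom()
        while is_op("AND") and take():
            value = atom() and value
        return value
    def or_expr():
        value = and_expr()
        while is_op("OR") and take():
            value = and_expr() or value
        return value
    result = or_expr()
    if peek() is not None:  # leftover token, e.g. the unsupported '&'
        raise ValueError(f"unexpected token {peek()!r}")
    return result

def find(where):
    return [r["id"] for r in FINDINGS if matches(where, r)]
UNGROUPED = 'f.riskRating = "Critical" OR f.riskRating = "High" and f.status = "Confirmed active"'
GROUPED = '(f.riskRating = "Critical" OR f.riskRating = "High") AND f.status = "Confirmed active"'
```

find(UNGROUPED) returns [1, 2], so the resolved critical finding slips into the result, while find(GROUPED) returns only [2].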
NOT
Use NOT to exclude specific values or relationships. NOT is used in the WHERE clause in conjunction with other BQL operators, such as Comparison, Date and Time, List, or String operators, or as part of a relationship clause. When used in a relationship clause, NOT goes between the relationship keyword (THAT) and the relationship type (HAS, IS, etc.).
Some examples:
FIND Finding AS f
WHERE f.riskRating NOT IN ["Low"]
The above query returns all findings except those with a risk rating of "Low".
FIND Vulnerability AS v
WHERE v.firstFound NOT IN LAST 30 days
The above query returns all vulnerabilities that were not initially found in the last 30 days.
Using NOT in relationship clauses:
FIND Finding AS f
THAT NOT IS FindingDefinition AS f2
The above query returns findings that do not have a corresponding finding definition.
FIND Vulnerability AS v
THAT NOT HAS Host AS h
The above query returns vulnerabilities that do not have any associated hosts.
In contrast, the following query returns vulnerabilities that do have associated hosts:
FIND Vulnerability AS v
THAT HAS Host AS h