(1) Use nested queries when tokens have a shared key, in this example "vulnerabilities.vulnerability".
vulnerabilities.vulnerability: (severity: "5" AND authTypes:
"WINDOWS_AUTH")
(2) Consider the intent of your query. Here's some examples.
Query 1: This will return assets having QIDs with severity 5 and category CGI. An asset is returned only when it has a QID that matches both criteria.
vulnerabilities.vulnerability: (severity: "5" AND
category: "CGI")
Query 2: This will return all assets having any QID with severity 5, and all assets having any QID with category CGI. An asset is returned when it has a QID that matches only one criteria.
vulnerabilities.vulnerability.severity: "5" AND
vulnerabilities.vulnerability.category: "CGI"
(3) When your query is nested, enter the entire shared key first for best results. For example, Query 1 is preferred format for best results.
Query 1: Entire shared key is "vulnerabilities.vulnerability" (preferred format)
vulnerabilities.vulnerability: (severity: "5" AND
authTypes: "WINDOWS_AUTH")
Query 2: Partial shared key is "vulnerabilities"
vulnerabilities: (vulnerability.severity: "5" AND
vulnerability.authTypes: "WINDOWS_AUTH")
(4) Keep in mind a nested query (preferred format) will have shared key "vulnerabilities" in some cases.
Query 1: This will return assets having QIDs with severity 5 and detection type "Confirmed"
vulnerabilities: (vulnerability.severity: "5" AND
typeDetected: "Confirmed")
Query 2: This will return assets having QIDs with severity 5 and first found in past 3 days
vulnerabilities: (vulnerability.severity: "5" AND
firstFound > now-3d)
Find assets with the tag "Cloud Agent" and certain software installed. This will return assets that have 1) the tag Cloud Agent, and 2) certain software installed (both name and version).
tags.name: `Cloud Agent` AND software: (name:`Cisco AnyConnect
Secure Mobility Client` and version: `3.1.14018`)
Find assets with vulnerabilities that match both criteria: last found on 2018-01-12 and have a patch available.
vulnerabilities: (lastFound: '2018-01-12' AND vulnerability.patchAvailable:
"true")
Find assets with vulnerabilities that match both criteria: first found in the past 10 days and have CVSS Base score 7.8.
vulnerabilities: (firstFound > now-10d AND vulnerability.cvssInfo.baseScore:
7.8)