Learn more about Nested Queries
Best Practices
(1) Use nested queries when several tokens share a key; in this example the shared key is "instance".
resource.type:Instance and instance: (type:t2.micro and state:stopped)
(2) Consider the intent of your query.
Query 1: This returns controls whose criticality is High and whose result is Fail. A control is returned only when it matches both criteria.
control: (criticality:HIGH and result:FAIL)
Query 2: This returns all controls with High criticality and all controls with a Fail result. A control is returned even when it matches only one criterion.
control.criticality:HIGH and control.result:FAIL
(3) When your query is nested, enter the entire shared key first for best results.
Query 1: The entire shared key "routetable.route" is entered first (preferred format)
routetable.route: (state:active and instanceOwnerId:aws-acct-joe)
Query 2: Only a partial shared key is entered, leaving "route" repeated inside the parentheses
routetable: (route.state:active and route.instanceOwnerId:aws-acct-joe)
(4) Keep in mind that in some cases the shared key of a nested query (preferred format) is just "routetable", as when the tokens below it sit at different depths.
This returns route tables that have a route in the active state and the VPC ID "vpc-2da7154b".
routetable: (route.state:active and vpcId:vpc-2da7154b)
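To make the difference between the nested form and the flat dotted form concrete, here is an added Python model that evaluates the queries from points (2) and (4) over constructed sample records. It is not the product's query engine and not code from this page: the records, their ids and values, the `DATA` collections and the evaluator are all assumptions, only `and` is modelled, and the flat form is implemented so that it reproduces the behaviour the page describes for Query 2.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample data keyed by shared key (hypothetical ids and values).
DATA: Dict[str, List[Dict[str, Any]]] = {
    "control": [
        {"id": "c1", "criticality": "HIGH", "result": "FAIL"},
        {"id": "c2", "criticality": "HIGH", "result": "PASS"},
        {"id": "c3", "criticality": "LOW", "result": "FAIL"},
        {"id": "c4", "criticality": "LOW", "result": "PASS"},
    ],
    "routetable": [
        {"id": "rtb-1", "vpcId": "vpc-2da7154b", "route": {"state": "active"}},
        {"id": "rtb-2", "vpcId": "vpc-2da7154b", "route": {"state": "blackhole"}},
        {"id": "rtb-3", "vpcId": "vpc-000000ff", "route": {"state": "active"}},
    ],
}

# Nested form:  key: (field:value and field:value ...)
NESTED_RE = re.compile(r"^\s*(?P<key>[\w.]+)\s*:\s*\((?P<body>.+)\)\s*$")
# One token:    field:value   (value may contain '-', e.g. vpc-2da7154b)
TERM_RE = re.compile(r"^\s*(?P<field>[\w.]+)\s*:\s*(?P<value>[^\s()]+)\s*$")
Term = Tuple[str, str]


def parse_terms(body: str) -> List[Term]:
    """Split 'a:x and b:y' into [('a', 'x'), ('b', 'y')]; only 'and' is modelled."""
    terms = []
    for part in re.split(r"\s+and\s+", body.strip()):
        m = TERM_RE.match(part)
        if not m:
            raise ValueError(f"unparseable token: {part!r}")
        terms.append((m.group("field"), m.group("value")))
    return terms


def parse(query: str) -> Tuple[str, str, List[Term]]:
    """Return (form, shared_key, terms) where form is 'nested' or 'flat'."""
    m = NESTED_RE.match(query)
    if m:
        return "nested", m.group("key"), parse_terms(m.group("body"))
    # Flat form: every token must carry the same leading key, e.g. control.result
    terms = parse_terms(query)
    split = [f.split(".", 1) for f, _ in terms]
    keys = {s[0] for s in split}
    if len(keys) != 1 or any(len(s) != 2 for s in split):
        raise ValueError("flat query needs the same shared key prefix on every token")
    return "flat", keys.pop(), [(s[1], v) for s, (_, v) in zip(split, terms)]


def get_path(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path such as 'route.state' inside one record."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def evaluate(query: str) -> List[str]:
    """Return the ids of the records matched by the query, in data order."""
    form, key, terms = parse(query)
    records = DATA[key]
    if form == "nested":
        # Nested form: every token must hold on the *same* record.
        return [r["id"] for r in records if all(get_path(r, f) == v for f, v in terms)]
    # Flat form: the 'and' is evaluated across the whole collection, so a record
    # is returned as soon as one token matches it (the behaviour the page
    # describes for Query 2 under point (2)).
    return [r["id"] for r in records if any(get_path(r, f) == v for f, v in terms)]


if __name__ == "__main__":
    for q in (
        "control: (criticality:HIGH and result:FAIL)",
        "control.criticality:HIGH and control.result:FAIL",
        "routetable: (route.state:active and vpcId:vpc-2da7154b)",
    ):
        print(f"{q:58} -> {evaluate(q)}")
```

Running the script shows why the intent matters for triage: the nested query returns only `c1` (High and Fail on the same control), while the flat query also returns `c2` (High but Pass) and `c3` (Fail but Low). A saved search or alert built on the flat form would therefore over-report, so compare the result count of both forms before relying on one.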