Query Evaluation
The query evaluation of the QQL is based on the indexing. Asset indexing stores the asset related information such as, host id, asset id, softwares, and much more. Similarly, the vulnerabilities indexing stores vulnerabilities related information. Each application has different search indexing context.
For example, the Vulnerability Management application lists all the detections for the assets that are activated for this application. If there are 200 assets with 4000 detections, the asset query search will include all the indexing criterias added in the asset indexing. Similarly, vulnerabilities search query will list down the detections on those 200 assets.
Following screenshot displays:
Asset Query : tags.name:'Cloud Agent' and vulnerabilities.severity : 4
Display results : 246 Vulnerability
Following screenshot displays:
Asset Query : tags.name:'Cloud Agent'
Vulnerability Query : vulnerabilities.severity : 4
Display results : 194 Vulnerability
As the query evaluation of the QQL is based on the indexing, the result depends on the way you write the Query.