Boolean Queries in VMDR OT

Using Boolean operators (AND, OR, NOT) gives you many ways to refine your search. Here are some things to know.

More complex Boolean queries

These queries show you how to combine several search capabilities in one query.

hardware.type:`Programmable Logic Controller (PLC)` and hardware.type:`router` and interfaces.protocol:`bacnet` and interfaces.transport.protocol:`udp`

vulnerabilities.hardware.vendor:`Rockwell Automation` and vulnerabilities.vulnerability.threatIntel:`Easy Exploit` and vulnerabilities.vulnerability.criticality:[`CRITICAL`,`HIGH`]

Using NOT for vulnerability queries

Put NOT before the vulnerability key, using the syntax shown in the examples.

Show findings that have vulnerabilities not meeting the criteria - Information Gathered

vulnerabilities.hardware.vendor:[`Rockwell Automation`, `Omron`] and not vulnerabilities.vulnerability.threatIntel:`Easy Exploit` and vulnerabilities.vulnerability.threatIntel:`High Data Loss`

Show findings that have vulnerabilities not meeting both criteria - Information Gathered and typeDetected confirmed

vulnerabilities.hardware.vendor:[`Rockwell Automation`, `Siemens`] and not vulnerabilities.status:`ACTIVE` and vulnerabilities.vulnerability.criticality:[`HIGH`, `MEDIUM`]

Good to Know - Max query depth

We've implemented controls in query parsing for queries containing the operators AND and OR. The maximum depth allowed for an AND/OR query is 1000 levels. If you run a query with more than 1000 levels of depth, an error is returned.

A simple query like this one has a depth of 2

hardware.manufacturer:`Rockwell Automation` and inventory.source:`Passive Sensor`

A more complex query like this one has a depth of 3

vulnerabilities.hardware.vendor:`Siemens` and vulnerabilities.vulnerability.threatIntel:`Active Attacks` and not vulnerabilities.vulnerability.criticality:[`HIGH`, `MEDIUM`]
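The following Python tokenizer is an added example, not Qualys code, that parses the query syntax used on this page (key:value clauses, backtick-quoted values, bracketed lists, and/or/not) and applies the depth limit described above. It assumes that depth equals the number of and/or-joined clauses, which matches the depth 2 and depth 3 examples given; that assumption is marked in the code.

```python
import re
from dataclasses import dataclass

# Mini-parser for the VMDR OT query syntax shown on this page (constructed example).
# Token grammar, inferred from the examples: key:value, where value is a
# `backtick-quoted string`, a [`list`, `of`, `strings`] or a bare word;
# clauses are joined by "and" / "or", and "not" may precede a clause.
TOKEN_RE = re.compile(r"""
    (?P<key>[A-Za-z][\w.]*)\s*:\s*
    (?P<value>`[^`]*`|\[[^\]]*\]|[^\s\[\]`]+)
  | (?P<op>\b(?:and|or|not)\b)
""", re.IGNORECASE | re.VERBOSE)

MAX_DEPTH = 1000  # limit stated in the documentation


@dataclass
class Clause:
    key: str
    values: list        # one or more string values
    negated: bool = False  # True when the clause was preceded by "not"


def parse_query(query):
    """Return (clauses, depth) for a query string.

    Depth is ASSUMED to be the number of and/or-joined clauses; this matches
    the page's depth 2 and depth 3 examples but is not an official definition.
    """
    clauses, negate = [], False
    for m in TOKEN_RE.finditer(query):
        if m.group("op"):
            if m.group("op").lower() == "not":
                negate = True       # applies to the next clause only
            continue
        raw = m.group("value")
        if raw.startswith("["):
            # Bracketed list: prefer backtick-quoted items, else split on commas.
            values = re.findall(r"`([^`]*)`", raw) or [v.strip() for v in raw[1:-1].split(",")]
        else:
            values = [raw.strip("`")]
        clauses.append(Clause(m.group("key"), values, negate))
        negate = False
    depth = len(clauses)
    if depth > MAX_DEPTH:
        raise ValueError(f"query depth {depth} exceeds the {MAX_DEPTH}-level limit")
    return clauses, depth


if __name__ == "__main__":
    q = "vulnerabilities.hardware.vendor:`Siemens` and not vulnerabilities.vulnerability.criticality:[`HIGH`, `MEDIUM`]"
    for c in parse_query(q)[0]:
        print(("NOT " if c.negated else "") + c.key, "=", c.values)
```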