(1) Use nested queries when tokens have a shared key, in this example "vulnerabilities.vulnerability".
vulnerabilities.vulnerability: (os: "windows" AND patchAvailable:
"true")
(2) Consider the intent of your query. Here's some examples.
Query 1: This will return Windows assets having patchable vulnerabilities. An asset is returned only when it matches both criteria.
vulnerabilities.vulnerability: (os: "windows" AND
patchAvailable: "true")
Query 2: This will return all Windows assets, and all patchable assets. An asset is returned when it matches only one criteria.
vulnerabilities.vulnerability.os: "windows" AND
vulnerabilities.vulnerability.patchAvailable: "true"
(3) When your query is nested, enter the entire shared key first for best results. For example, Query 1 is preferred format for best results.
Query 1: Entire shared key is "vulnerabilities.vulnerability" (preferred format)
vulnerabilities.vulnerability: (os: "windows" AND
patchAvailable: "true")
Query 2: Partial shared key is "vulnerabilities"
vulnerabilities: (vulnerability.os: "windows" AND
vulnerability.patchAvailable: "true")
(4) Keep in mind a nested query (preferred format) will have shared key "vulnerabilities" in some cases.
Query 1: This will return Windows assets with confirmed vulnerabilities
vulnerabilities: (vulnerability.os: "windows" AND
typeDetected: "Confirmed")
Query 2: This will return Windows assets having vulnerabilities first found in past 3 days
vulnerabilities: (vulnerability.os: "windows" AND
firstFound > now-3d)
Find assets with the tag "Cloud Agent" and certain software installed. This will return assets that have 1) the tag Cloud Agent, and 2) certain software installed (both name and version).
tags.name: `Cloud Agent` AND software: (name:`Cisco AnyConnect
Secure Mobility Client` and version: `3.1.14018`)
Find assets with vulnerabilities that match both criteria: last found on 2018-01-12 and have a patch available.
vulnerabilities: (lastFound: '2018-01-12' AND vulnerability.patchAvailable:
"true")
Find assets with vulnerabilities that match both criteria: first found in the past 10 days and have CVSS Base score 7.8.
vulnerabilities: (firstFound > now-10d AND vulnerability.cvssInfo.baseScore:
7.8)