I feel like I’m missing something obvious, but I can’t seem to come up with a way to combine two queries using the query builder. We have a bunch of SLAs defined both in the system and on paper in documentation. I’m trying to create a card which filters and shows only the vulnerabilities that are outside all the SLA windows in one place. I’m able to create individual cards with the parameters using the simple builder, but I want to combine all the results into one card.
For example- I want to find all vulnerabilities that are rated critical AND first found over 15 days ago, OR all vulnerabilities that are severe and found over 30 days ago.
I would expect the query syntax to be something like
(vulnerability.severity = ‘critical’ && finding.firstFound >= /NOW - P15D/) || (vulnerability.severity = ‘severe’ && finding.firstFound >= /NOW - P30D/)
but that doesn’t appear to be a valid query. Any suggestions?
Dmitry - Happy Friday! Sorry for the silly question but I just wanted to confirm before elaborating further - have you built your query in Expert Mode within Query Builder or are you trying this in Standard Mode?
I’ve tried both ways. I built the original single queries using standard mode, and then once I saw the syntax it created, I tried combining them using expert mode.
It may be something to do with focusing on the discovery date?
(vulnerability.severity = ‘critical’ && vulnerability.datePublished >= /NOW - P15D/) || (vulnerability.severity = ‘severe’ && vulnerability.datePublished >= /NOW - P30D/)
The query with publish date as a parameter comes back as valid and gets results.
I think you have the condition statement for the date published incorrect.
You have:
vulnerability.datePublished >= /NOW - P15D/
This syntax means find a published date greater or equal to “today’s date minus 15 days”,
If today is Aug 11, then your syntax is looking for published dates greater than July 27, 2021. Well, Aug 1, 2021 is greater than July 27.
If you want older than 15 days, then you want to search for dates LESS THAN July 27.
Correct syntax should be:
(vulnerability.severity = ‘critical’ && vulnerability.datePublished <= /NOW - P15D/) || (vulnerability.severity = ‘severe’ && vulnerability.datePublished <= /NOW - P30D/)