
NQL Query Library


Overview

This page provides examples of useful NQL queries designed to answer common vulnerability management questions. Feel free to base your queries on the samples provided. Be sure to replace any project-specific values with your own, or the queries will not work as expected. For example, if a query uses an asset group named "Production" and there is no asset group with that name in your project, the query will return no results. The examples in this library illustrate a variety of NQL features, including:

Relative date and datetime filters:

Use TODAY, "-Nd" (N days in the past), and "Nd" (N days in the future) with date/datetime fields such as finding_discovered, finding_last_seen, host_last_seen_date, and due_date, for example:

  • "-30d" means 30 days in the past from today.

  • "30d" means 30 days in the future from today.  

  • "TODAY" refers to the current date.

EMPTY:

Use field = EMPTY or field != EMPTY to filter on missing values.

List and nested fields:

Examples include:

  • List fields like asset_group.

  • Nested metadata fields such as asset_info."crq.data_classification".

For the complete syntax, see the Nucleus Query Language (NQL) article.

Basic Vulnerability Discovery

Simple queries to understand what vulnerabilities exist in your environment:

VM Question

NQL Query

What vulnerabilities do I have in my environment?

SELECT finding_name, host_name, severity, finding_discovered 
FROM findings 
ORDER BY severity DESC, finding_name ASC

What are all the Critical severity vulnerabilities?

SELECT finding_name, host_name, severity, finding_discovered 
FROM findings 
WHERE severity = "Critical" 
ORDER BY finding_discovered DESC

What vulnerabilities were discovered in the last 30 days?

SELECT finding_name, host_name, severity, finding_discovered 
FROM findings 
WHERE finding_discovered >= "-30d" 
ORDER BY finding_discovered DESC

What vulnerabilities exist on a specific host? Ex: nessus-scanner (172.31.17.4)

SELECT finding_name, asset_name, severity, finding_discovered, finding_status 
FROM findings 
WHERE asset_name = "nessus-scanner (172.31.17.4)" 
ORDER BY severity DESC

What are the most recent vulnerabilities discovered today?

SELECT finding_name, host_name, severity, finding_discovered
FROM findings 
WHERE finding_discovered = TODAY 
ORDER BY finding_name ASC

What are the first 10 critical severity vulnerabilities in my environment?

SELECT finding_name, host_name, severity
FROM findings 
WHERE severity = "Critical" 
LIMIT 10

Which Critical vulnerabilities are on assets in a particular asset group? Ex: /Prod

Note: Use the full tree path to specify a sub-group, e.g. "/Prod/region1".

SELECT finding_name, severity 
FROM findings 
WHERE asset_group IN ("/Prod") AND severity = "Critical"

Severity and Risk Assessment

Queries focused on understanding the criticality and impact of vulnerabilities:

VM Question

NQL Query

What are all High and Critical severity vulnerabilities that need immediate attention?

SELECT finding_name, host_name, severity, finding_status, due_date 
FROM findings 
WHERE severity IN ("Critical", "High") 
ORDER BY severity DESC, due_date ASC

Which vulnerabilities have the highest risk scores?

SELECT finding_name, host_name, severity, finding_risk_score 
FROM findings 
WHERE finding_risk_score != EMPTY 
ORDER BY finding_risk_score DESC

What Critical vulnerabilities are still Active and unresolved?

SELECT finding_name, host_name, severity, finding_status, finding_discovered
FROM findings 
WHERE severity = "Critical" AND finding_status = "Active" 
ORDER BY finding_discovered ASC

What are all the zero-day vulnerabilities in my environment?

SELECT finding_name, host_name, severity, nucleus_zero_day, finding_discovered 
FROM findings 
WHERE nucleus_zero_day = "Yes" 
ORDER BY severity DESC, finding_discovered DESC

Asset and Host Analysis

Understanding which systems are affected and their characteristics:

VM Question

NQL Query

Which hosts have Critical vulnerabilities that need immediate attention?

SELECT host_name, asset_name, finding_name, finding_status, due_date 
FROM findings 
WHERE severity = "Critical" 
ORDER BY host_name ASC, due_date ASC

What assets haven't been seen recently and may have stale vulnerability data?

SELECT host_name, asset_name, host_last_seen_date, severity 
FROM findings 
WHERE host_last_seen_date < "-30d" 
ORDER BY host_last_seen_date ASC

Which systems are missing asset classification information?

SELECT asset_name, severity, finding_name 
FROM findings 
WHERE asset_name = EMPTY AND severity IN ("Critical", "High") 
ORDER BY severity DESC, host_name ASC

Which vulnerabilities exist on assets tagged in a particular AWS region?

Ex: us-west-2

Note: If your asset metadata stores array values, you must use CONTAINS rather than "=".

SELECT finding_name, severity, asset_info.aws.region 
FROM findings 
WHERE asset_info.aws.region = "us-west-2" 
ORDER BY severity DESC

Which vulnerabilities exist on assets tagged with a customer data classification?

Ex: crq.data_classification

SELECT finding_name, severity, asset_info."crq.data_classification" 
FROM findings 
WHERE asset_info."crq.data_classification" CONTAINS "Customer Data" 
ORDER BY severity DESC

Which vulnerabilities are impacting a particular AWS account (Cost center)?

SELECT finding_name, severity, asset_info.aws.account_id 
FROM findings 
WHERE asset_info.aws.account_id = "215654987012" 
ORDER BY severity DESC

Timeline and Age Analysis

Queries related to when vulnerabilities were discovered and how long they've existed:

VM Question

NQL Query

What are the oldest unresolved vulnerabilities in my environment?

SELECT finding_name, host_name, severity, finding_discovered, finding_status 
FROM findings 
WHERE finding_status = "Active" AND finding_discovered != EMPTY 
ORDER BY finding_discovered ASC

What Critical vulnerabilities have been open for more than 90 days?

SELECT finding_name, host_name, severity, finding_discovered, finding_status 
FROM findings 
WHERE severity = "Critical" AND finding_discovered < "-90d" AND finding_status = "Active" 
ORDER BY finding_discovered ASC

What vulnerabilities were discovered this week?

SELECT finding_name, host_name, severity, finding_discovered 
FROM findings 
WHERE finding_discovered >= "-7d" 
ORDER BY finding_discovered DESC, severity DESC

Which vulnerabilities are missing discovery date information?

SELECT finding_name, host_name, severity, finding_status, finding_discovered 
FROM findings 
WHERE finding_discovered = EMPTY 
ORDER BY severity DESC, finding_name ASC

What High severity vulnerabilities were found in the last 60 days?

SELECT finding_name, host_name, severity, finding_discovered, finding_status 
FROM findings 
WHERE severity = "High" AND finding_discovered >= "-60d" 
ORDER BY finding_discovered DESC

Status and Workflow Management

Tracking vulnerability remediation progress and workflow states:

VM Question

NQL Query

What vulnerabilities are currently being worked on?

SELECT finding_name, host_name, severity, finding_status, due_date 
FROM findings WHERE finding_status = "In Progress" 
ORDER BY severity DESC, due_date ASC

Which vulnerabilities are waiting for third-party vendor fixes?

SELECT finding_name, host_name, severity, finding_status, finding_discovered 
FROM findings WHERE finding_status = "Waiting For 3rd Party" 
ORDER BY severity DESC, finding_discovered ASC

What vulnerabilities have been fixed and are awaiting verification?

SELECT finding_name, host_name, severity, finding_status, due_date 
FROM findings WHERE finding_status = "Waiting For Verification" 
ORDER BY due_date ASC, severity DESC

Which vulnerabilities have exception requests pending approval?

SELECT finding_name, host_name, severity, finding_status, finding_discovered 
FROM findings WHERE finding_status = "Exception Requested" 
ORDER BY severity DESC, finding_discovered ASC

Due Date and SLA Monitoring

Managing remediation deadlines and service level agreements:

VM Question

NQL Query

What vulnerabilities are overdue and past their remediation deadline?

SELECT finding_name, asset_name, severity, finding_status, due_date 
FROM findings WHERE due_date < TODAY 
ORDER BY due_date ASC, severity DESC

Which Critical vulnerabilities are due for remediation today?

SELECT finding_name, asset_name, severity, finding_status, due_date 
FROM findings WHERE severity = "Critical" AND due_date = TODAY 
ORDER BY finding_name ASC

What vulnerabilities are due within the next 7 days?

SELECT finding_name, asset_name, severity, finding_status, due_date 
FROM findings WHERE due_date >= TODAY AND due_date < "7d" 
ORDER BY due_date ASC, severity DESC

Which active vulnerabilities are missing due dates for SLA tracking?

SELECT finding_name, asset_name, severity, finding_status, due_date 
FROM findings WHERE due_date = EMPTY AND finding_status = "In Progress" 
ORDER BY severity DESC, finding_name ASC

What High severity vulnerabilities are due in the next 30 days?

SELECT finding_name, asset_name, severity, finding_status, due_date 
FROM findings WHERE severity = "High" AND due_date >= TODAY AND due_date <= "30d" 
ORDER BY due_date ASC

Team Assignment and Ownership

Queries for understanding responsibility and workload distribution:

VM Question

NQL Query

What vulnerabilities are assigned to a specific team?

Ex: "Infrastructure Team"

SELECT finding_name, asset_name, severity, assigned_team, finding_status 
FROM findings 
WHERE assigned_team = "Infrastructure Team" 
ORDER BY severity DESC, finding_name ASC

Which Critical vulnerabilities have no team assigned?

SELECT finding_name, asset_name, severity, assigned_team, due_date 
FROM findings 
WHERE severity = "Critical" AND assigned_team = EMPTY 
ORDER BY due_date ASC

What is the workload distribution across all teams?

SELECT assigned_team, finding_name, asset_name, severity, finding_status 
FROM findings 
WHERE assigned_team != EMPTY 
ORDER BY assigned_team ASC, severity DESC

Which teams have overdue vulnerabilities?

SELECT assigned_team, finding_name, asset_name, severity, due_date 
FROM findings 
WHERE assigned_team != EMPTY AND due_date < TODAY 
ORDER BY assigned_team ASC, due_date ASC

What High and Critical vulnerabilities need team assignment?

SELECT finding_name, asset_name, severity, assigned_team, finding_discovered 
FROM findings 
WHERE severity IN ("Critical", "High") AND assigned_team = EMPTY 
ORDER BY severity DESC, finding_discovered ASC

Scan Source and Coverage Analysis

Understanding where vulnerabilities come from and scan effectiveness:

VM Question

NQL Query

What vulnerabilities were found by each scanning tool?

SELECT finding_source, finding_name, asset_name, severity 
FROM findings 
ORDER BY finding_source ASC, severity DESC

Which scan types are finding the most Critical vulnerabilities?

SELECT finding_source, finding_name, asset_name, severity, finding_discovered 
FROM findings WHERE severity = "Critical" 
ORDER BY finding_source ASC, finding_discovered DESC

What vulnerabilities were discovered by Qualys scans?

Ex: QUALYS, CROWDSTRIKE, etc.

SELECT finding_name, asset_name, severity, finding_source, finding_discovered 
FROM findings WHERE finding_source = "QUALYS" 
ORDER BY severity DESC, finding_discovered DESC

Which scanning tools haven't reported findings recently?

SELECT finding_source, finding_name, host_name, finding_discovered 
FROM findings WHERE finding_discovered < "-30d" 
ORDER BY finding_source ASC, finding_discovered ASC

What high-severity vulnerabilities are confirmed by multiple scanners?

Ex: QUALYS, WIZ, NOZOMI, etc.

SELECT finding_name, severity, finding_source, cves, asset_name, finding_risk_score 
FROM findings 
WHERE (finding_source = "Qualys" OR finding_source = "Wiz" OR finding_source = "Nozomi") 
AND (severity = "Critical" OR severity = "High") 
AND cve_count > 0 
ORDER BY finding_risk_score DESC

What is the vulnerability distribution across different scan sources?

SELECT finding_source, finding_name, host_name, severity, finding_status 
FROM findings 
ORDER BY finding_source ASC, severity DESC, finding_name ASC

Threat Intelligence Enrichment

Leveraging external threat data for prioritization:

VM Question

NQL Query

What vulnerabilities are actively being exploited in the wild?

SELECT finding_name, asset_name, severity, nucleus_exploited, finding_status  
FROM findings  
WHERE nucleus_exploited = "Yes"  
ORDER BY severity DESC, finding_name ASC

Which vulnerabilities are being exploited by known malware?

SELECT finding_name, asset_name, severity, nucleus_exploited_by_malware, due_date  
FROM findings  
WHERE nucleus_exploited_by_malware = "Yes"  
ORDER BY severity DESC, due_date ASC

What zero-day vulnerabilities require immediate attention?

SELECT finding_name, asset_name, severity, nucleus_zero_day, finding_discovered  
FROM findings  
WHERE nucleus_zero_day = "Yes"  
ORDER BY severity DESC, finding_discovered DESC

Identifying Missing Data

Data quality and completeness validation queries:

VM Question

NQL Query

Which vulnerabilities are missing discovery dates?

SELECT finding_name, asset_name, severity, finding_discovered, finding_source 
FROM findings 
WHERE finding_discovered = EMPTY 
ORDER BY severity DESC, finding_name ASC

What Critical vulnerabilities don't have due dates assigned?

SELECT finding_name, asset_name, severity, due_date, finding_status 
FROM findings 
WHERE severity = "Critical" AND due_date = EMPTY 
ORDER BY finding_name ASC

Which vulnerabilities are missing risk score data?

SELECT finding_name, asset_name, severity, finding_risk_score, finding_source 
FROM findings WHERE finding_risk_score = EMPTY AND severity IN ("Critical", "High") 
ORDER BY severity DESC, finding_name ASC

What assets are missing proper naming or classification?

SELECT finding_name, asset_name, severity 
FROM findings 
WHERE asset_name = EMPTY AND severity IN ("Critical", "High") 
ORDER BY severity DESC, host_name ASC

Advanced Filtering and Correlation

Complex multi-criteria queries for sophisticated analysis:

VM Question

NQL Query

What Critical vulnerabilities are overdue, actively exploited, and still unresolved?

SELECT finding_name, asset_name, severity, due_date, nucleus_exploited, finding_status 
FROM findings 
WHERE severity = "Critical" AND due_date < TODAY AND nucleus_exploited = "Yes" AND finding_status = "Active" 
ORDER BY due_date ASC

Which High severity vulnerabilities discovered recently lack proper assignment and due dates?

SELECT finding_name, asset_name, severity, finding_discovered, assigned_team, due_date 
FROM findings 
WHERE severity = "High" AND finding_discovered >= "-7d" AND assigned_team = EMPTY AND due_date = EMPTY 
ORDER BY finding_discovered DESC

What vulnerabilities on stale assets have threat intelligence indicating active exploitation?

SELECT finding_name, asset_name, host_last_seen_date, nucleus_exploited, severity 
FROM findings 
WHERE host_last_seen_date < "-60d" AND nucleus_exploited = "Yes" 
ORDER BY severity DESC, host_last_seen_date ASC

Which old Critical vulnerabilities are in progress but approaching their due dates?

SELECT finding_name, asset_name, severity, finding_discovered, finding_status, due_date 
FROM findings 
WHERE severity = "Critical" AND finding_discovered < "-90d" AND finding_status = "In Progress" AND due_date <= "7d" 
ORDER BY due_date ASC

Trend Analysis and Metrics

Queries supporting KPIs, dashboards, and trend reporting:

VM Question

NQL Query

What is the current vulnerability count by severity level?

SELECT severity, finding_name, asset_name, finding_status 
FROM findings 
ORDER BY severity DESC, finding_name ASC

How many vulnerabilities were discovered in the last 30 days by severity?

SELECT severity, finding_name, asset_name, finding_discovered 
FROM findings WHERE finding_discovered >= "-30d" 
ORDER BY severity DESC, finding_discovered DESC

What is the age distribution of all active vulnerabilities?

SELECT finding_name, asset_name, severity, finding_discovered, finding_status 
FROM findings WHERE finding_status = "Active" 
ORDER BY finding_discovered ASC, severity DESC

Which scan sources are contributing the most vulnerabilities this month?

SELECT finding_source, finding_name, asset_name, severity, finding_discovered 
FROM findings WHERE finding_discovered >= "-30d" 
ORDER BY finding_source ASC, severity DESC

What is the current remediation status distribution across all vulnerabilities?

SELECT finding_status, finding_name, asset_name, severity, due_date 
FROM findings 
ORDER BY finding_status ASC, severity DESC

Exception and Edge Case Management

Handling special cases, outliers, and unusual scenarios:

VM Question

NQL Query

What vulnerabilities have been in "Exception Requested" status for more than 30 days?

SELECT finding_name, asset_name, severity, finding_status, finding_discovered 
FROM findings 
WHERE finding_status = "Exception Requested" AND finding_discovered < "-30d" 
ORDER BY finding_discovered ASC, severity DESC

Which vulnerabilities have due dates set in the past but are still marked as Active?

SELECT finding_name, asset_name, severity, finding_status, due_date 
FROM findings 
WHERE finding_status = "Active" AND due_date < TODAY
ORDER BY due_date ASC, severity DESC

What vulnerabilities exist on hosts that haven't been seen in over 90 days?

SELECT finding_name, asset_name, host_last_seen_date, severity, finding_status 
FROM findings
WHERE host_last_seen_date < "-90d" 
ORDER BY host_last_seen_date ASC, severity DESC

Which vulnerabilities have conflicting data (Critical severity but low risk scores)?

SELECT finding_name, asset_name, severity, finding_risk_score, finding_status 
FROM findings 
WHERE severity = "Critical" AND finding_risk_score != EMPTY AND finding_risk_score < 5 
ORDER BY finding_risk_score ASC

What vulnerabilities are marked as "Fixed" but were discovered very recently?

SELECT finding_name, asset_name, severity, finding_status, finding_discovered 
FROM findings 
WHERE finding_status = "Fixed" AND finding_discovered >= "-7d" 
ORDER BY finding_discovered DESC, severity DESC

Operational Efficiency

Queries that help optimize vulnerability management processes:

VM Question

NQL Query

What vulnerabilities are ready for closure verification after being marked as Fixed?

SELECT finding_name, asset_name, severity, finding_status, due_date 
FROM findings 
WHERE finding_status = "Fixed" 
ORDER BY due_date ASC, severity DESC

Which teams have the highest workload of active Critical and High vulnerabilities?

SELECT assigned_team, finding_name, asset_name, severity, finding_status 
FROM findings 
WHERE assigned_team != EMPTY AND severity IN ("Critical", "High") AND finding_status = "Active" 
ORDER BY assigned_team ASC, severity DESC

What vulnerabilities can be bulk-assigned due dates based on severity?

SELECT finding_name, asset_name, severity, finding_status, due_date 
FROM findings 
WHERE finding_status = "Active" AND due_date = EMPTY 
ORDER BY severity DESC, finding_name ASC

What vulnerabilities have been stuck in "In Progress" status for over 60 days?

SELECT finding_name, asset_name, severity, finding_status, finding_discovered, assigned_team 
FROM findings 
WHERE finding_status = "In Progress" AND finding_discovered < "-60d" 
ORDER BY finding_discovered ASC, severity DESC

Calculated Fields and NQL Functions

You can use calculation functions in NQL to create new values in the SELECT clause, then filter on them in WHERE and sort by them in ORDER BY. Here are some examples of calculated fields and functions:

Example Scenario

NQL Query

Scale the Nucleus Risk Score up by a factor of 10.

SELECT finding_name, finding_risk_score, MULTIPLY(finding_risk_score, 10) AS ten_x_risk
FROM findings
WHERE ten_x_risk > 1000
ORDER BY ten_x_risk DESC

Calculate the finding age (dwell time) on findings.

SELECT finding_name, finding_discovered, DATE_DIFF(TODAY, finding_discovered) AS calculated_age
FROM findings
ORDER BY calculated_age DESC

Show me the top findings based on the number of asset groups impacted.

SELECT finding_name, asset_group, LIST_LENGTH(asset_group) AS group_count
FROM findings
ORDER BY group_count DESC
LIMIT 100

These patterns can be adapted to any numeric, date/datetime, or list fields that are available in your project.
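To show how the relative date tokens and EMPTY described in the overview behave, and how the DATE_DIFF dwell-time calculation above lines up with them, here is an added Python example (not Nucleus code and not part of this page) that evaluates three of the page's filters over constructed findings. The reference date, the sample findings and the function names are assumptions made for the example.

```python
from datetime import date, timedelta
import re

TODAY = date(2025, 6, 15)   # constructed reference date standing in for NQL's TODAY
EMPTY = None                # NQL EMPTY modelled as Python None

_REL = re.compile(r"^(-?)(\d+)d$")   # "-Nd" = N days ago, "Nd" = N days ahead


def resolve(token, today=TODAY):
    """Turn TODAY, "-Nd" or "Nd" into a concrete date."""
    if token == "TODAY":
        return today
    m = _REL.match(token)
    if not m:
        raise ValueError(f"unsupported relative date token: {token!r}")
    delta = timedelta(days=int(m.group(2)))
    return today - delta if m.group(1) else today + delta


def date_diff(later, earlier):
    """DATE_DIFF(later, earlier) in whole days; EMPTY on either side stays EMPTY."""
    if later is EMPTY or earlier is EMPTY:
        return EMPTY
    return (later - earlier).days


# Constructed sample findings; the shape mirrors the fields used on this page.
FINDINGS = [
    {"finding_name": "F1", "severity": "Critical", "finding_status": "Active",
     "finding_discovered": date(2025, 2, 1), "due_date": date(2025, 6, 10)},
    {"finding_name": "F2", "severity": "Critical", "finding_status": "Active",
     "finding_discovered": date(2025, 6, 1), "due_date": date(2025, 6, 18)},
    {"finding_name": "F3", "severity": "High", "finding_status": "Active",
     "finding_discovered": EMPTY, "due_date": EMPTY},
    {"finding_name": "F4", "severity": "Critical", "finding_status": "Fixed",
     "finding_discovered": date(2025, 1, 20), "due_date": date(2025, 6, 20)},
]


def open_more_than_90_days(findings=FINDINGS, today=TODAY):
    """severity = "Critical" AND finding_discovered < "-90d" AND finding_status = "Active"."""
    cutoff = resolve("-90d", today)
    return [f["finding_name"] for f in findings
            if f["severity"] == "Critical" and f["finding_status"] == "Active"
            and f["finding_discovered"] is not EMPTY and f["finding_discovered"] < cutoff]


def due_within_7_days(findings=FINDINGS, today=TODAY):
    """due_date >= TODAY AND due_date < "7d"; an EMPTY due_date never matches."""
    lo, hi = resolve("TODAY", today), resolve("7d", today)
    return [f["finding_name"] for f in findings
            if f["due_date"] is not EMPTY and lo <= f["due_date"] < hi]


def dwell_times(findings=FINDINGS, today=TODAY):
    """DATE_DIFF(TODAY, finding_discovered) AS calculated_age, ORDER BY calculated_age DESC.
    Findings with an EMPTY discovery date sort last."""
    ages = [(f["finding_name"], date_diff(today, f["finding_discovered"])) for f in findings]
    return sorted(ages, key=lambda kv: (kv[1] is EMPTY, -(kv[1] or 0)))
```

Note that a finding with an EMPTY date never satisfies a date comparison, which is why the page pairs `finding_discovered != EMPTY` with ordering on that field; the filters above make that exclusion explicit.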