---
title: "NQL Query Library"
slug: "nql-library"
updated: 2026-03-28T00:31:46Z
published: 2026-03-28T00:31:46Z
canonical: "help.nucleussec.com/nql-library"
---

# NQL Query Library

### Overview

This page provides examples of useful NQL queries designed to answer common vulnerability management questions. Feel free to base your own queries on these samples, but replace any project-specific values with your own. For example, if a query uses an asset group named “Production” and your project has no asset group with that name, the query will not work as expected.

The examples in this library illustrate a variety of NQL features, including:

**Relative date and datetime filters:**

Use `TODAY`, `"-Nd"` (N days in the past), and `"Nd"` (N days in the future) with date/datetime fields such as `finding_discovered`, `finding_last_seen`, `host_last_seen_date`, and `due_date`, for example:

- `"-30d"` means **30 days in the past** from today.
- `"30d"` means **30 days in the future** from today.
- `TODAY` refers to the current date.

**EMPTY:**

Use `field = EMPTY` or `field != EMPTY` to filter on missing values.

**List and nested fields:**

Examples include:

- List fields like `asset_group`.
- Nested metadata fields such as `asset_info."crq.data_classification"`.

For the complete syntax, see the [Nucleus Query Language (NQL)](/v1/docs/nucleus-query-language-nql) article.

### Basic Vulnerability Discovery

Simple queries to understand what vulnerabilities exist in your environment:

| **VM Question** | **NQL Query** |
| --- | --- |
| What vulnerabilities do I have in my environment? | ```sql SELECT finding_name, host_name, severity, finding_discovered FROM findings ORDER BY severity DESC, finding_name ASC ``` |
| What are all the Critical severity vulnerabilities? | ```sql SELECT finding_name, host_name, severity, finding_discovered FROM findings WHERE severity = "Critical" ORDER BY finding_discovered DESC ``` |
| What vulnerabilities were discovered in the last 30 days? | ```sql SELECT finding_name, host_name, severity, finding_discovered FROM findings WHERE finding_discovered >= "-30d" ORDER BY finding_discovered DESC ``` |
| What vulnerabilities exist on a specific host? Ex: nessus-scanner (172.31.17.4) | ```sql SELECT finding_name, asset_name, severity, finding_discovered, finding_status FROM findings WHERE asset_name = "nessus-scanner (172.31.17.4)" ORDER BY severity DESC ``` |
| What are the most recent vulnerabilities discovered today? | ```sql SELECT finding_name, host_name, severity, finding_discovered FROM findings WHERE finding_discovered = TODAY ORDER BY finding_name ASC ``` |
| What are the first 10 critical severity vulnerabilities in my environment? | ```sql SELECT finding_name, host_name, severity FROM findings WHERE severity = "Critical" LIMIT 10 ``` |
| Which Critical vulnerabilities are on assets in a particular asset group? (Prod) *Note: Use the full tree to specify a sub-group, e.g. “/Prod/region1”* | ```sql SELECT finding_name, severity FROM findings WHERE asset_group IN ("/Prod") AND severity = "Critical" ``` |

### Severity and Risk Assessment

Queries focused on understanding the criticality and impact of vulnerabilities:

| **VM Question** | **NQL Query** |
| --- | --- |
| What are all High and Critical severity vulnerabilities that need immediate attention? | ```sql SELECT finding_name, host_name, severity, finding_status, due_date FROM findings WHERE severity IN ("Critical", "High") ORDER BY severity DESC, due_date ASC ``` |
| Which vulnerabilities have the highest risk scores? | ```sql SELECT finding_name, host_name, severity, finding_risk_score FROM findings WHERE finding_risk_score != EMPTY ORDER BY finding_risk_score DESC ``` |
| What Critical vulnerabilities are still Active and unresolved? | ```sql SELECT finding_name, host_name, severity, finding_status, finding_discovered FROM findings WHERE severity = "Critical" AND finding_status = "Active" ORDER BY finding_discovered ASC ``` |
| What are all the zero-day vulnerabilities in my environment? | ```sql SELECT finding_name, host_name, severity, nucleus_zero_day, finding_discovered FROM findings WHERE nucleus_zero_day = "Yes" ORDER BY severity DESC, finding_discovered DESC ``` |

### Asset and Host Analysis

Understanding which systems are affected and their characteristics:

| **VM Question** | **NQL Query** |
| --- | --- |
| Which hosts have Critical vulnerabilities that need immediate attention? | ```sql SELECT host_name, asset_name, finding_name, finding_status, due_date FROM findings WHERE severity = "Critical" ORDER BY host_name ASC, due_date ASC ``` |
| What assets haven't been seen recently and may have stale vulnerability data? | ```sql SELECT host_name, asset_name, host_last_seen_date, severity FROM findings WHERE host_last_seen_date < "-30d" ORDER BY host_last_seen_date ASC ``` |
| Which systems are missing asset classification information? | ```sql SELECT asset_name, severity, finding_name FROM findings WHERE asset_name = EMPTY AND severity IN ("Critical", "High") ORDER BY severity DESC, host_name ASC ``` |
| Which vulnerabilities exist on assets tagged in a particular AWS region? Ex: us-west-2 *Note: If your asset metadata uses array values, you must use CONTAINS and not “=”* | ```sql SELECT finding_name, severity, asset_info.aws.region FROM findings WHERE asset_info.aws.region = "us-west-2" ORDER BY severity DESC ``` |
| Which vulnerabilities exist on assets tagged with a customer data classification? Ex: crq.data_classification | ```sql SELECT finding_name, severity, asset_info."crq.data_classification" FROM findings WHERE asset_info."crq.data_classification" CONTAINS "Customer Data" ORDER BY severity DESC ``` |
| Which vulnerabilities are impacting a particular AWS account (Cost center)? | ```sql SELECT finding_name, severity, asset_info.aws.account_id FROM findings WHERE asset_info.aws.account_id = "215654987012" ORDER BY severity DESC ``` |

### Timeline and Age Analysis

Queries related to when vulnerabilities were discovered and how long they've existed:

| **VM Question** | **NQL Query** |
| --- | --- |
| What are the oldest unresolved vulnerabilities in my environment? | ```sql SELECT finding_name, host_name, severity, finding_discovered, finding_status FROM findings WHERE finding_status = "Active" AND finding_discovered != EMPTY ORDER BY finding_discovered ASC ``` |
| What Critical vulnerabilities have been open for more than 90 days? | ```sql SELECT finding_name, host_name, severity, finding_discovered, finding_status FROM findings WHERE severity = "Critical" AND finding_discovered < "-90d" AND finding_status = "Active" ORDER BY finding_discovered ASC ``` |
| What vulnerabilities were discovered this week? | ```sql SELECT finding_name, host_name, severity, finding_discovered FROM findings WHERE finding_discovered >= "-7d" ORDER BY finding_discovered DESC, severity DESC ``` |
| Which vulnerabilities are missing discovery date information? | ```sql SELECT finding_name, host_name, severity, finding_status, finding_discovered FROM findings WHERE finding_discovered = EMPTY ORDER BY severity DESC, finding_name ASC ``` |
| What High severity vulnerabilities were found in the last 60 days? | ```sql SELECT finding_name, host_name, severity, finding_discovered, finding_status FROM findings WHERE severity = "High" AND finding_discovered >= "-60d" ORDER BY finding_discovered DESC ``` |

### Status and Workflow Management

Tracking vulnerability remediation progress and workflow states:

| **VM Question** | **NQL Query** |
| --- | --- |
| What vulnerabilities are currently being worked on? | ```sql SELECT finding_name, host_name, severity, finding_status, due_date FROM findings WHERE finding_status = "In Progress" ORDER BY severity DESC, due_date ASC ``` |
| Which vulnerabilities are waiting for third-party vendor fixes? | ```sql SELECT finding_name, host_name, severity, finding_status, finding_discovered FROM findings WHERE finding_status = "Waiting For 3rd Party" ORDER BY severity DESC, finding_discovered ASC ``` |
| What vulnerabilities have been fixed and are awaiting verification? | ```sql SELECT finding_name, host_name, severity, finding_status, due_date FROM findings WHERE finding_status = "Waiting For Verification" ORDER BY due_date ASC, severity DESC ``` |
| Which vulnerabilities have exception requests pending approval? | ```sql SELECT finding_name, host_name, severity, finding_status, finding_discovered FROM findings WHERE finding_status = "Exception Requested" ORDER BY severity DESC, finding_discovered ASC ``` |

### Due Date and SLA Monitoring

Managing remediation deadlines and service level agreements:

| **VM Question** | **NQL Query** |
| --- | --- |
| What vulnerabilities are overdue and past their remediation deadline? | ```sql SELECT finding_name, asset_name, severity, finding_status, due_date FROM findings WHERE due_date < TODAY ORDER BY due_date ASC, severity DESC ``` |
| Which Critical vulnerabilities are due for remediation today? | ```sql SELECT finding_name, asset_name, severity, finding_status, due_date FROM findings WHERE severity = "Critical" AND due_date = TODAY ORDER BY finding_name ASC ``` |
| What vulnerabilities are due within the next 7 days? | ```sql SELECT finding_name, asset_name, severity, finding_status, due_date FROM findings WHERE due_date >= TODAY AND due_date < "7d" ORDER BY due_date ASC, severity DESC ``` |
| Which active vulnerabilities are missing due dates for SLA tracking? | ```sql SELECT finding_name, asset_name, severity, finding_status, due_date FROM findings WHERE due_date = EMPTY AND finding_status = "In Progress" ORDER BY severity DESC, finding_name ASC ``` |
| What High severity vulnerabilities are due in the next 30 days? | ```sql SELECT finding_name, asset_name, severity, finding_status, due_date FROM findings WHERE severity = "High" AND due_date >= TODAY AND due_date <= "30d" ORDER BY due_date ASC ``` |
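
The due-date windows in the queries above can be checked offline against exported rows. The following Python model is an added example, not Nucleus code: it resolves the relative tokens as this page describes them, assumes whole-day date comparison, and assumes an `EMPTY` value (modelled as `None`) never satisfies a date comparison. `resolve`, `matches` and `select` are hypothetical helper names, and the sample rows are constructed.

```python
import operator
import re
from datetime import date, timedelta

# Relative tokens as described on this page: "-Nd" (past), "Nd" (future), TODAY.
_REL = re.compile(r"^(-?)(\d+)d$")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}


def resolve(token, today):
    """Turn a relative date token into an absolute calendar date."""
    if token == "TODAY":
        return today
    m = _REL.match(token)
    if m is None:
        raise ValueError(f"not a relative date token: {token!r}")
    delta = timedelta(days=int(m.group(2)))
    return today - delta if m.group(1) else today + delta


def matches(value, op, token, today):
    """Evaluate `field <op> token` for one row.

    Assumption: an EMPTY value (None here) never satisfies a date comparison,
    so rows without a date need their own `= EMPTY` check.
    """
    if value is None:
        return False
    return _OPS[op](value, resolve(token, today))


def select(findings, today, *conditions):
    """Return finding names where every (field, op, token) condition holds."""
    return [f["finding_name"] for f in findings
            if all(matches(f[field], op, tok, today)
                   for field, op, tok in conditions)]


# Constructed sample rows, not real export data.
TODAY = date(2026, 3, 28)
FINDINGS = [
    {"finding_name": "overdue-yesterday", "due_date": date(2026, 3, 27)},
    {"finding_name": "due-today", "due_date": date(2026, 3, 28)},
    {"finding_name": "due-in-6-days", "due_date": date(2026, 4, 3)},
    {"finding_name": "due-in-7-days", "due_date": date(2026, 4, 4)},
    {"finding_name": "no-due-date", "due_date": None},
]

if __name__ == "__main__":
    # due_date < TODAY
    print(select(FINDINGS, TODAY, ("due_date", "<", "TODAY")))
    # due_date >= TODAY AND due_date < "7d"   (boundary day excluded)
    print(select(FINDINGS, TODAY,
                 ("due_date", ">=", "TODAY"), ("due_date", "<", "7d")))
    # due_date >= TODAY AND due_date <= "7d"  (boundary day included)
    print(select(FINDINGS, TODAY,
                 ("due_date", ">=", "TODAY"), ("due_date", "<=", "7d")))
```

Under these assumptions, the `< "7d"` form leaves out a finding due exactly seven days from today, while a `<=` bound such as the `<= "30d"` query includes the boundary day; rows with no due date appear in neither and are only caught by the `due_date = EMPTY` query.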

### Team Assignment and Ownership

Queries for understanding responsibility and workload distribution:

| **VM Question** | **NQL Query** |
| --- | --- |
| What vulnerabilities are assigned to a specific team? Ex: (“Infrastructure Team”) | ```sql SELECT finding_name, asset_name, severity, assigned_team, finding_status FROM findings WHERE assigned_team = "Infrastructure Team" ORDER BY severity DESC, finding_name ASC ``` |
| Which Critical vulnerabilities have no team assigned? | ```sql SELECT finding_name, asset_name, severity, assigned_team, due_date FROM findings WHERE severity = "Critical" AND assigned_team = EMPTY ORDER BY due_date ASC ``` |
| What is the workload distribution across all teams? | ```sql SELECT assigned_team, finding_name, asset_name, severity, finding_status FROM findings WHERE assigned_team != EMPTY ORDER BY assigned_team ASC, severity DESC ``` |
| Which teams have overdue vulnerabilities? | ```sql SELECT assigned_team, finding_name, asset_name, severity, due_date FROM findings WHERE assigned_team != EMPTY AND due_date < TODAY ORDER BY assigned_team ASC, due_date ASC ``` |
| What High and Critical vulnerabilities need team assignment? | ```sql SELECT finding_name, asset_name, severity, assigned_team, finding_discovered FROM findings WHERE severity IN ("Critical", "High") AND assigned_team = EMPTY ORDER BY severity DESC, finding_discovered ASC ``` |

### Scan Source and Coverage Analysis

Understanding where vulnerabilities come from and scan effectiveness:

| **VM Question** | **NQL Query** |
| --- | --- |
| What vulnerabilities were found by each scanning tool? | ```sql SELECT finding_source, finding_name, asset_name, severity FROM findings ORDER BY finding_source ASC, severity DESC ``` |
| Which scan types are finding the most Critical vulnerabilities? | ```sql SELECT finding_source, finding_name, asset_name, severity, finding_discovered FROM findings WHERE severity = "Critical" ORDER BY finding_source ASC, finding_discovered DESC ``` |
| What vulnerabilities were discovered by Qualys scans? Ex: QUALYS, CROWDSTRIKE, etc | ```sql SELECT finding_name, asset_name, severity, finding_source, finding_discovered FROM findings WHERE finding_source = "QUALYS" ORDER BY severity DESC, finding_discovered DESC ``` |
| Which scanning tools haven't reported findings recently? | ```sql SELECT finding_source, finding_name, host_name, finding_discovered FROM findings WHERE finding_discovered < "-30d" ORDER BY finding_source ASC, finding_discovered ASC ``` |
| What high-severity vulnerabilities are confirmed by multiple scanners? Ex: QUALYS, WIZ, NOZOMI, etc | ```sql SELECT finding_name, severity, finding_source, cves, asset_name, finding_risk_score FROM findings WHERE (finding_source = "Qualys" OR finding_source = "Wiz" OR finding_source = "Nozomi") AND (severity = "Critical" OR severity = "High") AND cve_count > 0 ORDER BY finding_risk_score DESC ``` |
| What is the vulnerability distribution across different scan sources? | ```sql SELECT finding_source, finding_name, host_name, severity, finding_status FROM findings ORDER BY finding_source ASC, severity DESC, finding_name ASC ``` |

### Threat Intelligence Enrichment

Leveraging external threat data for prioritization:

| **VM Question** | **NQL Query** |
| --- | --- |
| What vulnerabilities are actively being exploited in the wild? | ```sql SELECT finding_name, asset_name, severity, nucleus_exploited, finding_status FROM findings WHERE nucleus_exploited = "Yes" ORDER BY severity DESC, finding_name ASC ``` |
| Which vulnerabilities are being exploited by known malware? | ```sql SELECT finding_name, asset_name, severity, nucleus_exploited_by_malware, due_date FROM findings WHERE nucleus_exploited_by_malware = "Yes" ORDER BY severity DESC, due_date ASC ``` |
| What zero-day vulnerabilities require immediate attention? | ```sql SELECT finding_name, asset_name, severity, nucleus_zero_day, finding_discovered FROM findings WHERE nucleus_zero_day = "Yes" ORDER BY severity DESC, finding_discovered DESC ``` |

### Identifying Missing Data

Data quality and completeness validation queries:

| **VM Question** | **NQL Query** |
| --- | --- |
| Which vulnerabilities are missing discovery dates? | ```sql SELECT finding_name, asset_name, severity, finding_discovered, finding_source FROM findings WHERE finding_discovered = EMPTY ORDER BY severity DESC, finding_name ASC ``` |
| What Critical vulnerabilities don't have due dates assigned? | ```sql SELECT finding_name, asset_name, severity, due_date, finding_status FROM findings WHERE severity = "Critical" AND due_date = EMPTY ORDER BY finding_name ASC ``` |
| Which vulnerabilities are missing risk score data? | ```sql SELECT finding_name, asset_name, severity, finding_risk_score, finding_source FROM findings WHERE finding_risk_score = EMPTY AND severity IN ("Critical", "High") ORDER BY severity DESC, finding_name ASC ``` |
| What assets are missing proper naming or classification? | ```sql SELECT finding_name, asset_name, severity FROM findings WHERE asset_name = EMPTY AND severity IN ("Critical", "High") ORDER BY severity DESC, host_name ASC ``` |

### Advanced Filtering and Correlation

Complex multi-criteria queries for sophisticated analysis:

| **VM Question** | **NQL Query** |
| --- | --- |
| What Critical vulnerabilities are overdue, actively exploited, and still unresolved? | ```sql SELECT finding_name, asset_name, severity, due_date, nucleus_exploited, finding_status FROM findings WHERE severity = "Critical" AND due_date < TODAY AND nucleus_exploited = "Yes" AND finding_status = "Active" ORDER BY due_date ASC ``` |
| Which High severity vulnerabilities discovered recently lack proper assignment and due dates? | ```sql SELECT finding_name, asset_name, severity, finding_discovered, assigned_team, due_date FROM findings WHERE severity = "High" AND finding_discovered >= "-7d" AND assigned_team = EMPTY AND due_date = EMPTY ORDER BY finding_discovered DESC ``` |
| What vulnerabilities on stale assets have threat intelligence indicating active exploitation? | ```sql SELECT finding_name, asset_name, host_last_seen_date, nucleus_exploited, severity FROM findings WHERE host_last_seen_date < "-60d" AND nucleus_exploited = "Yes" ORDER BY severity DESC, host_last_seen_date ASC ``` |
| Which old Critical vulnerabilities are in progress but approaching their due dates? | ```sql SELECT finding_name, asset_name, severity, finding_discovered, finding_status, due_date FROM findings WHERE severity = "Critical" AND finding_discovered < "-90d" AND finding_status = "In Progress" AND due_date <= "7d" ORDER BY due_date ASC ``` |

### Trend Analysis and Metrics

Queries supporting KPIs, dashboards, and trend reporting:

| **VM Question** | **NQL Query** |
| --- | --- |
| What is the current vulnerability count by severity level? | ```sql SELECT severity, finding_name, asset_name, finding_status FROM findings ORDER BY severity DESC, finding_name ASC ``` |
| How many vulnerabilities were discovered in the last 30 days by severity? | ```sql SELECT severity, finding_name, asset_name, finding_discovered FROM findings WHERE finding_discovered >= "-30d" ORDER BY severity DESC, finding_discovered DESC ``` |
| What is the age distribution of all active vulnerabilities? | ```sql SELECT finding_name, asset_name, severity, finding_discovered, finding_status FROM findings WHERE finding_status = "Active" ORDER BY finding_discovered ASC, severity DESC ``` |
| Which scan sources are contributing the most vulnerabilities this month? | ```sql SELECT finding_source, finding_name, asset_name, severity, finding_discovered FROM findings WHERE finding_discovered >= "-30d" ORDER BY finding_source ASC, severity DESC ``` |
| What is the current remediation status distribution across all vulnerabilities? | ```sql SELECT finding_status, finding_name, asset_name, severity, due_date FROM findings ORDER BY finding_status ASC, severity DESC ``` |

### Exception and Edge Case Management

Handling special cases, outliers, and unusual scenarios:

| **VM Question** | **NQL Query** |
| --- | --- |
| What vulnerabilities have been in "Exception Requested" status for more than 30 days? | ```sql SELECT finding_name, asset_name, severity, finding_status, finding_discovered FROM findings WHERE finding_status = "Exception Requested" AND finding_discovered < "-30d" ORDER BY finding_discovered ASC, severity DESC ``` |
| Which vulnerabilities have due dates set in the past but are still marked as Active? | ```sql SELECT finding_name, asset_name, severity, finding_status, due_date FROM findings WHERE finding_status = "Active" AND due_date < TODAY ORDER BY due_date ASC, severity DESC ``` |
| What vulnerabilities exist on hosts that haven't been seen in over 90 days? | ```sql SELECT finding_name, asset_name, host_last_seen_date, severity, finding_status FROM findings WHERE host_last_seen_date < "-90d" ORDER BY host_last_seen_date ASC, severity DESC ``` |
| Which vulnerabilities have conflicting data (Critical severity but low risk scores)? | ```sql SELECT finding_name, asset_name, severity, finding_risk_score, finding_status FROM findings WHERE severity = "Critical" AND finding_risk_score != EMPTY AND finding_risk_score < 5 ORDER BY finding_risk_score ASC ``` |
| What vulnerabilities are marked as "Fixed" but were discovered very recently? | ```sql SELECT finding_name, asset_name, severity, finding_status, finding_discovered FROM findings WHERE finding_status = "Fixed" AND finding_discovered >= "-7d" ORDER BY finding_discovered DESC, severity DESC ``` |

### Operational Efficiency

Queries that help optimize vulnerability management processes:

| **VM Question** | **NQL Query** |
| --- | --- |
| What vulnerabilities are ready for closure verification after being marked as Fixed? | ```sql SELECT finding_name, asset_name, severity, finding_status, due_date FROM findings WHERE finding_status = "Fixed" ORDER BY due_date ASC, severity DESC ``` |
| Which teams have the highest workload of active Critical and High vulnerabilities? | ```sql SELECT assigned_team, finding_name, asset_name, severity, finding_status FROM findings WHERE assigned_team != EMPTY AND severity IN ("Critical", "High") AND finding_status = "Active" ORDER BY assigned_team ASC, severity DESC ``` |
| What vulnerabilities can be bulk-assigned due dates based on severity? | ```sql SELECT finding_name, asset_name, severity, finding_status, due_date FROM findings WHERE finding_status = "Active" AND due_date = EMPTY ORDER BY severity DESC, finding_name ASC ``` |
| What vulnerabilities have been stuck in "In Progress" status for over 60 days? | ```sql SELECT finding_name, asset_name, severity, finding_status, finding_discovered, assigned_team FROM findings WHERE finding_status = "In Progress" AND finding_discovered < "-60d" ORDER BY finding_discovered ASC, severity DESC ``` |

### Calculated Fields and NQL Functions

You can use calculation functions in NQL to create new values in the `SELECT` clause and filter on them in `WHERE` and `ORDER BY`. Here are some examples of using calculated fields and functions:

| **Example Scenario** | **NQL Query** |
| --- | --- |
| Scale the Nucleus Risk Score up by a factor of 10. | ```sql SELECT finding_name, finding_risk_score, MULTIPLY(finding_risk_score, 10) AS ten_x_risk FROM findings WHERE ten_x_risk > 1000 ORDER BY ten_x_risk DESC ``` |
| Calculate the finding age (dwell time) on findings. | ```sql SELECT finding_name, finding_discovered, DATE_DIFF(TODAY, finding_discovered) AS calculated_age FROM findings ORDER BY calculated_age DESC ``` |
| Show me the top findings based on the number of asset groups impacted. | ```sql SELECT finding_name, asset_group, LIST_LENGTH(asset_group) AS group_count FROM findings ORDER BY group_count DESC LIMIT 100 ``` |

These patterns can be adapted to any numeric, date/datetime, or list fields that are available in your project.
