セキュリティデータ構造（NRQLリファレンス）

FROM Entity
SELECT * WHERE type = 'SECURITY_FINDING'

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND status = 'AFFECTED'
  AND severity = 'CRITICAL'
FACET impactedEntity.name

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND status = 'AFFECTED'
  AND cve.id = 'CVE-2024-23944'
FACET impactedEntity.name

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND cve.exploitKnown IS true
FACET impactedEntity.name, cve.id

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND cve.epssPercentile > '0.95'
FACET cve.id

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
FACET source

SELECT impactedEntity
FROM (
  SELECT count(*) AS vulnerableCount
  FROM Entity
  WHERE type = 'SECURITY_FINDING'
    AND severity IN ('CRITICAL', 'HIGH')
  FACET impactedEntity.name AS impactedEntity, severity
)
WHERE (severity = 'HIGH' AND vulnerableCount > 10)
   OR (severity = 'CRITICAL' AND vulnerableCount > 5)

FROM Entity
SELECT uniqueCount(misconfiguration.issueTitle)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
FACET status

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
  AND internalState.active = true
FACET misconfiguration.issueTitle
LIMIT 10

FROM Entity
SELECT uniqueCount(misconfiguration.issueTitle)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
  AND internalState.active = true
  AND severity IN ('CRITICAL', 'HIGH')
FACET aparse(additionalInfo, '%"key":"cloudProviderAccountId","values":["*"]%') AS 'AWS Account ID'
LIMIT 10

FROM Entity
SELECT uniqueCount(misconfiguration.issueTitle)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
  AND internalState.active = true
FACET misconfiguration.normalizedResourceType

FROM Entity
SELECT name, impactedEntity.name, misconfiguration.misconfigurationType
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
  AND internalState.active = true
  AND severity = 'CRITICAL'
  AND misconfiguration.misconfigurationType LIKE 'Effects/Data Exposure'
SINCE 1 day ago

FROM NrAiIncident
SELECT count(*)
WHERE conditionName LIKE '%Security RX%'
FACET priority, state

FROM Vulnerability
SELECT count(*)
WHERE severity = 'CRITICAL'
AND activeRansomware = true
FACET affectedPackage

FROM NrAiIncidentTimeline
SELECT timestamp, event, previousState, newState, changedBy
WHERE event = 'STATUS_CHANGED'
SINCE 7 days ago

SecurityFinding Entity (type = 'SECURITY_FINDING')
    ↓ contains
    ├─ findingType (VULNERABILITY or MISCONFIGURATION)
    ├─ cve (CVE details for vulnerabilities)
    ├─ misconfiguration (Cloud security details)
    └─ impactedEntity (Affected New Relic entity)

Entity (Application/Host)
    ↓ has many
NrAiIncident (Active vulnerabilities)
    ↓ references
Vulnerability (CVE details)
    ↓ has many
NrAiIncidentTimeline (Status history)

FROM NrAiIncident
SELECT entity.name, count(*) as 'Vulnerability Count'
WHERE conditionName LIKE '%Security RX%'
AND state = 'OPEN'
FACET entity.name
SINCE 1 day ago

FROM Entity
SELECT impactedEntity.name, count(*) as 'Vulnerability Count'
WHERE type = 'SECURITY_FINDING'
  AND status = 'AFFECTED'
FACET impactedEntity.name
SINCE 1 day ago

FROM Vulnerability
SELECT entity.name,
       cveId,
       (max(timestamp) - min(timestamp)) / 86400 as 'Days Exposed'
WHERE severity IN ('CRITICAL', 'HIGH')
FACET entity.name, cveId
SINCE 30 days ago

FROM Entity
SELECT impactedEntity.name,
       cve.id,
       (max(findingUpdatedAt) - min(firstDetected)) / 86400 as 'Days Exposed'
WHERE type = 'SECURITY_FINDING'
  AND severity IN ('CRITICAL', 'HIGH')
FACET impactedEntity.name, cve.id
SINCE 30 days ago

FROM NrAiIncidentTimeline
SELECT count(*) as 'Vulnerabilities Resolved'
WHERE event = 'STATUS_CHANGED'
AND newState = 'CLOSED'
FACET weekOf(timestamp)
SINCE 90 days ago

CRITICAL - CVSS 9.0-10.0
HIGH     - CVSS 7.0-8.9
MEDIUM   - CVSS 4.0-6.9
LOW      - CVSS 0.1-3.9
INFO     - CVSS 0.0

OPEN      - Vulnerability currently active
CLOSED    - Vulnerability resolved or fixed
AFFECTED  - Entity is confirmed affected
IGNORED   - Marked as not applicable
NO_LONGER_DETECTED - No longer seen in scans

APM_AGENT            - Detected by New Relic APM agent
INFRASTRUCTURE       - Detected by Infrastructure agent
SNYK                 - Imported from Snyk
AWS_SECURITY_HUB     - Imported from AWS Security Hub
DEPENDABOT           - Imported from GitHub Dependabot
FOSSA                - Imported from FOSSA
TRIVY                - Imported from Trivy
SECURITY_DATA_API    - Sent via API

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND severity IN ('CRITICAL', 'HIGH')
  AND status = 'AFFECTED'
FACET impactedEntity.name

-- Vulnerabilities only
FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'VULNERABILITY'
FACET impactedEntity.type

-- Misconfigurations only
FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
FACET misconfiguration.normalizedResourceType

-- Application vulnerabilities
FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND impactedEntity.type LIKE '%APPLICATION%'
FACET impactedEntity.name

-- Infrastructure vulnerabilities
FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND impactedEntity.type LIKE '%HOST%'
FACET impactedEntity.name

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND source = 'Snyk'
FACET severity

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND firstDetected > ago(7 days)
FACET cve.id, severity