Security data structure (NRQL reference)

Security RX stores vulnerability and misconfiguration data in New Relic's database (NRDB), making it queryable using NRQL. This reference guide explains the entity types, attributes, and data structure you can use to build custom queries, dashboards, and alerts.

Entity and event types

Security RX uses the following entity and event types to store security data:

SecurityFinding Entity (Recommended)

The SECURITY_FINDING is a specialized entity type that serves as a generic container for all security issues detected by Security RX. This is the recommended way to query security data in New Relic.

Important: SecurityFinding is queried as an Entity type, not as a traditional event:

FROM Entity
SELECT * WHERE type = 'SECURITY_FINDING'

Understanding findingType

The findingType attribute is the key field for distinguishing the data source:

findingType = 'VULNERABILITY': Indicates a vulnerability finding from sources like APM agents, Infrastructure agents, or third-party scanners (Snyk, Trivy, FOSSA)
findingType = 'MISCONFIGURATION': Indicates a cloud security posture management (CSPM) finding from Security RX Cloud (e.g., from AWS Security Hub, GuardDuty, or Config)

Other findingType values include: LIBRARY_VULNERABILITY, INFRASTRUCTURE_VULNERABILITY, APPLICATION_VULNERABILITY, SYSTEM_VULNERABILITY, SECURITY_EVENT, and OTHER.

Core entity fields

Attribute	Type	Description	Example
`id`	String	Globally unique identifier for this SecurityFinding (targets specific CVE & impacted entity)	"ABC123..."
`type`	String	Entity type - always "SECURITY_FINDING"	"SECURITY_FINDING"
`name`	String	Title of the vulnerability or misconfiguration	"CVE-2024-12345: SQL Injection in library-name"
`scope.id`	String	Account ID where this finding was detected	"1234567"
`scope.type`	String	Scope type - typically "ACCOUNT"	"ACCOUNT"
`metadata.createdAt`	Timestamp	When this entity was created	Unix timestamp
`metadata.updatedAt`	Timestamp	When this entity was last updated	Unix timestamp
`tags`	Array	List of tags applicable to entity (typically empty for SecurityFinding)	[]

Classification fields

Attribute	Type	Description	Example
`vulnerabilityIdentifier`	String	Identifier for aggregating SecurityFindings (usually CVE ID)	"CVE-2024-12345"
`findingType`	String	Top-level type of finding	"VULNERABILITY", "MISCONFIGURATION"
`findingSubType`	String	Sub-type (language for APM vulnerabilities, INFRA_OS_VULNERABILITY or INFRA_PACKAGE_VULNERABILITY for infrastructure)	"java", "INFRA_PACKAGE_VULNERABILITY"
`source`	String	Source of the finding	"New Relic", "Snyk", "AWS Security Hub"

Status and severity fields

Attribute	Type	Description	Values
`severity`	String	Reported severity of the finding	"CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN", "INFO"
`status`	String	Current status of the finding	"AFFECTED", "IGNORED", "NO_LONGER_DETECTED", "UNKNOWN"
`remediation.remediationExists`	Boolean	Whether a remediation exists	true, false
`remediation.upgradeAction`	String	Security RX's suggested upgrade	"Upgrade to version 2.17.1"
`remediation.remediationDetails`	String	Brief remediation text from the source	"Update library to patched version"
`remediation.url`	String	Documentation URL from the source	"https://example.com/security-advisory"

CVE reference fields

For vulnerability findings, the cve object contains detailed CVE information:

Attribute	Type	Description
`cve.id`	String	CVE identifier
`cve.description`	String	CVE description
`cve.cvssScore`	Number	CVSS score
`cve.cvssVector`	String	CVSS vector string
`cve.epssScore`	Number	EPSS exploit probability score
`cve.epssPercentile`	Number	EPSS percentile ranking
`cve.exploitKnown`	Boolean	Whether a known exploit exists
`cve.disclosureUrl`	String	URL where CVE was disclosed
`cve.disclosedAt`	Timestamp	When CVE was disclosed

Misconfiguration fields (Cloud findings)

For misconfiguration findings, the misconfiguration object contains cloud-specific information:

Attribute	Type	Description
`misconfiguration.cloudProvider`	String	Cloud provider
`misconfiguration.issueTitle`	String	Title of the misconfiguration
`misconfiguration.misconfigurationType`	String	Raw finding type from source
`misconfiguration.normalizedResourceType`	String	Simplified resource type (e.g., "S3", "EC2", "RDS")

Impacted entity fields

The impactedEntity object identifies which New Relic entity is affected:

Attribute	Type	Description
`impactedEntity.id`	String	Entity GUID
`impactedEntity.name`	String	Entity name
`impactedEntity.type`	String	Entity type (APM-APPLICATION, INFRA-HOST, etc.)
`impactedEntity.scope.id`	String	Account ID
`impactedEntity.scope.type`	String	Scope type

Timestamp fields

Attribute	Type	Description
`firstDetected`	Timestamp	When the finding was first detected
`findingUpdatedAt`	Timestamp	When the finding was last updated
`lastSeen`	Timestamp	When the finding was last known to be active

UI and internal fields

Attribute	Type	Description
`vulnerabilityUILinks.detailsUrl`	String	Link to details page in Security RX UI
`vulnerabilityUILinks.tabUrl`	String	Link to entity-view in Security RX UI
`internalState.status`	String	Internal status field
`internalState.active`	Boolean	Internal active flag (used in cloud queries)
`entityLookupValue`	String	Internal field (will be hidden in production)
`issueInstanceKey`	String	Internal field (will be hidden in production)
`additionalInfo`	Array of Objects	Additional metadata with key-value pairs (used for cloud account IDs, etc.)

Conseil

Fields marked as "internal" are currently visible in NRDB but may be hidden upon final launch. The internalState.active field is commonly used in cloud misconfiguration queries to filter active findings.

Query examples for vulnerabilities

Count active critical vulnerabilities by entity:

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND status = 'AFFECTED'
  AND severity = 'CRITICAL'
FACET impactedEntity.name

Find entities affected by a specific CVE:

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND status = 'AFFECTED'
  AND cve.id = 'CVE-2024-23944'
FACET impactedEntity.name

Find CVEs with active ransomware campaigns:

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND cve.exploitKnown IS true
FACET impactedEntity.name, cve.id

Find likely exploitable vulnerabilities (high EPSS score):

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND cve.epssPercentile > '0.95'
FACET cve.id

Find reporting sources for your findings:

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
FACET source

Entities with high vulnerability thresholds:

SELECT impactedEntity
FROM (
  SELECT count(*) AS vulnerableCount
  FROM Entity
  WHERE type = 'SECURITY_FINDING'
    AND severity IN ('CRITICAL', 'HIGH')
  FACET impactedEntity.name AS impactedEntity, severity
)
WHERE (severity = 'HIGH' AND vulnerableCount > 10)
   OR (severity = 'CRITICAL' AND vulnerableCount > 5)

Query examples for cloud misconfigurations

Count unique misconfigurations by status:

FROM Entity
SELECT uniqueCount(misconfiguration.issueTitle)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
FACET status

Top 10 most common misconfiguration types:

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
  AND internalState.active = true
FACET misconfiguration.issueTitle
LIMIT 10

Find riskiest AWS accounts:

FROM Entity
SELECT uniqueCount(misconfiguration.issueTitle)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
  AND internalState.active = true
  AND severity IN ('CRITICAL', 'HIGH')
FACET aparse(additionalInfo, '%"key":"cloudProviderAccountId","values":["*"]%') AS 'AWS Account ID'
LIMIT 10

Count misconfigurations by resource type:

FROM Entity
SELECT uniqueCount(misconfiguration.issueTitle)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
  AND internalState.active = true
FACET misconfiguration.normalizedResourceType

Find critical and publicly exposed resources:

FROM Entity
SELECT name, impactedEntity.name, misconfiguration.misconfigurationType
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
  AND internalState.active = true
  AND severity = 'CRITICAL'
  AND misconfiguration.misconfigurationType LIKE 'Effects/Data Exposure'
SINCE 1 day ago

Vulnerability (Custom Event)

Stores detailed vulnerability metadata including CVE information, severity scores, and remediation guidance.

Primary use: Deep dive into vulnerability details and metadata

Key attributes:

Attribute	Type	Description	Example
`cveId`	String	CVE identifier	"CVE-2024-12345"
`severity`	String	CVSS-based severity	"CRITICAL", "HIGH", "MEDIUM", "LOW"
`cvssScore`	Number	CVSS numeric score	9.8
`epssScore`	Number	EPSS exploit probability	0.95
`epssPercentile`	Number	EPSS percentile ranking	98.5
`activeRansomware`	Boolean	Used in known ransomware campaigns	`true`, `false`
`affectedPackage`	String	Vulnerable library/package name	"log4j-core"
`affectedVersion`	String	Vulnerable package version	"2.14.0"
`fixedVersion`	String	Version with fix	"2.17.1"
`entityGuid`	String	Affected entity GUID	"ABC123..."
`source`	String	Detection source	"APM_AGENT", "SNYK", "AWS_SECURITY_HUB"

Query example:

FROM Vulnerability
SELECT count(*)
WHERE severity = 'CRITICAL'
AND activeRansomware = true
FACET affectedPackage

Common attributes across event types

These attributes appear across multiple event types:

Entity identification

Attribute	Description
`entity.guid`	Unique identifier for the affected entity
`entity.name`	Human-readable entity name
`entity.type`	Entity type (APPLICATION, HOST, SERVICE)
`accountId`	New Relic account ID

Timestamps

Attribute	Description
`timestamp`	When the event occurred
`detectedAt`	When vulnerability was first detected
`updatedAt`	Last update timestamp
`resolvedAt`	When vulnerability was marked resolved

Source tracking

Attribute	Description
`source`	Data source (APM_AGENT, INFRASTRUCTURE, SNYK, etc.)
`sourceId`	Unique ID from source system
`integrationName`	Integration that provided data

Data relationships

Understanding how data types relate to each other:

SecurityFinding Entity (type = 'SECURITY_FINDING')
    ↓ contains
    ├─ findingType (VULNERABILITY or MISCONFIGURATION)
    ├─ cve (CVE details for vulnerabilities)
    ├─ misconfiguration (Cloud security details)
    └─ impactedEntity (Affected New Relic entity)

Query patterns

For query patterns using SecurityFinding Entity, see the Query examples sections above.

Attribute types and formats

Severity values

CRITICAL - CVSS 9.0-10.0
HIGH     - CVSS 7.0-8.9
MEDIUM   - CVSS 4.0-6.9
LOW      - CVSS 0.1-3.9
INFO     - CVSS 0.0

State values

OPEN      - Vulnerability currently active
CLOSED    - Vulnerability resolved or fixed
AFFECTED  - Entity is confirmed affected
IGNORED   - Marked as not applicable
NO_LONGER_DETECTED - No longer seen in scans

Source values

APM_AGENT            - Detected by New Relic APM agent
INFRASTRUCTURE       - Detected by Infrastructure agent
SNYK                 - Imported from Snyk
AWS_SECURITY_HUB     - Imported from AWS Security Hub
DEPENDABOT           - Imported from GitHub Dependabot
FOSSA                - Imported from FOSSA
TRIVY                - Imported from Trivy
SECURITY_DATA_API    - Sent via API

Querying tips

Filter by severity (Modern approach)

Findings are prioritized based on severity:

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND severity IN ('CRITICAL', 'HIGH')
  AND status = 'AFFECTED'
FACET impactedEntity.name

Filter by finding type

Separate vulnerabilities from misconfigurations:

-- Vulnerabilities only
FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'VULNERABILITY'
FACET impactedEntity.type

-- Misconfigurations only
FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
FACET misconfiguration.normalizedResourceType

Filter by entity type

Separate application from infrastructure vulnerabilities:

-- Application vulnerabilities
FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND impactedEntity.type LIKE '%APPLICATION%'
FACET impactedEntity.name

-- Infrastructure vulnerabilities
FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND impactedEntity.type LIKE '%HOST%'
FACET impactedEntity.name

Filter by detection source

Query findings from specific integrations:

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND source = 'Snyk'
FACET severity

Time-based filtering

Find recently detected findings:

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND firstDetected > ago(7 days)
FACET cve.id, severity

Building custom dashboards

Use SecurityFinding Entity to create comprehensive security dashboards:

Executive dashboard - High-level security metrics across all finding types

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND status = 'AFFECTED'
FACET severity, findingType

Vulnerability trends - Track vulnerability detection over time

FROM Entity
SELECT count(*)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'VULNERABILITY'
FACET weekOf(firstDetected)
SINCE 90 days ago

Cloud security posture - Monitor cloud misconfigurations

FROM Entity
SELECT uniqueCount(misconfiguration.issueTitle)
WHERE type = 'SECURITY_FINDING'
  AND findingType = 'MISCONFIGURATION'
FACET misconfiguration.cloudProvider, severity

Entity security posture - Per-entity security views

FROM Entity
SELECT count(*) AS 'Findings'
WHERE type = 'SECURITY_FINDING'
  AND status = 'AFFECTED'
FACET impactedEntity.name, severity

For more query examples, see Security data query examples.

Legacy dashboard approaches

For backward compatibility, you can still use the legacy event type (Vulnerability), but we recommend migrating to SecurityFinding Entity for new dashboards.

What's next?

Query examples

Ready-to-use NRQL queries for common security scenarios

Set up alerts

Create NRQL-based alerts for vulnerabilities

Manage vulnerability status

Change vulnerability status and track remediation