Qualys Hosts not Scanned in 30 days+

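The following Splunk search is for Qualys data and will show hosts that have not been scanned in 30 days or more. It assumes that your index is named qualys. As written, it also restricts results to Windows hosts other than Windows Server inside 10.128.0.0/9 and charts the daily count of RE-OPENED QIDs by severity, so adjust the OS and CIDR filters to match your environment.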

index=qualys HOSTVULN earliest=-30d@d STATUS="RE-OPENED" | dedup HOST_ID, QID sortby +_time | join HOST_ID [ search index=qualys HOSTSUMMARY OS="Windows*" NOT "Windows Server*" | where cidrmatch("10.128.0.0/9", IP) ] | timechart span=1d count(QID) by SEVERITY

*DISCLOSURE* – I did not create this query. That credit goes to Jeff Leggett.
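
A search keyed on last-scan time rather than on detections, added here as an example; it is not from the original post or from Jeff Leggett. It assumes that HOSTSUMMARY events carry a LAST_SCAN_DATETIME field in ISO 8601 UTC form (for example 2024-01-15T08:30:00Z); confirm the field name and timestamp format in your own data before relying on it.

```spl
index=qualys HOSTSUMMARY
``` keep only the most recent summary event per host (field names below are assumptions) ```
| stats latest(LAST_SCAN_DATETIME) as last_scan latest(OS) as OS by HOST_ID, IP
``` parse the assumed ISO 8601 timestamp into epoch seconds ```
| eval last_scan_epoch=strptime(last_scan, "%Y-%m-%dT%H:%M:%SZ")
``` stale = never scanned, unparseable timestamp, or last scan older than 30 days ```
| where isnull(last_scan_epoch) OR last_scan_epoch < relative_time(now(), "-30d@d")
| eval days_since_scan=if(isnull(last_scan_epoch), "unknown", round((now() - last_scan_epoch) / 86400))
| sort 0 - last_scan_epoch
| table HOST_ID, IP, OS, last_scan, days_since_scan
```

Run it over a time range long enough to include at least one HOSTSUMMARY event for every host, otherwise hosts that stopped reporting simply drop out of the results instead of appearing as stale.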
