SPL
Qualys Active OS Vuln Count
Description
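The following Splunk search (query) is for Qualys and shows the vulnerability count for Windows hosts, grouped by OS. As written, it counts confirmed, patchable vulnerabilities of severity 3, 4 or 5 from the last 30 days that are not marked FIXED, on Windows hosts other than Windows Server whose IP falls within 10.128.0.0/9. This query assumes that your index is defined as qualys.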
index=qualys HOSTVULN (SEVERITY=3 OR SEVERITY=4 OR SEVERITY=5) TYPE="CONFIRMED" earliest=-30d@d
| dedup HOST_ID, QID
| search STATUS!="FIXED"
| join QID [ search index=qualys QID_INFO PATCHABLE=1 ]
| join HOST_ID [ search index=qualys HOSTSUMMARY: OS="Windows*" NOT "Windows Server*" | where cidrmatch("10.128.0.0/9", IP) ]
| stats count(QID) as #_Vulns by OS
| sort -#_Vulns
| addcoltotals #_Vulns
*DISCLOSURE* - I did not create this query. That credit goes to Jeff Leggett.