Firewall Archives -

Track Remediation Progress by OS – Qualys

The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic

eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

1	eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d \| dedup HOST_ID, QID \| stats count by QID

Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^((?!\/).)Linux((?!\/).)$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="(F5 Networks Big-IP)\|(^Cisco((?!\/).)*$)\|(Firewall)" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^Windows (2000$\|XP\|7\|8)((?!\/).)*$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^Windows .Server((?!\/).)$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

I take no credit for this. These queries were discovered […]

Continue Reading →

Top 25 Most Vulnerable Systems by OS – Qualys

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^((?!\/).)Linux((?!\/).)$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="(F5 Networks Big-IP)\|(^Cisco((?!\/).)*$)\|(Firewall)" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^Windows (2000$\|XP\|7\|8)((?!\/).)*$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^Windows .Server((?!\/).)$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" \| regex OS="^((?!\/).)Linux((?!\/).)$" \| dedup HOST_ID QID \| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE \| stats count by QID, TITLE, SEVERITY \| sort 25 –count

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" \| regex OS="(F5 Networks Big-IP)\|(^Cisco((?!\/).)*$)\|(Firewall)" \| dedup HOST_ID QID \| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE \| stats count by QID, TITLE, SEVERITY \| sort 25 –count

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" \| regex OS="^Windows (2000$\|XP\|7\|8)((?!\/).)*$" \| dedup HOST_ID QID \| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE \| stats count by QID, TITLE, SEVERITY \| sort 25 –count

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" \| regex OS="^Windows .Server((?!\/).)$" \| dedup HOST_ID QID \| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE \| stats count by QID, TITLE, SEVERITY \| sort 25 –count

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Tag: Firewall

Track Remediation Progress by OS – Qualys

Top 25 Most Vulnerable Systems by OS – Qualys

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys