The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic eventtype="qualys_vm_detection_event" STATUS="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID Linux eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup […]
Top 25 Most Vulnerable Systems by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25 Network (F5/Cisco/Firewall) eventtype=qualys_vm_detection_event SEVERITY > 3 | regex […]
Remediation Tracking Trend – Qualys
The following Splunk query will help determine remediation tracking trends within the Qualys Sourcetype: eventtype="qualys_vm_detection_event" | stats count as eachCount | eval STATUS="Total" | table STATUS eachCount | append [| search eventtype="qualys_vm_detection_event" | stats count as eachCount by STATUS | eventstats sum(eachCount) as total | eval fixedPerc=((eachCount/total)*100) | search STATUS=FIXED | table STATUS eachCount ] I take no credit […]
High Severity Vulnerabilities – Qualys
The following Splunk query will show the percentage of high severity vulnerabilities within the Qualys Sourcetype: eventtype="qualys_vm_detection_event" | eval Success=if(SEVERITY>3,1,0) | stats count as total sum(Success) as success | eval Per_high=(success/total)*100 I take no credit for this. These queries were discovered on Tarun Kumar's blog.
New Vulnerabilities Detected Since Last Scan – Qualys
As the title suggests, this Splunk Search will dedup results so you can better see changes in vulnerability detection from scan to scan within the Qualys Sourcetype: eventtype="qualys_vm_detection_event" | dedup QID | stats count by SEVERITY I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Hosts Taking a Long Time to Scan – Qualys
The following Splunk query will show the hosts taking an abnormally lengthy time to scan (helps find that needle in a haystack) within the Qualys Sourcetype: sourcetype="qualys:hostDetection" eventtype=qualys_host_summary_event SCAN_DURATION>1800 | sort -SCAN_DURATION | table IP, DNS, OS, SCAN_DURATION I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Number of Vulnerabilities Detected – Qualys
The following Splunk query will show the number of vulnerabilities detected, of all severities and all types, within the Qualys Sourcetype: eventtype="qualys_vm_detection_event" STATUS="NEW" | dedup QID | stats count by SEVERITY I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Qualys – Number of Hosts Scanned
The following Splunk query will show the number of hosts scanned within the Qualys Sourcetype: eventtype="qualys_vm_detection_event" | eval Success=if(SEVERITY>3,1,0) | stats count as total sum(Success) as success | eval Per_high=(success/total)*100 I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Qualys Hosts not Scanned in 30 days+
The following Splunk Search (query) is for Qualys and will show hosts that have not been scanned in 30 days or more. This query assumes that your index is defined as qualys. index=qualys HOSTVULN earliest=-30d@d STATUS="RE-OPENED" | dedup HOST_ID, QID sortby +_time | join HOST_ID [ search index=qualys HOSTSUMMARY OS="Windows*" NOT "Windows Server*" | where […]
Qualys 30 Day trending of Re-Opened Vulnerabilities
The following Splunk Search (query) is for Qualys and will show a trend over 30 days for re-opened vulnerabilities. This query assumes that your index is defined as qualys. index=qualys HOSTVULN earliest=-30d@d STATUS="RE-OPENED" | dedup HOST_ID, QID sortby +_time | join HOST_ID [ search index=qualys HOSTSUMMARY OS="Windows*" NOT "Windows Server*" | where cidrmatch("10.128.0.0/9", IP) ] […]
Qualys Top 10 Vulnerabilities by Severity
The following Splunk Search (query) is for Qualys and will show the top 10 vulnerabilities by severity as well as a count of devices. sourcetype=qualys_vm_detection HOSTVULN (SEVERITY=3 OR SEVERITY=4 OR SEVERITY=5) TYPE="CONFIRMED" earliest=-30d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [ search sourcetype=qualys_knowledgebase PATCHABLE=1 ] | eval Published=strftime(strptime(PUBLISHED_DATETIME, "%Y-%m-%d"), "%m/%d/%Y") | join HOST_ID […]
Qualys Active OS Vuln Count
The following Splunk Search (query) is for Qualys and will show the vulnerability count for Windows hosts. This query assumes that your index is defined as qualys. index=qualys HOSTVULN (SEVERITY=3 OR SEVERITY=4 OR SEVERITY=5) TYPE="CONFIRMED" earliest=-30d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [ search index=qualys QID_INFO PATCHABLE=1 ] | join HOST_ID [ search […]