The following Splunk search queries within the Qualys sourcetype track remediation progress for a variety of operating systems. The queries are separated by operating system or device type:

OS & Device Agnostic
eventtype="qualys_vm_detection_event" STATUS="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

Linux
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup […]
Remediation Tracking Trend – Qualys
The following Splunk query helps determine remediation tracking trends within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" | stats count as eachCount | eval STATUS="Total" | table STATUS eachCount | append [|search eventtype="qualys_vm_detection_event" | stats count as eachCount by STATUS | eventstats sum(eachCount) as total | eval fixedPerc = ((eachCount/total)*100) | search STATUS=FIXED | table STATUS eachCount ]
I take no credit […]
High Severity Vulnerabilities – Qualys
The following Splunk query shows the percentage of high severity vulnerabilities within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" | eval Success=if(SEVERITY > 3, 1, 0) | stats count as total sum(Success) as success | eval Per_high=(success/total)*100
I take no credit for this. These queries were discovered on Tarun Kumar's blog.
New Vulnerabilities Detected Since Last Scan – Qualys
As the title suggests, this Splunk search dedups results so you can better see scan-to-scan changes in vulnerability detection within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" | dedup QID | stats count by SEVERITY
I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Number of Vulnerabilities Detected – Qualys
The following Splunk query shows the number of vulnerabilities detected, across all severities and all types, within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" STATUS="NEW" | dedup QID | stats count by SEVERITY
I take no credit for this. These queries were discovered on Tarun Kumar's blog.