Qualys Continuous Monitoring
About
Qualys Continuous Monitoring lets you see your perimeter the way hackers do — directly from the Internet — and acts as a sentinel in the cloud, constantly watching your network for changes that could put you at risk. Qualys CM automates monitoring of your global perimeter, tracking systems in your global network, wherever they are.
Product Details
Vendor URL: Qualys Continuous Monitoring
Product Type: Network Monitoring
Product Tier: Tier II
Integration Method: Custom
Log Guide: N/A
Parser Details
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: QUALYS_CONTINUOUS_MONITORING
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| appName | principal.application |
| appVersion | metadata.product_version |
| eventType | metadata.product_event_type |
| hostname | principal.hostname |
| id | security_result.threat_id |
| ipAddress | principal.ip |
| operatingSystem | principal.platform_version |
| port | principal.port |
| profile.id | additional.fields |
| protocol | network.ip_protocol |
| service | network.application_protocol |
| source | metadata.description |
| sslIssuer | network.tls.client.certificate.issuer |
| sslName | additional.fields |
| sslOrg | additional.fields |
| ticketId | additional.fields |
| triggerUuid | metadata.product_log_id |
| vpeConfidence | additional.fields |
| vpeStatus | additional.fields |
| vulnTitle | security_result.summary |
Product Event Types

| type,subtype | UDM Event Classification |
|---|---|
| General | GENERIC_EVENT |
Log Sample
{"Alert":{"id":12345678,"source":"REMEDIATION","eventType":"HOST_FOUND","qid":0,"triggerUuid":"a12b345c-1a23-1234-a123-12345a6b1234","vulnTitle":"Installed Applications Enumerated From Windows Installer","vulnSeverity":0,"vulnType":"Configuration File","vulnCategory":"Ig","ipAddress":"10.xxx.xxx.xxx","hostname":"hostname.np.domain.com","isHidden":"false","eventDate":"2023-06-08T14:27:16Z","alertDate":"2023-06-08T14:27:16Z","profile":{"id":123456,"title":"Test CM"},"alertInfo":{"operatingSystem":"EulerOS / Ubuntu / Fedora / Tiny Core Linux / Linux 3.x / IBM / FortiSOAR","port":20,"protocol":"udp","service":"ssh","appName":"CrowdStrike Sensor Platform","appVersion":"6.54.16812.0","sslName":"name","sslOrg":"org","sslIssuer":"issuer","ticketId":0,"ticketState":"","vpeConfidence":"","vpeStatus":""}}}
Sample Parsing
metadata.description = "REMEDIATION"
metadata.product_event_type = "HOST_FOUND"
metadata.product_log_id = "a12b345c-1a23-1234-a123-12345a6b1234"
metadata.product_version = "6.54.16812.0"
security_result.threat_id = "12345678"
security_result.summary = "Installed Applications Enumerated From Windows Installer"
principal.ip = "10.xxx.xxx.xxx"
principal.hostname = "hostname"
principal.administrative_domain = "np.domain.com"
principal.port = 20
principal.application = "CrowdStrike Sensor Platform"
principal.platform_version = "EulerOS / Ubuntu / Fedora / Tiny Core Linux / Linux 3.x / IBM / FortiSOAR"
network.ip_protocol = UDP
network.application_protocol = SSH
network.tls.client.certificate.issuer = "issuer"
additional.fields["Profile Id"] = "123456"
additional.fields["Vulnerability Type"] = "Configuration File"
additional.fields["Vulnerability Category"] = "Ig"
additional.fields["Profile Title"] = "Test CM"
additional.fields["SSL Name"] = "name"
additional.fields["SSL Org"] = "org"
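The following Python is an added illustration of the mapping documented above; it is not the product's own parser. It takes the Log Sample as constructed input and produces the UDM fields shown in the Sample Parsing section: the numeric alert id becomes a string threat id, the FQDN is split into hostname and administrative domain, protocol and service names are upper-cased into enum values, and fields without a first-class UDM slot are written to labelled additional.fields. The labels "Ticket Id", "VPE Confidence" and "VPE Status", and the rule that empty strings and a ticketId of 0 are treated as absent, are assumptions made here because the page does not show those values populated.

```python
import json

# Constructed input: the Qualys CM alert from the Log Sample above (placeholder values as on the page).
SAMPLE_LOG = (
    '{"Alert":{"id":12345678,"source":"REMEDIATION","eventType":"HOST_FOUND","qid":0,'
    '"triggerUuid":"a12b345c-1a23-1234-a123-12345a6b1234",'
    '"vulnTitle":"Installed Applications Enumerated From Windows Installer","vulnSeverity":0,'
    '"vulnType":"Configuration File","vulnCategory":"Ig","ipAddress":"10.xxx.xxx.xxx",'
    '"hostname":"hostname.np.domain.com","isHidden":"false","eventDate":"2023-06-08T14:27:16Z",'
    '"alertDate":"2023-06-08T14:27:16Z","profile":{"id":123456,"title":"Test CM"},'
    '"alertInfo":{"operatingSystem":"EulerOS / Ubuntu / Fedora / Tiny Core Linux / Linux 3.x / IBM / FortiSOAR",'
    '"port":20,"protocol":"udp","service":"ssh","appName":"CrowdStrike Sensor Platform",'
    '"appVersion":"6.54.16812.0","sslName":"name","sslOrg":"org","sslIssuer":"issuer",'
    '"ticketId":0,"ticketState":"","vpeConfidence":"","vpeStatus":""}}}'
)

# Direct mappings from the UDM Fields table: top-level Alert keys and alertInfo keys.
ALERT_FIELDS = {
    "source": "metadata.description",
    "eventType": "metadata.product_event_type",
    "triggerUuid": "metadata.product_log_id",
    "ipAddress": "principal.ip",
    "vulnTitle": "security_result.summary",
}
INFO_FIELDS = {
    "appName": "principal.application",
    "appVersion": "metadata.product_version",
    "operatingSystem": "principal.platform_version",
    "port": "principal.port",
    "sslIssuer": "network.tls.client.certificate.issuer",
}
# Labels for additional.fields, following the Sample Parsing section where it shows them.
ADDITIONAL_LABELS = {
    ("alert", "vulnType"): "Vulnerability Type",
    ("alert", "vulnCategory"): "Vulnerability Category",
    ("profile", "id"): "Profile Id",
    ("profile", "title"): "Profile Title",
    ("info", "sslName"): "SSL Name",
    ("info", "sslOrg"): "SSL Org",
    ("info", "ticketId"): "Ticket Id",            # label is an assumption, not shown on the page
    ("info", "vpeConfidence"): "VPE Confidence",  # label is an assumption
    ("info", "vpeStatus"): "VPE Status",          # label is an assumption
}


def split_hostname(fqdn):
    """Split 'host.sub.example.com' into ('host', 'sub.example.com').

    A bare hostname yields an empty administrative domain instead of failing,
    so the event still normalizes (the page advertises a near-100% rate).
    """
    host, sep, domain = fqdn.partition(".")
    return host, (domain if sep else "")


def is_populated(value):
    """Assumption: empty strings, None and the 0 used as 'no ticket' count as absent."""
    return value not in ("", 0, None)


def normalize_alert(raw_json):
    """Map one Qualys CM alert (JSON text) onto the UDM fields listed on this page."""
    alert = json.loads(raw_json)["Alert"]
    info = alert.get("alertInfo", {})
    profile = alert.get("profile", {})
    sections = {"alert": alert, "info": info, "profile": profile}

    udm = {}
    for key, field in ALERT_FIELDS.items():
        if is_populated(alert.get(key)):
            udm[field] = alert[key]
    for key, field in INFO_FIELDS.items():
        if is_populated(info.get(key)):
            udm[field] = info[key]

    # The numeric alert id is carried as a string threat id.
    if alert.get("id") is not None:
        udm["security_result.threat_id"] = str(alert["id"])

    # The FQDN is split into hostname and administrative domain.
    if alert.get("hostname"):
        host, domain = split_hostname(alert["hostname"])
        udm["principal.hostname"] = host
        if domain:
            udm["principal.administrative_domain"] = domain

    # Protocol and service names are emitted as upper-case UDM enum values.
    if is_populated(info.get("protocol")):
        udm["network.ip_protocol"] = info["protocol"].upper()
    if is_populated(info.get("service")):
        udm["network.application_protocol"] = info["service"].upper()

    # Everything without a first-class UDM field goes into labelled additional.fields.
    extra = {}
    for (section, key), label in ADDITIONAL_LABELS.items():
        value = sections[section].get(key)
        if is_populated(value):
            extra[label] = str(value)
    udm["additional.fields"] = extra
    return udm


if __name__ == "__main__":
    for field, value in normalize_alert(SAMPLE_LOG).items():
        print(f"{field} = {value!r}")
```

Running the block prints one line per UDM field; the output matches the Sample Parsing section, and the three empty alertInfo values plus ticketId 0 are dropped rather than emitted as blank additional.fields entries.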
Rules
Coming Soon