Skip to content

Qualys Vulnerability Management

Qualys Vulnerability Management

About

Qualys VMDR offers an all-inclusive risk-based vulnerability management solution to prioritize vulnerabilities and assets based on risk and business criticality. VMDR seamlessly integrates with configuration management databases (CMDB) and patch management solutions to quickly discover, prioritize, and automatically remediate vulnerabilities at scale to reduce risk.

Product Details

Vendor URL: Qualys Vulnerability Management

Product Type: Vulnerability Management

Product Tier: Tier II

Integration Method: Custom

Integration URL: Not available

Log Guide: N\A

Parser Details

Log Format: JSON, CSV

Expected Normalization Rate: NN%

Data Label: QUALYS_VM

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
LastVMAuthScanDuration additional.fields["LastVMAuthScanDuration"]
LastVMScanDuration additional.fields["LastVMScanDuration"]
Netbios additional.fields["NETBIOS"]
HOST.NETBIOS additional.fields["HOST NETBIOS"]
HOST.QG_HOSTID additional.fields["HOST QG_HOSTID"]
HOST.TRACKING_METHOD additional.fields["HOST TRACKING_METHOD"]
TRACKING_METHOD additional.fields["TRACKING_METHOD"]
NetworkID additional.fields["NetworkID"]
Detection status extensions.vulns.vulnerabilities.about.labels.key
DETECTION.STATUS extensions.vulns.vulnerabilities.about.labels.value
Detection type extensions.vulns.vulnerabilities.about.labels.key
DETECTION.TYPE extensions.vulns.vulnerabilities.about.labels.value
DETECTION.RESULTS extensions.vulns.vulnerabilities.about.description
DETECTION.FIRST_FOUND_DATETIME extensions.vulns.vulnerabilities.first_found
DETECTION.LAST_FOUND_DATETIME extensions.vulns.vulnerabilities.last_found
HOST.LAST_SCAN_DATETIME extensions.vulns.vulnerabilities.start_time
HOST.LAST_VM_SCANNED_DATE extensions.vulns.vulnerabilities.end_time
DETECTION.QID extensions.vulns.vulnerabilities.name
LOW, MEDIUM, HIGH extensions.vulns.vulnerabilities.severity
HOST.ID, ID metadata.product_log_id
Vulnerability Management metadata.product_name
Qualys metadata.vendor_name
DETECTION.RESULTS network.ip_protocol
HOST_ID, HOST.ASSET_ID, QgHostID principal.asset_id
HOST.DNS_DATA.DOMAIN, DNSData.DOMAIN principal.domain.name
DNS principal.hostname
IP, HOST.IP principal.ip
LINUX, WINDOWS, MAC principal.platform
OS, HOST.OS principal.platform_version
DETECTION.RESULTS principal.port

Product Event Types

Event UDM Event Classification
scan SCAN_VULN_HOST
update STATUS_UPDATE
all others GENERIC_EVENT

Log Sample

{"HOST":{"ID":123456,"ASSET_ID":123456,"IP":"10.168.1.84","QG_HOSTID":"123456","TRACKING_METHOD":"AGENT","OS":"Windows 11 Enterprise 64 bit Edition Version 22H2","DNS":"website.domain.com","DNS_DATA":{"HOSTNAME":"host1","DOMAIN":"domain.com","FQDN":"host1.domain.com"},"NETBIOS":"NB000000","LAST_SCAN_DATETIME":"2023-07-31T19:48:44Z","LAST_VM_SCANNED_DATE":"2023-07-31T19:43:07Z","LAST_VM_SCANNED_DURATION":1696,"LAST_VM_AUTH_SCANNED_DATE":"2023-07-31T19:43:07Z","LAST_VM_AUTH_SCANNED_DURATION":1696,"TAGS\u003eTAG":[{"NAME":"Cloud Agent","TAG_ID":"123456"},{"NAME":"Windows OS","TAG_ID":"123456"},{"NAME":"ALL Tenant1 Assets","TAG_ID":"123456"},{"NAME":"Windows 11","TAG_ID":"123456"},{"NAME":"DigiCert Trusted Root G4 certificate","TAG_ID":"123456"},{"NAME":"Unreachable Assets","TAG_ID":"123456"},{"NAME":"[Secure Config] Chrome Browser","TAG_ID":"123456"},{"NAME":"[Secure Config] Edge Browser","TAG_ID":"123456"},{"NAME":"[Secure Config] Internet Explorer Browser","TAG_ID":"123456"},{"NAME":"[Secure Config] Firefox - Windows Workstations","TAG_ID":"123456"},{"NAME":"Crowdstrike","TAG_ID":"123456"},{"NAME":"Snow","TAG_ID":"123456"},{"NAME":"SCCM","TAG_ID":"123456"}]},"DETECTION":{"QID":123456,"TYPE":"Confirmed","SEVERITY":4,"RESULTS":"HKLM\\Software\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing. \nHKLM\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing.","STATUS":"Active","FIRST_FOUND_DATETIME":"2023-04-07T03:40:23Z","LAST_FOUND_DATETIME":"2023-07-31T19:43:07Z","LAST_TEST_DATETIME":"2023-07-31T19:43:07Z","LAST_UPDATE_DATETIME":"2023-07-31T19:48:44Z","LAST_PROCESSED_DATETIME":"2023-07-31T19:48:44Z","FIRST_REOPENED_DATETIME":"2023-04-08T05:33:28Z","LAST_REOPENED_DATETIME":"2023-06-17T03:14:46Z","TIMES_FOUND":686,"TIMES_REOPENED":6}}

Sample Parsing

metadata.product_log_id = "123456"
metadata.event_timestamp = 2023-07-31T21:32:37Z
metadata.event_type = SCAN_VULN_HOST
metadata.vendor_name = "Qualys"
metadata.product_name = "Vulnerability Management"
additional.fields["HOST NETBIOS"] = "NB000000"
additional.fields["HOST QG_HOSTID"] = "123456"
additional.fields["HOST TRACKING_METHOD"] = "AGENT"
principal.hostname = "website.domain.com"
principal.domain.name = "domain.com"
principal.asset_id = "QUALYS:123456"
principal.ip = "10.168.1.84"
principal.platform = WINDOWS
extensions.vulns.vulnerabilities[0].about.labels.key = "Detection type"
extensions.vulns.vulnerabilities[0].about.labels.value = "Confirmed"
extensions.vulns.vulnerabilities[0].about.labels.key = "Detection status"
extensions.vulns.vulnerabilities[0].about.labels.value = "Active"
extensions.vulns.vulnerabilities[0].name = "QID = 123456"
extensions.vulns.vulnerabilities[0].description = "HKLM\\Software\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing. \nHKLM\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing."
extensions.vulns.vulnerabilities[0].scan_start_time.seconds = 2023-07-31T19:48:44Z
extensions.vulns.vulnerabilities[0].scan_end_time.seconds = 2023-07-31T19:43:07Z
extensions.vulns.vulnerabilities[0].first_found.seconds = 2023-07-31T09:40:23Z
extensions.vulns.vulnerabilities[0].last_found.seconds = 2023-07-31T19:43:07Z