# Qualys Vulnerability Management

## About
Qualys VMDR offers an all-inclusive risk-based vulnerability management solution to prioritize vulnerabilities and assets based on risk and business criticality. VMDR seamlessly integrates with configuration management databases (CMDB) and patch management solutions to quickly discover, prioritize, and automatically remediate vulnerabilities at scale to reduce risk.
## Product Details
Vendor URL: Qualys Vulnerability Management
Product Type: Vulnerability Management
Product Tier: Tier II
Integration Method: Custom
Integration URL: Not available
Log Guide: N/A

## Parser Details

Log Format: JSON, CSV
Expected Normalization Rate: NN%
Data Label: QUALYS_VM

UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| LastVMAuthScanDuration | additional.fields["LastVMAuthScanDuration"] |
| LastVMScanDuration | additional.fields["LastVMScanDuration"] |
| Netbios | additional.fields["NETBIOS"] |
| HOST.NETBIOS | additional.fields["HOST NETBIOS"] |
| HOST.QG_HOSTID | additional.fields["HOST QG_HOSTID"] |
| HOST.TRACKING_METHOD | additional.fields["HOST TRACKING_METHOD"] |
| TRACKING_METHOD | additional.fields["TRACKING_METHOD"] |
| NetworkID | additional.fields["NetworkID"] |
| Detection status | extensions.vulns.vulnerabilities.about.labels.key |
| DETECTION.STATUS | extensions.vulns.vulnerabilities.about.labels.value |
| Detection type | extensions.vulns.vulnerabilities.about.labels.key |
| DETECTION.TYPE | extensions.vulns.vulnerabilities.about.labels.value |
| DETECTION.RESULTS | extensions.vulns.vulnerabilities.about.description |
| DETECTION.FIRST_FOUND_DATETIME | extensions.vulns.vulnerabilities.first_found |
| DETECTION.LAST_FOUND_DATETIME | extensions.vulns.vulnerabilities.last_found |
| HOST.LAST_SCAN_DATETIME | extensions.vulns.vulnerabilities.start_time |
| HOST.LAST_VM_SCANNED_DATE | extensions.vulns.vulnerabilities.end_time |
| DETECTION.QID | extensions.vulns.vulnerabilities.name |
| LOW, MEDIUM, HIGH | extensions.vulns.vulnerabilities.severity |
| HOST.ID, ID | metadata.product_log_id |
| Vulnerability Management | metadata.product_name |
| Qualys | metadata.vendor_name |
| DETECTION.RESULTS | network.ip_protocol |
| HOST_ID, HOST.ASSET_ID, QgHostID | principal.asset_id |
| HOST.DNS_DATA.DOMAIN, DNSData.DOMAIN | principal.domain.name |
| DNS | principal.hostname |
| IP, HOST.IP | principal.ip |
| LINUX, WINDOWS, MAC | principal.platform |
| OS, HOST.OS | principal.platform_version |
| DETECTION.RESULTS | principal.port |
## Product Event Types

| Event | UDM Event Classification |
|---|---|
| scan | SCAN_VULN_HOST |
| update | STATUS_UPDATE |
| all others | GENERIC_EVENT |
## Log Sample

```json
{
  "HOST": {
    "ID": 123456,
    "ASSET_ID": 123456,
    "IP": "10.168.1.84",
    "QG_HOSTID": "123456",
    "TRACKING_METHOD": "AGENT",
    "OS": "Windows 11 Enterprise 64 bit Edition Version 22H2",
    "DNS": "website.domain.com",
    "DNS_DATA": {
      "HOSTNAME": "host1",
      "DOMAIN": "domain.com",
      "FQDN": "host1.domain.com"
    },
    "NETBIOS": "NB000000",
    "LAST_SCAN_DATETIME": "2023-07-31T19:48:44Z",
    "LAST_VM_SCANNED_DATE": "2023-07-31T19:43:07Z",
    "LAST_VM_SCANNED_DURATION": 1696,
    "LAST_VM_AUTH_SCANNED_DATE": "2023-07-31T19:43:07Z",
    "LAST_VM_AUTH_SCANNED_DURATION": 1696,
    "TAGS\u003eTAG": [
      {"NAME": "Cloud Agent", "TAG_ID": "123456"},
      {"NAME": "Windows OS", "TAG_ID": "123456"},
      {"NAME": "ALL Tenant1 Assets", "TAG_ID": "123456"},
      {"NAME": "Windows 11", "TAG_ID": "123456"},
      {"NAME": "DigiCert Trusted Root G4 certificate", "TAG_ID": "123456"},
      {"NAME": "Unreachable Assets", "TAG_ID": "123456"},
      {"NAME": "[Secure Config] Chrome Browser", "TAG_ID": "123456"},
      {"NAME": "[Secure Config] Edge Browser", "TAG_ID": "123456"},
      {"NAME": "[Secure Config] Internet Explorer Browser", "TAG_ID": "123456"},
      {"NAME": "[Secure Config] Firefox - Windows Workstations", "TAG_ID": "123456"},
      {"NAME": "Crowdstrike", "TAG_ID": "123456"},
      {"NAME": "Snow", "TAG_ID": "123456"},
      {"NAME": "SCCM", "TAG_ID": "123456"}
    ]
  },
  "DETECTION": {
    "QID": 123456,
    "TYPE": "Confirmed",
    "SEVERITY": 4,
    "RESULTS": "HKLM\\Software\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing. \nHKLM\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing.",
    "STATUS": "Active",
    "FIRST_FOUND_DATETIME": "2023-04-07T03:40:23Z",
    "LAST_FOUND_DATETIME": "2023-07-31T19:43:07Z",
    "LAST_TEST_DATETIME": "2023-07-31T19:43:07Z",
    "LAST_UPDATE_DATETIME": "2023-07-31T19:48:44Z",
    "LAST_PROCESSED_DATETIME": "2023-07-31T19:48:44Z",
    "FIRST_REOPENED_DATETIME": "2023-04-08T05:33:28Z",
    "LAST_REOPENED_DATETIME": "2023-06-17T03:14:46Z",
    "TIMES_FOUND": 686,
    "TIMES_REOPENED": 6
  }
}
```
## Sample Parsing

```
metadata.product_log_id = "123456"
metadata.event_timestamp = 2023-07-31T21:32:37Z
metadata.event_type = SCAN_VULN_HOST
metadata.vendor_name = "Qualys"
metadata.product_name = "Vulnerability Management"
additional.fields["HOST NETBIOS"] = "NB000000"
additional.fields["HOST QG_HOSTID"] = "123456"
additional.fields["HOST TRACKING_METHOD"] = "AGENT"
principal.hostname = "website.domain.com"
principal.domain.name = "domain.com"
principal.asset_id = "QUALYS:123456"
principal.ip = "10.168.1.84"
principal.platform = WINDOWS
extensions.vulns.vulnerabilities[0].about.labels.key = "Detection type"
extensions.vulns.vulnerabilities[0].about.labels.value = "Confirmed"
extensions.vulns.vulnerabilities[0].about.labels.key = "Detection status"
extensions.vulns.vulnerabilities[0].about.labels.value = "Active"
extensions.vulns.vulnerabilities[0].name = "QID = 123456"
extensions.vulns.vulnerabilities[0].description = "HKLM\\Software\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing. \nHKLM\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing."
extensions.vulns.vulnerabilities[0].scan_start_time.seconds = 2023-07-31T19:48:44Z
extensions.vulns.vulnerabilities[0].scan_end_time.seconds = 2023-07-31T19:43:07Z
extensions.vulns.vulnerabilities[0].first_found.seconds = 2023-07-31T09:40:23Z
extensions.vulns.vulnerabilities[0].last_found.seconds = 2023-07-31T19:43:07Z
```
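The following Python is an added example, not code from this page, from Qualys, or from the vendor's parser: it applies the field mappings documented in the UDM Fields table to the Log Sample above and produces the documented Sample Parsing values, so a detection engineer can check a mapping change against a known record before it reaches the SIEM. Three things are assumptions because the page does not specify them: the substring rule that derives `principal.platform` from the free-text OS string, the rule that a record carrying a `DETECTION` block is a scan event (`SCAN_VULN_HOST`) and anything else is `GENERIC_EVENT`, and the omission of `severity` and `metadata.event_timestamp`, which are not derivable from the documented mapping. The embedded sample is the page's own log sample trimmed to the fields the parser maps; `normalize`, `platform_from_os` and `normalize_sample` are names chosen here.

```python
import json

# The page's Log Sample, trimmed to the HOST and DETECTION fields the
# documented parser maps (the TAGS list is not mapped, so it is dropped).
SAMPLE_LOG = r'''{"HOST":{"ID":123456,"ASSET_ID":123456,"IP":"10.168.1.84","QG_HOSTID":"123456","TRACKING_METHOD":"AGENT","OS":"Windows 11 Enterprise 64 bit Edition Version 22H2","DNS":"website.domain.com","DNS_DATA":{"HOSTNAME":"host1","DOMAIN":"domain.com","FQDN":"host1.domain.com"},"NETBIOS":"NB000000","LAST_SCAN_DATETIME":"2023-07-31T19:48:44Z","LAST_VM_SCANNED_DATE":"2023-07-31T19:43:07Z"},"DETECTION":{"QID":123456,"TYPE":"Confirmed","SEVERITY":4,"RESULTS":"HKLM\\Software\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing. \nHKLM\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config EnableCertPaddingCheck is missing.","STATUS":"Active","FIRST_FOUND_DATETIME":"2023-04-07T03:40:23Z","LAST_FOUND_DATETIME":"2023-07-31T19:43:07Z"}}'''

# Substrings used to derive principal.platform from the free-text OS field.
# Assumption: the page lists only the target values, not the matching rule.
_PLATFORM_HINTS = (("windows", "WINDOWS"), ("linux", "LINUX"), ("mac", "MAC"))


def platform_from_os(os_name):
    """Return the UDM platform enum for a Qualys OS string, or None if unknown."""
    lowered = (os_name or "").lower()
    for needle, udm_value in _PLATFORM_HINTS:
        if needle in lowered:
            return udm_value
    return None


def _put(udm, key, value):
    """Set a UDM field only when the source value is present (empties are dropped)."""
    if value not in (None, ""):
        udm[key] = value


def normalize(record):
    """Map one Qualys host-detection JSON record onto the documented UDM fields.

    Returns a flat dict keyed by UDM path; repeated fields are lists.
    Assumption: a DETECTION block marks a scan result (SCAN_VULN_HOST);
    anything else falls through to GENERIC_EVENT.
    """
    host = record.get("HOST") or {}
    detection = record.get("DETECTION") or {}
    dns_data = host.get("DNS_DATA") or {}

    udm = {
        "metadata.vendor_name": "Qualys",
        "metadata.product_name": "Vulnerability Management",
        "metadata.event_type": "SCAN_VULN_HOST" if detection else "GENERIC_EVENT",
    }
    if host.get("ID") is not None:
        udm["metadata.product_log_id"] = str(host["ID"])

    # Host identifiers with no dedicated UDM field go to additional.fields.
    extra = {}
    for src, label in (("NETBIOS", "HOST NETBIOS"),
                       ("QG_HOSTID", "HOST QG_HOSTID"),
                       ("TRACKING_METHOD", "HOST TRACKING_METHOD")):
        _put(extra, label, host.get(src))
    if extra:
        udm["additional.fields"] = extra

    _put(udm, "principal.hostname", host.get("DNS"))
    _put(udm, "principal.domain.name", dns_data.get("DOMAIN"))
    if host.get("ASSET_ID") is not None:
        udm["principal.asset_id"] = f"QUALYS:{host['ASSET_ID']}"
    _put(udm, "principal.ip", host.get("IP"))
    _put(udm, "principal.platform", platform_from_os(host.get("OS")))
    _put(udm, "principal.platform_version", host.get("OS"))

    if not detection:
        return udm

    # One vulnerability entry per record, built from DETECTION plus the
    # host-level scan timestamps, exactly as the mapping table pairs them.
    vuln = {}
    labels = []
    for label, src in (("Detection type", "TYPE"), ("Detection status", "STATUS")):
        if detection.get(src):
            labels.append({"key": label, "value": detection[src]})
    if labels:
        vuln["about.labels"] = labels
    if detection.get("QID") is not None:
        vuln["name"] = f"QID = {detection['QID']}"
    _put(vuln, "description", detection.get("RESULTS"))
    _put(vuln, "scan_start_time", host.get("LAST_SCAN_DATETIME"))
    _put(vuln, "scan_end_time", host.get("LAST_VM_SCANNED_DATE"))
    _put(vuln, "first_found", detection.get("FIRST_FOUND_DATETIME"))
    _put(vuln, "last_found", detection.get("LAST_FOUND_DATETIME"))
    udm["extensions.vulns.vulnerabilities"] = [vuln]
    return udm


def normalize_sample():
    """Parse and normalize the embedded page sample."""
    return normalize(json.loads(SAMPLE_LOG))


if __name__ == "__main__":
    print(json.dumps(normalize_sample(), indent=2))
```

Running the block prints the normalized record; comparing it with the Sample Parsing block is a quick regression check for a parser change. Note that `first_found` comes out as the `FIRST_FOUND_DATETIME` value present in the log, and that a record without a `DETECTION` block still yields the host and metadata fields with `GENERIC_EVENT` rather than failing.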
## Rules
Coming Soon