Wednesday 13 July 2016

Splunk Queries for Qualys

Once the Qualys App is installed in Splunk and the API communication for the feeds is set up,
we can run the search queries below to get the required data, so you don't have to log in to Qualys every time :-)

Queries for KPIs that will change over time

1. No. of hosts scanned (distinct HOST_ID values in the detection feed)
eventtype="qualys_vm_detection_event" | stats dc(HOST_ID) as hosts_scanned

2. No. of vulnerabilities detected (all severities, all statuses; unique QIDs per severity)
eventtype="qualys_vm_detection_event" | dedup QID | stats count by SEVERITY

3. No. of hosts taking longer to scan - to count the culprit hosts that add the most time to a scan
sourcetype="qualys:hostDetection" eventtype=qualys_host_summary_event SCAN_DURATION > 1800 | stats dc(IP) as slow_hosts

4. Details of the culprit hosts taking longer to scan
sourcetype="qualys:hostDetection" eventtype=qualys_host_summary_event SCAN_DURATION > 1800 | sort -SCAN_DURATION | table IP, DNS, OS, SCAN_DURATION

5. New vulns detected in the last scan (STATUS="NEW", unique QIDs per severity)
eventtype="qualys_vm_detection_event" STATUS="NEW" | dedup QID | stats count by SEVERITY

6. % contribution of high-severity vulns (SEVERITY > 3) to total detections
eventtype="qualys_vm_detection_event" | eval Success=if(SEVERITY>3,1,0) | stats count as total sum(Success) as success | eval Per_high=(success/total)*100

7. Query for tracking the overall remediation trend (total detections vs. FIXED detections and the fixed percentage)
eventtype="qualys_vm_detection_event" | stats count as eachCount | eval STATUS="Total" | table STATUS eachCount | append [ search eventtype="qualys_vm_detection_event" | stats count as eachCount by STATUS | eventstats sum(eachCount) as total | eval fixedPerc=((eachCount/total)*100) | search STATUS=FIXED | table STATUS eachCount fixedPerc ]
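The KPI queries above are easy to misread, in particular which ones count events versus unique QIDs and where the STATUS filter has to sit relative to dedup. The Python below is an added example (not from the original post or the Qualys App) that recomputes the same KPIs over a handful of constructed detection records carrying the fields the SPL references (HOST_ID, QID, SEVERITY, STATUS); the values are invented and the function names are mine.

```python
"""Recompute the KPI queries above over constructed Qualys detection events.

Each record carries the fields the SPL references (HOST_ID, QID, SEVERITY,
STATUS); the records are made up for this example, not real scan output.
"""
from collections import Counter

# Constructed sample of qualys_vm_detection_event records (not real data).
EVENTS = [
    {"HOST_ID": 1, "QID": 90001, "SEVERITY": 5, "STATUS": "ACTIVE"},
    {"HOST_ID": 1, "QID": 38170, "SEVERITY": 2, "STATUS": "FIXED"},
    {"HOST_ID": 2, "QID": 90001, "SEVERITY": 5, "STATUS": "NEW"},
    {"HOST_ID": 2, "QID": 11827, "SEVERITY": 3, "STATUS": "ACTIVE"},
    {"HOST_ID": 3, "QID": 38170, "SEVERITY": 2, "STATUS": "FIXED"},
    {"HOST_ID": 3, "QID": 86002, "SEVERITY": 4, "STATUS": "NEW"},
    {"HOST_ID": 4, "QID": 11827, "SEVERITY": 3, "STATUS": "FIXED"},
    {"HOST_ID": 4, "QID": 90001, "SEVERITY": 5, "STATUS": "FIXED"},
]


def hosts_scanned(events):
    """Query 1: distinct hosts in the detection feed (stats dc(HOST_ID))."""
    return len({e["HOST_ID"] for e in events})


def pct_high_severity(events):
    """Query 6: share of detection events with SEVERITY > 3.

    Like the SPL, this counts events, not distinct vulnerabilities: a QID
    found on ten hosts contributes ten to both numerator and denominator.
    """
    total = len(events)
    high = sum(1 for e in events if e["SEVERITY"] > 3)
    return round(high / total * 100, 2) if total else 0.0


def unique_qids_by_severity(events, status=None):
    """Queries 2 and 5: '[STATUS=...] | dedup QID | stats count by SEVERITY'.

    dedup keeps the first event per QID, so the status filter is applied
    before dedup, in the same order as the SPL pipeline.
    """
    seen = set()
    counts = Counter()
    for e in events:
        if status is not None and e["STATUS"] != status:
            continue
        if e["QID"] in seen:
            continue
        seen.add(e["QID"])
        counts[e["SEVERITY"]] += 1
    return dict(counts)


def remediation_summary(events):
    """Query 7: total detections, FIXED detections and the fixed percentage."""
    total = len(events)
    fixed = sum(1 for e in events if e["STATUS"] == "FIXED")
    fixed_pct = round(fixed / total * 100, 2) if total else 0.0
    return {"Total": total, "FIXED": fixed, "fixedPerc": fixed_pct}


if __name__ == "__main__":
    print("hosts scanned:", hosts_scanned(EVENTS))
    print("% high severity:", pct_high_severity(EVENTS))
    print("unique QIDs by severity (all):", unique_qids_by_severity(EVENTS))
    print("unique QIDs by severity (NEW):", unique_qids_by_severity(EVENTS, "NEW"))
    print("remediation:", remediation_summary(EVENTS))
```

Running the sample shows the trap in query 6: QID 90001 is high severity and appears on three hosts, so the "percentage of high-severity vulns" is really a percentage of high-severity detection events, which is the right number for exposure but not for counting distinct findings.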


Queries for the top 25 most prevalent vulnerabilities that have a patch available, for the various production environments

1. For Linux
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 -count

2. For Network (F5/Cisco/Firewall)
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 -count

3. For Windows Desktop
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 -count

4. For Windows Server
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 -count

Queries for the top 25 most vulnerable systems in the various production environments

1. For Network (F5/Cisco/Firewall)
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup QID IP | stats count by IP | sort -count | head 25

2. For Linux
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25

3. For Windows Desktop
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25

4. For Windows Server
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25
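The two groups of queries above depend entirely on the four OS regexes bucketing hosts correctly, and the dedup keys differ between them (HOST_ID QID for "most prevalent vulnerabilities", QID IP for "most vulnerable systems"). The Python below is an added example (not from the original post or the Qualys App) that applies the page's regexes unchanged with re.search, which matches Splunk's unanchored regex command, and then runs both top-N pipelines over constructed detection records; the QID titles stand in for the qualys_kb_lookup and are invented, as are the hosts and IPs.

```python
"""Classify OS strings with the regexes from the queries above and build the
top-N lists the same way the two SPL pipelines do.

The detection records and the QID-to-title lookup are constructed for this
example, not real Qualys output.
"""
import re
from collections import Counter

# The OS patterns exactly as used in the 'regex OS=' stages above.
OS_CLASSES = {
    "linux":           r"^((?!\/).)*Linux((?!\/).)*$",
    "network":         r"(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)",
    "windows_desktop": r"^Windows (2000$|XP|7|8)((?!\/).)*$",
    "windows_server":  r"^Windows .*Server((?!\/).)*$",
}


def os_class(os_string):
    """Return the first class whose pattern matches, or None.

    Splunk's regex command is an unanchored PCRE search; re.search behaves
    the same, and the page's patterns anchor themselves with ^ and $ where
    they need to. A '/' anywhere in the string defeats the (?!\/) guards.
    """
    for name, pattern in OS_CLASSES.items():
        if re.search(pattern, os_string):
            return name
    return None


# Constructed stand-in for qualys_kb_lookup: QID -> TITLE (made-up titles).
KB_LOOKUP = {
    90001: "Example kernel privilege escalation",
    86002: "Example web server buffer overflow",
    11827: "Example HTTP header information leak",
}

# Constructed detection events (fields as in the SPL; all values invented).
EVENTS = [
    {"HOST_ID": 1, "IP": "10.0.0.1", "OS": "Red Hat Enterprise Linux Server 7.2", "QID": 90001, "SEVERITY": 5, "STATUS": "ACTIVE"},
    {"HOST_ID": 1, "IP": "10.0.0.1", "OS": "Red Hat Enterprise Linux Server 7.2", "QID": 90001, "SEVERITY": 5, "STATUS": "ACTIVE"},  # duplicate row
    {"HOST_ID": 2, "IP": "10.0.0.2", "OS": "Ubuntu Linux 14.04", "QID": 90001, "SEVERITY": 5, "STATUS": "ACTIVE"},
    {"HOST_ID": 2, "IP": "10.0.0.2", "OS": "Ubuntu Linux 14.04", "QID": 86002, "SEVERITY": 4, "STATUS": "FIXED"},
    {"HOST_ID": 3, "IP": "10.0.0.3", "OS": "Windows 2012 R2 Server", "QID": 86002, "SEVERITY": 4, "STATUS": "ACTIVE"},
    {"HOST_ID": 4, "IP": "10.0.0.4", "OS": "Windows 7 Professional", "QID": 11827, "SEVERITY": 3, "STATUS": "ACTIVE"},
    {"HOST_ID": 5, "IP": "10.0.0.5", "OS": "Cisco IOS 15.1", "QID": 86002, "SEVERITY": 4, "STATUS": "ACTIVE"},
    {"HOST_ID": 6, "IP": "10.0.0.6", "OS": "Linux / Windows dual boot", "QID": 90001, "SEVERITY": 5, "STATUS": "ACTIVE"},  # '/' excludes it
]


def top_prevailing_vulns(events, cls, n=25):
    """SEVERITY > 3 STATUS="ACTIVE" | regex OS | dedup HOST_ID QID | lookup
    | stats count by QID, TITLE | sort n -count, as (QID, TITLE, count)."""
    seen = set()
    counts = Counter()
    for e in events:
        if not (e["SEVERITY"] > 3 and e["STATUS"] == "ACTIVE"):
            continue
        if os_class(e["OS"]) != cls:
            continue
        key = (e["HOST_ID"], e["QID"])  # one detection per host and QID
        if key in seen:
            continue
        seen.add(key)
        counts[e["QID"]] += 1
    return [(qid, KB_LOOKUP.get(qid, "unknown"), c) for qid, c in counts.most_common(n)]


def top_vulnerable_hosts(events, cls, n=25):
    """SEVERITY > 3 | regex OS | dedup QID IP | stats count by IP
    | sort -count | head n, as (IP, count). Note: no STATUS filter, so
    FIXED detections still count against a host here, as in the SPL."""
    seen = set()
    counts = Counter()
    for e in events:
        if e["SEVERITY"] <= 3 or os_class(e["OS"]) != cls:
            continue
        key = (e["QID"], e["IP"])
        if key in seen:
            continue
        seen.add(key)
        counts[e["IP"]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for e in EVENTS:
        print(f'{e["OS"]!r:45} -> {os_class(e["OS"])}')
    for cls in OS_CLASSES:
        print(cls, "top vulns:", top_prevailing_vulns(EVENTS, cls))
        print(cls, "top hosts:", top_vulnerable_hosts(EVENTS, cls))
```

Two things the sample makes visible: the "most vulnerable systems" queries carry no STATUS filter, so a host keeps its FIXED findings in its score (10.0.0.2 scores 2 even though one of its findings is fixed), and an OS string containing a slash falls into no bucket at all, so hosts with dual-boot or vendor/version-style OS fingerprints silently drop out of every per-environment report.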

Queries for tracking remediation progress in the various production environments

1. Vulnerabilities closed in the last 30 days
eventtype="qualys_vm_detection_event" STATUS="FIXED" earliest=-30d@d | dedup HOST_ID QID | stats count by QID

2. For Network (F5/Cisco/Firewall)
eventtype=qualys_vm_detection_event STATUS="FIXED" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | stats count by QID

3. For Linux
eventtype=qualys_vm_detection_event STATUS="FIXED" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | stats count by QID

4. For Windows Desktop
eventtype=qualys_vm_detection_event STATUS="FIXED" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | stats count by QID

5. For Windows Server
eventtype=qualys_vm_detection_event STATUS="FIXED" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | stats count by QID

2 comments:

  1. Excellent thank you for posting this! I hope you don't mind I shared these queries in my query repository website www.gosplunk.com I gave you credit and linked to your blog :)
