Qualys VMDR
Qualys VMDR app is a new Sumo Logic app based on the Qualys VMDR Cloud-to-Cloud source, which tracks errors, reports its health, and start-up progress. It provides a cloud security, compliance, and vulnerability management solutions across your IT infrastructure.
Log Types
The Sumo logic App for Qualys VMDR uses vulnerability data from Vulnerability API and asset data from Asset API.
Sample Log Message
{
"Id": "9816652",
"IP": "10.50.4.15",
"Hostname": "vmauditdev",
"Detection": {
"Qid": "216273",
"Type": "Potential",
"Severity": "3",
"Ssl": "0",
"Results": "VMWare Build Version is 19832280",
"Status": "New",
"FirstFoundDateTime": "2022-12-07T10:50:00Z",
"LastFoundDateTime": "2022-12-07T10:50:00Z",
"TimesFound": "1",
"LastTestDateTime": "2022-12-07T10:50:00Z",
"LastUpdateDateTime": "2022-12-07T12:08:22Z",
"IsIgnored": "0",
"IsDisabled": "0",
"LastProcessedDateTime": "2022-12-07T12:08:22Z"
}
}
Sample Queries
source=Qualys
| where (_raw matches /^\{.*\}$/)
| json "IP", "Hostname", "Detection.Qid" as ip, hostname, Qid nodrop
| first(_raw) as _raw by ip, hostname, Qid
| json "Detection" as vulnerability nodrop
| where ip matches "*"
| where hostname matches "*"
| json auto field=vulnerability nodrop
| fields -vulnerability
| where !IsEmpty(severity)
| where severity matches "*"
| "Unknown" as severity_label
| if(severity = 1, "Informational", severity_label) as severity_label
| if(severity = 2, "Low", severity_label) as severity_label
| if(severity = 3, "Medium", severity_label) as severity_label
| if(severity = 4, "High", severity_label) as severity_label
| if(severity = 5, "Critical", severity_label) as severity_label
| count as Total ip, hostname, severity, severity_label
| transpose row ip, hostname column severity, severity_label as %"1|Informational", %"2|Low", %"3|Medium", %"4|High", %"5|Critical"
| if(IsNull(%"1|Informational"), 0, %"1|Informational") as %"1|Informational"
| if(IsNull(%"2|Low"), 0, %"2|Low") as %"2|Low"
| if(IsNull(%"3|Medium"), 0, %"3|Medium") as %"3|Medium"
| if(IsNull(%"4|High"), 0, %"4|High") as %"4|High"
| if(IsNull(%"5|Critical"), 0, %"5|Critical") as %"5|Critical"
| %"1|Informational" + %"2|Low" + %"3|Medium" + %"4|High" + %"5|Critical" as %"Total"
| order by %"Total" desc
Set up Collection
This section provides instructions for setting up Cloud-to-Cloud-Integration for Qualys VMDR to create the source and use the same source category while installing the app.
Installing the Qualys VMDR App
This section provides instructions for installing the Qualys VMDR Sumo Logic App, as well as the descriptions of each of the app dashboards.
To install the app:
- From the left nav, select App Catalog.
- Search for your app name and select it.
- When you get to your app page:
- If you want to see a preview of the dashboards included with the app before installing, scroll down to Dashboard Preview.
- If your Sumo Logic app has multiple versions (not all apps do), select the version of the service you're using.
- Click Add Integration.
- On the next configuration page, Select Data Source for your App, complete the following fields:
- Data Source. Select one of the following options:
- Choose Source Category, and select a source category from the list; or
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example,
_sourceCategory=MyCategory.
- Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
- All Folders (optional). Default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
- Data Source. Select one of the following options:
- Click Next.
- You'll see a dialog confirming that the app was installed successfully.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.
Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't be available immediately, but within 20 minutes, you'll see full graphs and maps.
Viewing Qualys VMDR Dashboard
Qualys VMDR - Overview dashboard This dashboard gives you visibility into low, medium, high, and critical vulnerabilities by hosts in your network. Use the dashboard to slice and dice data by vulnerability severity, IPs, and hosts.
