Qualys VMDR
Qualys VMDR app is a new Sumo Logic app based on the Qualys VMDR Cloud-to-Cloud source, which tracks errors, reports its health, and start-up progress. It provides a cloud security, compliance, and vulnerability management solutions across your IT infrastructure.
Log Types​
The Sumo logic App for Qualys VMDR uses vulnerability data from Vulnerability API and asset data from Asset API.
Sample Log Message​
{
"Id": "9816652",
"IP": "10.50.4.15",
"Hostname": "vmauditdev",
"Detection": {
"Qid": "216273",
"Type": "Potential",
"Severity": "3",
"Ssl": "0",
"Results": "VMWare Build Version is 19832280",
"Status": "New",
"FirstFoundDateTime": "2022-12-07T10:50:00Z",
"LastFoundDateTime": "2022-12-07T10:50:00Z",
"TimesFound": "1",
"LastTestDateTime": "2022-12-07T10:50:00Z",
"LastUpdateDateTime": "2022-12-07T12:08:22Z",
"IsIgnored": "0",
"IsDisabled": "0",
"LastProcessedDateTime": "2022-12-07T12:08:22Z"
}
}
Sample Queries​
source=Qualys
| where (_raw matches /^\{.*\}$/)
| json "IP", "Hostname", "Detection.Qid" as ip, hostname, Qid nodrop
| first(_raw) as _raw by ip, hostname, Qid
| json "Detection" as vulnerability nodrop
| where ip matches "*"
| where hostname matches "*"
| json auto field=vulnerability nodrop
| fields -vulnerability
| where !IsEmpty(severity)
| where severity matches "*"
| "Unknown" as severity_label
| if(severity = 1, "Informational", severity_label) as severity_label
| if(severity = 2, "Low", severity_label) as severity_label
| if(severity = 3, "Medium", severity_label) as severity_label
| if(severity = 4, "High", severity_label) as severity_label
| if(severity = 5, "Critical", severity_label) as severity_label
| count as Total ip, hostname, severity, severity_label
| transpose row ip, hostname column severity, severity_label as %"1|Informational", %"2|Low", %"3|Medium", %"4|High", %"5|Critical"
| if(IsNull(%"1|Informational"), 0, %"1|Informational") as %"1|Informational"
| if(IsNull(%"2|Low"), 0, %"2|Low") as %"2|Low"
| if(IsNull(%"3|Medium"), 0, %"3|Medium") as %"3|Medium"
| if(IsNull(%"4|High"), 0, %"4|High") as %"4|High"
| if(IsNull(%"5|Critical"), 0, %"5|Critical") as %"5|Critical"
| %"1|Informational" + %"2|Low" + %"3|Medium" + %"4|High" + %"5|Critical" as %"Total"
| order by %"Total" desc
Set up Collection​
This section provides instructions for setting up Cloud-to-Cloud-Integration for Qualys VMDR to create the source and use the same source category while installing the app.
Installing the Qualys VMDR App​​
This section provides instructions for installing the Qualys VMDR Sumo Logic App.
To install the app:
- From the Sumo Logic navigation, select App Catalog.
- In the Search Apps field, search for and then select your app.
- Optionally, you can scroll down to preview the dashboards included with the app. Then, click Install App (sometimes this button says Add Integration).note
If your app has multiple versions, you'll need to select the version of the service you're using before installation.
- On the next configuration page, under Select Data Source for your App, complete the following fields:
- Data Source. Select one of the following options:
- Choose Source Category and select a source category from the list; or
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example,
_sourceCategory=MyCategory.
- Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
- All Folders (optional). Default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
- Data Source. Select one of the following options:
- Click Next.
- Look for the dialog confirming that your app was installed successfully.
Once an app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps.
Viewing Qualys VMDR Dashboard​
Qualys VMDR - Overview dashboard This dashboard gives you visibility into low, medium, high, and critical vulnerabilities by hosts in your network. Use the dashboard to slice and dice data by vulnerability severity, IPs, and hosts.
