Asset Tagging Accuracy Guide (Part 5 - Asset Tags)

Document created by Davis Dolezal on Dec 20, 2016
Version 1Show Document
  • View in full screen mode

5. Tagging Accuracy

  1. Checking regex rule accuracy

    1. Attempt to download the list of operating systems located under Asset Tab
    Asset list of operating systems
    but I've often found this method --> clicking the gear dropdown and selecting the "Download..." list item doesn't seem to function correctly, so I use a chrome extension called "scraper" and I scrape the list from the page and export the list to excel.

    Scraper Chrome Extension:

    Here is the XPath that I use to scrape the data


    Chrome Extension to scrape operating systems

    2. Go to and paste your OS list into "Text" list field

    *Make sure [multiline] and [Global] are both checked - located under the [Flags] menu item in the top-right corner.

    Make sure [multiline] and [Global] are both checked - located under the [Flags] menu item.

    3. Test all the Regex Expressions from the Qualys Community Regex Document and fine-tune your own custom Regex rules.
    Asset tagging regular expression library (regex)

  2. Use the Asset View search bar

    * This is a quick way to validate your regex rules without running a complete asset search report.
    A snippet from the Qualys Asset View Module that shows a few examples on how to use the search bar to query your assets.
    How To Search
    The asset search language supports boolean logic, wildcards, grouping and nested query expressions.
    Search by Field
    Enter the field name, then a colon, then your query. Nested fields are dot separated.
    openPorts.port: 80
    accounts.username: administrator
    operatingSystem: win*
    String Matching
    Put quotes around your query to match a string. Your results will include any asset that contains the string.
    Examples: "Cloud Agent"
    operatingSystem: "Windows 2012"
    vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"
    Exact Matching
    Use backticks to exactly match a string. Your results will include any asset with the exact value returned.
    operatingSystem: `Windows 7 Ultimate Service Pack 1`
    interfaces.hostname: `xpsp2-jp-26-111`
    Ranges can be specified with the [lower .. upper] syntax using () and/or [] as follows. This is supported for numeric and date fields.
    openPorts.port:(123 .. 1234)  // Greater than but not equal to 123 and less than but not equal to 1234.
    openPorts.port:(123 .. 1234]  // Greater than but not equal to 123 and less than or equal to 1234.
    openPorts.port:[123 .. 1234)  // Greater than or equal to 123 and less than but not equal to 1234.
    openPorts.port:[123 .. 1234]  // Greater than but or equal to 123 and less than or equal to 1234.
    openPorts.port > 123  // Greater than 123.
    openPorts.port >= 123  // Greater than or equal to 123.
    openPorts.port < 1234  // Less than 1234.
    openPorts.port <= 1234  // Less than or equal to 1234.
    vulnerabilities.firstFound: [2015-01-01 .. 2015-04-01]  // Between January 1st and April 1st 2015.
    Boolean Operators
    Use keywords AND, OR, NOT to narrow or broaden your search.
    operatingSystem: windows OR operatingSystem: linux
    (operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080)
    NOT operatingSystem: windows
    Match "In" or "Not In"
    Use to match values "In" or "Not In" fields. Available for all fields except analyzed fields (i.e. full text search fields).
    Example: Find assets with at least one of these three CVE IDs:
    vulnerabilities.vulnerability.cveIds:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]
    Example: Find assets with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12
    NOT vulnerabilities.firstFound: ["2016-08-31","2016-09-12"]
    Supported date formats:
    YYYY example: vulnerabilities.firstFound:["2016","2015"]  // in 2015 or 2016
    YYYY-MM example: vulnerabilities.firstFound:["2016-08","2015-07"]  // in month of Aug or Sept
    YYYY-MM-DD example: vulnerabilities.firstFound:["2016-08-31","2016-08-30"]  // on one of exact dates
    Analyzed fields (i.e. full text search fields) are not supported such as:
    Nested Query Expressions
    Use a single nested query expression, using parentheses, to include multiple fields in your query. This is useful when you want to be sure all fields are matched in every asset returned by the query.
    Example: Find vulnerabilities that are severity 5 and are confirmed
    vulnerabilities.vulnerability: (severity: 5 AND types: VULNERABILITY)
    Example: Find vulnerabilities that are severity 5, have Easy Exploit RTI, and first found in the last 5 days:
    vulnerabilities: (vulnerability.severity: 5 AND vulnerability.threatIntel.easyExploit: true AND firstFound > now-5d)
    Example: Find assets on port 80 and TCP
    openPorts: (port: 80 AND protocol: TCP)
    Example: Find assets with Microsoft Windows version 10
    software: (name: Microsoft Windows AND version: 10)
    Example: Find assets that have Windows Time service that is running
    service: (name: Windows Time AND status: running)