5. Tagging Accuracy
- Checking regex rule accuracy
1. Attempt to download the list of operating systems located under the Asset tab,
but I've often found this method (clicking the gear dropdown and selecting the "Download..." list item) doesn't seem to function correctly, so I use a Chrome extension called "Scraper", scrape the list from the page, and export the list to Excel.
Scraper Chrome Extension: https://chrome.google.com/webstore/detail/scraper/mbigbapnjcgaffohmbkdlecaccepngjd
Here is the XPath that I use to scrape the data
2. Go to Regexr.com and paste your OS list into the "Text" field.
* Make sure [multiline] and [Global] are both checked; both are located under the [Flags] menu item in the top-right corner.
3. Test all the Regex Expressions from the Qualys Community Regex Document and fine-tune your own custom Regex rules.
Asset tagging regular expression library (regex)
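The same accuracy check done offline, as an added example (not the page author's code or anything from Qualys): it runs a set of hypothetical tag-rule regexes over a constructed OS list the way Regexr does with [Global] and [multiline] checked, then reports which OS strings no rule tags and which several rules claim. The OS strings and rules are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Constructed sample of the operatingSystem values exported from the Asset View
# list (assumption: one OS string per line, as pasted into Regexr's "Text" field).
OS_LIST = """Windows Server 2012 R2 Standard 64 bit Edition
Windows 10 Enterprise 64 bit Edition
Windows 7 Ultimate Service Pack 1
Red Hat Enterprise Linux Server 7.9
Ubuntu Linux 18.04.5
CentOS Linux 7.9.2009
Cisco IOS 15.2(4)E7
VMware ESXi 6.7.0
Microsoft Windows Server 2019 Datacenter
"""

# Hypothetical tag rules (tag name -> regex); illustrative, not from the Qualys library.
TAG_RULES = {
    "OS:Windows": r"Windows",
    "OS:Windows Server": r"^.*Windows Server.*$",
    "OS:Windows Workstation": r"^Windows (7|8|10)\b.*$",
    "OS:Linux": r"^.*Linux.*$",
    "OS:Network": r"^Cisco.*$",
}

def rule_matches(pattern, os_list, multiline=True):
    """Return each OS line the rule hits, like Regexr with [Global] checked.
    multiline=True mirrors the [multiline] flag: ^ and $ anchor to every line,
    not only to the start and end of the whole pasted text."""
    flags = re.MULTILINE if multiline else 0
    hits = []
    for m in re.finditer(pattern, os_list, flags):
        start = os_list.rfind("\n", 0, m.start()) + 1   # back up to the line start
        end = os_list.find("\n", m.end())
        hits.append(os_list[start:end if end != -1 else len(os_list)])
    return list(dict.fromkeys(hits))  # one entry per line, in list order

def check_tag_rules(rules, os_list):
    """Per-rule hits, plus the two things an accuracy review looks for:
    OS strings no rule tags, and OS strings more than one rule claims."""
    matches, per_os = {}, defaultdict(list)
    for tag, pattern in rules.items():
        matches[tag] = rule_matches(pattern, os_list)
        for os_name in matches[tag]:
            per_os[os_name].append(tag)
    all_os = [line for line in os_list.splitlines() if line.strip()]
    untagged = [o for o in all_os if o not in per_os]
    overlaps = {o: tags for o, tags in per_os.items() if len(tags) > 1}
    return {"matches": matches, "untagged": untagged, "overlaps": overlaps}
```

Calling rule_matches with multiline=False shows why the flag matters: an anchored rule such as the workstation one matches nothing, because ^ and $ then apply only to the whole text.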
- Use the Asset View search bar
* This is a quick way to validate your regex rules without running a complete asset search report.
A snippet from the Qualys Asset View module that shows a few examples of how to use the search bar to query your assets.
How To Search
The asset search language supports boolean logic, wildcards, grouping and nested query expressions.
Search by Field
Enter the field name, then a colon, then your query. Nested fields are dot separated.
Put quotes around your query to match a string. Your results will include any asset that contains the string.
tags.name: "Cloud Agent"
operatingSystem: "Windows 2012"
vulnerabilities.vulnerability.title: "Remote Code Execution Vulnerability"
Use backticks to exactly match a string. Your results will include any asset with the exact value returned.
operatingSystem: `Windows 7 Ultimate Service Pack 1`
Ranges can be specified with the [lower .. upper] syntax using ( ) and/or [ ] as follows. This is supported for numeric and date fields.
openPorts.port:(123 .. 1234) // Greater than but not equal to 123 and less than but not equal to 1234.
openPorts.port:(123 .. 1234] // Greater than but not equal to 123 and less than or equal to 1234.
openPorts.port:[123 .. 1234) // Greater than or equal to 123 and less than but not equal to 1234.
openPorts.port:[123 .. 1234] // Greater than or equal to 123 and less than or equal to 1234.
openPorts.port > 123 // Greater than 123.
openPorts.port >= 123 // Greater than or equal to 123.
openPorts.port < 1234 // Less than 1234.
openPorts.port <= 1234 // Less than or equal to 1234.
vulnerabilities.firstFound: [2015-01-01 .. 2015-04-01] // Between January 1st and April 1st 2015.
Use keywords AND, OR, NOT to narrow or broaden your search.
operatingSystem: windows OR operatingSystem: linux
(operatingSystem: windows OR operatingSystem: linux) AND (openPorts.port: 80 OR openPorts.port: 8080)
NOT operatingSystem: windows
Match "In" or "Not In"
Use [ ] to match values "In" or "Not In" fields. Available for all fields except analyzed fields (i.e. full text search fields).
Example: Find assets with at least one of these three CVE IDs:
vulnerabilities.vulnerability.cveIds:[CVE-2003-0818 , CVE-2002-0126 , CVE-1999-1058]
Example: Find assets with vulnerabilities not first found on date: 2016-08-31 or 2016-09-12
NOT vulnerabilities.firstFound: ["2016-08-31","2016-09-12"]
Supported date formats:
YYYY example: vulnerabilities.firstFound:["2016","2015"] // in 2015 or 2016
YYYY-MM example: vulnerabilities.firstFound:["2016-08","2015-07"] // in Aug 2016 or July 2015
YYYY-MM-DD example: vulnerabilities.firstFound:["2016-08-31","2016-08-30"] // on one of exact dates
Analyzed fields (i.e. full text search fields) are not supported such as:
Nested Query Expressions
Use a single nested query expression, using parentheses, to include multiple fields in your query. This is useful when you want to be sure all fields are matched in every asset returned by the query.
Example: Find vulnerabilities that are severity 5 and are confirmed
vulnerabilities.vulnerability: (severity: 5 AND types: VULNERABILITY)
Example: Find vulnerabilities that are severity 5, have the Easy Exploit RTI, and were first found in the last 5 days:
vulnerabilities: (vulnerability.severity: 5 AND vulnerability.threatIntel.easyExploit: true AND firstFound > now-5d)
Example: Find assets on port 80 and TCP
openPorts: (port: 80 AND protocol: TCP)
Example: Find assets with Microsoft Windows version 10
software: (name: Microsoft Windows AND version: 10)
Example: Find assets that have the Windows Time service running
service: (name: Windows Time AND status: running)