Visualizing WannaCry and Shadow Brokers: How to Configure Dashboards in AssetView

Document created by Leif Kremkow (Employee) on May 17, 2017. Last modified by Robert Dell'Immagine on May 18, 2017.
Version 15

To assess WannaCry ransomware infections and exposure to the Shadow Brokers vulnerabilities across an entire IT environment, it helps to visualize the data in dynamic dashboards. Here is how to create a dashboard that provides 2-second visibility into risk and exposure to the worldwide WannaDecrypt0r (WannaCry) ransomware outbreak.

 

Leveraging Qualys AssetView, this single-pane incident response dashboard contains six key data points that provide a complete picture to assess both threat and infection exposure. From there, immediate action can be taken against WannaCry. Each dashboard element automatically collects trend data that allows customers to track their remediation efforts over time.

 

WannaCry / Shadow Brokers Dashboard

 

This is the same dashboard that Qualys Technical Account Manager Jeremy Briglia created for the "How to Rapidly Identify Assets at Risk to WannaCry Ransomware" webcast on May 17, hosted by Jimmy Graham, Director of Product Management, Qualys, and Mark Butler, Chief Information Security Officer, Qualys. A recording of the presentation is also available on YouTube.

 

Create the Dashboard from a Template

The WannaCry dashboard is now available in the platform as a template. This is the easiest way to create the dashboard.

 

While in AssetView, click the Actions button, then choose "Create New Dashboard":

 

Scroll to the bottom and choose "WannaCry and Shadow Brokers":

 

Name your new dashboard and click "Create":

 

These instructions assume that scans to collect data have already run. If you still need to configure a scan for the first time, see Detect MS17-010 with Qualys Vulnerability Management.

 

Create Dashboards (and Widgets) Manually

Use this method to build the dashboard manually, which is useful if you want to build your own widgets and dashboards.

 

If you are not familiar with how to define a query and build a widget from it, please see the detailed instructions that follow. Otherwise, you can jump down below where we list each widget shown and how it is built.

 

  • Log in to your Qualys account. By default this will take you to the “Vulnerability Management” module.
  • Use the module picker to select the AssetView module.
  • By default, AssetView will drop you in the “Dashboard” tab. Click “Assets”.
  • In the “Search…” field enter the query string you want, such as: “vulnerabilities.vulnerability.qid:91345”. Note that simply entering “qid” is enough - the autocomplete will present you with two options and you can simply select the one you need and complete with the needed QID (91345).
  • Once your query is built, click on “create widget…”. This will open a new window where you can fine-tune the configuration of the widget.
  • Give the Widget a title in “Widget Title”, such as “Missing MS17-010 Patch”.
  • Enable “Compare with another reference query” and set the query string to “operatingSystem:Windows”.
  • Set the “Comparison label” to “All Windows Systems”.
  • Set “This set of assets represents” to “A super-set (contains all the assets from initial query)” (the default).
  • On the right, select “Add conditional formatting…”
  • Pick the “Set base color to…” and choose a suitable color, for example green.
  • Select “Add conditional formatting…” again and pick “When the value is…”.
  • Click on “equal to 500”, which is the default proposition. Choose “more than” and “a custom value”. Enter “0” into the field.
  • Change the color for “When the value is more than 0 then highlight in” to red.
  • Enable “Collect trend data”.
  • When done, click on “Add to Dashboard”.
  • The widget will be added to the default dashboard.

 

Repeat this process for each widget you’d like to add to your dashboard, adjusting the query string, comparisons, and conditional formatting to your liking.

 

Widget Definitions for the WannaCry Dashboard

The following are the individual widgets that make up the dashboard with the query strings you can use to build them into your own dashboards.

 

Missing MS17-010 Patch

Query string: vulnerabilities.vulnerability.qid:91345

 

Vulnerable to ETERNALBLUE

Query string: vulnerabilities.vulnerability.qid:91360


WannaDecrypt0r Ransomware Artifacts

Query string: vulnerabilities.vulnerability.qid:1029


Windows Hosts Pending Reboot

Query string: vulnerabilities.vulnerability.qid:90126 and operatingSystem:windows

 

DOUBLEPULSAR Backdoors

Query string: vulnerabilities.vulnerability.qid:70077


SMB Version 1 not Disabled

Query string: vulnerabilities.vulnerability.qid:45261

 

Top 5 OS Missing MS17-010 Patch

Query string: vulnerabilities.vulnerability.qid:91345

 

Top 5 OS Vulnerable to ETERNALBLUE

Query string: vulnerabilities.vulnerability.qid:91360
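
To sanity-check what each widget should show, the sketch below evaluates the query strings above against a small constructed inventory and applies the comparison and conditional formatting from the walkthrough (reference query “operatingSystem:Windows”, green base, red when the value is more than 0). It is an added example, not Qualys code: the asset record layout, the matching rules, and applying the same formatting to every widget are assumptions, and it handles only the field:value and “and” forms used on this page.

```python
from collections import Counter

# Widget titles and query strings as listed on this page.
WIDGETS = {
    "Missing MS17-010 Patch": "vulnerabilities.vulnerability.qid:91345",
    "Vulnerable to ETERNALBLUE": "vulnerabilities.vulnerability.qid:91360",
    "WannaDecrypt0r Ransomware Artifacts": "vulnerabilities.vulnerability.qid:1029",
    "Windows Hosts Pending Reboot": "vulnerabilities.vulnerability.qid:90126 and operatingSystem:windows",
    "DOUBLEPULSAR Backdoors": "vulnerabilities.vulnerability.qid:70077",
    "SMB Version 1 not Disabled": "vulnerabilities.vulnerability.qid:45261",
}

# Constructed sample inventory; the record layout is an assumption, not a Qualys export format.
ASSETS = [
    {"name": "ws-01", "os": "Windows 7 Enterprise", "qids": {91345, 91360, 45261}},
    {"name": "ws-02", "os": "Windows 7 Enterprise", "qids": {91345, 90126}},
    {"name": "srv-01", "os": "Windows Server 2008 R2", "qids": {91345, 91360, 70077}},
    {"name": "srv-02", "os": "Windows Server 2016", "qids": set()},
    {"name": "lnx-01", "os": "Ubuntu 16.04", "qids": {90126}},
]

def matches(asset, query):
    """Evaluate only the 'field:value' terms joined by 'and' that this page uses."""
    for term in query.split(" and "):
        field, _, value = term.strip().partition(":")
        if field == "vulnerabilities.vulnerability.qid":
            ok = int(value) in asset["qids"]
        elif field == "operatingSystem":
            ok = value.lower() in asset["os"].lower()  # assumed case-insensitive match
        else:
            raise ValueError(f"unsupported field: {field}")
        if not ok:
            return False
    return True

def widget(query, reference="operatingSystem:Windows"):
    """Count, reference count, and colour: green base, red when the value is more than 0."""
    hits = [a for a in ASSETS if matches(a, query)]
    total = sum(matches(a, reference) for a in ASSETS)
    return {"count": len(hits), "of": total, "color": "red" if hits else "green"}

def top_os(query, n=5):
    """Group matching assets by operating system, as in the 'Top 5 OS' widgets."""
    return Counter(a["os"] for a in ASSETS if matches(a, query)).most_common(n)

if __name__ == "__main__":
    for title, query in WIDGETS.items():
        print(f"{title}: {widget(query)}")
    print("Top 5 OS Missing MS17-010 Patch:", top_os(WIDGETS["Missing MS17-010 Patch"]))
```

Note that the Linux host with QID 90126 is excluded from “Windows Hosts Pending Reboot” only because that query adds the operatingSystem term; the other widgets count any asset carrying the QID.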
