Asset Tags: Are You Getting The Best Value Out of This Feature?

Document created by Colton Pepper Employee on Mar 6, 2018

Introduction

When you take a moment to reflect on your Qualys account, what goes through your head? Do you think about whether or not you're getting the best use out of the features you've paid for? From time to time, I find myself thinking about innovative ways that I can leverage Qualys and squeeze every gram of value out of the tool. I got to thinking about the features within AssetView and realized that I wasn't using asset tags to get the maximum value. I had a few asset tags that I created but everything else was created by the system.

 

With the nearly endless list of asset tags you could create, it can be difficult to know where to even begin. My goal for this document is to share a handful of my experiences, some successful and some partially successful. Something to keep in mind while thinking of use cases and creating asset tags: if a tag doesn’t work or doesn’t deliver what you thought it would, it’s never a failure. Your “failures” are just as valuable as your successes. You are still creating value.

 

One thing you’re going to notice in this document is that I try to get as creative as possible when creating asset tags. If I had to guess, around 98% or more of my asset tags leverage Information Gathered (IG) QIDs. At the time of publication of this document, there are 1,101 different IG QIDs. When you also leverage the ability to search within the results of these IG QIDs, the possibilities expand even further! That said, why wouldn’t you take advantage of these?

 

I’ll share most of my interesting asset tags and also bring up a few other use cases. Some of my asset tags may not be perfect, and that’s okay. The point of this document isn't to be the end-all map of the asset tagging universe, but rather to perhaps inspire you to look into some potential use cases. There are a lot of ways to create an asset tag and more often than not, your particular use case may determine how you create yours. Even still, feel free to comment your thoughts, ideas, and experiences below! Let’s crack on!


Basic Housekeeping: An Organized Asset Tag Tree Is A Happy Asset Tag Tree... and A Happy Qualys Admin!

Let's get the basic housekeeping items out of the way up front, so that the tagging use cases below make a little bit more sense.

 

Naming Conventions:

Almost all of my asset tags utilize some sort of naming convention. Why? For easier "memory retrieval". In my opinion, strategic naming conventions should also be used for Asset Groups and Business Units; the asset tags for those two are created by the system. I've also created asset tags for things such as Cloud Agent Activation Keys and AWS Connectors. I won't go into specific detail on how to create these or how to have them applied, but having them allows for increased efficiency in scanning, reporting, and searching in AssetView. Below are some examples of my naming conventions:

Anything that has to do with AWS always starts with "AWS:". Every AWS connector has a tag "AWS: ConnectorName", every EC2 state asset tag gets it, instance owners, etc. Take a look at some examples below:

  • AWS: Application
    • AWS: Application|Active Directory
    • AWS: Application|AutoDesk
    • AWS: Application|SSM Agent
  • AWS: Connector Tags
    • AWS: PHEONIX-DEV
    • AWS: PHEONIX-PROD
    • AWS: STLOUIS-DEV
    • AWS: STLOUIS-PROD
  • AWS: EC2 State
    • AWS: State [RUNNING]
    • AWS: State [STOPPED]
    • AWS: State [TERMINATED]
  • AWS: System Owner
    • AWS: System Owner|Cloud Team
    • AWS: System Owner|Security Team

 

 

Asset Groups:

Asset Groups always begin with "AG:", followed by the physical location, where on the network it is (internal/external), and a brief description of the group (e.g. "RED Network"). Some variations exist, but the same information is in each Asset Group name.

 

  • AG: Charlotte - Internal - Servers - ALL
  • AG: UK - EXT - RED NETWORK
  • AG: PHOENIX - EXT - DMZ - WEB SERVER VLAN
  • AG: Phoenix - Internal - Sales Office
  • AG: PHOENIX - EXT - RED NETWORK
  • AG: StLouis - Internal - Network Mgmt

 

You'll notice that although the information is all there, some asset group names are in all-caps whereas others aren't. The asset group titles that are in all-caps are external asset groups. Since those titles are fully capitalized, they visually stand out whereas the internal asset groups don't; for me at least. When my mind is in autopilot mode and I'm clicking around working off of muscle memory, I want these differences to stand out. You'll also notice the difference between "EXT" and "Internal". The reason for this is again visual. When you see "Int" in an Asset Group name at a quick glance, it gets lost and looks similar to the others. Again, the point is to make these visually different at a quick glance while still feeling "natural". Can you see the difference between the list above and the list below?

 

  • AG: CHARLOTTE - INT - SERVERS - ALL
  • AG: UK - EXT - RED NETWORK
  • AG: PHOENIX - EXT - DMZ - WEB SERVER VLAN
  • AG: PHOENIX - INT - SALES OFFICE
  • AG: PHOENIX - EXT - RED NETWORK
  • AG: STLOUIS - INT - NETWORK MGMT
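The convention above is easy to remember but also easy to check mechanically once you have more than a handful of groups. Here is an added Python example (my code, not part of the original document and not a Qualys tool) that parses names of the form "AG: Location - Network - Description" and flags the two rules described above: the network segment is written "EXT" or "Internal", and only external groups are in ALL CAPS. The regular expression, the field names and the two deliberately non-compliant sample names are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed shape of the convention described above:
#   "AG: <Location> - <EXT|Internal> - <Description>"
# with external groups written in ALL CAPS so they stand out visually.
AG_PATTERN = re.compile(r"^AG: (?P<location>[^-]+?) - (?P<network>[^-]+?) - (?P<desc>.+)$")


@dataclass
class AssetGroupName:
    location: str
    network: str      # "EXT" or "Internal" as written in the name
    description: str  # may itself contain " - " separators, e.g. "DMZ - WEB SERVER VLAN"
    external: bool


def parse_ag_name(name: str) -> AssetGroupName:
    """Split an asset group name into its convention fields; raise if it does not fit."""
    m = AG_PATTERN.match(name)
    if not m:
        raise ValueError(f"not in AG naming convention: {name!r}")
    network = m.group("network").strip()
    return AssetGroupName(
        location=m.group("location").strip(),
        network=network,
        description=m.group("desc").strip(),
        external=(network.upper() == "EXT"),
    )


def convention_issues(name: str) -> list[str]:
    """Return the convention violations for one name (empty list means compliant)."""
    try:
        ag = parse_ag_name(name)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    if ag.network.upper() not in ("EXT", "INTERNAL"):
        issues.append(f"network segment should be 'EXT' or 'Internal', got {ag.network!r}")
    if ag.external and name != name.upper():
        issues.append("external asset group names should be ALL CAPS")
    if not ag.external and name == name.upper():
        issues.append("internal asset group names should not be ALL CAPS (reserved for EXT)")
    return issues


def audit(names: list[str]) -> dict[str, list[str]]:
    """Audit a whole list of names, e.g. copied from the Asset Groups list in the UI."""
    return {n: convention_issues(n) for n in names}


if __name__ == "__main__":
    # Constructed sample: the page's own example names plus two deliberate violations.
    sample = [
        "AG: Charlotte - Internal - Servers - ALL",
        "AG: UK - EXT - RED NETWORK",
        "AG: PHOENIX - EXT - DMZ - WEB SERVER VLAN",
        "AG: Phoenix - Internal - Sales Office",
        "AG: PHOENIX - INT - SALES OFFICE",   # constructed violation: "INT" and all caps
        "AG: Phoenix - EXT - Red Network",    # constructed violation: external but not caps
    ]
    for name, issues in audit(sample).items():
        print(f"{name:45} {'OK' if not issues else '; '.join(issues)}")
```

The description field deliberately absorbs any further " - " separators, so "DMZ - WEB SERVER VLAN" survives intact; only the first two segments are treated as structured.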

 

Using a standard naming convention for many things makes searching for a specific type of asset in AssetView so much easier. The naming convention makes for easy memory retrieval. To this day, I don't know every one of my 150+ asset group names by heart, but I know the basic information that's in each of them. For example, if I wanted to look in AssetView to see all internal-facing web servers in the Phoenix office, my query would look like this:

 

 

Asset Types:

Asset tags that call out a specific asset type have "Type:" at the beginning. Examples of these tags are listed below. It's easy for me to call out asset types while running a targeted scan on just servers, or even Cisco devices. Having the term "Type:" in the naming convention is especially useful when creating widgets in AssetView. When creating a widget, I can group the results by asset tag, then use the filters to select "tags.name:" that "contains" "Type:".

  • Type: Domain Controller
  • Type: ESX Server
  • Type: Server

 

 

Business Units:

All of my business units start with "BU:". This way I can easily run queries in AssetView that include or exclude any business units. The same goes for running reports or scans. Among the mass of asset tags in my subscription, being able to see which tag is a business unit is helpful. This can be useful in a use case similar to the one I explained in the "Asset Types" section above. Examples are listed below:

  • BU: Charlotte
  • BU: UK
  • BU: Phoenix
  • BU: StLouis

 

 

Installed Software:

All software asset tags are prefaced with "SW:". Examples of tags listed below.

  • SW: Applications Enumerated (simply looks for QID 90235 and helps identify where we successfully authenticated and accessed the registry)
  • SW: QuickTime For Windows
  • SW: iTunes
  • SW: [AntiVirus Vendor]

 

Searching in AssetView for servers where the asset tag "SW: iTunes" is present is really useful for bringing this up to server administrators. In most cases, servers don't have a business case for having iTunes installed. Here's an example of how that query would look.

 

 

Operating Systems:

All operating system asset tags start with "OS:"

  • OS: MacOS
  • OS: RHEL 7.x
  • OS: Ubuntu
  • OS: Windows 10
  • OS: Windows 95 (I hope this OS doesn't exist in your environment, but in case it does, there's a tag!)
  • OS: Windows Server 2008
  • OS: Windows Server 2012
  • OS: Windows Servers (ALL)


Use Case 1 - Agentless Tracking: Tagging assets where Agentless Tracking was used.

Agentless tracking can be a useful tool to have in Qualys. Even more useful is the ability to tag assets where this feature was used. The tag is very simple since there is an Information Gathered (IG) QID for when this tracking was successful and for when there were errors accessing or finding the Host ID on the target host. Check it out.

 

“Agentless Tracking Used”

Tagging Rule Engine:      Vuln(QID) Exist

QID = 45179

 

 

“Agentless Tracking Errors”

Tagging Rule Engine:      Vuln(QID) Exist

QID = 45180


Use Case 2 - Asset Informational Tags: Tagging assets for potentially helpful information.

Just because you don't have a specific use case for an asset tag today, doesn't mean you won't later as your asset tag architecture matures in the future. These asset tags help me build a little context around some of the assets I scan. I always take the mindset to tag anything possible; provided that asset tags are nested efficiently to reduce clutter!

 

“No Asset Group”

This asset tag was borrowed from a post I came across some time ago and I have really been happy with it ever since. It is applied to hosts that aren't in any asset group. This can be a useful tag to identify assets that may need some investigating, and it identifies gaps in asset organization. Simply put, the first half of line 2 of the Groovy Scriptlet below, between "return" and the last " } " just after "ASSET_GROUP", returns the term ["ASSET_GROUP"] once for each asset group that is associated with that host. Stick with me here... The last part, ".size() < 1", determines whether this tag is true or false (again, this is high level...). If the count returned by the first half is less than 1, then tag it.

 

Tagging Rule Engine:      Groovy Scriptlet

if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.tags.reservedType.findAll { it.toString().equals("ASSET_GROUP") }.size() < 1;

 

You can test this on your own if you'd like. Copy and paste the scriptlet above into a new rule using the Groovy Scriptlet rule engine, only delete ".size() < 1" from line 2 (be sure to leave the semicolon). Find an asset that isn't in any asset group and another that is, and add them to the "Test Rule Applicability on Selected Assets" drop-down box. Click "Test Applicability" and then click the gear symbol to the right of the asset. This shows the results from the query. Here is an example of an asset that is in 6 different asset groups vs. an asset that is not in any asset group.

 

Reapply ".size() < 1" to the end of line 2 (making sure the semicolon is placed at the end). Clicking the gear symbol again, the query will now return "true" or "false". Since the first asset above is associated with 6 different asset groups and the count of "ASSET_GROUP" is NOT < 1, the logic returns "false". Pretty nifty!


“No Hostname Detected”

 

This is another borrowed asset tag. Similar to the "No Asset Group" tag above, this asset tag is applied to hosts that don't have hostnames within Qualys, i.e. where Qualys was unable to gather a hostname for a scanned asset. This can have several causes that I won't get into here, but it could be a good indication of assets to purge later. For me and my situation, if a scan wasn't able to get a hostname from the asset by means of authentication or via DNS records, I likely don't have any reason to hold onto what is nothing more than, what I call, a ghost record that is consuming a license.

 

Here's a quick breakdown of the logic: if the hostname equals "null" or if the hostname returns with a character length that is equal to or less than 0, then this rule is true and therefore is applied.

Tagging Rule Engine:      Groovy Scriptlet

if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.getHostName()==null || asset.getHostName().trim().length()<=0;

 

 

“No OS Detected”

Also a borrowed asset tag. Similar to the "No Asset Group" tag and the "No Hostname Detected" tag, this tag is looking for hosts where an operating system wasn't identified. The logic in this asset tag is nearly identical to the previous tag only instead of "asset.getHostName()", it replaces HostName with OperatingSystem.

 

Tagging Rule Engine:      Groovy Scriptlet

if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.getOperatingSystem()==null || asset.getOperatingSystem().trim().length()<=0;

 

 

“StickyKey's Enabled”

This tag looks for hosts that have Sticky Keys enabled. There are known exploits where Sticky Keys are involved and this simple asset tag helps to easily identify assets where this feature is enabled. In this case, we simply look for QID 124403 - "Sticky Key's Enabled on System". 

Tagging Rule Engine:      Vuln(QID) Exist

QID = 124403


Use Case 3 - Authentication Status: Tagging successful and failed authentication attempts during scans.

When Qualys attempts to use any of the authentication records you provided, the outcome of that attempt is documented through a QID. These really help with creating dashboards within AssetView to report on authentication success rates and potentially point out gaps in your authentication.

 

“Authentication Successful”

Tagging Rule Engine:      Groovy Scriptlet

if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.hasAnyVuln([38307,70053])

 

“Authentication Failed”

Tagging Rule Engine:      Groovy Scriptlet

if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.hasAnyVuln([105053,105015])

 

“Authentication Not Attempted”

Tagging Rule Engine:      Groovy Scriptlet

if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.hasAnyVuln([105296,105297])

 

 

“NULL Session Allowed”

Tagging Rule Engine:      Asset Search

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
  <QID_LIST>
   <QID>70028</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>Authentication_Scheme NULL_session</SEARCH_TERM>
  </RESULTS>
</DETECTION>
</TAG_CRITERIA>


“SNMP Authentication Successful”

Tagging Rule Engine:      Vuln(QID) Exist

QID = 78049

 

 

“SNMP Authentication Failed”

Tagging Rule Engine:      Vuln(QID) Exist

QID = 105192

 

 

“SNMP Authentication Not Attempted”

Tagging Rule Engine:      Vuln(QID) Exist

QID = 105298

 

"Authentication Successful" (Username Specific)

This tag can be adapted to Windows, Linux or SNMP authentication methods. The example below is for a successful authentication on a Windows system (determined by the QID) but you could adapt this to the correct OS and outcome by simply changing the QID. Additionally, you will need to change the username in the "<SEARCH_TERM>" value. Leave "User_Name" and modify "useraccountnamehere" to suit your needs. From my experience, the case of what is typed here doesn't seem to matter.

Tagging Rule Engine:      Asset Search

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>70053</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>User_Name useraccountnamehere</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>


Use Case 4 - Asset Management: Tagging assets by who manages it.

This specific use case may not apply to everyone, but you may find some aspect of it useful. In my particular scenario, servers may be managed by different teams or even different businesses. Simply looking at IP ranges isn't enough. So after several months of experimenting, I came up with the solution. Take note of the Information Gathered (IG) QID 105231 - "Administrator Group Members Enumerated". This QID lists the user accounts or groups that are in the local admin group of the scanned system. Hopefully, each business and/or group uses different service accounts to manage their workstations or servers. Using the Asset Search rule engine, you can look in the results for a specific username and/or group. Before creating this rule, it's best to do a search in AssetView for assets with this QID and browse through the results of several hosts. Identify commonly occurring values and go from there. This was one of my best and earliest wins for Qualys in my organization. Keep in mind that this QID requires authentication!
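Browsing the QID 105231 results first matters because an Asset Search term is a substring test: a short search term also hits any longer group name that contains it. The added Python example below (my code, not from the original document or from Qualys) parses constructed 105231 results for four hosts and attributes each host to a managing team two ways: the way a CONTAINING search would, and on whole member names. Hosts with no owner or more than one are marked for review. The results format (one member per line), the "CORP\" domain, and every account and group name except "Domain Server Admins" are my assumptions.

```python
from __future__ import annotations

# Constructed stand-in for the QID 105231 ("Administrator Group Members Enumerated")
# results of four hosts: one local Administrators member per line. All names are made up
# apart from "Domain Server Admins", which is the search term used in the tag above.
SAMPLE_105231 = {
    "srv-db-01": "Administrator\nCORP\\Domain Admins\nCORP\\Domain Server Admins\nCORP\\svc-dbteam",
    "srv-app-03": "Administrator\nCORP\\Domain Admins\nCORP\\Cloud Team Server Admins",
    "srv-legacy-09": "Administrator\nCORP\\Domain Server Admins - Legacy",
    "wks-7731": "Administrator\nCORP\\Desktop Support",
}

# Assumed ownership markers: the group each team uses to manage its hosts.
OWNER_MARKERS = {
    "Server Team": {"CORP\\Domain Server Admins"},
    "Cloud Team": {"CORP\\Cloud Team Server Admins"},
    "Legacy Business": {"CORP\\Domain Server Admins - Legacy"},
}


def parse_members(results: str) -> set[str]:
    """One member per line, whitespace trimmed, blank lines ignored."""
    return {line.strip() for line in results.splitlines() if line.strip()}


def containing(results: str, term: str) -> bool:
    """Approximates one Asset Search CONTAINING term: a case-insensitive substring test
    (case-insensitivity is assumed from the page's remark that case did not seem to matter)."""
    return term.lower() in results.lower()


def owners_by_containing(results: str) -> set[str]:
    """Attribution the way one CONTAINING tag per team would do it."""
    return {team for team, markers in OWNER_MARKERS.items()
            if any(containing(results, m) for m in markers)}


def owners_by_member(results: str) -> set[str]:
    """Attribution on whole member names, so a longer group name cannot shadow a shorter one."""
    members = parse_members(results)
    return {team for team, markers in OWNER_MARKERS.items() if markers & members}


def attribution_report(hosts: dict[str, str]) -> dict[str, str]:
    """Exactly one owner -> that owner; none or several -> 'REVIEW' so the host gets looked at."""
    report = {}
    for host, results in hosts.items():
        owners = owners_by_member(results)
        report[host] = next(iter(owners)) if len(owners) == 1 else "REVIEW"
    return report


if __name__ == "__main__":
    for host, results in SAMPLE_105231.items():
        print(f"{host:15} containing={sorted(owners_by_containing(results))} "
              f"member={sorted(owners_by_member(results))}")
    print(attribution_report(SAMPLE_105231))
```

The legacy host is the interesting row: a "Domain Server Admins" CONTAINING rule would also tag it for the Server Team because that string sits inside "Domain Server Admins - Legacy", which is exactly the kind of collision a first pass over the raw results reveals before the tag goes live.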

 

Management Ownership

Tagging Rule Engine:      Asset Search

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>105231</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>Domain Server Admins</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>


Use Case 5 - Tagging AWS Legacy Assets

Tagging instances based on EC2 Instance Tags

This is something that I'm quite proud of. Before Qualys came out with the "Cloud Asset Search (AWS EC2 Instances)" rule engine, I found that QID 45150 - "Extended attributes for EC2 instance" lists the EC2 instance tags from AWS. Notice that the tag key is left of the pipe " | " and the value is to the right (e.g. key=Owner ; value=john.doe@email.com). Something to keep in mind: these tag keys and values, created within AWS, may differ slightly depending on whether or not your organization has standardized tagging methodologies in place within AWS. You may have to run a CSV report that contains this QID and its results and do some Microsoft Excel and/or Notepad++ kung fu to get a list of all EC2 instance tags in your accounts. This is an example of the output of the results field from the QID.

I've created asset tags based around this using the Asset Search rule engine, where the results contain the value I'm looking for. Today, I've updated a lot, if not all, of my AWS tags to leverage the new rule engine for EC2 instances. Aside from the different variations in the keys and values of EC2 instance tags, there is another drawback to using this QID with the Asset Search rule engine: you can't use the "AND"/"OR" boolean operators to look for multiple search terms, which means that you may need an asset tag for each variation of the instance tag key and value. You would then need to create a parent asset tag and nest the multiple asset tags under it. The good news is that Qualys fixed this with the release of the Cloud Asset Search rule engine. Now you can use boolean operators, which eliminates this entire issue and ensures you're getting each different variation of a key and/or value.
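To make the two drawbacks above concrete (key/value variation, and a single CONTAINING term having no AND/OR), here is an added Python example, my code rather than anything from the original document or from Qualys. It parses constructed QID 45150 results in the "key | value" layout described above, maps the inconsistent keys onto canonical names, and contrasts what a single substring term selects with what a boolean condition over the parsed tags selects. The sample instance IDs and tag values, the alias table, and the assumption that CONTAINING is a case-insensitive substring match are all mine.

```python
from __future__ import annotations

# Constructed stand-in for the QID 45150 results field of three instances, in the format
# the text describes: one EC2 instance tag per line, key left of the pipe, value right.
# The inconsistent keys (Owner / owner / OwnerEmail, Environment / env) are the kind of
# variation that appears when AWS tagging is not standardised.
SAMPLE_RESULTS = {
    "i-0aaa": "Name | web-01\nOwner | john.doe@email.com\nEnvironment | prod",
    "i-0bbb": "Name | batch-07\nowner | Jane.Doe@email.com\nenv | Prod",
    "i-0ccc": "Name | sandbox-02\nOwnerEmail | cloud-team@email.com\nEnvironment | dev",
}

# Assumed mapping of raw keys that should be treated as the same logical tag.
KEY_ALIASES = {
    "owner": {"owner", "owneremail", "system owner"},
    "environment": {"environment", "env"},
}


def parse_ec2_tags(results: str) -> dict[str, str]:
    """Turn the pipe-separated results text into {key: value}, keys exactly as written."""
    tags: dict[str, str] = {}
    for line in results.splitlines():
        if "|" not in line:
            continue  # not a tag line
        key, _, value = line.partition("|")
        tags[key.strip()] = value.strip()
    return tags


def normalized(tags: dict[str, str]) -> dict[str, str]:
    """Collapse key variants onto canonical names and lower-case values for comparison."""
    out: dict[str, str] = {}
    for key, value in tags.items():
        k = key.strip().lower()
        for canonical, aliases in KEY_ALIASES.items():
            if k in aliases:
                out[canonical] = value.strip().lower()
    return out


def containing(results: str, term: str) -> bool:
    """Approximates one Asset Search CONTAINING term: a single case-insensitive substring
    test (case-insensitivity is assumed from the page's remark that case did not matter)."""
    return term.lower() in results.lower()


def owned_in_domain_and_prod(results: str) -> bool:
    """The AND condition a single CONTAINING term cannot express: an owner address in the
    company domain AND environment prod, tolerant of the key/value variations above."""
    t = normalized(parse_ec2_tags(results))
    return t.get("owner", "").endswith("@email.com") and t.get("environment") == "prod"


def select(predicate) -> list[str]:
    """Instance IDs from the sample for which the predicate holds."""
    return sorted(inst for inst, results in SAMPLE_RESULTS.items() if predicate(results))


if __name__ == "__main__":
    print("CONTAINING 'Environment | prod':", select(lambda r: containing(r, "Environment | prod")))
    print("owner in domain AND prod:       ", select(owned_in_domain_and_prod))
```

The single substring term misses i-0bbb because its tag is written "env | Prod"; the parsed-and-normalised predicate catches it, which is the effect the parent tag with nested per-variation child tags was compensating for before the Cloud Asset Search engine added boolean operators.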

 

 

Tagging Instances By State

These tags are very useful when reporting. When I create reports, I almost exclusively use asset tags. For example, when I create a new report and have to select a report source, I'll skip past the Asset Group section and proceed to the Asset Tag portion. Here I'll build my report criteria based on asset tags, obviously. I'll select one or more tags I want to report on, being mindful to use the correct boolean from the drop-down box, then I'll add "AWS: State [TERMINATED]" in the "Do not include tags" section.

 

Something I'll mention quickly about the "Include hosts that have ______ of the tags below". This drop down is basically an AND/OR operator. Any=OR whereas All=AND.

 

 

"AWS: State [TERMINATED]"

Tagging Rule Engine:      Cloud Asset Search (AWS EC2 Instance)

aws.ec2.instanceState:"TERMINATED"

 

"AWS: State [STOPPED]"

Tagging Rule Engine:      Cloud Asset Search (AWS EC2 Instance)

aws.ec2.instanceState:"STOPPED"

 

 

"AWS: State [RUNNING]"

Tagging Rule Engine:      Cloud Asset Search (AWS EC2 Instance)

aws.ec2.instanceState:"RUNNING"


Use Case 6 - Asset Types

Creating asset tags for asset types has proven important in my subscription. The number of different tags I have is steadily growing as my scope expands. I'll share a few of the tags I use most.

 

"Type: Server"

Tagging Rule Engine:      Operating System Regular Expression

Hands down, the single most used Type: asset tag is my "Type: Server" tag. This tag is used for reporting, scanning, widgets, metrics, and more. It's a tag that I'm constantly tweaking but I've got it about 98% of the way there and suits my needs perfectly. When creating this asset tag, it's important to check the "Ignore Case" checkbox.

.*Windows (Server|20\d\d).*|Linux|Red Hat Enterprise|Server.*
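Because this regular expression does most of the heavy lifting for the author's reporting and scanning, it pays to know exactly which OS strings it catches. The added Python example below (my code, not part of the original document and not a Qualys tool) runs the expression above, with Ignore Case as the tag requires, over a constructed list of OS strings. Whether Qualys applies the expression as a partial match or requires the whole OS string to match is not stated on the page, so the harness evaluates both and lists the strings whose tagging would flip between the two; that comparison and the sample OS strings are my assumptions.

```python
from __future__ import annotations

import re

# The regular expression from the "Type: Server" tag above, with Ignore Case as the tag requires.
SERVER_OS_REGEX = re.compile(
    r".*Windows (Server|20\d\d).*|Linux|Red Hat Enterprise|Server.*", re.IGNORECASE
)

# Constructed sample OS strings in the style Qualys shows in the OS field.
SAMPLE_OS = [
    "Windows Server 2016 Standard",
    "Windows 2012 R2 Datacenter",
    "Windows 10 Enterprise",            # desktop OS: should stay untagged
    "Red Hat Enterprise Linux Server 7.4",
    "Ubuntu Linux 16.04",
    "Linux",
    "Server Appliance",
    "MacOS 10.13",
]


def is_server(os_name: str, mode: str = "search") -> bool:
    """Evaluate the tag regex against one OS string.

    mode="search" treats the pattern as a partial match anywhere in the string;
    mode="fullmatch" requires the whole string to match. Which of the two Qualys
    applies is an assumption here, so both are offered.
    """
    if mode == "fullmatch":
        return SERVER_OS_REGEX.fullmatch(os_name) is not None
    return SERVER_OS_REGEX.search(os_name) is not None


def compare_modes(os_names: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each OS string: (partial-match result, full-match result)."""
    return {name: (is_server(name, "search"), is_server(name, "fullmatch")) for name in os_names}


def disagreements(os_names: list[str]) -> list[str]:
    """OS strings whose tagging would flip depending on the matching semantics."""
    return [name for name, (partial, full) in compare_modes(os_names).items() if partial != full]


if __name__ == "__main__":
    for name, (partial, full) in compare_modes(SAMPLE_OS).items():
        print(f"{name:40} partial={partial!s:5} full={full!s:5}")
    print("sensitive to matching semantics:", disagreements(SAMPLE_OS))
```

Two things the run makes visible: "Windows 10 Enterprise" is excluded under either semantics because "Windows " must be followed directly by "Server" or a 20xx year, and the bare "Linux" and "Red Hat Enterprise" alternatives only tag RHEL and Ubuntu under partial matching, since as full-string alternatives they would have to be the entire OS name.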

 

"Type: vSphere Server"

Tagging Rule Engine:      Asset Search

This tag looks for TCP port 443 to be open with the QID 12230 - "Default Web Page Found" and the results containing "vsphere".

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<OPEN_PORTS>
<PORT>443</PORT>
</OPEN_PORTS>
<DETECTION>
<QID_LIST>
<QID>12230</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>vsphere</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>

 

 

"Type: Meraki Device"

Tagging Rule Engine:      Asset Search

Identifying a Meraki device based on OS alone proved impossible for me, since the OS was either empty, listed as a variant of "UNIX", or came back as a list of possible OSes. I found that these devices have a default web page (QID 12230). Looking in the results, I found that the source page has an image file titled "cisco-meraki.png". I created an asset tag around this and it has worked beautifully!

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>12230</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>img src="images/cisco-meraki.png" width=</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>


Conclusion

The purpose of this document was to challenge you to think about whether or not you're getting the most out of the powerful asset tag feature. I realized early on that asset tags could be incredibly useful, but I didn't really know where to even begin. Hopefully, whether you're new to Qualys or a seasoned Qualys veteran deep in the trenches of war on ETERNALBLUE or (hopefully not) Conficker, you'll think about your asset tagging architecture. I'm not exaggerating when I say that once I extensively built out my asset tags, it dramatically increased my productivity, streamlined processes and workflows, standardized my scanning/reporting processes, improved widget results, and opened so many opportunities for exporting asset information outside of Qualys.

 

It's hard for me to think of a specific challenge I faced where asset tags didn't, at the very least, get me halfway there. I hope that you consider taking some of these items and seeing if they work in your environment. If you've made it this far in the document, you deserve a HUGE gold star. You should also comment if you have any creative ideas that have worked for you and your organization! I'd like to get a bunch of great use cases together and update this document with them. Let me know your feedback on this as well! I'm open to ALL FEEDBACK AND CHALLENGES!!!! Getting everyone sharing knowledge and talking about stuff like this only helps improve the community and welcomes newcomers!

 

And remember, (I'll leave this accurate picture of me here).

 

 

Cheers,

Colton
