Dashboard Toolbox - AssetView: Performance Management (v1.1)

Document created by Felix Jimenez (Employee) on Oct 5, 2018. Last modified by Felix Jimenez (Employee) on Apr 8, 2019.
Version 43

This AssetView dashboard gives you clear insight into key performance indicators (KPIs) that help any security professional be more proactive in identifying gaps in your Qualys management. Each widget shows the count of assets affected by an indicator, so you can review the KPIs at a glance.

 

The JSON file for this pre-built dashboard can be found in the attachment section at the end of this article. You may download & import it into Qualys AssetView (note: see warning below) in your Qualys subscription.

 

 

Dashboard Demonstration Images: New

 

 

Requirements

The following Widgets Require Asset Search Tags to be created for each:  

Widget: Auth With NTLMv1
TAG-NAME: Auth Using NTLMv1
TAG-CODE: Copy paste under Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>70053</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>NTLMSSP v1</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>

Widget: Auth with NTLMv2
TAG-NAME: Auth Using NTLMv2
TAG-CODE: Copy paste under Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>70053</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>NTLMSSP v2</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>

Widget: Auth with Kerberos
TAG-NAME: Auth Using kerberos
TAG-CODE: Copy paste under Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>70053</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>kerberos</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>

Widget: Windows Auth Method - Null Session
TAG-NAME: Win-auth-nullsession
TAG-CODE: Copy paste under Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>70028</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>NULL session</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>

Widget: Assets NO Asset Group!
TAG-NAME: Assets NO Asset Group!
TAG-CODE: Copy paste under Groovy Scriptlet rule:

if(asset.getAssetType()!=Asset.AssetType.HOST) return false;

return asset.tags.reservedType.findAll { it.toString().equals("ASSET_GROUP") }.size() < 1;

 

 

The following Widgets Require Groovy Scriptlet Tags to be created for each:  

Click the following link for assistance in converting time: Google Time Converter.

The only part of the code that needs to change for your desired time is the value shown in red: threshold_minutes = ###

Host Scan Time Tags:

Widget: Scan time > 15 Minutes
TAG-NAME: ScanTime15m
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 15
host_scan_time = asset.resultsForQid(45038L);

// Return false if the asset doesn't have QID 45038
// or the results are for some reason not the expected length.
if(host_scan_time == null || host_scan_time.length() <= 16)
    return false;

// Parse for duration.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger();
return host_scan_time > (threshold_minutes*60);

Widget: Scan time > 60 Minutes
TAG-NAME: ScanTime60m
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 60
host_scan_time = asset.resultsForQid(45038L);

// Return false if the asset doesn't have QID 45038
// or the results are for some reason not the expected length.
if(host_scan_time == null || host_scan_time.length() <= 16)
    return false;

// Parse for duration.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger();
return host_scan_time > (threshold_minutes*60);

Widget: Scan time > 12 Hours
TAG-NAME: ScanTime12H
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
// 12 hours = 720 minutes.
threshold_minutes = 720
host_scan_time = asset.resultsForQid(45038L);

// Return false if the asset doesn't have QID 45038
// or the results are for some reason not the expected length.
if(host_scan_time == null || host_scan_time.length() <= 16)
    return false;

// Parse for duration.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger();
return host_scan_time > (threshold_minutes*60);

Widget: Scan time > 24 Hours
TAG-NAME: ScanTime24H
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 1440
host_scan_time = asset.resultsForQid(45038L);

// Return false if the asset doesn't have QID 45038
// or the results are for some reason not the expected length.
if(host_scan_time == null || host_scan_time.length() <= 16)
    return false;

// Parse for duration.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger();
return host_scan_time > (threshold_minutes*60);

 

 

ScanTime Range Code for Tags New

These will enable you to specify a range and tag assets that fall within the specified range. 

Thanks to hjkreutzer for the editing of the code and providing the range calculation!

Widget: Scan Time Range in 5 Minutes
TAG-NAME: ScanTimeMin5-10
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 5
// The range is 5 minutes wide, so do not tag at or above the next threshold.
next_threshold_min = 5+threshold_minutes
// Obtain results for QID 45038.
host_scan_time = asset.resultsForQid(45038L);
// Return false if the asset has no results for QID 45038.
if (host_scan_time == null || host_scan_time.isEmpty())
    return false;
// Parse for duration.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger()
return host_scan_time > (threshold_minutes*60) && host_scan_time < (next_threshold_min*60);

Widget: Scan Time Range in 10 Minutes
TAG-NAME: ScanTimeMin10-20
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 10
// The range is 10 minutes wide, so do not tag at or above the next threshold.
next_threshold_min = 10+threshold_minutes
// Obtain results for QID 45038.
host_scan_time = asset.resultsForQid(45038L);
// Return false if the asset has no results for QID 45038.
if (host_scan_time == null || host_scan_time.isEmpty())
    return false;
// Parse for duration.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger()
return host_scan_time > (threshold_minutes*60) && host_scan_time < (next_threshold_min*60);
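
A dry run of the threshold and range rules above, as an added shell example that is not part of the original page or of Qualys code; it lets you check which tags a given QID 45038 result would receive before creating the rules. It assumes the result begins with the 15-character prefix "Scan duration: " (matching the rules' substring(15, ...) offset); the function names and sample results are constructed.

```shell
#!/bin/sh
# Added example: offline dry run of this page's scan-time tag rules.
# Thresholds follow the tag names (ScanTime15m ... ScanTime24H and the two
# ranges); the result strings are constructed samples.

# Print the duration in seconds from a QID 45038 result, or fail when the
# result is missing or not in the "Scan duration: N seconds" form.
scan_seconds() {
    case "$1" in
        "Scan duration: "*" seconds"*) ;;
        *) return 1 ;;
    esac
    secs=${1#"Scan duration: "}      # drop the 15-character prefix
    secs=${secs%%" seconds"*}        # keep text before the first " seconds"
    case "$secs" in
        ''|*[!0-9]*) return 1 ;;     # reject empty or non-numeric durations
    esac
    printf '%s\n' "$secs"
}

# Print the tag names (space separated) that the rules would assign.
scan_time_tags() {
    tags=""
    if secs=$(scan_seconds "$1"); then
        # Threshold tags: strictly longer than N seconds.
        for rule in ScanTime15m:900 ScanTime60m:3600 ScanTime12H:43200 ScanTime24H:86400; do
            if [ "$secs" -gt "${rule#*:}" ]; then tags="$tags ${rule%%:*}"; fi
        done
        # Range tags: strictly between the lower and upper bound.
        for rule in ScanTimeMin5-10:300:600 ScanTimeMin10-20:600:1200; do
            bounds=${rule#*:}
            if [ "$secs" -gt "${bounds%%:*}" ] && [ "$secs" -lt "${bounds#*:}" ]; then
                tags="$tags ${rule%%:*}"
            fi
        done
    fi
    printf '%s\n' "${tags# }"
}

# Constructed sample results; 600 seconds sits on the boundary between ranges.
for result in "Scan duration: 480 seconds" "Scan duration: 600 seconds" \
              "Scan duration: 960 seconds" "Scan duration: 90000 seconds" ""; do
    printf '%-32s -> %s\n' "'$result'" "$(scan_time_tags "$result")"
done
```

A scan of exactly 600 seconds receives neither range tag because both comparisons are strict, and a host over 24 hours carries all four threshold tags at once.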

 

 

API Guide  - Evaluate Tag: 

Asset Mgmt and Tagging v2 API - See Page: 31

The following code will enable you to set up jobs that trigger evaluation of the tags at a specified interval.

* * * Re-Evaluate the Tags as needed per Scan Cadence * * *

Evaluate all tags that have Groovy Script or Asset Search tag rules.

API Request:  **Note the POD API url & the file.xml needs to be created**

POD 1: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

POD 2: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qg2.apps.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

POD 3: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qg3.apps.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

Request POST data:   file.xml  or   GROOVY.xml

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleType" operator="EQUALS">GROOVY</Criteria>
  </filters>
</ServiceRequest>

Request POST data:   file.xml   or  ASSETSEARCH.xml

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleType" operator="EQUALS">ASSET_SEARCH</Criteria>
  </filters>
</ServiceRequest>
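
One way to wrap the evaluate call for a scheduled job, as an added example that is not part of the original page or of Qualys code: it generates both request bodies, accepts only the three POD API hosts listed above, and reads credentials from a netrc file instead of passing them with -u on the command line. QUALYS_API_HOST, QUALYS_NETRC and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Qualys code. QUALYS_API_HOST and QUALYS_NETRC are
# hypothetical environment variables assumed here.

# Print the ServiceRequest body for one rule type; reject anything else so
# no unexpected text ends up inside the XML.
build_eval_request() {
    case "$1" in
        GROOVY|ASSET_SEARCH) ;;
        *) echo "unsupported ruleType: $1" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
<filters>
<Criteria field="ruleType" operator="EQUALS">$1</Criteria>
</filters>
</ServiceRequest>
EOF
}

# Build the endpoint URL; only the three POD hosts listed above are accepted.
api_url() {
    case "$1" in
        qualysapi.qualys.com|qualysapi.qg2.apps.qualys.com|qualysapi.qg3.apps.qualys.com)
            printf 'https://%s/qps/rest/2.0/evaluate/am/tag\n' "$1" ;;
        *) echo "unknown POD API host: $1" >&2; return 1 ;;
    esac
}

# Re-evaluate Groovy and Asset Search tags. Credentials are read from a netrc
# file (machine <host> login <user> password <pass>), so they stay out of the
# process list and shell history.
evaluate_tags() {
    url=$(api_url "${QUALYS_API_HOST:-}") || return 1
    for rule_type in GROOVY ASSET_SEARCH; do
        build_eval_request "$rule_type" |
            curl --silent --show-error --fail \
                 --netrc-file "${QUALYS_NETRC:-$HOME/.netrc}" \
                 -H "content-type: text/xml" -X POST --data-binary @- "$url" ||
            return 1
    done
}

# Run only when asked, e.g. from cron: sh evaluate_tags.sh --run
if [ "${1:-}" = "--run" ]; then evaluate_tags; fi
```

Keep the netrc file readable only by the account that runs the job (mode 600).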

 

 

How to Enable Trending on the widgets:

Open the desired widget in edit mode by selecting the 3 lines on the top right of the widget and clicking on Configure Widget. Then select the Collect trend data check box.


Qualys - Training Videos:

Self-Paced Class: Vulnerability Management Asset Tags

Self-Paced Class: AssetView and Threat Protection

AssetView Dashboards

 

Help Link:

POD - 1 - Apply Tags to Organize Your Assets

POD - 2 - Apply Tags to Organize Your Assets

POD - 3 - Apply Tags to Organize Your Assets

 

 

References: 

Qualys Suite Release Notes | Qualys, Inc. 

Qualys Training

Looking for additional Qualys documentation? Use the Resource link in the Qualys Portal (Help > Resources).

 

Related community Post:

Benefits of Authenticated Scanning (v1.0) 

Verify Authentication with the Authentication Report 

 

Additional AssetView Dashboards: #performance_mgmt

Dashboard Toolbox - Asset View: How To - Import a Dashboard json 

- - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - -
Dashboard Toolbox - AssetView: Host Scan Time Management (v1.1)
Dashboard Toolbox - AssetView: Scanning Activity Management (v1.0) 
Dashboard Toolbox - AssetView: Open Ports Management & RTI (v1.0)

Dashboard Toolbox - AssetView: EOL/Obsolete Software & RTI MGMT (v1.0)

Dashboard Toolbox - AssetView: Windows Authentication Management (v1.4)

 

 

WARNING: Read Before Downloading

Dashboard and Widget JSON files are not interchangeable between application dashboards. AssetView JSON files may only be used in AssetView and Vulnerability Management JSON files may only be used in Vulnerability Management. If you make a mistake and import a JSON file from one application into the other, you must contact Qualys Support to have the error corrected in the database for your subscription. Again, there is no way to reverse this mistake within the UI, it must be done in the database.

 

Credits

fjimenez This page contains information to create a Scorecard dashboard leveraging data in your Qualys Vulnerability Management subscription. This dashboard is part of AssetView Dashboard Program. If you have any questions regarding the content, please comment below or Contact Support - Technical Assistance Inquiry Form | Qualys, Inc.

 

Dashboard Collaborators:

fjimenez

 
