AssetView Dashboards Continued - SLAs and Management Information

Document created by Ian Glennon (Employee) on Jan 28, 2019. Last modified by Robert Dell'Immagine on Feb 1, 2019. Version 4.

Prioritising activity and management reporting are common concerns for large and small businesses alike.  With Qualys Threat Protection integrated into your dashboards and in Search Lists for your reporting templates, coupled with structured SLAs, management information can be available at your fingertips and remediation activity can be readily assessed and more easily actioned.  This document will demonstrate how to use the Threat Intelligence provided by Threat Protection RTIs in a Management Information dashboard for AssetView and how to build a report template which mirrors this dashboard information.

The dashboard and reports templates shown below are taken from a real-life use-case.  The following Threat Protection Real-Time Threat Indicators (RTIs) are examples of those your organisation may be focused on: Active Attacks, Exploit Kit, High Data Loss, High Lateral Movement, Exploit Public.

 

SLAs

In the example below there are 4 SLA categories: Critical, High, Medium and Low.  Fix times (in brackets) are defined as time since first discovery of the vulnerability.

Critical (15 days)
  - All Confirmed Severity 5 vulnerabilities with any of the RTIs

High (30 days)
  - All Confirmed Severity 5 vulnerabilities
  - All Confirmed Severity 3 or 4 vulnerabilities with any of the RTIs

Medium (90 days)
  - All Confirmed Severity 3 or 4 vulnerabilities
  - All Potential Severity 4 or 5 vulnerabilities
  - All Confirmed Severity 1 or 2 vulnerabilities with any of the RTIs

Low (180 days)
  - All Confirmed Severity 1 or 2 vulnerabilities
  - All Potential Severity 1, 2 or 3 vulnerabilities

MI Dashboard

The dashboard consists of 4 widgets, one for each category.  The main query shows the number of assets which have failed the SLA, and the reference query shows the number of assets with vulnerabilities in that SLA category overall (failed SLA + within SLA).  Trend lines provide tracking of the SLA over time.

An importable version of this dashboard is attached to this document, see below for the download link.

Widget Format

The format of the remaining widgets is identical to the first, excepting of course the names and queries.

Widget Queries

Critical

The widget's main query below shows assets which meet the SLA criteria.  Note the 'firstFound' clause at the end of the query, which limits the results to those assets with matching vulnerabilities first found more than 15 days ago.

vulnerabilities:(typeDetected:"Confirmed" and vulnerability.severity:5 and vulnerability.patchAvailable: "true" AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.highLateralMovement: "true" or vulnerability.threatIntel.publicExploit: "true") and firstFound < now-15d)

The widget's reference query is the same but omits the time at which the vulnerability was first found.

vulnerabilities:(typeDetected:"Confirmed" and vulnerability.severity:5 and vulnerability.patchAvailable: "true" AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.highLateralMovement: "true" or vulnerability.threatIntel.publicExploit: "true"))

High

The main query:

vulnerabilities:(typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and ((vulnerability.severity: [3..4] AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (vulnerability.severity: 5 AND NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true"))) and firstFound < now-30d)

As you can see, this query is considerably more complex than that for the Critical SLA, reflecting the complexity of this particular SLA category.  Note also the NOT clause in the second part of the query, which excludes any Severity 5 vulnerability that has one of the RTIs set.  This ensures that the vulnerabilities match the SLA criteria and that results from the Critical category are not double-counted in the High category.

The reference query, as with all of the widgets, is identical to the main query but without the firstFound component.

vulnerabilities:(typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and ((vulnerability.severity: [3..4] AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (vulnerability.severity: 5 AND NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true"))))

Medium

The main query:

vulnerabilities:((typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and ((vulnerability.severity: [1..2] AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (vulnerability.severity: [3..4] AND NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")))) OR (typeDetected: "Potential" and vulnerability.severity: [4..5] and vulnerability.patchAvailable: "true")) and firstFound < now-90d)

As in the High category, Confirmed Severity 3 or 4 vulnerabilities are counted here only when none of the RTIs is set (the NOT clause), so that those already counted in the High category are not double-counted.

The reference query:

vulnerabilities:((typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and ((vulnerability.severity: [1..2] AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (vulnerability.severity: [3..4] AND NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")))) OR (typeDetected: "Potential" and vulnerability.severity: [4..5] and vulnerability.patchAvailable: "true")))

Low

The main query:

vulnerabilities:((typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and (vulnerability.severity: [1..2] AND NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (typeDetected: "Potential" AND vulnerability.patchAvailable: "true" and vulnerability.severity: [1..3])) and firstFound < now-180d)

The reference query:

vulnerabilities:((typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and (vulnerability.severity: [1..2] AND NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (typeDetected: "Potential" AND vulnerability.patchAvailable: "true" and vulnerability.severity: [1..3])))
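The SLA table and the four widget queries above, modelled in Python as an added example (this is not Qualys code and not part of the original document). Each category is a predicate over a single detection, mirroring the reference queries; the main query's extra firstFound clause becomes the failed_sla check, and widget_counts returns the (failed SLA, overall) pair per category that each widget displays. Assumptions: "any of the RTIs" means any of the five RTIs named in the introduction, applied the same way in every category; the "without RTIs" branches for Severity 5 and Severity 3 or 4 are written as NOT (any RTI), as the High section describes; hostnames, QIDs and dates are constructed placeholders.

```python
"""The four SLA categories as query-style predicates, plus the per-widget
"failed SLA" / "overall" counts the MI Dashboard shows.  Added example, not
Qualys code: the predicates paraphrase the widget reference queries and the
detections at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# RTIs named in the introduction.  Assumption: "any of the RTIs" means any of
# these five, applied uniformly across all four categories.
RTIS = ("activeAttacks", "exploitKit", "highDataLoss",
        "highLateralMovement", "publicExploit")

# Fix time (days since firstFound) per SLA category, from the document.
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Detection:
    asset: str
    qid: int                      # placeholder QIDs in the sample, not real ones
    type_detected: str            # "Confirmed" or "Potential"
    severity: int                 # 1..5
    first_found: datetime
    patch_available: bool = True
    rtis: frozenset = frozenset() # names from RTIS that are true for this QID

    @property
    def has_rti(self) -> bool:
        return any(r in self.rtis for r in RTIS)


def _confirmed(d: Detection) -> bool:
    return d.type_detected == "Confirmed"


def _potential(d: Detection) -> bool:
    return d.type_detected == "Potential"


# One predicate per widget, mirroring the reference queries (no firstFound).
# The "not d.has_rti" branches keep the categories mutually exclusive.
CATEGORY_QUERIES = {
    "Critical": lambda d: _confirmed(d) and d.severity == 5 and d.has_rti,
    "High":     lambda d: _confirmed(d) and (
                    (d.severity in (3, 4) and d.has_rti)
                    or (d.severity == 5 and not d.has_rti)),
    "Medium":   lambda d: (_confirmed(d) and (
                    (d.severity in (1, 2) and d.has_rti)
                    or (d.severity in (3, 4) and not d.has_rti)))
                or (_potential(d) and d.severity in (4, 5)),
    "Low":      lambda d: (_confirmed(d) and d.severity in (1, 2) and not d.has_rti)
                or (_potential(d) and d.severity in (1, 2, 3)),
}


def sla_category(d: Detection) -> Optional[str]:
    """Category whose query matches, or None (no patch, or nothing matches)."""
    if not d.patch_available:            # every query requires patchAvailable
        return None
    matches = [c for c, q in CATEGORY_QUERIES.items() if q(d)]
    assert len(matches) <= 1, f"categories overlap for {d}"
    return matches[0] if matches else None


def failed_sla(d: Detection, now: datetime) -> bool:
    """The main query's extra clause: firstFound older than the fix time."""
    cat = sla_category(d)
    return cat is not None and d.first_found < now - timedelta(days=SLA_DAYS[cat])


def widget_counts(detections, now):
    """Per category: (assets failing the SLA, assets with any detection in it).

    Counted per asset, as the AssetView widgets count assets, not detections.
    """
    failed = {c: set() for c in SLA_DAYS}
    overall = {c: set() for c in SLA_DAYS}
    for d in detections:
        cat = sla_category(d)
        if cat is None:
            continue
        overall[cat].add(d.asset)
        if failed_sla(d, now):
            failed[cat].add(d.asset)
    return {c: (len(failed[c]), len(overall[c])) for c in SLA_DAYS}


NOW = datetime(2019, 2, 1, tzinfo=timezone.utc)   # constructed "report date"


def _at(y, m, day):
    return datetime(y, m, day, tzinfo=timezone.utc)


def sample_detections():
    """Constructed detections; hostnames and QIDs are placeholders."""
    aa, ek, pe = frozenset({"activeAttacks"}), frozenset({"exploitKit"}), frozenset({"publicExploit"})
    return [
        Detection("host-1", 100001, "Confirmed", 5, _at(2019, 1, 1), rtis=aa),    # Critical, 31 days: failed
        Detection("host-2", 100001, "Confirmed", 5, _at(2019, 1, 25), rtis=aa),   # Critical, 7 days: within
        Detection("host-2", 100002, "Confirmed", 5, _at(2018, 12, 1)),            # High, 62 days: failed
        Detection("host-3", 100003, "Confirmed", 4, _at(2019, 1, 10), rtis=ek),   # High, 22 days: within
        Detection("host-3", 100004, "Potential", 5, _at(2018, 10, 1)),            # Medium, 123 days: failed
        Detection("host-6", 100005, "Confirmed", 1, _at(2018, 10, 15), rtis=pe),  # Medium, 109 days: failed
        Detection("host-5", 100006, "Confirmed", 3, _at(2019, 1, 20)),            # Medium, 12 days: within
        Detection("host-4", 100007, "Confirmed", 2, _at(2018, 6, 1)),             # Low, 245 days: failed
        Detection("host-1", 100008, "Confirmed", 4, _at(2018, 1, 1), patch_available=False),  # no patch: out of scope
    ]


if __name__ == "__main__":
    for cat, (n_failed, n_overall) in widget_counts(sample_detections(), NOW).items():
        print(f"{cat:8} failed SLA: {n_failed}  overall: {n_overall}  ({SLA_DAYS[cat]} days)")
```

Because sla_category asserts that at most one category matches, running it across every combination of type, severity and RTI state is a quick way to confirm that an edited set of queries still does not double-count; the widget numbers only reconcile with the patch reports when that holds.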

 

Report Templates

To make this information actionable, the results for each SLA category must be captured in Search Lists for use in Patch Report Templates.  Getting the inclusion and exclusion rules right is key to ensuring that the patch requirements do not overlap.  The result is a set of actionable reports which correspond to the SLA categories and which match the numbers shown in the MI Dashboard.  Threat Protection adds RTI criteria to Search Lists: a list with RTI criteria includes those vulnerabilities which match its vulnerability criteria and for which one or more of the selected RTIs are true.

To do this, we must first create 7 Search Lists which match the SLA categories and the exclusions, as follows.

Search List Title / Vulnerability Criteria / Threat Protection RTI criteria:

Critical
  Vulnerability criteria: Confirmed Severity 5
  RTI criteria: Active Attacks, Exploit Kit, High Data Loss, Public Exploit

High Without RTIs
  Vulnerability criteria: Confirmed Severity 5
  RTI criteria: None

High With RTIs
  Vulnerability criteria: Confirmed Severity 3 or 4
  RTI criteria: Active Attacks, Exploit Kit, High Data Loss, Public Exploit

Medium Without RTIs
  Vulnerability criteria: Confirmed Severity 3 or 4; Potential Severity 4 or 5
  RTI criteria: None

Medium With RTIs
  Vulnerability criteria: Confirmed Severity 1 or 2
  RTI criteria: Active Attacks, Exploit Kit, High Data Loss, Public Exploit

Low
  Vulnerability criteria: Confirmed Severity 1 or 2; Potential Severity 1, 2 or 3
  RTI criteria: None

TP RTIs *
  Vulnerability criteria: None
  RTI criteria: Active Attacks, Exploit Kit, High Data Loss, Public Exploit

* The TP RTIs Search List is only used for exclusion: it excludes all vulnerabilities for which any of the RTI criteria are true.

A set of Patch Report templates, one for each of the SLA categories, can now be created using these Search Lists to match the patch report to the SLA and to the information displayed in the MI Dashboard.

Inclusions and Exclusions are specified in the Selective Vulnerability Reporting section of the template.

Report Template Title / Inclusions / Exclusions:

SLA Patch Report - Critical
  Inclusions: Critical
  Exclusions: (none)

SLA Patch Report - High
  Inclusions: High With RTIs, High Without RTIs
  Exclusions: Critical

SLA Patch Report - Medium
  Inclusions: Medium With RTIs, Medium Without RTIs
  Exclusions: High With RTIs

SLA Patch Report - Low
  Inclusions: Low
  Exclusions: TP RTIs
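The Search Lists and Patch Report Templates from the two tables above, modelled as set operations in Python as an added example (not Qualys code and not part of the original document). Each Search List is a predicate over (typeDetected, severity, has_rti) and a template reports the union of its inclusion lists minus the union of its exclusion lists; overlaps() and uncovered() are the checks for the "no overlap" property the Report Templates section asks for. Assumptions: has_rti stands for "any of the selected RTIs is true", and RTI criteria "None" means the list ignores RTIs entirely.

```python
"""Search Lists and Patch Report Templates from the document, modelled as set
operations.  Added example, not Qualys code: each Search List is a predicate
over (typeDetected, severity, has_rti); a template reports the union of its
inclusion lists minus the union of its exclusion lists.
"""
from itertools import product

TYPES = ("Confirmed", "Potential")
SEVERITIES = range(1, 6)
# Every (typeDetected, severity, has_rti) combination a detection can fall into.
ALL_COMBOS = frozenset(product(TYPES, SEVERITIES, (False, True)))

# Search List definitions from the document's table.  Vulnerability criteria and
# RTI criteria are ANDed within a list; RTI criteria "None" means the list does
# not look at RTIs at all (assumption).  r stands for "any selected RTI is true".
SEARCH_LISTS = {
    "Critical":            lambda t, s, r: t == "Confirmed" and s == 5 and r,
    "High Without RTIs":   lambda t, s, r: t == "Confirmed" and s == 5,
    "High With RTIs":      lambda t, s, r: t == "Confirmed" and s in (3, 4) and r,
    "Medium Without RTIs": lambda t, s, r: (t == "Confirmed" and s in (3, 4))
                                           or (t == "Potential" and s in (4, 5)),
    "Medium With RTIs":    lambda t, s, r: t == "Confirmed" and s in (1, 2) and r,
    "Low":                 lambda t, s, r: (t == "Confirmed" and s in (1, 2))
                                           or (t == "Potential" and s in (1, 2, 3)),
    "TP RTIs":             lambda t, s, r: r,   # exclusion-only list
}

# Report templates: (inclusion lists, exclusion lists), from the document's table.
REPORT_TEMPLATES = {
    "SLA Patch Report - Critical": (["Critical"], []),
    "SLA Patch Report - High":     (["High With RTIs", "High Without RTIs"], ["Critical"]),
    "SLA Patch Report - Medium":   (["Medium With RTIs", "Medium Without RTIs"], ["High With RTIs"]),
    "SLA Patch Report - Low":      (["Low"], ["TP RTIs"]),
}


def search_list_members(name):
    """Combinations a Search List selects."""
    pred = SEARCH_LISTS[name]
    return frozenset(c for c in ALL_COMBOS if pred(*c))


def template_members(name):
    """Inclusions minus exclusions: what a Patch Report Template actually reports."""
    includes, excludes = REPORT_TEMPLATES[name]
    included = frozenset().union(*(search_list_members(n) for n in includes))
    excluded = frozenset().union(*(search_list_members(n) for n in excludes))
    return included - excluded


def overlaps():
    """Pairs of templates that would report the same combination (double counting)."""
    names = list(REPORT_TEMPLATES)
    members = {n: template_members(n) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if members[a] & members[b]]


def uncovered():
    """Combinations reported by no template at all."""
    reported = frozenset().union(*(template_members(n) for n in REPORT_TEMPLATES))
    return ALL_COMBOS - reported


if __name__ == "__main__":
    for name in REPORT_TEMPLATES:
        print(name)
        for t, s, r in sorted(template_members(name)):
            print(f"  {t:9} severity {s} {'with' if r else 'without'} RTIs")
    print("overlapping templates:", overlaps())
    print("unreported combinations:", sorted(uncovered()))
```

Run as written, overlaps() comes back empty, so the four reports never double-count a vulnerability. uncovered() is not empty, though: Potential Severity 1, 2 or 3 detections that carry an RTI are included by the Low Search List but then removed by the TP RTIs exclusion, whereas the Low widget query counts them. If such detections occur in your data, the Low report and the Low widget will differ by those assets; dropping the TP RTIs exclusion from the Low report would instead bring back the Confirmed Severity 1 or 2 with RTIs vulnerabilities already reported as Medium, so reconciling the two needs a narrower exclusion list.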

 

Report Scheduling

Typically you would schedule reports to coincide with normal patch cycles; however, these SLA-focused reports can be scheduled more frequently as their content will be much reduced.  A typical schedule, assuming daily scanning activity, may follow the rules below, allowing time for remediation within the SLA period while also reflecting the higher frequency required by higher priorities.  Where scanning is not daily, adjust the reporting frequency accordingly.

SLA Report   Frequency   Reports per SLA cycle
Critical     Daily       15
High         Weekly      4
Medium       Monthly     3
Low          Quarterly   2