Prioritising activity and management reporting are common concerns for large and small businesses alike. With Qualys Threat Protection integrated into your dashboards and in Search Lists for your reporting templates, coupled with structured SLAs, management information can be available at your fingertips and remediation activity can be readily assessed and more easily actioned. This document will demonstrate how to use the Threat Intelligence provided by Threat Protection RTIs in a Management Information dashboard for AssetView and how to build a report template which mirrors this dashboard information.
The dashboard and report templates shown below are taken from a real-life use-case. The following Threat Protection Real-Time Threat Indicators (RTIs) are examples of those your organisation may be focused on: Active Attacks, Exploit Kit, High Data Loss, High Lateral Movement, Public Exploit.
SLAs
In the example below there are 4 SLA categories: Critical, High, Medium and Low. Fix times (in brackets) are defined as time since first discovery of the vulnerability.
Critical (15 days) | High (30 days) | Medium (90 days) | Low (180 days) |
---|---|---|---|
All Confirmed Severity 5 vulnerabilities with any of the RTIs | All Confirmed Severity 5 vulnerabilities | All Confirmed Severity 3 or 4 vulnerabilities | All Confirmed Severity 1 or 2 vulnerabilities |
 | All Confirmed Severity 3 or 4 vulnerabilities with any of the RTIs | All Potential Severity 4 or 5 vulnerabilities | All Potential Severity 1, 2 or 3 vulnerabilities |
 | | All Confirmed Severity 1 or 2 vulnerabilities with any of the RTIs | |
MI Dashboard
The dashboard consists of 4 widgets, one for each category. Each widget's main query shows the number of assets which have failed the SLA, while its reference query shows the number of assets with vulnerabilities in that SLA category overall (failed SLA + within SLA). Trend lines track the SLA over time.
An importable version of this dashboard is attached to this document; see below for the download link.
Widget Format
The format of the remaining widgets is identical to the first, excepting of course the names and queries.
Widget Queries
Critical
The widget's main query below shows assets which meet the SLA criteria. Note the 'firstFound' clause at the end of the query, which limits the results to assets with vulnerabilities first found more than 15 days ago, i.e. outside the 15-day SLA.
vulnerabilities:(typeDetected:"Confirmed" and vulnerability.severity:5 and vulnerability.patchAvailable: "true" AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.highLateralMovement: "true" or vulnerability.threatIntel.publicExploit: "true") and firstFound < now-15d)
The widget's reference query is the same but omits the time at which the vulnerability was first found.
vulnerabilities:(typeDetected:"Confirmed" and vulnerability.severity:5 and vulnerability.patchAvailable: "true" AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.highLateralMovement: "true" or vulnerability.threatIntel.publicExploit: "true"))
High
The main query is as follows:
vulnerabilities:(typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and ((vulnerability.severity: [3..4] AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (vulnerability.severity: 5 and NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true"))) and firstFound < now-30d)
As you can see, this query is considerably more complex than the one for the Critical SLA, reflecting the two distinct conditions that make up this SLA category. Note also that the second part of the query excludes vulnerabilities for which any of the RTIs is true. This keeps the results within the SLA criteria and ensures that vulnerabilities already counted in the Critical category are not double-counted in the High category.
The reference query, as with all of the widgets, is identical to the main query but without the firstFound component.
vulnerabilities:(typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and ((vulnerability.severity: [3..4] AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (vulnerability.severity: 5 and NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true"))))
Medium
The main query:
vulnerabilities:((typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and ((vulnerability.severity: [1..2] AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (vulnerability.severity: [3..4] and NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")))) OR (typeDetected: "Potential" and vulnerability.severity: [4..5] and vulnerability.patchAvailable: "true")) and firstFound < now-90d)
The reference query:
vulnerabilities:((typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and ((vulnerability.severity: [1..2] AND (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (vulnerability.severity: [3..4] and NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")))) OR (typeDetected: "Potential" and vulnerability.severity: [4..5] and vulnerability.patchAvailable: "true")))
Low
The main query:
vulnerabilities:((typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and (vulnerability.severity: [1..2] AND NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (typeDetected: "Potential" AND vulnerability.patchAvailable: "true" and vulnerability.severity: [1..3])) and firstFound < now-180d)
The reference query:
vulnerabilities:((typeDetected: "Confirmed" AND vulnerability.patchAvailable: "true" and (vulnerability.severity: [1..2] AND NOT (vulnerability.threatIntel.activeAttacks: "true" or vulnerability.threatIntel.exploitKit: "true" or vulnerability.threatIntel.highDataLoss:"true" or vulnerability.threatIntel.publicExploit: "true")) OR (typeDetected: "Potential" AND vulnerability.patchAvailable: "true" and vulnerability.severity: [1..3])))
Report Templates
To make this information actionable, the results for each SLA category must be captured in Search Lists for use in Patch Report Templates. Getting the inclusion and exclusion rules right is key to ensuring that the patch requirements do not overlap. The result is a set of actionable reports which correspond to the SLA categories and match the numbers shown in the MI Dashboard. Threat Protection adds RTI criteria to Search Lists: a Search List with RTI criteria selected includes only those vulnerabilities which match its vulnerability criteria and for which one or more of the selected RTIs are true.
In order to do this, we must first create 7 Search Lists which match the SLA categories and the exclusions, as follows.
Search List Title | Vulnerability Criteria | Threat Protection RTI criteria |
---|---|---|
Critical | Confirmed Severity 5 | Active Attacks, Exploit Kit, High Data Loss, Public Exploit |
High Without RTIs | Confirmed Severity 5 | None |
High With RTIs | Confirmed Severity 3 or 4 | Active Attacks, Exploit Kit, High Data Loss, Public Exploit |
Medium Without RTIs | Confirmed Severity 3 or 4; Potential Severity 4 or 5 | None |
Medium With RTIs | Confirmed Severity 1 or 2 | Active Attacks, Exploit Kit, High Data Loss, Public Exploit |
Low | Confirmed Severity 1 or 2; Potential Severity 1, 2 or 3 | None |
TP RTIs * | None | Active Attacks, Exploit Kit, High Data Loss, Public Exploit |
* The TP RTIs Search List is used only for exclusion; it excludes all vulnerabilities for which any of the RTI criteria are true.
A set of Patch Report templates, one for each of the SLA categories, can now be created using these Search Lists to match the patch report to the SLA and to the information displayed in the MI Dashboard.
Inclusions and Exclusions are specified in the Selective Vulnerability Reporting section of the template.
Report Template Title | Inclusions | Exclusion |
---|---|---|
SLA Patch Report - Critical | Critical | |
SLA Patch Report - High | High with RTIs; High without RTIs | Critical |
SLA Patch Report - Medium | Medium with RTIs; Medium without RTIs | High with RTIs |
SLA Patch Report - Low | Low | TP RTIs |
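To make the category definitions concrete, the following added Python example (not part of this document and not Qualys tooling) models the four widget queries above and the Search List and report template tables as predicates over a constructed set of detections, computes each widget's failed-SLA and overall asset counts, and checks that every detection lands in exactly the report that matches its dashboard category. The Detection record, the RTI set and the sample findings are assumptions for illustration. Two points the check surfaces are worth bearing in mind when building this in your own subscription: the Critical widget query also tests High Lateral Movement while the other queries and the Search Lists do not, so the same RTI set should be used throughout or the dashboard and reports will not reconcile; and the TP RTIs exclusion on the Low report also removes Potential severity 1 to 3 findings that carry an RTI, which the Low widget query still counts (the constructed QID 1008 shows this).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# RTIs consulted by the Search Lists above. The Critical widget query also
# checks highLateralMovement; a single shared set is assumed here so that
# the dashboard and report views can be compared like for like.
RTIS = frozenset({"activeAttacks", "exploitKit", "highDataLoss", "publicExploit"})
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Detection:                 # hypothetical record, not a Qualys API object
    qid: int
    asset: str
    type_detected: str           # "Confirmed" or "Potential"
    severity: int                # 1..5
    patch_available: bool
    first_found: date
    rtis: frozenset = frozenset()   # RTIs that are "true" for this QID


def has_rti(d):
    # Equivalent of '(activeAttacks:"true" or exploitKit:"true" or ...)'.
    # The exclusion the High/Medium/Low queries need is 'NOT (... or ...)',
    # i.e. 'not has_rti(d)'; an 'or' of "false" terms would instead match any
    # finding with at least one RTI false, which is almost every finding.
    return bool(d.rtis & RTIS)


def dashboard_category(d):
    # Which widget's reference query a detection matches (None: no widget).
    # Each clause mirrors a widget query; the clauses are mutually exclusive.
    if not d.patch_available:
        return None
    conf = d.type_detected == "Confirmed"
    pot = d.type_detected == "Potential"
    rti = has_rti(d)
    if conf and d.severity == 5 and rti:
        return "Critical"
    if conf and ((d.severity in (3, 4) and rti) or (d.severity == 5 and not rti)):
        return "High"
    if (conf and ((d.severity in (1, 2) and rti) or (d.severity in (3, 4) and not rti))
            or (pot and d.severity in (4, 5))):
        return "Medium"
    if (conf and d.severity in (1, 2) and not rti) or (pot and d.severity in (1, 2, 3)):
        return "Low"
    return None


def widget_counts(dets, today):
    # Per category: (assets failing the SLA, assets in the category overall),
    # i.e. the main query count and the reference query count of each widget.
    out = {}
    for cat, days in SLA_DAYS.items():
        in_cat = [d for d in dets if dashboard_category(d) == cat]
        failed = {d.asset for d in in_cat if d.first_found < today - timedelta(days=days)}
        out[cat] = (len(failed), len({d.asset for d in in_cat}))
    return out


# Search Lists from the table: (vulnerability type, severities, RTI criteria
# selected). A list with no RTI criteria applies no RTI filter at all, which
# is why the report templates need exclusions to avoid overlap.
SEARCH_LISTS = {
    "Critical":            [("Confirmed", {5}, True)],
    "High Without RTIs":   [("Confirmed", {5}, False)],
    "High With RTIs":      [("Confirmed", {3, 4}, True)],
    "Medium Without RTIs": [("Confirmed", {3, 4}, False), ("Potential", {4, 5}, False)],
    "Medium With RTIs":    [("Confirmed", {1, 2}, True)],
    "Low":                 [("Confirmed", {1, 2}, False), ("Potential", {1, 2, 3}, False)],
    "TP RTIs":             [(None, None, True)],   # exclusion only: any RTI true
}
REPORTS = {  # report title: (inclusions, exclusions) as in the template table
    "Critical": (["Critical"], []),
    "High":     (["High With RTIs", "High Without RTIs"], ["Critical"]),
    "Medium":   (["Medium With RTIs", "Medium Without RTIs"], ["High With RTIs"]),
    "Low":      (["Low"], ["TP RTIs"]),
}


def in_search_list(d, name):
    for vtype, sevs, need_rti in SEARCH_LISTS[name]:
        if ((vtype is None or d.type_detected == vtype)
                and (sevs is None or d.severity in sevs)
                and (not need_rti or has_rti(d))):
            return True
    return False


def report_titles(d):
    # Patch Reports cover patchable findings only; inclusions minus exclusions.
    if not d.patch_available:
        return frozenset()
    return frozenset(t for t, (incl, excl) in REPORTS.items()
                     if any(in_search_list(d, n) for n in incl)
                     and not any(in_search_list(d, n) for n in excl))


def reconcile(dets):
    # Detections whose report membership differs from their dashboard category.
    return [d for d in dets if report_titles(d) != {dashboard_category(d)} - {None}]


TODAY = date(2024, 6, 1)        # constructed reference date


def days_ago(n):
    return TODAY - timedelta(days=n)


SAMPLE = [                      # constructed detections, not real scan data
    Detection(1001, "web-01", "Confirmed", 5, True, days_ago(20), frozenset({"activeAttacks"})),
    Detection(1002, "web-02", "Confirmed", 5, True, days_ago(10), frozenset({"exploitKit"})),
    Detection(1003, "db-01", "Confirmed", 5, True, days_ago(45)),
    Detection(1004, "db-01", "Confirmed", 4, True, days_ago(5), frozenset({"publicExploit"})),
    Detection(1005, "app-01", "Confirmed", 3, True, days_ago(100)),
    Detection(1006, "app-02", "Potential", 5, True, days_ago(30)),
    Detection(1007, "app-02", "Confirmed", 2, True, days_ago(200)),
    Detection(1008, "app-03", "Potential", 2, True, days_ago(3), frozenset({"highDataLoss"})),
    Detection(1009, "app-03", "Confirmed", 5, False, days_ago(400)),   # no patch: outside all
]

if __name__ == "__main__":
    for cat, (failed, total) in widget_counts(SAMPLE, TODAY).items():
        print(f"{cat:8s} failed SLA: {failed}  in category: {total}")
    for d in reconcile(SAMPLE):
        print("dashboard/report mismatch:", d.qid, dashboard_category(d), set(report_titles(d)))
```

Running the block prints one line per widget with the failed and overall asset counts, followed by any detection whose report membership does not match its dashboard category; with the constructed sample only QID 1008 is reported, for the reason given above.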
Report Scheduling
Typically you would schedule reports to coincide with normal patch cycles; however, because these SLA-focused reports contain much less content, they can be scheduled more frequently. A typical schedule, assuming daily scanning activity, may follow the rules below, allowing time for remediation within the SLA period while also reflecting the higher frequency required by higher priorities. Where scans are not daily you should adjust the reporting frequency accordingly.
SLA Report | Frequency | Reports per SLA cycle |
---|---|---|
Critical | Daily | 15 |
High | Weekly | 4 |
Medium | Monthly | 3 |
Low | Quarterly | 2 |