I am currently learning to be proficient in Qualys scanning. I mostly use the Qualys top 20 profile right now, but I am just wondering if anyone has any good advice on what filters to use or if anyone has any custom profiles they use.
If you are not already aware, the first thing you might want to look at is the free lab-based, instructor-led training we provide. If you can't find an upcoming session near you, we often provide web-based sessions. See https://community.qualys.com/community/training for schedule and registration.
The class goes into details around your questions. Meanwhile, much of what you do will likely depend upon your specific needs; however, as a general good practice I often recommend to scan for all vulnerabilities (keep in mind we use an iterative intelligent process), and then selectively report. We separate scanning from reporting.
Take a look at the Initial Options Profile. Once you have a scan completed with that, I recommend you review the Provided Search Lists, and make a couple of your own Search Lists. These Search Lists are used within Report Templates, which can help fine-tune reporting based upon your scan results.
Thanks for the reply. That's kind of what I figured. I have completed and graduated from the training actually but don't remember a whole lot of content regarding custom search lists, and I was more looking for an idea of what other people use in their organizations. I do run the initial options, Qualys top 20 and the 2008 Sans20 options as I'm trying to determine how we want to run the scans. My boss just suggested asking the community what they might use.
No problem. Glad you were able to attend the training.
Have a look for example at the Qualys top 20 Option Profile. The difference really is between doing a Complete Vuln detection or doing a Custom (selective) vuln detection. That Option Profile (the HOW to scan) is doing custom vuln detection and is using a Search List, and only scanning for those particular vulnerabilities identified in the Search List.
If you are scanning for complete vulnerabilities, you can use the same Search List to report upon those same vulnerabilities.
Ask yourself, if there is a reason why you couldn't or wouldn't do a complete vulnerability scan. Then selectively report.
Consider as well -- if you did a scan using the Initial Options, was using the Qualys Top 20 redundant? Again, if you had already done the former, scanning for the latter wouldn't be necessary -- just use the same search list provided in the latter in a Report Template instead.
That makes sense. When I first began running scans I tried a few different ones to "get the hang of it". I guess the idea my boss has is to make it easier for us to cut out some of the vulnerabilities detected and really focus on, say, vulnerabilities with a critical level of 4-5 for instance, or a list of top 10 in the wild. Just examples. We have quite a bit of patch management to do and are mostly coming up with a lot of stuff to sift through.
Perfect. And we even provide default Report Templates and Search Lists that provide for what you need. Have a look at those Search Lists or create your own, and you will find that you can create a Search List to identify only Confirmed (and/or Potential) 4 and 5 vulnerabilities. Create a Report Template, and add that Search List. Your report will only report upon those 4 and 5s.
Might I also suggest you look at the Patch Templates. Create a Patch Template adding a Search List that looks for only 4s and 5s, exploitable and patchable vulnerabilities.
Best wishes and I hope this was helpful.
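The "scan for everything, then report selectively" advice in this thread, shown as an added example that is not part of the original posts and not Qualys's own code or API. It models a full scan's detections as constructed records, applies Search-List-style filters (Confirmed and/or Potential severity 4 and 5; exploitable and patchable for a Patch Template) purely at report time, and contrasts that with a scan that was itself scoped to a Top-20-style QID list. The QIDs, hosts and the `exploitable`/`patchable` flags are invented for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed sample detections, loosely shaped like Qualys scan output
# (QID, title, severity 1-5, confirmed/potential). The QIDs and flags below are
# invented for this example and do not correspond to real Qualys entries.
@dataclass(frozen=True)
class Detection:
    host: str
    qid: int
    title: str
    severity: int       # 1 (minimal) .. 5 (urgent)
    kind: str           # "confirmed" or "potential"
    exploitable: bool   # hypothetical flag: public exploit known
    patchable: bool     # hypothetical flag: vendor patch available


FULL_SCAN: List[Detection] = [
    Detection("10.0.0.5", 100001, "Outdated web server (constructed)", 5, "confirmed", True, True),
    Detection("10.0.0.5", 100002, "Weak TLS configuration (constructed)", 4, "potential", False, True),
    Detection("10.0.0.5", 100003, "Banner disclosure (constructed)", 2, "confirmed", True, True),
    Detection("10.0.0.6", 100004, "Default credentials (constructed)", 4, "confirmed", False, False),
    Detection("10.0.0.6", 100005, "Unpatched database (constructed)", 5, "potential", True, True),
    Detection("10.0.0.6", 100006, "Verbose error pages (constructed)", 3, "confirmed", False, True),
    Detection("10.0.0.7", 100007, "Remote management exposed (constructed)", 4, "confirmed", True, True),
    Detection("10.0.0.7", 100008, "ICMP timestamp (constructed)", 1, "potential", False, False),
]

# A Search List is just a predicate over detections: it decides what gets
# reported, not what gets scanned.
SearchList = Callable[[Detection], bool]


def severity_4_and_5(include_potential: bool = False) -> SearchList:
    """Search List for Confirmed (and optionally Potential) severity 4 and 5."""
    def match(d: Detection) -> bool:
        if d.severity < 4:
            return False
        return d.kind == "confirmed" or (include_potential and d.kind == "potential")
    return match


def patch_template_list() -> SearchList:
    """Search List for a Patch Template: 4s and 5s that are exploitable and patchable."""
    return lambda d: d.severity >= 4 and d.exploitable and d.patchable


def run_report(detections: List[Detection], search_list: SearchList) -> List[Detection]:
    """Apply a Search List to already-collected scan results (report-time filtering)."""
    return [d for d in detections if search_list(d)]


def scoped_scan(detections: List[Detection], qids: Set[int]) -> List[Detection]:
    """Simulate a custom (selective) scan that only ever checked the given QIDs."""
    return [d for d in detections if d.qid in qids]


def per_host_counts(report: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in report:
        counts[d.host] = counts.get(d.host, 0) + 1
    return counts


def qids(report: List[Detection]) -> List[int]:
    return sorted(d.qid for d in report)


# Constructed stand-in for a Top-20-style QID list used to scope a scan.
TOP20_STYLE_QIDS: Set[int] = {100001, 100005, 100007}


def missed_by_scoped_scan() -> List[int]:
    """Severity 4/5 findings a report-time filter can see only if the scan was complete."""
    full_report = run_report(FULL_SCAN, severity_4_and_5(include_potential=True))
    scoped_report = run_report(scoped_scan(FULL_SCAN, TOP20_STYLE_QIDS),
                               severity_4_and_5(include_potential=True))
    return sorted(set(qids(full_report)) - set(qids(scoped_report)))


if __name__ == "__main__":
    print("Confirmed 4/5:", qids(run_report(FULL_SCAN, severity_4_and_5())))
    print("Confirmed+Potential 4/5:", qids(run_report(FULL_SCAN, severity_4_and_5(True))))
    print("Patch template:", qids(run_report(FULL_SCAN, patch_template_list())))
    print("Lost by scoping the scan:", missed_by_scoped_scan())
```

The same `FULL_SCAN` feeds every report, which is the point of the thread: changing what you report on costs nothing, whereas a scan that was scoped up front (here to the constructed Top-20-style list) has permanently lost the severity 4 findings it never checked for.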