AnsweredAssumed Answered

Powershell to count total Vulnerabilities

Question asked by Nate Olsen on Feb 20, 2019

First of all, the big deal here is that you don't have to download the entire knowledge base, which is what I was told by Support. NOT TRUE.

 

I've been working on some Powershell to parse reports for a bit now, and after having run into a couple issues I thought I'd contribute back to the community.

Also, I've noticed that discussions seem to slowly die here before solutions get posted, which leaves everyone else in the dark. Very frustrating.

 

I needed to know the total vulnerability count as of a particular date. It's part of our metrics.

So, let's say that day is "2019-01-08".

The first step is to create a dynamic search list with all the criteria you want in your full count. In this example, it's all Critical Vulnerabilities; Confirmed, Potential, & Informational. Also for this example, they are Published NOT in the last x days. (It can also be useful to use the option for NOT between 1/8/19-some future date, if you need to run it for a while while testing)

 

You're also going to need the ID of this list. You could query the API for all lists and find it there. I've found that when you're viewing the search list criteria, popping it into a new window then right-clicking to make it a tab within chrome is a fairly easy way to find the ID in the URL. Luckily, you won't have to do this very often.

 

So if I want the count all these vulnerabilities and don't want to download the entire knowledgebase

[string]$username = "[username]"
[string]$password = "[password]"

[int]$vuln_list = [dynamic list ID]

$hdrs = @{"X-Requested-With"="powershell"}
$base = "https://qualysapi.qg2.apps.qualys.com/api/2.0/fo"
$body = "action=login&username=$username&password=$password"

$search_uri = "$base/qid/search_list/dynamic/?action=list&ids=$vuln_list"

 

#Open a new session, no visible output

Invoke-RestMethod -Headers $hdrs -Uri "$base/session/" -Method Post -Body $body -SessionVariable sess | Out-Null

 

#Get the output of the dynamic list, then count the QID nodes

$vuln_count = (Invoke-RestMethod -Headers $hdrs -Uri $search_uri -WebSession $sess).SelectNodes("//QID").Count

 

I'm working on getting the API to allow me to update the dynamic search list so that I can run this every month and never have to touch the UI again. So far I cannot get the API to update the dynamic search list. Any suggestions are welcome.

Outcomes