The purpose of this knowledge article is to instruct IT administrators on how to use the Qualys Vulnerability Management dashboard in UNC Splunk > Splunk Shared Tools to facilitate their vulnerability management operations.
Prerequisites
Access to Qualys Index
To use the Qualys Vulnerability Management dashboard, you must have access to the Qualys index in Splunk. You can test this by querying an asset that is being scanned by Qualys in the index. The following is an example query:
index=qualys "HOSTSUMMARY:" HOSTNAME="<YOUR HOSTNAME HERE>"
If the search returns no results, there is likely no access to the Qualys index. In this case, please send a request to ISO-Security to provision access to the Qualys index through Grouper.
Important: All access is logged and periodically reviewed. Splunk users are subject to the Information Technology Acceptable Use policy, which can be found here.
Scanning Assets with Qualys
The dashboard relies on Qualys performing vulnerability scans on one or more assets. This can be done with IP-based scanning or Cloud Agent-based scanning. Cloud Agent-based scanning is strongly recommended because it drastically improves how quickly the dashboard returns data. More information about deploying the Qualys Cloud Agent can be found here.
Tagging Assets in Qualys
This dashboard relies on asset tags for searching the Qualys index. Asset tags must be applied to assets before they can be searched in this dashboard. More information about tagging assets in Qualys can be found here.
Important: Skipping this step may result in the dashboard returning inaccurate and incomplete data sets.
Dashboard Basics
The Splunk Qualys Vulnerability Management dashboard can be accessed here.
Data Management
Splunk will retain 90 days of searchable data in the Qualys index. Additionally, when an IP scan or Cloud Agent is deactivated in Qualys, vulnerability data will no longer be forwarded to Splunk.
Filters
Global Time Range
Use the Global Time Range selector to adjust how far back the dashboard will search the Qualys index. When selecting a time range, the smaller the window, the faster the dashboard will load the search results. Time ranges greater than 7 days may take upwards of 5 minutes to load data.
Because of this, it is strongly recommended that the cloud agent scanning methodology is deployed to your assets so that the time range can be set to 24 hours. Cloud agents are constantly sending asset data to Qualys, which allows for smaller time ranges at search time and thus allows the dashboard to load data quickly.
If IP-based scanning is being used, the time range will need to be set far enough back to include when the IP-based scan last ran. The larger the time range, the longer it will take for the dashboard to load the data.
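The following search is an added example and is not part of the original article or the dashboard itself. It builds on the access-check query above (the HOSTSUMMARY: marker and the HOSTNAME field are the only fields assumed) to show, per host, how long ago Qualys last reported it to Splunk. Run it from the Splunk search bar with its own time picker set to a wide window such as the last 30 days; hosts listed with an age over 24 hours are the ones for which a 24-hour Global Time Range in the dashboard would return no data.

```spl
index=qualys "HOSTSUMMARY:"
| stats latest(_time) as last_seen by HOSTNAME
| eval age_hours=round((now()-last_seen)/3600, 1)
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| where age_hours > 24
| sort - age_hours
| table HOSTNAME last_seen age_hours
```

An empty result means every scanned host reported within the last 24 hours, which is the behaviour expected from Cloud Agents and allows the dashboard's Global Time Range to stay at 24 hours.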
Tag(s) Selector
Use the Tag(s) Selector to select the asset tags to search against in the Qualys index.
Classification
Use the Classification drop-down to filter the dashboard to High Protection Obligation assets within the selected tags.
Dashboard Tabs
There are 3 tabs that can be used in the dashboard: Overview, Vulnerability Workbench and Report Center.
Overview
The Overview tab contains high-level metrics of the vulnerability information searched based on the selected filters. These metrics include Total Assets Scanned, Total Vulnerabilities, Total Active Vulnerabilities and more.
Vulnerability Workbench
The Vulnerability Workbench tab is designed to help IT administrators quickly identify delinquent or severe vulnerabilities that should be prioritized immediately or during patch cycles. The tab also includes interactive panels that populate pertinent information about a selected vulnerability, such as the RESULTS field from the detection. Pay attention to the panel descriptions in the dashboard for additional functionality.
Report Center
The Report Center tab is designed to provide some basic reports for IT administrators to quickly generate and download. The reports included in this tab are Asset Inventory, Vulnerability Summary and Vulnerability Report. Detailed descriptions of these reports are available in the dashboard.