Blog 5: Automate Vulnerability Status Report Generation (Qualys)



Introduction:

Qualys is an award-winning cloud security and compliance solution. It helps businesses simplify IT security operations and lower the cost of compliance by delivering critical security intelligence on demand and automates the full spectrum of auditing, compliance and protection for Internet perimeter systems, internal networks, and web applications.

I'm using Qualys since a year & observed some problems in doing manual activity, which needs solutions to improve routine process, to save efforts & time. Due to some business reasons I didn't build the tool but I'm sharing the entire idea with design & flow of automation.   

Problem Statement:

Daily we used to make Vulnerability status report & have to submit to the management.

Accurate reporting: There’s some issues in Qualys tool with subject to accurate reporting & agent synchronization, due to which we’re getting some false positive report.

Many times we observed fixed vulnerability reopens, or patch has been successfully installed but vulnerability hasn’t fixed due to multiple factors, like this we get many inaccurate reports.

So to make record for patched vulnerability & to share daily vulnerability status report (open & fixed) to management, we’ve to perform this activity.

Other tools: We’re not on relying on one tool, due to inaccuracy & dependency issues. We also have SCCM tool to fix non-patchable vulnerabilities & other vulnerabilities, which Qualys unable to patch due to multiple factors. So to get the patch vulnerability report from vulnerability management tool.

Vulnerability Report includes:

Vulnerability Before Deployment

Vulnerability Mitigated

Vulnerability Open as of today

Asset with Vulnerability Before deployment

Asset with Vulnerability Fixed

This task is manually executed. Procedure are as follows:

Start Qualys

Go-to Patch Management Module

Go-to Job tab

Select any job > click drop-down options > select View progress

Click Download job button

View job report status > Click Download report

Zip file will be downloaded including csv report

Extract zip file > csv report extracted.

Open csv file, following columns will be there:

rowId

ASSET ID

ASSET STATUS

ASSET NAME

ASSET LAST CHECKED-IN TIME

OPERATING SYSTEM

PATCH STATUS

PATCH ID

PATCH TITLE

CATEGORY

SEVERITY

BULLETIN

KB

QID

CVE

REASON

REASON CODE

OS STATUS

EXIT CODE

HTTP STATUS

 

Delete all columns except Patch Title & QID.

Patch Title

QID

 

Create new sheet, (naming VM Report) with following columns, fill necessary details for reporting:

Job Name

Patch Title

Tags name

QID

Vulnerability Before Deployment

Vulnerability Mitigated

Vulnerability Open as of today

Asset with vulnerability  Before deployment

Asset with vulnerability Fixed


Picture 1.0

Perform vlookup in VM report with csv report using Patch title to fetch QID & press enter

§ =vlookup(Patch-title column of VM report, Patch-title column of CSV file, 2)

§ We can do vlookup for single patch or multiple patch.

QID will be collected in VM report file.

Now, use QQL Query for last 5 columns of VM report.

§ Vulnerability Before Deployment:

· SYNTAX: vulnerabilities.vulnerability.qid:[<QID(s) comma's separated>] and vulnerabilities.firstFound:[ <YYYY-MM-DD (TAKE ANY INITIAL DATE BEFORE DEPLOYMENT)> ... <YYYY-MM-DD (DEPLOYMENT DATE)> ]

· Eg: vulnerabilities.vulnerability.qid:[91870, 91875] and vulnerabilities.firstFound:[2017-01-03 ... 2023-01-26]

§ Vulnerability Mitigated:

· SYNTAX: vulnerabilities.vulnerability.qid:[<QID(s) comma's separated>] and vulnerabilities.lastFixed:[<YYYY-MM-DD (DEPLOYMENT START DATE)> ... <YYYY-MM-DD (DEPLOYMENT END DATE)>]

· Eg: vulnerabilities.vulnerability.qid:[91870, 91875] and vulnerabilities.lastFixed:[2023-01-26 ... 2023-02-02]

§ Vulnerability Open as of Today:

· SYNTAX: vulnerabilities.vulnerability.qid:[<QID(s) comma's separated>]

· Eg: vulnerabilities.vulnerability.qid:[91870, 91875]

 

§ Asset with Vulnerability Before Deployment:

· SYNTAX: vulnerabilities.vulnerability.qid:[<QID(s) comma's separated>] and vulnerabilities.firstFound:[ <YYYY-MM-DD (TAKE ANY INITIAL DATE BEFORE DEPLOYMENT)> ... <YYYY-MM-DD (DEPLOYMENT DATE)> ]

· Eg: vulnerabilities.vulnerability.qid:[91870, 91875] and vulnerabilities.firstFound:[2017-01-03 ... 2023-01-26]

 

§ Asset with Vulnerability Fixed:

· SYNTAX: vulnerabilities.vulnerability.qid:[<QID(s) comma's separated>] and vulnerabilities.lastFixed:[<YYYY-MM-DD (DEPLOYMENT START DATE)> ... <YYYY-MM-DD (DEPLOYMENT END DATE)>]

· Eg: vulnerabilities.vulnerability.qid:[91870, 91875] and vulnerabilities.lastFixed:[2023-01-26 ... 2023-02-02]

Format should look like this:

Picture 1.1

Execute all queries on portal one-by-one & save the output.

Final report is ready & task has been completed successfully.

Output results (sharing in column format, ideally it should be in row format for multiple patches & queries, as shared screenshot below):

Deployed Date

 

End Date

 

Job Name

 

Patch Title

 

Tags name

 

QQL (Tag Name)

 

QID

 

QQL (Vulnerability Before Deployment)

 

Vulnerability Before Deployment

 

QQL (Vulnerability Mitigated)

 

Vulnerability Mitigated

 

QQL (Vulnerability Open as of today)

 

Vulnerability Open as of today

 

QQL (Asset with vulnerability  Before deployment)

 

Asset with vulnerability  Before deployment

 

QQL (Asset with vulnerability Fixed)

 

Asset with vulnerability Fixed

 


Picture 1.2


Solution:

The objective is the automate this entire above process/activity to save time & efforts.

Technical objective is, to get the numerical output from portal as we’ve query stored in excel sheet, we just need to connect both to get the expected results without performing any manual work like earlier.

For that, we need to automate the process by building application using any programming language (like python, java).

Application lifecycle will be as follows:

 

Picture 1.3

EXPLANATION OF PROCESS:

Once excel sheet is ready with queries & blank output (as shown in pic 1.1).

Start automation application, it’ll fetch queries from excel sheet (we can do manually copy-paste also), & bot will send request to Qualys via Qualys API.

Qualys will process query & respond the output.

Once application/bot will capture the output, it’ll transfer the same to excel sheet.

Same process will continue for all queries one-by-one.

We can use Waterfall SDLC lifecycle model, which is easy & convenient for this project.

This is how entire automation flow for automation application can be built, will execute & process will improve which will result fruitfull.

Technology Requirements:

1. Microsoft Excel

2. Programming/Scripting language (Python, java, JavaScript, etc)

3. Qualys API

 NOTE Sharing idea as per my research & to improve process.




Comments

Popular posts from this blog

Blog 3: Qualys & Morning Dashboard Reporting

Blog 6: CNAP by TRAI: A Game-Changer for India’s Fight Against Cyber Crime & Phone-Based Fraud

๐Ÿ“ฃ ๐‚๐ฒ๐›๐ž๐ซ๐ฌ๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐€๐ฅ๐ž๐ซ๐ญ: 35 ๐‚๐ฒ๐›๐ž๐ซ ๐’๐œ๐š๐ฆ๐ฌ ๐‘๐ž๐ฉ๐จ๐ซ๐ญ๐ž๐ ๐ข๐ง ๐š ๐’๐ข๐ง๐ ๐ฅ๐ž ๐ƒ๐š๐ฒ — ๐š๐ง๐ ๐“๐ก๐š๐ญ’๐ฌ ๐‰๐ฎ๐ฌ๐ญ ๐ญ๐ก๐ž ๐“๐ข๐ฉ ๐จ๐Ÿ ๐ญ๐ก๐ž ๐ˆ๐œ๐ž๐›๐ž๐ซ๐