Finding Assets within Qualys Using the Qualys Host ID

Document created by Spencer Brown on Nov 4, 2019. Last modified by Spencer Brown on Mar 2, 2020. Version 5.

Assets can be searched by IP, Hostname, etc.  Another option is to use the UUID written to the endpoint on Windows and Unix operating systems.  We will discuss searching by this identifier below.

 

 Use Case:

For ephemeral IP addresses and with Agentless Tracking and Unified View enabled, it can be difficult to find the scan results from your most recent scan by searching by IP within Asset Search.  This is in part due to the record merging into an existing record from a previous/original scan.

 

Note: This use case is geared more towards ephemeral IP addresses; however, it can be used whenever you are unable to locate an asset by IP, Hostname, NetBIOS, etc.

 

More about Agentless Tracking and Unified View: How to Merge Agent Data 

 

 

Asset Search

 

Vulnerability Management -> Assets -> Asset Search

 

Using QID 45179 Report Qualys Host ID Value

 

 

This will only be populated if scans are completed by the scanner and QID 45179 Report Qualys Host ID Value is found.

 

Agentless Tracking is not enabled by default.  Please see Getting Started with Agentless Tracking 

 

 

Search Tokens

 

Using 'agentId' search token

 

 

 

This same search can be completed in Cloud Agent UI, AssetView and the VM Dashboard

 

Find assets with duplicate Qualys Host IDs

 

1. Download a CSV of a raw vulnerability scan.
2. Rename the file to something meaningful.
3. Open the file and save it to XLSX format.  This step will greatly reduce the file size and allow Excel to perform necessary functions.
4. Remove unnecessary headers and columns.  Be sure to keep columns IP, DNS, NetBIOS, OS, QID, and Results.  Also remove odd IP addresses at the bottom of the sheet.  This step will also reduce the file size.
5. Save the XLSX file before proceeding.
6. Filter the sheet by QID 45179.
7. Ctrl + A to select all and then cut and paste the values into a new Excel tab/sheet.
8. On the new tab, sort the sheet by the results column.
9. Highlight the results column and go to Home > Conditional Formatting > Highlight Cells Rules > Duplicate Values… > Duplicate values with Light Red Fill with Dark Red Text.
10. If any duplicates are found, go to Data > Sort > Sort by Results, Cell Color, Red, On Top.
11. Purge the duplicate servers from Qualys.
12. For affected Windows servers, remove the UUID registry key HKLM\SOFTWARE\Qualys\HostID
13. For affected Linux servers, remove the hostid file from the /etc/qualys directory.
14. Rescan the affected servers at the earliest opportunity.
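
Steps 6 to 10 can also be done with a script instead of Excel. The Python below is an added example, not part of the original document and not a Qualys tool. It assumes the CSV uses the column names listed in step 4 and treats the whole Results cell for QID 45179 as the Host ID value; the sample data is constructed.

```python
import csv
import io
from collections import defaultdict

HOST_ID_QID = "45179"  # "Report Qualys Host ID Value"
COLUMNS = ("IP", "DNS", "NetBIOS", "OS", "QID", "Results")  # columns kept in step 4

def find_duplicate_host_ids(csv_text):
    """Map each QID 45179 Results value seen on more than one IP to its hosts."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    # Skip the report preamble: the column row is the first row holding every column.
    start = next((i for i, r in enumerate(rows)
                  if set(COLUMNS) <= {c.strip() for c in r}), None)
    if start is None:
        raise ValueError("no header row containing: " + ", ".join(COLUMNS))
    header = [c.strip() for c in rows[start]]
    col = {name: header.index(name) for name in COLUMNS}

    hosts_by_id = defaultdict(dict)
    for r in rows[start + 1:]:
        # Ignore short trailer rows (step 4) and every QID other than 45179 (step 6).
        if len(r) <= max(col.values()) or r[col["QID"]].strip() != HOST_ID_QID:
            continue
        # Assumption: the whole Results cell is the key, compared case-insensitively
        # (as Excel's duplicate rule does) after collapsing whitespace.
        host_id = " ".join(r[col["Results"]].split()).lower()
        if host_id:
            ip = r[col["IP"]].strip()  # keyed by IP so a repeated row is not a duplicate
            hosts_by_id[host_id][ip] = {k: r[col[k]].strip() for k in COLUMNS[:4]}
    return {hid: sorted(h.values(), key=lambda x: x["IP"])
            for hid, h in hosts_by_id.items() if len(h) > 1}

# Constructed sample export: preamble, column row, findings, odd trailing line.
SAMPLE = '''"Scan Results","constructed sample"
"Launch Date","placeholder"

"IP","DNS","NetBIOS","OS","QID","Results"
"10.0.0.11","web01.example.test","WEB01","Windows Server 2016","45179","11111111-aaaa-4aaa-8aaa-000000000001"
"10.0.0.12","web02.example.test","WEB02","Windows Server 2016","45179","11111111-AAAA-4aaa-8aaa-000000000001"
"10.0.0.13","db01.example.test","","Linux 3.x","45179","22222222-bbbb-4bbb-8bbb-000000000002"
"10.0.0.11","web01.example.test","WEB01","Windows Server 2016","105186","other finding"
"10.0.0.250"
'''

if __name__ == "__main__":
    for host_id, hosts in find_duplicate_host_ids(SAMPLE).items():
        print(host_id)
        for h in hosts:
            print("  ", h["IP"], h["DNS"], h["NetBIOS"], h["OS"])
```

Every host listed under a repeated value is a candidate for steps 11 to 14.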
