Identification of Stale Records with Agentless Tracking and Unified View Enabled

Document created by Spencer Brown Employee on Apr 17, 2020

Stale records can occur when Agentless Tracking and Unified View are enabled and Qualys is unable to retrieve the Qualys Host ID during a remote scan. This is typically due to authentication failures or permissions issues on the asset. To understand these scenarios in more detail, please watch: Agentless Tracking and Unified View (2 of 2) on Vimeo

 

Identification of Stale Records by Qualys Query Language (QQL)

 

Qualys Query Language

lastVmScanDate<now-8d and trackingMethod:IP

vulnerabilities.vulnerability.qid:"105015" or vulnerabilities.vulnerability.qid:"105053" or vulnerabilities.vulnerability.qid:"45180"

 

QQL logic explained: Assets will be returned if the following criteria are met:

  • Last VM scan was more than 7 days ago
  • Any of the following Information Gathered are present

    -IG 105015 Windows Authentication Failed

    -IG 105053 Unix Authentication Failed

    -IG 45180 Report Qualys Host ID Access Errors

  • Asset is tracked via IP

Note: you may want to include a filter to limit scope based on tag

  • tags.name: "TAG NAME HERE"

 

Screenshot of query:

 

Screenshot of widget below:

 

 

Identification of Stale Records by Tag

 

Groovy Tag 
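// Only host assets are evaluated.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;

// Only IP-tracked assets qualify. Assumption: getTrackingMethod() takes no
// arguments and its string form is "IP"; confirm this in your subscription.
if(asset.getTrackingMethod().toString() != "IP") return false;

// An asset with no VM scan date cannot be aged.
if(asset.lastVmScanDate == null) return false;

def today = new Date();
def scan_stale_threshold = 8  // days since the last VM scan

// Stale: last scanned at least 8 days ago and one of the failure IGs is present.
return today.minus(asset.lastVmScanDate.toDate()) >= scan_stale_threshold &&
( asset.resultsForQid(105015) ||
asset.resultsForQid(105053) ||
asset.resultsForQid(45180)
)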

 

Tag logic explained: Assets will be tagged if the following criteria are met:

  • Last VM scan was more than 7 days ago
  • Any of the following Information Gathered are present

    -IG 105015 Windows Authentication Failed

    -IG 105053 Unix Authentication Failed

    -IG 45180 Report Qualys Host ID Access Errors

  • Asset is tracked via IP

Note: you may want to include a filter to limit scope based on tag

  • asset.hasTag("TAG NAME HERE")

 

Screenshot of tag below:

 

Purge Stale Records

 

Once assets are identified and validated, you can purge them via the UI or the API.
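One way to validate a candidate list before purging is to re-check exported records against the three criteria above. This is an added example, not Qualys code: the record field names (`ip`, `trackingMethod`, `lastVmScanDate`, `qids`), the tracking method values and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Information Gathered QIDs the page lists as signs of a failed Host ID read.
AUTH_FAILURE_QIDS = {105015, 105053, 45180}
# Mirrors the QQL condition lastVmScanDate<now-8d (strictly older than 8 days).
STALE_AFTER = timedelta(days=8)


def is_stale(record, now):
    """Return True only when a record meets all three criteria."""
    if record.get("trackingMethod") != "IP":
        return False
    last_scan = record.get("lastVmScanDate")
    if not last_scan:
        # No scan date to age: leave the record for manual review.
        return False
    if now - datetime.fromisoformat(last_scan) <= STALE_AFTER:
        return False
    return bool(AUTH_FAILURE_QIDS & set(record.get("qids", [])))


def stale_candidates(records, now):
    """IPs of the records that qualify, in input order."""
    return [r["ip"] for r in records if is_stale(r, now)]


# Constructed sample export; none of these are real assets.
NOW = datetime(2020, 4, 17, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"ip": "10.0.0.5", "trackingMethod": "IP",
     "lastVmScanDate": "2020-04-01T08:00:00+00:00", "qids": [105015]},
    {"ip": "10.0.0.6", "trackingMethod": "IP",      # scanned 2 days ago
     "lastVmScanDate": "2020-04-15T08:00:00+00:00", "qids": [105053]},
    {"ip": "10.0.0.7", "trackingMethod": "AGENT",   # not IP tracked
     "lastVmScanDate": "2020-03-01T08:00:00+00:00", "qids": [45180]},
    {"ip": "10.0.0.8", "trackingMethod": "IP",      # old, but no failure IG
     "lastVmScanDate": "2020-03-20T08:00:00+00:00", "qids": []},
    {"ip": "10.0.0.9", "trackingMethod": "IP",      # never scanned
     "lastVmScanDate": None, "qids": [45180]},
    {"ip": "10.0.0.10", "trackingMethod": "IP",
     "lastVmScanDate": "2020-04-05T08:00:00+00:00", "qids": [45180]},
]

if __name__ == "__main__":
    for ip in stale_candidates(SAMPLE, NOW):
        print(ip)
```

A record scanned exactly 8 days ago is not returned here, matching the strict `<` in the QQL; the Groovy tag's `>= 8` comparison includes that boundary day.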

 

Qualys is making enhancements to Agentless Tracking and Unified View which will prevent these stale records from being generated upon failed authentication or access issues to the Qualys Host ID.
