QQL Lab Guide - V8

This document provides an introduction to the Qualys Query Language (QQL) training course. It outlines prerequisites and system requirements, including having a Qualys account with minimum READER level permissions and access to VMDR, GAV, and CSAM modules. The first section covers verifying a user's roles, scopes, and access to assets in their Qualys account. It includes labs to check permissions and access to vulnerability findings. The second section verifies a user's ability to create dashboards in GAV or CSAM, which requires the "Create, Edit, Delete your own dashboards" permission.

Qualys Query Language (QQL)

Lab Guide

All Material contained herein is the Intellectual Property of Qualys and cannot be reproduced
in any way, or stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, without the express
written consent of Qualys, Inc.

Please be advised that all labs and tests are to be conducted within the parameters outlined
within the text. The use of other domains or IP addresses is prohibited.

Contents
Account Permissions & Access Privileges ..................................................................................................... 5
LAB 1: Discover Your Scope & User Roles ................................................................................................ 5
Access to Assets ....................................................................................................................................... 6
Permission to Create Dashboards ............................................................................................................ 8
QQL User Interface ..................................................................................................................................... 10
LAB 2: UI Search & Query Components ................................................................................................. 10
Basic Query Syntax & Construction ............................................................................................................ 13
LAB 3: QQL Search Assistant .................................................................................................................. 13
Queries for Asset Inventory ....................................................................................................................... 15
LAB 4: Software, Hardware and OS Categories ...................................................................................... 16
LAB 5: Complex Asset Queries (CSAM required).................................................................................... 20
Use Case: Track Time to Remediation ........................................................................................................ 23
LAB 6: Build “Time to Remediation” Widgets ........................................................................................ 23
VMDR for ITSM ...................................................................................................................................... 32
Use Case: Track Patch Tuesday Vulns......................................................................................................... 34
LAB 7: Patch Tuesday Community Dashboard ....................................................................................... 34
Appendix A: Qualys Administration Utility ................................................................................................. 41
Edit User Roles & Scopes ....................................................................................................................... 41
Appendix B: Qualys Trial Account .............................................................................................................. 45
Schedule Vulnerability Scans ................................................................................................................. 46

Introduction
The Qualys Query Language (QQL) training course is designed for intermediate to advanced level Qualys
users, who are ready to extend their data analysis and reporting capabilities with the Qualys Query
Language (QQL).
Candidates will cover basic query syntax and query construction in the VULNERABILITIES section of
Qualys VMDR.
Both basic and advanced query features will be covered in Qualys GAV and CSAM.
Candidates must already have a Qualys user account (provided by their employer) with at least three to
four weeks of “accessible” vulnerability scan data and findings.
Candidate accounts must have a minimum of READER level permissions and access to the Qualys VM
and GAV/CSAM modules.

Prerequisites/System Requirements
To perform the exercises in this lab, you will need:
1. Prior experience with Qualys VMDR (Required)
2. Qualys user account (READER permissions or greater) with access to the VM and GAV/CSAM
modules.
3. Plain Text Editor (optional)
4. Web Browser (Current or Stable Release)
– Edge
– Firefox
– Chrome
– Safari
5. Java Browser Plug-in
6. Adobe Acrobat Reader or comparable

Tip: Your browser’s Pop-up Blocking configuration can interfere with the proper functioning of the Qualys
User Interface. Please modify the settings of your Web browser to allow pop-ups from qualys.com.

Account Permissions & Access Privileges
The lab exercises in this training course begin in Qualys VMDR (with minimal user account permissions
required). Additional application modules and permissions are then required as candidates progress
into the GAV/CSAM lab exercises.
By the end of this lab you will:
• View the “Roles and Scopes” settings in your user profile.
• Identify your present access privileges and permissions in Qualys VMDR.
• Identify your present access privileges and permissions in Qualys GAV/CSAM.
Complete all the steps in this lab, to help you identify your present permissions and determine which lab
exercises you can successfully complete in this course.

LAB 1: Discover Your Scope & User Roles

1. Log in to the Qualys user account provided to you by your company.


2. Select Qualys VMDR (from the application menu).
All users can see their own account information by viewing their user profile.

3. From the VMDR user interface, click the “User Profile” icon in the upper-right corner (above)
and then click the “View Profile” button.

4. Click “Roles and Scope” in the navigation pane (left).

The lab exercises in this course are designed for READER, SCANNER, UNIT MANAGER, and
MANAGER user roles (which are commonly accompanied by the “VM User” role). Additionally,
the “GAV/CSAM User” role will need to be added to your account.

Access to Assets
To run queries successfully, permission to view assets must already be added to your account. Check
that you have assets and findings in VMDR and then perform the same type of test inside GAV or CSAM.

1. Navigate to the VULNERABILITIES section of VMDR and click the “Asset” button (just below
the “Search” field).

2. Verify your account has access to multiple assets (above).


3. Click the “Vulnerability” button (just right of the “Asset” button).

4. Use the faceted search pane (on the left) to select from the various severity levels.

As you select from the available filtering options, observe that the assets in your account have
vulnerability findings. If you do not see vulnerability findings for your host assets, please perform
any additional scans to generate them.
5. Use the Qualys Application menu to open either Global Asset View (GAV) or CyberSecurity
Asset Management (CSAM).

Although both applications are listed under ASSET MANAGEMENT, your account will only have
access to one.

If you receive a message like the one above, a Manager or Administrative User within your
Qualys subscription will need to grant you access to the “Global AssetView User” or “CSAM
User” role, whichever is appropriate for your subscription.
6. From either the GAV or CSAM user interface, click INVENTORY at the top of the page.

7. Under the “Assets” tab, verify that you can view one or more host assets in your account.

Permission to Create Dashboards


While in the GAV or CSAM application, verify you can create your own dashboards.
1. Click DASHBOARD at the top of the page.

2. Click the gear-shaped icon (on the right) to open the “Dashboard” menu.
3. Verify you have the “Create New Dashboard” option in the menu.
If you do not see the “Create New Dashboard” option, a Qualys Manager or Administrative User
will need to grant you the “Create, Edit, Delete your own dashboards” permission.

Permissions to allow users to work with Dashboards are provided separately for GAV/CSAM and
VMDR. GAV/CSAM Dashboard permissions are provided by the “AssetView” module and VMDR
Dashboard permissions are provided by the “Unified Dashboard” module. Candidates require the
“Create, Edit, Delete your own dashboards” permission (in either module) to complete the final lab
exercise in this course.

4. Repeat steps 1 through 3 above, from the VMDR Dashboard.

Additional Resources:
Please see Lab Appendix A for a quick look at the Qualys Administration module. For a detailed and
in-depth discussion of the Qualys Administration module, try one of the links below. Lab Appendix B
provides information for requesting a Qualys Trial Account.
Qualys Administration Training Course
https://www.qualys.com/training/course/administration/

Qualys Administration “How To” Tutorials
https://www.qualys.com/training/library/how-to-administration/

Qualys Administration Video Library
https://www.qualys.com/training/library/administration/

QQL User Interface
Many applications within the Qualys Platform support QQL and provide one or more ways for you to
leverage the flexibility of ad hoc or custom queries. This lab demonstrates the various UI components
that support QQL throughout the Qualys Platform.

LAB 2: UI Search & Query Components


When navigating or moving from one Qualys application to another, you will typically find a “Search”
field near the top of the UI (for building custom queries) along with a “Quick Search” pane on the left.
1. Log in to the Qualys user account provided to you by your company.
2. Select Qualys VMDR (from the application menu).

3. Click VULNERABILITIES (near the top).


The “Quick Search” pane (on the left) provides search options based on common vulnerability and
asset characteristics. Begin building useful queries simply by clicking the various filter options
within the “Quick Search” pane.
The “Custom Search” field (near the top) displays all queries constructed from the “Quick Search”
pane and allows you to build powerful custom queries.
4. With the list of detected vulnerabilities displayed, click one of the SEVERITY options in the
“Quick Search” pane (on the left).
In this example, the “severity 4” vulnerability filter was selected and its corresponding query token
was added to the “Search” field and executed.

5. Leaving your query as-is, click the “plus” symbol (above), at the right side of the “Search” field.

A second field is added to the original query. Notice this additional field is targeting “Assets”
rather than vulnerabilities and therefore requires query tokens that support asset searches.

6. Before you add a query condition to the “Asset” field, click the “Asset” toggle button (just below
the “Search” field).

With the view now in “Asset” mode, the “Quick Search” pane displays Asset-based filters.
7. Click to add one of the Asset filters (from the “Quick Search” pane) to the “Asset” field of your
query.
Continuing with the previous example, the “hardware.manufacturer” token has been added as a
second query condition, to the “Asset” field.

8. Using the query you have constructed, click the “Saved Search” icon (just right of the search
fields) and select the “Save this Search Query” option.

9. Make any changes to the Title and click the “Save” button.
Once a query has been saved, you can use the “Saved Search” icon again to quickly reconstruct it.

10. Remove the “Asset” condition by clicking the “minus” symbol (above) on the right side of the
“Asset” field.

11. Click the “Clear Query” icon to remove the original query condition.
12. Click the Help icon (at the right side of the “Search” field) to go directly to the QQL help context.

Use the navigation pane on the left to view “How To Search” topics and query tokens for VMDR.

Additional Resources:
Qualys Unified Dashboard Token List
https://docs.qualys.com/en/ud/latest/#t=qql_topics%2Flist_of_all_tokens.htm

QQL User Interface Elements
https://docs.qualys.com/en/ud/latest/#t=qql_topics%2Fqql_user_interface_elements.htm

Basic Query Syntax & Construction
The query token is the fundamental element or component of all queries created with the Qualys Query
Language (QQL). Tokens represent various data objects and artifacts found within the Qualys Platform.
To use a token, provide its name, along with an appropriate value. The value is commonly separated
from the token name by a colon. Alternatively, some tokens support the use of comparison operators
(e.g., <, >, <=, >=).
Filters selected from the “Quick Search” pane add the appropriate token and value to the “Search” field,
automatically. When building queries directly from the “Search” field, token and value hints assist users
in the query construction task.

LAB 3: QQL Search Assistant


The interactive search assistant provides token and value hints, to help you build custom queries. We
will begin our examination of QQL syntax using the interactive QQL search assistant.
1. Log in to the Qualys user account provided to you by your company.
2. Select Qualys VMDR (from the application menu).

3. Click VULNERABILITIES (near the top).


By default, your view should be in “Vulnerability” mode (as opposed to “Asset” mode).
4. Type the character “a” inside the “Custom Search” field.

The Query Assistant responds by listing all query tokens containing the character “a.”
5. Scroll down through the list of tokens and highlight individual tokens to view their associated
Syntax Help, on the right.

6. Clear the “Search” field and type the character string “vuln” to display all tokens within the
“vulnerabilities” hierarchy.

7. Use your mouse to select the “vulnerabilities.detectionAge” token near the top of the list.

With a token selected, the query assistant now displays a list of alternative values (in this case a
list of number ranges) that can be selected and added to the token.
8. Select one or more of the listed ranges until a list of vulnerabilities is produced.
HINT: After selecting one of the date range values, ensure your mouse cursor is inside the
“Search” field before you press the “Enter” key.

9. Click the “Filters” button to observe which vulnerability QIDs are excluded from the list.
10. Click the “X” symbol (just to the left of the existing query) to clear the “Search” field.

Additional Resources:
Qualys Query Language Syntax
https://docs.qualys.com/en/ud/latest/#t=qql_topics%2Fqualys_query_language_syntax.htm

Queries for Asset Inventory
This lab is designed for both GAV and CSAM users. Candidates require either the “Global Asset View
User” or “CSAM User” role to complete the exercises in this lab. The tokens used are supported by
both GAV and CSAM applications.
1. Use the Qualys Application menu to select either Global Asset View (GAV) or CyberSecurity
Asset Management (CSAM).

If step one produces an error like the one depicted below, your account presently lacks permission
to view either the GAV or CSAM modules.

If your account already has GAV or CSAM access, you will be provided with menu options at the top
of the page.
2. Click INVENTORY at the top of the page.

Ensure that assets have been added to your account and scans have successfully completed.

LAB 4: Software, Hardware and OS Categories
Building queries to help you identify and locate hardware, operating system, and software assets can be
challenging if you’re unfamiliar with the many asset types and names within your asset inventory.
GAV and CSAM include two special categories for all hardware, OS, and software assets to help
normalize your complex asset inventory, making it easier for you to build productive queries quickly.

1. From the INVENTORY section of GAV/CSAM, click the “Software” tab, to view the inventory of
discovered software applications.
2. Open the “Group Software by…” drop-down menu (above) and select the “Category” option.
Although other grouping options are provided, the “Category” grouping will allow you to view all
software, hardware, and OS category values that are presently within your Qualys subscription.

If you are uncertain about the types and names of systems and technologies, start with queries
that target “normalized” categories to generate the details you need to build more precise queries.
Asset Categories are divided into two tiers: ‘category1’ and ‘category2.’ The second tier,
category2, represents a subset of category1. For example, in the illustration above notice that
“Application Development” (category1) has both “Programming Languages” and “Development
Tools” as sub-categories (category2).
3. Position your cursor inside the “Search” field and construct a query using one of your category1
values.
Here’s an example using the “Network Application” value (from the previous illustration):
software:(category1:`Network Application`)
As you begin typing the name of the software “category1” token, the Query Assistant will provide
you with various token name options. If you select any one of the token name options provided by
the Query Assistant, it will also provide you with an exhaustive list of category1 values.

Software tokens are formatted using the nested “shortcut” notation (including the colon separator
and parentheses). This nested approach is required for software tokens.
4. To execute your query, ensure your cursor is placed in the “Search” field and press the “Enter”
key.

Results will be displayed as categories while the “Category” filter is still applied.
5. Remove the “Category” filter, to view individual software applications and their associated
details.

Individual software applications are displayed, providing details that can now be used to “tune”
your queries to produce more accurate results.

6. Use the “Quick Actions” menu for any software application to view its installation instances.

7. While viewing the installation instance details, take note of the active query at the top.
This query provides specific asset details (like name, version number, and hardware platform) that
can be leveraged to build more effective queries in the future. Continue to use the general asset
categories as the starting point for uncovering asset details and constructing more robust and
accurate queries.
8. Use the navigation arrow (in the upper-left corner) to return to the Software Inventory tab.
9. Click to remove the active query from the “Search” field.

The steps just completed for the “software” category can also be used with “Operating System”
and “Hardware” categories.

10. Navigate to the “Assets” tab and repeat the steps above, using the “Group Assets by…” drop-
down menu to select the “Operating System” category and then repeat for the “Hardware”
category.

Additional Resources:
View Assets in CSAM
https://docs.qualys.com/en/csam/2.16.1.0/index.htm#t=inventory%2Fview_assets.htm

Software, Hardware, and OS Categories Tutorial (Watch It)
https://ior.ad/9EV3

LAB 5: Complex Asset Queries (CSAM required)
OBJECTIVE: Combine multiple asset conditions together into a single, complex query.

* Laptop and desktop workstations running personal databases are not to be included in either query.

Select from the following token/value pairs to complete each query challenge:
– operatingSystem.category2:Server
– operatingSystem.lifecycle.stage:EOL/EOS
– software:(lifecycle.stage:EOL/EOS)
– software:(category1:Databases)

QUERY 1: Servers Running EOL/EOS Databases


This first challenge uses three of the four token/value pairs provided. All three conditions are required;
therefore, the Boolean “and” operator is needed for all logical comparisons.
1. Open the Qualys CSAM application and navigate to the INVENTORY section.

2. From the “Assets” tab (above), type the condition for Servers into the “Search” field and press
Enter to execute the query.

3. Next, add the condition for Databases (above), and press Enter to execute the query.

4. Finally, combine the End-of-Support software condition with the Database condition, to
create an “End-of-Support Database” outcome (use the “and” operator to combine both
conditions).
This last step requires the shortcut naming convention for the ‘software’ token hierarchy.
5. With all three conditions provided, press Enter to execute the query.
The software token’s “nested” structure ensures that the “Database” and “End-of-Support
Software” conditions are evaluated together.

Nested “Shortcut” Approach
Two or more tokens from the same hierarchy can use a “shortcut” naming convention, when added to
the same query. This technique is required for ’software’ tokens.

Nested “shortcut” approach steps:


software:(license.category:"Open Source") and
software:(lifecycle.stage:EOL/EOS) and
software:(category1:Databases)

1. Combine or consolidate common token attributes.


2. Nest the remaining unique elements (along with their appropriate values) within a set of
parentheses.
3. Common attributes are separated from the unique attributes by a colon.
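
As an added example (not code from the Qualys lab guide), the Python helper below applies the three shortcut steps above mechanically: it splits a query on its top-level “and” operators, groups clauses by their token hierarchy, and nests the remaining attribute:value pairs after the shared prefix. It goes beyond the software example in that it also handles the optional operatingSystem shortcut from Query 2 and parenthesised groups. The query strings are the ones used in this lab; the helper only rewrites text and does not validate token names against the Qualys token list.

```python
import re

# Added example (not part of the Qualys lab guide): a helper that applies the
# nested "shortcut" convention mechanically. Clauses that share one token
# hierarchy (software, operatingSystem, ...) are merged into a single
# prefix:(attribute:value and attribute:value) clause. It rewrites strings only;
# it does not validate token names against the Qualys token list.

NESTED = re.compile(r"^([A-Za-z]+):\((.*)\)$")               # software:(category1:Databases)
DOTTED = re.compile(r"^([A-Za-z]+)\.([A-Za-z0-9_.]+):(.+)$")  # operatingSystem.category2:Server


def split_top_level(query, op="and"):
    """Split on the Boolean operator `op`, ignoring occurrences inside parentheses,
    double quotes or backticks (QQL uses backticks for exact-match values)."""
    text = " ".join(query.split())            # collapse newlines and indentation
    needle = f" {op} "
    parts, buf, depth, quote, i = [], [], 0, None, 0
    while i < len(text):
        ch = text[i]
        if quote:                                # inside a quoted value
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in '"`':
            quote = ch
            buf.append(ch)
        elif ch == "(":
            depth += 1
            buf.append(ch)
        elif ch == ")":
            depth -= 1
            buf.append(ch)
        elif depth == 0 and text[i:i + len(needle)].lower() == needle:
            parts.append("".join(buf).strip())
            buf = []
            i += len(needle)
            continue
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def wrapped_in_parens(clause):
    """True for a single parenthesised group such as '(a and b)', False for '(a) or (b)'."""
    if not (clause.startswith("(") and clause.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(clause):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(clause) - 1:
                return False
    return depth == 0


def consolidate(query):
    """Rewrite a query so each token hierarchy appears once, in nested form.
    Only top-level 'and' conjuncts are merged; clauses joined by 'or' are left alone."""
    groups = {}      # prefix -> merged inner conditions, in the order they were seen
    items = []       # output order: (prefix, None) for a group, (None, text) for a literal
    for clause in split_top_level(query, "and"):
        if wrapped_in_parens(clause):            # recurse into ( ... ) groups
            items.append((None, "(" + consolidate(clause[1:-1]) + ")"))
            continue
        if len(split_top_level(clause, "or")) > 1:   # a top-level 'or': do not merge
            items.append((None, clause))
            continue
        m = NESTED.match(clause)
        if m and wrapped_in_parens(clause[m.end(1) + 1:]):
            prefix, inner = m.group(1), m.group(2)
            # an 'or' inside the nested clause must stay grouped to keep its precedence
            if len(split_top_level(inner, "or")) > 1:
                inner_parts = ["(" + " ".join(inner.split()) + ")"]
            else:
                inner_parts = split_top_level(inner, "and")
        elif (m := DOTTED.match(clause)):
            prefix, inner_parts = m.group(1), [m.group(2) + ":" + m.group(3)]
        else:                                    # unknown shape: leave untouched
            items.append((None, clause))
            continue
        if prefix not in groups:
            groups[prefix] = []
            items.append((prefix, None))
        groups[prefix].extend(inner_parts)
    return " and ".join(
        prefix + ":(" + " and ".join(groups[prefix]) + ")" if prefix else text
        for prefix, text in items
    )


if __name__ == "__main__":
    long_form = """software:(license.category:"Open Source") and
    software:(lifecycle.stage:EOL/EOS) and
    software:(category1:Databases)"""
    print(consolidate(long_form))
```

Running the script prints the consolidated form of the three-line example above, with all three conditions nested under a single software: prefix; the same function turns the two operatingSystem conditions from Query 2 into one nested clause, which the lab notes is optional for that hierarchy.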

QUERY 2: Databases on Servers with EOL/EOS Operating Systems


This second challenge also uses three of the four token/value pairs. Once again, the Boolean “and”
operator is needed for all logical comparisons.
1. From the “Assets” tab within the INVENTORY section of Qualys CSAM, clear the “Search” field,
if it has an existing query.
2. Begin with the condition for Databases and test your initial query:
software:(category1:Databases)

3. After the initial query is successful, add the Server and End-of-Support OS conditions; use
parentheses to ensure these conditions are evaluated together:
(operatingSystem.category2:Server and operatingSystem.lifecycle.stage:EOL/EOS)

The “shortcut” naming convention may be used but is optional for the ‘operatingSystem’
namespace hierarchy.
4. Press Enter to execute and test the query.

BONUS QUERY: EOL/EOS Database Running on Server with EOL/EOS Operating System
This bonus challenge uses all four token/value pairs. Once again, the Boolean “and” operator is needed
for all logical comparisons.
1. From the “Assets” tab within the INVENTORY section of Qualys CSAM, clear the “Search” field,
if it has an existing query.
2. Begin with the condition for EOL/EOS Databases and test your initial query.
3. After the initial query is successful, add the Server with EOL/EOS operating systems.
4. Press Enter to execute the query.
5. Apply the shortcut naming convention to all tokens in this query.

Additional Resources:
Complex Query One Tutorial (Watch it)
https://ior.ad/9ERO

Complex Query Two Tutorial (Watch it)
https://ior.ad/9ES0

Bonus Query Challenge Tutorial (Watch it)
https://ior.ad/9xpC

Asset Criticality Score & Asset Tags Tutorial (Watch it)
https://ior.ad/9EUZ

Use Case: Track Time to Remediation
Time to Remediation begins when a vulnerability is detected for the first time on its host and ends when
the vulnerability is remediated by patch or other means.

LAB 6: Build “Time to Remediation” Widgets


The “Time to Remediation” widgets created in the following steps highlight different ways to use the
“Numerical” widget type.
Before you build a widget, create an empty dashboard where it can be easily stored.
1. Open the Qualys VMDR application module.

2. From the DASHBOARD section of VMDR, click the “Unified Dashboard” icon (upper-left) and
then click the “plus sign” icon to create a new dashboard.

3. Click the “Build from Scratch” button.

4. Provide a name and description (dashboard names must be unique).
5. Click the “Create Dashboard” button.
Although a blank dashboard has been created, you’ll need to return to the DASHBOARD section
to view it.

6. Click the navigation arrow to return to the DASHBOARD section.

Keep this “blank” dashboard open; you’ll add a widget in the following steps.

TTR “0-3 Days” Widget
This first widget provides the total count of vulnerabilities remediated within zero to three days.

7. At the top of the dashboard, click the “plus” icon to add a widget.

8. Click the “Build your widget” button.

9. Type “TTR 0-3 Days” in the “Widget Name” field.


10. Click Query Settings in the navigation pane (on the left).

11. Click the “Vulnerability” radio button to display results as vulnerabilities.

12. Click the “Add Vulnerability Query” link to add the “Vulnerability” query field and enter the
following query:
vulnerabilities.ttr.firstFound:[0..3]
13. Click to open the “Filters” menu and remove (uncheck) the “Fixed” vulnerability filter.

14. Click outside of the “Filters” menu to apply the new settings.
15. Click Advanced Settings in the navigation pane (on the left).

16. Click to enable Trending.

17. Click “Test and Preview” followed by “Add to Dashboard” (upper-right corner).

18. Select the TTR Dashboard you just created and click the “Add” button.

The “TTR 0-3 DAYS” widget displays the current number of vulnerabilities fixed between zero and
three days. It will take a couple of days for the trend line to develop.

TTR “0-3 Days” Ratio Widget


This next widget will demonstrate the “Ratio” function provided by the “Numerical” widget.

1. Click the “plus sign” icon (upper-right corner) to add another widget.

2. Click the “Build your widget” button.


3. Under Widget Details, type “TTR 0-3 Day Ratio” in the “Widget Name” field.

4. Under Function Type, select the “Ratio” radio button.


5. Select the check box to “Show Ratio as Percentage (%).”
6. Click Query Settings in the navigation pane (left).

7. Working first with the query at the top, display the query results as vulnerabilities.

8. Click the “Filter” icon and remove (uncheck) the “Fixed” vulnerability filter.
9. Just below the “Asset Query” field, click the “Add Vulnerability Query” link.
10. In the “Vulnerability Query” field, enter the query to list vulnerabilities remediated in zero to
three days:
vulnerabilities.ttr.firstFound:[0..3]
11. Type “TTR 0-3 Day Vulns” in the “Output Name” field.
12. Click the “Test and Preview” button.
With the initial query added and tested, you’ll now provide a reference (comparison) query, which
supplies the second component needed to calculate the ratio: the targeted vulns compared to ALL
fixed vulnerabilities.

13. Click the “Filter” icon for the “reference” query and remove (uncheck) the “Fixed”
vulnerability filter.
14. Just below the “Asset Query” field, click the “Add Vulnerability Query” link.
15. In the “Vulnerability Query” field, enter the query to target ALL fixed vulnerabilities:
vulnerabilities.status:FIXED

16. Type “All Fixed Vulns” in the “Output Name” field.

17. With both queries (initial and reference) provided, click the “Test and Preview” button.
18. Click “Add to Dashboard.”

19. Select your dashboard and click the “Add” button.

MTTR “0-3 Day” Widget
This next widget will demonstrate the “Mean Time to Remediation” function provided by the
“Numerical” widget.

1. Click the “plus sign” icon (upper-right corner) to add another widget.

2. Click the “Build your widget” button.


3. Under Widget Details, type “MTTR 0-3 Days” in the “Widget Name” field.
4. Under Function Type, select the “Average” radio button.
Time to Remediation (First Found) is selected by default.
5. Click Query Settings in the navigation pane (left).
6. Click to “Add Vulnerability Query.”
7. Enter the query to list vulnerabilities remediated in 0 – 3 days:
vulnerabilities.ttr.firstFound:[0..3]
8. Click Test and Preview followed by Add to Dashboard.

9. Select your dashboard and click Add.

The illustration above depicts the three widget types just created in this exercise (your actual
results may vary).
A. A total of 14 vulnerabilities were remediated between zero and three days (since
they were first detected).
B. This accounts for 21.88% of all vulnerabilities that were remediated.
C. The average or “Mean Time to Remediation” for this group of vulns is two days.

Continue to add widgets for the remaining TTR ranges until your “Time to Remediation”
dashboard is complete or customize your other dashboards with TTR and MTTR widgets.
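
The three values in A, B and C all come from one query over the fixed findings. As an added example (not code from the lab guide, and using constructed sample findings with placeholder QIDs rather than real Qualys data), the Python below computes the same count, ratio and mean from first-found and fixed dates, and shows why step 13 removes the “Fixed” filter: with that filter left in place, no remediated finding is counted.

```python
from datetime import date

# Added example (not from the Qualys lab guide): the arithmetic behind the three
# "Numerical" widgets built above. FINDINGS is constructed sample data with
# placeholder QIDs, not real Qualys output.
FINDINGS = [
    # (placeholder qid, first found, fixed); fixed is None while the detection is open
    (1, date(2024, 5, 1), date(2024, 5, 1)),    # TTR 0 days
    (2, date(2024, 5, 1), date(2024, 5, 2)),    # 1
    (3, date(2024, 5, 2), date(2024, 5, 4)),    # 2
    (4, date(2024, 5, 3), date(2024, 5, 5)),    # 2
    (5, date(2024, 5, 3), date(2024, 5, 6)),    # 3
    (6, date(2024, 5, 1), date(2024, 5, 9)),    # 8, outside the 0-3 day range
    (7, date(2024, 5, 2), date(2024, 5, 20)),   # 18
    (8, date(2024, 5, 10), None),               # still open: no TTR yet
]


def ttr_days(first_found, fixed):
    """Time to Remediation: from first detection on the host to the date it was fixed."""
    return (fixed - first_found).days


def ttr_widgets(findings, low=0, high=3, exclude_fixed=False):
    """Return what the three widgets display for vulnerabilities.ttr.firstFound:[low..high].
    exclude_fixed=True models leaving the default "Fixed" filter in place (step 13)."""
    candidates = [f for f in findings if f[2] is None] if exclude_fixed else findings
    fixed = [f for f in candidates if f[2] is not None]
    bucket = [f for f in fixed if low <= ttr_days(f[1], f[2]) <= high]
    count = len(bucket)                                                    # TTR widget
    ratio_pct = round(100.0 * count / len(fixed), 2) if fixed else 0.0     # Ratio widget
    mttr = round(sum(ttr_days(f[1], f[2]) for f in bucket) / count, 2) if count else 0.0  # MTTR
    return {"count": count, "ratio_pct": ratio_pct, "mttr_days": mttr}


if __name__ == "__main__":
    print(ttr_widgets(FINDINGS))                      # "Fixed" filter removed, as in the lab
    print(ttr_widgets(FINDINGS, exclude_fixed=True))  # filter left in place: nothing to count
```

The range check is inclusive on both ends, matching the [0..3] notation, and the ratio is taken against every fixed finding, not against all findings, which is why the reference query in the ratio widget is vulnerabilities.status:FIXED.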

VMDR for ITSM
Qualys VMDR directly integrates with ITSM solutions such as ServiceNow to automate vulnerability
management across traditional IT and Security team boundaries. Let's understand how VMDR can be
used to shorten your Mean Time to Remediation using ServiceNow.

Challenges
• Lack of visibility between IT and Security Teams
• Tracking using spreadsheets and PDF reports
• Need for faster remediation
• Expensive ticketing solutions

Solutions using VMDR for ITSM
• Provides unified security and IT threat response paths for faster remediation
• Automates vulnerability management by using an integrated (closed-loop) ticketing solution
• Vulnerability findings are assigned to their appropriate owner, automatically
• ITSM is included with VMDR

VMDR for ITSM provides “rule-based” vulnerability imports; risk and patch recommendations as ITSM
tickets. Enable CMDB Sync in Qualys CSAM, to automatically correlate assets and user group data for
correct ticket assignment and CI matching.

VMDR for ITSM Requirements


• Qualys account with API access (Manager level privileges required).
• An instance of ServiceNow ITSM (production or development).
• Ensure the ServiceNow CMDB is up to date and reconciled with newly identified assets.
• Instance size is based on the number of open vulnerabilities in your environment.

This feature requires two applications available in the ServiceNow Store: the Qualys Core App and
the Qualys VMDR App.

Additional Resources:
Time to Remediation Widgets Tutorial (Watch it)
https://ior.ad/9xrT

VMDR for ITSM Video Tutorial
https://vimeo.com/723255182

Qualys VMDR for ServiceNow User Guide
https://www.qualys.com/docs/qualys-vmdr-servicenow-user-guide.pdf

Use Case: Track Patch Tuesday Vulns
Qualys releases assessment tests (QIDs) for the vulnerabilities fixed in the Microsoft security
bulletins as part of the Patch Tuesday release each month. Details of these vulnerabilities are
published regularly as part of the Qualys Security Alerts.
Qualys provides a dashboard and widgets for the Patch Tuesday releases. Widget queries are created
from the monthly Qualys Security Alert posts, including the QIDs released for the monthly Patch
Tuesday cycle.

LAB 7: Patch Tuesday Community Dashboard

This lab exercise provides steps for acquiring the Patch Tuesday Dashboard and modifying and updating
widgets for successive monthly security update publications.

1. Click the link provided below to open the Qualys Community Dashboard Toolbox for “Patch
Tuesday” vulnerabilities.
https://success.qualys.com/discussions/s/article/000007482

2. Scroll down past the monthly query updates until you reach the “Patch Tuesday” dashboard JSON
file attachments; the download links are not far from the bottom of the page.

3. Click the “Patch Tuesday 2024 Dashboard” link and save the JSON file to your desktop or some
other location that is easy for you to access.
4. After successfully downloading the Patch Tuesday dashboard JSON file, open the VMDR
application module and navigate to the DASHBOARD section.

5. Click the “Unified Dashboard” icon (above) and select the “Manage Dashboards” option.

6. Click Import Dashboard.

7. Provide a unique name for your dashboard.

8. Click the “Browse” button and add the Patch Tuesday dashboard JSON file.
9. Click Import.

10. Locate your imported dashboard and click its “star” icon to add it to your list of favorites.
11. Click the navigation arrow (upper-left corner) to return to the DASHBOARD section of VMDR.

The “January” detection widgets have already been updated with the published “January” query.

Total Detections
The “Total Detections” widget includes both “Active” and “Fixed” vulnerabilities.

1. Open the “JANUARY TOTAL DETECTIONS” widget in the Widget Editor.

2. Click Query Settings in the navigation pane (on the left).
Here you can observe the “January” QID values provided by the Patch Tuesday Dashboard
Toolbox, on the Qualys Community.

3. Click the “Cancel” button (upper-right) to return to the Patch Tuesday Dashboard.

Total Open Detections
The “Open Detections” widget focuses on “Active” vulnerabilities.

1. Open the “JANUARY TOTAL OPEN DETECTIONS” widget in the Widget Editor.
2. Click Query Settings in the navigation pane (on the left).
This widget contains an initial query and a second “reference” query for comparison.

Although both queries contain the same QID conditions, the initial query (top) excludes
vulnerabilities that have already been fixed. The comparison query (bottom) has all filters
removed and includes vulnerabilities that are fixed, disabled, or ignored.
3. Click the “Cancel” button (upper-right) to return to the Patch Tuesday Dashboard.
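To make the difference between the two queries concrete, here is an added example (not the guide's or Qualys's own code) that builds both query strings from a QID list and applies the same filtering to constructed detection records. The QQL token names, list syntax and status values are assumptions; check them against the widget's Query Settings before reuse, and the QIDs are placeholders.

```python
"""Initial vs. reference query of the "Total Open Detections" widget.
Added example; token names below are assumed VMDR QQL tokens, not taken from the guide."""
from dataclasses import dataclass

QID_TOKEN = "vulnerabilities.vulnerability.qid"   # assumed token name
STATUS_TOKEN = "vulnerabilities.status"           # assumed token name


@dataclass(frozen=True)
class Detection:
    qid: int
    status: str            # NEW, ACTIVE, RE-OPENED or FIXED (assumed values)
    disabled: bool = False
    ignored: bool = False


def reference_query(qids):
    """Comparison (bottom) query: QID condition only, every status included."""
    return f"{QID_TOKEN}:[{','.join(str(q) for q in sorted(qids))}]"


def open_detections_query(qids):
    """Initial (top) query: same QIDs, minus fixed, disabled and ignored findings."""
    return (f"{reference_query(qids)} and not {STATUS_TOKEN}:FIXED"
            " and not vulnerabilities.disabled:true"
            " and not vulnerabilities.ignored:true")


def count_total(detections, qids):
    """What the reference query counts: any detection of a listed QID."""
    return sum(1 for d in detections if d.qid in qids)


def count_open(detections, qids):
    """What the initial query counts: listed QIDs that are still actionable."""
    return sum(1 for d in detections if d.qid in qids
               and d.status != "FIXED" and not d.disabled and not d.ignored)


# Constructed sample; 100001/100002 are placeholder QIDs, not real Patch Tuesday QIDs.
PATCH_TUESDAY_QIDS = {100001, 100002}
SAMPLE = [
    Detection(100001, "ACTIVE"),
    Detection(100001, "FIXED"),                  # only the reference query counts it
    Detection(100002, "NEW", ignored=True),      # only the reference query counts it
    Detection(100002, "RE-OPENED"),
    Detection(100001, "ACTIVE", disabled=True),  # only the reference query counts it
    Detection(100003, "ACTIVE"),                 # not a listed QID: neither query counts it
]
```

On this sample the initial query counts 2 open detections while the reference query counts 5, which is the gap the widget's comparison is meant to surface.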

Total Detections by Severity and Status
This “Table” widget lists all “Patch Tuesday” detections including their severity and status.

1. Open the “JANUARY TOTAL DETECTIONS BY SEVERITY AND STATUS” widget in the Widget
Editor.
2. Click Query Settings in the navigation pane (on the left).

Just like the previous widget examples, the “January” query string has already been added.
3. Under Data Representation, select the “Collapsed” radio button.
The grouping function is enabled when data is collapsed and disabled when expanded.
4. Just below, click the “Group By” drop-down menu and select QDS Range.
5. Click the “Test and Preview” button followed by the “Save” button.

Monthly Patch Tuesday Updates

The remaining successive monthly widgets are configured with a default query, hence the “No Data
Available” messages that you see.

Watch for new query strings each month on the Patch Tuesday Dashboard Toolbox page (Qualys
Community) and use the Widget Editor to replace the “default” query strings with the published
update.

Additional Resources:

Patch Tuesday Dashboard Tutorial (Watch it)
https://ior.ad/9JgB

Patch Tuesday Dashboard Toolbox
https://success.qualys.com/discussions/s/article/000007482

Qualys Security Alerts
https://www.qualys.com/research/security-alerts/

Appendix A: Qualys Administration Utility

Edit User Roles & Scopes

Users with MANAGER level privileges can extend or restrict other user account permissions. This lab
appendix outlines the steps that Qualys Managers or Administrative Users can take to grant other
Qualys users access to the modules and permissions needed to complete the lab exercises in this course.

Add VM User Role to Account

This user role typically already accompanies READER, SCANNER, and UNIT MANAGER accounts. The
“VM User” role provides UI access to Qualys VM and VMDR.

This role is required to successfully run queries in the VULNERABILITIES section of Qualys VMDR. No
further action is required if the “VM User” role has already been assigned.

Add GAV or CSAM User Role to Account
By default, the “GAV User” and “CSAM User” roles do NOT accompany READER, SCANNER, and UNIT
MANAGER accounts and will typically need to be added to the accounts of users participating in this QQL
training course.

The “Global Asset View User” and “CSAM User” roles provide UI access to Qualys Global Asset View and
CSAM respectively. No further action is required if either role has already been assigned.

Add “Create, Edit, Delete your own dashboards” Permission

The “Create, Edit, Delete your own dashboards” permission is assigned within the Asset Management
(AssetView) module or the Unified Dashboard module. The permissions in each module impact
different Qualys applications.

This permission is not assigned to READER, SCANNER, and UNIT MANAGER roles (by default) and will
typically need to be added to the accounts of users participating in this QQL training course.

Select the “Create, Edit, Delete your own dashboards” permission within the Asset Management
(AssetView) module, to provide access to the GAV and CSAM Dashboard sections.
Select the “Create, Edit, Delete your own dashboards” permission within the Unified Dashboard
module, to provide access to the VMDR Dashboard section.

Participants in the QQL Training Course can perform the “Queries for Dashboard Widgets” lab from
either the GAV/CSAM Dashboard or the VMDR Dashboard.

Allow User To View Assets

Providing UI access to required Qualys modules is an important first step to meeting the requirements
for this course. The second equally important step involves providing user accounts with the access to
view your subscription and account assets. In the “Administration” module, this second step can be
accomplished in the “Edit Scope” section of a user’s Roles and Scopes.

Add Asset Tags to this section to allow users to view their assigned assets and objects. In the example
above, a READER user has been given permission to view both Windows and Linux assets and the “San
Jose” Asset Group.

Alternatively, select the check box near the top of the “Edit Scope” section to provide a user with VIEW
access to all asset objects within your account.

This option provides VIEW access, exclusively. Other asset and object permissions, such as Create, Edit,
and Delete, are provided back in the “Roles” section of the user’s account.

Appendix B: Qualys Trial Account
Although this QQL Training Course is designed to leverage your own user account data, the information
in this lab appendix will help you to acquire a free Qualys Trial Account and generate vulnerability and
asset findings.

1. To acquire a free trial account, open your Web browser and navigate to:
https://www.qualys.com/free-trial/
2. After providing your work email address, first and last names, and company name, click the “Next”
button.
3. Select the option(s) that meet your needs and click the “Submit” button.
4. After your request is received, a Qualys trial account is sent to the work email address you
provided. Use the information and credentials in the email message to activate your
account. If you need assistance activating your account, reply directly to the activation
email message.
5. Once you have activated your trial account successfully, save your new account credentials in a
safe place (e.g., password vault, password manager, secure device, etc…).

Schedule Vulnerability Scans
This exercise walks you through the steps to schedule a daily vulnerability scan. You may begin to
perform queries against the scan findings after the first scan has completed successfully. You should
have an adequate scan history collected within a couple of weeks.

1. Navigate to the “Assets” section in Qualys VMDR and select the “Address Management” tab. Click
the “New” button and select the “IP Tracked Addresses” option.
Here are the active public IP addresses (nine total) presently in the training lab environment:
64.41.200.233, 64.41.200.234, 64.41.200.235, 64.41.200.236, 64.41.200.238, 64.41.200.242,
64.41.200.245, 64.41.200.247, 64.41.200.248.

2. Add all nine addresses to the “IPs” field, ensure Vulnerability Management (VM) is selected and
click the Add button.

IP addresses that are successfully added to your “scannable” subscription are listed under the
“Address Management” tab (above).

3. To schedule scans for the IPs added to your account, navigate to the “Scan” section and select the
“Schedules” tab.
4. Click the “New” button and select the “Schedule Scan” option.

5. Type “Daily VM Scan” in the “Title” field (above).

6. Click “Target Host” in the left navigation pane (above) and click the “Select” link, just to the right
of the “IPv4 Addresses/Ranges” field.

7. Select the check box at the top of the list (to check all IPs) and click the “Add” button.

8. Ensure targeted IP addresses are displayed in the “IPv4 Addresses/Ranges” field (above).

9. Click “Scheduling” in the left navigation pane and select a start date and time that will allow your
scan to start within the next couple of hours. Adjust the time zone as needed.
10. Leave the “Occurs” field set to Daily.
11. Configure the option to end this scheduled task after 30 occurrences (to coincide with your 30-day
trial account).
12. Click the “Save” button.

The scheduled task is displayed under the “Schedules” tab and will begin running at its appropriate
time.

By default, an External Scanner (from the Qualys Internet-based Scanner Pool) is assigned to this
scheduled task.

13. Navigate to the “Scans” tab to view scans that are currently running as well as those that have
already finished.
You may begin to perform queries against the scan findings after the first scan has completed
successfully. You should have an adequate scan history collected within a couple of weeks.
For more details and information covering the topic of Vulnerability Scanning, see the
Qualys “Vulnerability Management” and “Scanning Strategies & Best Practices” training courses
(qualys.com/learning).
