Assets

Devices or Assets are the entry points for attackers who can gain access to gather sensitive information on the assets or run malicious programs to control your organization's network. Use the Assets tab to secure your devices, such as laptops and desktops and monitors the system information. To ensure all the devices, servers, and networks are secure, you need options to provide robust protection for your assets.

Columns on the Assets Page

The following Assets page screenshot displays EDR Status, Anti-Malware Status, Asset Name, Criticality, System Info, and Tags columns:

Asset Page and its columns.

The following table lists the column names and their descriptions:

Column Name Description
EDR Status Displays one of the following EDR Status for each asset:
  • Active: EDR is enabled its Last Reported Time is within 24 hours.
  • Inactive: EDR is enabled and the Last Reported Time exceeds more than 24 hours.
  • Disabled: EDR is disabled. You can enable EDR from Qualys Cloud Agent application. 
Anti-Malware Status Displays the anti-malware status for each asset. If the anti-malware status is disabled, you can enable it from the Qualys Cloud Agent application.
Name Displays the asset name, last logged-in user, and the asset hardware information.
Criticality Lists the Criticality value of an asset. 
System Info Displays the agent information, including the agent OS, version, and the created date. 
Tags Lists the tags assigned to assets. 

Download Asset Information in CSV Format

You can download the asset information using the Download icon Download Button in CSV format on your local system. The CSV report contains HostNameIP AddressesAgent VersionCriticality ScoreModulesOSLast Logged-In UserTags, and AV Status. The following screenshot is an example of the Download Format window when you click the download icon:

Download button in Assets tab

Assets Quick Actions Menu

Using the Quick Actions menu in the Assets tab allows you to perform common actions from the same page that can also be performed from different tabs. You can perform the actions such as View DetailsView EventsView IncidentsView Anti-malware Scan ReportConnect to hostRequest Forensic Data, and Quarantine Asset.

The following screenshot represents the Quick Actions menu of the Assets page:

Quick Actions Menu of the Assets page.

View Details

The View Details action in the Assets tab provides the asset details, which includes the asset summary, system and network information, open ports, criticality score, and much more. Perform the following steps to view the listed details available in View Details:

  1. From the Assets tab, hover the mouse on any of the assets to view the Quick Actions menu.
  2. Click View Details.

    View Details option in Quick Actions drop-down of the Assets tab.

    The following screenshot is the Asset Details Summary page that lists the information about the asset:

    Asset Details page.

View Events

The View Events actions in the Assets tab provides the events list of the asset. Perform the following steps to view the listed details available in View Events:

  1. From the Assets tab, hover the mouse on any of the assets to view the Quick Actions menu.
  2. Select View Events. You are redirected to the Events page of the Hunting tab.

    The Events page lists all the events registered and executed on the asset. The listing of events is based on the token asset.agentId. The following screenshot lists the events and the Quick Action menu:

    Events list and Quick Actions in the Hunting tab.

View Incidents

The View Incidents action in the Assets tab provides the incidents list of the asset. Perform the following steps to view the listed details available in View Incidents:

  1. From the Assets tab, hover the mouse on any of the assets to view the Quick Actions menu.
  2. Select View Incidents. You are redirected to the Incidents page of the Detection tab.

    The Incidents page lists all the incidents detected on the asset. The listing of incidents is based on the token incident.asset.agentId. The following screenshot lists the incidents and the Quick Action menu:

    Incidents page and quick actions menu.

Connect to Host

The Connect to host option in the Assets tab allows you to execute the Windows shell command on the selected endpoint for investigation purposes.

Prerequisites

  • Windows Agent version 5.2.1 and above.
  • Linux Agent version 6.3.0 and above.
  • GAV agent version 5.3.0 and above.

User Role Permissions

  • Kill Process
  • Delete File Permission

By default, the file path in the remote shell executes in the C drive. Use the help command to view the list of supported commands. You can also use the help command and the supported command to view the syntax and description of the command. For example, to view the syntax and description of users command, use: help users.

Each user can establish only 10 connections at a time. Contact Qualys Support if you need more information for the connection request. 

Accessing Connect to Host

Perform the following steps to access Connect to host option:

  1. From the Assets tab, hover the mouse on any of the assets to view the Quick Actions menu.
  2. Click Connect to host.

    Connect to host option in Quick Actions menu of Assets tab.

    The command prompt takes a few minutes to establish the host connection. If the remote shell fails to connect after three consecutive attempts within the timeframe of 10 minutes, your access gets blocked for 10 minutes. In such a scenario, a message notifies that - Agent is not reachable. Please try after some time.

  3. Once the remote shell is connected, it lists the supported command. Type the command in the Enter command window and click Run to execute the command.

    In the following screenshot, we used the users command as an example:

    Remote shell window, when user clicks Connect to host from the Quick Actions menu

  4. Click the download button  in the shell prompt to download the logs.

  5. Click End Session to close the Remote shell window. 

    If there has been no activity for 5 minutes, a confirmation message is displayed. Click Yes, to stay connected. 

Request Forensic Data

The Request Forensic Data feature allows you to perform forensic analysis of an incident and perform the necessary response action.

Prerequisites
  • Windows Agent version 5.2.1 and above.
  • GAV agent version 5.3.0 and above.

At a time you can send 10 request to generate forensic data. 

Request Forensic Data from Assets tab

To request Forensic Data for a specific asset, perform the following steps on the Assets tab:

  1. Hover the mouse on the required event and click the drop-down icon drop-down icon.

  2. From the Quick Actions menu, click Request Forensic Data. A notification message confirms the request has been submitted. 

    Request Forensic Data option in Quick Actions menu in Assets tab.

  3. Click the Forensics tab to monitor the asset's requested forensic data status.

    Once the request is complete, the Status column displays the result as Success. You can Download, View Asset Details, or Delete the instances from the Quick Actions menu of the Status column in the Forensics tab.

    The data is downloaded for all successful data requests in a .7z folder on your local system. The downloaded file consists of the output files of each script that ran on the Agent. For more information about the scripts executed on the Agent, see Scripts Executed for Forensics

Request Forensic Data from Forensics tab

  1. To request Forensic Data for a specific asset, perform the following steps on the Forensics tab:
  2. Click Request Forensic Data.
  3. Select the asset for which you want the forensic data, in the Request Forensic Data page.

    Once the request is complete, the Status column displays the result as Success. From the Quick Actions menu you can perform the actions Download, View Asset Details, Delete, or View Incident Detailsthe instances from the Quick Actions menu of the Status column in the Forensics tab. 

Auditing Forensic Logs from the Administration Application

Any actions performed on the Forensics tab, can be monitored from the Administration application. The following screenshot is an example of the Activity Logs that lists the action performed in the Forensics tab:

Activity Logs in the Administration application.

Agent Response Time Out Status

If a Forensic Request has been running (in progress status) for more than 15 minutes, the Status column displays the instance as Failed, Agent Response Timed Out. In such a scenario, you need to request the forensic data again. Meanwhile, if there is any response update for the earlier failed request, the status gets updated.

The following screenshot is an example that shows the Failed instance:

Failed instance in the Forensic tab.

Quarantine an Asset

In case of any malicious event, the Quarantine Asset feature restricts the infected host machine from performing any network communication. You can quarantine an asset if its Windows Agent version is 4.9.0 and above and Linux Agent version is 6.0.0 and above. You can Quarantine an Asset from the Incidents or Asset tab.

Quarantine an Asset from the Incidents tab

To quarantine an asset based on the incident description, perform the following steps:

  1. Click the Incident description that you want to quarantine.
  2. In the Summary section, click Quarantine Asset.

    Quarantine Asset

  3. In the Quarantine Asset window, add your comments. Optionally, you can toggle Allowed Applications and add the application path you prefer to be accessible while quarantining the asset. Applications listed in the Quarantine Asset Configuration will be applicable in the Allowed Applications, if this toggle is enabled.
  4. To add an application, enter a valid application path in the space provided and click Add.

    Add Application Path

  5. To remove an application, click the delete icon against the application path.

    Delete Application Path

  6. Click Execute Response.

    Quarantine Asset Window

    A notification Quarantine Asset request sent successfully. View Request Status is generated.

  7. Click the View Request Status to follow the asset quarantine status.

    Quarantine Asset Window

    Once the asset is successfully quarantined the following status is displayed:

    Quarantine Asset Successful Status

Quarantine an Asset from the Assets tab

To quarantine an asset from the Assets tab, perform the following steps:

  1. In the Assets tab, select the Asset that you want to quarantine. The Agent version should be 4.9.0 and above.
  2. From the Quick Actions menu, click Quarantine Asset.

    Quarantine Asset Window

  3. In the Quarantine Asset window, add your comments. Optionally, you can toggle Allowed Applications and add the application path you prefer to be accessible while quarantining the asset. Applications listed in the Quarantine Asset will be applicable in the Allowed Applications, if this toggle is enabled.
  4. To add an application, enter a valid application path in the space provided and click Add.

    Add Application Path

  5. To remove an application, click the delete icon against the application path.

    Delete Application Path

  6. Click Execute Response.

    Quarantine Asset Window

    A notification Quarantine Asset request sent successfully. View Request Status is generated.

  7. Click the View Request Status to follow the asset quarantine status.

    Quarantine Asset Window

A quarantined asset will have the Quarantine Asset Icon icon displayed.

Quarantine Asset Window

The Quarantine Asset Icon icon signifies the asset is in progress state.

Quarantine Asset is WIP

Quarantine Asset Configuration from the Configuration tab

From the Configurations tab, you can add the applications that will be allowed while the asset is quarantined.

Perform the following steps to add applications for the Quarantined asset:

  1. In the Configuration tab, select Asset Configuration.
  2. Toggle Allowed Applications.
  3. In the Add Applications field, provide the complete path of the application. You can provide environmental variables in the field. Wild cards inputs are not supported.

    Quarantine Asset is WIP

  4. Add the following paths to allow the Qualys Endpoint Protection :

    C:\Program Files\Qualys\QualysEPP\EPUpdateService.exe
    C:\Program Files\Qualys\QualysEPP\downloader.exe
    C:\Program Files\Qualys\QualysEPP\EPSecurityService.exe
    C:\ProgramFiles\Qualys\QualysEPP\ephost.integrity.legacy.exe
    C:\Program Files\Qualys\QualysEPP\EPConsole.exe
    C:\ProgramFiles\Qualys\QualysEPP\EPIntegrationService.exe
    C:\ProgramFiles\Qualys\QualysEPP\EPProtectedService.exeC:\Program Files\Qualys\QualysEPP\bdredline.exe
  5. Click Apply.

Show Quarantined Assets Only

  • To view the list of the Quarantined Assets from the Assets tab, select the Show Quarantined Assets Only checkbox. The following screenshot is an example of the option that lists the quarantined assets:

    Show Quarantined Assets Only option in the Assets tab.

Unquarantine an Asset from the Assets tab

To unquarantine an asset, perform the following steps:

  1. In the Assets tab, select the quarantined asset. From the Actions drop-down menu, select Unquarantine Asset.

    Release Quarantine Asset

  2. In the Unquarantine Asset window, add your comments.
  3. Click Unquarantine Asset.

    A notification Unquarantine Asset request sent successfully. View Request Status is generated.

  4. Click the View Request Status to follow the asset status.

Bulk Unquarantine Assets from the Assets page

The Bulk Unquarantine Assets can be performed using the Qualys Query Language (QQL) tokens or by using the Unquarantine Asset option from the drop-down.

To perform bulk unquarantine action, using the menu option perform the following steps:

  1. From the Actions drop-down menu, select Unquarantine Asset. The following screenshot highlights the option and the bulk selection of the quarantined assets:

    Bulk UnQuarantine Assets

  2. Click Yes on the Confirmation window, which prompts for acknowledgment for performing bulk unquarantine assets. This Confirmation window appears only for bulk unquarantine asset operations when a list of assets is selected through a QQL search.

    Bulk unquarantine confirmation window

  3. A notification Unquarantine Asset request sent successfully. View Request Status is generated. Click the View Request Status to follow the asset status.

    You are redirected to the Activity Log of the Responses tab.

    The Requested Activity column lists the assets that were unquarantined using the bulks option. The following screenshot is an example of the Bulk Unquarantine Assets list in the Responses tab:

    Bulk Unquarantine asset list in responses tab.

Unquarantine an Asset from the Incidents page

To release a quarantined asset, perform the following steps in the Incidents page of the Detections tab:

  1. In the Incidents page, select the required incident description of a quarantined asset.
  2. In the Summary tab, click Unquarantine Asset.

    Release Asset from Incident tab

  3. In the Unquarantine Asset window add your comments.

    Release Asset Window

  4. Click Unquarantine Asset.

    Release Asset Window

    A notification Unquarantine Asset request sent successfully. View Request Status is generated.

  5. Click the View Request Status to follow the unquarantine asset status.

Release Asset Notification

Failed Status Messages

The Status column in the Responses tab lists the assets with the status as Failed. Click on asset, and the Quarantine File window displays the possible failure cause. To resolve the issue, click Retry to successfully quarantine the asset.

Following are some of the remediation request failure causes:

  • Input File is already deleted: The input file does not exist on the endpoint
  • Agent Response Timed Out: If the Quarantine Asset request has been running (In Progress status) for more than 5 minutes, the Status column displays the instance as Agent response timed out. You can perform the action again after the timeout.
  • Error: Unable to quarantine the file: The file or file path is restricted or protected for any delete or move operation.
  • Error: Process does not exist: This error message occurs when the remediated process is not running anymore on the endpoint or is in the terminated state. 
  • Quarantine a file does not exist: The requested file is unavailable at the endpoint. 

The following screenshot is an example of the Agent Response Timed Out:

Quarantine File window with possible failure cause.

Bulk Asset Tagging

Bulk asset tagging efficiently assigns tags or labels to multiple assets at once, often in IT asset management or inventory systems. Organizations that manage many assets, such as computers, servers, or devices, will benefit from this feature.

Steps for Bulk Asset Tagging

To bulk tag assets, perform the following steps in the Assets tab:

  1. Select Assets: You can select the assets you want to tag in bulk.
  2. Choose Tags: After selecting the desired assets, you can select or create tags to apply.
  3. Apply Tags: Once the tags are chosen, you can confirm your action by adding assets to the selected tags. 
  4. Verify Changes: After tagging, reviewing the tagged assets is advisable to ensure everything was applied correctly.