Qualys Query Library

The pre-configured queries in the Queries Library are designed to give you a solution that is intuitive and easy to implement. You can use the predefined set of queries under Configuration > Library > Queries to create alert rules or correlation rules. Correlation rules group similar events of interest so that you receive a notification for the group as a whole.

All you need to do is select queries from the library and use them to create incidents and rules. If required, you can also customize them to suit your organizational requirements. This tailored approach drastically reduces the volume of data that needs to be monitored and the complexity around it. It unifies monitoring, alerting, and event management efforts and lets you optimize performance by focusing on the events that need attention and immediate action.

Use the Quick Actions menu to view the details of a query. You can create alert rules, correlation rules, incidents, and report rules from these queries. Select an option from the Quick Actions menu to open the appropriate rule wizard.

Queries Library

The following queries are available for your organizational needs:

Deletion of critical files by regular users in Linux

Deletion of critical files by regular users on Linux refers to the unauthorized or accidental removal of essential system files or directories by non-root users. This can disrupt the normal operation of the system, potentially causing instability, security risks, or even rendering the system unbootable, as these files are necessary for proper system functioning and security.

Query:
platform:Linux and action:Delete and not (actor.userName:`root`)

Modification to SELinux configuration by non-root users

Modifications to SELinux configurations by non-root users refer to unauthorized changes made by users without administrative privileges to SELinux policy or settings. Since SELinux (Security-Enhanced Linux) enforces strict access controls, altering its configuration can weaken system security, potentially allowing unauthorized access, privilege escalation, or bypassing security restrictions designed to protect sensitive resources.

Query:
(action:Content and (file.name:'/etc/selinux/config') and not (actor.userName:'root')) and platform:Linux

Modification of web server config files such as Apache or Nginx by non-admin users

Modification of web server configuration files (e.g., Apache or Nginx) by non-administrative users refers to unauthorized changes made by users without proper administrative privileges to critical configuration files that control web server settings. Such modifications can compromise the security and functionality of the web server, potentially leading to vulnerabilities, misconfigurations, or unauthorized access to sensitive data or resources.

Query:
(action:Content and (file.name:'.htaccess' or file.name:'httpd.conf' or file.name:'nginx.conf') and not (actor.userName:'root' or actor.userName:'admin')) and (platform:Linux or platform:Windows)

Access to Windows event logs by regular users

Access to Windows Event Logs by regular users refers to unauthorized or unintentional viewing of system logs by non-administrative users. Since event logs contain sensitive information about system activities, user actions, and potential security incidents, unauthorized access can compromise the confidentiality of system operations and potentially reveal vulnerabilities or security breaches.

Query:
(action:Read or action:Delete) and file.fullPath:'C:\Windows\System32\winevt\Logs\*' and not (actor.userName:'NT AUTHORITY' or actor.userName:'admin')

Deletion of critical files by regular users on Windows

Deletion of critical files by regular users on Windows refers to unauthorized or unintentional removal of essential system files or configurations by non-administrative users. This can lead to system instability, data loss, or security vulnerabilities, as these files are vital for the proper functioning and security of the operating system.

Query:
platform:Windows and action:Delete and not (actor.userName:'NT AUTHORITY' or actor.userName:'Admin')

Overall alerts for sensitive data access by regular users on Windows or Linux systems

Overall alerts for sensitive data access by regular users on Windows or Linux systems refer to notifications triggered when non-administrative users access confidential or protected data without proper authorization. This can indicate potential security breaches, insider threats, or unauthorized data retrieval, which may compromise privacy, regulatory compliance, or system integrity.

Query:
action:Read and (type:file) and not (actor.userName:'NT AUTHORITY' or actor.userName:'admin' or actor.userName:'root')

Events indicating unauthorized modification of initialization files

Events indicating unauthorized modification of initialization files refer to instances where critical configuration or startup files are altered without proper authorization. These files, which control the initialization of applications or system services, are often targeted by attackers to compromise system behavior, disrupt operations, or install malicious software. Unauthorized modifications can lead to system instability or security vulnerabilities.

Query:
(platform:'Windows' and (file.name:win.ini or file.name:system.ini or file.name:boot.ini or file.name:ntuser.dat or file.name:desktop.ini or file.name:hosts or file.name:autoexec.bat or file.name:config.sys or file.name:protocol.ini or file.name:services) and not actor.userName:'NT AUTHORITY\SYSTEM') or (platform:'Linux' and (file.name:`lilo.conf` or file.name:`grub` or file.name:`grub.conf` or file.name:`grub.cfg`) and not actor.userName:`root`)

Critical registry key modifications by regular users on Windows

Critical registry key modifications by regular users on Windows refer to unauthorized changes made by non-administrative users to important registry settings that control system configuration and security. These modifications can destabilize the system, compromise security, or allow malicious activities to persist, as the registry holds key information for the proper functioning of the operating system.

Query:
action:Content and (type:value) and not ( actor.userName:'NT AUTHORITY' or actor.userName:'admin')

Modification of system cron jobs by non-root users

Modification of system cron jobs by non-root users refers to unauthorized changes made by users without administrative privileges to scheduled tasks (cron jobs) that automate system processes. Altering these jobs can disrupt system operations, introduce malicious tasks, or create security vulnerabilities by executing unauthorized commands at scheduled times.

Query:
(action:Content and (file.name:'/etc/crontab' or file.name:'/var/spool/cron/crontabs') and not (actor.userName:'root')) and platform:Linux

Modification of critical authentication files on Linux

Modification of critical authentication files on Linux refers to unauthorized changes made to essential files that manage user authentication, such as /etc/passwd, /etc/shadow, or /etc/sudoers. Altering these files can undermine the system's security, enabling unauthorized access, privilege escalation, or bypassing authentication mechanisms, potentially leading to a compromised system.

Query:
platform:'Linux' and (file.name:`passwd` or file.name:`shadow` or file.name:`password-auth` or file.name:`system-auth`) and (action:Delete or action:Security or action:Content)

Modification of critical authentication files on Windows

Modification of critical authentication files on Windows refers to unauthorized changes made to system files that control user authentication, such as password databases or security configurations. Altering these files can compromise the integrity of user access controls, potentially allowing attackers to bypass security measures, escalate privileges, or gain unauthorized access to the system.

Query:
platform:Windows and (file.name:`sam` or file.name:`ntds.dit` or file.name:`security` or file.name:`system` or file.name:`bootmgr` or file.name:`winlogon.exe`) and (action:Delete or action:Security or action:Content)
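The Linux and Windows authentication-file queries above gate a list of file names with a list of actions, and the grouping matters: if `and` binds tighter than `or`, an action list that is not parenthesized together with the whole file-name list attaches only to the last name. The following is an added example (not Qualys code): a small evaluator for this QQL-style syntax run against constructed events. It assumes `and` binds tighter than `or`, that single quotes, double quotes and backticks are interchangeable, and whole-value case-insensitive matching; every event dictionary is constructed.

```python
"""Added example (not Qualys code): a small evaluator for the QQL-style FIM queries
on this page.  Assumed grammar: term = field:value | '(' expr ')' | 'not' term;
'and' binds tighter than 'or'; values may be quoted with ', " or ` and use * wildcards."""
import re
from fnmatch import fnmatchcase

TOKEN = re.compile(r"\(|\)|\b(?:and|or|not)\b|[\w.]+:\s*(?:'[^']*'|\"[^\"]*\"|`[^`]*`|[^\s()]+)", re.I)

def parse(query):
    """Recursive-descent parser returning a nested-tuple AST."""
    toks, pos = TOKEN.findall(query), [0]
    def peek(): return toks[pos[0]].lower() if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def expr():                        # or-level: lowest precedence
        node = conj()
        while peek() == "or": take(); node = ("or", node, conj())
        return node
    def conj():                        # and-level: binds tighter than or
        node = unary()
        while peek() == "and": take(); node = ("and", node, unary())
        return node
    def unary():
        if peek() == "not": take(); return ("not", unary())
        if peek() == "(":
            take(); node = expr(); assert take() == ")", "unbalanced ')'"; return node
        field, value = take().split(":", 1)
        return ("term", field, value.strip().strip("'\"`"))
    ast = expr()
    assert pos[0] == len(toks), "unparsed trailing tokens"
    return ast

def evaluate(ast, event):
    """Whole-value, case-insensitive matching (a simplification of the real product)."""
    kind = ast[0]
    if kind == "term": return fnmatchcase(str(event.get(ast[1], "")).lower(), ast[2].lower())
    if kind == "not": return not evaluate(ast[1], event)
    left, right = evaluate(ast[1], event), evaluate(ast[2], event)
    return (left and right) if kind == "and" else (left or right)

def matches(query, event):
    return evaluate(parse(query), event)

# Constructed FIM event: a plain read of /etc/shadow by root (should not alert).
SHADOW_READ = {"platform": "Linux", "file.name": "shadow", "action": "Read", "actor.userName": "root"}
# Ungrouped: the trailing 'and (action:...)' attaches only to the last file name.
UNGROUPED = ("platform:'Linux' and (file.name:`passwd` or file.name:`shadow` "
             "or file.name:`system-auth` and (action:Delete or action:Content))")
# Grouped: every listed file name is gated by the action list.
GROUPED = ("platform:'Linux' and (file.name:`passwd` or file.name:`shadow` "
           "or file.name:`system-auth`) and (action:Delete or action:Content)")
```

Under these assumptions `matches(UNGROUPED, SHADOW_READ)` is True (a root read of shadow alerts) while `matches(GROUPED, SHADOW_READ)` is False; the grouped form only fires once the action is one of those listed.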

Executable file modifications in Windows

Executable file modifications in Windows refer to unauthorized or suspicious changes made to executable files (.exe, .dll, etc.) on the system. These modifications can indicate the presence of malware, tampering, or malicious activity, as altering executable files may allow attackers to inject malicious code, compromise system functionality, or gain unauthorized access to the system.

Query:
file.name:'*.exe' or file.name:'*.bat' or file.name:'*.cmd' or file.name:'*.msi' or file.name:'*.vbs' or file.name:'*.ps1' or file.name:'*.jar' or file.name:'*.dll'

Modification of sudoers file by non-root users

Modification of the sudoers file by non-root users refers to unauthorized changes made by users without administrative privileges to the sudoers configuration file, which controls user permissions for executing commands with elevated privileges. Altering this file can grant unauthorized users elevated access, potentially allowing them to execute privileged commands, escalate their privileges, or compromise system security.

Query:
(action:Content and file.fullPath:'/etc/sudoers' and not (actor.userName:'root')) and platform:Linux

Modification of hosts file

Modification of the hosts file refers to unauthorized changes made to the system's hosts file, which maps domain names to IP addresses. These alterations can redirect network traffic, enabling attacks such as man-in-the-middle or phishing attacks by misdirecting users to malicious sites, disrupting network operations, or bypassing security measures.

Query:
(file.name:'hosts' or file.name:'hosts.txt') and not (actor.userName:'root' or actor.userName:'admin' or actor.userName:'NT AUTHORITY')

Executable file modifications in Linux

Executable file modifications in Linux refer to unauthorized or suspicious changes made to executable files (such as those with .bin, .elf, or other executable extensions) on the system. These alterations can signal potential malware infections, unauthorized tampering, or malicious activity, as modifying executable files can allow attackers to inject malicious code, alter system behavior, or gain unauthorized control over the system.

Query:
file.name:'*.sh' or file.name:'*.bin' or file.name:'*.run' or file.name:'*.py' or file.name:'*.pl' or file.name:'*.php' or file.name:'*.jar' or file.name:'*.desktop' or file.name:'*.elf'

Malicious or suspicious hashes dropped in critical locations on the host

Malicious or suspicious hashes dropped in critical locations on the host refer to the presence of harmful or potentially harmful files identified by their unique hash values in sensitive or important directories of a system. These files may indicate malware, unauthorized programs, or other security threats that have been placed intentionally in high-priority areas, potentially compromising the host system's integrity or functionality.

Query:
reputationStatus:MALICIOUS or reputationStatus:SUSPICIOUS

Security log deletion on Windows host

Security log deletion on a Windows host refers to the removal or clearing of event logs that record security-related events, such as login attempts, access to sensitive data, or system changes. This action can obscure evidence of unauthorized activity or attacks, making it harder to detect security breaches or conduct forensic investigations.

Query:
platform:Windows and file.fullPath:'C:\Windows\System32\winevt\Logs' and action:Delete

Deletion of database files

Deletion of database files refers to the unauthorized or accidental removal of critical database files, such as those containing stored data, indexes, or configurations. This can lead to data loss, corruption, and disruption of services, potentially compromising the integrity, availability, and security of the database system.

Query:
action:Delete and (file.name:*.db or file.name:*.sql)

Log file deletion on Linux host

Log file deletion on a Linux host refers to the removal of system or application log files, which can hinder the ability to monitor and troubleshoot the system. Deleting these logs may be an attempt to cover up malicious activities or system issues, leading to a loss of valuable data for security auditing, debugging, or forensic analysis.

Query:
platform:Linux and file.fullPath:'/var/log' and action:Delete

Modifications to mount points in Linux by non-root users

Modifications to mount points in Linux by non-root users refer to unauthorized changes made by users without administrative privileges to system mount points, which define how storage devices and file systems are accessed. Altering these settings can lead to unauthorized access to sensitive data, disrupt system operations, or allow attackers to manipulate file systems and mount malicious devices.

Query:
(action:Content and file.fullPath:'/etc/fstab' and not (actor.userName:'root')) and platform:Linux

Related Topics

Events

Event Insights

Incidents

Configuration of correlation rules to auto create incidents

Configuration of rule-based alerts for events and incidents