Search Your Qualys Data in Splunk

Choose Search & Reporting on the Splunk Home page. Then enter your search query in the search field. Here are some sample search queries to get you started.


Most Prevalent Vulnerabilities

Host Distribution by OS

[Screenshot: sample search for host distribution by OS]

Scan Volume

[Screenshot: sample search for scan volume]

Hosts not Scanned in more than 30 days

Search Container Security Data

CS data is in JSON format. The TA indexes CS events in a structured format, so you can search the CS data in Splunk using dot notation on the nested JSON fields (for example, vulnerabilities.severity2Count).

Use these event types to search for the different types of container data:

- cs_image_info_event to search for vulnerabilities of images
- qualys_cs_container_details and qualys_cs_container_vuln to search for container data
- qualys_cs_container_vuln_summary to search for container vulnerabilities

For more information on creating search queries to filter CS data, refer to the Splunk Search Reference.

Sample JSON query to filter images matching a registry object in a repo list

Use search query eventtype="cs_image_info_event" to filter the data.

[Screenshot: sample search filtering images by registry and repository]

Sample JSON query to search images with a specific vulnerability severity count

Use search query eventtype="cs_image_info_event" "vulnerabilities.severity2Count"="2" to filter the data.

[Screenshot: sample search filtering images by severity count]

Sample JSON query to search vulnerabilities on running containers

Use search query eventtype=qualys_cs_container_vuln [search eventtype=qualys_cs_container_details state=RUNNING | dedup containerId | fields + containerId] to filter the data.
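The running-container subsearch above returns the raw vulnerability events; the following search, added here as an example and not part of the Qualys TA documentation, builds on it to rank running containers by how many vulnerability events they carry. It assumes that each qualys_cs_container_vuln event represents one vulnerability on one container, which is an assumption about the data model, not something this page states.

```spl
eventtype=qualys_cs_container_vuln
    [ search eventtype=qualys_cs_container_details state=RUNNING
      | dedup containerId
      | fields + containerId ]
| stats count AS vuln_count BY containerId
| where vuln_count > 0
| sort - vuln_count
| head 20
```

Because the CS fields are nested JSON, wrap any dotted field name in single quotes when you use it in `eval` or `where` (for example, `where 'vulnerabilities.severity2Count' > 0`), while double quotes are used when the field appears as a search term.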

[Screenshot: sample search for vulnerabilities on running containers]

You can use the Debug option to view debug information for one or more data input parameters.

[Screenshot: Debug option for the CS data input]

Search FIM Data for Events and Incidents

FIM events, ignored events and incidents ingested into Splunk can be searched using their eventtype. You can further narrow them with an SPL search using the filters you need.

Here are some sample queries for searching FIM data in Splunk.

Sample query to search for FIM events

Use search query eventtype="qualys_fim_event" to filter the data.

Sample query to search for FIM ignored events

Use search query eventtype="qualys_ignored_fim_event" to filter the data.

Sample query to search for FIM incidents

Use search query eventtype="qualys_fim_incident" to filter the data.

[Screenshot: sample search for FIM incidents]

Search EDR Data

You can search for specific EDR events that TA has pulled in Splunk from your Qualys account.

Use eventtype="qualys_edr_event" or create your own SPL search query to filter the data.

[Screenshot: sample search for EDR events]

Search Activity Log Data

You can search for specific Activity Log events that TA has pulled in Splunk from your Qualys account.

Use eventtype="qualys_activity_log_event" or create your own SPL search query to filter the data.

[Screenshot: sample search for Activity Log events]

Search Secure Enterprise Mobility Data

You can search for specific Secure Enterprise Mobility (SEM) events that TA has pulled in Splunk from your Qualys account. Use eventtype="qualys_sem_asset_summary_event" to fetch the asset information and eventtype="qualys_sem_detection_event" to fetch the asset detection information. You can create your own SPL search query to filter the data.

The sample search shows asset information from an asset summary event.

[Screenshot: sample search for SEM asset summary events]

Search Policy Compliance Reporting Service Data

You can search for specific Policy Compliance Reporting Service (PCRS) events that TA has pulled in Splunk from your Qualys account. Use eventtype="qualys_pcrs_posture_info_event" to fetch the number of posture events, eventtype="qualys_pcrs_policy_info_event" to fetch the policy information and eventtype="qualys_pcrs_policy_summary" to fetch the policy summary. You can create your own SPL search query to filter the data.

The sample search shows a posture info event.

[Screenshot: sample search for PCRS posture info events]

The sample search shows a policy info event.

[Screenshot: sample search for PCRS policy info events]

The sample search shows a policy summary.

[Screenshot: sample search for PCRS policy summary events]

Search Cyber Security Asset Management Data

You can search for specific Cyber Security Asset Management (CSAM) assets that TA has pulled in Splunk from your Qualys account. Use the following event types:

eventtype="qualys_csam_assets" to fetch the asset data,

eventtype="qualys_csam_businessApps" to fetch the business app data, and

eventtype="qualys_csam_softwares" to fetch the software data.

You can create your own SPL search query to filter the data.

The sample search shows CSAM assets.

[Screenshot: sample search for CSAM assets]

The sample search shows CSAM software assets.

[Screenshot: sample search for CSAM software data]

The sample search shows CSAM business applications.

[Screenshot: sample search for CSAM business app data]

Search CertView Data

You can search for specific CertView data that TA has pulled in Splunk from your Qualys account.

Use the following event type:

eventtype="qualys_certview_certificates" to fetch the certificate information.

You can create your own SPL search query to filter the data.

The sample search shows CertView certificates.

[Screenshot: sample search for CertView certificates]

Search TotalCloud Data

You can search for specific TotalCloud data that TA has pulled in Splunk from your Qualys account.

Use the following event types:

eventtype="qualys_cspm_aws_postureInfo_event" to fetch the CSPM AWS data.

eventtype="qualys_cspm_azure_postureInfo_event" to fetch the CSPM Azure data.

eventtype="qualys_cspm_gcp_postureInfo_event" to fetch the CSPM GCP data.

You can create your own SPL search query to filter the data.

The sample search shows the CSPM AWS Posture Info Events:

[Screenshot: AWS Posture Info Events]

The sample search shows the CSPM Azure Posture Info Events:

[Screenshot: Azure Posture Info Events]

The sample search shows the CSPM GCP Posture Info Events:

[Screenshot: GCP Posture Info Events]