Create Rules and Actions from Responses tab

The Responses tab in the Variable "vmdr_short" is not defined application allows you to set up rule based alerting for the resources that might fail certain critical evaluations and thus helps in fixing resource misconfigurations. Instead of monitoring the system actively, using these alerts, you can be aware of changes or significant findings as soon as the rules are met.

Benefits

  • Triggers alerts using alerting tokens in the Rule Query.
  • Receive alerts using the Trigger Criteria such as Single Match, Time-Window Count Match, and Time-Window Scheduled Match.
  • Notifies alerts via Email or Slack messages.

Prerequisites

  • Contact your Technical Account Manager to enable this feature for your subscription.
  • Permissions: The permissions are assigned from the Qualys Administration application.
    • Manager: The Manager role has all the permissions to create, edit, view, and delete the rules.  
    • Reader and Unit Manager: The Reader and Unit Manager roles have permissions to view the rules. 

Related Topics

Alerting Tokens in VMDR

Use the following tokens to define alerting search criteria for Assets, RTIs, and Vulnerability in the Rule Query of the Responses tab:

Generic Tokens

The order of precedence to use the operators is NOT, AND, OR. However, you can use the parenthesis to override the precedence.

notnot

Use a boolean query to express your query using NOT logic.

Example

  • Show assets that don't have the Windows operating system
    not operatingSystem: Windows

andand

Use a boolean query to express your query using AND logic.

Example

  • Find assets with certain tag and software installed
    tags.name:`Cloud Agent` and software: (name:`Cisco AnyConnect Secure Mobility Client` and version:`3.1.12345`)

oror

Use a boolean query to express your query using OR logic.

Example

  • Show findings with one of these tag values
    tags.name:Cloud Agent or tags.name:Windows

Alerting Tokens for Assets

assetIdassetId

Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.

Examples

  • Show this asset ID
    assetId: 2918869
  • Show asset IDs in this range
    assetId: [3546997 .. 12945655]
  • Show the 2 asset IDs listed
    assetId: [3546997,12945655]

createdcreated

Use a date range or specific date to define when assets were created, when first scanned by a scanner appliance, or when agent was installed.

Examples

  • Show assets created within certain dates
    created:[2016-01-01 ... 2016-01-10]
  • Show assets created starting 2017-10-01, ending 1 month ago
    created:[2017-10-01 ... now-1M]
  • Show assets created starting 2 weeks ago, ending 1 second ago
    created:[now-2w ... now-1s]
  • Show assets created on a specific date
    created:'2018-01-08'

criticalityScorecriticalityScore

Use an integer value (1-5) to help you find assets based on specific criticality score.

Examples

  • Show assets with criticality score 5
    criticalityScore:5
  • Show assets with criticality score 2
    criticalityScore:2

interfaces.hostnameinterfaces.hostname

Use quotes or backticks within values to help you find the hostname.

Examples

  • Show any findings related to name
    interfaces.hostname:xpsp2-jp-26-111
  • Show any findings that contain parts of name
    interfaces.hostname:"xpsp2-jp-26-111"
  • Show any findings that match exact value "xpsp2-jp-26-111"
    interfaces.hostname:`xpsp2-jp-26-111`
  • Show any findings related to name (we'll match super domains)
    interfaces.hostname:qcentos71sqp3.rdlab.acme.com
  • Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
    interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`

lastComplianceScanDatelastComplianceScanDate

Use a date range or specific date to define when compliance scans were last conducted. In case of a full compliance scan, all QIDs are triggered. For custom compliance scan specific QIDs are triggered.

Examples

  • Show findings with last compliance scan within certain dates
    lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
  • Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
    lastComplianceScanDate: [2016-10-15 ... now-1M]
  • Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
    lastComplianceScanDate: [now-2w ... now-1s]
  • Show findings with last compliance scan on a specific date
    lastComplianceScanDate:'2017-02-18'

lastVmScanDatelastVmScanDate

Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. In case of a full vulnerability scan all QIDs are triggered. For custom vulnerability scan specific QIDs are triggered.

Examples

  • Show findings with the last vulnerability scan within certain dates
    lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
  • Show findings with the last vulnerability scan starting 2016-11-01, ending 1 month ago
    lastVmScanDateScanner: [2016-11-01 ... now-1M]
  • Show findings with the last vulnerability scan starting 2 weeks ago, ending 1 second ago
    lastVmScanDateScanner: [now-2w ... now-1s]
  • Show findings with the last vulnerability scan on a specific date
    lastVmScanDateScanner:'2017-04-10'

namename

Use quotes or backticks within values to help you find the asset name.

Examples

  • Show any findings related to name
    name:QK2K12QP3-65-53
  • Show any findings that contain parts of name
    name:"QK2K12QP3-65-53"
  • Show any findings that match exact value "QK2K12QP3-65-53"
    name:`QK2K12QP3-65-53`

netbiosNamenetbiosName

Use a text value to define the NetBIOS name.

Examples

  • Show assets with this exact name (case sensitive
    netbiosName:EC2AMAZ-19OC2IT
  • Show assets with name starting with "EC2" (case sensitive
    netbiosName:EC2*
  • Show assets with name ending with "c2it" (case insensitive
    netbiosName:*c2it

operatingSystemoperatingSystem

Use quotes or backticks within values to help you find the operating system.

Examples

  • Show any findings with this OS name
    operatingSystem:Windows 2012
  • Show any findings that contain components of OS name
    operatingSystem:"Windows 2012"
  • Show any findings that match exact value "Windows 2012"
    operatingSystem:`Windows 2012`

riskScoreriskScore

Use an integer value (0-1000) to help you find assets based on a specific risk score.

Examples

  • Show assets with risk score 60
    riskScore:60
  • Show assets with risk score 25
    riskScore:25

tags.nametags.name

Use values within quotes or backticks to help you find the asset tag you are looking for.

Example

  • Show any findings that match exact value "Cloud Agent"
    tags.name:`Cloud Agent`

trackingMethodtrackingMethod

Select the tracking method for the assets (IP, DNSNAME, NETBIOS, INSTANCE_ID, and etc.)Select from names in the drop-down menu.

Examples

  • Show this asset tracked by IP
    trackingMethod: IP
  • Show asset tracked by NETBIOS
    trackingMethod: NETBIOS
  • Show assets tracked by EASM
    trackingMethod: EASM

updatedupdated

Use a date range or specific date to define when assets were updated that is when re-scanned by a scanner appliance, or when host data uploaded to the cloud platform by an agent).

Examples

  • Show assets updated within certain dates
    updated:[2017-12-01 ... 2018-01-10]
  • Show assets updated starting 2017-10-01, ending 3 months ago
    updated:[2017-10-01 ... now-3M]
  • Show assets updated starting 2 weeks ago, ending 1 second ago
    updated:[now-2w ... now-1s]
  • Show assets updated on a specific date
    updated:'2018-03-10'

Alerting Tokens for Real-Time Threat Indicators (RTI)

vulnerabilities.vulnerability.threatIntel.activeAttacksvulnerabilities.vulnerability.threatIntel.activeAttacks

Use the values true | false to define real-time threats due to active attacks.

Examples

  • Show assets with threats due to active attacks
    vulnerabilities.vulnerability.threatIntel.activeAttacks: true
  • Show assets that don't have threats due to active attack
    vulnerabilities.vulnerability.threatIntel.activeAttacks: false

vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulnsvulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns

Use the values true | false to define real-time threats due to CISA Exploits.

Examples

  • Show assets with threats due to CISA exploit
    vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: true
  • Show assets that don't have threats due to CISA exploit
    vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: false

vulnerabilities.vulnerability.threatIntel.denialOfServicevulnerabilities.vulnerability.threatIntel.denialOfService

Use the values true | false to define real-time threats due to denial of service.

Examples

  • Show assets with threats due to denial of service
    vulnerabilities.vulnerability.threatIntel.denialOfService: true
  • Show assets that don't have threats due to denial of service
    vulnerabilities.vulnerability.threatIntel.denialOfService: false

vulnerabilities.vulnerability.threatIntel.easyExploitvulnerabilities.vulnerability.threatIntel.easyExploit

Use the values true | false to define real-time threats due to easy exploit.

Examples

  • Show assets with threats due to easy exploit
    vulnerabilities.vulnerability.threatIntel.easyExploit: true
  • Show assets that don't have threats due to easy exploit
    vulnerabilities.vulnerability.threatIntel.easyExploit: false

vulnerabilities.vulnerability.threatIntel.exploitKitvulnerabilities.vulnerability.threatIntel.exploitKit

Use the values true | false to define real-time threats due to the exploit kit.

Examples

  • Show assets with threats due to exploit kit
    vulnerabilities.vulnerability.threatIntel.exploitKit: true
  • Show assets that don't have threats due to exploit kit
    vulnerabilities.vulnerability.threatIntel.exploitKit: false

vulnerabilities.vulnerability.threatIntel.exploitKitNamevulnerabilities.vulnerability.threatIntel.exploitKitName

Use quotes or backticks within values to help you find the exploit kit name. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler
  • Show any findings that match the exact value
    vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`

vulnerabilities.vulnerability.threatIntel.highDataLossvulnerabilities.vulnerability.threatIntel.highDataLoss

Use the values true | false to define real-time threats due to high data loss.

Examples

  • Show assets with threats due to high data loss
    vulnerabilities.vulnerability.threatIntel.highDataLoss: true
  • Show assets that don't have threats due to high data loss
    vulnerabilities.vulnerability.threatIntel.highDataLoss: false

vulnerabilities.vulnerability.threatIntel.highLateralMovementvulnerabilities.vulnerability.threatIntel.highLateralMovement

Use the values true | false to define real-time threats due to high lateral movement.

Examples

  • Show assets with threats due to high lateral movement
    vulnerabilities.vulnerability.threatIntel.highLateralMovement: true
  • Show assets that don't have threats due to high lateral movement
    vulnerabilities.vulnerability.threatIntel.highLateralMovement: false

vulnerabilities.vulnerability.threatIntel.malwarevulnerabilities.vulnerability.threatIntel.malware

Use the values true | false to define real-time threats due to malware.

Examples

  • Show assets with threats due to malware
    vulnerabilities.vulnerability.threatIntel.malware: true
  • Show assets that don't have threats due to malware
    vulnerabilities.vulnerability.threatIntel.malware: false

vulnerabilities.vulnerability.threatIntel.malwareNamevulnerabilities.vulnerability.threatIntel.malwareName

Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
  • Show any findings that match exact value
    vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`

vulnerabilities.vulnerability.threatIntel.noPatchvulnerabilities.vulnerability.threatIntel.noPatch

Use the values true | false to define real-time threats due to no patch available.

Examples

  • Show assets with threats due to no patch available
    vulnerabilities.vulnerability.threatIntel.noPatch: true
  • Show assets that don't have threats due to no patch available
    vulnerabilities.vulnerability.threatIntel.noPatch: false

vulnerabilities.vulnerability.threatIntel.publicExploitvulnerabilities.vulnerability.threatIntel.publicExploit

Use the values true | false to define real-time threats due to public exploit.

Examples

  • Show assets with threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploit: true
  • Show assets that don't have threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploit: false

vulnerabilities.vulnerability.threatIntel.publicExploitNamevulnerabilities.vulnerability.threatIntel.publicExploitName

Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.

Examples

  • Show any findings with this name
    vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
  • Show assets that don't have threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
  • Show assets that don't have threats due to public exploit
    vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`

vulnerabilities.vulnerability.threatIntel.zeroDayvulnerabilities.vulnerability.threatIntel.zeroDay

Use the values true | false to define real-time threats due to zero day exploit.

Examples

  • Show assets with threats due to zero day exploit
    vulnerabilities.vulnerability.threatIntel.zeroDay: true
  • Show assets that don't have threats due to zero day exploit
    vulnerabilities.vulnerability.threatIntel.zeroDay: false

vulnerabilities.vulnerability.threatIntel.wormablevulnerabilities.vulnerability.threatIntel.wormable

Use the values true | false to define real-time wormable threats.

Example

  • Show assets with wormable threats
    vulnerabilities.vulnerability.threatIntel.wormable: "true"

vulnerabilities.vulnerability.threatIntel.predictedHighRiskvulnerabilities.vulnerability.threatIntel.predictedHighRisk

Use the values true | false to define real-time threats due to predicted high risk.

Example

  • Show assets with predicted high risk threat
    vulnerabilities.vulnerability.threatIntel.predictedHighRisk: "true"

vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitationvulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation

Use the values true | false to define real-time threats due to unauthenticated exploitation risk.

Example

  • Show assets with unauthenticated exploitation threat
    vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation: "true"

vulnerabilities.vulnerability.threatIntelremoteCodeExecutionvulnerabilities.vulnerability.threatIntelremoteCodeExecution

Use the values true | false to define real-time threats due to remote code execution risk.

Example

  • Show assets with remote code execution threat
    vulnerabilities.vulnerability.threatIntel.remoteCodeExecution: "true"

vulnerabilities.vulnerability.threatIntel.ransomwarevulnerabilities.vulnerability.threatIntel.ransomware

Use the values true | false to define real-time threats due to ransomeware vulnerability.

Example

  • Show assets with ransomeware threat
    vulnerabilities.vulnerability.threatIntel.ransomware: "true"

vulnerabilities.vulnerability.threatIntel.privilegeEscalationvulnerabilities.vulnerability.threatIntel.privilegeEscalation

Use the values true | false to define real-time threats due to privilege escalation risk.

Example

  • Show assets with privilege escalation threat
    vulnerabilities.vulnerability.threatIntel.privilegeEscalation: "true"

vulnerabilities.vulnerability.threatIntel.solorigateSunburstvulnerabilities.vulnerability.threatIntel.solorigateSunburst

Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.

Example

  • Show assets with Solorigate/Sunburst threat
    vulnerabilities.vulnerability.threatIntel.solorigateSunburst: "true"

Alerting Tokens for Vulnerability

vulnerabilities.detectionScorevulnerabilities.detectionScore

Use an integer value (0-100) to help you find vulnerabilities based on specific detection score.

Examples

  • Show vulnerabilities with detection score 80
    vulnerabilities.detectionScore:80
  • Show vulnerabilities with detection score 25
    vulnerabilities.detectionScore:25

vulnerabilities.disabledvulnerabilities.disabled

Use the values true | false to define vulnerabilities are disabled or enabled.

Example

  • Show findings with vulnerabilities disabled
    vulnerabilities.disabled:TRUE

vulnerabilities.firstFoundvulnerabilities.firstFound

Use the date range or specific date to define when findings were first found.

Examples

  • Show findings first found within certain date
    vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30]
  • Show findings first found starting 2015-10-01, ending 1 month ag
    vulnerabilities.firstFound:[2015-10-01 ... now-1M]
  • Show findings first found starting 2 weeks ago, ending 1 second ago
    vulnerabilities.firstFound:[now-2w ... now-1s]
  • Show findings first found on certain dat
    vulnerabilities.firstFound:'2016-11-11'

vulnerabilities.ignoredvulnerabilities.ignored

Use an integer value to help you find vulnerabilities that have been marked as ignored.

Example

  • Show vulnerabilities that are marked as ignore
    vulnerabilities.ignored:TRUE

vulnerabilities.instancevulnerabilities.instance

Use a text value to help you find vulnerabilities found on a certain instance.

Example

  • Show vulnerabilities found in this instance
    vulnerabilities.instance:oracle

vulnerabilities.lastFoundvulnerabilities.lastFound

Use a date range or specific date to define when findings were last found.

Examples

  • Show findings last found within certain dates
    vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15]
  • Show findings last found starting 2016-01-01, ending 1 month ago
    vulnerabilities.lastFound:[2016-01-01 ... now-1M]
  • Show findings last found starting 2 weeks ago, ending 1 second ago
    vulnerabilities.lastFound:[now-2w ... now-1s]
  • Show findings last found on certain date
    vulnerabilities.lastFound:'2016-01-11'
  • Show findings last found within certain number of days
    vulnerabilities.lastFound: [91..180]
  • Show findings last found on 2017-01-12 with patch available
    vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
    vulnerabilities: (lastFound: AND vulnerability.patchAvailable:TRUE)

vulnerabilities.nonExploitableServicevulnerabilities.nonExploitableService

Use the values true | false to define vulnerabilities that exist on non-exploitable services.

Example

  • Show findings on non-exploitable services
    vulnerabilities.nonExploitableService:TRUE

vulnerabilities.nonRunningKernelvulnerabilities.nonRunningKernel

Use the values true | false to view vulnerabilities found on the non-running kernel.

Examples

  • Show detections found on non-running Kernel
    vulnerabilities.nonRunningKernel:TRUE
  • Show detections found on running Kernel
    vulnerabilities.nonRunningKernel:FALSE

vulnerabilities.portvulnerabilities.port

Use an integer value to help you find vulnerabilities found on a certain port.

Example

  • Show vulnerabilities found on this port
    vulnerabilities.port:443

vulnerabilities.protocolvulnerabilities.protocol

Use a text value (UDP or TCP) to define the port protocol.

Example

  • Show vulnerabilities found on TCP protoco
    vulnerabilities.protocol:TCP

vulnerabilities.severityvulnerabilities.severity

Use an integer value to view the severity level set by you to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu. If you do not set the severity level, its level will be the same as the level set by Qualys.

Example

  • Show findings with severity by 5
    vulnerabilities.severity:5

vulnerabilities.statusvulnerabilities.status

Select a status (for example, Active, Fixed, New, or Reopened) to find vulnerabilities with certain statuses. Select from names in the drop-down menu.

If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.

Example

  • Show vulnerabilities with Fixed status
    vulnerabilities.status:FIXED

vulnerabilities.typeDetectedvulnerabilities.typeDetected

Select a detection type (for example, Confirmed, Potential, or Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.

Example

  • Show findings with this type
    vulnerabilities.typeDetected:Confirmed

vulnerabilities.vulnerability.criticalityvulnerabilities.vulnerability.criticality

Select a criticality (for example, "CRITICAL", "HIGH", "MEDIUM", "LOW", or "NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu. If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takes priority.

The following list of criticality defines the CVSS Score from 0.0 to 10.0:

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

Example

  • Show vulnerabilities with HIGH criticality
    vulnerabilities.vulnerability.criticality: "HIGH"

vulnerabilities.vulnerability.cveIdsvulnerabilities.vulnerability.cveIds

Use a text value to find the CVE name.

The CVE in the query is case-sensitive and must be used in capital case.

Example

  • Show findings with CVE name CVE-2015-0313
    vulnerabilities.vulnerability.cveIds:CVE-2015-0313

 

vulnerabilities.vulnerability.descriptionvulnerabilities.vulnerability.description

Use quotes or backticks within values to help you find the vulnerability description.

Examples

  • Show any findings related to description
    vulnerabilities.vulnerability.description:remote code execution
  • Show any findings that contain "remote" or "code" in description
    vulnerabilities.vulnerability.description:"remote code execution"
  • Show any findings that match exact value "remote code execution
    vulnerabilities.vulnerability.description:`remote code execution`

vulnerabilities.vulnerability.osvulnerabilities.vulnerability.os

Use quotes or backticks within values to help you find the operating system that was detected with vulnerabilities.

Examples

  • Show any findings related to this OS value
    vulnerabilities.vulnerability.os:windows
  • Show any findings that contain parts of OS value
    vulnerabilities.vulnerability.os:"windows"
  • Show any findings that match exact value "windows"
    vulnerabilities.vulnerability.os:`windows`

vulnerabilities.vulnerability.patchAvailablevulnerabilities.vulnerability.patchAvailable

Use the values true | false to define vulnerabilities with patches available.

Examples

  • Show findings with patch available
    vulnerabilities.vulnerability.patchAvailable:TRUE
  • Show findings with no patch available
    vulnerabilities.vulnerability.patchAvailable:FALSE

vulnerabilities.vulnerabilty.qidvulnerabilities.vulnerabilty.qid

Use an integer value to define the QID.

Example

  • Show findings with QID 90405
    vulnerabilities.vulnerability.qid: 90405

vulnerabilities.vulnerability.qualysPatchablevulnerabilities.vulnerability.qualysPatchable

Use the values true | false to define that can be patched at Qualys.

Examples

  • Show vulnerabilities with patches available at Qualys
    vulnerabilities.vulnerability.qualysPatchable:"TRUE"
  • Show vulnerabilities with patches not available at Qualys
    vulnerabilities.vulnerability.qualysPatchable:"FALSE"

vulnerabilities.vulnerability.rebootRequiredvulnerabilities.vulnerability.rebootRequired

Use the values true | false to find vulnerabilities that need a reboot.

Example

  • Show vulnerabilities that need reboot
    vulnerabilities.vulnerability.rebootRequired: TRUE

vulnerabilities.vulnerability.titlevulnerabilities.vulnerability.title

Use quotes or backticks within values to help you find the title.

Examples

  • Show any findings related to this title
    vulnerabilities.vulnerability.title:Remote Code Execution
  • Show any findings that contain "Remote" or "Code" in title
    vulnerabilities.vulnerability.title:"Remote Code"
  • Show any findings that match exact value "Remote Code"
    vulnerabilities.vulnerability.title:`Remote Code`

vulnerabilities.vulnerability.vendors.productNamevulnerabilities.vulnerability.vendors.productName

Use a text value to find the vendor product name.

Example

  • Show findings with this vendor product name
    vulnerabilities.vulnerability.vendors.productName:Windows

vulnerabilities.vulnerability.vendors.vendorNamevulnerabilities.vulnerability.vendors.vendorName

Use a text value to find the vendor name.

Example

  • Show findings with this vendor name
    vulnerabilities.vulnerability.vendors.vendorName:Adobe