Create Rules and Actions from Responses tab
The Responses tab in the VMDR application lets you set up rule-based alerting for resources that fail critical evaluations, which helps you fix resource misconfigurations. Instead of actively monitoring the system, you use these alerts to learn about changes or significant findings as soon as a rule's criteria are met.
Benefits
- Trigger alerts using alerting tokens in the Rule Query.
- Receive alerts based on Trigger Criteria such as Single Match, Time-Window Count Match, and Time-Window Scheduled Match.
- Get notified of alerts by Email or Slack message.
Prerequisites
- Contact your Technical Account Manager to enable this feature for your subscription.
- Permissions: Permissions are assigned in the Qualys Administration application.
  - Manager: The Manager role has full permissions to create, edit, view, and delete rules.
  - Reader and Unit Manager: The Reader and Unit Manager roles have permission to view rules.
Alerting Tokens in VMDR
Use the following tokens to define alerting search criteria for Assets, RTIs, and Vulnerabilities in the Rule Query of the Responses tab:
Generic Tokens
Operator precedence is NOT, then AND, then OR. You can use parentheses to override this precedence.
not
Use a boolean query to express your criteria using NOT logic.
Example
- Show assets that don't have the Windows operating system
not operatingSystem: Windows
and
Use a boolean query to express your criteria using AND logic.
Example
- Find assets with certain tag and software installed
tags.name:`Cloud Agent` and software: (name:`Cisco AnyConnect Secure Mobility Client` and version:`3.1.12345`)
or
Use a boolean query to express your criteria using OR logic.
Example
- Show findings with one of these tag values
tags.name:Cloud Agent or tags.name:Windows
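The following Python evaluator is an added example, not part of this documentation or of Qualys's software. It shows how the precedence rule above (NOT before AND before OR, with parentheses overriding) changes which assets a rule fires on, and it applies the three value forms the asset and vulnerability tokens on this page use: a bare value, a "quoted" value, and a `backtick` value. The ASSETS inventory is constructed, and the matching semantics (bare value = case-insensitive substring, quoted = any of the words, backtick = exact value) are my reading of the page's examples rather than the product's actual behaviour.

```python
"""Toy evaluator for Rule Query boolean syntax: not > and > or, parentheses override.

The match semantics are an assumption drawn from the page's examples, not the
Qualys implementation.
"""
import re
from typing import Callable, Dict, List, Union

Asset = Dict[str, Union[str, List[str]]]
Matcher = Callable[[Asset], bool]

# Constructed sample inventory; field names follow the page's tokens.
ASSETS: List[Asset] = [
    {"name": "web-01", "operatingSystem": "Windows 2012", "tags.name": ["Cloud Agent"]},
    {"name": "db-01", "operatingSystem": "Ubuntu 20.04", "tags.name": ["Cloud Agent", "Linux"]},
    {"name": "jump-01", "operatingSystem": "Windows 2019", "tags.name": ["Windows"]},
]

# A token is '(' or ')', a field:value term (value in backticks, in quotes, or a
# bare run without spaces), or a bare word such as not / and / or.
TOKEN_RE = re.compile(r'\(|\)|[A-Za-z_.]+:\s*(?:`[^`]*`|"[^"]*"|[^\s()]+)|[^\s()]+')


def _values(asset: Asset, field: str) -> List[str]:
    v = asset.get(field, [])
    return v if isinstance(v, list) else [v]


def term_matcher(term: str) -> Matcher:
    """Build a matcher for one field:value term (assumed semantics, see above)."""
    field, _, raw = term.partition(":")
    raw = raw.strip()
    if raw.startswith("`") and raw.endswith("`"):      # backticks: exact value
        want = raw[1:-1]
        return lambda a: want in _values(a, field)
    if raw.startswith('"') and raw.endswith('"'):      # quotes: any of the words
        words = raw[1:-1].lower().split()
        return lambda a: any(w in v.lower() for v in _values(a, field) for w in words)
    want = raw.lower()                                  # bare: "related to" (substring)
    return lambda a: any(want in v.lower() for v in _values(a, field))


class _Parser:
    """Recursive descent: or_expr -> and_expr ('or' and_expr)*, and so on down to not."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def _peek(self) -> str:
        return self.toks[self.i] if self.i < len(self.toks) else ""

    def _take(self) -> str:
        tok = self._peek()
        self.i += 1
        return tok

    def parse_or(self) -> Matcher:
        node = self.parse_and()
        while self._peek().lower() == "or":
            self._take()
            node = (lambda l, r: lambda a: l(a) or r(a))(node, self.parse_and())
        return node

    def parse_and(self) -> Matcher:
        node = self.parse_not()
        while self._peek().lower() == "and":
            self._take()
            node = (lambda l, r: lambda a: l(a) and r(a))(node, self.parse_not())
        return node

    def parse_not(self) -> Matcher:
        if self._peek().lower() == "not":
            self._take()
            inner = self.parse_not()
            return lambda a: not inner(a)
        tok = self._take()
        if tok == "(":                                  # parentheses override precedence
            node = self.parse_or()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if ":" not in tok:
            raise ValueError(f"expected field:value term, got {tok!r}")
        return term_matcher(tok)


def compile_query(query: str) -> Matcher:
    parser = _Parser(TOKEN_RE.findall(query))
    matcher = parser.parse_or()
    if parser._peek():
        raise ValueError(f"unexpected token {parser._peek()!r}")
    return matcher


def matching_assets(query: str, assets: List[Asset] = ASSETS) -> List[str]:
    """Names of the assets a rule query would fire on."""
    matcher = compile_query(query)
    return [str(a["name"]) for a in assets if matcher(a)]


if __name__ == "__main__":
    for q in ("not operatingSystem: Windows",
              "name:web-01 or name:db-01 and tags.name:Windows",
              "(name:web-01 or name:db-01) and tags.name:Windows"):
        print(f"{q:55} -> {matching_assets(q)}")
```

The two precedence queries at the bottom differ only by parentheses, yet the first fires on web-01 and the second on nothing, which is exactly the kind of surprise a rule author wants to catch before an alert rule goes live.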
Alerting Tokens for Assets
assetId
Use an integer value to find specific Qualys asset IDs (UUIDs), which are assigned by an agent, or by a scanner appliance when Agentless Tracking is used.
Examples
- Show this asset ID
assetId: 2918869
- Show asset IDs in this range
assetId: [3546997 .. 12945655]
- Show the 2 asset IDs listed
assetId: [3546997,12945655]
created
Use a date range or specific date to define when assets were created, that is, when they were first scanned by a scanner appliance or when the agent was installed.
Examples
- Show assets created within certain dates
created:[2016-01-01 ... 2016-01-10]
- Show assets created starting 2017-10-01, ending 1 month ago
created:[2017-10-01 ... now-1M]
- Show assets created starting 2 weeks ago, ending 1 second ago
created:[now-2w ... now-1s]
- Show assets created on a specific date
created:'2018-01-08'
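To make the date syntax concrete, here is an added Python example (mine, not Qualys's code) that resolves the forms shown above into an inclusive time window and filters a constructed asset list by its `created` timestamp. It handles a quoted day `'YYYY-MM-DD'`, a range `[start ... end]`, and relative points `now-<n><unit>`; the units `s`, `w` and `M` appear on this page, while `m` (minute), `h`, `d` and `y` are my assumption. Month arithmetic is calendar-based and clamps to the end of the month. The fixed clock `NOW` exists only so the results are reproducible.

```python
"""Resolve the page's date expressions into a [start, end] window and filter assets.

Units s/w/M come from the page; m/h/d/y are assumed. Not Qualys's implementation.
"""
import calendar
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

UTC = timezone.utc
RANGE_RE = re.compile(r"^\[\s*(.+?)\s*\.\.\.\s*(.+?)\s*\]$")
REL_RE = re.compile(r"^now(?:-(\d+)([smhdwMy]))?$")
FIXED_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86_400, "w": 7 * 86_400}


def shift_months(dt: datetime, months: int) -> datetime:
    """Move dt by whole calendar months; the day is clamped (31 Mar - 1M -> 28 Feb)."""
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def resolve_point(expr: str, now: datetime) -> Tuple[datetime, bool]:
    """Return (instant, is_whole_day). An absolute date denotes a whole day."""
    expr = expr.strip().strip("'")
    m = REL_RE.match(expr)
    if m:
        if m.group(1) is None:                       # plain "now"
            return now, False
        n, unit = int(m.group(1)), m.group(2)
        if unit in ("M", "y"):                       # calendar months / years
            return shift_months(now, -n * (12 if unit == "y" else 1)), False
        return now - timedelta(seconds=n * FIXED_UNITS[unit]), False
    return datetime.strptime(expr, "%Y-%m-%d").replace(tzinfo=UTC), True


def resolve_window(expr: str, now: datetime) -> Tuple[datetime, datetime]:
    """Inclusive [start, end] window for a date token value."""
    m = RANGE_RE.match(expr.strip())
    if m:
        start, _ = resolve_point(m.group(1), now)
        end, whole_day = resolve_point(m.group(2), now)
    else:                                            # a single quoted day
        start, whole_day = resolve_point(expr, now)
        end = start
    if whole_day:                                    # an absolute end date covers that entire day
        end = end + timedelta(days=1) - timedelta(microseconds=1)
    if start > end:
        raise ValueError(f"empty window: {expr}")
    return start, end


def assets_in_window(assets, field: str, expr: str, now: datetime) -> List[str]:
    """Names of assets whose <field> timestamp falls inside the resolved window."""
    start, end = resolve_window(expr, now)
    hits = []
    for a in assets:
        ts = datetime.fromisoformat(a[field]).replace(tzinfo=UTC)
        if start <= ts <= end:
            hits.append(a["name"])
    return hits


# Constructed sample assets; 'created' is an ISO timestamp in UTC.
ASSETS = [
    {"name": "web-01", "created": "2018-03-10T08:30:00"},
    {"name": "db-01", "created": "2018-02-01T14:00:00"},
    {"name": "jump-01", "created": "2018-01-08T03:15:00"},
]
NOW = datetime(2018, 3, 15, 12, 0, tzinfo=UTC)       # fixed clock for reproducible output

if __name__ == "__main__":
    for expr in ("[now-2w ... now-1s]", "[2017-10-01 ... now-1M]", "'2018-01-08'"):
        print(f"created:{expr:28} -> {assets_in_window(ASSETS, 'created', expr, NOW)}")
```

Two details are worth checking in any alerting rule that uses these windows: an absolute end date is treated as the whole day (so `[... 2016-01-10]` still includes 10 January), and a window whose start lies after its end is rejected rather than silently matching nothing.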
criticalityScore
Use an integer value (1-5) to find assets based on a specific criticality score.
Examples
- Show assets with criticality score 5
criticalityScore:5
- Show assets with criticality score 2
criticalityScore:2
interfaces.hostname
Use quotes or backticks within values to help you find the hostname.
Examples
- Show any findings related to name
interfaces.hostname:xpsp2-jp-26-111
- Show any findings that contain parts of name
interfaces.hostname:"xpsp2-jp-26-111"
- Show any findings that match exact value "xpsp2-jp-26-111"
interfaces.hostname:`xpsp2-jp-26-111`
- Show any findings related to name (we'll match super domains)
interfaces.hostname:qcentos71sqp3.rdlab.acme.com
- Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`
lastComplianceScanDate
Use a date range or specific date to define when compliance scans were last conducted. In a full compliance scan, all QIDs are triggered; in a custom compliance scan, only specific QIDs are triggered.
Examples
- Show findings with last compliance scan within certain dates
lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
- Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
lastComplianceScanDate: [2016-10-15 ... now-1M]
- Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastComplianceScanDate: [now-2w ... now-1s]
- Show findings with last compliance scan on a specific date
lastComplianceScanDate:'2017-02-18'
lastVmScanDate
Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. In a full vulnerability scan, all QIDs are triggered; in a custom vulnerability scan, only specific QIDs are triggered.
Examples
- Show findings with the last vulnerability scan within certain dates
lastVmScanDate: [2017-01-01 ... 2017-02-10]
- Show findings with the last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDate: [2016-11-01 ... now-1M]
- Show findings with the last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDate: [now-2w ... now-1s]
- Show findings with the last vulnerability scan on a specific date
lastVmScanDate:'2017-04-10'
name
Use quotes or backticks within values to help you find the asset name.
Examples
- Show any findings related to name
name:QK2K12QP3-65-53
- Show any findings that contain parts of name
name:"QK2K12QP3-65-53"
- Show any findings that match exact value "QK2K12QP3-65-53"
name:`QK2K12QP3-65-53`
netbiosName
Use a text value to define the NetBIOS name.
Examples
- Show assets with this exact name (case sensitive)
netbiosName:EC2AMAZ-19OC2IT
- Show assets with name starting with "EC2" (case sensitive)
netbiosName:EC2*
- Show assets with name ending with "c2it" (case insensitive)
netbiosName:*c2it
operatingSystem
Use quotes or backticks within values to help you find the operating system.
Examples
- Show any findings with this OS name
operatingSystem:Windows 2012
- Show any findings that contain components of OS name
operatingSystem:"Windows 2012"
- Show any findings that match exact value "Windows 2012"
operatingSystem:`Windows 2012`
riskScore
Use an integer value (0-1000) to help you find assets based on a specific risk score.
Examples
- Show assets with risk score 60
riskScore:60
- Show assets with risk score 25
riskScore:25
trackingMethod
Select the tracking method for the assets (for example, IP, DNSNAME, NETBIOS, or INSTANCE_ID). Select from names in the drop-down menu.
Examples
- Show this asset tracked by IP
trackingMethod: IP
- Show asset tracked by NETBIOS
trackingMethod: NETBIOS
- Show assets tracked by EASM
trackingMethod: EASM
updated
Use a date range or specific date to define when assets were updated, that is, when they were re-scanned by a scanner appliance or when host data was uploaded to the Enterprise TruRisk™ Platform by an agent.
Examples
- Show assets updated within certain dates
updated:[2017-12-01 ... 2018-01-10]
- Show assets updated starting 2017-10-01, ending 3 months ago
updated:[2017-10-01 ... now-3M]
- Show assets updated starting 2 weeks ago, ending 1 second ago
updated:[now-2w ... now-1s]
- Show assets updated on a specific date
updated:'2018-03-10'
Alerting Tokens for Real-Time Threat Indicators (RTI)
vulnerabilities.vulnerability.threatIntel.publicExploitName
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this name
vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
- Show any findings that contain the words in this name
vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
- Show any findings that match exact value "RealVNC NULL Authentication Mode Bypass"
vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
Alerting Tokens for Vulnerability
vulnerabilities.detectionScore
Use an integer value (0-100) to find vulnerabilities based on a specific detection score.
Examples
- Show vulnerabilities with detection score 80
vulnerabilities.detectionScore:80
- Show vulnerabilities with detection score 25
vulnerabilities.detectionScore:25
vulnerabilities.firstFound
Use a date range or specific date to define when findings were first found.
Examples
- Show findings first found within certain dates
vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30]
- Show findings first found starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFound:[2015-10-01 ... now-1M]
- Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFound:[now-2w ... now-1s]
- Show findings first found on a certain date
vulnerabilities.firstFound:'2016-11-11'
vulnerabilities.lastFound
Use a date range or specific date to define when findings were last found.
Examples
- Show findings last found within certain dates
vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15]
- Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFound:[2016-01-01 ... now-1M]
- Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFound:[now-2w ... now-1s]
- Show findings last found on a certain date
vulnerabilities.lastFound:'2016-01-11'
- Show findings last found within certain number of days
vulnerabilities.lastFound: [91..180]
- Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
vulnerabilities.severity
Use an integer value for the severity level you have set, to find assets with vulnerabilities at that severity. The severity level ranges from 1 to 5. Select from values in the drop-down menu. If you have not set a severity level, the level is the one set by Qualys.
Example
- Show findings with severity 5
vulnerabilities.severity:5
vulnerabilities.status
Select a status (for example, Active, Fixed, New, or Reopened) to find vulnerabilities with certain statuses. Select from names in the drop-down menu.
If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.
Example
- Show vulnerabilities with Fixed status
vulnerabilities.status:FIXED
vulnerabilities.typeDetected
Select a detection type (for example, Confirmed, Potential, or Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
Example
- Show findings with this type
vulnerabilities.typeDetected:Confirmed
vulnerabilities.vulnerability.criticality
Select a criticality ("CRITICAL", "HIGH", "MEDIUM", "LOW", or "NONE") to find assets with vulnerabilities of that criticality. Select from names in the drop-down menu. If a QID has no CVSSv3 Base score, its CVSSv2 Base score is used instead.
Criticality maps to the CVSS Base score (0.0 to 10.0) as follows:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Example
- Show vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: "HIGH"
vulnerabilities.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description.
Examples
- Show any findings related to description
vulnerabilities.vulnerability.description:remote code execution
- Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description:"remote code execution"
- Show any findings that match exact value "remote code execution"
vulnerabilities.vulnerability.description:`remote code execution`
vulnerabilities.vulnerability.os
Use quotes or backticks within values to help you find the operating system that was detected with vulnerabilities.
Examples
- Show any findings related to this OS value
vulnerabilities.vulnerability.os:windows
- Show any findings that contain parts of OS value
vulnerabilities.vulnerability.os:"windows"
- Show any findings that match exact value "windows"
vulnerabilities.vulnerability.os:`windows`
vulnerabilities.vulnerability.title
Use quotes or backticks within values to help you find the title.
Examples
- Show any findings related to this title
vulnerabilities.vulnerability.title:Remote Code Execution
- Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title:"Remote Code"
- Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title:`Remote Code`