Create Rules and Actions from Responses tab
The Responses tab in the VMDR application lets you set up rule-based alerting for resources that fail critical evaluations, which helps you fix resource misconfigurations. Instead of actively monitoring the system, you receive an alert as soon as a rule's conditions are met, so you learn about changes or significant findings immediately.
Benefits
- Trigger alerts using alerting tokens in the Rule Query.
- Receive alerts based on trigger criteria such as Single Match, Time-Window Count Match, and Time-Window Scheduled Match.
- Get notified of alerts by Email or Slack message.
Prerequisites
- Contact your Technical Account Manager to enable this feature for your subscription.
- Permissions: The permissions are assigned from the Qualys Administration application.
- Manager: The Manager role has all the permissions to create, edit, view, and delete the rules.
- Reader and Unit Manager: The Reader and Unit Manager roles have permissions to view the rules.
Alerting Tokens in VMDR
Use the following tokens to define alerting search criteria for Assets, Real-Time Threat Indicators (RTIs), and Vulnerabilities in the Rule Query of the Responses tab:
Generic Tokens
The operators are evaluated in the order of precedence NOT, AND, OR. You can use parentheses to override this precedence.
Use a boolean query to express your query using NOT logic.
Example
- Show assets that don't have the Windows operating system
not operatingSystem: Windows
Use a boolean query to express your query using AND logic.
Example
- Find assets with certain tag and software installed
tags.name:`Cloud Agent` and software: (name:`Cisco AnyConnect Secure Mobility Client` and version:`3.1.12345`)
Use a boolean query to express your query using OR logic.
Example
- Show findings with one of these tag values
tags.name:Cloud Agent or tags.name:Windows
Alerting Tokens for Assets
Use an integer value to help you find certain Qualys asset IDs (UUIDs), assigned by an agent or a scanner appliance when Agentless Tracking is used.
Examples
- Show this asset ID
assetId: 2918869
- Show asset IDs in this range
assetId: [3546997 .. 12945655]
- Show the 2 asset IDs listed
assetId: [3546997,12945655]
Use a date range or specific date to define when assets were created, when they were first scanned by a scanner appliance, or when an agent was installed.
Examples
- Show assets created within certain dates
created:[2016-01-01 ... 2016-01-10]
- Show assets created starting 2017-10-01, ending 1 month ago
created:[2017-10-01 ... now-1M]
- Show assets created starting 2 weeks ago, ending 1 second ago
created:[now-2w ... now-1s]
- Show assets created on a specific date
created:'2018-01-08'
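The date syntax used by `created` (and shared by the other date tokens on this page: `lastComplianceScanDate`, `lastVmScanDateScanner`, `updated`, `vulnerabilities.firstFound` and `vulnerabilities.lastFound`) combines absolute dates, relative offsets such as `now-1M`, and a `[start ... end]` range. The following Python is an added example, not Qualys code, that resolves such a value to a concrete (start, end) window so a timestamp can be checked against it offline. The units beyond those shown on the page (`m`, `h`, `d` in addition to `s`, `w`, `M`), the treatment of a bare date as the whole UTC day, and the reading of `[91..180]` as "91 to 180 days ago" are assumptions of this example.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Range with two endpoints, e.g. [2017-10-01 ... now-1M]; endpoints never contain '.', so the
# separator may be written as .. or ... (both spellings appear on this page).
_RANGE_RE = re.compile(r"^\[\s*([^\s.\]]+)\s*\.\.\.?\s*([^\s.\]]+)\s*\]$")
_DAYS_RE = re.compile(r"^\[\s*(\d+)\s*\.\.\.?\s*(\d+)\s*\]$")   # [91..180] = 91 to 180 days ago
_REL_RE = re.compile(r"^now(?:-(\d+)([smhdwM]))?$")              # now, now-2w, now-1M, ...
_DATE_RE = re.compile(r"^'?(\d{4})-(\d{2})-(\d{2})'?$")           # 2018-01-08 or '2018-01-08'
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}  # M (months) handled apart

def _months_back(moment, months):
    """Step back whole calendar months, clamping the day (2018-03-31 minus 1M -> 2018-02-28)."""
    index = moment.year * 12 + moment.month - 1 - months
    year, month = divmod(index, 12)
    day = min(moment.day, calendar.monthrange(year, month + 1)[1])
    return moment.replace(year=year, month=month + 1, day=day)

def _endpoint(text, now, *, end):
    """Resolve one endpoint; a bare date covers the whole day, so as an end it is 23:59:59.999999."""
    rel = _REL_RE.match(text)
    if rel:
        if rel.group(1) is None:
            return now
        amount, unit = int(rel.group(1)), rel.group(2)
        if unit == "M":
            return _months_back(now, amount)
        return now - timedelta(seconds=amount * _SECONDS[unit])
    date = _DATE_RE.match(text)
    if date:
        day = datetime(*map(int, date.groups()), tzinfo=timezone.utc)
        return day + timedelta(days=1, microseconds=-1) if end else day
    raise ValueError(f"unrecognised date expression: {text!r}")

def parse_date_filter(value, now=None):
    """Turn a date token value into an inclusive (start, end) pair of aware UTC datetimes."""
    now = now or datetime.now(timezone.utc)
    value = value.strip()
    days = _DAYS_RE.match(value)
    if days:  # assumed reading of "within certain number of days": an age window
        lo, hi = sorted(int(g) for g in days.groups())
        return now - timedelta(days=hi), now - timedelta(days=lo)
    rng = _RANGE_RE.match(value)
    first, last = rng.groups() if rng else (value, value)
    start, end = _endpoint(first, now, end=False), _endpoint(last, now, end=True)
    if start > end:
        raise ValueError(f"range start {start} is after its end {end}")
    return start, end

def in_window(timestamp, value, now=None):
    """True when an asset or finding timestamp satisfies the token value."""
    start, end = parse_date_filter(value, now)
    return start <= timestamp <= end
```

Passing `now` explicitly, as the tests do, makes relative expressions reproducible; in a real check you would leave it unset so `now-1s` means one second before the evaluation. The month step clamps the day of month rather than overflowing, so `now-1M` evaluated on 31 March lands on 28 February, not 3 March.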
criticalityScore
Use an integer value (1-5) to help you find assets based on specific criticality score.
Examples
- Show assets with criticality score 5
criticalityScore:5
- Show assets with criticality score 2
criticalityScore:2
interfaces.hostname
Use quotes or backticks within values to help you find the hostname.
Examples
- Show any findings related to name
interfaces.hostname:xpsp2-jp-26-111
- Show any findings that contain parts of name
interfaces.hostname:"xpsp2-jp-26-111"
- Show any findings that match exact value "xpsp2-jp-26-111"
interfaces.hostname:`xpsp2-jp-26-111`
- Show any findings related to name (we'll match super domains)
interfaces.hostname:qcentos71sqp3.rdlab.acme.com
- Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"
interfaces.hostname:`qcentos71sqp3.rdlab.acme.com`
lastComplianceScanDate
Use a date range or specific date to define when compliance scans were last conducted. In a full compliance scan, all QIDs are triggered; in a custom compliance scan, only specific QIDs are triggered.
Examples
- Show findings with last compliance scan within certain dates
lastComplianceScanDate: [2017-01-01 ... 2017-03-31]
- Show findings with last compliance scan starting 2016-10-15, ending 1 month ago
lastComplianceScanDate: [2016-10-15 ... now-1M]
- Show findings with last compliance scan starting 2 weeks ago, ending 1 second ago
lastComplianceScanDate: [now-2w ... now-1s]
- Show findings with last compliance scan on a specific date
lastComplianceScanDate:'2017-02-18'
Use a date range or specific date to define when full or custom vulnerability scans were last conducted by the agent or scanner. In a full vulnerability scan, all QIDs are triggered; in a custom vulnerability scan, only specific QIDs are triggered.
Examples
- Show findings with the last vulnerability scan within certain dates
lastVmScanDateScanner: [2017-01-01 ... 2017-02-10]
- Show findings with the last vulnerability scan starting 2016-11-01, ending 1 month ago
lastVmScanDateScanner: [2016-11-01 ... now-1M]
- Show findings with the last vulnerability scan starting 2 weeks ago, ending 1 second ago
lastVmScanDateScanner: [now-2w ... now-1s]
- Show findings with the last vulnerability scan on a specific date
lastVmScanDateScanner:'2017-04-10'
Use quotes or backticks within values to help you find the asset name.
Examples
- Show any findings related to name
name:QK2K12QP3-65-53
- Show any findings that contain parts of name
name:"QK2K12QP3-65-53"
- Show any findings that match exact value "QK2K12QP3-65-53"
name:`QK2K12QP3-65-53`
Use a text value to define the NetBIOS name.
Examples
- Show assets with this exact name (case sensitive)
netbiosName:EC2AMAZ-19OC2IT
- Show assets with name starting with "EC2" (case sensitive)
netbiosName:EC2*
- Show assets with name ending with "c2it" (case insensitive)
netbiosName:*c2it
Use an integer value (0-1000) to help you find assets based on a specific risk score.
Examples
- Show assets with risk score 60
riskScore:60
- Show assets with risk score 25
riskScore:25
Select the tracking method for the assets (for example, IP, DNSNAME, NETBIOS, or INSTANCE_ID). Select from names in the drop-down menu.
Examples
- Show this asset tracked by IP
trackingMethod: IP
- Show asset tracked by NETBIOS
trackingMethod: NETBIOS
- Show assets tracked by EASM
trackingMethod: EASM
Use a date range or specific date to define when assets were updated, that is, when they were re-scanned by a scanner appliance or when host data was uploaded to the cloud platform by an agent.
Examples
- Show assets updated within certain dates
updated:[2017-12-01 ... 2018-01-10]
- Show assets updated starting 2017-10-01, ending 3 months ago
updated:[2017-10-01 ... now-3M]
- Show assets updated starting 2 weeks ago, ending 1 second ago
updated:[now-2w ... now-1s]
- Show assets updated on a specific date
updated:'2018-03-10'
Alerting Tokens for Real-Time Threat Indicators (RTI)
Use the values true | false to define real-time threats due to active attacks.
Examples
- Show assets with threats due to active attacks
vulnerabilities.vulnerability.threatIntel.activeAttacks: true
- Show assets that don't have threats due to active attack
vulnerabilities.vulnerability.threatIntel.activeAttacks: false
Use the values true | false to define real-time threats due to CISA Exploits.
Examples
- Show assets with threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: true
- Show assets that don't have threats due to CISA exploit
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns: false
Use the values true | false to define real-time threats due to denial of service.
Examples
- Show assets with threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService: true
- Show assets that don't have threats due to denial of service
vulnerabilities.vulnerability.threatIntel.denialOfService: false
Use the values true | false to define real-time threats due to easy exploit.
Examples
- Show assets with threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit: true
- Show assets that don't have threats due to easy exploit
vulnerabilities.vulnerability.threatIntel.easyExploit: false
Use the values true | false to define real-time threats due to the exploit kit.
Examples
- Show assets with threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: true
- Show assets that don't have threats due to exploit kit
vulnerabilities.vulnerability.threatIntel.exploitKit: false
Use quotes or backticks within values to help you find the exploit kit name. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this name
vulnerabilities.vulnerability.threatIntel.exploitKitName: Angler
- Show any findings that match the exact value
vulnerabilities.vulnerability.threatIntel.exploitKitName: `Angler`
Use the values true | false to define real-time threats due to high data loss.
Examples
- Show assets with threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss: true
- Show assets that don't have threats due to high data loss
vulnerabilities.vulnerability.threatIntel.highDataLoss: false
Use the values true | false to define real-time threats due to high lateral movement.
Examples
- Show assets with threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement: true
- Show assets that don't have threats due to high lateral movement
vulnerabilities.vulnerability.threatIntel.highLateralMovement: false
vulnerabilities.vulnerability.threatIntel.malware
Use the values true | false to define real-time threats due to malware.
Examples
- Show assets with threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: true
- Show assets that don't have threats due to malware
vulnerabilities.vulnerability.threatIntel.malware: false
Use quotes or backticks within values to help you find the malware name. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this name
vulnerabilities.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
- Show any findings that match exact value
vulnerabilities.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
vulnerabilities.vulnerability.threatIntel.noPatch
Use the values true | false to define real-time threats due to no patch available.
Examples
- Show assets with threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: true
- Show assets that don't have threats due to no patch available
vulnerabilities.vulnerability.threatIntel.noPatch: false
Use the values true | false to define real-time threats due to public exploit.
Examples
- Show assets with threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit: true
- Show assets that don't have threats due to public exploit
vulnerabilities.vulnerability.threatIntel.publicExploit: false
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Examples
- Show any findings with this name
vulnerabilities.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
- Show any findings that contain parts of the name
vulnerabilities.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
- Show any findings that match the exact value
vulnerabilities.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
vulnerabilities.vulnerability.threatIntel.zeroDay
Use the values true | false to define real-time threats due to zero day exploit.
Examples
- Show assets with threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: true
- Show assets that don't have threats due to zero day exploit
vulnerabilities.vulnerability.threatIntel.zeroDay: false
vulnerabilities.vulnerability.threatIntel.wormable
Use the values true | false to define real-time wormable threats.
Example
- Show assets with wormable threats
vulnerabilities.vulnerability.threatIntel.wormable: "true"
Use the values true | false to define real-time threats due to predicted high risk.
Example
- Show assets with predicted high risk threat
vulnerabilities.vulnerability.threatIntel.predictedHighRisk: "true"
Use the values true | false to define real-time threats due to unauthenticated exploitation risk.
Example
- Show assets with unauthenticated exploitation threat
vulnerabilities.vulnerability.threatIntel.unauthenticatedExploitation: "true"
Use the values true | false to define real-time threats due to remote code execution risk.
Example
- Show assets with remote code execution threat
vulnerabilities.vulnerability.threatIntel.remoteCodeExecution: "true"
Use the values true | false to define real-time threats due to ransomware vulnerability.
Example
- Show assets with ransomware threat
vulnerabilities.vulnerability.threatIntel.ransomware: "true"
Use the values true | false to define real-time threats due to privilege escalation risk.
Example
- Show assets with privilege escalation threat
vulnerabilities.vulnerability.threatIntel.privilegeEscalation: "true"
Use the values true | false to filter real-time threats due to Solorigate/Sunburst risk.
Example
- Show assets with Solorigate/Sunburst threat
vulnerabilities.vulnerability.threatIntel.solorigateSunburst: "true"
Alerting Tokens for Vulnerability
vulnerabilities.detectionScore
Use an integer value (0-100) to help you find vulnerabilities based on specific detection score.
Examples
- Show vulnerabilities with detection score 80
vulnerabilities.detectionScore:80
- Show vulnerabilities with detection score 25
vulnerabilities.detectionScore:25
vulnerabilities.disabled
Use the values true | false to define whether vulnerabilities are disabled or enabled.
Example
- Show findings with vulnerabilities disabled
vulnerabilities.disabled:TRUE
vulnerabilities.firstFound
Use the date range or specific date to define when findings were first found.
Examples
- Show findings first found within certain date
vulnerabilities.firstFound:[2017-10-21 ... 2017-10-30]
- Show findings first found starting 2015-10-01, ending 1 month ago
vulnerabilities.firstFound:[2015-10-01 ... now-1M]
- Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerabilities.firstFound:[now-2w ... now-1s]
- Show findings first found on certain date
vulnerabilities.firstFound:'2016-11-11'
vulnerabilities.ignored
Use an integer value to help you find vulnerabilities that have been marked as ignored.
Example
- Show vulnerabilities that are marked as ignored
vulnerabilities.ignored:TRUE
vulnerabilities.instance
Use a text value to help you find vulnerabilities found on a certain instance.
Example
- Show vulnerabilities found in this instance
vulnerabilities.instance:oracle
vulnerabilities.lastFound
Use a date range or specific date to define when findings were last found.
Examples
- Show findings last found within certain dates
vulnerabilities.lastFound:[2015-10-21 ... 2016-01-15]
- Show findings last found starting 2016-01-01, ending 1 month ago
vulnerabilities.lastFound:[2016-01-01 ... now-1M]
- Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerabilities.lastFound:[now-2w ... now-1s]
- Show findings last found on certain date
vulnerabilities.lastFound:'2016-01-11'
- Show findings last found within certain number of days
vulnerabilities.lastFound: [91..180]
- Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound:'2017-01-12' AND vulnerability.patchAvailable:TRUE)
vulnerabilities.nonExploitableService
Use the values true | false to define vulnerabilities that exist on non-exploitable services.
Example
- Show findings on non-exploitable services
vulnerabilities.nonExploitableService:TRUE
vulnerabilities.nonRunningKernel
Use the values true | false to view vulnerabilities found on the non-running kernel.
Examples
- Show detections found on non-running Kernel
vulnerabilities.nonRunningKernel:TRUE
- Show detections found on running Kernel
vulnerabilities.nonRunningKernel:FALSE
vulnerabilities.port
Use an integer value to help you find vulnerabilities found on a certain port.
Example
- Show vulnerabilities found on this port
vulnerabilities.port:443
vulnerabilities.protocol
Use a text value (UDP or TCP) to define the port protocol.
Example
- Show vulnerabilities found on TCP protocol
vulnerabilities.protocol:TCP
vulnerabilities.severity
Use an integer value to find assets having vulnerabilities at the severity level you set. The severity level ranges from 1 to 5; select from values in the drop-down menu. If you have not set a severity level, the level set by Qualys is used.
Example
- Show findings with severity by 5
vulnerabilities.severity:5
vulnerabilities.status
Select a status (for example, Active, Fixed, New, or Reopened) to find vulnerabilities with certain statuses. Select from names in the drop-down menu.
If you select the status as Fixed, the list will only show vulnerabilities that have been fixed in the last 365 days.
Example
- Show vulnerabilities with Fixed status
vulnerabilities.status:FIXED
vulnerabilities.typeDetected
Select a detection type (for example, Confirmed, Potential, or Information) to find assets with vulnerabilities of this type. Select from names in the drop-down menu.
Example
- Show findings with this type
vulnerabilities.typeDetected:Confirmed
vulnerabilities.vulnerability.criticality
Select a criticality (for example, "CRITICAL", "HIGH", "MEDIUM", "LOW", or "NONE") to find assets with vulnerabilities of this type. Select from names in the drop-down menu. If a QID does not have a CVSSv3 Base score, the CVSSv2 Base score takes priority.
The following list of criticality defines the CVSS Score from 0.0 to 10.0:
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Example
- Show vulnerabilities with HIGH criticality
vulnerabilities.vulnerability.criticality: "HIGH"
vulnerabilities.vulnerability.cveIds
Use a text value to find the CVE name.
The CVE ID in the query is case-sensitive and must be written in uppercase.
Example
- Show findings with CVE name CVE-2015-0313
vulnerabilities.vulnerability.cveIds:CVE-2015-0313
vulnerabilities.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description.
Examples
- Show any findings related to description
vulnerabilities.vulnerability.description:remote code execution
- Show any findings that contain "remote" or "code" in description
vulnerabilities.vulnerability.description:"remote code execution"
- Show any findings that match exact value "remote code execution"
vulnerabilities.vulnerability.description:`remote code execution`
vulnerabilities.vulnerability.os
Use quotes or backticks within values to help you find the operating system that was detected with vulnerabilities.
Examples
- Show any findings related to this OS value
vulnerabilities.vulnerability.os:windows
- Show any findings that contain parts of OS value
vulnerabilities.vulnerability.os:"windows"
- Show any findings that match exact value "windows"
vulnerabilities.vulnerability.os:`windows`
vulnerabilities.vulnerability.patchAvailable
Use the values true | false to define vulnerabilities with patches available.
Examples
- Show findings with patch available
vulnerabilities.vulnerability.patchAvailable:TRUE
- Show findings with no patch available
vulnerabilities.vulnerability.patchAvailable:FALSE
vulnerabilities.vulnerability.qid
Use an integer value to define the QID.
Example
- Show findings with QID 90405
vulnerabilities.vulnerability.qid: 90405
vulnerabilities.vulnerability.qualysPatchable
Use the values true | false to define vulnerabilities that can be patched at Qualys.
Examples
- Show vulnerabilities with patches available at Qualys
vulnerabilities.vulnerability.qualysPatchable:"TRUE"
- Show vulnerabilities with patches not available at Qualys
vulnerabilities.vulnerability.qualysPatchable:"FALSE"
vulnerabilities.vulnerability.rebootRequired
Use the values true | false to find vulnerabilities that need a reboot.
Example
- Show vulnerabilities that need reboot
vulnerabilities.vulnerability.rebootRequired: TRUE
vulnerabilities.vulnerability.title
Use quotes or backticks within values to help you find the title.
Examples
- Show any findings related to this title
vulnerabilities.vulnerability.title:Remote Code Execution
- Show any findings that contain "Remote" or "Code" in title
vulnerabilities.vulnerability.title:"Remote Code"
- Show any findings that match exact value "Remote Code"
vulnerabilities.vulnerability.title:`Remote Code`
vulnerabilities.vulnerability.vendors.productName
Use a text value to find the vendor product name.
Example
- Show findings with this vendor product name
vulnerabilities.vulnerability.vendors.productName:Windows
vulnerabilities.vulnerability.vendors.vendorName
Use a text value to find the vendor name.
Example
- Show findings with this vendor name
vulnerabilities.vulnerability.vendors.vendorName:Adobe