Monday, July 23, 2018

Splunk Vulnerability Lookup Tool Using the Qualys Knowledge Base

By Tony Lee

Are you a Splunk + Qualys customer? If so, are you downloading the Qualys Knowledge Base data? Hint: This us usually accomplished by enabling the Qualys TA knowledge base input.  Chances are pretty good that you are since that data is used by the Qualys Splunk app to map Qualys QID codes to human readable names of vulnerabilities.

While this is very useful for the Qualys app's dashboards, we took the by-product of the mapping to the next level by creating a Vulnerability Lookup dashboard (see Figure 1 below) to be used by humans in a more flexible way that has nothing to do with the Qualys scans themselves. This dashboard provides SOC analysts the ability to search the knowledge base by QID, title of the vulnerability, CVE, and even vendor reference numbers such as MS or KB numbers.  Best of all, we included the code at the bottom of the article for anyone to use.  :-)

Figure 1:  Vulnerability Lookup dashboard

Understanding the Data

Once the Knowledge Base data is downloaded to the search head (per Qualys instructions), try to search for it. In a Splunk search box, copy and paste the following.

| inputlookup qualys_kb_lookup

If you see results, you are all set to use the dashboard code at the bottom of the article.

Figure 2:  Sample KB data.  If you see data returned with this query, you should be good to go.


If you are going to spend the time and resources downloading the Qualys Knowledge Base, you might as well benefit twice by getting a handy localized vulnerability lookup tool at no extra cost. We hope this proves useful to others.  Enjoy!

Dashboard Code

  <label>Vulnerability Lookup</label>
  <description>Enter the known field below</description>
  <!-- Add time range picker -->
  <fieldset autoRun="false" submitButton="true">
    <input type="text" searchWhenChanged="true" token="qid">
      <label>Enter the QID.  ex: 90464</label>
    <input type="text" searchWhenChanged="true" token="title">
      <label>Enter the Title.  ex: *August 2017*</label>
    <input type="text" searchWhenChanged="true" token="cve">
      <label>Enter the CVE.  ex: *2017-0272*</label>
    <input type="text" searchWhenChanged="true" token="vr">
      <label>Enter the Vendor Reference (MS or KB).  ex: *08-067* or *4022747*</label>
          <query>| inputlookup qualys_kb_lookup | rename VULN_TYPE as TYPE | table  QID, SEVERITY, TYPE, TITLE, CATEGORY, PATCHABLE, CVSS_BASE, CVSS_TEMPORAL, CVE, VENDOR_REFERENCE, PUBLISHED_DATETIME | fillnull | search TITLE="$title$" QID=$qid$ CVE=$cve$ VENDOR_REFERENCE=$vr$</query>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>

No comments:

Post a Comment