QQL-Slideshow V6

The document provides an overview of the Qualys Query Language (QQL) and its training resources, including prerequisites for candidates and user roles required for accessing various features. It outlines the basic syntax and construction of queries, as well as the types of tokens and values used in QQL. Additionally, it emphasizes the importance of having sufficient vulnerability scan data and offers guidance on using the Qualys platform effectively for asset and vulnerability management.

Qualys Query Language (QQL)

qualys.com/learning

• QQL Quick Start Guide
• QQL LAB Exercises
• QQL Slideshow

The Qualys Training and Certification portal (qualys.com/learning) is your source for all Qualys
training material.

Here you will find the lab exercise document and presentation slides. You will need some type
of PDF file reader, like Adobe Acrobat, to view these files.

COURSE PREREQUISITES
• Candidates must already have a Qualys user account (provided by their
employer) with “accessible” vulnerability scan data and findings.
• Candidate accounts must have a minimum of READER level permissions and
access to the Qualys VM and GAV/CSAM modules.
• To acquire a free Qualys trial account, see the information provided in “Lab
Appendix B” of the QQL Lab Guide.

It is important for candidate accounts to already have accumulated asset and
vulnerability findings; more is better! Please ensure an adequate number of
vulnerability scans are performed and completed, to provide your queries with data.

Agenda
Qualys User Account Requirements
Introduction to QQL
Qualys Query Language
• QQL User Interface
• Basic Query Syntax & Construction
• Token Data Types
Asset Inventory & Complex Queries
• Asset Categories
• Complex & Nested Queries
• Queries for Asset Tags
Queries for Dashboard Widgets
• Use Case: Track Time to Remediation
• Use Case: Track Patch Tuesday Vulns

QUALYS USER ACCOUNT REQUIREMENTS

USER ROLES

o Moving right to left, permissions are inherited from one role to the next.
o A “Reader” is the least privileged user role, while a “Manager” role has
  unrestricted access.

This course is designed for the READER, SCANNER, UNIT MANAGER, and MANAGER
user roles. The query lab exercises in this course are not recommended for the
Auditor, Remediation User, Contact, and User Administrator roles.

Notice how the permissions in this table flow, from right to left; SCANNERS inherit all
permissions provided to READERS, and UNIT MANAGERS inherit all “default”
permissions provided to both SCANNERS and READERS.

MANAGER users are unrestricted. It’s best to keep the number of MANAGER
accounts in your Qualys subscription to a minimum. BEST PRACTICE: limit your
subscription to two MANAGER accounts; one “active” manager and one “backup”
manager. Create UNIT MANAGER accounts for all other administrative tasks.

ACCOUNT PERMISSIONS & ACCESS PRIVILEGES
QQL Lab Guide, pages 5 – 9

LAB 1: Discover Your Scope and User Roles, p. 5

5 min.

Open the QQL Lab Guide and go to LAB 1, “Discover Your Scope and User Roles,” to
determine which sections of the QQL training course you will be able to complete,
successfully.

WHAT USER ROLES DO YOU HAVE?

1. Ensure your Qualys account has READER, SCANNER, UNIT MANAGER, or
   MANAGER privileges.
2. Your account will need the “VM User” role to perform queries in the
   VULNERABILITIES section of VMDR.
3. Your account will need the “Global AssetView User” or “Global AI User” role, to
   perform queries in the INVENTORY section of GAV or CSAM.

APPLICATION MODULE ACCESS

Only a “Manager” user role (by default) has access to all application modules.

An “Alert” message will appear when attempting to access Qualys Platform
application modules where you are missing required UI access permissions.

HOST ASSET ACCESS

If you don’t see assets in your account, their assignment may still be pending, or
scans may have yet to be performed.

As long as one meets the minimum user account requirements (READER with VM UI
access) asset and vulnerability findings will appear in the VULNERABILITIES section of
VMDR.

Please ensure assets have been added to your account and vulnerability scans have
been successfully performed.

LAB APPENDIX B

Please use your company email address when requesting a Qualys trial account.

Appendix B in the QQL Lab Guide provides steps for requesting a Free Qualys Trial
Account.

INTRODUCTION TO QQL

ABOUT THE QUALYS QUERY LANGUAGE

§ Core service within the Qualys Cloud Platform; all applications provide query
  support.
§ QQL tokens represent the various data, information, artifacts, and services found
  within your Qualys account.
§ Strength in its flexibility and ability to combine multiple conditions into a single
  query.
§ BEST PRACTICE: Take time to understand the basic QQL syntax and complex query
  rules.

QQL is a core service within the Qualys Cloud Platform. QQL tokens represent the
various data, information, artifacts, and services found within your Qualys account.

COMMON QQL SCENARIOS
I need an answer to a one-time question.
Examples:
• How many assets do I have with CVE-2022-30522?
• What does the vulnerability posture look like of host 172.16.35.21?
• How do I get a quick list of database servers that are missing security patches?
Solution: Build and run queries

I want continuous updates on the assets and vulnerabilities that really matter and to identify
important security trends and know when critical security thresholds have been reached.
Examples:
• How many assets failed authentication in the last scanning cycle?
• Am I meeting my SLA to remediate high risk vulnerabilities?
• What is the ratio of critical vulnerabilities to all vulnerabilities discovered?
Solution: Construct Dashboard Widgets


Queries provide a fast way to get data and are well-suited when you’re looking for
quick answers, typically to one-time questions.

While a saved query can be used to address recurring questions, turning the saved
query into a Dashboard Widget provides a better solution. Widgets and dashboards
provide continuous visual and graphical (e.g., count, bar, table and pie chart)
representation of data and findings.

VMDR

You will find a “Custom Search” field, along with a “Quick Search” pane, in the
VULNERABILITIES section of VMDR.

Most of the Qualys Platform application modules provide search and query features
that leverage the power and flexibility of the Qualys Query Language. Queries,
widgets and dashboards can be used across multiple apps in Qualys.

The VULNERABILITIES section gives you an integrated, incremental search and browse
experience to help you find assets and vulnerabilities. Choose Vulnerability to
display vulnerability data or Asset for asset data. From there you can easily browse
the data list and explore details.

POLICY COMPLIANCE

Construct queries with “Asset” or “Control” tokens from the POSTURE section of
Policy Compliance.

QQL USER INTERFACE
QQL Lab Guide, pages 10 – 12

LAB 2: UI Search and Query Components, p. 10

5 min.


Open the QQL Lab Guide and go to LAB 2, “UI Search and Query Components,” for a
quick tour of the various QQL user interface components.

GAV & CSAM

You’ll find the Quick Search pane and Search fields in the Inventory section of
GAV/CSAM.

BASIC SYNTAX

• In its most basic form, a query consists of at least one token, along with a
targeted value.
• The value is typically separated from the token by a colon. Alternatively,
comparison operators (e.g., <, >, <=, >=, etc...) may be used.

Maximum Character Limits (including alphanumeric, special characters and spaces):
• Query Tokens: 256 characters
• Query String: 4096 characters
TOKEN & VALUE HINTS

• Leverage the convenience of the “Search” field assistant, to quickly find tokens
and their appropriate values.
• NOTE: Not all tokens provide a convenient list of values.

The “Search” field assistant, will help you find the token name ... and sometimes it
can even provide you with alternative values. If the token name you provide does not
produce a match, check the context or focus of the “Search” field (i.e., Asset,
Vulnerability, etc...)

BASIC QUERY SYNTAX & CONSTRUCTION
QQL Lab Guide, pages 13 – 14

LAB 3: QQL Search Assistant, p. 13

5 min.


Open the QQL Lab Guide and go to LAB 3, “QQL Search Assistant” and learn how to
leverage the Search Assistant to construct your queries.

Place the cursor in the “Search” field and press the “Enter” key to execute the query.

TOKEN DATA TYPES

Become familiar with the data types of the tokens you use:
§ Character, Character string
§ Integer, Integer range
§ Date, Date range
§ Boolean

Knowing the token data types will help you to build more effective queries.

CHARACTER STRING

vulnerabilities.vulnerability.title
Use quotes or backticks to specify a vulnerability title.

Show findings for Microsoft vulnerabilities (unbroken character string):
vulnerabilities.vulnerability.title:Microsoft

Show findings for Microsoft Edge (character string with blank space):
vulnerabilities.vulnerability.title:"Microsoft Edge"

Show findings for Microsoft Edge Security Updates for April 2020:
vulnerabilities.vulnerability.title:`Microsoft Edge Security Update for April 2020`

If you open the QQL help context and read the “vulnerabilities.vulnerability.title”
token’s description, you won’t find a reference to the “character string” data type.
The presence of the word “quotes” and “backticks” provides a clue that the data type
is of character string.

The “Character String” data type requires no adjustment when using a single
“unbroken” character string as the value. However, double quotes or backticks are
required, when the value contains more than one character string (separated by
blank space).

NOTE: Comparisons are performed on separate string components or elements,
when quotes are added. Backticks must contain the contents of the complete
character string and cannot be used to make partial string comparisons.
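The following Python is an added example, not Qualys code and not part of the original slides. It models the three value forms described above for the title token: an unbroken string, a double-quoted string whose components are compared separately, and a backtick string that must match the complete title. The exact matching rules (substring for a bare word, per-word presence for quoted components, equality for backticks) are assumptions drawn from the slide text, and the sample titles are constructed for the example.

```python
# Added example (not Qualys code): a model of the three character-string
# value forms for vulnerabilities.vulnerability.title described on the slide.
# Matching rules are assumptions drawn from the slide text:
#   bare word      -> case-insensitive substring of the title
#   "a b" (quotes) -> each blank-separated component compared separately
#   `a b` (ticks)  -> the complete title must match, no partial comparison
import re


def _words(text):
    """Lower-cased word components of a title (split on non-alphanumerics)."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def title_matches(value, title):
    """Return True if `title` satisfies the QQL-style `value` specification."""
    if len(value) >= 2 and value.startswith("`") and value.endswith("`"):
        # Backticks: whole-title comparison only.
        return title == value[1:-1]
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        # Quotes: every component must appear as a word in the title.
        components = value[1:-1].split()
        return all(c.lower() in _words(title) for c in components)
    # Unbroken string: a single component, matched case-insensitively.
    return value.lower() in title.lower()


def search_titles(value, titles):
    """Titles from `titles` that match `value`, preserving input order."""
    return [t for t in titles if title_matches(value, t)]


# Constructed sample titles (not real Qualys KnowledgeBase entries).
SAMPLE_TITLES = [
    "Microsoft Edge Security Update for April 2020",
    "Microsoft Edge Security Update for May 2020",
    "Microsoft Windows Security Update for April 2020",
    "Google Chrome Security Update for April 2020",
]

if __name__ == "__main__":
    for spec in ("Microsoft", '"Microsoft Edge"',
                 "`Microsoft Edge Security Update for April 2020`",
                 "`Microsoft Edge`"):
        print(spec, "->", search_titles(spec, SAMPLE_TITLES))
```

The last specification in the usage loop, a backtick value that covers only part of the title, returns nothing; that is the partial-comparison limitation the note above describes.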

INTEGER

riskScore
Use an integer value (0-1000) to help you find assets
based on a specific TruRisk score.
----------------------------------------------------------------------------
Show assets with a risk score equal to 800.
riskScore:800

Show assets with a Severe risk score (greater than 850):
riskScore > 850

Show assets with Medium or High scores:
riskScore:[500 .. 849]

Qualys True Risk Score combines the Criticality Score of a single host with a weighted
average of its combined vulnerability detections. While the Qualys Detection Score
provides a useful metric for measuring the impact of a single vulnerability, the Asset
Risk Score places the vulnerability in the context of other vulnerabilities discovered
on the same host.

INTEGER & NUMBER RANGE

Use brackets or parenthesis, depending on your intended outcome.

• Greater than 850 and less than 1000:
  (850 .. 1000)
• Greater than or equal to 850 and less than or equal to 1000:
  [850 .. 1000]
• Greater than 850 and less than or equal to 1000:
  (850 .. 1000]
• Greater than or equal to 850 and less than 1000:
  [850 .. 1000)

Legend:
  (  greater than
  )  less than
  [  greater than or equal to
  ]  less than or equal to

DATE & DATE RANGE

vulnerabilities.vulnerability.published
Use a date range or specific date to specify when vulnerabilities were published in the
KnowledgeBase.
-----------------------------------------------------------------------------------------------------------------------
Show vulnerabilities published on a specific date (yyyy-mm-dd):
vulnerabilities.vulnerability.published:2022-07-19

Show all vulnerabilities published before a specified date:
vulnerabilities.vulnerability.published < 2010-01-01

Show vulnerabilities published within calendar year 2021:
vulnerabilities.vulnerability.published:[2021-01-01 .. 2021-12-31]

Show vulnerabilities published between Jan. 1, 2022, and now:
vulnerabilities.firstFound:[2022-01-01 .. now]

Date & Date Range queries use a default “yyyy-mm-dd” format.

[Figure: timeline labelled Past and Future]

Use the reserved word “now” to perform date calculations and comparisons.

EXAMPLES:

vulnerabilities.lastfound > 2023-8-7

vulnerabilities.lastfound > now-90d

vulnerabilities.lastfound:[2023-08-07 .. 2023-11-07]

vulnerabilities.lastfound:[now-90d .. now]
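As an added example (not Qualys code and not part of the original slides), the Python below parses the range forms shown in the integer-range and date-range slides: inclusive `[a .. b]`, exclusive `(a .. b)`, mixed brackets, integer or yyyy-mm-dd endpoints, the reserved word `now`, relative dates of the form `now-<N>d`, and `+` as an open upper bound (the form the `vulnerabilities.ttr.firstFound` token uses later in this deck). The parser and the `Range` object are assumptions of this example; the sample values it selects over are constructed.

```python
# Added example (not Qualys code): a parser for QQL integer and date range
# values, plus a Range object that tests membership. Grammar accepted (from
# the slides): [a .. b], (a .. b), (a .. b], [a .. b), with endpoints that are
# integers, yyyy-mm-dd dates, "now", "now-<N>d", or "+" for an open bound.
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Union

Endpoint = Union[int, date, None]   # None means unbounded


@dataclass(frozen=True)
class Range:
    low: Endpoint
    high: Endpoint
    low_inclusive: bool    # "[" vs "("
    high_inclusive: bool   # "]" vs ")"

    def contains(self, value):
        """True if `value` lies inside the range, honouring bracket types."""
        if self.low is not None:
            if value < self.low or (value == self.low and not self.low_inclusive):
                return False
        if self.high is not None:
            if value > self.high or (value == self.high and not self.high_inclusive):
                return False
        return True


_RANGE_RE = re.compile(r"^\s*([\[(])\s*(.+?)\s*\.\.\s*(.+?)\s*([\])])\s*$")
_REL_RE = re.compile(r"^now(?:-(\d+)d)?$")


def parse_endpoint(text, today):
    """Integer, yyyy-mm-dd date, now / now-Nd (relative to `today`), or '+'."""
    text = text.strip()
    if text == "+":
        return None
    m = _REL_RE.match(text)
    if m:
        return today - timedelta(days=int(m.group(1) or 0))
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return date.fromisoformat(text)      # raises ValueError on a malformed date


def parse_range(text, today=None):
    """Parse '[a .. b]' style text into a Range; `today` anchors 'now'."""
    today = today or date.today()
    m = _RANGE_RE.match(text)
    if not m:
        raise ValueError(f"not a QQL range: {text!r}")
    open_b, lo, hi, close_b = m.groups()
    low, high = parse_endpoint(lo, today), parse_endpoint(hi, today)
    if low is not None and high is not None and type(low) is not type(high):
        raise ValueError("range endpoints must both be integers or both be dates")
    return Range(low, high, open_b == "[", close_b == "]")


def select(token_values, range_text, today=None):
    """Values (all ints or all dates) from `token_values` inside the range."""
    rng = parse_range(range_text, today)
    return [v for v in token_values if rng.contains(v)]


if __name__ == "__main__":
    # Constructed sample data: risk scores and last-found dates.
    scores = [499, 500, 849, 850, 1000]
    anchor = date(2023, 11, 7)
    found = [date(2023, 8, 8), date(2023, 8, 9), date(2023, 10, 1), anchor]
    print(select(scores, "[500 .. 849]"), select(scores, "(850 .. 1000]"))
    print(select(found, "[now-90d .. now]", today=anchor))
```

Mixing an integer endpoint with a date endpoint is rejected rather than silently compared, which is the failure a reader is most likely to hit when copying a date range onto an integer token.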

BOOLEAN

vulnerabilities.vulnerability.qualysPatchable
Use the values true | false to identify vulnerabilities that can be patched by
Qualys.
-----------------------------------------------------------------------------------------------------
Show vulnerabilities with patch available via Qualys
vulnerabilities.vulnerability.qualysPatchable: "true"

Show vulnerabilities with patch not available via Qualys
vulnerabilities.vulnerability.qualysPatchable: "false"

Boolean data types require a value of TRUE or FALSE.

ASSET INVENTORY QUERIES

NORMALIZED CATEGORIES

• It can be challenging to remember specific asset names and versions.
• Searching on “normalized” categories provides a good starting point.

When assessment scans are performed by a Qualys sensor, the raw asset data is
collected within the Qualys Platform and then categorized to make it easier for you to
find your assets.

Here in this table, we have examples of OS, hardware, and software assets discovered
by a Qualys sensor. The raw data collected may potentially contain many characters
and may be formatted in an unfamiliar way. For this reason, Qualys provides
categories that make it easier for you to search or query your assets.

ASSET CATEGORY QUERY TOKENS
OS:
operatingSystem.category1: Unix
operatingSystem.category2: Server
operatingSystem.category: Unix / Server

Hardware:
hardware.category1: Computers
hardware.category2: Server
hardware.category: Computers / Server

Software

software:(category1: Databases)
software:(category2: RDBMS)
software:(category: Databases / RDBMS)

The Qualys Query Language provides “Asset Category” tokens for you to include OS,
Hardware and Software conditions in your queries. Category2 is a subcategory of
Category1

QUERIES FOR ASSET INVENTORY
QQL Lab Guide, pages 15 – 22

LAB 4: Software, Hardware and OS Categories, p. 16

10 min.


Open the QQL Lab Guide and go to LAB 4, “Software, Hardware and OS Categories,”
to become familiar with the categories presently available in your account.

SOFTWARE TOKEN

The search assistant automatically formats “software” tokens using the nested
approach.

CSAM ASSET ENRICHMENT

Qualys CSAM provides more asset enrichment data to help you identify hardware
devices, operating systems, and software that no longer receive security patches and
support from their vendors. Qualys even provides specific “End of Support” dates so
you can query for expected and future risk.

CSAM distinguishes between commercial and open-source software and provides
dozens of Software License subcategories (e.g., Free, Licensed, Open Source, Public
Domain, Subscription, and Trial).

LIFECYCLE STAGE TOKENS
hardware.lifecycle.stage:OBS
operatingSystem.lifecycle.stage:EOL/EOS
software:(lifecycle.stage:EOL/EOS)

Hardware | OS | Software | Associated Risk
Generally Available (GA) | Generally Available (GA) | Generally Available (GA) | Low – Product updates and security patches are readily available.
End-of-Sale (EOS) | End-of-Life (EOL) | End-of-Life (EOL) | Elevated – While product enhancements and updates have ended, security patches may still be provided.
Obsolete (OBS) | End-of-Service (EOL/EOS) | End-of-Service (EOL/EOS) | High – Product features and updates as well as security patches have ended.

Lifecycle Stage tokens in CSAM provide the current state of hardware, OS, and
software assets.

Build queries to evaluate the present or current Lifecycle Stage of your assets using
the “lifecycle.stage” query tokens. Queries can potentially identify assets in your
account that are at greater risk, because they are no longer receiving patches or
security updates.

SOFTWARE LICENSE CATEGORY & SUBCATEGORY TOKENS
• Commercial – Supported by vendor.

• Open Source – Free for public use.

• Trial – Limited time or use.

Qualys CyberSecurity Asset Management distinguishes between commercial and
open-source software and provides dozens of Software License subcategories such as
Freeware, Public Domain, Trial, Subscription and Licensed.

CSAM SOFTWARE & OPEN PORT RULES

• AUTHORIZED SOFTWARE
• UNAUTHORIZED SOFTWARE
• UNAUTHORIZED PORTS

• Create rules in Qualys CSAM to identify required software, unauthorized
  software, and unauthorized ports.
• Leverage the ‘openPorts:’ and ‘software:’ tokens in searches and queries.

Use these additional tokens to quickly locate instances of unauthorized software,
software that needs to be reviewed, and unauthorized host services ports.

COMBINE MULTIPLE ASSET CONDITIONS
§ software:(category2:RDBMS)
§ operatingSystem.category2:Server
§ software:(lifecycle.stage:EOL/EOS)
§ hardware.lifecycle.stage:OBS
§ operatingSystem.lifecycle.stage:EOL/EOS
§ asset.hasMissingSoftware:true
§ openPorts:(authorization:Unauthorized)
§ software:(authorization:Unauthorized)
§ not software:(license.subcategory:Licensed)

The enhanced data and advanced features provided by Qualys CSAM provide you
with dozens of additional asset conditions including conditions that identify potential
security gaps. Any number of these conditions can be combined to create a complex
query; one that may require nesting.

You’ll need to understand complex query rules and syntax, before you can
successfully combine multiple conditions into a single query.

COMPLEX QUERIES

Connect query tokens and conditions using logical (Boolean) operators:
1. NOT *
2. AND *
3. OR *

<condition_1> OR <condition_2> AND NOT <condition_3>

Queries are evaluated from left to right with special precedence given to
specific Boolean operators.

* Operators are listed in order of precedence. Parenthesis can be used to override the normal order.

Complex queries combine two or more tokens or conditions. Queries are evaluated
from left to right, with special precedence given to any Boolean operators.

Parenthesis can be used to override the default order of precedence.

Maximum Character Limits (including alphanumeric, special characters and spaces):
Query Tokens: 256 characters, Query String: 4096 characters

NESTED “SHORTCUT” APPROACH
Two or more tokens from the same hierarchy can use a “shortcut” naming
convention, when added to the same query. This technique is required for
’software’ tokens.
software:(license.category:"Open Source") and
software:(lifecycle.stage:EOL/EOS) and
software:(category1:Databases)

1. Combine or consolidate the common token attributes.
2. Nest the remaining unique elements (along with their appropriate values) within a set of
   parenthesis.
3. Common attributes are separated from the unique attributes by a colon.

RESULT:
software:(license.category:`Open Source` and
lifecycle.stage:EOL/EOS and category1:Databases)

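The Python below is an added example, not Qualys code and not part of the original slides. It implements the two rules from the COMPLEX QUERIES and NESTED “SHORTCUT” slides in one small evaluator: NOT binds tighter than AND, which binds tighter than OR, parentheses override that order, and a nested `token:(sub-query)` applies the sub-query to one element of a list-valued field at a time. The grammar, the record layout and the sample inventory are assumptions constructed for this example; it does not reproduce how the Qualys backend evaluates queries.

```python
# Added example (not Qualys code): a recursive-descent parser and evaluator
# for the Boolean-operator and nested-token rules described on the slides.
# Records, field names and values below are constructed for the example.
import re

_TOKEN_RE = re.compile(r'\(|\)|:|"[^"]*"|`[^`]*`|[^\s():"`]+')


class Parser:
    """expr := term (OR term)*; term := factor (AND factor)*;
    factor := NOT factor | '(' expr ')' | token ':' (value | '(' expr ')')"""

    def __init__(self, query):
        self.toks = _TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expect(self, tok):
        if self.take() != tok:
            raise ValueError(f"expected {tok!r}")

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while (self.peek() or "").lower() == "or":        # OR: lowest precedence
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while (self.peek() or "").lower() == "and":       # AND binds tighter than OR
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.peek()
        if tok is not None and tok.lower() == "not":       # NOT binds tightest
            self.take()
            return ("not", self.factor())
        if tok == "(":                                     # parentheses override precedence
            self.take()
            node = self.expr()
            self.expect(")")
            return node
        name = self.take()
        self.expect(":")
        if self.peek() == "(":                             # nested "shortcut" form
            self.take()
            sub = self.expr()
            self.expect(")")
            return ("nested", name, sub)
        value = self.take()
        if value is None:
            raise ValueError(f"missing value for {name!r}")
        return ("eq", name, value.strip('"`'))


def evaluate(node, record):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "not":
        return not evaluate(node[1], record)
    if kind == "nested":
        # The sub-query must hold for at least one element of the list field.
        return any(evaluate(node[2], item) for item in record.get(node[1], []))
    return str(record.get(node[1], "")).lower() == node[2].lower()


def run_query(query, records):
    """Names of the records matched by `query`, in input order."""
    ast = Parser(query).parse()
    return [r["name"] for r in records if evaluate(ast, r)]


# Constructed sample inventory; keys mirror the token names on the slides.
ASSETS = [
    {"name": "db01", "operatingSystem.category2": "Server", "software": [
        {"category1": "Databases", "license.category": "Open Source", "lifecycle.stage": "EOL/EOS"}]},
    {"name": "db02", "operatingSystem.category2": "Server", "software": [
        {"category1": "Databases", "license.category": "Commercial", "lifecycle.stage": "GA"},
        {"category1": "Utilities", "license.category": "Open Source", "lifecycle.stage": "EOL/EOS"}]},
    {"name": "ws01", "operatingSystem.category2": "Workstation", "software": [
        {"category1": "Browsers", "license.category": "Open Source", "lifecycle.stage": "GA"}]},
    {"name": "ws02", "operatingSystem.category2": "Workstation", "software": [
        {"category1": "Databases", "license.category": "Open Source", "lifecycle.stage": "GA"}]},
]

if __name__ == "__main__":
    c1, c2 = "operatingSystem.category2:Workstation", "operatingSystem.category2:Server"
    c3 = "software:(category1:Databases)"
    print(run_query(f"{c1} or {c2} and not {c3}", ASSETS))     # c1 OR (c2 AND NOT c3)
    print(run_query(f"({c1} or {c2}) and not {c3}", ASSETS))   # parentheses change the result
    print(run_query('software:(license.category:"Open Source" and '
                    'lifecycle.stage:EOL/EOS and category1:Databases)', ASSETS))
```

The first two queries differ only by parentheses and return different asset lists, which is the precedence point of the slide. The consolidated software query returns only db01: the sub-query is evaluated per software entry, so all three conditions must hold for one and the same software record, and db02 (which has an open-source EOL utility and a separate commercial database) is not matched.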
QUERIES FOR ASSET INVENTORY
QQL Lab Exercise Document, pages 15 – 22

LAB 5: Complex Asset Queries, p. 20

10 min.


Open the QQL Lab Guide and go to LAB 5, “Complex Asset Queries” and learn to
model potential security gaps by combining multiple conditions together into a single,
complex query.

Accurately label assets in your inventory and adjust when asset characteristics
change, automatically.

Accurately assign criticality scores to assets and adjust when asset characteristics
change, automatically.

Asset Tag rule engines that support QQL, allow you to construct queries that target
multiple risk factors, simultaneously.

Create more specific Asset Tag rules with QQL.

ASSET TAG RULE ENGINES

• Rule engines that support QQL are ideal for building tags with multiple conditions.
• All Asset Tag types provide the option to enable/configure an Asset Criticality Score.

The ability to target multiple conditions, makes Asset Tags that support QQL, ideal for
accurately labeling host assets, as well as assigning criticality scores to assets.

Asset Tag rule engines that support QQL include:
• Business Information
• Asset Inventory
• Cloud Asset Search

ASSET INVENTORY RULE ENGINE

Use the “Asset Inventory” rule engine to combine Hardware, OS, and Software
categories with conditions that reflect asset security gaps.
§ software:(category2:RDBMS)
§ software:(lifecycle.stage:EOL/EOS)
§ operatingSystem.category2:Server
§ operatingSystem.lifecycle.stage:EOL/EOS

The “Asset Inventory” rule engine supports QQL along with hardware, OS, and
software “category” tokens, as well as many of the tokens seen earlier that highlight
asset security gaps.

SPECIFY ASSET CONDITIONS

Leverage the power and flexibility of the “Asset Inventory” rule engine and QQL to
precisely define targeted asset conditions.
hardware.category2:Server or operatingSystem.category2:Server

Using QQL, any number of asset conditions can be combined to accurately identify
and label host assets.

In this example both hardware.category2 and operatingSystem.category2 tokens are
used to target “server-based” assets. Keep in mind that your own conditions for
defining servers may be different.

QUALYS TRURISK

• Once the query conditions are properly defined, adjust the Asset Criticality
Score (ACS) accordingly.

Once your appropriate “server” conditions are defined using QQL, the appropriate
Asset Criticality Score can be configured for the very same host assets.

ADJUST ACS FOR RISK FACTORS

[Figure: two “ACS =” score examples]

Extending the example of the “server-based” assets, you could add more conditions
to the original query that identify specific security gaps that potentially raise an
asset's criticality score.

BEST PRACTICE
• Leverage Asset Tags and rule engines
that support QQL, to accurately label and
assign criticality scores to assets in your
inventory.
• Dynamic tags automatically adjust to
changes in asset settings and conditions.

USE CASE: TRACK TIME TO REMEDIATION (TTR)

vulnerabilities.ttr.firstFound

Provide a value (in number of days) to list vulnerability findings based on their
time to remediation*. The token only accepts range values.
------------------------------------------------------------------------------------------------------
Show vulnerability findings remediated within three days:
vulnerabilities.ttr.firstFound:[0 .. 3]

Show vulnerability findings that were remediated after one year:
vulnerabilities.ttr.firstFound:[366 .. +]

* The time to remediation is calculated based on the date a vulnerability is “first found” or detected.

The ‘vulnerabilities.ttr.firstFound’ token returns the number of remediated
vulnerabilities, when provided with a targeted number of days.

The number of days value must be formatted as a number range; it will not accept a
single integer value.

Total time to remediation is calculated using the “first found” date for each detected
vulnerability.

MEAN TIME TO REMEDIATION

Mean Time to Remediation is part of the “Average” function in a “Numerical” widget.

The “Mean Time to Remediation” widget is designed to calculate the average amount
of time it takes to remediate targeted vulnerabilities.

Like the others it uses the “Numerical” widget type, but instead of the count or ratio
function, it uses the Average function (along with the Time to Remediation option);
producing the Mean Time To Remediation widget.

TIME TO REMEDIATION WIDGETS

Construct TTR widgets using the “Numerical” widget type.

Use any of the “Time to Remediation” widgets within new or existing dashboards.

TRACKING TIME TO REMEDIATION
QQL Lab Exercise Document, pages 23 – 33

LAB 6: Time to Remediation Widgets, p. 23

10 min.


Open the QQL Lab Guide and go to LAB 6, “Time to Remediation Widgets” and
leverage the “Numerical” widget type to build different kinds of “Time to
Remediation” widgets.
1. Numerical Widget w/ Trending
2. Numerical Widget w/ Ratio
3. Numerical Widget w/ MTTR (avg.)

TIME TO REMEDIATION DASHBOARD


Combine TTR widgets together in a “Time to Remediation” dashboard.

CHALLENGE
Many IT teams don’t have the tools to detect vulnerabilities, and many Cybersecurity
teams don’t have the tools to fix vulnerabilities.
How can you reduce your Mean Time to Remediation (MTTR)?

While “Time to Remediation” Dashboards and Widgets provide an effective way to
monitor and measure patching and remediation performance, many organizations
still struggle with the gap between Security (that has the tools to find vulnerabilities)
and IT (that has the tools to patch vulnerabilities). Too many steps between Security
and IT allow attackers to weaponize vulnerabilities 2x faster than the time it takes to
patch them.

Vulnerability detections that lack business context do not accurately reflect the value
or criticality of their associated assets, making it difficult to prioritize vulns for the
most critical hosts.

VMDR FOR SERVICENOW ITSM

• Integrated (closed-loop) ticketing solution between Qualys and ServiceNow, to
  automate vulnerability management.
• Imported Qualys vulnerability findings will reveal NEW as well as FIXED
  vulnerabilities.
• Vulnerability findings are assigned to their appropriate owner, automatically.
• ServiceNow tickets can be closed automatically for vulnerabilities with a FIXED
  status.
• ITSM is included with VMDR.


Information Technology Service Management (ITSM) is a set of workflows and tools
for optimally developing, delivering and managing IT services. ITSM is used to handle
incidents, service requests, problems and changes; typically linked through an ITSM
platform such as ServiceNow.

Qualys provides VMDR for ServiceNow, to reduce orchestration between Security and
IT teams and reduce your Mean Time to Remediation. This is accomplished through a
“closed-loop” ticketing solution between Qualys and ServiceNow.

Both New and Fixed vulnerability findings are imported from Qualys into ServiceNow,
where they are then assigned to their appropriate owner.

ServiceNow tickets can be automatically closed, when Fixed vulnerability findings are
imported from Qualys.

This ITSM integration is included with your Qualys VMDR license.

There are 2 Qualys apps at the ServiceNow Online Store needed for ITSM:
• Qualys Core
• Qualys VMDR

BEST PRACTICE

VMDR for ITSM improves orchestration between IT and Security teams and reduces
Mean Time to Remediation.

USE CASE: TRACK PATCH TUESDAY VULNS


You’ll find the Patch Tuesday Unified Dashboard on the Qualys Community:
https://success.qualys.com/discussions/s/article/000007482

DOWNLOAD DASHBOARD JSON FILE

You’ll find the Patch Tuesday Dashboard JSON files near the bottom of the page.


Keep scrolling until you reach the dashboard file attachments near the bottom of the
page.

January widgets are already populated with the January query string.

MONTHLY WIDGETS

January widgets already contain the January query string, but successive monthly
widgets contain a default query.

After downloading and importing the Patch Tuesday dashboard, you’ll discover that
most of the widgets are not yet displaying data.

Initially, the widgets in this dashboard contain a default query:
vulnerabilities.vulnerability:(qid:'0'), one with a vulnerability QID number of zero,
which presently does not exist, hence the “No Data Available” message.


You can acquire the Patch Tuesday queries each month, from the “Patch Tuesday
Dashboard” community page.

A query complete with token name and values is provided on top. Only the list of
token values are provided on the bottom.

MONITOR PATCH TUESDAY VULNS
QQL Lab Exercise Document, pages 34 – 40

LAB 7: Patch Tuesday Community Dashboard, p. 34

10 min.


Open the QQL Lab Guide and go to LAB 7, “Import and Update the Patch
Tuesday Dashboard,” to track and monitor “Patch Tuesday” vulnerabilities.

Thank You
[email protected]

Send your training questions to the Qualys Training Team.
