CSAM-Slides V4

This training covers Qualys CyberSecurity Asset Management (CSAM). CSAM helps organizations discover, organize, prioritize and manage their asset inventory across complex hybrid environments. It addresses challenges such as identifying all assets, monitoring security health, and managing security policies. The training will cover using CSAM in a three stage workflow: discovery and inventory of assets, detecting and monitoring security gaps, and reporting and responding to issues.

CyberSecurity Asset Management

Welcome to this training on Qualys CyberSecurity Asset Management. In this course,
you will learn about the Qualys CyberSecurity Asset Management application and
apply its use cases to discover, organize, prioritize and manage your asset inventory.
Training Documents

• Presentation Slideshow
• LAB Tutorial Supplement

https://qualys.com/learning

2 Qualys, Inc. Corporate Presentation

To follow along, you’ll need our training documents. There are 2 documents. You’ll
get the slide deck in PDF form, which includes all the slide notes. The lab tutorial
supplement is used to participate in the lab breaks today. It includes links to all the lab
activities.

Both documents are available for download from the Qualys Training & Certification
Portal: https://qualys.com/learning
Playing the Lab Tutorials


The lab tutorials are run within the browser and do not require a live Qualys
environment.

• When you click the link to open a lab tutorial, it will open up in your default Web
browser.
• When the lab tutorial opens, click the icon in the upper-right corner to maximize
your screen size. You can also change the language in the upper-right corner.
• When you’re ready to play the tutorial, click the start button.

If you would like a live Qualys environment for further experimentation, you can
request a 30-day trial account using this link: https://qualys.com/free-trial

Agenda
• Introduction to CyberSecurity Asset Management (CSAM)
• Stage 1: Discover and Inventory Assets
  • Qualys Sensor Overview – Lab
  • Network Passive Sensor – Lab
  • External Attack Surface Monitoring (EASM) – Lab
  • ServiceNow CMDB Integration – Lab
  • Normalization, Categorization, and Enrichment – Lab
  • Organize & Label Assets – Lab
• Stage 2: Detect and Monitor Security Gaps
  • Asset Criticality & Risk – Lab
  • Product Lifecycle Management – Lab
  • Software Authorization Rules – Lab
• Stage 3: Report and Respond
  • Visualize Data Using Dashboards – Lab
  • Reports – Lab
  • Rule-Based Alerts – Lab

This is the agenda for the course. CSAM will be covered in a 3-stage workflow.

We’ll begin by identifying Qualys sensors that CSAM uses to gather data (including
authenticated IP scanning and Cloud Agents). Passive sensors and External Attack
Surface Management (EASM) are used for discovering and mapping your internal and
external attack surface. CSAM includes ServiceNow CMDB integration and data
enrichment to provide vital context to understand your IT infrastructure. To complete
the discussion of stage 1, we will look at organizing assets with Asset Groups and
setting up rule-based Asset Tags.

In stage 2, we discuss the Asset Criticality Score, TruRisk, lifecycle enrichment of
inventory data, and how to create software authorization rules.

In stage 3, we will look at dashboarding, custom reports, and configuring rule-based
alerting.
This section provides an overview of the CyberSecurity Asset Management solution
and its use cases.
Inventory Challenges

• Identifying and discovering all assets across complex, hybrid environments
• Going beyond inventory to monitor security health and identify security tool blind spots
• Managing security asset policies based on the role & importance of the assets
• Automatically identify at-risk assets and software

(Slide diagram: on-premises and cloud environments, including networks, VMs, databases,
bare metal, storage, mobile workforce, workstations, and OT/IoT devices.)

We are going to start with the problem modern IT teams have.

You cannot secure what you do not know. The problem is that visibility today is much
more complicated than visibility even 20 years ago. You used to be able to run a
network mapping tool, find everything in your network, and then start securing it. IT
inventories provide visibility but omit key security risk context.

Today, you have so many more (and different) environments to manage. You may
have a Cloud environment. Does the security team manage that? Or is it IT? Or
maybe you have a Cloud team. Then you have on-premise workstations. That’s IT. You
might also have a mobile workforce and Operations technology (OT), Internet of
things, Industrial internet of things (IIoT), etc. How can you see those assets and
secure them?

Complex, hybrid, constantly changing IT ecosystems make it difficult to identify and
manage security risks & asset health. Risks are increasing as bad actors become
more sophisticated and numerous.
CIS Control 1: Inventory and Control
of Enterprise Assets

https://www.cisecurity.org/controls/inventory-and-control-of-enterprise-assets/

CIS Control number one calls for the inventory, tracking, and remediation of all
enterprise assets. This includes end-user devices, portable & mobile devices,
network devices, non-computing/Internet of Things (IoT) devices, and servers. These
devices can be connected to your infrastructure physically, virtually, remotely, and
within cloud environments. Unauthorized and unmanaged assets should be
identified and then properly removed or remediated.

Assets missing required agents (like policy and security software) need to be
identified and remediated also.

Detect Risks and Establish Health with In-Context Data
• Authorized & Unauthorized Software vs. Asset Criticality
• Assess risk of external-facing assets
• End-of-Support software and hardware for critical assets
• Alert and respond to security risks

Understanding the gaps in a network is very difficult.

First, you start with Assets. Simply having an inventory. How many devices are in your
network? How hard is it to get a picture of your managed and unmanaged devices? If
you can get a number of those assets, what do you know about those assets
(context)? What type of hardware and software do you have deployed? What kind of
network traffic flow do you have?

After you know about your devices, which ones are you actively scanning? Or do you
have a Cloud Agent deployed? How close are those unmanaged devices to your
vulnerable devices? Do you have vulnerable software deployed or out-of-date
software?

Are you controlling approved software at all? How much of your software is
end-of-life or end-of-support?
Get More Security w/ CyberSecurity Asset Management

1. Build a comprehensive inventory to identify managed & unmanaged assets
2. Sync with CMDB
3. Detect at-risk assets & applications with in-context enrichment data
4. Alert, report & respond to identified security risks

(Slide diagram: Qualys Cloud Platform services – Authentication, Authorization,
Subscription, Indexing, Data Sync, Tagging, Logging, Monitoring, Config Mgmt.,
Service Registry, CI/CD, Docker/Kubernetes. Built on the Qualys Cloud Platform.)

CSAM adds solutions to address this lead-in discussion:

1. Lifecycle enrichment
2. Authorized/Unauthorized software rules applied to your asset inventory
3. Required software
4. Business context from CMDB
5. Detection of your assets appearing on the Internet (EASM)
6. Alerting and Reporting features
Qualys Asset Management Options

Qualys Asset Management (formerly known as Global IT Asset Inventory) capabilities
are now available in two versions:

• Global AssetView (GAV)
Provides foundational inventory-gathering capabilities for all assets in your hybrid IT
environment, from on-premises servers and PCs to Cloud instances, containers,
Enterprise IoT, and OT environments.

• CyberSecurity Asset Management (CSAM)
Delivers additional capabilities on top of GAV to provide users with
cybersecurity-related content, such as product lifecycle information, EASM, the
ability to define authorized and unauthorized software, and integration with
ServiceNow CMDB, among others.

Qualys CyberSecurity Asset Management (formerly known as Global IT Asset
Inventory) capabilities are available in two versions:
- Global AssetView (GAV)
- CyberSecurity Asset Management (CSAM)

GAV (which is free) lets you:
- Obtain asset inventory across hybrid environments
- View normalized and categorized hardware and software inventory information
- Add custom tagging to organize your assets and rank their criticality automatically
- Create and view customizable dashboards and widgets
- Search any asset in seconds

On top of GAV, upgrading to CSAM will also include the following:
- Enriched asset data – hardware & software lifecycles, license categories, and more
- Bi-directional synchronization of asset data with your ServiceNow CMDB
- Ability to define and manage authorized and unauthorized software in your
organization
- Customizable reporting to meet internal and external needs (e.g., standards
compliance reporting)
- Alerting via email, Slack, or PagerDuty to inform you about assets requiring
attention
- External Attack Surface Management
Feature Comparison
KEY FEATURES (slide columns: GAV (free) | CSAM; rows marked "x" carry an x in the comparison columns on the slide)

Get complete visibility into your environment
  • Discover and inventory all your assets
  • View categorized and normalized hardware and software information
Standardize your inventory
  • Define criticality and find related assets
  • Add business context through dynamic tagging
Find and upgrade unsupported software and hardware
  • Know product lifecycle and support information – x
Eliminate unauthorized software from your environment
  • Quickly identify non-compliant assets – x
Be informed about assets requiring attention
  • Receive notifications to review and define actions – x
Inform stakeholders about health of your assets
  • Create custom reports – x
Easily keep your CMDB up to date
  • Enable 2-way integration to sync with ServiceNow CMDB – x

The table in the slide provides a high-level feature comparison between Global
AssetView (GAV) and CyberSecurity Asset Management (CSAM). It is not meant to be
an exhaustive list; you can speak to an account manager for more details on what
CSAM includes over GAV.

GAV is free with any number of agents & passive scanners to give you baseline
visibility of your asset inventory.

CSAM adds context for security-centric visibility with the detection of security gaps,
External Attack Surface Management, CMDB integration, alerting, and response.

This is the first major section of the agenda covering the discovery and inventory of
assets within CSAM.
Discover and Inventory Assets

• Asset Inventory Data Collection
  • Deploy Sensors
  • Configure CMDB Sync (if using CMDB solution)
  • External Attack Surface Management
• Normalization, Categorization & Enrichment (performed automatically in
the Qualys Cloud Platform)
• Organize and Manage Assets (configure Asset Tags)

(Slide diagram: the three CyberSecurity Asset Management stages shown as a cycle,
starting at stage 1.)

The functionality available in CyberSecurity Asset Management (CSAM) can be
divided into three (3) sets of capabilities:
• Discover and Inventory
• Detect and Monitor
• Report and Respond

Discover and Inventory

Qualys Asset Management begins (step 1) by identifying and managing assets
throughout your enterprise architecture. Qualys has various sensor types that collect
data for you.

Qualys Global AssetView (GAV) / CyberSecurity Asset Management (CSAM) works
with hybrid sensors to continuously discover and dynamically monitor all IT assets
across your hybrid environment. GAV/CSAM uses the data provided by these sensors
and then normalizes and categorizes it into standardized names and structures.

CSAM adds the business context from CMDB sync and External Attack Surface
Management.

Asset Groups and Asset Tags help you to organize and manage assets. Asset Groups
are configured within VMDR. Refer to the VMDR self-paced training for the use cases
and how to configure Asset Groups.
This section provides a brief overview of the various Qualys sensors that collect data
from your hybrid IT environment.
Qualys Sensor Platform


The Qualys Platform provides different types of sensors to help you inventory, track,
and even correct enterprise assets. Depending on the function and environment they
serve, Qualys sensors come in many different forms:

• Qualys scanners are available as physical and virtual appliances. Remote Scanners
are Internet-facing and ideal for scanning other Internet-facing assets around the
globe. Local Scanners are deployed on local area networks and are commonly
used to scan assets within reserved or private IP address ranges. These local
scanners can be deployed as physical or virtual appliances.
• There is an EASM Discovery Sensor for External Attack Surface Monitoring which
pulls data from Shodan, Qualys catalog, and other sources. It is separate from the
Remote Scanner.
• Qualys Cloud Agents run as a local process on the host they protect. Qualys agents
support a wide variety of OS platforms. Agents play a special role in VMDR, by
providing the patching and response functions.
• Qualys Passive Sensors can be deployed as physical or virtual appliances. Working
with TAPs and Switches throughout your network, passive sensors sniff mirrored
network traffic and send the extracted metadata to the Qualys platform for
processing. Passive Sensor will help you to identify unmanaged assets throughout
your network architecture.
• Cloud and SaaS Connectors work with the native services of your cloud and SaaS
providers to identify misconfigurations and security blind spots. Cloud Connectors
can be created for your AWS, Google Cloud, and Microsoft Azure accounts. SaaS
Connectors are available for O365, Google Workspace, Zoom, and Salesforce.
• Qualys Container Sensor downloads as a Docker image and is installed on a Docker
host as a container application, right alongside other container applications. Once
installed, Container Sensor will assess all new and existing Docker images and
containers for vulnerabilities. Presently, there are 3 different types of Container
Sensors. A General Sensor scans images and containers on a single docker host. A
Registry Sensor scans images in public and private Docker registries. A CI/CD
Pipeline Sensor (also referred to as a "Build" sensor), scans images within your
DevOps CI/CD pipeline projects, allowing you to identify and correct vulnerable
images, during the build process.
• Out-of-band sensors help to secure devices on air-gapped networks.
• And finally (during our discussion of CyberSecurity Asset Management) we’ll
examine the prospect of using the Qualys API to share data between the Qualys
Platform and the ServiceNow CMDB.

All these sensors come together, into one comprehensive framework to help you stay
on top of today’s challenging Hybrid IT Environments.

Detect: Comprehensive Inventory

Data sources (Qualys Sensors): Cloud Agent, Physical Scanner, Virtual Scanner,
Cloud Scanner, Passive Sensor, API

Inventory Catalog on the Qualys Cloud Platform (QCP) – Categorize, Normalize,
Enrich: OS/HW/SW, Mfg./owner/product, Market version, EoL/EoS, License type,
Category

Qualys GAV / CSAM aggregate data from all sensors

The Qualys Sensors are all populating the platform with your inventory, vulnerability,
threat, compliance, cloud, and web app data. This gives you your data in one place.

Whenever you are going to build a report, query data, or build a dashboard, you are
using data that has populated into the platform from your sensors. API data that the
Platform obtains includes data from Cloud APIs and CMDB Sync connectors. API
connectors to CMDB also bring in business context and relate IDs to CMDB for
efficient ticketing efforts.

GAV / CSAM aggregate and correlate the data gathered by all Qualys sensors giving
you a comprehensive, detailed inventory of all your hardware and software, as well as
a multi-dimensional view of your global, hybrid IT environment.

LAB

Getting Started CSAM

Please consult pages 3-12 in the Lab Tutorial Supplement for instructions to perform
this lab activity.

5 min.
Tutorial begins on page 12

Page 12 is where the red play arrow is located. Be sure to read through the lab pdf
content. It will give the full context of what the tutorial is trying to show, as well as
prepare you for the certificate exam at the end of the course.

Steps:
1. GAV and CSAM links from the application picker
2. Navigation around the CSAM Getting Started page
3. Viewing the CSAM Inventory section
4. Show the search bar and faceted search filtering
5. Show how to open the Online Help
6. Show the Group Assets by
7. Assets and Software viewing
8. Group Software by

This section introduces the Passive Sensor and its role in mapping your internal attack
surface.
Passive Sensor Use Cases

• Continuously discover and profile network-connected devices
• Continuously enrich existing inventory details in real time
• Monitor your internal attack surface by discovering new unmanaged
devices
• Eliminate blind spots
• Flexible deployment in either physical or virtual appliances
• Traffic analysis
• See conversations between managed and unmanaged devices


Because of the unique way the Qualys Passive Sensor collects data (listening or
promiscuous mode), it brings two very important capabilities to GAV/CSAM:
1. Discovery of unmanaged assets
2. Network Traffic Analysis (CSAM only)

The passive sensor helps you eliminate blind spots in your network where you don’t
know what is connecting to your infrastructure.

Qualys Passive Sensor connects to the SPAN port of a switch deployed at layer 2 (e.g.,
distribution layer) for best results. Essentially, it is a traffic sniffer that monitors the
mirrored traffic from the switch in real time.
It discovers assets the moment they connect to the network and start
communicating. It extracts metadata from the network traffic to identify assets, their
attributes and the traffic flows. It then posts this metadata periodically to the Qualys
Cloud Platform.

Note: Passive Sensor does not send full traffic packets to the Cloud unless a specified
sample is initiated by the user for troubleshooting purposes.

New assets are reported within 5-10 minutes. As more information is discovered it is
aggregated across all assets and sent every 15 minutes. Asset information is then
visible through Qualys CSAM.

• New assets (not seen before in the Subscription) are flagged as unmanaged assets.
• Existing managed assets (e.g., already scanned or with cloud agent) are enriched.

Additionally, when the subscription is enabled for traffic analysis, summarized traffic
information is sent to the Qualys Cloud Platform every 30 minutes for traffic analysis
use cases.

Passive Sensor comes in a virtual and hardware appliance.

The Getting Started Guide can be found here:
https://www.qualys.com/docs/qualys-network-passive-sensor-getting-started-guide.pdf
Passive Sensor Deployment

The Passive Sensor is available as a physical and a virtual appliance.

The physical appliance is available in the following configurations:

• 1 Gbps aggregate throughput, up to 5,000 active assets
• 4 Gbps aggregate throughput, up to 10,000 active assets
• 10 Gbps aggregate throughput, up to 20,000 active assets

For more information on installing the passive sensor physical appliance, refer to the
PS User Guide:
https://www.qualys.com/docs/qualys-network-passive-sensor-appliance-user-
guide.pdf

The virtual appliance is available for Microsoft Hyper-V and VMware platforms and
offers the flexibility to scale up/down throughput based on virtual machine
configuration.

For more information on installing the passive sensor virtual appliance, refer to the PS
User Guide:
https://www.qualys.com/docs/qualys-network-passive-sensor-virtual-appliance-user-
guide.pdf

PS appliances can be implemented in different parts of your environment based on
your needs and the characteristics of your network. They support mirrored traffic
using Local SPAN, RSPAN, and ERSPAN methods and can be placed at the Distribution
layer (better accuracy and visibility) or the Core layer (better coverage).

Qualys recommends involving your network team to determine the best fit for the
appliance placement in your network.

For more information on placing the sensor in your network topology, refer to the PS
Deployment Guide:
https://www.qualys.com/docs/qualys-network-passive-sensor-deployment-guide.pdf

Managed and Unmanaged Viewing

The Passive sensor sends your data to the platform based on what is detected.

The first thing that happens is that data for the detected device is checked against the
existing list of managed assets. If the data is for a managed asset, then the data will
be merged with the scanned/agent data for the managed host asset.

If we don’t see the asset, you will see the new asset under your unmanaged asset list.

We know the IP address for everything.

At some point, we will discover the MAC address for the IP address and eventually the
hostname. The profile of the asset is built up using metadata from the network
stream.

One asset might have multiple interfaces.

IP + MAC, or IP + Hostname will allow us to merge this data with a managed asset.

If we don't see something that matches that, we list it as an unmanaged asset.
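The IP + MAC / IP + hostname merge rule described above, as an added Python example that is not Qualys code: it correlates a few constructed passive-sensor observations against a small constructed managed inventory, enriches the assets that match, and lists everything else as unmanaged, including the DHCP case where the IP matches a managed interface but the MAC does not. All asset data, field names and helper names are constructed for the example.

```python
"""Toy correlation of passive-sensor observations with a managed inventory.

Added example (not Qualys code). It follows the merge rule from the slide
notes: an observation joins a managed asset only on IP+MAC or IP+hostname;
an IP match on its own is never enough, so the rest is listed as unmanaged.
"""
import copy
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    ip: str
    mac: Optional[str] = None
    hostname: Optional[str] = None


@dataclass
class ManagedAsset:
    asset_id: str
    interfaces: list  # list[Interface]; one asset may have several interfaces
    # Attributes learned from passive-sensor metadata are merged in here.
    enrichment: dict = field(default_factory=dict)


@dataclass
class Observation:
    ip: str
    mac: Optional[str] = None
    hostname: Optional[str] = None
    attributes: dict = field(default_factory=dict)


def _norm_mac(mac):
    # Sensors and inventories often disagree on MAC formatting; compare canonically.
    return mac.lower().replace("-", ":") if mac else None


def _norm_host(host):
    return host.lower() if host else None


def match_managed(obs, managed):
    """Return the managed asset with an interface matching on IP+MAC or IP+hostname."""
    for asset in managed:
        for iface in asset.interfaces:
            if iface.ip != obs.ip:
                continue  # IP alone is never a match (DHCP reuse, NAT)
            if obs.mac and _norm_mac(iface.mac) == _norm_mac(obs.mac):
                return asset
            if obs.hostname and _norm_host(iface.hostname) == _norm_host(obs.hostname):
                return asset
    return None


def correlate(observations, managed):
    """Merge matching observations into managed assets; return the unmanaged ones."""
    unmanaged = []
    for obs in observations:
        asset = match_managed(obs, managed)
        if asset is None:
            unmanaged.append(obs)
        else:
            asset.enrichment.update(obs.attributes)
    return unmanaged


# Constructed sample inventory (hypothetical hosts, addresses and MACs).
MANAGED = [
    ManagedAsset("srv-01", [Interface("10.0.1.10", "00:11:22:33:44:55", "srv01.corp.example")]),
    ManagedAsset("lap-07", [Interface("10.0.2.50", "aa:bb:cc:dd:ee:ff", "lap07.corp.example"),
                            Interface("192.168.0.7", "aa:bb:cc:dd:ee:f0")]),
]

# Constructed sample observations, as a passive sensor might report them.
OBSERVATIONS = [
    # IP + MAC (different formatting) -> merged into srv-01
    Observation("10.0.1.10", mac="00-11-22-33-44-55", attributes={"os": "Linux"}),
    # IP + hostname (different case) -> merged into lap-07
    Observation("10.0.2.50", hostname="LAP07.corp.example", attributes={"hw": "Laptop"}),
    # Same IP as lap-07 but a new MAC: DHCP lease reuse -> unmanaged, not merged
    Observation("10.0.2.50", mac="de:ad:be:ef:00:01", attributes={"os": "Unidentified"}),
    # IP only, nothing to correlate on -> unmanaged
    Observation("10.0.9.99"),
]


def run_sample():
    """Correlate the sample data; returns (enriched managed assets, unmanaged observations)."""
    managed = copy.deepcopy(MANAGED)
    unmanaged = correlate(OBSERVATIONS, managed)
    return managed, unmanaged


if __name__ == "__main__":
    managed, unmanaged = run_sample()
    for asset in managed:
        print(asset.asset_id, "enriched with", asset.enrichment)
    for obs in unmanaged:
        print("unmanaged:", obs.ip, obs.mac, obs.hostname)
```

The third observation is the case the note about hostname tracking is aimed at: a DHCP host that reappears with a new MAC on a known IP stays unmanaged until a MAC or hostname ties it to an inventory record.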

Note: From the VM training, it is a best practice to set up hostname tracking for the
scannable hosts in your subscription. The tracking for scannable hosts can be IP, DNS,
or NetBIOS. Scannable host assets that obtain addressing using DHCP, and dynamic
cloud resources, should be set up with hostname tracking.
Discovering Unmanaged Internal Assets

The passive sensor discovers assets when they connect to the network and start
communicating. It extracts metadata from the network traffic to identify assets, their
attributes, and the traffic flows. It then posts this metadata periodically to the Qualys
Cloud Platform.

New assets are reported within 5-10 minutes. As more information is discovered, it is
aggregated across all assets and sent every 15 minutes.

Assets not in the subscription are shown in the Unmanaged viewing of the CSAM
Inventory. Existing managed asset inventory (those scanned or have the Cloud Agent)
is enriched.

Many EASM-sourced assets will show in the Unmanaged viewing; this will be seen in
the next section.

The following QQL syntax can be used to get a list of EASM assets:
• tags.name: `EASM`
• inventory.source: `EASM`

Note: the source will change if the asset becomes a Managed asset.

Unmanaged Assets

• It is common to find unidentified or unknown values within the "Unmanaged"
assets section of CSAM
• Confidence levels are provided (LOW, MEDIUM, HIGH) for OS and hardware
findings

It is common to find unidentified assets within the "Unmanaged" assets section of
GAV/CSAM. Because some findings in the Unmanaged Assets may lack solid data,
Qualys adds confidence levels (low, medium, high) to the Operating System and
Hardware findings.

In this illustration, the highlight shows Unidentified Operating System, but it has
Hardware details displayed.

For the unmanaged asset, there is a “Feedback” button in View Asset Details –
System Information. You can use this to provide feedback to Qualys researchers to
assist in the accuracy of the operating system and hardware catalog.

Unknown vs Unidentified

operatingSystem.category1:`Unidentified`
- This means there isn’t enough discovered data for Qualys to determine the
hardware/OS/software
- Example: If you ran an unauthenticated scan, but we could not fully fingerprint the OS
- Example: Firewall that prohibits certain scan traffic from fully enumerating host

Hardware.category1:`Unknown`
- There likely is enough data for Qualys to categorize the host, but it’s not cataloged yet
- It is currently being processed against rules and Qualys lab for analysis for
categorization
- Qualys researchers review the data and add to the catalog if something is missing
- This processing happens daily across all asset data

When you see something show up in GAV / CSAM as Unidentified, it means that we
do not have enough data to determine what the Hardware/Software/OS is.

If you see something as Unknown, then it means the attributes are not in the Qualys
catalog. The Qualys Platform has enough data about the asset. This means the data
is currently being reviewed and cataloged by the Qualys research team. The process
of researchers adding to the catalog is a matter of days, and eventually, the Unknown
attribute will become more specific.

This slide also highlights the difference between AssetView (legacy) and GAV /
CSAM:
In AssetView (legacy), everything is unidentified and unknown. There is no
categorization. No license categories. No hardware, software, or OS categories.

In GAV / CSAM, we add the structure of Categorization, Normalization, and
Enrichment.
Traffic Analyzer

An important advantage to capturing network traffic comes from the bonus
information collected from network conversations (conversations between two
communicating hosts). A passive sensor not only sees the network traffic from
“managed” assets (within your account), but it also sees traffic from other host assets
and services that are attempting to communicate with your “managed” host assets
(including communications coming from unknown assets).

Traffic Analyzer shows date-wise traffic volume summary for client-to-server (CTS)
and server-to-client (STC) in tabular and graphical view.

You can use the Group By drop-down for grouping by different factors. For instance,
you can group by traffic families or services/Apps.

LAB

Passive Sensor Deployment

Please consult pages 13-17 in the Lab Tutorial Supplement for details.

5 min.
Tutorial begins on page 15

This lab will help you understand how to deploy and configure a Passive Sensor in a
virtual environment.

Steps:
1. Deploy virtual sensor from the Passive Sensor app
2. Generate personalization code
3. Download ESXi image
4. Sensor configuration and define Internal IP range
5. Deploy the OVA file for the passive sensor VM in ESXi
6. Set up VM Networks for each interface
7. Set up promiscuous mode and virtual switch
8. Set up networking on the VM console
9. Enter the personalization code on the VM console
10. Start scanning and view discoveries
11. View CSAM inventory
External Attack Surface Management (EASM)

This section introduces EASM and mapping your external attack surface.

Dynamic External Attack Surface creates blind-spots

Attack surface is more dynamic than ever.

• 20-40% of internet-facing organizations’ assets are unknown to security teams
• Many IT and security teams still depend on spreadsheets to inventory their
internet assets

Your organization’s attack surface is more dynamic than ever, and your infrastructure
configuration changes to adapt to your business needs.
• Many assets become visible on the Internet unintentionally.
• Often these are assets managed by subsidiaries, acquisitions, or other partners.

As per Forrester Report, EASM discovery is finding, on average, 30% new unknown
devices.

Qualys EASM findings with 160+ customers:
• On average discovered ~36% of previously unknown assets
• Top 3 large enterprises discovered on avg 130K+ external internet-facing assets
EASM Use Cases

• Continuously discover and profile Internet-exposed devices
• Continuously enrich existing inventory details in real-time
• Monitor your external attack surface by discovering new unmanaged
devices
• Discover domains, subdomains, and subsidiaries
• Discover open ports, certificates, and applications running on
Internet-exposed assets
• Identify potential vulnerabilities from an outside-in perspective
• EASM uses the same tools an attacker would use for doing recon
against your organization

Qualys External Attack Surface Management (EASM) gives an outside-in view of your
external-facing IT infrastructure. The tools included in CSAM allow you to
continuously monitor your organization’s external attack surface and
Internet-connected assets, track changes, and receive notifications when new assets,
unknown assets, or critical issues are found.

With EASM you can:

• Discover all your domains, subdomains, subsidiaries, and the assets associated
with them
• Discover open ports, certificates, and applications running on exposed assets
• Identify potential vulnerabilities and weaknesses on exposed assets
Contact your Qualys Technical Account Manager to activate EASM for your
subscription. On the CSAM Getting Started page, there will be a Request Now button
to activate EASM. After EASM is activated, you will be subscribed to EASM.

Tools to Manage External Attack Surface

Once EASM is activated for your subscription, you will configure a filter profile. In the
filter profile, you will provide seed values that represent the starting point of the
discovery that will be done on your external attack surface. This process will take a
few hours after the filter profile is saved.

On the CSAM Getting Started page you will have a tile that reports the managed and
unmanaged Internet-exposed assets. There is also a new dashboard that reports
EASM data.

The lab document and tutorial will discuss setting up the filter profile.

Note: The best practice for configuring the filter profile is to adjust the scope if you
see false positives or missing assets (ones available through IP/Netblock, or certificate
but not DNS). This would be done after the initial discovery of your organization. It
takes 2 hours to refresh changes if the filter profile is updated.

The enumeration checkboxes in the filter profile use the Qualys catalog and match
company names via acquisitions. The result is a larger discovery than a simple
Shodan query.

Discovering Unmanaged External Assets

Devices discovered will obtain the EASM tag. This tag has a criticality value of 3
(criticality will be discussed in a later section). You can query this tag or use the
faceted search bar to see the dataset.

The Managed view shows assets that Qualys already knows about. These are
scannable hosts or agent assets that are Internet-exposed.

The Unmanaged view shows Internet-exposed assets that Qualys does not know
about.

EASM assets may appear as managed or unmanaged. If the asset shows as managed,
Qualys was able to correlate externally discovered information to the device already
in your subscription. If the asset shows as unmanaged, then EASM could not
correlate external to internal. EASM will add only unmanaged assets, and it may
update managed asset details.

The Group Assets by External Attack Surface option helps when viewing a larger
dataset.

The Sources column shows First Found and Last Seen information.

Note: Shodan is a legacy tag, and new usage of monitoring your External Attack
Surface should reference the EASM tag.
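To make the Managed/Unmanaged split concrete, here is an added example (it is not Qualys code and not the EASM engine) that correlates constructed external findings against a constructed internal inventory. It assumes that correlation is done on IP address or hostname, that a finding counts as newly discovered when its First Found equals the latest EASM scan date, and that an exclusion list is applied before classification, standing in for the "Exclude IP from EASM Discovery" action described on the next slide. The addresses, hostnames and dates are all constructed.

```python
"""Classify EASM findings as Managed or Unmanaged and pick out new ones.

Added example; this is not Qualys code. It models the correlation step the
slides describe: an externally discovered record is Managed when it can be
matched to an asset already in the subscription, otherwise Unmanaged.
Assumptions: matching on IP address or hostname, "newly discovered" means
First Found equals the latest EASM scan date, and excluded IPs are dropped
before classification. All records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

EASM_TAG = "EASM"
EASM_TAG_CRITICALITY = 3  # criticality of the EASM tag, as stated on the slide


@dataclass
class InternalAsset:
    """An asset already in the subscription (scanner host or Cloud Agent)."""
    name: str
    ips: frozenset
    hostnames: frozenset
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    """One externally discovered record with its Sources column dates."""
    ip: str
    hostname: str
    first_found: date
    last_seen: date


def classify(findings, inventory, excluded_ips=frozenset()):
    """Split findings into managed (matched) and unmanaged (unmatched).

    Returns {"managed": [(finding, matched asset name)], "unmanaged": [finding]}.
    Matched assets receive the EASM tag; excluded IPs are skipped entirely.
    """
    by_ip = {ip: a for a in inventory for ip in a.ips}
    by_host = {h.lower(): a for a in inventory for h in a.hostnames}
    result = {"managed": [], "unmanaged": []}
    for f in findings:
        if f.ip in excluded_ips:          # pruned false positive
            continue
        match = by_ip.get(f.ip) or by_host.get(f.hostname.lower())
        if match is None:
            result["unmanaged"].append(f)
        else:
            match.tags.add(EASM_TAG)
            result["managed"].append((f, match.name))
    return result


def newly_discovered(findings, latest_scan):
    """Findings first seen in the latest EASM discovery run."""
    return [f for f in findings if f.first_found == latest_scan]


# Constructed sample data (documentation-range addresses).
SAMPLE_INVENTORY = [
    InternalAsset("web01", frozenset({"203.0.113.10"}), frozenset({"www.example.com"})),
    InternalAsset("mail01", frozenset({"10.0.0.25"}), frozenset({"mail.example.com"})),
]
LATEST_SCAN = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", "www.example.com", date(2024, 5, 1), LATEST_SCAN),
    Finding("203.0.113.25", "MAIL.EXAMPLE.COM", date(2024, 5, 1), LATEST_SCAN),
    Finding("198.51.100.7", "vpn.example.com", LATEST_SCAN, LATEST_SCAN),
    Finding("198.51.100.99", "old-partner.example.net", LATEST_SCAN, LATEST_SCAN),
]
EXCLUDED = frozenset({"198.51.100.99"})  # a known false positive


if __name__ == "__main__":
    split = classify(SAMPLE_FINDINGS, SAMPLE_INVENTORY, EXCLUDED)
    for f, name in split["managed"]:
        print(f"managed   {f.ip:15} -> {name}")
    for f in split["unmanaged"]:
        print(f"unmanaged {f.ip:15} {f.hostname}")
    print("new:", [f.ip for f in newly_discovered(split["unmanaged"], LATEST_SCAN)])
```

The mail finding matches on hostname even though its external IP differs from the internal one, which is the "update managed asset details" case; the VPN finding has no counterpart and would be the unmanaged asset EASM adds.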

31
Actions For Newly Discovered Devices

The EASM section of CSAM provides tools for acting on newly discovered devices.
The newly discovered devices are from the latest EASM scan date.

“Exclude IP from EASM Discovery” will update the EASM filter profile. The use case
here would be to prune false positives.

The picture in the slide shows only the Unmanaged Newly Discovered devices.

“Activate Qualys VMDR” will add the IP into the subscription to launch vulnerability
scans using Qualys external scanners. This action will only be available for
Unmanaged assets.

32
Discovery Path

Along the left panel of View Asset details, there is a section for External Attack
Surface viewing.

The tabs show the EASM details:

• DISCOVERY PATH: The asset IP shown can include multiple domains or
subdomains. You can understand how the asset is attributed to your organization.
• EXTERNAL VULNERABILITIES: You can see the vulnerability data for that IP. The
vulnerability data includes vulnerability name, vulnerability score, vulnerability
type (Unverified or Verified), and vulnerability summary.
• Note: The vulnerability data is CVE data from Shodan; no external scan
(adding the IP to your subscription) is needed to show data in this tab. This
is so you can get data about your external attack surface immediately; no
Qualys scanning is needed up-front.
• DNS DATA: You can see the DNS data for a particular IP.
• WHOIS DATA: You can see details about who created the asset, such as Creation
date, Domain Name, Registrant email ID, Registrar, and so on.
• SSL: You can see the certificate details, such as whether it's valid, expired, or
expiring.
• OPEN PORTS: You can find out whether any unsanctioned services, such as SSH or
RDP, are running on the asset.
• APPLICATION STACK: You can see whether the asset is using any unapproved
legacy application stack.

33
LAB

EASM Configuration & Inventory

Please consult pages 18-22 in the Lab Tutorial Supplement for instructions to
perform this lab activity.

10 min.

EASM Configuration, page 22

EASM Inventory, page 22

This lab will help you understand how to activate and configure EASM to discover
externally exposed assets.

Steps in the first lab tutorial:

1. Configure from the CSAM Getting Started Page
2. Discussion and configuring the filter profile
3. EASM panel on the Getting Started Page
4. View EASM dashboard

Steps in the second lab tutorial:

1. EASM section of CSAM
2. Managed/Unmanaged viewing
3. EASM discovered devices obtain EASM tag
4. Viewing newly discovered devices
5. Group By options
6. EASM tag has a criticality of 3
7. Actions menu will allow excluding asset from the filter profile
8. Actions menu will allow you to activate the asset for Qualys external scanning
9. View Asset Details – EASM section
10. Discovery path, external CVE details, DNS, whois, SSL, open ports, application
stack
11. EOL/EOS Software viewing in the EASM section

34
This section provides an overview of Qualys integration with ServiceNow CMDB and
how it helps security teams gain comprehensive visibility into your IT asset
inventory to immediately flag security and compliance risks.

Certified ServiceNow CMDB Sync App

• Supports 2-way sync (Qualys to ServiceNow and ServiceNow to Qualys)
• Up-to-date, complete, structured, and enriched ServiceNow CMDB
• Enrich Qualys assets with key CMDB business data
• Synchronization schedules can be configured and saved
• Asset metadata synchronization is performed only for assets already in
both Qualys and ServiceNow
• Optionally, asset information is staged for user approval before being
written to CMDB
• Preconfigured reports

ServiceNow (SN) is a third-party application that stores information about all
technical services used in an enterprise in a Configuration Management Database or
CMDB. Within the CMDB, the support information for each service offering is stored
in a Configuration Item (CI) specific to that service. This information includes the
service name and description, assignment groups, change management approvers,
and service roles as well as other information directly related to the service support.

Traditionally, the Qualys API has been used to extract data from the Qualys Cloud
Platform; that data is then consumed by your third-party applications. However,
with the Qualys ServiceNow CMDB Sync App, metadata can move in both directions.

We can bring in IP addresses of devices not discovered by Qualys so that we can add
them to Active Scanner or deploy Cloud Agent on them and collect inventory. This
allows you to ensure that both Qualys and ServiceNow are in sync.

Qualys asset inventory syncs with ServiceNow’s CMDB, continuously feeding it fresh
data, so the CMDB can accurately map assets’ relationships, connections, hierarchies,
and dependencies. Supports multiple Qualys accounts / API sources for sync.

Qualys can benefit from metadata in the ServiceNow CMDB, and ServiceNow can
benefit from Qualys categorization, normalization, and data enrichment.

Asset metadata synchronization is performed only for assets already in Qualys and
ServiceNow (i.e., not for new asset discovery). When assets are synced from CMDB
to Qualys, if Qualys does not have a matching asset, then the IP can be added to VM
and PC.

The 2-way sync is only with CSAM and not GAV. GAV does not support business
context data coming back from a CMDB. CMDB Sync requires CSAM.

36
ServiceNow Store Apps

There are 2 Qualys apps for ServiceNow CMDB Sync:

• Qualys ServiceNow CMDB Sync App
• Qualys ServiceNow CMDB Sync Service Graph Connector App

For a detailed description of the Qualys CMDB Sync App, go here:
https://www.qualys.com/docs/qualys-cmdb-sync-v2.pdf

The Qualys CMDB Sync Service Graph Connector App is intended for ServiceNow
'Orlando' and later versions and includes additional features. The Qualys CMDB Sync
Service Graph Connector App requires the ITOM Visibility license installed in
ServiceNow.

For a detailed description of the Qualys CMDB Sync Service Graph Connector App, go
here: https://www.qualys.com/docs/qualys-asset-inventory-cmdb-sync-ire.pdf

The prerequisites for each app can be seen on the details page in the ServiceNow
online store. Your ServiceNow owner can assist in making the right app selections.

For both integration types, you must have a valid Qualys account subscription with
API Access to the CSAM module (and Vulnerability Management, if doing a VM scan
on imported assets). Also, CMDB Sync must be enabled within your Qualys
subscription.

37
Initial Configuration and Setup

1. Install the Qualys App (available in ServiceNow Online Store)
2. Add API source (Add Qualys API user credentials and API Server
and Gateway URL)
3. Create schedules, define what data is to be synced and configure
mapping for Business Criticality to Qualys Asset Criticality Score
4. Update Qualys App configuration\property values

Quick Steps to get started with Qualys ServiceNow CMDB Sync:

1. Install the Qualys App - You’ll get the app from the ServiceNow Online store.
Additional plugins need to be installed in ServiceNow if using the Qualys
ServiceNow Service Graph Connector App. These prerequisite plugin details are
listed in the previous slide.

2. Add API Source - Provide the Qualys API Source details. The Qualys API URL you
should use for the Server and Asset Inventory Server fields depends on the Qualys
platform where your account is located. For more information on Qualys platform
URLs, see https://www.qualys.com/platform-identification/. After adding the API
source, use ‘Test Connection’ to verify that the connection between ServiceNow and
the defined Qualys source is working.

3. Create Schedules - Provide details within the Qualys app to create a schedule. You
need to set up at least one schedule. You may eventually want many more. Once
a schedule is successfully created, the sync between the source and CMDB runs
as per the defined schedule.
- Asset information is automatically enriched with additional context such as
lifecycle date, support stage, and license category
- For assets that already exist in both, asset metadata can be synchronized
- Optionally, asset information is staged for user approval before being written
to CMDB
- Support for multiple Qualys accounts/API sources

4. Update Properties - The Qualys app has pre-populated configuration\property
values. These values determine the maximum number of assets fetched in a
single API request call (Qualys to ServiceNow sync), the maximum number of
records to be uploaded to Qualys (ServiceNow to Qualys sync), time restrictions
on scheduled run time, and API timeout settings. You can always change these
values to suit your needs.

38
Business Attributes
CMDB Sync automatically imports business context attributes into Qualys
CSAM from ServiceNow CMDB.

Business Attributes
• Status (e.g., in-repair, lost/stolen)
• Organization (Company, Business Unit, Department)
• Owned By - Who owns the asset
• Managed By - Responsible person
• Supported By – Supporting person
• Environment (e.g., Prod/Lab/Test)
• Assigned Location (Country, City)
• Business App/Service name
• Business Criticality

• Security teams gain a better understanding of the overall IT and business
environment
• Design scanning strategies to meet environmental objectives
• Prioritize remediation tasks by asset and business criticality
• Accurately identify the scope and business impact of remediation tasks

The Qualys CMDB Sync App uses SN APIs. Two new SN APIs are introduced to import
some additional metadata of assets and business apps to Qualys.

Below is the list of business attributes currently imported in CSAM:

o Status (e.g., in-repair, lost/stolen)
o Organization (Company, Business Unit, Department)
o Owned By - Who owns the asset
o Managed By - Responsible person
o Supported By – Supporting person
o Environment (e.g., Prod/Lab/Test)
o Assigned Location (Country, City)
o Business App/Service name
o Business Criticality

Business information can be seen in Asset details for assets whose inventory data is
synchronized with SN CMDB. You can also use search queries to filter assets matching
specific business information or Qualys APIs to export asset data, including all
business information.

39
View Business Information in Asset Details

• Derive relevant context on the way the asset is being used, who owns it, what
department and business service it belongs to, business criticality, etc.
• See the list of assets associated with a business app

The Business Information and Business Application information listed in Asset Details
come from a CMDB pull and provide relevant context on the way the asset is
being used, who owns it, and what department and business service it belongs to.

Business Information for the app includes the Business Criticality score assigned to it
in ServiceNow. This is a text field and a user-configurable score in ServiceNow. You
can define how Business Criticality maps to the Asset Criticality Score in ServiceNow,
and CSAM automatically assigns these scores to the assets associated with the
Business App in its inventory.

You can also see the list of assets associated with a business app which allows
security teams to look for assets that have the biggest potential for impacting your
business and ensure that they are properly secured.

40
Use Business Attributes to Search Assets

Use search tokens to filter assets matching specific business information.

CSAM includes multiple search tokens to quickly filter assets matching specific
business attributes imported from a ServiceNow CMDB sync.

The slide illustrates a search query that shows assets with business application
environment as Production.

Business Applications will obtain tags under the “Business Application (CMDB Sync)”
parent tag. The criticality of the tag will adopt what Business Criticality has been set
in ServiceNow. The highest criticality in ServiceNow is 1. If the Business Criticality is
1, Qualys will set 5 for that specific Business Application tag (signifying the highest
criticality). The criticality set to all the tags for an asset will determine the Asset
Criticality, which will be covered in a later section.

41
Public APIs for CMDB Sync

• Public APIs are for use with other CMDBs (not ServiceNow)
• Qualys Cloud Suite API provides many ways to integrate your
programs and API calls with Qualys capabilities
• CSAM now supports the import of Asset business metadata and
Business app metadata from your CMDB into your Qualys asset
inventory using v2 APIs
• Currently supports a maximum of 250 records for import in one API
call for both Asset and Business app metadata
• The user must have access to the CSAM module with API enabled
for that role
• Imported business attributes are listed on the Asset Details page

Qualys has added business information attributes support for the v2 APIs. You can
now import Asset business metadata (e.g., asset.org.company, asset.ownedBy, etc.)
and Business app metadata (e.g., businessApp.name,
businessApp.businessCriticality, etc.) from your CMDB into your Qualys asset
inventory in CSAM. A maximum of 250 records can be imported in one API call.

To use this feature, your account must include CSAM in the subscription. Also, the
user making API requests must have access to the CSAM module with API access
enabled.

For more information on the business attributes supported for API requests, please
consult the CSAM API Guide:
https://www.qualys.com/docs/qualys-gav-csam-api-v2-user-guide.pdf
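The two rules from the last two slides, Business Criticality 1 in ServiceNow becoming criticality 5 on the Business Application tag and the 250-record ceiling per import call, are worth seeing in code. The following is an added example; it is neither the Qualys CMDB Sync App nor the CSAM API client, and it sends no request. It assumes that the rest of the criticality mapping is a plain inversion (2 to 4, 3 to 3, 4 to 2, 5 to 1), that the record layout shown is acceptable to the import call, and that attribute names beyond the four quoted on the slide (asset.org.company, asset.ownedBy, businessApp.name, businessApp.businessCriticality) are placeholders. The records are constructed.

```python
"""Map ServiceNow Business Criticality to a Qualys tag criticality and split
CMDB business metadata into import calls of at most 250 records.

Added example; not the Qualys CMDB Sync App or the CSAM API client.
From the slides: ServiceNow criticality 1 (its highest) becomes Qualys 5 on the
Business Application tag, and one CSAM v2 import call takes at most 250 records.
Assumptions: the remaining mapping values, the payload layout, and any
attribute name not quoted on the slide. Nothing here sends a request.
"""
MAX_RECORDS_PER_CALL = 250                       # stated limit
BUSINESS_APP_PARENT_TAG = "Business Application (CMDB Sync)"
SN_TO_QUALYS = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}   # 1 -> 5 is on the slide; rest assumed


def tag_criticality(business_criticality):
    """ServiceNow Business Criticality (a text field, e.g. "1" or
    "1 - most critical") -> Qualys criticality 1..5 (5 = highest)."""
    text = str(business_criticality).strip()
    try:
        level = int(text.split()[0])
    except (ValueError, IndexError):
        raise ValueError(f"unparseable Business Criticality: {text!r}")
    if level not in SN_TO_QUALYS:
        raise ValueError(f"Business Criticality out of range: {level}")
    return SN_TO_QUALYS[level]


def business_app_tag(app_name, business_criticality):
    """Tag created under the CMDB Sync parent tag, with the mapped criticality."""
    return {
        "parent": BUSINESS_APP_PARENT_TAG,
        "name": app_name,
        "criticality": tag_criticality(business_criticality),
    }


def asset_record(asset_id, company, owned_by, environment):
    """One asset business-metadata record. asset.org.company and asset.ownedBy
    are from the slide; assetId and asset.environment are placeholders."""
    return {
        "assetId": asset_id,
        "asset.org.company": company,
        "asset.ownedBy": owned_by,
        "asset.environment": environment,
    }


def business_app_record(name, business_criticality):
    """One business-app metadata record (attribute names from the slide)."""
    return {
        "businessApp.name": name,
        "businessApp.businessCriticality": str(business_criticality),
    }


def import_calls(records, limit=MAX_RECORDS_PER_CALL):
    """Split records into payloads that never exceed the per-call limit."""
    records = list(records)
    return [records[i:i + limit] for i in range(0, len(records), limit)]


if __name__ == "__main__":
    # 600 constructed asset records -> 3 calls (250, 250, 100)
    assets = [asset_record(f"asset-{i}", "Example Corp", "owner@example.com", "Production")
              for i in range(600)]
    print([len(call) for call in import_calls(assets)])
    print(business_app_tag("Payroll", "1 - most critical"))
    print(import_calls([business_app_record("Payroll", 1)]))
```

Validating the criticality text before the batch is built matters because the field is free text in ServiceNow; a record that fails `tag_criticality` is better rejected on your side than silently imported with no criticality.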

42
LAB

Business Context from CMDB Sync

Please consult pages 23-24 in the Lab Tutorial Supplement for instructions to
perform this lab activity.

5 min.
Tutorial begins on page 24

This lab will walk you through the steps to understand how security teams can get
business context in CSAM with ServiceNow CMDB integration.

Steps:
1. Verify CMDB Sync is enabled on CSAM Getting Started page
2. Verify Business Applications asset tag
3. CSAM inventory viewing of the Business Applications tag
4. View Asset Details – Business Information section
5. Discussion on Business Information and Business Application metadata
6. Discussion on Business Criticality value and Qualys mapping to Asset Criticality
7. Viewing associated assets running the same Business Application
8. View the Business query tokens in CSAM
9. View the assets with the highest Business Criticality

43
This topic provides an overview of the Global AV / CSAM capabilities of normalization,
categorization, and enrichment.
The ambiguity of IT Asset Data

High Volume / High Velocity / High Variance

High Variance examples:
• Acquisitions: Skype → Microsoft
• Product rebranding: Communicator → Lync → Skype for Business → Teams
• “A” means “B”: lync.exe = Skype for Business
• Name variance: MSFT, Microsoft Corporation, Microsoft, microsoft corp, …
• Manufacturer: 8 → 1; Product: 20 → 1

One of the biggest challenges when building an automated asset inventory is the
volume, velocity, and variety of asset changes in the environment.

This challenge is increased exponentially when organizations take full advantage of
the Cloud, which allows organizations to dynamically adjust workloads, such as
compute resources delivered by virtual machines and containers.

Qualys tackles the Volume and Velocity challenges by providing a powerful Cloud
Platform capable of processing asset telemetry in near real-time and then leveraging
that same telemetry to solve multiple use cases for IT Asset Management, Security,
and Compliance through its family of integrated Cloud Platform Apps.

With Qualys GAV / CSAM, customers can tackle the High Variance challenge of asset
data and make their asset inventory consistent and uniform, which is essential for
having inventory clarity and accuracy.

You have a high volume of data, and vendors are constantly changing and rebranding
themselves. This makes it difficult to categorize your data. Qualys has taken that idea,
and we normalize your information for you. So, when Microsoft acquired Skype,
those products became Microsoft, and we can categorize them under one company
name.

45
Qualys Normalization, Categorization & Enrichment

Raw Asset Data – We start with the raw asset data. This is the information collected
from your sensors and sent to the platform.

Qualys normalization and categorization – here is where we take that data, and we
break it down by manufacturer, owner, product, version, edition, and category. This
happens after the data is retrieved using a sensor. Every standardized product in the
technology catalog belongs to a 2-level taxonomy, for example, “Computer / Server”
or “Database / RDBMS”, which helps organize all assets in multiple dimensions.

Enrichment – Finally, we tell you if it’s end-of-support and end-of-life, what type of
license it has, and the risk associated with those things.

The catalog is continuously curated with a focus on completeness, relevance, and
data quality. This process transforms the global IT asset inventory into a
multi-dimensional and structured set of information so that you can make better
business decisions.
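The three stages on the last two slides (raw strings, normalization into manufacturer / product / two-level category, enrichment with license and lifecycle data) can be shown end to end on a toy catalog. The following is an added example, not the Qualys technology catalog or its normalization engine. The alias examples are taken from the slides (MSFT, Microsoft Corporation, microsoft corp all meaning Microsoft; Skype folded in by acquisition; lync.exe being Skype for Business; a "Database / RDBMS" category); every other alias, category, license value and end-of-life date is a constructed placeholder, and the "today" used for the EOL check is fixed so the output is deterministic.

```python
"""Normalize raw manufacturer/product strings, look them up in a small
two-level catalog, and enrich with license and lifecycle data.

Added example; not the Qualys technology catalog. Alias examples follow the
slides (MSFT / Microsoft Corporation / microsoft corp -> Microsoft, Skype ->
Microsoft by acquisition, lync.exe = Skype for Business, "Database / RDBMS");
all other aliases, categories, licenses and dates are constructed placeholders.
"""
import re
from collections import Counter
from datetime import date

_SUFFIXES = r"\b(corporation|corp|inc|ltd|llc)\b"


def normalize_key(text):
    """Lower-case, drop punctuation and corporate suffixes, collapse spaces."""
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    text = re.sub(_SUFFIXES, " ", text)
    return " ".join(text.split())


# canonical manufacturer -> raw spellings seen in sensor data
MANUFACTURER_ALIASES = {
    "Microsoft": ["MSFT", "Microsoft Corporation", "Microsoft", "microsoft corp",
                  "Skype"],                       # Skype: folded in by acquisition
    "Red Hat": ["Red Hat, Inc.", "RedHat"],      # constructed
}
# canonical product -> raw names, executables and rebranded names
PRODUCT_ALIASES = {
    "Skype for Business": ["lync.exe", "Skype for Business", "Lync"],   # lync.exe = SfB (slide)
    "SQL Server": ["Microsoft SQL Server", "MSSQL", "sqlservr.exe"],   # constructed
    "Windows Server 2016": ["Windows Server 2016 Datacenter", "Win2016"],  # constructed
}
# canonical product -> (manufacturer, category1, category2, license category, EOL date)
# Taxonomy pairs use the slide's "Category1 / Category2" form; values are constructed.
CATALOG = {
    "Skype for Business": ("Microsoft", "Communication", "Collaboration", "Commercial", date(2025, 10, 14)),
    "SQL Server": ("Microsoft", "Database", "RDBMS", "Commercial", None),
    "Windows Server 2016": ("Microsoft", "Operating System", "Server", "Commercial", date(2027, 1, 12)),
}

_MANUF = {normalize_key(v): k for k, vs in MANUFACTURER_ALIASES.items() for v in vs}
_PROD = {normalize_key(v): k for k, vs in PRODUCT_ALIASES.items() for v in vs}


def normalize_manufacturer(raw):
    """Map a raw vendor string to its canonical name; unknown names pass through."""
    return _MANUF.get(normalize_key(raw), raw.strip())


def normalize_product(raw_product, today=date(2024, 6, 1)):
    """Raw product string -> structured, enriched record, or None if not in the
    catalog. `today` is fixed so the example is deterministic."""
    product = _PROD.get(normalize_key(raw_product))
    if product is None:
        return None
    manufacturer, cat1, cat2, license_cat, eol = CATALOG[product]
    return {
        "manufacturer": manufacturer,
        "product": product,
        "category1": cat1,
        "category2": cat2,
        "category": f"{cat1} / {cat2}",      # the slash form the category token expects
        "license.category": license_cat,
        "eol": eol,
        "is_eol": eol is not None and eol <= today,
    }


def consolidate_manufacturers(raw_names):
    """How many raw spellings collapse into each canonical name (the slide's 8 -> 1)."""
    return Counter(normalize_manufacturer(n) for n in raw_names)


# Constructed raw inventory strings
RAW_MANUFACTURERS = ["MSFT", "Microsoft Corporation", "Microsoft", "microsoft corp",
                     "Microsoft Corp.", "MICROSOFT", "Microsoft, Inc.", "Skype"]
RAW_PRODUCTS = ["lync.exe", "Lync", "MSSQL", "sqlservr.exe", "Win2016", "notes.exe"]


if __name__ == "__main__":
    print(consolidate_manufacturers(RAW_MANUFACTURERS))   # Counter({'Microsoft': 8})
    for raw in RAW_PRODUCTS:
        rec = normalize_product(raw)
        print(raw, "->", rec["category"] if rec else "not in catalog")
```

Unknown strings are returned as `None` rather than guessed, which is the behaviour you want from an inventory pipeline: an unmatched product should surface as a catalog gap to review, not quietly land in the wrong category.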

46
Normalize Searches with Asset Categories

Hardware
hardware.category1: value1
hardware.category2: value2
hardware.category: value1 / value2

OS
operatingSystem.category1: value1
operatingSystem.category2: value2
operatingSystem.category: value1 / value2

Software
software:(category1: value1)
software:(category2: value2)
software:(category: value1 / value2)

Use hardware, software, and OS tokens to help “normalize” your query
conditions to uncover more precise asset details.

The hardware, operating system, and software categories can be handy when
performing asset searches within the CyberSecurity Asset Management application.

To build a query, choose a token and provide a value. Combine category1 and
category2 values using the generic "category" token (a slash character must separate
the category1 and category2 values).

The Qualys catalog is vast. In the CSAM Inventory section, use the following to
determine value1 and value2:
• Group Assets by – Hardware – Category
• Group Assets by – Operating System – Category
• Software – Group Software by – Category

This will show the category 1 and category 2 values of the Qualys catalog that match
your asset population.

47
Software License

Commercial - software:(license.category:`Commercial`)
• Supported by a vendor

Open Source - software:(license.category:`Open Source`)
• Open to public and free for use

Attribute | Examples | Search Token
license category | Open Source, Commercial | software.license.category
*license subcategory | GPL, Apache 2.0, BSD, … | software.license.subcategory

Find your commercial vs open-source software.

Why does this matter? If you look at an environment, you can see millions of
software deployed. It could be the case where your department, or organization,
needs to cut down on the number of licenses or find assets with underutilized
software.

Because we are categorizing, it quickly gives you insight into all commercial software.

The subcategory token defines the license model. This is because not all Commercial
software is pay-for. Some Commercial software is free, and some is subscription-
based.

48
LAB
Hardware, Software and OS Classification

Please consult pages 25-31 in the Lab Tutorial Supplement for instructions to
perform this lab activity.

15 min.

Hardware Classification, page 28

OS Classification, page 29

Software Classification, page 30

Software – Commercial and EOL, page 31

This lab will walk you through the hardware, OS, and software categorization features
in CSAM.

Steps:
1. View the Hardware categories with the bar chart
2. Explanation about cat1 and cat2 levels of categorization
3. Group Assets by – Hardware – Manufacturer – Lenovo
4. Group Assets by – Operating System – Edition

Steps for the second lab:


1. View the Operating System categories with the bar chart
2. Group Assets by – Operating System – Name
3. View all servers with Windows 2016
4. Group Assets by – Operating System – Edition – Datacenter

Steps for the third lab:


1. View the Software categories with the bar chart
2. Group Software by – Category – Browsers
3. Change to Software viewing
4. Group Software by – Product – Edition – Publisher

Steps for the fourth lab:

1. Use the faceted search to filter Commercial software
2. Use the faceted search to further filter down to EOL within 3 months
3. Group Software by – Product – Edition

49
Organize & Label Assets

In this section, we will talk about organizing assets using Asset Groups and Asset Tags.

50
Organizing & Labeling Assets – Use Cases
Groups and Tags are used for:

• Setting up vulnerability and compliance scans
Good Practice: Use Asset Groups

• Building reports
Good Practice: Use Asset Tags

• Creating queries, widgets, and dashboards
Good Practice: Use Asset Tags

• Assigning Qualys user access and scope on assets in your subscription
Good Practice: Use Groups or Tags depending on the application

Before getting into the scanning process, or Cloud Agent deployment process, you’ll
want to think about how you want to organize your assets. Think about how you will
report, who will get the reports, and what type of data should be in the report.
Here are some good practices for asset management.
• Use the Asset Groups you built previously to run your scans.
• Use Asset Tags for reporting, widgets, and dashboards.
• Asset Groups and Asset Tags are used to grant users access to certain assets in
Qualys.

Asset Groups are created within VM/VMDR. Asset Tags can be created in many
places within the Qualys Platform, but they are managed in GAV/CSAM.

51
What are Asset Groups?

• Logical groups (buckets) of host assets or domain assets
• Makes scanning, mapping, and reporting more efficient
• Limit the scope of network security audits to subsections of your network
• Distribute assets to multiple users to facilitate delegation of responsibilities

Asset Groups are set up within VM/VMDR. Instead of typing in IP address ranges for
your scan targets, you can organize these IP blocks into Asset Groups. This will allow
you to organize and reference the Asset Group as a target for your scan or the source
for a report. Asset Groups can also be targets for map scans.

Another use case for Asset Groups is distributing or delegating access to other Qualys
users.

Asset Groups are created using IP addresses.

52
Asset Group Attributes

• An IP address can exist in as many Asset Groups as needed
• Asset Groups cannot be nested
• Static - they do not change unless you manually change them
• Should be IP ranges, not individual lists of IPs

An Asset Group is a logical container for IP addresses. We recommend building them
by full IP ranges and not individual IP addresses.

We recommend using Asset Tags to organize assets around criteria such as Operating
System, device type, business priority, etc. It is best to build Asset Groups by IP
range/location.

An IP address may belong to more than one Asset Group. It is not possible to nest
Asset Groups (a group within a group).

53
Asset Group Setup

• Use Asset Groups for geographic locations
• Establish a naming convention. Example: All Asset Groups start with “AG:”
• Map out how you’d like to divide up your IP address space, so a hierarchy exists
• Name Asset Groups like a file system

Thoughtfully planning your Asset Group structure will save time scanning your hosts
with a scanner appliance and when going to report. Understanding how you want to
build your scans, and reports will be a piece of this puzzle.

In this example, you see a hierarchy-like structure manually built for a Chicago
location. There are ALL groups for both internal (private IP addressing) and external
(public IP addressing) Asset Groups. From there, there are smaller groups to identify
the specific buildings or network segments.

We recommend prefixing Asset Group names with “AG:”. This is so that when a
corresponding tag gets created, you can easily identify the Asset Groups created in
VM/VMDR.

By using this type of naming convention, you can find all assets in any building or any
location very easily. You can also build widgets to visually monitor data for them
easily. Reporting becomes easy by referencing the top-level group to see data for all
of Chicago. The Asset Groups for each building reflect where you should deploy
scanner appliances and then scan those locally (instead of trying to scan all of
Chicago from one location).

Example queries:
• Show all internal assets regardless of location
tags.name:" - Internal"

• Show all external assets regardless of location
tags.name:" - EXT"

54
Asset Groups

• For every Asset Group, a tag with the same name is automatically created
• The tag has the same IP range defined in the Asset Group
• These tags are nested under the parent tag called “Asset Groups”

For every Asset Group that you create, you’ll find a tag with the same name. It has
the same IP range as defined in the Asset Group. These tags are all nested under a
parent tag called “Asset Groups”.

Having these Asset Group tags makes them usable in AssetView queries, widgets, and
dashboards.

55
Asset Tags
Asset Tagging provides a more flexible and scalable way to label and organize the
assets in your subscription.
Automated discovery and tagging

Static Tags
• Assigned manually to host assets
• Commonly used as the starting point of an Asset Tag Hierarchy

Dynamic Tags
• Host assignment is determined by Asset Tag Rule Engine
• Tags dynamically change with updates to host

Asset Tag Hierarchy
• Tags are typically nested, creating various parent/child relationships
• Targeting a parent tag automatically includes its child tags

Asset Tagging provides a flexible and scalable way to automatically label and organize
the assets in your environment and ensures that your scans and reports are always
synchronized with your dynamic business environment.

Basic Asset Tag behaviors and characteristics:

Static tags: You can build static tags that you manually assign to selected host assets
within your account. Static tags are commonly used to establish the starting point for
individual asset tag hierarchies.
Dynamic tags: These are automatically assigned to host assets, based on their rule
engine. Asset tag rule engines focus on different host attributes, and when these
attributes change, so do their respective tags.

Asset tags are commonly grouped or organized into Asset Tag Hierarchies. These
hierarchies allow you to nest one asset tag below another, creating various
parent/child relationships (the idea or objective is to build child tags that represent
a subset of host assets by their associated parent tag).

Qualys Platform will already create the following tags for you:
• Business Units
• Asset Groups
• Cloud Agent
• Internet Facing Assets
• Passive Sensor

56
System Created Tags

Qualys will automatically create some tags for you:

• Business Units
• Asset Groups
• Asset Search
• Cloud Agent
• Internet Facing Assets
• Passive Sensor
• EASM

Business Units
Business Units tag is a parent tag. The child tags underneath are for the business
units in your account that are created. Assets in a business unit are automatically
assigned the tag for that BU.

Asset Groups
Asset Groups tag is a parent tag. The child tags underneath are for the asset groups
in your account. Assets in an asset group are automatically assigned the tag for that
asset group. You create Asset Groups in VMDR.

Asset Search Tags
Asset Search Tags is a parent tag. The child tags underneath are tags you create from
the Asset Search area of VMDR.

Cloud Agent
Cloud Agent tag is created by the system and will be applied to all assets that have
the Cloud Agent deployed. This is a quick way to reference your asset population
with agents deployed.

Internet Facing Assets
Internet Facing Assets tag is created and assigned to an asset if it has a public-facing
IP address.

Newer Tags:
• Unmanaged: All passively sensed assets that do not have a cloud agent or have not
been scanned by Qualys scanner have this tag.
• Passive Sensor: All assets reported by the passive sensor appliance have this tag.
• ICS_OCA: The assets sensed from project files uploaded by the user in the
Industrial Control System (ICS) module have this tag.
• EASM: All assets reported by Qualys External Attack Surface Monitoring have this
tag.
• Shodan: This is a legacy tag applied to assets when Qualys pulls information from
Shodan. EASM is the tag you should reference when navigating your external
inventory.
• Default Dashboard Access Tag: This tag is added to new dashboards to allow by
default all users to view all dashboards.

57
Dynamic Rule-Based Tags

• The “Asset Inventory” rule engine allows you to build tags using query tokens,
including the Hardware, OS, and Software category tokens
• Other “dynamic” rule engines are also available

Learning to build queries in the Qualys UI is a very useful skill. From queries, you can
build both Dashboard Widgets and Asset Tags.

When building Asset Tags, the “Asset Inventory” rule engine can leverage the
GAV/CSAM inventory tokens for hardware, OS, and software categories.

Other dynamic rule engines available:

• Asset Name Contains
• Business Information
• Asset Inventory
• IP Address in Range(s)
• IP Address in Range(s) + Network(s)
• Open Ports
• Cloud Asset Search
• Vuln(QID) Exist
• Groovy Scriptlet
• Asset Search

58
Using a naming convention with Asset Tags

AWS Instance tags
• Region based:
  • AWS: Mumbai
  • AWS: Ohio
• Instance-type based:
  • AWS: t2.micro
  • AWS: t2.large
• Instance-state based:
  • AWS: Running
  • AWS: Terminated
  • AWS: Stopped

Asset Groups (tags auto-generated from groups)
• AG: PHOENIX - EXT - DMZ - WEB SERVER VLAN
• AG: Phoenix - Internal - Sales Office
• AG: PHOENIX - EXT - RED NETWORK

Operating System tags:
• OS: Windows 7
• OS: Red Hat
• OS: MacOS

Type of Asset:
• Type: Domain Controller
• Type: ESX Server
• Type: Server

Software based tags:
• Software: Office installed
• Software: Java installed

Following a standard naming convention for your asset tags is very important. This
will make it easy to organize and search for them.

Examples:
• Type: Domain Controller
• SW: iTunes
• OS: Ubuntu

Here you see examples of tags. It helps you easily query for and find assets with a
particular tag.

59
Ensure your Assets are tagged by OS

1. Tag all assets with an OS: tag.
• Use Qualys documentation for examples and best practices:
https://qualys-secure.force.com/discussions/s/article/000005819

2. Use the following search to find everything not tagged:
not tags.name: "OS: "

Choose tag names that are descriptive, but brief.

To help organize Asset Tag hierarchies, avoid mixing multiple types of rule engines in
a single hierarchy.

With this design structure in place, multiple Asset Tags can be combined when
selecting targets for scanning and reporting.

Here is a community article to help maximize the potential of your tagging strategy:
https://success.qualys.com/discussions/s/article/000005819

60
Asset Tag Hierarchy
• Child tags do not inherit attributes of their parent tags.
• Tags should be limited to a single attribute, not multiple (e.g., “Dallas
Workstations” is both a location and a device type)
• Multiple tags can be combined when selecting targets for scanning and reporting

It is a best practice to choose descriptive tag names that are brief. To help organize
Asset Tag hierarchies, avoid mixing multiple types of rule engines in a single hierarchy.
With this design structure in place, multiple Asset Tags can be combined when
selecting targets for scanning and reporting.

The root-level tag is a parent tag, and underneath it are child tags. It is important to
note that child tags do not inherit the properties of a parent, so each child tag must
define its own rule. This means you will want to group tags around common criteria.
You will end up with a hierarchy that looks something like the slide.

In doing this, you’ve set the foundation for tagging and made things easier to sort and
filter later, when it comes time to build your dashboards, widgets, and reports.
Multiple tags can be combined when selecting scan targets or report sources.

61
Tagging - Starter Checklist

• OS - Specific Operating Systems
• Host Type - Workstation vs Server
• Authentication Results
• Windows Registry - See where Qualys didn't get the right access
• Stale Assets - Old Assets that haven't been assessed in X days
• Cloud Based Tags
• Activation Keys - For Cloud Agents
• Firewall Detected - To see if a firewall is impacting your scan results

OS specific – This will allow you to build reports with tags specific to an operating
system. Most organizations want to report based on OS.
Device type – This is so you can filter reports and dashboards based on servers or
workstations, and evaluate risks at the device type level
Auth Record – By tagging auth records, you can see which ones are being used
Windows Registry – This will allow you to troubleshoot devices to which Qualys didn’t
have the right access.
Stale Assets – You can filter out assets that haven’t been scanned in X days from your
reports
Cloud-Based Tags – Any asset deployed in AWS, GCP, or Azure can be tagged in a
variety of ways and often needs to be separate from your corporate environment
Activation Keys – This is so you can track assets with agents provisioned out of given
centers, and report on Cloud Agent assets specifically
Firewall Detected – This is so you can see if there may be a firewall impacting the
scan you’re running.

62
LAB

Asset Groups and Asset Tags

Please consult pages 32-39 in the Lab Tutorial
Supplement for instructions to perform this lab activity.

5 min.
Asset Groups, page 34

Dynamic Rule-Based Tags, page 36

This lab will walk you through the steps to create Asset Groups and Asset Tags.

Steps:
1. Navigate to VMDR
2. Create an Asset Group for all internal assets located in Chicago
3. Discuss the importance of “AG:” prefix in the group name

Steps for the second lab:
1. Creation of a tag for Windows-based operating systems
2. Set the Criticality score to 3
3. Select Asset Inventory dynamic rule
4. Test the tag rule for operatingSystem.category1:`Windows`
5. Click Evaluate Rule on Creation
6. Repeat the previous steps for Linux-based operating systems
7. Set the Criticality score to 3
8. Select Asset Inventory dynamic rule
9. Test the tag rule for operatingSystem.category1:`Linux`
10. Click Evaluate Rule on Creation

63
This is the second major section of the agenda covering asset prioritization, lifecycle
enrichment, and SW authorization.

Detect and Monitor Security Gaps

[Diagram: CyberSecurity Asset Management three-stage cycle; this section is stage 2,
Detect and Monitor]

• Asset Prioritization (Define Asset Criticality Score)

• Product Lifecycle Management (EOL/EOS/Obsolete hardware and software
automatically identified through enrichment in QCP)

• Software Authorization (configure rules to identify authorized/unauthorized
software)

In the next step (step 2), you can detect unsupported hardware, OS, and software,
identify unauthorized software and use Asset Criticality Scores to prioritize assets for
a response.

65
This section covers Asset Criticality and Qualys TruRisk.
Qualys TruRisk

• Qualys TruRisk places detected vulnerabilities within the context of your critical
and non-critical host assets to help you remediate and fix the vulnerabilities that
count
• Qualys TruRisk is comprised of three components:
  • Qualys Detection Score (QDS) /* token = vulnerability.detectionScore */
  • Asset Criticality Score (ACS) /* token = criticalityScore */
  • Asset Risk Score (ARS) /* token = riskScore */
• Both QDS and ARS are calculated values, while ACS is assigned to assets via
Asset Tags

67 Qualys, Inc. Corporate Presentation

Customers have struggled with optimizing how they prioritize responding to
vulnerabilities. Using CVSS, EPSS, or even the Qualys severity levels will net
thousands, or even millions, of vulnerabilities. This makes it near impossible for
limited resources to figure out where priorities are. TruRisk is the brand, but the
scoring comprises 3 components discussed over the next few slides. This scoring
system considers just how critical the asset (or services it runs) is to your business,
and then an understanding of the real risk of all the vulnerabilities on it.

Qualys TruRisk places detected vulnerabilities within the context of your critical and
non-critical host assets to help you remediate and fix the vulnerabilities that count.

Qualys TruRisk is comprised of three components:
1. Qualys Detection Score (QDS) /* token = vulnerability.detectionScore */
2. Asset Criticality Score (ACS) /* token = criticalityScore */
3. Asset Risk Score (ARS) /* token = riskScore */

QDS and ARS are calculated values, while ACS is assigned to assets via Asset Tags.

67
A deep dive into TruRisk can be found here:
https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-
into-data-driven-science-behind-qualys-trurisk

Asset Criticality Score

• An asset's criticality score is determined by its assigned Asset Tags

• A default score of 2 is used for assets whose assigned tags carry no criticality
score (including assets with no tags at all)

An asset's criticality score is determined by its assigned Asset Tags. A default score
of 2 is used when none of the assigned tags has a criticality score set.

68
Asset Criticality Score Calculation

• Asset Criticality Score (1-to-5) assigned to Asset Tags by users
• Assets are then assigned the highest criticality score (evaluated across all Asset
Tags presently assigned to the asset)

The INVENTORY section displays all assets where Qualys has collected data. Clicking
on the Criticality score of an asset displays all the Asset Tags assigned to the asset
along with their configured Criticality Scores. The Asset Criticality Score (ACS) is
automatically calculated based on the highest aggregated criticality across all tags
assigned to the asset.

In this illustration, the asset has multiple tags with Criticality Scores of 5, 4, and 3. So
the Asset Criticality Score of the asset is 5, that is, the highest Criticality Score among
the assigned tags.

If the tags associated with your assets do not have a criticality score set, by default,
the asset criticality score 2 will be applied to that asset.

Asset criticality helps to focus your security prioritization efforts on high-importance
and high-risk assets, by defining key business and technical context. Typically, asset
criticality is derived from the function, environment, and service the asset provides to
the business.

ACS has a big effect on the asset's risk score. It is very important to have a solid
tagging structure and criticality values set that reflect the importance of your assets,
or the services that run on them. Many customers have asked why an asset has a
low risk score despite high QDS scores on its vulnerabilities. The reason is that the
criticality of the asset is low, and ACS is a multiplier in the risk score. There should
be a company policy for defining critical, medium, and low assets. This is very
important because if everything is critical, then nothing is critical.

69
Qualys Detection Score

• Qualys Detection Score (QDS) begins with the CVSS base score of
detected vulnerabilities (i.e., technical vulnerability details)
• It then adds temporal factors such as Threat Intelligence (including
exploit code maturity, associated malware, active threat actors, and
vulnerabilities trending on the dark web)

• Mitigating and remediating controls related to the exposure are included in the
QDS calculation

• The critical range indicates the CVSS score is critical, there is a weaponized
exploit available, and there is evidence of exploitation by threat actors

Qualys Detection Score (QDS) begins with the CVSS base score of detected
vulnerabilities. It then adds temporal factors such as Threat Intelligence (including
exploit code maturity, associated malware, active threat actors, and vulnerabilities
trending on the dark web) and mitigating and remediating controls related to the
exposure.

QDS range is 1-100 and has four levels: Critical (90-100), High (70-89), Medium (40-
69), and Low (1-39). QDS is derived from the following factors:
a. Vulnerability technical details (e.g., CVSS base score)
b. Vulnerability temporal details (Is the exploit code mature? Is the vuln associated
with ransomware?)
c. Vulnerability remediation details (Has the vendor released a patch?)

QDS considers:
• CVSS Score
• External Threat Intelligence (exploit code maturity, malware, active threat actors,
and vulnerabilities trending on the dark web).
• Mitigating Controls (CIDs) associated with the vulnerability (host-specific).
• Remediating Controls or patches

70
Asset Risk Score

• Asset Risk Score (ARS) combines the Criticality Score of a single host
with a weighted average of its combined vulnerability detections
• While the Qualys Detection Score provides a useful metric for measuring
the impact of a single vulnerability, the Asset Risk Score places the
vulnerability in the context of other vulnerabilities discovered on the
same host

ARS = ACS * {wc(Avg(QDSc)) + wh(Avg(QDSh)) + wm(Avg(QDSm)) + wl(Avg(QDSl))}

where QDSc, QDSh, QDSm and QDSl are the detections on the host whose QDS falls in
the Critical, High, Medium and Low ranges, and wc, wh, wm and wl are the weights
applied to the average score of each range.

Asset Risk Score (ARS) combines the Criticality Score of a single host with a weighted
average of its combined vulnerability detections. While the Qualys Detection Score
provides a useful metric for measuring the impact of a single vulnerability, the Asset
Risk Score places the vulnerability in the context of other vulnerabilities discovered
on the same host.

Ultimately, this overall risk score gives a single measure of an asset's health. It
includes the severity of vulnerabilities, exploits, trend dynamics, how critical the asset
is, location, and business information from the CMDB. This speeds up prioritization,
ranking, and remediation.
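The following is an added example, not Qualys code, that models the two calculations described above: the ACS rule from the Asset Criticality Score slides (highest criticality across directly assigned tags, default 2, no inheritance from parent tags) and the ARS formula on this slide. The tag catalogue and the two hosts are constructed, and the weights wc/wh/wm/wl are placeholders, not the values Qualys uses. The QDS ranges are the ones the page gives.

```python
"""Added example (not Qualys code): derive ACS and ARS from tags and QDS values.
Constructed data throughout; WEIGHTS are hypothetical, not Qualys defaults."""
from statistics import mean

DEFAULT_ACS = 2  # applied when no assigned tag carries a criticality score

# QDS ranges from the page: Critical 90-100, High 70-89, Medium 40-69, Low 1-39
QDS_RANGES = (("critical", 90), ("high", 70), ("medium", 40), ("low", 1))

# Assumed weights for the weighted average (placeholders, not Qualys defaults).
WEIGHTS = {"critical": 0.5, "high": 0.3, "medium": 0.15, "low": 0.05}

# Constructed tag catalogue: tag name -> criticality (1-5), or None when not set.
TAG_CRITICALITY = {
    "Type: Domain Controller": 5,
    "OS: Windows Server": 3,
    "Software: Java installed": 4,
    "AG: Phoenix - Internal - Sales Office": None,
    "OS: Ubuntu": None,
}


def qds_level(score):
    """Bucket one QDS value into the page's four ranges."""
    if not 1 <= score <= 100:
        raise ValueError(f"QDS must be 1-100, got {score}")
    for level, floor in QDS_RANGES:
        if score >= floor:
            return level


def asset_criticality(tags):
    """ACS is the highest criticality across the tags assigned to the asset.
    Only directly assigned tags count; nothing is inherited from a parent tag.
    Tags with no score set are ignored, and DEFAULT_ACS applies if none remain."""
    scores = [TAG_CRITICALITY.get(tag) for tag in tags]
    scores = [s for s in scores if s is not None]
    return max(scores) if scores else DEFAULT_ACS


def asset_risk(tags, qds_values):
    """ARS = ACS * sum over ranges of (weight * average QDS in that range).
    Ranges with no detections contribute nothing. Returns (ACS, ARS)."""
    acs = asset_criticality(tags)
    per_range = {}
    for q in qds_values:
        per_range.setdefault(qds_level(q), []).append(q)
    weighted = sum(WEIGHTS[level] * mean(vals) for level, vals in per_range.items())
    return acs, round(acs * weighted, 2)


# Constructed hosts: identical detections, different tagging.
HOSTS = {
    "dc01": (["Type: Domain Controller", "OS: Windows Server"], [95, 92, 75, 45]),
    "sales07": (["AG: Phoenix - Internal - Sales Office", "OS: Ubuntu"], [95, 92, 75, 45]),
}


def risk_table():
    """Score every constructed host; with equal QDS, ARS differs only through ACS."""
    return {name: asset_risk(tags, qds) for name, (tags, qds) in HOSTS.items()}


if __name__ == "__main__":
    for name, (acs, ars) in risk_table().items():
        print(f"{name}: ACS={acs} ARS={ars}")
```

Both constructed hosts carry the same four detections; the domain controller scores ARS 380 while the sales workstation, whose tags have no criticality set, falls back to ACS 2 and scores 152. That is the "high QDS, low ARS" situation the notes describe, and it is resolved by tagging, not by the vulnerability data.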

71
LAB

Asset Criticality Score

Please consult pages 40-42 in the Lab Tutorial
Supplement for instructions to perform this lab activity.

5 min.
Tutorial begins on page 42

This lab will walk you through configuring Asset Criticality Scores on Asset Tags.

Steps:
1. Viewing the most critical assets from the CSAM Getting Started page
2. View the Asset Criticality score in the CSAM inventory
3. Discussion on setting the criticality of an asset tag
4. Default criticality is set to 2
5. Edit the criticality of a tag
6. Discussion of the criticality values 1 to 5
7. View the change in asset count after assigning criticality scores for the tags
8. Search query for the highest Asset Criticality Scores
9. View that the ACS is the highest of the assigned tags
10. View that an asset will have ACS of 2 if its tags do not have a criticality set

72
This section provides an overview of the product lifecycle management feature in
CSAM.
Identify Unsupported Software and Hardware

• Identify EOL/EOS software and hardware
• Plan hardware refresh and software upgrades
• Secure your environment by eliminating unsupported software and hardware

Every product has a lifecycle. The lifecycle begins when a product is released and
ends when it’s no longer supported.

End-of-Life (EOL) or End-of-Sale (EOS) is an expression commonly used by software
and hardware vendors respectively to indicate that a product or version of a product
has reached the end of its usefulness in the eyes of the vendor. End-of-Support
(EOS) or Obsolete (OBS) is the expression used by software and hardware vendors
respectively to indicate that a product is no longer serviced via upgrades, patches,
or maintenance. Note that the same acronym, EOS, therefore means End-of-Sale for
hardware but End-of-Support (also called End-of-Service) for software and operating
systems.

Many vendors announce the EOL/EOS/OBS dates for their products far in advance.

EOL/EOS/OBS software and hardware are exposed to vulnerabilities that may be
exploited by attackers, because newly found flaws are no longer patched by the vendor.

On the CSAM Getting Started page, the tile seen in the picture will give product
lifecycle information.

With CSAM, we automatically apply our extensive EOL/EOS/OBS product catalog to
your IT inventory, highlighting hardware and software that are already end-of-life
and end-of-support/obsolete, as well as those approaching those dates. This gives you
the ability to proactively plan for addressing this security risk.

74
Lifecycle Stage

Query tokens:
hardware.lifecycle.stage:value
operatingSystem.lifecycle.stage:value
software:(lifecycle.stage:value)

Hardware                 | OS                       | Software                 | Associated Risk
-------------------------|--------------------------|--------------------------|------------------------------------------------
Generally Available (GA) | Generally Available (GA) | Generally Available (GA) | Low - Product updates and security patches are readily available.
End-of-Sale (EOS)        | End-of-Life (EOL)        | End-of-Life (EOL)        | Elevated - While product enhancements and updates have ended, security patches may still be provided.
Obsolete (OBS)           | End-of-Service (EOS)     | End-of-Service (EOS)     | High - Product features and updates as well as security patches have ended.

Lifecycle Stage tokens provide the current state of hardware, OS, and
software assets.

The Lifecycle stage information for hardware includes General Availability, End-of-
Sale, and Obsolete (equivalent to End-of-Service).

The term "Obsolete" was chosen because the acronym for End-of-Service (EOS) is the
same as End-of-Sale, which would create a conflict.

Values for the hardware.lifecycle.stage token include the following: EOS, GA, INTRO,
Not Applicable, OBS, Unknown

OS & SOFTWARE LIFECYCLE

General availability (GA) - When the product became available for purchase.
End-of-Life (EOL) - No longer marketing, selling, building new features, or promoting
the product (security patches may still be provided).
End-of-Service (EOS) - Date the product is no longer serviced via upgrades, patches, or
maintenance.

Values for the operatingSystem.lifecycle.stage token include: EOL, EOL/EOS, GA,
Not Applicable, Unknown

Values for the software:(lifecycle.stage:value) token include: EOL, EOL/EOS, GA, Not
Applicable, OS Dependent, Unknown

75
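As an added example (not Qualys code), the block below maps the lifecycle token values listed above to the risk levels in the table, resolving the ambiguity the notes point out: EOS is End-of-Sale for hardware but End-of-Service for OS and software, and OBS is the hardware equivalent of End-of-Service. It then rolls each asset up into the gap categories an asset-centric report would count. Everything beyond the page is an assumption and is marked as such: INTRO is treated like GA, the combined value EOL/EOS is read as "past End-of-Service", OS Dependent software takes the risk of the host OS, and Not Applicable/Unknown are reported as "unknown" rather than silently treated as safe. The inventory records are constructed.

```python
"""Added example (not Qualys code): lifecycle token value -> associated risk,
plus per-asset gap categories. Constructed inventory; see assumptions in docstrings."""

# Risk per (asset class, token value), from the page's table.
# Assumption: INTRO (hardware) is treated like GA; EOL/EOS means past End-of-Service.
RISK_BY_CLASS = {
    "hardware": {"INTRO": "low", "GA": "low", "EOS": "elevated", "OBS": "high"},
    "os":       {"GA": "low", "EOL": "elevated", "EOL/EOS": "high"},
    "software": {"GA": "low", "EOL": "elevated", "EOL/EOS": "high"},
}
# Ordering used to pick the worst risk; "unknown" ranks above "low" on purpose
# so that Not Applicable / Unknown values are never reported as safe.
RANK = {"low": 0, "unknown": 1, "elevated": 2, "high": 3}


def stage_risk(asset_class, stage, os_stage=None):
    """Risk for one lifecycle token value of the given asset class.
    'EOS' on hardware is End-of-Sale (elevated); on OS/software the End-of-Service
    state is carried by 'EOL/EOS' (high). Assumption: 'OS Dependent' software
    inherits the risk of the host OS stage; anything unmapped is 'unknown'."""
    if asset_class == "software" and stage == "OS Dependent":
        return stage_risk("os", os_stage) if os_stage else "unknown"
    return RISK_BY_CLASS[asset_class].get(stage, "unknown")


def asset_gaps(asset):
    """Gap categories for one asset, named like the report summary cards.
    Assumed mapping: OS/software 'EOL/EOS' -> 'EOS ...', 'EOL' -> 'EOL ...'."""
    gaps = set()
    hw, os_stage = asset["hardware_stage"], asset["os_stage"]
    if hw == "OBS":
        gaps.add("OBS Hardware")
    elif hw == "EOS":
        gaps.add("EOS Hardware")
    if os_stage == "EOL/EOS":
        gaps.add("EOS OS")
    elif os_stage == "EOL":
        gaps.add("EOL OS")
    for _name, stage in asset["software"]:
        if stage == "EOL/EOS":
            gaps.add("EOS Software")
        elif stage == "EOL":
            gaps.add("EOL Software")
    return sorted(gaps)


def worst_risk(asset):
    """Highest risk across hardware, OS and every installed software release."""
    os_stage = asset["os_stage"]
    risks = [stage_risk("hardware", asset["hardware_stage"]), stage_risk("os", os_stage)]
    risks += [stage_risk("software", st, os_stage) for _n, st in asset["software"]]
    return max(risks, key=RANK.__getitem__)


# Constructed inventory records holding token values only.
INVENTORY = {
    "db-legacy-01": {"hardware_stage": "EOS", "os_stage": "EOL",
                     "software": [("Java", "EOL/EOS"), ("Office", "GA"),
                                  ("Python", "OS Dependent")]},
    "ws-new-42": {"hardware_stage": "GA", "os_stage": "GA",
                  "software": [("Chrome", "GA")]},
    "appliance-7": {"hardware_stage": "OBS", "os_stage": "Unknown", "software": []},
}


def gap_summary():
    """Counts per gap category across the inventory, like the report cards."""
    counts = {}
    for asset in INVENTORY.values():
        for gap in asset_gaps(asset):
            counts[gap] = counts.get(gap, 0) + 1
    return counts


if __name__ == "__main__":
    for name, asset in INVENTORY.items():
        print(name, worst_risk(asset), asset_gaps(asset))
    print(gap_summary())
```

Note that passing the hardware vocabulary to the software classifier (`stage_risk("software", "EOS")`) yields "unknown" rather than a wrong risk level, which is the safer failure mode when building widgets from the three different token value sets.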
LAB

Product Lifecycle Management

Please consult pages 43-45 in the Lab Tutorial
Supplement for instructions to perform this lab activity.

5 min.
Tutorial begins on page 45

This lab will walk you through the steps to understand how CSAM provides vital
information regarding product lifecycle stages.

Steps:
1. Display all EOL software from the Product Lifecycle tile on the Getting Started
page
2. Click Commercial on the faceted search
3. The dataset is all EOL Commercial software
4. Display all EOS hardware from the Product Lifecycle tile on the Getting Started
page
5. View Asset Details – System Information
6. View Asset Details – Installed Software

76
This section helps you to define and create a list of Authorized and Unauthorized
software and track the result in your IT environment.
Need for Software Authorization

Control 2: Inventory and Control of Software Assets

CSC 2-1: Establish and Maintain a Software Inventory
CSC 2-2: Ensure Authorized Software is Currently Supported
CSC 2-3: Address Unauthorized Software
CSC 2-4: Utilize Automated Software Inventory Tools
CSC 2-5: Allowlist Authorized Software
….
https://www.cisecurity.org/controls/

Proactive tracking of unauthorized and authorized software is a key tool to reduce
security risks and improve the health of your assets. We often see customers driven
by regulatory or other requirements that need a security policy defining authorized
and unauthorized software lists, and a way to implement such policies.

The Center for Internet Security (CIS) Critical Security Control 2 (CSC 2) is focused on
the Inventory of Authorized and Unauthorized Software. It states that organizations
must:
"Actively manage (inventory, track, and correct) all software (operating systems and
applications) on the network so that only authorized software is installed and can
execute, and that unauthorized and unmanaged software is found and prevented
from installation or execution".

Organizations need an easy way to set up a policy and operationalize it in their IT
inventory.

CSAM allows you to define software authorization rules and apply them to a selected
set of assets.

78
Tracking Authorized & Unauthorized Software
Define, track, and alert installations of authorized/unauthorized software

• Define software rules for a specific scope by asset tags
• Rules can include lists of authorized and unauthorized software products,
including software that needs review
• Identify and track assets with unauthorized software installations
• Establish structured alerts for at-risk applications

In CSAM, you can create rules to define software authorization (required, authorized,
unauthorized, and needs review). Rules help you track and report authorized,
unauthorized, and missing software installations based on user-defined lists.

For example, your organization may have a policy that states no web browser apps
should be allowed on production database assets (because many vulnerabilities are
identified on browsers). In this example, you can identify your production database
assets using dynamic tags and set up an Unauthorized rule identifying browser apps
of any version. From there, you can set up rule-based alerting for monitoring
purposes, use the interactive report to identify security gaps; or use authorization
tokens to make widgets for monitoring on a dashboard.

79
Create Rules

Software & Asset Purge Rules can be created in the Rules section of CSAM

80 Qualys, Inc. Corporate Presentation

You can create SW Authorization and Asset Purge Rules from the Rules section of
CSAM.

A second method, shown in the slide picture, is from the Software view of the
Inventory section: select software from the dataset and, on the quick actions menu,
add it to a rule.

You can create as many rules as you need.

Asset Purge Rules can be created for Cloud Agents or Cloud Provider metadata. The
rule will run daily once it is created.

80
Software Rule Types

Create rules to track software that is required, authorized, unauthorized, or
needs a manual review

81 Qualys, Inc. Corporate Presentation

To help you meet the objective of CIS Control 2, CSAM provides three types of
software rules:
1. Authorized
2. Unauthorized
3. Needs Review

The fourth status, Required, comes from the option "Add Software from Golden Image
Asset", which can be used to generate a software rule that defines a required software
stack. Once the golden image asset is selected, its software stack will be marked as
Required. Then you can scope the rule to your production assets to report if they have
missing software. The use case for this is to standardize the software stack of your
production assets in order to detect security gaps.

There is a custom report in CSAM that reports assets missing required software. The
following query tokens can be used to manually locate assets missing required
software:

asset.hasMissingSoftware
missingSoftware.category1
missingSoftware.category2
missingSoftware.name
missingSoftware.product
missingSoftware.publisher

Note that the software inventory data here come from authenticated scans from a
scanner appliance or Cloud Agent scans of assets associated with the selected Asset
Tag(s). Assets covered only by unauthenticated scans have no software inventory to
evaluate, so they will not show up as missing (or having) any software.

81
Rule Precedence

• Rules at the top of the list have precedence over the rules below
• Click the “Reorder” button to move rules higher or lower

Rules at the top have precedence over the rules below. Use the “Reorder” button to
adjust the order of your rules.

By default, any newly created rule is placed at the bottom of the list in Disabled
status.
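An added example, not Qualys code, that evaluates software authorization rules the way the Software Rule Types and Rule Precedence slides describe them: each rule is scoped by asset tags, carries Authorized, Unauthorized and Needs Review lists plus Required entries (as the golden-image option produces), rules higher in the list take precedence, and a freshly created rule is Disabled until someone enables it. The rules and the inventory are constructed; matching on (product, major version) is an assumption about how a version criterion might be expressed, not a description of the CSAM wizard, and "first in-scope rule that defines Required entries" is an assumed precedence semantic for missing-software checks.

```python
"""Added example (not Qualys code): rule evaluation with tag scope, precedence,
disabled rules, and missing-required-software detection. Constructed data."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    scope_tags: set           # rule applies to assets carrying any of these tags
    enabled: bool
    authorized: set = field(default_factory=set)
    unauthorized: set = field(default_factory=set)
    review: set = field(default_factory=set)
    required: set = field(default_factory=set)


ANY = "*"  # version wildcard in a (product, major_version) entry (assumed format)

# Constructed rule list in precedence order: the top rule wins.
RULES = [
    Rule("DB servers: no browsers", {"Type: Database Server"}, enabled=True,
         authorized={("Microsoft SQL Server", ANY)},
         unauthorized={("Google Chrome", ANY), ("Mozilla Firefox", ANY)},
         required={("Qualys Cloud Agent", ANY)}),
    Rule("All servers baseline", {"Type: Server"}, enabled=True,
         authorized={("Google Chrome", ANY), ("Qualys Cloud Agent", ANY)},
         unauthorized={("iTunes", ANY)},
         review={("Java", "8")}),
    Rule("Draft rule", {"Type: Server"}, enabled=False,   # new rules start Disabled
         unauthorized={("Qualys Cloud Agent", ANY)}),
]


def _matches(entry, product, version):
    name, major = entry
    return name == product and (major == ANY or major == version.split(".")[0])


def classify(asset_tags, product, version, rules=RULES):
    """(status, rule name) for one installed release. The first enabled rule whose
    scope overlaps the asset's tags and whose lists mention the product decides;
    rules further down are never consulted for that product."""
    for rule in rules:
        if not rule.enabled or not (rule.scope_tags & asset_tags):
            continue
        for status, entries in (("required", rule.required),
                                ("unauthorized", rule.unauthorized),
                                ("needs_review", rule.review),
                                ("authorized", rule.authorized)):
            if any(_matches(e, product, version) for e in entries):
                return status, rule.name
    return "unclassified", None


def missing_required(asset_tags, installed, rules=RULES):
    """Required products of the highest-precedence in-scope enabled rule that
    defines any, minus what is installed (assumed precedence semantics)."""
    have = {product for product, _ in installed}
    for rule in rules:
        if rule.enabled and rule.scope_tags & asset_tags and rule.required:
            return sorted(p for p, _ in rule.required if p not in have)
    return []


def audit(asset, rules=RULES):
    """Security-gap findings for one constructed asset record."""
    findings = {"unauthorized": [], "needs_review": []}
    for product, version in asset["software"]:
        status, rule = classify(asset["tags"], product, version, rules)
        if status in findings:
            findings[status].append((product, version, rule))
    findings["missing_required"] = missing_required(asset["tags"], asset["software"], rules)
    return findings


# Constructed inventory.
ASSETS = {
    "db01": {"tags": {"Type: Database Server", "Type: Server"},
             "software": [("Microsoft SQL Server", "15.0"), ("Google Chrome", "120.0")]},
    "app01": {"tags": {"Type: Server"},
              "software": [("Google Chrome", "120.0"), ("Java", "8.0.392"),
                           ("Qualys Cloud Agent", "5.6")]},
}

if __name__ == "__main__":
    for name, asset in ASSETS.items():
        print(name, audit(asset))
```

The same Chrome install is Unauthorized on db01 (the database rule sits above the baseline and wins) but Authorized on app01. Reversing the list order (`rules=RULES[::-1]`) flips db01's verdict, which is exactly why the Reorder step matters; and the disabled draft rule that would have flagged the Cloud Agent never takes effect until it is enabled.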

82
LAB

Software Authorization

Please consult pages 46-52 in the Lab Tutorial
Supplement for instructions to perform this lab activity.

10 min.
Software Authorization from Rules Tab, page 49
Software Authorization from Software Tab, page 51

This lab will walk you through the steps to configure rules for software authorization
in your Qualys account.

Steps:
1. Click Manage Rules from the Software Authorizations tile on the CSAM Getting
Started page
2. Create Rule
3. Select Database Servers tag to scope the rule
4. Add Commercial software to the list to an Authorize rule
5. Specify version criteria
6. Add Needs Reviewed Software
7. Show that the rule is created in Disabled status upon creation
8. Enable the rule manually
9. Discussion of the priority order
10. Reorder a set of rules

Steps for the second lab:

1. CSAM – Inventory – Software
2. View Authorization Rule
3. Add To Authorization Rule
4. Select Authorize
5. Select Create New Rule
6. The rule creation wizard has been prepopulated to authorize the Cloud Agent
software, specific update

83
This is the third, and final, major section of the agenda covering dashboards, reports,
and configuring rule-based alerting.

Report and Respond

[Diagram: CyberSecurity Asset Management three-stage cycle (1 Start, 2, 3, then
Repeat); this section is stage 3, Report and Respond]

• Visualize Data (use dashboards to identify at-risk assets)

• Reports (configure reports for IT and compliance requirements)

• Configure Rule-Based Alerts (define criteria for alert notifications)

The final step (step 3) involves using reports (templates and dashboards) to keep
track of all asset inventory and using rule-based alerts to notify you of critical events
such as unauthorized software installations, low disk space events, etc.
85
This topic focuses on using dashboards to easily and quickly see what parts of
your environment are at risk.

Use Dashboards for Better Visualization

• Dashboards are interactive reports and offer a powerful way to visualize data in
one place
• CSAM supports the Unified Dashboard Framework (UDF) which brings together
information from multiple Qualys applications into a single place for
visualization

Three ways to build a dashboard, in increasing order of effort:
• Create Dashboards using Templates (least effort), OR
• Import Dashboards and Widgets from Qualys Community (some effort), OR
• Create Dashboards and Widgets from scratch (most effort)

Dashboards and Reporting Resources - Start Here
https://qualys-secure.force.com/discussions/s/article/000005975
How To - Import a Dashboard
https://qualys-secure.force.com/discussions/s/article/000006212

Queries, widgets, and dashboards can be used across multiple apps in Qualys,
including in CSAM. These reporting tools help you get the required data fast.

CSAM supports the Unified Dashboard Framework (UDF), which brings information
from all Qualys applications into a single place for visualization. UDF is a
dashboarding framework and platform service consumed by the other Qualys
products to enhance their existing dashboard capabilities.

You can create your dashboard using existing widget templates we provide, customize
existing widgets, or create your widgets from scratch to suit your needs.

87
Track Database Instances and Security Gaps

• Discover, Inventory & Categorize Databases with criticality
• Identify unmanaged Database server assets
• Track & Manage Unauthorized database software policies
• Manage Database lifecycle for EOL, EOS
• Apply key business data from CMDB to gain additional context

Using dashboards, you can get a better visualization of your overall database
inventory and track its security gaps.
You can use dashboard widgets to:
• Discover and organize your database apps and instances
• Identify unmanaged database server assets
• Identify Internet-exposed database servers
• Track and manage unauthorized database instances using security policies
• Track and manage the database software lifecycle
• Use business information synchronized from ServiceNow CMDB sync (support
group info, business apps with database servers, etc.) to apply business context
and prioritize remediation of critical assets

The picture in the slide is a dashboard built to show the asset health for all global
database servers.

88
Reduce Risk by Managing Software Lifecycle
• Looking at individual assets or software for lifecycle information is time-consuming
• Use dashboards to see parts of your environment that are at risk quickly
• Know about upcoming lifecycle events to plan ahead

End-of-Support (EOS) software is no longer actively managed or patched by vendors.
Over time, such software becomes more and more susceptible to vulnerabilities
because the attack surface is no longer a moving target: newly found flaws are never
fixed, so working attack scripts stay valid and can be distributed to less skilled
attackers who do not have to understand how they work to use them. Organizations
also need to know ahead of time about software going EOL or EOS, since it takes
months of planning to address. Qualys hears about situations where organizations
realize a software product is going EOS only a month or two beforehand. Then the
organization must scramble to upgrade or remove such software, causing huge
upheaval in their business.

You need to see quickly which parts of your environment are at risk; there is no time
to look at each asset or software product. That is where visualization through
dashboards comes into play.

The picture in the slide is a dashboard built to monitor EOL and End of Support
software for an organization’s assets.

89
Out-of-Box Dashboard Templates

90 Qualys, Inc. Corporate Presentation

You can use the out-of-box Dashboard and Widget Templates, or you can create your
custom Dashboards and Widgets.

The picture in this slide shows the External Attack Surface Management dashboard
template.

90
Visually Monitor the External Attack Surface

The EASM out-of-box template has prebuilt widgets for monitoring all Internet-
exposed devices.

91
Create Widget From Query

Widgets can be added to a dashboard using the Widget template library, or the
hamburger menu in the Inventory section.

The Widget template library is accessible from the dashboard section by clicking on
the “plus sign” icon to add a widget. You can select from out-of-box widget templates
that report CSAM data or other Qualys app modules.

92
LAB

Visualize Data Using Dashboards

Please consult pages 53-56 in the Lab Tutorial
Supplement for instructions to perform this lab activity.

5 min.
Tutorial begins on page 56

This lab will walk you through the steps of using dashboards for the visualization of
key assets and security data in your Qualys account.

Steps:
1. Viewing of a database dashboard
2. Viewing widget showing database servers visible on the Internet
3. View Asset Details – Asset Summary to see public IP and confirm asset is visible
on the Internet
4. View Asset Details – Installed Software to confirm Microsoft SQL Server is
installed
5. Viewing widget showing unmanaged assets with database software installed
6. View Asset Details – Traffic Summary to view incoming and outgoing traffic to the
asset
7. The unmanaged database asset is a security risk found by the Passive Sensor
8. Viewing widget showing database servers with the highest asset criticality
9. Filter with the faceted search to only Open-Source database software
10. Verify the Software Lifecycle and software authorization rules that have been
applied to know security gaps

93
This section provides an overview of steps to build customized reports for tracking
asset and software inventory, compliance, and security gaps.
Reporting

• Generate reports to meet industry and standards compliance needs

• Two types of reports are available:


o Custom Inventory and Compliance Reports – Focused on showing
details and attributes of your asset and software inventory
o Interactive Report – Focused on identifying security gaps

CSAM allows you to create customized reports for assets, software, missing software,
FedRAMP compliance, and externally exposed assets. These reports are focused on
inventory data.

In addition, CSAM also provides an interactive workflow that helps users identify and
list security gaps across a set of assets of given asset tag(s).

95
Custom Inventory and Compliance Reports

• Select from out-of-the-box report templates
• Define asset scope and filter attributes displayed in the report

You can create five types of reports:

• Asset Details – shows a detailed report of the selected assets based on host
information (attributes).
• Software Details – shows a detailed report of the selected assets based on
software and host information (attributes).
• Compliance Report – shows a detailed report of the assets for FedRAMP
compliance based on software and host information (attributes).
• Missing Software Details – shows a detailed report of the selected assets based on
missing software and host information (attributes).
• Externally Exposed Asset Details – shows a detailed report of the selected assets
based on EASM details (domain, subdomain, vulnerabilities, open ports,
certificate, whois, application stack).

96
Report Source

In the Report Source step, you can define the scope of the assets to be included in
the report. You can select assets with asset name, asset tag, or use query tokens. You
can also define the source type to only include Managed, Unmanaged, or All assets.

97
Display Options

The report type determines the selectable column headers in the CSV report

In the Report Display step, you can select attributes for the column headers. The slide
picture shows an example that the attributes you can select depend on the report
type.

Additionally, you can set up Notifications via an alert action.

Step 4 of the wizard allows for the report to be regularly scheduled.

98
Interactive Report

• Identify security and configuration gaps on critical assets

• Similar to the VMDR Prioritization Report

Like the VMDR Prioritization report, the interactive report provides an interactive
workflow that helps users identify and list security gaps across a set of assets selected
by asset tag(s). It focuses on issues rather than the entire inventory, so users can
quickly see which issues are present and narrow them down with interactive filters.

The use case is to identify security gaps, instead of reporting inventory details or
attributes. You can filter off the Asset Criticality Score, business context (from the
CMDB sync), HW/OS categories, and the lifecycle and unauthorized rules that you
have setup.

In the slide picture, the EASM tag is used to generate a report showing security gaps
of all Internet-exposed assets discovered by EASM.

99
View Matching Security Gap Results

• Asset-Centric – a result list of assets matching any of the selected security gaps
• Software-Centric – a result list of software security gaps
• Missing Software-Centric – a result list of missing required software

Asset-Centric Results
As a report user, you can view the assets that match ANY (or multiple) of the
"Security Gaps" you configured for review in the Interactive Report.
Just below the "Assets" tab, you can see a summary of counts of issues:
• Unauthorized Software
• Missing Required Software
• EOS Software
• EOL Software
• OBS Hardware
• EOS Hardware
• EOS OS
• EOL OS

Clicking on these cards/numbers filters assets per the identified security gap.

Software-Centric Results
As a report user, you can view the list of software that matches ANY (or multiple) of
the "Software Security Gaps" you configured for review in the Interactive Report.
Below the "Software" tab, there is a summary of counts of issues:
• Unauthorized Software
• End-of-Support Now
• End-of-Support Within 3 Months
• End-of-Life Now
• End-of-Life Within 3 Months

Clicking on these cards/numbers filters the corresponding Software Releases.

Missing Software-Centric Results

As a report user, you can view the list of missing required software on the assets with
security gaps. The software name, publisher, category, and number of installations are
displayed.

100
Security Gaps Widget

The Interactive Report can be exported as a widget to visually monitor security gaps on
a dashboard.

Exporting the Interactive Report to your dashboard will generate a Security Gaps
widget.

The report can also be saved or downloaded as a CSV or PDF file.

LAB

External Attack Surface Reports

Please consult pages 57-64 in the Lab Tutorial Supplement for instructions to perform
this lab activity.

10 min.
EASM Domain Details Report, page 61
EASM Tag Interactive Report, page 64

This lab will show how to create two different EASM reports. The first activity will
generate a report using the Domain Details template on two assets discovered by EASM.
The second activity will show security gaps for assets that have received the EASM
tag through discovery.

Steps:
1. Discussion of CSV report types
2. Create Domain Details Report
3. Discussion of the report wizard
4. Add assets to scope the report
5. Discussion of the report display and schedule
6. View the report generated and download

Steps for the second lab:
1. CSAM – Reports – Create Interactive Report
2. Select EASM tag
3. Discussion on the Interactive Report information and filtering
4. Generate Report
5. Discussion on viewing and how to filter the report dataset
6. Save as a PDF file
7. Export the report to the dashboard as a widget
8. Verify the report in the report list

102
9. Verify widget data

102
Alerting

Immediately notify your teams of important security gaps impacting the overall
health and security hygiene of critical assets.

• Rule/QQL-driven alerts
• Out-of-box templates
• Email, Slack, or PagerDuty notifications

This section covers rule-based alert configuration to notify users about asset health
issues requiring their attention.

To effectively manage your inventory, you should set up Responses (notifications) to
alert you about conditions requiring attention (e.g. hardware or software end-of-life
events, installations of unauthorized software, etc.).

You can configure rules to monitor critical events that satisfy the conditions specified
in a rule and send you alert messages if events/incidents matching the condition are
detected. The alert message will have the event details.

Configure New Action

Step 1: Configure a rule action that will be referenced in the alert rule.

Step 1 – Configure a rule action that will be referenced in the alert rule. You can
configure a rule action under the Actions tab in the Response section. Provide a name
and a description for the action and select an action from the Select Action drop-
down. Provide the settings for configuring the messaging system that Qualys will use
to send alerts.

Action Types

CSAM supports three (3) mechanisms for alerting:

• Select Send Email (Via Qualys) to receive email alerts. Specify the email IDs of
  the recipients who will receive the alerts, the subject of the alert message, and the
  customized alert message. Which of the two email options is shown depends on your
  account's configuration settings.
• Select "Send to PagerDuty" to send alerts to your PagerDuty account. Provide the
  service key that CSAM requires to connect to your PagerDuty account. In Default
  Message Settings, specify the subject and the customized alert message.
• Select "Post to Slack" to post alert messages to your Slack workspace. Provide the
  Webhook URI that CSAM will use to connect to your Slack workspace and post alert
  messages. In Default Message Settings, specify the subject of the alert message and
  the customized alert message.

Treat the PagerDuty service key and the Slack webhook URI as credentials: anyone who
obtains the webhook URI can post arbitrary messages into that channel, so do not paste
it into tickets, chat, or screenshots, and rotate it if it is exposed.

Configure New Rule

Step 2: Configure a rule specifying events you want to monitor, criteria for
triggering the rule, and actions to be taken on those events.

Step 2 – Configure a rule to generate alerts for critical events. You can configure rules
under the Rule Manager tab in the Response section.

When a rule is triggered based on a condition match, CSAM will send you alerts using
the configured action type that will have details of the events.

Rule Configuration

Provide the required details in the respective sections to create a new rule:
- In the Rule Information section, provide a name and description of the new rule in
  the Rule Name and Description fields.
- In the Rule Query section, specify a query for the rule. The system uses this query
  to search for events. The query illustrated in the slide looks for all unauthorized
  software installations detected in the last day. Use the Test Query button to test
  your query; this indicates whether any events matching the defined criteria are
  currently present in the environment. A query that returns no matches today is not
  necessarily wrong, but check that it is not silently scoped to zero assets.
- Click the Sample Queries link to select from predefined queries. These queries cover
  product lifecycle, software authorization, or other items such as open ports or
  insufficient server storage.

External Attack Surface Alerts

You can create rule-based alerts for your externally exposed assets with queries, or by
using an existing template.

Use the following tokens to create rule-based EASM alerts:

• Asset.org.name
• Asset.isp
• Asset.asn
• Asset.domain
• Asset.subdomain
• whoIs.creationDate
• whoIs.registrantOrg
• whoIs.registrantEmailId
• whoIs.registrar

Examples of alerts:
You can set an alert for the externally exposed assets discovered in the last 8 days
from a particular domain.
You can set an alert for externally exposed assets created in the last 2 hours.
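The following is an added example, not Qualys code and not a reproduction of the QQL queries on the slides. It emulates, on a constructed inventory, what the Security Gaps cards (Unauthorized, End-of-Support/End-of-Life now or within 3 months) and the two alert rules discussed above (unauthorized software found in the last day; an EASM asset in a given domain discovered in the last 8 days) actually compute, and how message tokens are filled once the search completes. The asset and software names, dates, the 90-day reading of "within 3 months", and the token names are all assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


NOW = utc(2024, 6, 1)          # fixed clock so the example is reproducible
SOON = timedelta(days=90)      # assumed width of the report's "within 3 months" window


@dataclass
class Software:
    name: str
    publisher: str
    authorized: bool                    # False = flagged by your unauthorized-software rule
    eos: Optional[datetime] = None      # end-of-support date, None if not announced
    eol: Optional[datetime] = None      # end-of-life date
    first_found: datetime = NOW         # when the installation was first detected


@dataclass
class Asset:
    name: str
    criticality: int                    # asset criticality score
    hw_category: str
    os: str
    domain: str = ""                    # set only for EASM-discovered assets
    discovered: datetime = NOW
    software: List[Software] = field(default_factory=list)


def lifecycle_state(date: Optional[datetime], now: datetime = NOW) -> Optional[str]:
    """'now' if the date has passed, 'soon' if inside the 3-month window, else None."""
    if date is None:
        return None
    if date <= now:
        return "now"
    if date <= now + SOON:
        return "soon"
    return None


def software_gaps(asset: Asset, now: datetime = NOW) -> Dict[str, Set[str]]:
    """Software-centric view: the gap cards each installed software lands on."""
    gaps: Dict[str, Set[str]] = {}
    for sw in asset.software:
        labels: Set[str] = set()
        if not sw.authorized:
            labels.add("Unauthorized Software")
        for kind, date in (("End-of-Support", sw.eos), ("End-of-Life", sw.eol)):
            state = lifecycle_state(date, now)
            if state == "now":
                labels.add(f"{kind} Now")
            elif state == "soon":
                labels.add(f"{kind} Within 3 Months")
        if labels:
            gaps[sw.name] = labels
    return gaps


def gap_summary(assets: List[Asset], now: datetime = NOW) -> Counter:
    """Asset-centric view: number of assets carrying each gap type (one count per asset)."""
    counts: Counter = Counter()
    for a in assets:
        counts.update(set().union(*software_gaps(a, now).values()))
    return counts


# Alert rules return the matched items; an empty list means "no alert for this asset".
def rule_unauthorized_last_day(asset: Asset, now: datetime) -> List[str]:
    return [s.name for s in asset.software
            if not s.authorized and s.first_found >= now - timedelta(days=1)]


def rule_easm_new_in_domain(asset: Asset, now: datetime,
                            domain: str = "example.com", days: int = 8) -> List[str]:
    recent = asset.discovered >= now - timedelta(days=days)
    return [asset.name] if asset.domain == domain and recent else []


# Templates carry tokens (placeholders) that are only filled after the search completes.
RULES = {
    "unauthorized-last-1d": (
        rule_unauthorized_last_day,
        "Unauthorized software on {asset.name} (criticality {asset.criticality}, "
        "{asset.hw_category}, {asset.os}): {matches}",
    ),
    "easm-new-in-domain-8d": (
        rule_easm_new_in_domain,
        "New Internet-exposed asset {asset.name} in {asset.domain} "
        "discovered {asset.discovered:%Y-%m-%d}",
    ),
}


def evaluate(rule_name: str, assets: List[Asset], now: datetime = NOW) -> List[str]:
    """Run one rule over the inventory and render one alert per matching asset."""
    predicate, template = RULES[rule_name]
    alerts = []
    for a in assets:
        matches = predicate(a, now)
        if matches:
            alerts.append(template.format(asset=a, matches=", ".join(sorted(matches))))
    return alerts


# Constructed sample inventory (hypothetical hosts and dates, not real data).
INVENTORY = [
    Asset("web01", 4, "Server", "Ubuntu 22.04", domain="example.com",
          discovered=NOW - timedelta(days=3), software=[
              Software("nginx", "F5", True),
              Software("Python 2.7", "PSF", True, eos=utc(2020, 1, 1), eol=utc(2020, 1, 1)),
              Software("TeamViewer", "TeamViewer", False, first_found=NOW - timedelta(hours=6)),
          ]),
    Asset("db01", 5, "Server", "RHEL 8", discovered=NOW - timedelta(days=400), software=[
        Software("PostgreSQL 12", "PGDG", True, eos=utc(2024, 8, 15)),
        Software("LegacyAgent", "Unknown", False, first_found=NOW - timedelta(days=10)),
    ]),
    Asset("vpn01", 3, "Appliance", "Linux", domain="example.com",
          discovered=NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    print(gap_summary(INVENTORY))
    for rule in RULES:
        for alert in evaluate(rule, INVENTORY):
            print(f"[{rule}] {alert}")
```

Note the two different counting conventions the report uses: the software-centric cards count software releases, while the asset-centric cards count assets, so db01 appears once under Unauthorized Software even though a second unauthorized package on it would not raise that count. The "last 1 day" rule also shows why the Test Query button matters: LegacyAgent on db01 is unauthorized but was found ten days ago, so it is correctly excluded from the alert and only surfaces in the report.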

Insert Tokens

• Insert tokens in the message body to include relevant asset information in the
  alert
• Supported for all action types (Email, Slack, PagerDuty)
• Only tokens that help in asset scoping or those that are directly related to the
  alert evaluation are supported

Data values for inserted tokens are populated when the search completes.

The Recipient, Subject, and Message are automatically populated within the rule
based on the selected Actions type.

Qualys also supports using tokens within the message body, which work as
placeholders or variables for data values that populate when the search
completes. You can include a variety of search tokens like asset search, cloud
metadata search, and others. All 3 action types (Email, Slack, PagerDuty) support
using tokens in the message body.

Only tokens that help in asset scoping or those directly related to the alert evaluation
are supported for alert rule creation. For instance, an AWS/Azure/GCP search token is
only applicable if you have the relevant cloud connector configured in your Qualys
account.

When a condition matching the rule is detected, the generated alert will include the
asset name, asset criticality score, hardware category, OS of the asset, etc. depending
on the tokens inserted in the message body.

Manage Alerts

Step 3: Monitor all the alerts that were sent after the rules were
triggered.

Step 3 – Monitor all the alerts sent after the rules are triggered.

The Activity tab lists all the alert activities for the selected timeframe. Here you will
see each alert, rule name, success or failure in sending the alert message, action
chosen for the rule, matches found for the rule, and the user who created the rule.

Here you can search for alerts using our search tokens, select a period to view the
rules triggered during that time frame, click any bar to jump to the alerts triggered in
a certain timeframe, and use these filters to group the alerts by rule name, action
name, email recipients and status.

LAB

Rule-Based Alerts

Please consult pages 65-68 in the Lab Tutorial Supplement for instructions to perform
this lab activity.

5 min.
Tutorial begins on page 68

The tutorial will step you through the process of creating a rule-based alert.

Steps:
1. Discussion of the alert options (email, Slack, PagerDuty)
2. CSAM – Responses section
3. Define an Email Action
4. Setup of the Email Action
5. Rule Manager – New Rule
6. Use pre-defined sample query for found Unauthorized Software in the last 1 day
7. Test the query for matches
8. Select the Email Action that was configured
9. Insert Qualys tokens into the email message body
10. Save the rule-based alert
11. Verify the last triggered date and time
12. Verify alerts triggered in the Activity section
13. Faceted search can be used to filter the search for triggered rules

Thank You
[email protected]

Please contact the Qualys Training Team ([email protected]) with your questions.
