vuln.qualys
Introduction
The tags beginning with vuln.qualys identify events generated by Qualys.
Valid tags and data tables
The full tag may have up to 4 levels. The first two are fixed as vuln.qualys. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Technology | Brand | Type | Subtype |
---|---|---|---|
vuln | qualys | hosts | |
vuln | qualys | hostdetections | xml |
vuln | qualys | useractivitylog | |
vuln | qualys | vulnerabilities | |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
vuln.qualys.hosts | vuln.qualys.hosts |
vuln.qualys.hostdetections (source tag used by collector versions earlier than 1.5.0) | vuln.qualys.hostdetections |
vuln.qualys.hostdetections.xml (source tag used by collector versions 1.5.0 and later) | vuln.qualys.hostdetections |
vuln.qualys.useractivitylog | vuln.qualys.useractivitylog |
vuln.qualys.vulnerabilities | vuln.qualys.vulnerabilities |
How is the data sent to Devo?
To send logs to these tables, Devo uses a collector that retrieves the required events and sends them to your Devo domain. Contact us to start sending your logs to Devo using the collector.
Log samples
The following are sample logs sent to each of the vuln.qualys data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
vuln.qualys.hosts
```
2021-01-20 15:27:12.704 localhost=127.0.0.1 vuln.qualys.hosts: <ID>1000001</ID><IP>192.168.1.2</IP><TRACKING_METHOD>Cloud Agent</TRACKING_METHOD><NETWORK_ID>0</NETWORK_ID><DNS><![CDATA[hostname.my.corp.local]]></DNS><DNS_DATA><HOSTNAME><![CDATA[hostname]]></HOSTNAME><DOMAIN><![CDATA[my.corp.local]]></DOMAIN><FQDN><![CDATA[hostname.my.corp.local]]></FQDN></DNS_DATA><CLOUD_PROVIDER><![CDATA[AWS]]></CLOUD_PROVIDER><CLOUD_SERVICE><![CDATA[EC2]]></CLOUD_SERVICE><CLOUD_RESOURCE_ID><![CDATA[id-resource]]></CLOUD_RESOURCE_ID><!-- <EC2_INSTANCE_ID> tag has been deprecated. Please refer to <CLOUD_RESOURCE_ID> tag for the same information //--><EC2_INSTANCE_ID><![CDATA[id-resource]]></EC2_INSTANCE_ID><OS><![CDATA[Linux]]></OS><QG_HOSTID><![CDATA[1234abcd-1234-5678-abcd-12345678abcg]]></QG_HOSTID><TAGS><TAG><TAG_ID>10000001</TAG_ID><NAME>Tag Name 1</NAME></TAG><TAG><TAG_ID>10000002</TAG_ID><NAME>Tag-Name-2</NAME></TAG><TAG><TAG_ID>10000003</TAG_ID><NAME>Tag-Name-3</NAME></TAG><TAG><TAG_ID>10000004</TAG_ID><NAME>Tag-Name-4</NAME></TAG><TAG><TAG_ID>10000005</TAG_ID><NAME>Tag Name 5</NAME></TAG><TAG><TAG_ID>10000006</TAG_ID><NAME>Tag_Name_6</NAME></TAG><TAG><TAG_ID>10000007</TAG_ID><NAME>Tag-Name-abcd-abcd-abcd-abcd-abcd-abcd-7</NAME></TAG><TAG><TAG_ID>10000008</TAG_ID><NAME>Tag-Name-8</NAME></TAG><TAG><TAG_ID>10000009</TAG_ID><NAME>Tag-Name-9</NAME></TAG></TAGS><LAST_VULN_SCAN_DATETIME>2021-03-12T01:00:00Z</LAST_VULN_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2021-03-12T01:00:00Z</LAST_VM_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DATE>2021-03-12T01:00:00Z</LAST_VM_AUTH_SCANNED_DATE>
2021-01-20 15:27:12.704 localhost=127.0.0.1 vuln.qualys.hosts: <ID>1000002</ID><IP>192.168.0.123</IP><TRACKING_METHOD>Cloud Agent</TRACKING_METHOD><NETWORK_ID>0</NETWORK_ID><DNS>server04.my.corp.local</DNS><DNS_DATA><HOSTNAME>server04</HOSTNAME><DOMAIN>my.corp.local</DOMAIN><FQDN>server04.my.corp.local</FQDN></DNS_DATA><NETBIOS>SERVER04</NETBIOS><OS>Windows Server 2012</OS><QG_HOSTID>1234abcd-1234-5678-abcd-12345678ab04</QG_HOSTID><TAGS><TAG><TAG_ID>10000001</TAG_ID><NAME>Tag Name 1</NAME></TAG><TAG><TAG_ID>10000002</TAG_ID><NAME>Tag-Name-2</NAME></TAG><TAG><TAG_ID>10000003</TAG_ID><NAME>Tag-Name-3</NAME></TAG><TAG><TAG_ID>10000004</TAG_ID><NAME>Tag-Name-4</NAME></TAG><TAG><TAG_ID>10000005</TAG_ID><NAME>Tag Name 5</NAME></TAG><TAG><TAG_ID>10000006</TAG_ID><NAME>Tag_Name_6</NAME></TAG><TAG><TAG_ID>10000007</TAG_ID><NAME>Tag-Name-abcd-abcd-abcd-abcd-abcd-abcd-7</NAME></TAG><TAG><TAG_ID>10000008</TAG_ID><NAME>Tag-Name-8</NAME></TAG><TAG><TAG_ID>10000009</TAG_ID><NAME>Tag-Name-9</NAME></TAG></TAGS><LAST_VULN_SCAN_DATETIME>2021-03-12T01:00:00Z</LAST_VULN_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2021-03-12T01:00:00Z</LAST_VM_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DATE>2021-03-12T01:00:00Z</LAST_VM_AUTH_SCANNED_DATE><USER_DEF><VALUE_1>CD2-My Location-State</VALUE_1><VALUE_2>My environment</VALUE_2><VALUE_3>CD2-My Location-State</VALUE_3></USER_DEF>
2015-06-10 07:54:08.921 local1=192.168.0.9 vuln.qualys.hosts: <ID>1234567</ID><IP>192.168.1.20</IP><TRACKING_METHOD>IP</TRACKING_METHOD><DNS><![CDATA[server01.somecorp.com]]></DNS><NETBIOS><![CDATA[SERVER01]]></NETBIOS><OS><![CDATA[Windows Server 2016 Standard 64 bit Edition]]></OS><QG_HOSTID><![CDATA[1234abcd-1234-5678-abcd-12345678abcd]]></QG_HOSTID><LAST_VULN_SCAN_DATETIME>2019-01-01T01:00:00Z</LAST_VULN_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2019-01-01T01:00:00Z</LAST_VM_SCANNED_DATE><LAST_VM_SCANNED_DURATION>456</LAST_VM_SCANNED_DURATION><LAST_VM_AUTH_SCANNED_DATE>2019-01-01T01:00:00Z</LAST_VM_AUTH_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DURATION>456</LAST_VM_AUTH_SCANNED_DURATION><USER_DEF><VALUE_1><![CDATA[Code01]]></VALUE_1><VALUE_2><![CDATA[Server]]></VALUE_2></USER_DEF>
2015-06-10 07:54:08.922 local1=192.168.0.9 vuln.qualys.hosts: <ID>1234568</ID><IP>192.168.1.21</IP><TRACKING_METHOD>Cloud Agent</TRACKING_METHOD><DNS>server02</DNS><NETBIOS>SERVER02</NETBIOS><OS>Windows Server 2012 R2 Standard 64 bit Edition</OS><QG_HOSTID>1234abcd-1234-5678-abcd-12345678abce</QG_HOSTID><LAST_VULN_SCAN_DATETIME>2020-01-01T01:00:00Z</LAST_VULN_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2020-01-01T01:00:00Z</LAST_VM_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DATE>2020-01-01T01:00:00Z</LAST_VM_AUTH_SCANNED_DATE><COMMENTS>My comment</COMMENTS>
2021-01-20 15:27:12.704 localhost=127.0.0.1 vuln.qualys.hosts: <ID>123456</ID><IP>192.168.1.2</IP><TRACKING_METHOD>Cloud Agent</TRACKING_METHOD><NETWORK_ID>0</NETWORK_ID><DNS><![CDATA[hostname.my.corp.local]]></DNS><DNS_DATA><HOSTNAME><![CDATA[hostname]]></HOSTNAME><DOMAIN><![CDATA[my.corp.local]]></DOMAIN><FQDN><![CDATA[hostname.my.corp.local]]></FQDN></DNS_DATA><CLOUD_PROVIDER><![CDATA[AWS]]></CLOUD_PROVIDER><CLOUD_SERVICE><![CDATA[EC2]]></CLOUD_SERVICE><CLOUD_RESOURCE_ID><![CDATA[id-resource]]></CLOUD_RESOURCE_ID><!-- <EC2_INSTANCE_ID> tag has been deprecated. Please refer to <CLOUD_RESOURCE_ID> tag for the same information //--><EC2_INSTANCE_ID><![CDATA[id-resource]]></EC2_INSTANCE_ID><OS><![CDATA[Linux]]></OS><QG_HOSTID><![CDATA[1234abcd-1234-5678-abcd-12345678abcg]]></QG_HOSTID><LAST_VULN_SCAN_DATETIME>2021-03-12T01:00:00Z</LAST_VULN_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2021-03-12T01:00:00Z</LAST_VM_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DATE>2021-03-12T01:00:00Z</LAST_VM_AUTH_SCANNED_DATE>
2021-01-20 15:27:12.704 localhost=127.0.0.1 vuln.qualys.hosts: <ID>7933740</ID><IP>10.4.4.1</IP><TRACKING_METHOD>IP</TRACKING_METHOD><NETWORK_ID>63010</NETWORK_ID><DNS><![CDATA[10-4-4-1.sample.qualys.com]]></DNS><DNS_DATA><HOSTNAME><![CDATA[10-4-4-1]]></HOSTNAME><DOMAIN><![CDATA[sample.qualys.com]]></DOMAIN><FQDN><![CDATA[10-4-4-1.sample.qualys.com]]></FQDN></DNS_DATA><OS><![CDATA[Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP]]></OS>
2021-01-20 15:27:12.704 localhost=127.0.0.1 vuln.qualys.hosts: <ID>2872568</ID><IP>10.10.25.182</IP><TRACKING_METHOD>IP</TRACKING_METHOD><NETBIOS><![CDATA[COM-REG-SLES102]]></NETBIOS><OS><![CDATA[Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP / Linux 2.6]]></OS><LAST_VULN_SCAN_DATETIME>2017-02-05T19:48:17Z</LAST_VULN_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2017-02-05T19:48:17Z</LAST_VM_SCANNED_DATE><LAST_VM_SCANNED_DURATION>988</LAST_VM_SCANNED_DURATION><LAST_VM_AUTH_SCANNED_DATE>2017-02-05T19:48:17Z</LAST_VM_AUTH_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DURATION>988</LAST_VM_AUTH_SCANNED_DURATION><LAST_COMPLIANCE_SCAN_DATETIME>2016-10-09T16:23:26Z</LAST_COMPLIANCE_SCAN_DATETIME><LAST_SCAP_SCAN_DATETIME>2018-08-29T08:44:54Z</LAST_SCAP_SCAN_DATETIME><OWNER>utwrx_kg</OWNER><COMMENTS><![CDATA[#RFDS#@]]></COMMENTS><USER_DEF><VALUE_1><![CDATA[###$#R]]></VALUE_1><VALUE_2><![CDATA[###RFESF#]]></VALUE_2><VALUE_3><![CDATA[#RFE#]]></VALUE_3></USER_DEF><ASSET_GROUP_IDS>473828,474410,474821,475800,476176,477561,477562,478906,479441,479442,485951,548754,549447,553596,553598,558368,568715,572525,573976,573983,573985,607336,833161,891118,957062,1077977,1311813,1604575,1642904</ASSET_GROUP_IDS>
2021-01-20 15:27:12.704 localhost=127.0.0.1 vuln.qualys.hosts: <ID>135151</ID><IP>10.97.5.247</IP><TRACKING_METHOD>EC2</TRACKING_METHOD><DNS><![CDATA[i-0bb87c3281243cdfd]]></DNS><EC2_INSTANCE_ID><![CDATA[i-0bb87c3281243cdfd]]></EC2_INSTANCE_ID><OS><![CDATA[Amazon Linux 2016.09]]></OS><METADATA><EC2><ATTRIBUTE><NAME><![CDATA[latest/dynamic/instance-identity/document/region]]></NAME><LAST_STATUS>Success</LAST_STATUS><VALUE><![CDATA[us-east-1]]></VALUE><LAST_SUCCESS_DATE>2017-03-21T13:39:38Z</LAST_SUCCESS_DATE><LAST_ERROR_DATE></LAST_ERROR_DATE><LAST_ERROR><![CDATA[]]></LAST_ERROR></ATTRIBUTE><ATTRIBUTE><NAME><![CDATA[latest/dynamic/instance-identity/document/instanceId]]></NAME><LAST_STATUS>Success</LAST_STATUS><VALUE><![CDATA[i-0bb87c3281243cdfd]]></VALUE><LAST_SUCCESS_DATE>2017-03-21T13:39:38Z</LAST_SUCCESS_DATE><LAST_ERROR_DATE></LAST_ERROR_DATE><LAST_ERROR><![CDATA[]]></LAST_ERROR></ATTRIBUTE><ATTRIBUTE><NAME><![CDATA[latest/dynamic/instance-identity/document/accountId]]></NAME><LAST_STATUS>Success</LAST_STATUS><VALUE><![CDATA[205767712438]]></VALUE><LAST_SUCCESS_DATE>2017-03-21T13:39:38Z</LAST_SUCCESS_DATE><LAST_ERROR_DATE></LAST_ERROR_DATE><LAST_ERROR><![CDATA[]]></LAST_ERROR></ATTRIBUTE></EC2></METADATA><LAST_VULN_SCAN_DATETIME>2017-03-21T13:39:38Z</LAST_VULN_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2017-03-21T13:39:38Z</LAST_VM_SCANNED_DATE><LAST_VM_SCANNED_DURATION>229</LAST_VM_SCANNED_DURATION><LAST_VM_AUTH_SCANNED_DATE>2017-03-21T13:39:38Z</LAST_VM_AUTH_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DURATION>229</LAST_VM_AUTH_SCANNED_DURATION><LAST_COMPLIANCE_SCAN_DATETIME>2017-03-21T13:21:51Z</LAST_COMPLIANCE_SCAN_DATETIME>
```
And this is how the log would be parsed:
Field | Value | Type | Source field name | Field transformation | Extra fields |
---|---|---|---|---|---|
eventdate | | | | | |
host_id | | | `<ID>` | | |
asset_id | | | `<ASSET_ID>` | | |
ip | | | `<IP>` | | |
tracking_method | | | `<TRACKING_METHOD>` | | |
network_id | | | `<NETWORK_ID>` | | |
dns | | | `<DNS>` | | |
dns_hostname | | | `<DNS_DATA><HOSTNAME>` | | |
dns_domain | | | `<DNS_DATA><DOMAIN>` | | |
dns_fqdn | | | `<DNS_DATA><FQDN>` | | |
cloud_provider | | | `<CLOUD_PROVIDER>` | | |
cloud_service | | | `<CLOUD_SERVICE>` | | |
cloud_resource_id | | | `<CLOUD_RESOURCE_ID>` | | |
ec2_instance_id | | | `<EC2_INSTANCE_ID>` | | |
netbios | | | `<NETBIOS>` | | |
os | | | `<OS>` | | |
qg_hostid | | | `<QG_HOSTID>` | | |
tag_ids | | | `<TAGS><TAG><TAG_ID>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
tag_names | | | `<TAGS><TAG><NAME>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
metadata__ec2__attribute | | | `<METADATA><EC2><ATTRIBUTE>` | | |
metadata__google__attribute | | | `<METADATA><GOOGLE><ATTRIBUTE>` | | |
metadata__azure__attribute | | | `<METADATA><AZURE><ATTRIBUTE>` | | |
cloud_tag_names | | | `<CLOUD_PROVIDER_TAGS><CLOUD_TAG><NAME>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
cloud_tag_values | | | `<CLOUD_PROVIDER_TAGS><CLOUD_TAG><VALUE>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
cloud_tag_last_success_date | | | `<CLOUD_PROVIDER_TAGS><CLOUD_TAG><LAST_SUCCESS_DATE>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
last_vuln_scan_datetime | | | `<LAST_VULN_SCAN_DATETIME>` | | |
last_vm_scanned_date | | | `<LAST_VM_SCANNED_DATE>` | | |
last_vm_scanned_duration | | | `<LAST_VM_SCANNED_DURATION>` | | |
last_vm_auth_scanned_date | | | `<LAST_VM_AUTH_SCANNED_DATE>` | | |
last_vm_auth_scanned_duration | | | `<LAST_VM_AUTH_SCANNED_DURATION>` | | |
last_compliance_scan_datetime | | | `<LAST_COMPLIANCE_SCAN_DATETIME>` | | |
last_scap_scan_datetime | | | `<LAST_SCAP_SCAN_DATETIME>` | | |
owner | | | `<OWNER>` | | |
comments | | | `<COMMENTS>` | | |
user_def_value1 | | | `<USER_DEF><VALUE_1>` | | |
user_def_value2 | | | `<USER_DEF><VALUE_2>` | | |
user_def_value3 | | | `<USER_DEF><VALUE_3>` | | |
asset_group_ids | | | `<ASSET_GROUP_IDS>` | | |
rawMessage | | | | | ✓ |
hostchain | | | | | ✓ |
tag | | | | | ✓ |
raw | | | | | ✓ |
vuln.qualys.hostdetections
```
2021-04-01 01:00:00.123 localhost=127.0.0.1 vuln.qualys.hostdetections.xml: <HOST><ID>12345678</ID><ASSET_ID>654321</ASSET_ID><IP>192.168.1.3</IP><TRACKING_METHOD>IP</TRACKING_METHOD><NETWORK_ID>0</NETWORK_ID><OS>VMware ESXi 6.7.0</OS><OS_CPE>cpe:/o:vmware:esxi:5.1.0:</OS_CPE><DNS>myserver.resources.example.com</DNS><DNS_DATA><HOSTNAME>myserver</HOSTNAME><DOMAIN>resources.example.com</DOMAIN><FQDN>myserver.resources.example.com</FQDN></DNS_DATA><LAST_SCAN_DATETIME>2021-04-18T20:06:23Z</LAST_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2021-04-18T20:06:07Z</LAST_VM_SCANNED_DATE><LAST_VM_SCANNED_DURATION>2840</LAST_VM_SCANNED_DURATION><LAST_VM_AUTH_SCANNED_DATE>2020-10-12T20:04:35Z</LAST_VM_AUTH_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DURATION>970</LAST_VM_AUTH_SCANNED_DURATION><TAGS><TAG><TAG_ID>1</TAG_ID><NAME>Tag Name 1</NAME></TAG><TAG><TAG_ID>2</TAG_ID><NAME>Tag-Name-2</NAME></TAG><TAG><TAG_ID>3</TAG_ID><NAME>Tag-Name-3</NAME></TAG><TAG><TAG_ID>4</TAG_ID><NAME>Tag-Name-4</NAME></TAG><TAG><TAG_ID>5</TAG_ID><NAME>Tag_Name_5</NAME></TAG></TAGS><DETECTION><QID>123</QID><TYPE>Info</TYPE><SEVERITY>1</SEVERITY><PORT>443</PORT><PROTOCOL>tcp</PROTOCOL><RESULTS>GET / HTTP/1.0\\nHost: myserver.resources.example.com\\n\\n\\n\\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">\\n\\n<html lang="en">\\n<head>\\n<meta http-equiv="content-type" content="text/html; charset=utf8">\\n<meta http-equiv="refresh" content="0;URL='/ui'"/>\\n</head>\\n</html></RESULTS><FIRST_FOUND_DATETIME>2020-09-20T19:48:47Z</FIRST_FOUND_DATETIME><LAST_FOUND_DATETIME>2021-04-18T20:06:07Z</LAST_FOUND_DATETIME><TIMES_FOUND>34</TIMES_FOUND><IS_DISABLED>0</IS_DISABLED><LAST_PROCESSED_DATETIME>2021-04-18T20:06:23Z</LAST_PROCESSED_DATETIME></DETECTION></HOST>
2021-04-01 01:00:00.123 localhost=127.0.0.1 vuln.qualys.hostdetections.xml: <HOST><ID>12345678</ID><ASSET_ID>654321</ASSET_ID><IP>192.168.1.3</IP><TRACKING_METHOD>IP</TRACKING_METHOD><NETWORK_ID>0</NETWORK_ID><OS>VMware ESXi 6.7.0</OS><OS_CPE>cpe:/o:vmware:esxi:5.1.0:</OS_CPE><DNS>myserver.resources.example.com</DNS><DNS_DATA><HOSTNAME>myserver</HOSTNAME><DOMAIN>resources.example.com</DOMAIN><FQDN>myserver.resources.example.com</FQDN></DNS_DATA><LAST_SCAN_DATETIME>2021-04-18T20:06:23Z</LAST_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2021-04-18T20:06:07Z</LAST_VM_SCANNED_DATE><LAST_VM_SCANNED_DURATION>2840</LAST_VM_SCANNED_DURATION><LAST_VM_AUTH_SCANNED_DATE>2020-10-12T20:04:35Z</LAST_VM_AUTH_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DURATION>970</LAST_VM_AUTH_SCANNED_DURATION><TAGS><TAG><TAG_ID>1</TAG_ID><NAME>Tag Name 1</NAME></TAG><TAG><TAG_ID>2</TAG_ID><NAME>Tag-Name-2</NAME></TAG><TAG><TAG_ID>3</TAG_ID><NAME>Tag-Name-3</NAME></TAG><TAG><TAG_ID>4</TAG_ID><NAME>Tag-Name-4</NAME></TAG><TAG><TAG_ID>5</TAG_ID><NAME>Tag_Name_5</NAME></TAG></TAGS><DETECTION><QID>234</QID><TYPE>Info</TYPE><SEVERITY>1</SEVERITY><RESULTS>Some of the ports filtered by the firewall are: 21, 22, 23, 25.\\n\\nListed below are the ports filtered by the firewall.\\nNo response has been received when any of these ports are probed.\\n21-23,25,53,110-112,\\n123,135,445,\\n32768-32790</RESULTS><FIRST_FOUND_DATETIME>2017-07-19T15:48:09Z</FIRST_FOUND_DATETIME><LAST_FOUND_DATETIME>2021-04-18T20:06:07Z</LAST_FOUND_DATETIME><TIMES_FOUND>201</TIMES_FOUND><IS_DISABLED>0</IS_DISABLED><LAST_PROCESSED_DATETIME>2021-04-18T20:06:23Z</LAST_PROCESSED_DATETIME></DETECTION></HOST>
2021-04-01 01:00:00.123 localhost=127.0.0.1 vuln.qualys.hostdetections.xml: <HOST><ID>12345678</ID><ASSET_ID>654321</ASSET_ID><IP>192.168.1.3</IP><TRACKING_METHOD>IP</TRACKING_METHOD><NETWORK_ID>0</NETWORK_ID><OS>VMware ESXi 6.7.0</OS><OS_CPE>cpe:/o:vmware:esxi:5.1.0:</OS_CPE><DNS>myserver.resources.example.com</DNS><DNS_DATA><HOSTNAME>myserver</HOSTNAME><DOMAIN>resources.example.com</DOMAIN><FQDN>myserver.resources.example.com</FQDN></DNS_DATA><LAST_SCAN_DATETIME>2021-04-18T20:06:23Z</LAST_SCAN_DATETIME><LAST_VM_SCANNED_DATE>2021-04-18T20:06:07Z</LAST_VM_SCANNED_DATE><LAST_VM_SCANNED_DURATION>2840</LAST_VM_SCANNED_DURATION><LAST_VM_AUTH_SCANNED_DATE>2020-10-12T20:04:35Z</LAST_VM_AUTH_SCANNED_DATE><LAST_VM_AUTH_SCANNED_DURATION>970</LAST_VM_AUTH_SCANNED_DURATION><TAGS><TAG><TAG_ID>1</TAG_ID><NAME>Tag Name 1</NAME></TAG><TAG><TAG_ID>2</TAG_ID><NAME>Tag-Name-2</NAME></TAG><TAG><TAG_ID>3</TAG_ID><NAME>Tag-Name-3</NAME></TAG><TAG><TAG_ID>4</TAG_ID><NAME>Tag-Name-4</NAME></TAG><TAG><TAG_ID>5</TAG_ID><NAME>Tag_Name_5</NAME></TAG></TAGS><DETECTION><QID>345</QID><TYPE>Info</TYPE><SEVERITY>1</SEVERITY><PORT>443</PORT><PROTOCOL>tcp</PROTOCOL><RESULTS>NAME VALUE\\n(0)CERTIFICATE 0 \\n(0)Version 3 (0x2)\\n(0)Serial Number ca:35:12:ab:cd:12:34:56 \\n(0)Signature Algorithm sha256WithRSAEncryption\\n(0)ISSUER NAME \\ncommonName CA\\n domainComponent vsphere\\n domainComponent local\\n countryName US\\n stateOrProvinceName California\\n organizationName myserver02.resources.example.com\\n organizationalUnitName VMware Engineering\\n(0)SUBJECT NAME \\ncountryName AU\\n stateOrProvinceName California\\n localityName Palo Alto\\n organizationName VMware\\n organizationalUnitName VMware Engineering\\n commonName myserver.resources.example.com\\n emailAddress email@somedomain.com\\n(0)Valid From Sep 1 16:27:06 2020 GMT\\n(0)Valid Till Sep 1 16:27:06 2025 GMT\\n(0)Public Key Algorithm rsaEncryption\\n(0)RSA Public Key (2048 bit)\\n(0) RSA Public-Key: (2048 bit)\\n(0) Modulus:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(0) 01:23\\n(0) Exponent: 65537 (0x10001)\\n(0)X509v3 EXTENSIONS \\n(0)X509v3 Subject Alternative Name DNS:myserver.resources.example.com\\n(0)X509v3 Authority Key Identifier keyid:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67\\n(0)Authority Information Access CA Issuers - URI:https://myserver02.resources.example.com/afd/vecs/ca\\n(0)Signature (256 octets)\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(0) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1)CERTIFICATE 1 \\n(1)Version 3 (0x2)\\n(1)Serial Number 01:23:45:67:89:ab:cd:ef \\n(1)Signature Algorithm sha256WithRSAEncryption\\n(1)ISSUER NAME \\ncommonName CA\\n domainComponent vsphere\\n domainComponent local\\n countryName US\\n stateOrProvinceNameCalifornia\\n organizationName myserver02.resources.example.com\\n organizationalUnitName VMware Engineering\\n(1)SUBJECT NAME \\ncommonName CA\\n domainComponent vsphere\\n domainComponent local\\n countryName US\\n stateOrProvinceName California\\n organizationName myserver02.resources.example.com\\n organizationalUnitName VMware Engineering\\n(1)Valid From Nov 17 16:30:39 2019 GMT\\n(1)Valid Till Nov 14 16:30:39 2029 GMT\\n(1)Public Key Algorithm rsaEncryption\\n(1)RSA Public Key (2048 bit)\\n(1) RSA Public-Key: (2048 bit)\\n(1) Modulus:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:\\n(1) 01:23\\n(1) Exponent: 65537 (0x10001)\\n(1)X509v3 EXTENSIONS \\n(1)X509v3 Subject Key Identifier 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67\\n(1)X509v3 Subject Alternative Name email:email@someotherdomain.com, IP Address:127.0.0.1\\n(1)X509v3 Key Usage critical\\n(1) Certificate Sign, CRL Sign\\n(1)X509v3 Basic Constraintscritical\\n(1) CA:TRUE, pathlen: 0\\n(1)Signature (256 octets)\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\\n(1) 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef</RESULTS><FIRST_FOUND_DATETIME>2020-06-07T19:53:31Z</FIRST_FOUND_DATETIME><LAST_FOUND_DATETIME>2021-04-18T20:06:07Z</LAST_FOUND_DATETIME><TIMES_FOUND>55</TIMES_FOUND><IS_DISABLED>0</IS_DISABLED><LAST_PROCESSED_DATETIME>2021-04-18T20:06:23Z</LAST_PROCESSED_DATETIME></DETECTION></HOST>
```
And this is how the log would be parsed:
Field | Value | Type | Source field name | Field transformation | Extra fields |
---|---|---|---|---|---|
eventdate | | | | | |
host_id | | | `<ID>` | | |
asset_id | | | `<ASSET_ID>` | | |
ip | | | `<IP>` | | |
tracking_method | | | `<TRACKING_METHOD>` | | |
network_id | | | `<NETWORK_ID>` | | |
os | | | `<OS>` | | |
os_cpe | | | `<OS_CPE>` | | |
dns | | | `<DNS>` | | |
dns_hostname | | | `<DNS_DATA><HOSTNAME>` | | |
dns_domain | | | `<DNS_DATA><DOMAIN>` | | |
dns_fqdn | | | `<DNS_DATA><FQDN>` | | |
cloud_provider | | | `<CLOUD_PROVIDER>` | | |
cloud_service | | | `<CLOUD_SERVICE>` | | |
cloud_resource_id | | | `<CLOUD_RESOURCE_ID>` | | |
ec2_instance_id | | | `<EC2_INSTANCE_ID>` | | |
netbios | | | `<NETBIOS>` | | |
qg_host_id | | | `<QG_HOSTID>` | | |
last_scan_datetime | | | `<LAST_SCAN_DATETIME>` | | |
last_vm_scanned_date | | | `<LAST_VM_SCANNED_DATE>` | | |
last_vm_scanned_duration | | | `<LAST_VM_SCANNED_DURATION>` | | |
last_vm_auth_scanned_date | | | `<LAST_VM_AUTH_SCANNED_DATE>` | | |
last_vm_auth_scanned_duration | | | `<LAST_VM_AUTH_SCANNED_DURATION>` | | |
last_pc_scanned_date | | | `<LAST_PC_SCANNED_DATE>` | | |
tag_ids | | | `<TAGS><TAG><TAG_ID>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
tag_names | | | `<TAGS><TAG><NAME>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
tag_colors | | | `<TAGS><TAG><COLOR>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
tag_background_colors | | | `<TAGS><TAG><BACKGROUND_COLOR>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
metadata__ec2__attribute | | | `<METADATA><EC2><ATTRIBUTE>` | | |
metadata__google__attribute | | | `<METADATA><GOOGLE><ATTRIBUTE>` | | |
metadata__azure__attribute | | | `<METADATA><AZURE><ATTRIBUTE>` | | |
cloud_tag_names | | | `<CLOUD_PROVIDER_TAGS><CLOUD_TAG><NAME>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
cloud_tag_values | | | `<CLOUD_PROVIDER_TAGS><CLOUD_TAG><VALUE>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
cloud_tag_last_success_date | | | `<CLOUD_PROVIDER_TAGS><CLOUD_TAG><LAST_SUCCESS_DATE>` | The XML array obtained from the source has been joined using the separator string "\|\|\|" | |
detection_qid | | | `<DETECTION><QID>` | | |
detection_type | | | `<DETECTION><TYPE>` | | |
detection_severity | | | `<DETECTION><SEVERITY>` | | |
detection_port | | | `<DETECTION><PORT>` | | |
detection_protocol | | | `<DETECTION><PROTOCOL>` | | |
detection_fqdn | | | `<DETECTION><FQDN>` | | |
detection_ssl | | | `<DETECTION><SSL>` | | |
detection_instance | | | `<DETECTION><INSTANCE>` | | |
detection_results | | | `<DETECTION><RESULTS>` | | |
detection_status | | | `<DETECTION><STATUS>` | | |
detection_first_found_datetime | | | `<DETECTION><FIRST_FOUND_DATETIME>` | | |
detection_last_found_datetime | | | `<DETECTION><LAST_FOUND_DATETIME>` | | |
detection_times_found | | | `<DETECTION><TIMES_FOUND>` | | |
detection_last_test_datetime | | | `<DETECTION><LAST_TEST_DATETIME>` | | |
detection_last_update_datetime | | | `<DETECTION><LAST_UPDATE_DATETIME>` | | |
detection_last_fixed_datetime | | | `<DETECTION><LAST_FIXED_DATETIME>` | | |
detection_first_reopened_datetime | | | `<DETECTION><FIRST_REOPENED_DATETIME>` | | |
detection_last_reopened_datetime | | | `<DETECTION><LAST_REOPENED_DATETIME>` | | |
detection_times_reopened | | | `<DETECTION><TIMES_REOPENED>` | | |
detection_service | | | `<DETECTION><SERVICE>` | | |
detection_is_ignored | | | `<DETECTION><IS_IGNORED>` | | |
detection_is_disabled | | | `<DETECTION><IS_DISABLED>` | | |
detection_affect_running_kernel | | | `<DETECTION><AFFECT_RUNNING_KERNEL>` | | |
detection_affect_running_service | | | `<DETECTION><AFFECT_RUNNING_SERVICE>` | | |
detection_affect_exploitable_config | | | `<DETECTION><AFFECT_EXPLOITABLE_CONFIG>` | | |
detection_last_processed_datetime | | | `<DETECTION><LAST_PROCESSED_DATETIME>` | | |
rawMessage | | | | | ✓ |
hostchain | | | | | ✓ |
tag | | | | | ✓ |
raw | | | | | ✓ |
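The vuln.qualys.hosts and vuln.qualys.hostdetections tables above describe the same flattening: one XML element per column, with repeated elements joined by "|||". The Python below is an added example of that flattening, not Devo's parser; it assumes the envelope layout of the page's sample lines and the column-to-element mapping in the two tables, and its two sample events are abridged from the page's own samples.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Separator used when an XML array is flattened into one column
# (the "Field transformation" column of the parse tables).
ARRAY_SEP = "|||"

# Envelope in front of every sample line: eventdate, hostchain, tag, payload.
ENVELOPE_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<hostchain>\S+) (?P<tag>vuln\.qualys\.[\w.]+): (?P<payload>.*)$",
    re.S,
)

# Destination column -> XML path; a representative subset of the hosts table.
HOSTS_SCALARS = {
    "host_id": "ID", "ip": "IP", "tracking_method": "TRACKING_METHOD",
    "network_id": "NETWORK_ID", "dns": "DNS", "dns_hostname": "DNS_DATA/HOSTNAME",
    "dns_domain": "DNS_DATA/DOMAIN", "dns_fqdn": "DNS_DATA/FQDN",
    "cloud_provider": "CLOUD_PROVIDER", "cloud_resource_id": "CLOUD_RESOURCE_ID",
    "ec2_instance_id": "EC2_INSTANCE_ID", "os": "OS", "qg_hostid": "QG_HOSTID",
    "last_vuln_scan_datetime": "LAST_VULN_SCAN_DATETIME",
}
HOSTS_ARRAYS = {"tag_ids": "TAGS/TAG/TAG_ID", "tag_names": "TAGS/TAG/NAME"}

# Subset of the hostdetections table (tag vuln.qualys.hostdetections.xml,
# collector 1.5.0 and later): one <HOST> element carrying one <DETECTION>.
DETECTIONS_SCALARS = {
    "host_id": "ID", "asset_id": "ASSET_ID", "ip": "IP", "os": "OS", "os_cpe": "OS_CPE",
    "dns_fqdn": "DNS_DATA/FQDN", "last_scan_datetime": "LAST_SCAN_DATETIME",
    "detection_qid": "DETECTION/QID", "detection_type": "DETECTION/TYPE",
    "detection_severity": "DETECTION/SEVERITY", "detection_port": "DETECTION/PORT",
    "detection_protocol": "DETECTION/PROTOCOL", "detection_results": "DETECTION/RESULTS",
    "detection_first_found_datetime": "DETECTION/FIRST_FOUND_DATETIME",
    "detection_times_found": "DETECTION/TIMES_FOUND",
    "detection_is_disabled": "DETECTION/IS_DISABLED",
}

FIELD_MAPS = {
    "vuln.qualys.hosts": (HOSTS_SCALARS, HOSTS_ARRAYS),
    "vuln.qualys.hostdetections.xml": (DETECTIONS_SCALARS, HOSTS_ARRAYS),
}


def _text(el: Optional[ET.Element]) -> Optional[str]:
    # ElementTree unwraps <![CDATA[...]]>; a missing or empty element becomes None.
    if el is None or el.text is None or not el.text.strip():
        return None
    return el.text.strip()


def parse_event(line: str) -> Dict[str, Optional[str]]:
    """Split the envelope and flatten the XML payload into the table's columns."""
    m = ENVELOPE_RE.match(line.strip())
    if not m:
        raise ValueError("not a vuln.qualys event line")
    tag = m.group("tag")
    if tag not in FIELD_MAPS:
        raise ValueError(f"no XML field map for tag {tag}")
    scalars, arrays = FIELD_MAPS[tag]
    # The hosts payload is a bare run of sibling elements with no root, so it is
    # wrapped in a synthetic one; the default parser drops the <!-- ... --> comment.
    root = ET.fromstring("<QUALYS>" + m.group("payload") + "</QUALYS>")
    record = root[0] if len(root) == 1 and root[0].tag == "HOST" else root
    row: Dict[str, Optional[str]] = {
        "eventdate": m.group("eventdate"), "hostchain": m.group("hostchain"), "tag": tag,
    }
    for column, path in scalars.items():
        row[column] = _text(record.find(path))
    for column, path in arrays.items():
        values = [v for v in (_text(e) for e in record.findall(path)) if v is not None]
        row[column] = ARRAY_SEP.join(values) if values else None
    return row


# Abridged from the page's first hosts sample (tags and tr dates shortened).
HOSTS_EVENT = (
    "2021-01-20 15:27:12.704 localhost=127.0.0.1 vuln.qualys.hosts: "
    "<ID>1000001</ID><IP>192.168.1.2</IP><TRACKING_METHOD>Cloud Agent</TRACKING_METHOD>"
    "<NETWORK_ID>0</NETWORK_ID><DNS><![CDATA[hostname.my.corp.local]]></DNS><DNS_DATA>"
    "<HOSTNAME><![CDATA[hostname]]></HOSTNAME><DOMAIN><![CDATA[my.corp.local]]></DOMAIN>"
    "<FQDN><![CDATA[hostname.my.corp.local]]></FQDN></DNS_DATA>"
    "<CLOUD_PROVIDER><![CDATA[AWS]]></CLOUD_PROVIDER>"
    "<CLOUD_RESOURCE_ID><![CDATA[id-resource]]></CLOUD_RESOURCE_ID>"
    "<!-- <EC2_INSTANCE_ID> tag has been deprecated. Please refer to <CLOUD_RESOURCE_ID> "
    "tag for the same information //-->"
    "<EC2_INSTANCE_ID><![CDATA[id-resource]]></EC2_INSTANCE_ID><OS><![CDATA[Linux]]></OS>"
    "<TAGS><TAG><TAG_ID>10000001</TAG_ID><NAME>Tag Name 1</NAME></TAG>"
    "<TAG><TAG_ID>10000002</TAG_ID><NAME>Tag-Name-2</NAME></TAG></TAGS>"
    "<LAST_VULN_SCAN_DATETIME>2021-03-12T01:00:00Z</LAST_VULN_SCAN_DATETIME>"
)
# Abridged from the page's second hostdetections sample (QID 234, no PORT/PROTOCOL).
DETECTION_EVENT = (
    "2021-04-01 01:00:00.123 localhost=127.0.0.1 vuln.qualys.hostdetections.xml: "
    "<HOST><ID>12345678</ID><ASSET_ID>654321</ASSET_ID><IP>192.168.1.3</IP>"
    "<OS>VMware ESXi 6.7.0</OS><OS_CPE>cpe:/o:vmware:esxi:5.1.0:</OS_CPE>"
    "<DNS_DATA><FQDN>myserver.resources.example.com</FQDN></DNS_DATA>"
    "<TAGS><TAG><TAG_ID>1</TAG_ID><NAME>Tag Name 1</NAME></TAG>"
    "<TAG><TAG_ID>2</TAG_ID><NAME>Tag-Name-2</NAME></TAG></TAGS>"
    "<DETECTION><QID>234</QID><TYPE>Info</TYPE><SEVERITY>1</SEVERITY>"
    "<RESULTS>Some of the ports filtered by the firewall are: 21, 22, 23, 25.</RESULTS>"
    "<FIRST_FOUND_DATETIME>2017-07-19T15:48:09Z</FIRST_FOUND_DATETIME>"
    "<TIMES_FOUND>201</TIMES_FOUND><IS_DISABLED>0</IS_DISABLED></DETECTION></HOST>"
)
```

Columns that the record lacks (for example detection_port on the QID 234 sample) come back as None, which is how they also appear in the data table.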
vuln.qualys.useractivitylog
```
2021-05-01 16:10:42.242 localhost=127.0.0.1 vuln.qualys.useractivitylog: 2019-05-10T06:30:23Z,request,auth,API: /api/2.0/fo/asset/host/vm/detection/index.php,testuser,Reader,123.45.67.89
2021-05-01 16:10:42.242 localhost=127.0.0.1 vuln.qualys.useractivitylog: 2021-03-01T01:01:01Z,options,map,"map (ref: map/123456789.30005) options: Information gathering: Netblock Hosts Only, Perform live host sweep, Ignore all RST packets, Standard TCP port list, Standard UDP port list, Netblock: 123.45.0.0-123.45.255.255, ICMP Host Discovery, target: 123.45.0.0_16_public.subnet",testuser,Reader,
```
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
date | | | |
action | | | |
module | | | |
details | | | |
user_name | | | |
user_role | | | |
user_ip | | | |
rawMessage | | | ✓ |
hostchain | | | ✓ |
tag | | | ✓ |
raw | | | ✓ |
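The useractivitylog payload is a seven-field CSV row whose details field is double-quoted and itself contains commas, so a plain split on "," would misalign the columns. The Python below is an added example (not Devo's parser) that assumes the column order of the table above and uses the page's two sample lines; the second line's empty trailing user_ip field is kept as a null.

```python
import csv
import io
from typing import Dict, Optional

TAG = "vuln.qualys.useractivitylog"
# Column order of the vuln.qualys.useractivitylog table (after eventdate).
COLUMNS = ("date", "action", "module", "details", "user_name", "user_role", "user_ip")


def parse_useractivity(line: str) -> Dict[str, Optional[str]]:
    """Split the envelope, then parse the CSV payload into the table's columns."""
    envelope, sep, payload = line.strip().partition(f" {TAG}: ")
    if not sep:
        raise ValueError(f"not a {TAG} event line")
    eventdate, _, hostchain = envelope.rpartition(" ")
    # csv honours the double-quoted details field, which contains commas of its
    # own (option lists, netblocks) that a naive split(",") would break apart.
    fields = next(csv.reader(io.StringIO(payload)))
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} CSV fields, got {len(fields)}")
    row: Dict[str, Optional[str]] = {"eventdate": eventdate, "hostchain": hostchain, "tag": TAG}
    # Qualys leaves user_ip empty for some actions (second sample): keep that as None.
    row.update({col: (val or None) for col, val in zip(COLUMNS, fields)})
    return row


# The page's two sample lines.
API_EVENT = (
    "2021-05-01 16:10:42.242 localhost=127.0.0.1 vuln.qualys.useractivitylog: "
    "2019-05-10T06:30:23Z,request,auth,API: /api/2.0/fo/asset/host/vm/detection/index.php,"
    "testuser,Reader,123.45.67.89"
)
MAP_EVENT = (
    "2021-05-01 16:10:42.242 localhost=127.0.0.1 vuln.qualys.useractivitylog: "
    '2021-03-01T01:01:01Z,options,map,"map (ref: map/123456789.30005) options: '
    "Information gathering: Netblock Hosts Only, Perform live host sweep, Ignore all RST packets, "
    "Standard TCP port list, Standard UDP port list, Netblock: 123.45.0.0-123.45.255.255, "
    'ICMP Host Discovery, target: 123.45.0.0_16_public.subnet",testuser,Reader,'
)
```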
vuln.qualys.vulnerabilities
```
2021-05-01 01:10:00.293 localhost=127.0.0.1 vuln.qualys.vulnerabilities: {"ip": "192.168.3.4", "dns": null, "netbios": null, "os": "Linux 3.13", "ip_status": "host scanned, found vuln", "qid": 38794, "title": "SSL/TLS Server supports TLSv1.1", "type": "Vuln", "severity": "1", "port": "443", "protocol": "tcp", "fqdn": "", "ssl": "yes", "cve_id": null, "vendor_reference": "Deprecating TLS 1.0 and TLS 1.1", "bugtraq_id": null, "cvss_base": "2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)", "cvss_temporal": "2.2 (E:U/RL:U/RC:C)", "cvss3_base": "3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)", "cvss3_temporal": "3.4 (E:U/RL:U/RC:C)", "threat": "The scan target supports version 1.1 of the TLS protocol. That version is in the process of being deprecated and is no longer recommended. Instead the newer versions 1.2 and/or 1.3 should be used. The TLSv1.1 protocol itself does not have any currently exploitable vulnerabilities. However some vendor implementations of TLSv1.1 have weaknesses which may be exploitable. \nThis QID is posted as potential, when servers require client certificates and we cannot complete the handshake. \n\nNOTE: On March 31, 2021 Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) are formally deprecated.\nRefer to Deprecating TLS 1.0 and TLS 1.1 (https://tools.ietf.org/html/rfc8996)", "impact": "Supporting TLSv1.1 by itself does not necessarily have any harmful consequences, but it is no longer considered best practice because of bad past experience with some vendor implementations of TLSv1.1.", "solution": "Disable the use of TLSv1.1 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.\nThe following openssl commands can be used to do a manual test:\nopenssl s_client -connect ip:port -tls1_1\n\nIf the test is successful, then the target support TLSv1.1", "exploitability": null, "associated_malware": null, "results": "TLSv1.1 is supported", "pci_vuln": "no", "instance": null, "category": "General remote services", "scan_reference": "scan/123456789.10001"}
2021-05-01 01:10:00.293 localhost=127.0.0.1 vuln.qualys.vulnerabilities: {"ip": "192.168.2.103", "dns": "host103.mycorp.example.com", "netbios": "HOST103", "os": "Windows Server 2008 R2 Standard 64 bit Edition Service Pack 1", "ip_status": "host scanned, found vuln", "qid": 90803, "title": "Microsoft Combined Security Update for Microsoft Office, Windows, .NET Framework and Silverlight (MS12-034)", "type": "Vuln", "severity": "5", "port": "", "protocol": "", "fqdn": "", "ssl": "no", "cve_id": "CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0164, CVE-2012-0165, CVE-2012-0176, CVE-2012-0167, CVE-2012-0180, CVE-2012-0181, CVE-2012-1848", "vendor_reference": "MS12-034", "bugtraq_id": "53335, 53358, 53363, 53347, 53360, 53351, 53327, 53324", "threat": "Microsoft Components are prone to multiple vulnerabilities.\n \nA remote code execution vulnerability exists in the way affected components handle a specially crafted TrueType font file. (CVE-2011-3402,CVE-2012-0159)\n \nA remote code execution vulnerability exists in Microsoft .NET Framework that can allow a specially crafted Microsoft .NET Framework application to access memory in an unsafe manner. This occurs when the Microsoft .NET Framework improperly allocates a buffer in memory. (CVE-2012-0162)\n \nA denial of service vulnerability exists in the way .NET Framework compares the value of an index. (CVE-2012-0164)\n \nA remote code execution vulnerability exists in the way GDI+ handles validation of specially crafted EMF images. (CVE-2012-0165)\n \nA remote code execution vulnerability exists in Microsoft Silverlight that can allow a specially crafted Silverlight application to access memory in an unsafe manner. (CVE-2012-0176)\n \nAn elevation of privilege vulnerability exists in the way the Windows kernel-mode driver manages the functions related to Windows and Message handling. (CVE-2012-0180)\n \nAn elevation of privilege vulnerability exists in the way the Windows kernel-mode driver manages Keyboard Layout files. (CVE-2012-0181,CVE-2012-1848)\n \nAffected Software: \nWindows XP, Windows Server 2003, Vista, 2008, Windows 7, 2008 R2 \nMicrosoft .NET Framework 3.0 Service Pack 2 \nMicrosoft .NET Framework 3.5.1 \nMicrosoft .NET Framework 4 \nMicrosoft Office 2003 Service Pack 3 \nMicrosoft Office 2007 Service Pack 2 \nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 \nMicrosoft Office 2010 Service Pack 1 \nMicrosoft Silverlight 4 \nMicrosoft Silverlight 5\n \nThis security update is rated Critical.\n Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): May 2012 Security Updates Are On ECE For XPe SP3 and Standard 2009 (http://blogs.msdn.com/b/embedded/archive/2012/05/29/may-2012-security-updates-are-on-ece-for-xpe-sp3-and-standard-2009.aspx) (KB2656405, 2656407, 2659262, 2676562, 2686509) \nJune 2012 Security Updates are Live on ECE for XPe and Standard 2009 (http://blogs.msdn.com/b/embedded/archive/2012/07/03/june-2012-security-updates-are-live-on-ece-for-xpe-and-standard-2009.aspx) (KB2656405, 2686509, 2676562, 2656407, 2659262) \nDecember 2012 Security Updates are Live on ECE for XPe and Standard 2009 (http://blogs.msdn.com/b/windows-embedded/archive/2012/12/31/december-2012-security-updates-are-live-on-ece-for-xpe-and-standard-2009.aspx) (KB2690729, 2636927) ", "impact": "Successful exploitation allows an attacker to execute arbitrary code and take complete control of the affected system.", "solution": " Patch: \nFollowing are links for downloading patches to fix the vulnerabilities:\n MS12-034: Windows XP Service Pack 3 (http://www.microsoft.com/download/details.aspx?familyid=b2ea7a8d-a537-441c-8e80-2ba4ac37e320) MS12-034: Windows XP Service Pack 3 (http://www.microsoft.com/download/details.aspx?familyid=9a4db1b4-15b2-4fae-83c4-a86331425c9e) MS12-034: Windows XP Service Pack 3 (http://www.microsoft.com/download/details.aspx?familyid=8d341077-8fcd-4666-a27e-2141a04a321e) MS12-034: Windows XP Service Pack 3 (http://www.microsoft.com/download/details.aspx?familyid=954e8ae9-9247-496a-bbde-76981c49e3b3) (shortened by Devo) MS12-034: Microsoft Silverlight 5 (http://www.microsoft.com/download/details.aspx?familyid=fb1258e2-f3df-4a3d-b809-abec619a0c63)", "exploitability": "Source: Core Security\r\nReference:CVE-2012-0181\r\nDescription:Microsoft Windows Win32k Keyboard Layout Vulnerability Exploit (MS12-034) - Core Security Category : Exploits/Local\r\nReference:CVE-2012-0181\r\nDescription:Microsoft Windows Win32k Keyboard Layout Vulnerability Privilege Escalation Exploit (MS12-034) - Core Security Category : Exploits/Local\r\nReference:CVE-2011-3402\r\nDescription:Microsoft Windows TrueType Font Parsing Vulnerability DoS (MS11-087) - Core Security Category : Denial of Service/Local\r\nReference:CVE-2011-3402\r\nDescription:Microsoft Windows TrueType Font Parsing Vulnerability Clientside DoS (MS11-087) - Core Security Category : Denial of Service/Client Side\r\nReference:CVE-2011-3402\r\nDescription:Microsoft Windows TrueType Font Parsing Vulnerability Local Exploit (MS11-087) - Core Security Category : Exploits/Local\r\n\r\nSource: Metasploit\r\nReference:CVE-2011-3402\r\nDescription:Windows Gather Forensics Duqu Registry Check - Metasploit Ref : /modules/post/windows/gather/forensics/duqu_check\r\nLink:https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/forensics/duqu_check.rb\r\n\r\nSource: The Exploit-DB\r\nReference:CVE-2012-0181\r\nDescription:Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034) - The Exploit-DB Ref : 18894\r\nLink:http://www.exploit-db.com/exploits/18894\r\n\r\nSource: ExploitKits\r\nReference:CVE-2011-3402\r\nDescription:WINDOWS XP, 2003, 2008 TrueType Font Parsing Vulnerability\r\nLink:http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html\r\n\r\n", "associated_malware": "Source: Trend Micro\r\nMalware 
```
ID:TROJ_TFONT.A\r\nRisk:Low\r\nType:Trojan\r\nPlatform:Windows 2000; Windows XP; Windows Server 2003\r\nLink:http://about-threats.trendmicro.com/Malware.aspx?name=TROJ_TFONT.A&language=us\r\nMalware ID:EXPL_ANOGRE.BO\r\nRisk:Low\r\nType:Trojan\r\nPlatform:Windows 2000; Windows Server 2003; Windows XP (32-bit; 64-bit); Windows Vista (32-bit; 64-bit); Windows 7 (32-bit; 64-bit)\r\nAliases:Win32/Exploit.CVE-2011-3402.P trojan(Eset)\r\nLink:http://about-threats.trendmicro.com/Malware.aspx?name=EXPL_ANOGRE.BO&language=us\r\nMalware ID:EXPL_ANOGRE.AN\r\nRisk:Low\r\nType:Trojan\r\nPlatform:Windows 2000; Windows Server 2003; Windows XP (32-bit; 64-bit); Windows Vista (32-bit; 64-bit); Windows 7 (32-bit; 64-bit)\r\nAliases:Exploit.Win32.CVE-2011-3402.b (Kaspersky), Exploit:Win32/Anogre.gen!A (Microsoft), Exploit.Win32.CVE-2011-3402 (Ikarus), W32/CVE_2011_3402.B!exploit (Fortinet), Win32/Exploit.CVE-2011-3402.J (NOD32)\r\nLink:http://about-threats.trendmicro.com/Malware.aspx?name=EXPL_ANOGRE.AN&language=us\r\nMalware ID:TROJ_DROPPR.GAP\r\nRisk:Low\r\nType:Trojan\r\nPlatform:Windows 2000; Windows Server 2003; Windows XP (32-bit; 64-bit); Windows Vista (32-bit; 64-bit); Windows 7 (32-bit; 64-bit)\r\nLink:http://about-threats.trendmicro.com/Malware.aspx?name=TROJ_DROPPR.GAP&language=us\r\n\r\n", "results": "%programfiles%\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Presentationcore.dll Version is 3.0.6920.5442\n%ProgramFiles(x86)%\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Presentationcore.dll Version is 3.0.6920.5442\n...", "pci_vuln": "yes", "instance": null, "category": "Windows", "scan_reference": "scan/123456789.10001"} 2021-05-01 01:10:00.293 localhost=127.0.0.1 vuln.qualys.vulnerabilities: {"ip": "192.168.2.9", "dns": "my-api.local.example.com", "netbios": "MY-API", "os": "Windows 2012/8", "ip_status": "host scanned, found vuln", "qid": 45056, "title": "HTTP Methods Returned by OPTIONS Request", "type": "Ig", "severity": "1", "port": "80", "protocol": 
"tcp", "fqdn": "ip-192-268-2-9.ec2.internal", "ssl": "no", "cve_id": null, "vendor_reference": null, "bugtraq_id": null, "cvss_base": null, "cvss_temporal": null, "cvss3_base": null, "cvss3_temporal": null, "threat": "The HTTP methods returned in response to an OPTIONS request to the Web server detected on the target host are listed.", "impact": "N/A", "solution": "N/A", "exploitability": null, "associated_malware": null, "results": "Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS", "pci_vuln": "no", "instance": null, "category": "Information gathering", "scan_reference": "scan/123456789.10002"}
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
ip | | | |
dns | | | |
netbios | | | |
os | | | |
ip_status | | | |
qid | | | |
title | | | |
type | | | |
severity | | | |
port | | | |
protocol | | | |
fqdn | | | |
ssl | | | |
cve_id | | | |
vendor_reference | | | |
bugtraq_id | | | |
cvss_base | | | |
cvss_temporal | | | |
cvss3_base | | | |
cvss3_temporal | | | |
threat | | | |
impact | | | |
solution | | | |
exploitability | | | |
associated_malware | | | |
results | | | |
pci_vuln | | | |
instance_str | | | |
category | | | |
scan_reference | | | |
hostchain | | | ✓ |
tag | | | ✓ |
raw | | | ✓ |
rawMessage | | | ✓ |
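As an added example (not Devo's parser or the collector's own code), the routine below shows how a line carrying one or more vuln.qualys.vulnerabilities records is split on the timestamp prefix, how each JSON body maps onto the columns above (the JSON `instance` key lands in `instance_str`, absent keys become null), and a simple triage rule over `type`, `severity` and `pci_vuln`. The sample records and the triage threshold are constructed assumptions, not Devo or Qualys data.

```python
import json
import re
from datetime import datetime

# Each record looks like the samples above: <eventdate> localhost=<collector ip> vuln.qualys.vulnerabilities: <JSON>
# Several records can arrive concatenated on one line, so we split on the timestamp prefix first.
RECORD_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) localhost=(?P<collector>\S+) "
    r"vuln\.qualys\.vulnerabilities: (?P<body>\{.*\})\s*$"
)
# Table columns that map 1:1 onto JSON keys; the JSON "instance" key is stored as instance_str.
JSON_COLUMNS = ("ip dns netbios os ip_status qid title type severity port protocol fqdn ssl "
                "cve_id vendor_reference bugtraq_id cvss_base cvss_temporal cvss3_base "
                "cvss3_temporal threat impact solution exploitability associated_malware "
                "results pci_vuln category scan_reference").split()

def split_records(text):
    """Split a line carrying one or more records into individual record strings."""
    parts = re.split(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} localhost=)", text)
    return [p.strip() for p in parts if p.strip()]

def parse_record(record):
    """Map one record onto the vuln.qualys.vulnerabilities columns; absent keys become None."""
    m = RECORD_RE.match(record)
    if not m:
        raise ValueError("not a vuln.qualys.vulnerabilities record: %r" % record[:40])
    body = json.loads(m.group("body"))
    row = {col: body.get(col) for col in JSON_COLUMNS}
    row["eventdate"] = datetime.strptime(m.group("eventdate"), "%Y-%m-%d %H:%M:%S.%f")
    row["instance_str"] = body.get("instance")
    return row

def needs_triage(row):
    """Triage rule (an assumption, not a Devo rule): confirmed vulns of severity 4+ or any PCI finding."""
    if row["type"] != "Vuln":  # "Ig" (information gathered) rows are not confirmed findings
        return False
    return int(row["severity"]) >= 4 or row["pci_vuln"] == "yes"

# Constructed sample (not real scan data): two records concatenated as in the log samples above.
SAMPLE = (
    '2021-05-01 01:10:00.293 localhost=127.0.0.1 vuln.qualys.vulnerabilities: {"ip": "10.0.0.5", '
    '"dns": "web01.example.test", "os": "Linux", "qid": 100001, "title": "Constructed finding", '
    '"type": "Vuln", "severity": "5", "port": "443", "protocol": "tcp", "ssl": "yes", '
    '"cve_id": null, "pci_vuln": "yes", "instance": null, "category": "Web server"} '
    '2021-05-01 01:10:00.293 localhost=127.0.0.1 vuln.qualys.vulnerabilities: {"ip": "10.0.0.5", '
    '"qid": 45056, "title": "HTTP Methods Returned by OPTIONS Request", "type": "Ig", "severity": "1", '
    '"port": "80", "protocol": "tcp", "pci_vuln": "no", "instance": null, "category": "Information gathering"}'
)
```

Calling `parse_record` on each item of `split_records(SAMPLE)` yields one row per record; only the severity-5 PCI finding satisfies `needs_triage`.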