
monitor.qualys

Introduction

The tags beginning with monitor.qualys identify events generated by Qualys.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as monitor.qualys. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and the corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| Qualys FIM (File Integrity Monitoring) | monitor.qualys.fim.incident | monitor.qualys.fim.incident |
| | monitor.qualys.fim.event | monitor.qualys.fim.event |

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

monitor.qualys.fim.incident

| Field | Type | Extra fields |
| --- | --- | --- |
| eventdate | timestamp | |
| machine | str | |
| approval_status | str | |
| marked | bool | |
| last_updated_by_date | timestamp | |
| last_updated_by_user_name | str | |
| last_updated_by_user_id | str | |
| filter_to_date | timestamp | |
| approval_date | str | |
| assign_date | timestamp | |
| approval_type | str | |
| change_type | str | |
| markup_status | str | |
| filters | str | |
| type | str | |
| reviewers | str | |
| deleted | bool | |
| filter_from_date | timestamp | |
| created_by_date | timestamp | |
| created_by_user_name | str | |
| created_by_user_id | str | |
| customer_id | str | |
| name | str | |
| rule_name | str | |
| comment | str | |
| disposition_category | str | |
| id | str | |
| rule_id | str | |
| status | str | |
| sla_duration_key | str | |
| sla_violation_date | str | |
| sla_duration_value | int4 | |
| sla_required | bool | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

monitor.qualys.fim.event

| Field | Type | Extra fields |
| --- | --- | --- |
| eventdate | timestamp | |
| machine | str | |
| date_time | timestamp | |
| file_path | str | |
| registry_path | str | |
| content_id | str | |
| type | str | |
| platform | str | |
| old_content | str | |
| content_status | str | |
| old_registry_value_type | str | |
| new_content | str | |
| customer_id | str | |
| action | str | |
| id | str | |
| class | str | |
| severity | int4 | |
| trust_status | str | |
| file_certificate_hash | str | |
| profiles | str | |
| baseline | bool | |
| registry_name | str | |
| changed_attributes | str | |
| processed_time | timestamp | |
| actor_process | str | |
| actor_process_id | str | |
| actor_image_path | str | |
| actor_user_name | str | |
| actor_user_id | str | |
| old_registry_value_content | str | |
| new_registry_value_type | str | |
| name | str | |
| file_content_hash | str | |
| reputation_status | str | |
| new_registry_value_content | str | |
| asset_agent_id | str | |
| asset_interfaces | str | |
| asset_last_checked_in | timestamp | |
| asset_created | str | |
| asset_host_id | str | |
| asset_operating_system | str | |
| asset_tags | str | |
| asset_asset_type | str | |
| asset_system_last_boot | timestamp | |
| asset_ec2 | str | |
| asset_last_logged_on_user | str | |
| asset_netbios_name | str | |
| asset_name | str | |
| asset_agent_version | str | |
| asset_updated | str | |
| incident_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |