vuln.qualys

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Introduction

The tags begin with vuln.qualys identifies events generated by Qualys.

Valid tags and data tables

The full tag must have four levels. The first two are fixed as vuln.qualys. The third level identifies the type of events sent. The fourth level identifies the event subtype.

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Qualys	`vuln.qualys.hostdetections` This source tag is used in collector's versions less than 1.5.0	`vuln.qualys.hostdetections`
	`vuln.qualys.hostdetections.xml`	`vuln.qualys.hostdetections`
	`vuln.qualys.hosts`	`vuln.qualys.hosts`
	`vuln.qualys.useractivitylog`	`vuln.qualys.useractivitylog`
	`vuln.qualys.vulnerabilities`	`vuln.qualys.vulnerabilities`

How is the data sent to Devo?

To send logs to these tables, Devo uses a collector that retrieves the required events and sends them to your Devo domain. Contact us to start sending your logs to Devo using the collector.

Table structure

These are the fields displayed in these tables:

vuln.qualys.hostdetections
vuln.qualys.hosts
vuln.qualys.useractivitylog
vuln.qualys.vulnerabilities

vuln.qualys.hostdetections

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
host_id	`str`
asset_id	`str`
ip	`ip4`
tracking_method	`str`
network_id	`str`
os	`str`
os_cpe	`str`
dns	`str`
dns_hostname	`str`
dns_domain	`str`
dns_fqdn	`str`
cloud_provider	`str`
cloud_service	`str`
cloud_resource_id	`str`
ec2_instance_id	`str`
netbios	`str`
qg_host_id	`str`
last_scan_datetime	`timestamp`
last_vm_scanned_date	`timestamp`
last_vm_scanned_duration	`float8`
last_vm_auth_scanned_date	`timestamp`
last_vm_auth_scanned_duration	`float8`
last_pc_scanned_date	`timestamp`
tag_ids	`str`	`join(tag_ids_array, "\|\|\|")`	tag_ids_array
tag_names	`str`	`join(tag_names_array, "\|\|\|")`	tag_names_array
tag_colors	`str`	`join(tag_colors_array, "\|\|\|")`	tag_colors_array
tag_background_colors	`str`		tag_background_colors_array
metadata__ec2__attribute	`str`		metadata__ec2__attribute_array
metadata__google__attribute	`str`		metadata__google__attribute_array
metadata__azure__attribute	`str`		metadata__azure__attribute_array
cloud_tag_names	`str`		cloud_tag_names_array
cloud_tag_values	`str`		cloud_tag_values_array
cloud_tag_last_success_date	`str`		cloud_tag_last_success_date_array
detection_unique_vuln_id	`str`
detection_qid	`str`
detection_type	`str`
detection_severity	`str`
detection_port	`str`
detection_protocol	`str`
detection_fqdn	`str`
detection_ssl	`str`
detection_instance	`str`
detection_results	`str`
detection_status	`str`
detection_first_found_datetime	`timestamp`
detection_last_found_datetime	`timestamp`
detection_times_found	`int8`
detection_last_test_datetime	`timestamp`
detection_last_update_datetime	`timestamp`
detection_last_fixed_datetime	`timestamp`
detection_first_reopened_datetime	`timestamp`
detection_last_reopened_datetime	`timestamp`
detection_times_reopened	`int8`
detection_service	`str`
detection_is_ignored	`int8`
detection_is_disabled	`int8`
detection_affect_running_kernel	`str`
detection_affect_running_service	`str`
detection_affect_exploitable_config	`str`
detection_last_processed_datetime	`timestamp`
rawMessage	`str`			✓
hostchain	`str`			✓
tag	`str`			✓

vuln.qualys.hosts

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
host_id	`str`
asset_id	`str`
ip	`ip4`
tracking_method	`str`
network_id	`str`
dns	`str`
dns_hostname	`str`
dns_domain	`str`
dns_fqdn	`str`
cloud_provider	`str`
cloud_service	`str`
cloud_resource_id	`str`
ec2_instance_id	`str`
netbios	`str`
os	`str`
qg_hostid	`str`
last_boot	`timestamp`
serial_number	`str`
hardware_uuid	`str`
last_activity	`timestamp`
agent_status	`str`
cloud_agent_running_on	`str`
tag_ids	`str`	tag_ids_array
tag_names	`str`	tag_names_array
metadata__ec2__attribute	`str`	metadata__ec2__attribute_array
metadata__google__attribute	`str`	metadata__google__attribute_array
metadata__azure__attribute	`str`	metadata__azure__attribute_array
cloud_tag_names	`str`	cloud_tag_names_array
cloud_tag_values	`str`	cloud_tag_values_array
cloud_tag_last_success_date	`str`	cloud_tag_last_success_date_array
last_vuln_scan_datetime	`timestamp`
last_vm_scanned_date	`timestamp`
last_vm_scanned_duration	`int8`
last_vm_auth_scanned_date	`timestamp`
last_vm_auth_scanned_duration	`int8`
last_compliance_scan_datetime	`timestamp`
last_scap_scan_datetime	`timestamp`
owner	`str`
comments	`str`
user_def_value1	`str`
user_def_value2	`str`
user_def_value3	`str`
asset_group_ids	`str`
rawMessage	`str`		✓
hostchain	`str`		✓
tag	`str`		✓

vuln.qualys.useractivitylog

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
date	`timestamp`
action	`str`
module	`str`
details	`str`
user_name	`str`
user_role	`str`
user_ip	`ip4`
rawMessage	`str`	✓
hostchain	`str`	✓
tag	`str`	✓

vuln.qualys.vulnerabilities

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
ip	`ip4`
dns	`str`
netbios	`str`
os	`str`
ip_status	`str`
qid	`int4`
title	`str`
type	`str`
severity	`str`
port	`str`
protocol	`str`
fqdn	`str`
ssl	`str`
cve_id	`str`
vendor_reference	`str`
bugtraq_id	`str`
cvss_base	`str`
cvss_temporal	`str`
cvss3_base	`str`
cvss3_temporal	`str`
threat	`str`
impact	`str`
solution	`str`
exploitability	`str`
associated_malware	`str`
results	`str`
pci_vuln	`str`
instance_str	`str`
category	`str`
scan_reference	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓