Vulnerability Classification - OS/Midware/Application etc - Qualys
08-10-2022 03:50 AM
Hi All,
We have recently gone live with the VR module and currently ingest data from Qualys and MS Defender.
From Qualys, in the third party library table, we can see vendor and product information as well as a category field. I was wondering if anyone had managed to use this data to create some classification rules to aid in the assignment of the VIs/Remediation Task.
Thanks in advance
Sam
- Labels: Vulnerability Response
08-12-2022 06:38 AM
Hi Sam,
I'm not sure if we are or not, but wanted to reach out to see if you are using Qualys for Secure Configurations as well as VR perhaps. We're having some challenges with that API and just wondered if maybe you're experiencing similar issues.
Thanks,
Greg
08-12-2022 02:40 PM
Sam,
While we are, too, just getting started with trying to classify all our QIDs in the Third Party Library, I have two classification rules that we began with, classifying just about half the QIDs. Both rules use the Category field ... I started with "obvious" easy items and wrote the first rule to be for any Category that is an OS name (AIX, Windows, Linux, etc.) and classified those vulnerabilities as "Platform". The second rule is based on Category values of things like Database, Web Server, etc. and classified those as "Application".
We have on our backlog list of things to do - to finish adding rules based on Category, strings found in the Summary text, and whatever else we can devise (and get mitigation teams' acceptance and concurrence that we get it right - not easily done) ... In past home-grown similar solutions to decide if the OS administrator or an Application administrator would be responsible to mitigate, I have found several inconsistencies in relying only on the Category field with Qualys content, though.
Hope this helps at least a little.
Joe
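The two Category-based rules described in the post above can be dry-run offline against an export of the third party library table before they drive assignment. This is an added example, not part of the thread and not ServiceNow or Qualys code; the field names, sample rows, and summary keywords are constructed assumptions.

```python
# Constructed sample rows standing in for an export of the third party
# library table. QIDs, field names and text are placeholders, not Qualys data.
SAMPLE = [
    {"qid": "QID-A", "category": "Windows", "summary": "Operating system security update missing"},
    {"qid": "QID-B", "category": "Database", "summary": "Database server patch missing"},
    {"qid": "QID-C", "category": "Windows", "summary": "Web browser update missing on Windows host"},
    {"qid": "QID-D", "category": "General", "summary": "TLS protocol version enabled"},
    {"qid": "QID-E", "category": "Linux", "summary": "Kernel update missing"},
]

OS_CATEGORIES = {"aix", "windows", "linux"}    # rule 1: OS name -> Platform
APP_CATEGORIES = {"database", "web server"}    # rule 2: service type -> Application
# Hypothetical Summary keywords that suggest an application owner.
APP_SUMMARY_HINTS = ("browser", "database", "web server")


def by_category(row):
    """Apply the two Category rules in order; None means no rule matched."""
    cat = row["category"].strip().lower()
    if cat in OS_CATEGORIES:
        return "Platform"
    if cat in APP_CATEGORIES:
        return "Application"
    return None


def by_summary(row):
    """Independent second opinion derived from the Summary text."""
    text = row["summary"].lower()
    return "Application" if any(h in text for h in APP_SUMMARY_HINTS) else None


def dry_run(rows):
    """Report what the Category rules classify, miss, and where Summary disagrees."""
    report = {"classified": {}, "unclassified": [], "conflicts": []}
    for row in rows:
        cat_cls, sum_cls = by_category(row), by_summary(row)
        if cat_cls is None:
            report["unclassified"].append(row["qid"])
            continue
        report["classified"][row["qid"]] = cat_cls
        if sum_cls and sum_cls != cat_cls:
            report["conflicts"].append(row["qid"])  # review with mitigation teams
    report["coverage"] = len(report["classified"]) / len(rows)
    return report


if __name__ == "__main__":
    print(dry_run(SAMPLE))
```

The `conflicts` list is the set of entries where relying on Category alone would route the item to the OS team while the Summary text points at an application owner.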
09-05-2022 12:18 PM
I find it much better to use the data in the vulnerability summary field to build classification rules, because then you can use the classification rules for other VR processes.
09-05-2022 12:15 PM
I am having a kind of similar issue. Is there a way to add additional classifications to the set values of the classification rule? Right now we only have "Platform" and "Application" but would like to make a 3rd and 4th category (Networking, Encryption Communication Protocols, Mail Server, etc.) before I assign a further downstream classification type (TLS, SSL, SMB, etc.).
Is there a way to do this?