Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Qualys vulnerability summary by severity
Returns a summary of Qualys vulnerabilities grouped by severity level, category, and vulnerability type, including counts of patchable and unpatchable vulnerabilities.
QualysKnowledgeBase
| extend SoftwareVendorList = tostring(SoftwareVendor)
| summarize
VulnerabilityCount = count(),
PatchableCount = countif(Patchable == "1"),
UnpatchableCount = countif(Patchable == "0"),
CveCount = dcount(tostring(CveId)),
Cves = make_list(CveId),
Qids = make_list(Qid),
AffectedVendors = make_set(SoftwareVendorList)
by SeverityLevel, Category, VulnType
| extend VendorList = strcat_array(AffectedVendors, ", ")
| project
SeverityLevel,
Category,
VendorList,
VulnType,
VulnerabilityCount,
PatchableCount,
UnpatchableCount,
CveCount,
Qids,
Cves
| order by SeverityLevel desc, VulnerabilityCount desc
| order by SeverityLevel desc, VulnerabilityCount desc
Qualys vulnerabilities with Threat Intelligence
Returns Qualys vulnerabilities that have active threat intelligence indicators, including threat levels and exploit information.
QualysKnowledgeBase
| where isnotnull(ThreatIntelligence) and array_length(ThreatIntelligence) > 0
| mv-expand ThreatIntel = ThreatIntelligence
| where isnotnull(ThreatIntel)
| extend
ThreatLevel = tostring(ThreatIntel["#cdata-section"]),
ThreatId = tostring(ThreatIntel.id)
| where isnotempty(ThreatLevel) and isnotempty(ThreatId)
| extend
IsPciRelevant = PciFlag == "1",
IsPatchable = Patchable == "1",
CveCount = array_length(CveId)
| summarize
ThreatLevels = make_set(ThreatLevel),
ThreatIds = make_set(ThreatId),
HighestThreatId = max(toint(ThreatId))
by TimeGenerated, Qid, VulnTitle, SeverityLevel, Category, VulnType,
IsPatchable, IsPciRelevant, tostring(CveId), CveCount, tostring(SoftwareVendor),
tostring(SoftwareProduct), PublishedDatetime, LastServiceModificationDateTime,
Solution, Consequence
| project
TimeGenerated,
Qid,
VulnTitle,
SeverityLevel,
HighestThreatId,
ThreatLevels,
ThreatIds,
Category,
VulnType,
IsPatchable,
IsPciRelevant,
CveId = parse_json(CveId),
CveCount,
SoftwareVendor = parse_json(SoftwareVendor),
SoftwareProduct = parse_json(SoftwareProduct),
PublishedDatetime,
LastServiceModificationDateTime,
Solution,
Consequence
| order by SeverityLevel desc, HighestThreatId desc, PublishedDatetime desc