Queries for the QualysKnowledgeBase table

For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.

Summary of Qualys vulnerabilities by severity

Returns a summary of Qualys vulnerabilities grouped by severity level, category, and vulnerability type, including counts of patchable and unpatchable vulnerabilities.

QualysKnowledgeBase
// SoftwareVendor is a dynamic value; stringify it so make_set() can deduplicate it
| extend SoftwareVendorList = tostring(SoftwareVendor)
| summarize
    VulnerabilityCount = count(),
    PatchableCount = countif(Patchable == "1"),
    UnpatchableCount = countif(Patchable == "0"),
    // Note: CveId is an array, so this counts distinct CVE lists, not distinct CVEs
    CveCount = dcount(tostring(CveId)),
    Cves = make_list(CveId),
    Qids = make_list(Qid),
    AffectedVendors = make_set(SoftwareVendorList)
    by SeverityLevel, Category, VulnType
| extend VendorList = strcat_array(AffectedVendors, ", ")
| project
    SeverityLevel,
    Category,
    VendorList,
    VulnType,
    VulnerabilityCount,
    PatchableCount,
    UnpatchableCount,
    CveCount,
    Qids,
    Cves
| order by SeverityLevel desc, VulnerabilityCount desc
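The summary above counts distinct values of the whole CveId array, so two QIDs that share one CVE among different lists are counted as two. The following query is an added example, not one of the page's own queries: it expands the CveId array first so each CVE is counted once per severity and category, and reports how many of the contributing QIDs are patchable. Column names and the string-valued Patchable flag are taken from the page; that CveId is a dynamic array is assumed from the array_length(CveId) usage in the second query.

```kusto
// Added example (not from the original page): distinct-CVE counts per severity/category.
// Assumes CveId is a dynamic array of CVE strings, as the threat-intelligence query implies.
QualysKnowledgeBase
| where isnotnull(CveId) and array_length(CveId) > 0
// One row per (QID, CVE) pair instead of one row per QID
| mv-expand Cve = CveId to typeof(string)
| where isnotempty(Cve)
| summarize
    DistinctCves = dcount(Cve),            // each CVE counted once within the group
    DistinctQids = dcount(Qid),
    PatchableQids = dcountif(Qid, Patchable == "1"),
    Cves = make_set(Cve)
    by SeverityLevel, Category
| extend UnpatchableQids = DistinctQids - PatchableQids
| order by SeverityLevel desc, DistinctCves desc
```

Compare DistinctCves with the CveCount column of the original query to see how much the array-level count overstates the real number of CVEs in a group.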

Vulnerabilities enriched with threat intelligence

Returns Qualys vulnerabilities that have active threat-intelligence indicators, including threat level and exploit information.

QualysKnowledgeBase
// Keep only records that carry at least one threat-intelligence entry
| where isnotnull(ThreatIntelligence) and array_length(ThreatIntelligence) > 0
// One row per threat-intelligence entry
| mv-expand ThreatIntel = ThreatIntelligence
| where isnotnull(ThreatIntel)
| extend
    ThreatLevel = tostring(ThreatIntel["#cdata-section"]),
    ThreatId = tostring(ThreatIntel.id)
| where isnotempty(ThreatLevel) and isnotempty(ThreatId)
| extend
    IsPciRelevant = PciFlag == "1",
    IsPatchable = Patchable == "1",
    CveCount = array_length(CveId)
// Fold the expanded entries back into one row per vulnerability record;
// dynamic columns are stringified so they can be used as group keys
| summarize
    ThreatLevels = make_set(ThreatLevel),
    ThreatIds = make_set(ThreatId),
    HighestThreatId = max(toint(ThreatId))
    by TimeGenerated, Qid, VulnTitle, SeverityLevel, Category, VulnType,
       IsPatchable, IsPciRelevant, tostring(CveId), CveCount, tostring(SoftwareVendor),
       tostring(SoftwareProduct), PublishedDatetime, LastServiceModificationDateTime,
       Solution, Consequence
| project
    TimeGenerated,
    Qid,
    VulnTitle,
    SeverityLevel,
    HighestThreatId,
    ThreatLevels,
    ThreatIds,
    Category,
    VulnType,
    IsPatchable,
    IsPciRelevant,
    // Restore the stringified group keys to dynamic values for the output
    CveId = parse_json(CveId),
    CveCount,
    SoftwareVendor = parse_json(SoftwareVendor),
    SoftwareProduct = parse_json(SoftwareProduct),
    PublishedDatetime,
    LastServiceModificationDateTime,
    Solution,
    Consequence
| order by SeverityLevel desc, HighestThreatId desc, PublishedDatetime desc
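Because the query above groups by TimeGenerated, a QID that has been ingested more than once appears once per ingestion. The following query is an added example, not one of the page's own queries: it keeps only the most recent record per Qid before expanding ThreatIntelligence, then surfaces the unpatchable, threat-flagged vulnerabilities that most need a compensating mitigation. Column names and the "#cdata-section"/id shape of each ThreatIntelligence entry are taken from the page; that the table may contain repeated records per Qid is an assumption.

```kusto
// Added example (not from the original page): latest record per QID, then the
// unpatchable vulnerabilities that carry threat intelligence, for mitigation triage.
// Assumes the same column names and ThreatIntelligence entry shape as the query above.
QualysKnowledgeBase
| where isnotnull(ThreatIntelligence) and array_length(ThreatIntelligence) > 0
// Deduplicate: one row per Qid, taking the most recently ingested record
| summarize arg_max(TimeGenerated, *) by Qid
| mv-expand ThreatIntel = ThreatIntelligence
| extend
    ThreatLevel = tostring(ThreatIntel["#cdata-section"]),
    ThreatId = toint(ThreatIntel.id)
| where isnotempty(ThreatLevel) and isnotnull(ThreatId)
| summarize
    ThreatLevels = make_set(ThreatLevel),
    ThreatCount = dcount(ThreatId),
    HighestThreatId = max(ThreatId),
    LastIngested = max(TimeGenerated)
    by Qid, VulnTitle, SeverityLevel, Category, IsPatchable = Patchable == "1", Solution
// No vendor patch available: these need a workaround or compensating control
| where IsPatchable == false
| project Qid, VulnTitle, SeverityLevel, Category, ThreatCount, HighestThreatId,
          ThreatLevels, Solution, LastIngested
| order by SeverityLevel desc, ThreatCount desc, HighestThreatId desc
```

Drop the IsPatchable filter to see the full deduplicated list; the ThreatCount column then gives a simple way to rank patchable findings for remediation order as well.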