Reporting Strategies and Best Practices

Training Labs
LAB 1: Account Activation and Setup
Login to Qualys
Update User Profile
General Information
User Role
Notification Options
Security
Add Hosts Assets
Removing Host Assets
Create Asset Groups
Windows Asset Group
Linux Asset Group
Perform Authenticated Scan
Windows Authentication Record
Unix Authentication Record
Import Option Profile
Launch Windows Authenticated Scan
Launch Linux Authenticated Scan
Qualys Cloud Agent
LAB 2: Threat Protection
Activate Threat Protection Trial
View and customize Threat Feed
Import the Threat Dashboard
Add a custom Threat Widget
Nested RTI queries
LAB 3: AssetView
AssetView Queries
Grouping search results
AssetView Widgets and Dashboards
Create a dashboard
Create a blank dashboard
Add a preconfigured Pie Widget and customize it
Add a count Widget
Add a Bar Widget
Add a Table Widget
Import a dashboard
Lab 4: VM Dashboard
Enable VM Dashboard
VM Dashboard Filters
VM Dashboard
Queries
Import a dashboard
LAB 5: Authentication Report
LAB 6: Report Template – Findings Option
Qualys Report Template Library
Host Based Findings Report Template
Create Host Based Findings Report
Scan Based Findings Report Template
Create Scan Based Findings Report
LAB 7: Report Template – Display Options
Cloud Agent Host ID
EC2 Relation Information
LAB 8: Report Template – Filter Options
Filtering by Vulnerabilities and Operating System
LAB 9: Patch Report
LAB 10: Report Scheduling and Distribution
Create a User
Create a Distribution Group
Define Report Distribution Method
Assign a user to the template
Schedule a Report
LAB 11: Purging
Purge an IP
Removing an IP
Appendix A: Cloud Agent Installation
Create Cloud Agent Activation Key
Windows Agent Installation
Command Line Installation
Validate CA Installation
Locate Host ID
View CA Log File (Log.txt)
Mac OS Agent Installation
Command Line Installation
Validate CA Installation
Locate Host ID
Locate CA Log File (qualys-cloud-agent.log)
RPM-Based Agent Installation
Command Line Installation
Validate CA Installation
Locate Host ID
Locate CA Log File (qualys-cloud-agent.log)
Debian or Ubuntu Agent Installation
Command Line Installation
Validate CA Installation
Locate Host ID
Locate CA Log File (qualys-cloud-agent.log)
Cloud Agent Inventory

LAB 1: Account Activation and Setup
This lab will address a few steps needed to set up your Qualys student trial account. These
steps will make it possible to complete the remaining lab exercises in this document.

Login to Qualys
Student account credentials for Self-Paced training classes are automatically generated and
sent to your email inbox within 2 business days (please enroll with your business or company
email address; public email domains are not supported).

Student account credentials for Instructor-Led training classes are provided by the Qualys class
instructor.

Your student trial account will remain active for 30 days from the date of activation. Please
contact training@qualys.com with account issues or questions.

1. Open your Qualys student trial account message/document.

2. Record the USERNAME from this document and save it in a secure place.

**The period at the end of the sentence is NOT a part of the USERNAME.
3. To obtain the password, click the link found in the registration document.

4. On the activation page, enter the OTP code found in the registration document and
click Submit. (If it has been over 30 minutes since you received the registration document,
the OTP code will not work; use the Resend button to generate a new OTP code.)

For security, the Login username on this page appears partially obfuscated with ******.
5. Record the PASSWORD from this document.

6. Use the link provided to login and activate your Qualys student trial account.

7. Scroll to the bottom and select the checkbox to accept the “Service User Agreement” and
click the “I Agree” button.

8. Enter your current password, and then choose a new password (record your new
password).

9. Click the “Save” button, followed by the “Close” button.

10. Log back into your student trial account using your new credentials.

Update User Profile
The steps that follow will help you personalize your student user account and make other
adjustments that will provide a more effective training environment.

1. Click on your User ID (located between “Help” and “Logout”) and select the “User Profile”
option.

General Information
Make any necessary adjustments to the “General Information” section of your user profile.

2. Update the “E-mail Address” field with your current e-mail address (notifications and
password reset information will be sent to the address you provide).

User Role
Different Qualys user accounts take on different user roles.

3. Click “User Role” in the navigation pane (left) and make note that your student account
user role is: Manager, and you can access your account using the Graphical User Interface
(GUI) or the Application Program Interface (API).

Notification Options
All notifications will be sent to the e-mail address specified in the “General Information”
section.
4. Click “Options” in the navigation pane (left) and make the appropriate selections for the
type of notifications you would like to receive.

Security
Individual security settings can be configured for two-factor authentication, and Security
Questions are provided to facilitate attempts to reset your user password.

5. Click “Security” in the navigation pane (left) and take a moment to complete the Security
Questions.

6. Click the “Save” button.

Completing these Security Questions is a requirement for using the “Forgot Password” link
found on the Qualys Login page.

Add Hosts Assets
The steps that follow will have you add host IPs to your subscription. These IP address “targets”
will be used throughout the entire lab.
**Important Notice about your student account**
With your student trial account, you have permission to scan the target IP addresses provided
by Qualys. You do not have permission to scan any other IP address or web application using
this account.
Best Practice - Before scanning, always get approval to scan IP addresses and/or web
applications. It is your responsibility to obtain this approval.

1. Navigate to the “Assets” section and click on the “Host Assets” tab.

2. Click the “New” button and then click on the “IP Tracked Hosts” option.

3. Click “Host IPs” in the navigation pane (left) and enter the following IP address range:
64.41.200.243-64.41.200.250 (8 IPs).

4. Click the “Add” button, followed by “Apply”.

Removing Host Assets


When it is time to retire a host, a MANAGER user can remove it from your account.

You’ll find the “Remove IPs” option by clicking the “Actions” button under the “Host Assets”
tab.

Create Asset Groups
Asset Groups and Asset Tags make excellent targets for your scans and reports. Create one
Asset Group for your Windows host assets and one for your Linux host assets.

Windows Asset Group


This Asset Group will contain the Windows-based host assets within your Qualys account.

1. Navigate to the “Assets” section, and click on the “Asset Groups” tab.

2. Click the “New” button and then select the “Asset Group…” option.

3. Type “AG: Windows” in the “Title” field.

4. Click “IPs” in the navigation pane and then click the “Select IPs/Ranges” link.

5. Click the “Expand” icon to expand the IP address range.

6. Place a check mark next to the following IP addresses:


- 64.41.200.246

- 64.41.200.247

- 64.41.200.248

- 64.41.200.249

7. Click the “Add” button, followed by the “Save” button.

Linux Asset Group


This Asset Group will contain Linux-based host assets within your Qualys account.

1. From the Asset Groups tab click the “New” button and select the “Asset Group…” option.

2. Type “AG: Linux” in the “Title” field.

3. Click “IPs” in the navigation pane (left), and then click the “Select IPs/Ranges” link.

4. Click the “Expand” icon to expand the IP address range.

5. Place a check mark next to the following IP addresses:

- 64.41.200.243

- 64.41.200.244

- 64.41.200.245

- 64.41.200.250

6. Click the “Add” button, followed by the “Save” button.
The Qualys Platform automatically creates matching Asset Tags for each Asset Group added
to your account. You’ll find your matching Asset Tags in the AssetView application
(embedded within the “Asset Groups” hierarchy).

Perform Authenticated Scan


Performing vulnerability scans in “authenticated” mode is a recommended best practice.
Create one authentication record for Windows and another for Unix/Linux.

Windows Authentication Record


Create a Windows authentication record for a Domain Admin user account:

1. Navigate to the “Scans” section, and click the “Authentication” tab.

2. Click the “Hide Graph” option, near the upper-right corner of the “Overview” pane.

3. Click the “New” button and select the “Windows Record…” option.

4. Enter “Domain Admin” as the “Title” for the Authentication Record.

5. Click “Login Credentials” in the navigation pane (left).

6. Leave the “Domain” radio button selected and use the “Domain Type” drop-down menu
to select the “Active Directory” option.

7. Enter “trn.qualys.com” (omit quotes) in the “Domain name” field.

8. Enter “qscanner” (omit quotes) in the “User Name” field and “abc1234!” (omit quotes) in
the “Password” fields.

9. Click the “Save” button to complete the creation of your new Authentication Record.

Unix Authentication Record
Create a Unix/Linux authentication record that uses “sudo” for root delegation:

1. Click the “New” button and select the “Unix Record…” option.

2. Type “qscanner with Sudo” in the “Title” field.

3. Click “Login Credentials” in the navigation pane and enter “qscanner” (omit quotes) in the
“User Name” field and “abc1234!” (omit quotes) in the “Password” fields.

4. Click “Root Delegation” in the navigation pane and click the “Add Root Delegation”
button on the right.

5. Select “Sudo” from the dropdown menu for “Root Delegation”.

6. Enter “abc1234!” (omit quotes) in the “Password” field.

7. Click the “Save” button.

8. Click “IPs” in the navigation pane (left) and enter the four IPs of your Unix-based host
assets: 64.41.200.243, 64.41.200.244, 64.41.200.245, 64.41.200.250.

9. Click the “Create” button to complete the creation of your new Authentication Record.

A distinction between these two authentication records is the noticeable lack of IP addresses
from the Windows Domain record. The IPs for a Windows Domain authentication record are
collected at scan-time, using an API call to the Windows Domain service.

Import Option Profile
Authentication isn’t enabled by default and must be selected within an Option Profile. This
exercise will import a pre-defined Option Profile that has Authentication enabled.

1. Navigate to the “Scans” section, and click the “Option Profiles” tab.

2. Click the “New” button and the “Import from Library” option.

3. Select “Authenticated Scan v.1” and click the “Import” button.

4. When prompted, click the “Make Global” button.

Launch Windows Authenticated Scan

1. Navigate to the “Scans” tab, click the “New” button and select the “Scan” option.

2. Type “Initial Windows Scan” in the “Title” field.

3. Select “Authenticated Scan v.1” as your Option Profile.

4. In the “Choose Target Hosts from” section, select the “AG: Windows” asset group.

5. Click the “Launch” button to launch the scan.

6. Click the “Close” button to close the “Scan Status” window, when it is displayed.

Launch Linux Authenticated Scan
1. From the “Scans” tab, click the “New” button and select the “Scan” option.

2. Type “Initial Linux Scan” in the “Title” field.

3. Select “Authenticated Scan v.1” as your Option Profile.

4. In the “Choose Target Hosts from” section, select the “AG: Linux” asset group.

5. Click the “Launch” button to launch the scan.

6. Click the “Close” button to close the “Scan Status” window, when it is displayed.

Qualys Cloud Agent
Although this lab does not provide full coverage of Qualys Cloud Agent, this would be a good
time to deploy an agent or two. You’ll find steps to complete an agent installation in
Appendix A, at the end of this lab document.

For more information on Cloud Agent installation and deployment, see the Qualys Cloud Agent
Self-Paced training class (qualys.com/learning).

LAB 2: Threat Protection
Threat Protection helps you visualize and assess your actual security threats in one place. It is
built on top of AssetView and provides additional options for querying data based on threat. A
vulnerability becomes a greater risk when it has an associated threat.

Threat Protection has an up-to-date feed of the latest threats and how they could potentially
affect your environment. It gives you the ability to prioritize the real threats to your
organization. Threat Protection provides context to your data by correlating your vulnerability
data (obtained via scans/cloud agent) to actual threats.

There are 10 Real-time Threat Indicators (also known as RTI’s) which are used to correlate your
vulnerability data:

• Public Exploit
• Zero Day
• Actively Attacked
• High Lateral Movement
• Exploit Pack
• Easy Exploit
• No Patch Available
• High Data Loss
• Denial of Service
• Malware
• Wormable
• Predicted High Risk

Activate Threat Protection Trial


This exercise will teach you how to activate the Threat Protection trial.

1. Using the Application Picker on the top left, navigate to “Threat Protection”.

2. Click on “Start 14-Day Trial”.

3. Click on “Confirm” to get started.

View and customize Threat Feed
1. Navigate to the “Feed” section under the Threat Protection module.

The Feed is a list of all known threats. The feed helps you prioritize remediation and mitigation
tactics.

2. Find a threat that has at least one “impacted asset” and click on the title of the threat.

Review the information about the threat such as Vulnerability / Mitigation / References etc.

Note: You should have at least one finished scan in order for the “Impacted Assets” count to
show up. If you do not see any threats with impacted assets, navigate back to the Vulnerability
Management application and verify the scan status.

3. Back in the Feed section, click on the count of Impacted Assets.

You’ll be taken to the “Assets” tab and you’ll see the impacted assets.

4. In the upper-right corner, click the gear icon and select the “Download...” option.
5. Select your preferred format and click “Download”.
6. Navigate back to the Feed section.

7. Click on the “Impacted Assets” button on the top-right.

8. Click on “Select”.

9. Click the “Browse tags” icon to view the available tags.
10. Select the “AG: Windows” tag.

For every Asset Group that you create, Qualys automatically creates a tag with the same
name.

11. Click OK.

The count of Impacted Assets for all threats will be updated to include only those assets
that match the selected tag.

This option is useful when you want to view your threat exposure for highly critical assets,
such as those for PCI or any other compliance type, or Internet exposed assets.

Import the Threat Dashboard


1. Navigate to the “Dashboard” section.

2. Click on the “Actions” button and then click “Create New Dashboard”.

3. Select the “Threat Protection” dashboard and click “Next”.

4. Provide a title: “Threat Dashboard”.


5. Select the option “Make this dashboard my default” and click “Create”.

The widgets you see in this dashboard use the Threat Protection RTI’s to populate data.

6. To know more about these RTI’s, click on “Help” on the top-right and then click on
“Online Help”.

This will show you the online help page of Threat Protection.

7. Click “Tell me about Real-time Threat Indicators (RTI)”.

Here you’ll find all the RTI’s listed and explanations for each one.

Add a custom Threat Widget


This exercise will teach you how to create a custom Threat Widget.

1. Navigate to the “Assets” section.


2. In the Search bar, delete any existing query and execute the following query:

vulnerabilities.vulnerability.threatIntel.activeAttacks:"true" and operatingSystem:"Windows"

This query looks for all assets having a Windows operating system and also having a
vulnerability for which an active attack has been observed.

3. Click “create widget”.

4. Provide a title: “Windows assets with actively attacked vulns”.


5. Check the box: “Compare with another reference query”.
6. Provide the following query, and press Enter:

operatingSystem:"Windows"

7. Update the Comparison label to “All Windows Assets”.


8. Check the box to “Collect trend data”.

Trending data will start appearing on your widget in 24 hours and it is stored for up to 90
days.

9. Add conditional formatting and set the base color to Grey.
10. Click “Add to Dashboard”.

Nested RTI queries


This exercise will teach you how to create nested queries using RTI’s to pinpoint assets with
the most critical threats.

1. Navigate to the “Assets” section, click on the “Assets” tab and try these queries in the
search bar:

a. Use this query to look for assets with at least one vulnerability that is severity 5 and
has an exploit kit available:

vulnerabilities.vulnerability:(threatIntel.exploitKit:"true" and severity:"5")

This query puts the focus on high severity vulnerabilities for which an exploit kit is
available.

b. Use this query to look for assets with at least one vulnerability that is of type Denial of
Service and also has an associated malware:

vulnerabilities.vulnerability:(threatIntel.denialOfService:"true" and threatIntel.malware:"true")

This query focuses on those vulnerabilities that are known to be associated with a
malware and can also cause a denial of service.

c. Use this query to look for assets with at least one vulnerability for which an active
attack has been observed, and has been scanned in the last one week:

vulnerabilities.vulnerability.threatIntel.activeAttacks:"true" and lastVmScanDate:[now-1w .. now]

d. Use this query to look for assets with at least one vulnerability of type Zero day, and
also belongs to a specific tag:

vulnerabilities.vulnerability.threatIntel.zeroDay:"true" and tags.name:"AG: Windows"

e. Use this query to look for assets with at least one vulnerability with a matching exploit
kit:

vulnerabilities.vulnerability.threatIntel.exploitKitName:"Nuclear"

Try other exploit kit names in the above query, such as Angler, Fiesta, Magnitude,
Neutrino and RIG.

f. Use this query to look for assets associated with a high business impact tag, with at
least one vulnerability that can be easily exploited, and the exploit is available
publicly:

vulnerabilities.vulnerability:(threatIntel.easyExploit:"true" and threatIntel.publicExploit:"true") and tags.businessImpact:"HIGH"

This query puts the focus on your most important assets and combines them with the
Threat Protection RTI’s.

g. Use this query to look for assets associated with a high or critical business impact tag,
with at least one vulnerability that has a predicted high risk and has a patch available:

vulnerabilities.vulnerability:(threatIntel.predictedHighRisk:"TRUE" and patchAvailable:"true") and tags:(businessImpact:"HIGH" or businessImpact:"CRITICAL")

h. Use this query to look for assets with at least one vulnerability that is considered
wormable and is known to cause high data loss:

vulnerabilities.vulnerability.threatIntel:(wormable:"TRUE" and highDataLoss:"true")
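
The difference between a nested query and the same conditions written as separate tokens, modelled locally as an added example (not Qualys code and not part of the original lab). The asset records are constructed, their field names mirror the lab's search tokens, and the independent per-asset evaluation of un-nested tokens is an assumption of this model.

```python
# Added illustration: a local model of nested versus un-nested asset queries.
# The records below are constructed sample data, not output from any scan.

ASSETS = [
    {   # one vulnerability is severity 5, a different one has an exploit kit
        "name": "win-a",
        "vulnerabilities": [
            {"severity": 5, "threatIntel": {"exploitKit": False}},
            {"severity": 2, "threatIntel": {"exploitKit": True}},
        ],
    },
    {   # a single vulnerability is both severity 5 and has an exploit kit
        "name": "win-b",
        "vulnerabilities": [
            {"severity": 5, "threatIntel": {"exploitKit": True}},
            {"severity": 3, "threatIntel": {"exploitKit": False}},
        ],
    },
    {   # one severity 4 vulnerability, no exploit kit
        "name": "lin-c",
        "vulnerabilities": [
            {"severity": 4, "threatIntel": {"exploitKit": False}},
        ],
    },
]


def field(record, dotted):
    """Resolve a dotted token such as 'threatIntel.exploitKit' in a record."""
    value = record
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def between(low, high):
    """Predicate for an inclusive range such as severity:[4 .. 5]."""
    return lambda value: value is not None and low <= value <= high


def equals(expected):
    """Predicate for an exact match such as severity:"5"."""
    return lambda value: value == expected


def nested_match(asset, conditions):
    """vulnerabilities.vulnerability:(A and B): one vulnerability meets all."""
    return any(
        all(test(field(vuln, token)) for token, test in conditions.items())
        for vuln in asset["vulnerabilities"]
    )


def flat_match(asset, conditions):
    """A and B as separate tokens: each may be met by a different vulnerability."""
    return all(
        any(test(field(vuln, token)) for vuln in asset["vulnerabilities"])
        for token, test in conditions.items()
    )


def compare(assets, conditions):
    """Return (nested hits, assets that only the un-nested form reports)."""
    nested = [a["name"] for a in assets if nested_match(a, conditions)]
    flat_only = [
        a["name"] for a in assets
        if flat_match(a, conditions) and not nested_match(a, conditions)
    ]
    return nested, flat_only


# Query (a) from the lab: exploit kit available and severity 5.
QUERY_A = {"threatIntel.exploitKit": equals(True), "severity": equals(5)}

if __name__ == "__main__":
    nested, flat_only = compare(ASSETS, QUERY_A)
    print("nested query matches:", nested)
    print("matched only when the tokens are not nested:", flat_only)
```

The second list is the over-report to watch for when prioritizing: those assets meet each condition somewhere, but no single vulnerability on them meets both.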

LAB 3: AssetView
AssetView is a cloud-based IT asset inventory service that lets you search for information about
any asset that has been scanned by either a Qualys scanner appliance or Qualys Cloud Agent.
AssetView also indexes all your assets discovered by the cloud connectors.

AssetView indexes information such as open ports, services, installed software, hardware, user
accounts, vulnerabilities, threat indicators, compliance posture, file and directory level events,
indicators of compromise, and host asset alerts, allowing you to search and view information
about your assets in one single console.

AssetView also allows you to create widgets and dashboards that can help you visually
represent your inventory, vulnerability and compliance data.

AssetView Queries
This exercise will teach you how to perform queries in the AssetView module.

1. Open the AssetView application.


2. Navigate to the “Assets” section and then click on the “Assets” tab.

Here you’ll find host assets detected from a Qualys vulnerability scan, Qualys Cloud Agent
or from any of the cloud connectors.

3. Use the “Quick Actions” menu and click “View Asset Details” for a specific host.

This will show you all details about your asset from a single pane. This includes inventory
and vulnerability data. You’ll also see compliance, file and directory events, indicators of
compromise and continuous monitoring alerts, if these have been enabled for the asset.

4. Click the “Close” button to return to the list of Assets.

5. Click on the icon at the right-end of the “Search” field.

6. Scroll down until you reach the “Range searches” topic, review these examples.

Range searches are handy when you have a range of values that need to be searched. This
includes IP address ranges, open port ranges, vulnerability severity ranges and date ranges.
Without a range search, your search query would be longer and complex.

Range searches simplify your searches by allowing you to specify an upper range and a
lower range.

7. Try these examples of Range searches in your search bar:

a. Use the below query to check for assets that have open ports in the range of 21 to 25:

openPorts.port:[21 .. 25]

b. Use the below query to check for assets that have at least one vulnerability with
severity 3, 4 or 5:

vulnerabilities.vulnerability.severity:[3 .. 5]

c. Use the below query to look for assets with vulnerabilities that were first found in the
last 15 days:

vulnerabilities.firstFound:[now-15d .. now]

Once you have this dataset, use the “Group Assets by...” option and select
“Vulnerabilities”. This will show you the matching vulnerabilities.

Then click on any Assets count to see the assets that match a specific vulnerability.

When you’re done, remove the “Group Assets by…” setting.

d. Use the below query to look for assets that were updated in the last 7 days. This
includes assets rescanned by a scanner appliance, or host information uploaded by the
Cloud Agent:

updated:[now-7d .. now]

e. Use the below query to look for assets that have an interface IP address in the given
range:

interfaces.address:[64.41.200.243 .. 64.41.200.245]

8. Click on the icon at the right-end of the “Search” field.

9. Scroll down through the list to get an idea of the different search tokens and parameters
you can use to build your own queries.
10. To test any of these, copy and paste into the Search field.
11. Try the following queries in the search bar:
a. Use the below query to look for assets that have been created (i.e. when first scanned
by a scanner appliance, or when Cloud Agent was installed) in the last 7 days:

created:[now-7d .. now]

Download this dataset and you’ll have a list of assets that have been newly scanned (or
scanned for the first time) in the last 7 days.

b. Use the below query to look for the asset having a specific IP address:

interfaces.address:64.41.200.243

c. Use the below query to look for assets with hostnames ending with a specific string, in
this case, a domain:

interfaces.hostname:"*sjc01.qualys.com"

This query will show you assets that have hostnames matching the subdomain you
specified. Using the same search token, it is also possible to query hostnames matching
a domain (like *.qualys.com).

d. Use the below query to look for assets that have been scanned for vulnerabilities in
the last one week:

lastVmScanDate:[now-1w .. now]

e. Use the below query to look for assets that belong to a specific domain and have not
been scanned in the last 2 weeks:

interfaces.hostname:"*.qualys.com" and not lastVmScanDate:[now-1w .. now]

This query will show you assets that belong to your domain but have not been scanned
within the defined window.

Note: Using this query in your trial account will not yield any results because the assets
have been scanned recently.

f. Use the below query to look for assets having an end-of-life operating system:

vulnerabilities.vulnerability.title:EOL

To view the matched vulnerabilities, click “Group assets by…” and then select
“Vulnerabilities”.

g. Use the below query to look for assets associated with a specific tag name:

tags.name:"AG: Windows"

For each asset group you create, the service automatically creates a tag with the same
name.

h. Use the nested query below to look for assets that have a vulnerability matching
three pieces of criteria: high severity, patchable, and relating to Internet Explorer:

vulnerabilities.vulnerability:(severity:[4..5] AND patchAvailable:true AND title:'Internet Explorer')

i. Use the below query to look for assets having vulnerabilities with a matching CVE id:

vulnerabilities.vulnerability:(cveIds:CVE-2016-5270 or cveIds:CVE-2018-15473)

j. Use the below query to look for assets with at least one vulnerability that has
severity 5 and was found in the last 30 days:

vulnerabilities: (vulnerability.severity: 5 AND firstFound > now-30d)

k. Use the below query to look for assets with confirmed high severity vulnerabilities
for which a patch is available:

vulnerabilities:(vulnerability.severity:[4..5] and vulnerability.types:VULNERABILITY and vulnerability.patchAvailable:"true")
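
Query (e) above, applied offline to a downloaded asset list, as an added example that is not part of the original lab. The rows, the hostnames under example.com (standing in for the lab's domain) and the field layout are constructed, and counting a never-scanned asset as outside the window is an assumption of this model. The look-back window is a parameter, so a one-week and a two-week window can be compared.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed rows standing in for a downloaded asset list; the keys mirror the
# lab's search tokens. These are not real hosts or real scan dates.
INVENTORY = [
    {"hostname": "web01.sjc01.example.com", "lastVmScanDate": "2024-06-14T08:00:00Z"},
    {"hostname": "db02.sjc01.example.com", "lastVmScanDate": "2024-06-05T08:00:00Z"},
    {"hostname": "old03.example.com", "lastVmScanDate": "2024-05-20T08:00:00Z"},
    {"hostname": "new04.example.com", "lastVmScanDate": None},  # never scanned
    {"hostname": "lab05.example.test", "lastVmScanDate": "2024-04-01T08:00:00Z"},
]

# Fixed "now" so the result is repeatable; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

UNITS = {"d": "days", "w": "weeks"}


def window(spec):
    """Turn the offset part of now-1w or now-15d (given as '1w', '15d') into a timedelta."""
    if len(spec) < 2 or spec[-1] not in UNITS or not spec[:-1].isdigit():
        raise ValueError(f"unsupported window: {spec!r}")
    return timedelta(**{UNITS[spec[-1]]: int(spec[:-1])})


def parse_scan_date(text):
    """Parse an ISO-style UTC timestamp; None or empty means no scan on record."""
    if not text:
        return None
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def not_scanned_within(inventory, hostname_pattern, spec, now):
    """Hostnames matching the wildcard pattern with no scan in [now - spec, now]."""
    cutoff = now - window(spec)
    stale = []
    for row in inventory:
        # Hostnames are case-insensitive, so compare in lower case.
        if not fnmatchcase(row["hostname"].lower(), hostname_pattern.lower()):
            continue
        scanned = parse_scan_date(row["lastVmScanDate"])
        # Assumption: an asset without a scan date counts as not scanned in the window.
        if scanned is None or not (cutoff <= scanned <= now):
            stale.append(row["hostname"])
    return stale


if __name__ == "__main__":
    for spec in ("1w", "2w"):
        print(spec, not_scanned_within(INVENTORY, "*.example.com", spec, NOW))
```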

Grouping search results


This exercise will teach you how to group your AssetView search results.

1. Erase any previous queries that may have been left in the “Search” field.

2. Execute the following query:

operatingSystem: "windows"

3. Use the “Group assets by...” dropdown menu to select the “Open Port” option.

The results from the query are now grouped by open ports, along with the number of hosts
associated with each port number.

4. Click the “Show assets” link to return to your original list of assets.
5. Erase any previous queries that may have been left in the “Search” field.

6. Use the “Group assets by...” dropdown menu to select the “Operating System” option.

The host assets are now grouped by operating systems, along with the number of hosts
associated with each operating system.

7. From the list of displayed operating systems, click the count of “Windows Server 2012”.

This will form a query in the search box.

8. Click “Save” above the search box to save this query.

9. Provide a title: “Windows 2012 Assets”, click the checkbox “Add this search to your
favorite”, and click “Save”.

The saved search is now available in the “Saved Searches” dropdown.

AssetView Widgets and Dashboards
Just about any query that you build can be used to create a Dashboard Widget that displays
useful graphics and/or statistics.

In the next set of exercises, you’ll learn how to create widgets and add them to a dashboard.

Create a dashboard

This exercise will teach you how to import an existing dashboard.

1. In the AssetView application, navigate to the “Dashboard” section.

2. To import a new dashboard, click on “Actions” and click “Create New Dashboard”.

You’ll see a list of pre-configured dashboards to select from.

3. Scroll down and select “WannaCry and Shadow Brokers” and click “Next”.

4. Provide a title: “WannaCry and Shadow Brokers”
5. Click “Create”.

The dashboard will be imported. Scroll through and review the widgets.

6. Click on the “Missing MS17-010 Patch” widget to see the assets that are missing the
patch.

This information is based on the latest scan data or data collected by Cloud Agents.

7. Click on the gear icon on the top-right and click Download. Choose your format and
download this data.

Create a blank dashboard

This exercise will teach you how to import a blank dashboard. This dashboard will be used to
add Widgets.

1. Under the “Dashboard” section, click “Actions” and then click “Create New Dashboard”.

2. Scroll down and select the “Blank” dashboard and click “Next”.

3. Provide a title - “Custom VM Dashboard”.
4. Select the checkbox – “Make this dashboard my default”.
5. Click “Create”.

The blank dashboard has now been imported. This can be used to add your custom widgets.

Add a preconfigured Pie Widget and customize it

This exercise will teach you how to import a preconfigured Widget to your dashboard.

1. To add a preconfigured Widget, click “Add Widget”.

2. From the list of available widgets, select the “Assets updated today” widget, and click
“Add to Dashboard”

This widget shows the count of assets that have been updated in the last 1 day. This could
be a result of the asset being scanned by the Qualys Scanner Appliance or the Qualys Cloud
Agent installed on the host asset uploading data to the platform.

If your assets have been scanned in the last one day, your widget will appear as shown
above.

If your assets have not been scanned in the last one day, your widget query won’t have any
matching results and it will appear as shown above.

3. To customize the widget, use the menu on the top-right corner of the Widget and click
“Configure Widget”.

4. Change the Widget Title: “Assets updated in the last 7 days”

Note that this is a Pie Widget.

5. Update the Query:

updated > now-7d

6. Change the Sort direction to “Ascending”.


7. Click “Save”.

8. Click “AG: Windows” on the widget to view the matching assets.

This shows you all assets that belong to the tag “AG: Windows”, that have been updated in
the last 7 days. This update could be from a vulnerability scan or from data sent by the
Cloud Agent.

Add a count Widget

This exercise will teach you how to create a count Widget.

1. Navigate to the “Assets” section and click on the “Assets” tab.


2. In the search bar, execute the following query:

operatingSystem:"Windows" and vulnerabilities.vulnerability.severity:"5"

3. Click on “create widget”.

4. Provide a title: “Windows assets with Sev 5 Vulns”


5. Check the box: “Compare with another reference query”

Note: If you do not provide another reference query to compare against, the service
automatically compares your matching asset count against the total count of all assets.

6. Click “Add conditional formatting...” and then click “Set base color to...”
7. Click the box next to “Set base color to...” and select the green color.

8. Click “Add conditional formatting...” and then click “When the value is...”

9. Click “equal to 500”, then select “more than”, select “a custom value”, type “10%”, press
Enter.

10. Click the box and change the color to Amber.
11. Click “Add to Dashboard”.

Add a Bar Widget

This exercise will teach you how to create a Bar Widget.

1. Navigate to the “Assets” section and click on the “Assets” tab.


2. In the search bar, execute the following query

vulnerabilities.vulnerability.severity:[1 .. 5]

3. Click on “create widget”.


4. Change the widget type to “Bars”.

5. Provide a title: “Severity Distribution of Vulnerabilities”


6. Change the Categories to “vulnerabilities.severity”.
7. Change the Sort direction to “Descending”.

8. Check the box for “Show Legend”.
9. Click “Add to Dashboard”.

Add a Table Widget

This exercise will teach you how to create a Table Widget.

1. Navigate to the “Assets” section and click on the “Assets” tab.


2. In the search bar, execute the following query

tags.name:*

This will show you all assets that match at least one tag.

3. Click on “create widget”.

4. Click the “Table” widget type.

5. Provide a title: “Asset distribution across tags”
6. Select the radio button to “Group assets”
7. Change the “Sort by” field to “count”.
8. Change the “Sort direction” to “Descending”.
9. Click “Add to Dashboard”.

Import a dashboard

AssetView allows you to import pre-configured readymade dashboards. This exercise will teach
you how to import a preconfigured dashboard.

1. Use the “Actions” menu and click “Import New Dashboard”.

2. Provide a title: “SSL Dashboard”
3. Click “Choose File”

The dashboard files can be downloaded from https://qualys.com/learning. After logging in,
click the name of the course to download the files.

4. Select the file called “SSL_TLS_MGMT_Dashboard.json”.


5. Click Import.
6. Similarly import the following dashboards:

- SLA_and_Management_Information_dashboard.json

- SevenMonkeys_dashboard.json

Lab 4: VM Dashboard
VM Dashboard gives you a complete and continuously updated view of all your VM assets –
on-prem, endpoints and in the cloud, in one place within the VM module. Vulnerability and
security results are correlated from VM scans and cloud agents.

Note: Before performing the queries, it is a good idea to look at the query formatting best
practices - Dashboard Toolbox - Improving Dashboard Performance through Query Formatting
and Filters

Enable VM Dashboard
1. Open the Vulnerability Management application.

2. Navigate to the Dashboard section.

3. Click on the link that says “Find out more and get started”.

The VM Dashboard will now be activated.

VM Dashboard Filters
This exercise will teach you how to perform queries in the VM Dashboard module.

1. Navigate to the Vulnerabilities section.

2. Select the filter for Severity 5.

3. Select the filter for “Local” Category.

4. Select the filter for “Confirmed” type detected.

As you select the filters on the left-hand side, a query will be automatically formed in the
search bar.

VM Dashboard

Queries
The VM Dashboard allows you to form queries based on assets or vulnerabilities. Results of the
queries can also be viewed in the form of assets or vulnerabilities.

1. Select Vulnerability from the dropdown.

This will allow you to use vulnerability related tokens.

2. Try these examples in your search bar:

a. Use the below query to check vulnerabilities that were last found in the last 7 days:

vulnerabilities.lastFound>now-7d

b. Use the below query to look for vulnerabilities associated with a specific port number
and protocol:

vulnerabilities.port:443 and vulnerabilities.protocol:TCP

Use the “Group By” filter and set it to “Age”.

Click the vulnerability count associated with a date range to view the matching
vulnerabilities.

c. Use the below query to look for vulnerabilities associated with a specific vendor and
product name:

vulnerabilities.vulnerability:(vendors.vendorName:Microsoft
and vendors.productName:active_directory)

Click “Asset” to view assets that match your query.

Note: Be sure to remove the “Group By: Age” filter.

d. Use the below query to view the different status filters available for vulnerabilities:

vulnerabilities.status:

The VM Dashboard allows you to search for all vulnerability statuses – NEW, ACTIVE,
FIXED and REOPENED.

To look for NEW vulnerabilities, try vulnerabilities.status:NEW

3. Select Asset from the dropdown and select the display option to Assets.
4. Try these examples in your search bar:

a. Use the below query to check for assets with a specific username configured:

accounts.username:Administrator

Try replacing “Administrator” with “Guest”.

b. Use the below query to check for assets not scanned in the last 30 days:

lastVmScanDate<now-30d

Try other date ranges like now-7d

c. Use the below query to check for assets with a specific software name:

software.name:VMware

d. Use the below query to check for vulnerabilities detected by Cloud Agent:

trackingMethod:QAGENT

Import a dashboard
The new VM dashboard allows you to import pre-configured readymade dashboards. This
exercise will teach you how to import a preconfigured dashboard.

1. Navigate to the Dashboard section.

2. Click on the Settings icon and then click “Import New Dashboard”.

3. Provide a title – “Scorecard Dashboard”.
4. Click Browse.
5. Select the file – “Scorecard Dashboard.json”

The dashboard files can be downloaded from https://qualys.com/learning. After logging in,
click the name of the course to download the files.

6. Click Import.
7. Use the dropdown on the top left to select the dashboard you just imported.
8. Similarly import the following dashboards:

a. Top 5 Vendor Open Vulns Sev3-5


b. Unremediated Scorecard
c. Top 10 Assets Scorecard

Note: After importing the dashboard, use the dropdown to select and view the imported
dashboard.

LAB 5: Authentication Report
Create an Authentication Report to identify authentication PASS/FAIL results and troubleshoot
authentication issues.
IMPORTANT: You must have at least one “Finished” authenticated scan to create an
Authentication Report.

Best Practice - Schedule this report to run frequently to help you manage and address
authentication issues.

1. Navigate to the “Reports” section, and then click on the “Reports” tab.

2. Click “New” and then select “Authentication Report”.

3. Provide a title – “Initial Auth Report”

4. Set the report format to HTML.

5. Select the “AG: Windows” and “AG: Linux” asset groups as your report source.

6. Click “Run”.

Passed – Authentication was successful.

Failed – Authentication failed. Review the “Cause” column.

Passed* – Authentication was successful but with insufficient privileges.

Not Attempted – The scanner appliance was unable to locate an authentication record for
the asset or authentication was not turned on in the Option Profile.

The hosts used in the Qualys Training Lab are impacted by multiple factors, and results may vary
from day-to-day.
Make a note of all host IPs that did not successfully pass authentication. You’ll want to avoid
these IPs in the reporting lab exercises.

LAB 6: Report Template – Findings Option
The Scan Report Template is the most popular way to filter and prioritize vulnerability findings.
In the forthcoming labs, you will investigate the different functionality of the Scan Report
Template, starting first with the “Findings” options.

IMPORTANT: A host scan or assessment must be performed prior to building a vulnerability
report. The scan or assessment data can be collected using either a Qualys Scanner Appliance or
Qualys Cloud Agent.

Qualys Report Template Library


The “Findings” section of a Scan Report Template provides separate options for Host Based
Findings and Scan Based Findings. This lab will begin with an example of a “Host Based
Findings” report that uses one of the standard templates provided by Qualys.
Customized report template examples are then provided for both Host Based and Scan Based
reports.

Host Based Findings Report Template


Create a custom report template using Host Based Findings.

1. Navigate to the “Reports” section, and then click on the “Templates” tab.

2. Click the “New” button and select “Scan Template…” option.

3. Type “Host Based Report Template” in the “Title” field.

4. Select the “Make this a globally available template” check box.

Templates that are “globally available” can be used by other Qualys users to create their
own reports (using this custom template).

5. Click “Findings” in the left navigation pane and ensure the “Host Based Findings” radio
button is selected.

Host Based Findings gives you the most comprehensive and up to date picture of your
vulnerability status. It encompasses the latest vulnerability data from all of your scans.

6. For now, leave the “Include trending” option unchecked.

Although “trending” is a common option for reports that use Host Based Findings, it will not
be useful until you have performed vulnerability scans and assessments for several days (to
establish some type of vulnerability history).

You may return to this exercise after several days of scanning, to experiment with the
“Include trending” option.

6. Scroll down to the “Choose Host Targets” section.

7. Use the “Asset Groups” drop-down menu to select “AG: Windows” as your report targets.

Alternatively, you can click the “Add Tag” link, to select the tags that match your Asset
Groups. Both tags were automatically created when you added the asset groups to your
account.

Hint: to use Asset Tags, after clicking the “Add Tag” link, click the “Browse tags” icon
and expand the “Asset Groups” hierarchy.

IMPORTANT: The target you select here will become the “default” for all reports created
with this template. Avoid using the built-in Asset Group called “All” as a report template
target (especially for accounts that have a significant number of host assets). To avoid
creating reports that require significant processing time, Qualys recommends using more
specific or focused targets.

8. Locate the “Hosts with Cloud Agents” section (bottom).

This section only applies to host assets running Qualys Cloud Agent. By default, an agent
host produces AGENT data. If you decide to scan an agent host, it will also produce SCAN
data.

The “Hosts with Cloud Agents” options allow you to choose the type of data (scan or agent)
that will appear in your reports. The default setting is “All data” which will display both
AGENT and SCAN data in the same report (as separate instances).

9. For now, leave the “Hosts with Cloud Agents” options unselected.

If you use the instructions in Appendix A to deploy Cloud Agent, return to this exercise later
and experiment with the different options.

10. Navigate to the “Display” section and scroll down to “Include the following detailed
results in the report”.

11. Enable the checkboxes for “Vulnerability Details” and “Results”.

12. Click the “Save” button.

Create Host Based Findings Report


Use your customized host-based findings report template to generate (run) a report.

1. Use the “Quick Actions” menu of your “Host Based Report Template” and click Run.

2. Type “Host Based Findings Report” in the “Title” field.

3. Notice, the “Host Based Findings Template” is configured in the “Report Template” field.

4. Select “HTML pages” in the “Report Format” field.

5. Notice, the “Report Source” is automatically set to the targets you selected, when
creating your custom template.

While the GUI allows you to change these options, reports that are generated through
Qualys’ Application Program Interface (API), often do not have the option to select a
different target. For this reason, Qualys recommends avoiding the use of the Asset Group
called “All” when creating a report template.

6. Click the “Run” button.

7. When your report is displayed, scroll down to the “Detailed Results” section and expand
any vulnerability.

If your assets have been scanned only once, the vulnerabilities will have a “New” status. If
they have been scanned more than once, they will have an “Active” status.

Also, notice the “First Detected,” “Last Detected,” “Times Detected,” and “Last Fixed” dates
that track the evolution of any finding.

This information can help you determine the time it has taken to fix a vulnerability, from the
time it was first detected.

Also, if there is a wide gap between “Last Detected” date and the report date, this may be
an indicator that you need to perform another scan.

8. Close the report.

Scan Based Findings Report Template
Scan Based Findings have the benefit of building reports that isolate or target a single scan but
can also be used to isolate or target a single host. In this section, you will build a template that
uses Scan Based Findings, to create a report that targets one host in one scan. This technique
will save you report processing time by focusing on the host of interest while eliminating those
that are irrelevant.

1. Navigate to Reports > Templates > New > Scan Template.


2. Give your template a title, “Scan Based Findings - Single Host”.

3. In the findings tab, select “Scan Based Findings”.


Notice that you no longer have the ability to choose Asset Groups, Tags, or individual IP
addresses after selecting this option. Scan Based findings allow you to select from saved scan
results. When running a report with this template, you will be prompted to select the scan
results.

Because Scan Based Findings do not reflect any “historical” or “future” vulnerability findings,
they are said to represent a “snapshot” in time; each scan represents one snapshot.

4. In the “Display” tab, under “Include the following detailed results in the report” section,
select all the checkboxes.

5. Click the “Filters” tab.


6. Scroll to the “Vulnerability Filters” section and under “State” click the “Active” checkbox
next to “Potential Vulnerabilities” and “Information Gathered”.
Notice, these two boxes were not checked by default.
7. Click “Save” to save your template.

Create Scan Based Findings Report

1. Using the “Quick Actions” menu, “Run” the report.

2. Give your report a title of “Single Host Report”.
3. Scroll to the bottom of the window and click “Next”.

4. Select a scan containing the host 64.41.200.249.


5. In the “IP Restriction” field, add this IP:
- 64.41.200.249

Use the IP Restriction feature to limit your report to only selected IPs.
6. Click the “Run” button.

The report gives you the scan results for just the one host you entered. Your results include
all confirmed and potential vulnerabilities, along with Information Gathered QIDs. The
details you see will depend on the options configured in the template – in this case, Text
Summary, Vulnerability Details and Results.

LAB 7: Report Template – Display Options
This lab will now move from the “Findings” options within a Scan Report Template, to the
“Display” options. You can use the various display options to add graphics and summary
information to your reports, as well as selecting the details that will be provided for each
vulnerability.

You will typically want to adjust the display options for different user groups within your
organization.

Start by creating a new Scan Report Template.

1. Navigate to Reports > Templates.

2. Use the Quick Actions menu and edit the template created earlier called “Host Based
Report Template”.

3. Navigate to the “Display” section.

4. Enable the following graphics:
a. Vulnerabilities by Status
b. Vulnerabilities by Severity
c. 10 Most Prevalent Vulnerabilities
Graphics that show data over time (like “Business Risk by Asset Group over Time”) can be
enabled only if “Include Trending” is enabled under the “Findings” tab.

5. In the “Custom Footer” section, add the text – “CONFIDENTIAL – FOR INTERNAL USE
ONLY”.
6. Click the “Test” button.
In this “test”, you’ll see the report with the three graphs included, and at the bottom of the
report you’ll see a footer containing your text. All of the host details are the same.

7. Close the “test” report.

8. After closing the report, change the “Sort by” from “Host” to “Vulnerability”.
9. Click the “Test” button.
10. Close the “test” report and save your template.

Cloud Agent Host ID

Checking the “Host Details” check box will include the Qualys Host ID (UUID) in your reports,
which is the unique identifier associated with a Cloud Agent host. (To use “Host Details” you
must change the “Sort by” field back to the “Host” option.)

EC2 Relation Information

You can also view EC2 related information. If reporting against assets deployed in AWS, it’s
recommended you build a separate report for those hosts. By clicking this checkbox, you will
get all of the metadata provided by the EC2 connector.

LAB 8: Report Template – Filter Options
This lab will now explore more functionality of the “Filter” options within a Scan Report
Template. You can use the various filter options to narrow down the assets and vulnerabilities
on which to create reports.

Filtering by Vulnerabilities and Operating System


Create a report template to analyze (filter) vulnerabilities by a specific operating system.

A Search List is one of the most powerful and versatile filtering tools within the Vulnerability
Management application. Adding a Search List to a Report Template will allow your reports to
focus on specific types and groups of vulnerabilities.

You will find a Search List tab within the “Scans,” “Reports,” and “KnowledgeBase” sections of
the Vulnerability Management application.

1. Navigate to “Reports” and then click “Search Lists”.


2. Click “New” and then click “Import from Library…”.
3. Select all the Search Lists and click Import.
4. When prompted, click “Make Global”.
5. Navigate to the “Templates” tab.

6. Use the Quick Actions menu and edit the template called “Host Based Report Template”.

7. Under the “Display” section, set the “Sort by” to “Host”.

8. Navigate to the “Filter” section and select “Custom” under “Selective Vulnerability
Reporting”.
9. Click “Add Lists” and add the “Microsoft Vulnerabilities v.1” search list.
10. Click the “Test” button.
By adding the “Microsoft Vulnerabilities v.1” Search List to the “Filter” options in this
template, your reports will now focus on the confirmed Microsoft Vulnerabilities (instead of
all of the vulnerabilities) found on each host.

You can create your own custom Search Lists that allow your reports to focus (filter) on
different types of vulnerabilities, severity levels, or any other criteria found within the Search
List editor, including vulnerabilities impacted by known threats.

11. Close the report once you are finished.

Next we will filter the report further by just reporting on assets with Windows 7.
12. Scroll down the template and locate “Included Operating Systems”.
13. Deselect all the operating systems by clicking on the “Select/Deselect All” checkbox.
14. Scroll down the list of operating systems and expand Windows, then select Windows 7.
15. Click the “Test” button to run the report.

Depending on how successful the authentication was, it is possible that you will see some
assets on which we do not know the exact operating system type.

16. Close the report when you are finished.


17. Return to the “Filter” options in your template, scroll down to the “Superseded Patches”
section and click the “Exclude Superseded Patches” checkbox.

Your report will show the QIDs which have the latest patches needed to remediate your
vulnerabilities.
18. Click the “Test” button to run the report.
19. After viewing the “test” report, close it.
20. Save the template.

LAB 9: Patch Report
In this section you will use the Patch Report template to create a Patch Report. Patch reports
provide current patch information for fixing vulnerabilities and prioritizing remediation tasks. A
patch report identifies the most recent fixes for detected vulnerabilities in your account, so you
can apply the fewest patches necessary to fix your vulnerabilities. Note that a patch report
includes only vulnerabilities that have available patches and excludes vulnerabilities that cannot
be patched.

1. Navigate to the Reports section and click on the Reports tab.


2. Click “New” and then select “Patch Report”.

3. Provide a title – “Patch Report”.
4. From the Report Template dropdown, select “Critical Patches Required v.1”.

When prompted, click “Make Global”. This will make the template available for other users
in your subscription.
5. From the Report Format dropdown, select “Online Report”.
6. Under Asset Groups, remove “All” and include “AG: Windows”.
7. Click Run.

LAB 10: Report Scheduling and Distribution
This lab will walk you through the process of creating a user and distributing reports in different
ways.

Create a User

1. Navigate to Users > Users > New > User.


2. Fill in the “General information” tab with your information and use an email address you
can access.

3. Under the “User Role” tab, select the User Role of “Reader”.
4. Under the “Options” tab, turn off all notifications.
5. Click the “Save” button.
6. Open the email account you identified as the email address of the new user.
7. In a new browser (i.e. use Firefox, if you’ve been using IE), activate the new user.
8. Switch back to the browser where you are logged in as your “Manager” user.

Create a Distribution Group
In this section you will create a distribution group. This will allow you to see how to distribute
reports to users who do *not* have a Qualys user account.

1. Navigate to Users > Distribution Groups > New > Distribution Group.
2. Give a title of “System Administrators”.
3. Under the “Email List” section, locate the “Also include the following email addresses”
field.
4. Enter an email address that you can access from your present location.
5. Click the “Save” button.

You now have created a Distribution Group. This allows you to send reports to users who do
not have Qualys user accounts.

Define Report Distribution Method

1. Navigate to Reports > Setup > Scheduled Reports.

The options you have for distribution are below:
• Attachment or Link - As noted, if the report is under 5 MB, it will be sent as an
attachment. If it’s over 5 MB, a link will be sent. The person receiving the report does
not have to have a Qualys user account, they will still receive the report. Note, when
sent as an attachment, a copy of that report (possibly containing host vulnerability
information) is on your email server.
• Attachment Only - If the report is under 5 MB, it will be sent to the user. Otherwise, the
user will have to log in to Qualys. Be sure the users you are distributing the report to
*can* log in to the Qualys UI, otherwise you will create a manual process for yourself to
get them the report.
• Link Only - This is a good way to distribute a report to non-Qualys users. You can send
an email to them with a link for them to download the report. It is recommended that
you password protect the report you send them.
• Don’t Send the Report - Only use this if sending the report to people who have a Qualys
account. They need to log in to get the report. This makes users authenticate.
2. Click the “Link Only” option.
3. Click the “Save” button.

Assign a user to the template

1. Navigate to Reports > Templates.


2. Find the “Technical Report” template.
3. Use the “Quick Actions” menu to edit the template.

4. Navigate to the “User Access” tab and add the user you created earlier.
5. Save the Report Template.

Schedule a Report

1. Navigate to Reports > Schedules > New > Scan Report > Template Based…

2. Provide a title: “Scheduled Report”.
3. Find the “Technical Report” template where you added the new user.
4. Select a report format of “PDF”.
5. From Asset Groups, remove “All”, and add the “AG: Windows” asset group.

6. At the bottom, select the “Scheduling” checkbox.


7. Schedule your report to run within the next 15 minutes and end it after 1 occurrence.
Make sure you select the appropriate time zone.
8. Click the “Notification” checkbox.
9. Next to “Email to”, click “Add Group” and add the distribution group you created earlier.
10. Provide a Subject and Custom Message.

11. Select “Password protect downloads of this report” and provide a password.
12. Click the “Schedule” button.

LAB 11: Purging
IPs may need to be purged or removed.

Purging is recommended when the host is being decommissioned or used in a completely new
role – new operating system, new applications, new purpose. This ensures that security data
collected from previous scans of the host does not affect reporting moving forward.

Removing is recommended when the IP no longer needs to be scanned.

Purge an IP
Purging an IP will remove the scan data without removing the IP from your account. Once
removed, host data cannot be recovered.

1. Navigate to the Assets section and click on the Host Assets tab.
2. Expand your IP range.
3. Click the symbol next to 64.41.200.243.

4. Click Purge.

5. Verify the IP to be purged and click Purge.

6. Click Confirm to start purging.
Purging can take a while. When the purging operation is complete, click the symbol again to
view the host information.

All host information such as hostname, operating system, last scan date, tags, comments,
vulnerabilities, and tickets have been removed.

Removing an IP
When an IP is removed, associated host-based scan data is permanently removed, and the IP is
no longer available for scanning and reporting.

1. Use the Actions menu and click “Remove IPs”.

2. Click “Select IPs/Ranges”.

3. Expand the IP range.
4. Select 64.41.200.250 and click Add.
5. Click Remove.
6. Click Confirm.

When the remove operation has been completed, 64.41.200.250 will be removed from the
subscription.

Appendix A: Cloud Agent Installation
Qualys Cloud Agent (CA) provides data collection and security services to host assets running
supported operating systems.
Because this is a training/learning activity, Qualys recommends performing the CA installation
on a “nonessential” lab host used for testing purposes.
If you elect to install CA on your “everyday” laptop or desktop computer, be sure to uninstall
the agent before your student trial account expires.
You must have administrative or root access to your target host to successfully perform the
Cloud Agent installation. The target host must have Internet access, and a clear path to the
Qualys Cloud Platform.

Create Cloud Agent Activation Key


Before you can install Cloud Agent on a target host, you must first generate an activation key.
Activation Keys allow you to manage and control the distribution of agents throughout your
organization.

1. Use the Application drop-down menu to open the Cloud Agent application.
The Cloud Agent application is your command and control center for deploying and
managing agents.

2. Click A) the “Agent Management” menu, followed by B) the “Activation Keys” tab, and
then click C) the “New Key” button.
Each activation key will specify: the Qualys application modules supported, Asset Tags
assigned to agent hosts, or any activation key limitations.

3. Give this key the title of “Mobile Device Key”.


4. Select the checkboxes for the VM and PC applications.
5. Do not set any limits on this activation key.
Potential limits include:
• Maximum number of agents installed (using this key)
• Key expiration date
If both limits are selected, the key will expire when the first limit is reached.

6. Click the “Create” link (just below the Title) to add an Asset Tag to this key.
The “Tag Creation” wizard will walk you through the steps to create an Asset Tag. Adding
an Asset Tag will make it easier to identify agents installed with this key.

7. Type “Mobile Device” in the “Name” field and click the “Continue” button.
8. Leave the Rule Engine set to the “No Dynamic Rule” option and click the “Continue”
button, followed by the “Finish” button.
The “No Dynamic Rule” is used here, because it allows you to control the placement of this
Asset Tag (i.e. no random or dynamic behavior).
The “Mobile Device” tag will now be placed on all agent hosts created with this key. You will
use this same tag later, to assign agent hosts to their appropriate Configuration Profile.

9. With the “Mobile Device” tag added to this key, click the “Generate” button.
Once your activation key is successfully generated, it can be used with any of the supported
operating systems.

You can download the agent installation programs or acquire the installation commands
anytime; just click the “Install Instructions” button that matches your targeted OS.
10. For now, click the “Close” button.
The exercise steps that follow, provide instructions for a Windows, Mac, or Unix agent
installation. A single installation will suffice for this lab (i.e., you do not need to perform
more than one installation).

Windows Agent Installation
The installation steps that follow support Windows XP SP3 or greater. If your target host is
running a Mac or Unix-based OS, you may skip these steps and proceed to the next “OS
Installation” section.
** IMPORTANT: You must have administrative access to the target Windows host, to
successfully perform the Cloud Agent installation steps that follow.
1. Open a Web browser (e.g. Edge, IE, Chrome, Firefox, etc...) on the target Windows host
and login to your student trial account (https://qualysguard.qg3.apps.qualys.com/).
If you are installing to a Windows Server, you will typically need to launch “Server Manager”
and disable the “IE Enhanced Security Configuration” option for the Local Server.
2. Open the Cloud Agent (CA) application, navigate to the “Agent Management” section, and
click the “Activation Keys” tab.
3. Use the “Quick Actions” menu of your activation key to select the “Install Agent” option.

4. Click the “Install instructions” button for the “Windows (.exe)” option.

5. Copy and paste the installation command into a plain text document and save the
document as ‘windows_install.txt’ to the Desktop of your target Windows host.
6. Click the “Download .exe file” button and save the Cloud Agent installation file (.exe) to
the Desktop of your target Windows host.
7. After the download is complete, click the “Close” button.
The Desktop of your target Windows host should now contain both files:
1) windows_install.txt and 2) “QualysCloudAgent” installation file (.exe).

Command Line Installation
Although this lab uses a simple ‘command line’ technique to install Cloud Agent, other
techniques and/or third-party applications can be leveraged to automate your Cloud Agent
deployments.
1. Open a “Command Prompt” window on the target Windows host.

2. Navigate to the Desktop, or the directory that contains the Cloud Agent installation
program (QualysCloudAgent.exe).
3. Use the “dir” command to verify the existence of the installation program file.
If you do not see the “QualysCloudAgent” installation file (.exe) navigate to its correct
location before executing the installation command.
4. Open the text file that contains your Cloud Agent installation command (i.e.,
windows_install.txt).
5. Copy and paste the Cloud Agent installation command into the “Command Prompt”
window and press the “Enter” key.
The agent installation program will execute with your Activation Key and Customer ID.

Validate CA Installation
To verify the success of your installation, look for the Cloud Agent process within Windows Task
Manager.

1. Open the Windows Task Manager and verify Qualys Cloud Agent is running (Ensure you
are viewing processes from all users).
2. Close the Windows Task Manager.

Locate Host ID
All agent host assets are automatically assigned a Universally Unique ID (UUID) by Qualys. For a
Windows host, this Host ID can be found in the Windows Registry.

3. From a “Command Prompt” window, open the Windows Registry Editor (i.e., regedit.exe)
and navigate to HKLM\SOFTWARE\Qualys.
The value in the “HostID” field will be used to track the vulnerability findings history for this
host.
If the HostID is not displayed, your newly installed agent may still be completing some
preliminary tasks within its manifest.
4. Close the Windows Registry Editor.

View CA Log File (Log.txt)
You can use the Cloud Agent log file to monitor agent activity. You will find the log file for a
Windows host in the ProgramData (hidden) folder.

5. Use Windows Explorer or a Command Prompt window to navigate to the following
directory path:
C:\ProgramData\Qualys\QualysAgent
A Windows host may deny access to the QualysAgent folder. In this event, simply copy
the QualysAgent folder to your Desktop and use the copy to complete the next step.
6. Use any text editor, such as Notepad, to open and view file Log.txt.
*Note: a Windows XP host uses a different directory path for its agent log file:
C:\Documents and Settings\All Users\Application Data\Qualys\QualysAgent

7. Once your Cloud Agent installation is complete and successfully validated, return to your
original host (and Web browser) to complete the remaining lab exercises.

Mac OS Agent Installation
If you have already completed a Windows agent installation, or your target host is running a
Unix-based OS, you may skip these steps and proceed to the next section.
The installation steps that follow support Mac OS 10.12 or higher.
** IMPORTANT: You must have root or root-equivalent access to the target Mac host, to
successfully perform the Cloud Agent installation steps that follow.
1. Open a Web browser (e.g. Chrome, Firefox, or Safari) on the target Mac host and log in to
your student trial account (https://qualysguard.qg3.apps.qualys.com/).
2. Open the Cloud Agent (CA) application, navigate to the “Agent Management” section, and
click the “Activation Keys” tab.
3. Use the “Quick Actions” menu of your activation key to select the “Install Agent” option.

4. Click the “Install instructions” button next to the “Mac (.pkg)” option.

5. Copy and paste the installation commands into a plain text document and save the
document as ‘mac_install.txt’ to the Desktop of the target Mac host.
There are two (2) commands. Each command begins with ‘sudo’.
6. Click the “Download .pkg” button and save the Cloud Agent installation file (.pkg) to the
Desktop of your target Mac host.
7. After the download is complete, click the “Close” button.
The Desktop of your target Mac host should now contain both files:
1) mac_install.txt and 2) “qualys-cloud-agent” installation file(.pkg).

Command Line Installation


Although this lab uses a simple ‘command line’ technique to install Cloud Agent, other
techniques and/or third-party applications can be leveraged to automate your Cloud Agent
deployment.
The Mac Agent installation file (.pkg) must be installed from a “Terminal” window. Do NOT
attempt to install this file using typical Mac GUI techniques.
1. Open a “Terminal” window on the target Mac host.
2. Navigate to the Desktop, or the directory that contains the Cloud Agent installation file
(.pkg).

3. Use the “ls” command to verify the existence of the installation package.

If you do not see the “qualys-cloud-agent” installation file (.pkg) navigate to its correct
location before executing the installation command.
4. Open the text file that contains your Cloud Agent installation commands (i.e.,
mac_install.txt).
5. Copy and paste only the first “sudo” command of this file into the “Terminal” window and
press the “Enter” key.
This first command unpacks and installs the Cloud Agent package.
6. When the first command has completed, copy and paste the remainder of the
mac_install.txt file (i.e., the second “sudo” command) into the “Terminal” window, and
press the “Enter” key.
This second command runs a shell script that restarts the Cloud Agent service and
activates your license key.

Validate CA Installation
To verify the success of your “command line” installation, look for the Cloud Agent process.
1. Use the “ps -e” command to verify ‘qualys-cloud-agent’ is running.
ps -e | grep qualys

Locate Host ID
All agent host assets are automatically assigned a Qualys Host ID (UUID). For a Mac host, this
Host ID can be found at /etc/qualys/hostid.
2. From a Terminal window, execute the following command:
sudo cat /etc/qualys/hostid
If the HostID is not displayed, your newly installed agent may still be completing some
preliminary tasks within its manifest.

Locate CA Log File (qualys-cloud-agent.log)


You can use the Cloud Agent log file to monitor agent activity. You will find the log file for a
Mac host in the /var/log/qualys directory.
3. From a Terminal window, execute the following command:

sudo cat /var/log/qualys/qualys-cloud-agent.log


4. Once your Cloud Agent installation is complete and successfully validated, return to your
original host (and Web browser) to complete the remaining lab exercises.

RPM-Based Agent Installation
If you have already completed a Windows or Mac OS agent installation, or your target host is
running Debian or Ubuntu OS, you may skip these steps and proceed to the next section.
RPM-based Linux operating systems include:
- Red Hat Enterprise Linux,
- CentOS,
- Fedora,
- OpenSuSE,
- SuSE,
- Amazon Linux, and
- Oracle Enterprise Linux.
** IMPORTANT: You must have root or root-equivalent access to the target host, to successfully
perform the Cloud Agent installation steps that follow.
1. Open a Web browser (e.g. Chrome or Firefox) on the target UNIX host and log in to your
student trial account (https://qualysguard.qg3.apps.qualys.com/).
2. Open the Cloud Agent (CA) application, navigate to the “Agent Management” section, and
click the “Activation Keys” tab.
3. Use the “Quick Actions” menu of your activation key to select the “Install Agent” option.

4. Click the “Install instructions” button next to the “Linux (.rpm)” option.

5. Copy and paste the installation commands into a plain text document and save the
document as ‘unix_install.txt’ to the Desktop of the target Unix host.
There are two (2) commands. Each command begins with ‘sudo’.
6. Click the “Download .rpm file” button and save the Cloud Agent installation file (.rpm) to
the Desktop of your target Unix host.
7. After the download is complete, click the “Close” button.
The Desktop of your target Unix host should now contain both files:
1) unix_install.txt and 2) “qualys-cloud-agent” installation file (.rpm).

Command Line Installation
Although this lab uses a simple ‘command line’ technique to install Cloud Agent, other
techniques and/or third-party applications can be leveraged to automate your Cloud Agent
deployment.
7. Open a “Terminal” window on the target Unix host.
8. Navigate to the Desktop, or the directory that contains the Cloud Agent installation file
(.rpm).

9. Use the “ls” command to verify the existence of the installation file.
If you do not see the “qualys-cloud-agent” installation file (.rpm) navigate to its correct
location before executing the installation command.
10. Open the text file that contains your Cloud Agent installation commands (i.e.,
unix_install.txt).
11. Copy and paste only the first command line of this file into the “Terminal” window and
press the “Enter” key.
This first command unpacks and installs the Cloud Agent package.
12. When the first command has completed, copy and paste the remainder of the
unix_install.txt file (i.e., the second command) into the “Terminal” window, and press the
“Enter” key.
This second command runs a shell script that restarts the Cloud Agent service and
activates your license key.

Validate CA Installation
To verify the success of your “command line” installation, look for the Cloud Agent process.

5. Use the “ps -e” command to verify ‘qualys-cloud-ag’ is running.


ps -e | grep qualys

Locate Host ID
All agent host assets are automatically assigned a Universally Unique ID (UUID) by Qualys. For a
Unix host, this Host ID can be found at /etc/qualys/hostid.
6. From a Terminal window, execute the following command:
sudo cat /etc/qualys/hostid
If the HostID is not displayed, your newly installed agent may still be completing some
preliminary tasks within its manifest.

Locate CA Log File (qualys-cloud-agent.log)


You can use the Cloud Agent log file to monitor agent activity. You will find the log file for a
Unix host in the /var/log/qualys directory.
7. From a Terminal window, execute the following command:

sudo cat /var/log/qualys/qualys-cloud-agent.log


8. Once your Cloud Agent installation is complete and successfully validated, return to your
original host (and Web browser) to complete the remaining lab exercises.

Debian or Ubuntu Agent Installation
If you have already completed a Windows, Mac OS, or RPM-Based Linux agent installation, you
do not need to perform these installation steps and may proceed to the next section.
** IMPORTANT: You must have root or root-equivalent access to the target host, to successfully
perform the Cloud Agent installation steps that follow.
1. Open a Web browser (e.g. Chrome or Firefox) on the target UNIX host and log in to your
student trial account (https://qualysguard.qg3.apps.qualys.com/).
2. Open the Cloud Agent (CA) application, navigate to the “Agent Management” section, and
click the “Activation Keys” tab.
3. Use the “Quick Actions” menu of your activation key to select the “Install Agent” option.

4. Click the “Install instructions” button next to the “Linux (.deb)” option.

5. Copy and paste the installation commands into a plain text document and save the
document as ‘unix_install.txt’ to the Desktop of the target Unix host.
There are two (2) commands. Each command begins with ‘sudo’.

6. Click the “Download .deb file” button and save the Cloud Agent installation file (.deb) to
the Desktop of your target Unix host.
7. After the download is complete, click the “Close” button.
The Desktop of your target Unix host should now contain both files:
1) unix_install.txt and 2) “qualys-cloud-agent” installation file (.deb).

Command Line Installation


Although this lab uses a simple ‘command line’ technique to install Cloud Agent, other
techniques and/or third-party applications can be leveraged to automate your Cloud Agent
deployment.
13. Open a “Terminal” window on the target Unix host.
14. Navigate to the Desktop, or the directory that contains the Cloud Agent installation file
(.deb).

15. Use the “ls” command to verify the existence of the installation file.
If you do not see the “qualys-cloud-agent” installation file (.deb) navigate to its correct
location before executing the installation command.
16. Open the text file that contains your Cloud Agent installation commands (i.e.,
unix_install.txt).
17. Copy and paste only the first command line of this file into the “Terminal” window and
press the “Enter” key.
This first command unpacks and installs the Cloud Agent package.
18. When the first command has completed, copy and paste the remainder of the
unix_install.txt file (i.e., the second command) into the “Terminal” window, and press the
“Enter” key.
This second command runs a shell script that restarts the Cloud Agent service and
activates your license key.

Validate CA Installation
To verify the success of your “command line” installation, look for the Cloud Agent process.

9. Use the “ps -e” command to verify ‘qualys-cloud-ag’ is running.


ps -e | grep qualys

Locate Host ID
All agent host assets are automatically assigned a Universally Unique ID (UUID) by Qualys. For a
Unix host, this Host ID can be found at /etc/qualys/hostid.
10. From a Terminal window, execute the following command:
sudo cat /etc/qualys/hostid
If the HostID is not displayed, your newly installed agent may still be completing some
preliminary tasks within its manifest.

Locate CA Log File (qualys-cloud-agent.log)


You can use the Cloud Agent log file to monitor agent activity. You will find the log file for a
Unix host in the /var/log/qualys directory.
11. From a Terminal window, execute the following command:

sudo cat /var/log/qualys/qualys-cloud-agent.log


12. Once your Cloud Agent installation is complete and successfully validated, return to your
original host (and Web browser) to complete the remaining lab exercises.
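
The three validation steps used in the Mac, RPM, and Debian/Ubuntu sections (process check, Host ID, log file) can be combined into one repeatable check. The script below is an added example, not part of the original lab or Qualys tooling; the function names and the assumption that the host ID file holds a UUID in 8-4-4-4-12 hex form are illustrative.

```shell
#!/bin/sh
# Added example: the three validation checks from the lab, in one script.
# Paths are the ones the lab gives; function names are hypothetical.
HOSTID_FILE="${HOSTID_FILE:-/etc/qualys/hostid}"
AGENT_LOG="${AGENT_LOG:-/var/log/qualys/qualys-cloud-agent.log}"

# Reads a `ps -e` listing on stdin. 'qualys-cloud-ag' matches both
# process names the lab shows (Mac and Linux).
agent_running() {
    grep -q 'qualys-cloud-ag'
}

# Prints the first UUID in the host ID file. Assumption: the ID appears in
# 8-4-4-4-12 hex form. Fails if the file is unreadable or has no UUID yet.
read_hostid() {
    [ -r "$1" ] || return 1
    uuid=$(grep -Eio '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' "$1" | head -n 1)
    [ -n "$uuid" ] || return 1
    printf '%s\n' "$uuid"
}

# Succeeds only if the log file exists and is non-empty.
log_present() {
    [ -s "$1" ]
}

# Runs all three checks, reports each, returns non-zero if any failed.
validate_agent() {
    rc=0
    if ps -e | agent_running; then echo "process: running"
    else echo "process: NOT running"; rc=1; fi
    if hostid=$(read_hostid "$HOSTID_FILE"); then echo "host id: $hostid"
    else echo "host id: not assigned yet (agent may still be initializing)"; rc=1; fi
    if log_present "$AGENT_LOG"; then
        echo "log:     $AGENT_LOG, last 5 lines:"; tail -n 5 "$AGENT_LOG"
    else echo "log:     missing or empty"; rc=1; fi
    return $rc
}

# Run the checks only when asked, e.g.: sudo sh check_agent.sh run
if [ "${1:-}" = "run" ]; then validate_agent; fi
```

A non-zero exit status makes the script usable as a post-install gate when agent deployment is automated; a missing Host ID shortly after installation usually clears on a later run.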

Cloud Agent Inventory
At this point, you may return to your original host (and Web browser), if you installed Cloud
Agent on a separate host.
It typically takes a few minutes for a new Agent Host to appear under the “Agents” tab.

1. Click the “Widget” icon in the upper-right corner to refresh your view.
In addition to the “Mobile Device” tag created by your Activation Key, a “Cloud Agent” Asset
Tag is automatically placed on your agent host.
Additional objects and indicators will be added, as your newly installed agent continues to
work through its initial manifest.
