Qualys CyberSecurity Asset

Management (CSAM)
Lab Tutorial Supplement

1
Table of Contents
GETTING STARTED CSAM ..................................................................................................................................... 3
PASSIVE SENSOR ................................................................................................................................................... 13
BUSINESS CONTEXT FROM CMDB SYNC ........................................................................................................ 17
HARDWARE, SOFTWARE AND OS CLASSIFICATION ................................................................................. 19
ASSET GROUPS AND ASSET TAGS ................................................................................................................... 26
ASSET CRITICALITY SCORE ............................................................................................................................... 34
PRODUCT LIFECYCLE MANAGEMENT ............................................................................................................ 37
SOFTWARE AUTHORIZATION .......................................................................................................................... 40
VISUALIZE DATA USING DASHBOARDS ........................................................................................................ 47
REPORTS ................................................................................................................................................................. 51
RULE-BASED ALERTS .......................................................................................................................................... 57

2
Getting Started CSAM
Qualys CyberSecurity Asset Management (CSAM) is asset management reimagined for
security teams. Global AssetView (GAV) is part of CSAM and works in conjunction with
the Qualys Cloud Platform and Qualys sensors (scanners, cloud connectors, container
sensors, cloud agents, passive sensors and APIs) to continuously discover assets.
Global AssetView (GAV) / CSAM provide you a single source of truth for your assets. It’s
a central location where you can view your data collected from your different sensors
you’ve deployed. Data collected from your sensors automatically populate into asset
inventory. That data is then normalized, categorized, and enriched so you can better
make sense of it and group it in many ways.

GAV and CSAM

GAV (which is free) lets you:
- Obtain asset inventory across hybrid environments
- View normalized and categorized hardware and software inventory information
- Add custom tagging to automatically organize your assets and rank their
criticality
- Create and view customizable dashboards and widgets
- Search any asset in seconds

On top of GAV, upgrading to CSAM will also include:

- Enriched asset data – hardware & software lifecycles, licenses categories, and
more
- Bi-directional synchronization of asset data with your ServiceNow CMDB

3
 - Ability to define and manage authorized and unauthorized software in your
organization
- Customizable reporting to meet internal and external needs (e.g. standards
compliance reporting)
- Alerting via email, Slack or PagerDuty to inform you about assets requiring
attention

The module picker in the Qualys user interface lists both CSAM (paid) and GAV (free) for
all accounts.

Qualys Subscription with GAV

Qualys customers that were using the free version of the Global Asset Inventory (GAI)
application are automatically migrated to GAV. For such accounts, clicking on either the
CSAM or GAV module will always open GAV.

4
Please consult your Qualys TAM for more information on upgrading your Qualys
subscription to include CSAM.

Qualys Subscription with CSAM

For accounts with CSAM included in the subscription, clicking on either the CSAM or
GAV module will always open CSAM.

Discover and Inventory Assets

Qualys Asset Management begins by identifying and managing assets throughout your
enterprise architecture.

5
On the CSAM home page, you can get a snapshot of your overall environment and
configure your environment. It’s a useful baseline point to start you on your journey.

Qualys has various sensor types that collect data for you.

Cloud Agent
Qualys Cloud Agents install locally on the host assets they protect, sending all collected
data to the Qualys Cloud Platform, for analysis.

6
Agents can be downloaded from the Qualys Cloud Agent application or the GAV / CSAM
“Home” page.
Here, you’ll find the same download executables and installation commands, as you
would within the Qualys Cloud Agent application.

Qualys Cloud Agent supports multiple operating systems. For a complete list of
supported operating systems, see the Cloud Agent Getting Started Guide:
https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf
When you deploy agent to your host systems, you get free inventory that will populate
into GAV / CSAM application.
For a detailed discussion of Qualys Cloud Agent deployment and configuration, please
see the “Cloud Agent Self-Paced Training Course” (qualys.com/learning).

Passive Sensor
Qualys Passive Sensor operates in “promiscuous” mode, capturing network traffic and
packets from either a network TAP, or the SPAN port of a network switch.
Simply deploy passive sensors at strategic network locations, to begin monitoring
network traffic and conversations.
Both physical (hardware-based) and virtual sensor appliances are available.
An important advantage to capturing network traffic, comes from the bonus
information collected from network conversations (conversations between
communicating hosts).

7
A passive sensor not only collects the traffic from “managed” company assets, but it also
sees traffic from other host assets and services that are attempting to communicate
with your “managed” host assets (including communications coming from unknown or
“unmanaged” assets).

Please consult the next topic to learn more about Passive Sensor types and deployment
scenarios.

Scanner Appliance
Any Qualys user with scanning privileges has access to Qualys’ pool of Internet-based
Scanner Appliances.

Qualys Hardware-based and Virtual Scanner Appliances can be deployed throughout

your business or enterprise architecture.
Qualys Virtual Scanner appliances are available for multiple virtualization platforms:

8
For a detailed discussion of Scanner Appliance deployment and usage, please see the
“Scanning Strategies and Best Practices Self-Paced Training Course”
(qualys.com/learning).

Cloud Connector
Create connectors for your AWS, Google, and Azure accounts.

Enumerate cloud instances and collect useful metadata such as:

• Instance or virtual machine ID
• Location or region
• External and private IPs
• Installed software and active services
• and much more...

Search Tip: Within the Qualys GAV /CSAM application, use the “inventory.source”
query token, to quickly find AWS, Azure, and Google instances:
o AWS - inventory.source:INSTANCE_ID
o Azure – inventory.source:VIRTUAL_MACHINE_ID
o Google – inventory.source:GCP_INSTANCE_ID

9
Leverage Qualys Cloud Security Assessment (CSA), to identify and correct
misconfigurations.
For more information and details on deploying and using Qualys Connectors, see the
“Cloud Security Assessment and Response Self-Paced Training Course”
(qualys.com/learning).

Container Sensor
Qualys Container Sensor is installed on a Docker host as a container application, right
alongside other containers.

Once installed, CS will assess all new and existing Docker images and containers for
vulnerabilities (i.e., Qualys KnowledgeBase).

Types of Container Sensors:

• General – Scan container hosts (Docker, cri-o, containerd).
• Registry – Scan images in public or private registries.
• CI/CD Pipeline – Scan images within CI/CD pipeline (e.g., Jenkins, Bamboo, etc.).

For more information and details on deploying and using Qualys Container Sensors, see
the “Container Security Self-Paced Training Course” (qualys.com/learning).

10
Asset Inventory
The data collected from the various sensors you have deployed in your environment is
populated into CSAM, among other Qualys Applications.

All assets discovered by the various sensors are listed under the Inventory section under
the Assets tab in the Qualys user interface.

CSAM provides a powerful search engine that lets you craft simple or advanced queries
combining multiple asset criteria returning results instantly, so you can find out in 2
seconds:
• How many unmanaged devices are in my environment?
• How many servers are in my environment, and what servers are running an OS
that its vendor recently stopped supporting?
• How many IoT devices are in my environment?
• How many databases are running in my datacentres?
• Which IT assets have a particular piece of software installed?
• How many Lenovo laptops running the latest version of Windows 10 and located
in my India office have a particular vulnerability?
• Etc.

You can perform searches with a click of your mouse, using the faceted search pane or
build custom queries using the “Search” field.
Imagine if you had virtualized hosts but also wanted to see the location of them, you
could easily use a tag to filter. Or, if you want to know all of your notebooks in a given
location, you could use tags to help you find them.

11
You can combine query tokens, values, and Boolean operators to create more complex
search queries.

The “Help” icon (at the right-side of the “Search” field) provides information, syntax,
and examples on how to search.

Navigate to the following URL to view the “Getting Started with CSAM” tutorial:

https://ior.ad/7Hn1

12
Passive Sensor
Most organizations focus on collecting inventory and management of KNOWN assets,
assuming their processes allow them to cover 100% of devices. However not all devices
can be discovered and managed using a single approach (e.g., agent, remote scanning)
Passive sensing technology is designed to identify all devices, allowing IT and Security
teams to discover and remediate coverage gaps.

With Qualys Network Passive Sensor (aka PS), organizations can get complete discovery
of all assets (servers, desktops, printers, smartphones, IoT, OT, etc.).
• The goal of PS is to completely, passively, discover all assets active on
organizations’ networks.
• Passive discovery does not generate any traffic on the network, it evaluates
data flowing on the network.

Use Cases
• Discovery of all assets connected to the network to ensure all devices are
managed appropriately
• Discovery of IoT devices to ensure all devices on the network are identified
• Discovery of OT devices to ensure OT environment is discovered
• Discovery of traffic data (Beta feature) to identify unusual traffic patterns

Availability
PS can be included in your Qualys subscription with any of the below options:
• Available standalone (free subscription)
o Virtual appliances available at no cost
o Physical appliances need to be purchased

• Part of CSAM subscription

o Includes Traffic Analysis (Beta) feature
o Traffic Analysis needs to be enabled separately
o Virtual appliances available at no cost
o Physical appliances need to be purchased

• Part of VMDR subscription

o Virtual appliances available at no cost
o Physical appliance needs to be purchased

13
Physical Appliance
The physical appliance is available in the following configurations sizes (based on data
throughput capabilities):
• 1Gbps: Typically, Passive Sensors with Gigabit interfaces would be sufficient for
an aggregate traffic not exceeding 900 Mbps for up to 5,000 active assets.
• 4Gbps: Passive Sensors with 10G interface may be required to be attached to
discover and profiling up to 10,000 active assets while supporting an aggregate
traffic throughput of 4 Gbps per appliance.
• 10Gbps: Passive Sensors with multiple 10G interfaces may be required to be
attached to discover and profiling up to 20,000 active assets while supporting an
aggregate traffic throughput of 10 Gbps per appliance.

The Management Interface of the sensor appliance is assigned an IP address and must
successfully connect to the Qualys Cloud Platform.
The Sniffing Interface is not assigned an IP address and receives traffic from a network
TAP or the SPAN port of a network switch.
A personalization code is used to bind the appliance to your subscription in the same
way a scanner appliance is deployed.

Please consult the Physical PS appliance User Guide for more information on
configuration requirements and usage:
https://www.qualys.com/docs/qualys-network-passive-sensor-appliance-user-guide.pdf

Virtual Appliance
• Available as Hyper-V or VMware images
• Able to scale up/down throughput based on virtual machine configuration
14
When you deploy from the virtual perspective, the appliance gets deployed on a
VMware ESXi / Microsoft Hyper-V Server.
There are two interfaces, one for management, one for “mirrored” traffic.
The mirrored/sniffing traffic port gets connected to your switch. This is what is watching
the traffic. This doesn’t get an IP.
Management traffic port is what sends the data back to the Qualys Platform. This gets
an IP.
A personalization code is used to bind the appliance to your subscription in the same
way a scanner appliance is deployed.
Please consult the https://www.qualys.com/docs/qualys-network-passive-sensor-virtual-
appliance-user-guide.pdf for more information on resource requirements, configuration,
and usage:

Navigate to the following URL to view the “Passive Sensor Deployment” tutorial:

https://ior.ad/7OZM

Deployment Scenarios
Enterprises that use the Qualys Network Passive Sensors to monitor their networks have
to feed a copy of their network traffic to the sensor. This can be accomplished by
tapping into their network at an appropriate choke point using port mirroring. There

15
may be different types of network environments and topologies where it may or may
not be possible to deploy the passive sensor at the same location as the tap point.
Based on these choices, different types of port mirroring options must be exercised:

1. Local SPAN
Switch Port Analyzer (SPAN) is an efficient, high performance traffic monitoring
system. It mirrors traffic from one or more interfaces or VLAN to one or more
interfaces on the same switch. This method is also called as Local SPAN. In this
method appliance is connected to the switch at the same location as the switch
and can be connected directly to one of the switch ports

2. RSPAN
If your network has many Layer 2 switches then it may not be possible to do
local mirroring on each Layer 2 switch and deploy multiple passive sensors
connecting to SPAN port of each Layer 2 switch. To handle this situation, you
need to use Remote Switch Port Analyzer (RSPAN) method to centralize the
mirror traffic from various Layer 2 switches. RSPAN provides remote monitoring
traffic from source ports distributed over multiple switches. It supports source
ports, source VLANs, and destination ports on different switches.

3. ERSPAN
Some enterprises may have a requirement to passively monitor their networks,
including those remotely located, and it may not be possible to install a sensor in
each of the remote locations. To monitor traffic across a WAN or different
networks, you can use Encapsulated Remote Switch Port Analyzer (ERSPAN).

The ERSPAN feature supports source ports, source VLANs, and destination ports
on different switches, which provides remote monitoring of multiple switches
across your network.

ERSPAN allows mirrored traffic to be encapsulated and transported over L3

network to a remote destination. This requires that each location have switches
having ERSPAN capability and the switches be configured to tunnel mirror traffic
to a destination L3 switch/router interface.

Please consult the PS Deployment Guide for more information deployment scenarios and
configuration steps:
https://www.qualys.com/docs/qualys-network-passive-sensor-deployment-guide.pdf

16
Business Context from CMDB Sync
Organizations use ServiceNow to define, structure, and automate the flow of work,
removing dependencies on email and spreadsheets to transform the delivery and
management of services for the enterprise.

ServiceNow stores information about all technical services used in an enterprise in a

Configuration Management Database or CMDB. Within the CMDB, the support
information for each service offering is stored in a Configuration Item (CI) specific to
that service. This information includes the service name and description, assignment
groups, change management approvers and service roles as well as other business
information directly related to the service support.

Qualys CMDB Sync synchronizes Qualys IT asset discovery and classification with the
ServiceNow Configuration Management Database (CMDB) system. Qualys CMDB Sync
automatically updates the ServiceNow CMDB with any assets discovered by Qualys and
with up-to-date information on existing assets, giving ServiceNow users full visibility of
their global IT assets on a continuous basis. Conversely, if an asset is added to the
ServiceNow CMDB, Qualys CMDB Sync will add it to the Qualys asset inventory.

Integration Methods
There are 2 different Qualys apps for ServiceNow CMDB Sync:
• Qualys ServiceNow CMDB Sync App
• Qualys ServiceNow CMDB Sync Service Graph Connector App

Please consult the following link for a detailed description of the Qualys CMDB Sync App:
https://www.qualys.com/docs/qualys-cmdb-sync-v2.pdf

The Qualys CMDB Sync Service Graph Connector App is intended for Service Now
'Orlando’ and later versions.

Please consult the following link for a detailed description of the Qualys CMDB Sync
Service Graph Connector App:
https://www.qualys.com/docs/qualys-asset-inventory-cmdb-sync-ire.pdf

For both integration types, you must have a valid Qualys account subscription with API
Access and access to following modules:
- Qualys Subscription with CSAM (Qualys to ServiceNow Sync)
- CMDB Sync enabled within your Qualys subscription (Qualys to ServiceNow Sync)
- Vulnerability Management (ServiceNow to Qualys Sync)
17
In addition to the above prerequisites, additional plugins must be installed in
ServiceNow if using the Qualys CMDB Sync Service Graph Connector App:

Please consult https://docs.servicenow.com/bundle/orlando-servicenow-

platform/page/product/configuration-
management/concept/c_CMDBIdentifyandReconcile.html for detailed installation steps
for the above plugins.

Business Information Sync

Asset metadata can be synchronized for assets that exist in both ServiceNow and
Qualys. ServiceNow stores business information including owners, environment,
business applications, etc. You can enrich Qualys inventory by importing this business
context. The list of business attributes that can be imported in Qualys includes:
o Status (e.g., in-repair, lost/stolen)
o Organization (Company, Business Unit, Department)
o Owned By - Who owns the asset
o Managed By - Responsible person
o Supported By – Supporting person
o Environment (e.g., Prod/Lab/Test)
o Assigned Location (Country, City)
o Business App/Service name
o Business Criticality

This information helps security teams to better understand the environment, organize
scans, prioritize assets and vulnerabilities and provide accurate scope to remediation
teams.

This business information can be accessed from the CSAM user interface, through
search queries and using Qualys APIs.

Navigate to the following URL to view the “Business Context from CMDB Sync”
tutorial:

https://ior.ad/7MPL

18
Hardware, Software and OS Classification
For IT organizations to make data-powered decisions and drive processes, such data
must be relevant, clean, structured and often enriched with additional data points.

CSAM uses the raw data provided by the sensors and normalizes and categorizes it into
standardized names and structures. It then enriches this data with software and
hardware lifecycles, software type (commercial or open-source), etc.

Hardware Classification
CSAM categorizes hardware assets based on an internally developed classification/
categorization system. The categorization, which gives the user an idea about the
primary function of the product, has been derived from standard industry terms as well
as other well-known industry classification systems.

In order to see assets in CSAM, your authenticated scan or Cloud Agent scan needs to
have run and completed successfully.

The Inventory > Assets tab gives you an overview of assets in your organization.

19
Here you can view bar charts for the top hardware categories. Clicking a specific bar
from the chart allows you to view the list of assets for the specific category.

A query is automatically populated in the search bar based on the click you make. You
can also use the faceted search on the left which allows you to filter this data further by
tag and manufacturer.

Imagine if you had virtualized hosts but also wanted to see the location of them, you
could easily use a tag to filter. Or, if you want to know all of your notebooks in a given
location, you could use tags to help you find them. CSAM categorizes your hardware in
this way.

20
CSAM provides a structured hierarchy for hardware that allows filtering, grouping and
aggregation at different granularity levels (e.g. Category, Manufacturer, Product, and
Model). If you would like to identify all the hardware categories in your account,
navigate to the "Assets" tab, click "Group Assets by.." select Hardware and then
Category.

CSAM follows a two-level classification system – namely Level 1 Category and Level 2
Category

- Level 1 category: Major/ broad category to which the hardware asset belongs.
- Level 2 category: Subcategory, i.e specific to the product’s primary function.

Examples:

21
a) "Lenovo ThinkPad P50 20EN001LUS " → Computers / Notebook → Level 1:
Computers, Level 2: Notebook
b) “Fuji Xerox ApeosPort-IV C7780” → Printers / Multi-Function Printer (MFP) → Level 1:
Printers, Level 2: Multi-Function Printer (MFP)

CSAM is capable of categorising hardware assets related to IT, OT, IOT/ IIOT. There are
currently 19 Level 1 categories and 90 Level 2 categories for classifying hardware assets
in CSAM.

Clicking on the asset count for any of the category will show a filtered list of all matching
assets in the resulting page

Navigate to the following URL to view the “Hardware Classification” tutorial:

http://ior.ad/7OeV

Operating System Classification

Similar to hardware classification, normalized data in CSAM has operating systems
categorized based on an internally developed classification/ categorization system.

22
It follows a two-level classification system – namely Level 1 Category and Level 2
Category.
- Level 1 Category: Indicates the operating system family.
- Level 2 Category: Indicates whether the operating system is for client, server or
virtualized environments.

Example:
a) "Apple macOS High Sierra" → Mac / Client → Level 1: Mac, Level 2: Client
b) "VMware ESXi" → Virtualization / Hypervisor Type-1 (Bare Metal) → Level 1:
Virtualization, Level 2: Hypervisor Type-1 (Bare Metal)

There are currently 13 Level 1 categories and 5 Level 2 categories for classifying
operating systems.

You can group assets by their OS, OS category levels, publisher, name, architecture,
market version, update level and edition.

Navigate to the following URL to view the “OS Classification” tutorial:

https://ior.ad/7Of3
23
Software Classification
Normalized data in CSAM also has software applications categorized based on an
internally developed classification/ categorization system.

It follows a two-level classification system similar to hardware and OS.

- Level 1 Category: Major or broad category to which the software application
belongs.
- Level 2 Category: Subcategory, i.e. specific to the product's core function.

Examples:
a) McAfee Endpoint Security Platform → Security / Endpoint Protection → Level 1:
Security, Level 2: Endpoint Protection
b) Oracle MySQL → Databases / RDBMS → Level 1: Databases, Level 2: RDBMS

Few other examples of categories:

Application Development / Framework
Security / Endpoint Management and Security
Application Development / Development Tool
Network Application / Internet Browser
Storage / Backup and Recovery etc.

There are currently 29 Level 1 categories and 149 Level 2 categories for classifying
software applications. Qualys is continuously updating its taxonomy for classifying more
diverse range of software products, so these numbers are subject to change.

The Inventory > Software tab gives you an overview of all software in your organization.

Navigate to the following URL to view the “Software Classification” tutorial:

https://ior.ad/7Ofe

Software License Type

The software license category indicates the type of license under which the software
product is available, followed by the particular license model the product follows.

There are two types of licenses that exist: Commercial and Open Source.
1. Commercial : The product is available under proprietary license i.e the publisher
retains intellectual property rights such as copyright of the source code

24
 Examples:

a) "Microsoft Edge" Licensing: Commercial / Free

b) "Adobe Photoshop" Licensing: Commercial / Licensed

2. Open Source: Open source software is distributed with source code that may be
freely accessed, used, modified and shared by its users. However, terms and
conditions for sharing and modifying the source code vary by the type of open
source license used. The Second value denotes the model of the Open Source
License that the software follows.

Examples:

a) "MongoDB" Licensing: Open Source / GNU Affero General Public License v3

(AGPL-3.0)
b) "PHP" Licensing: Open Source / PHP License (PHP-3.0)

CSAM currently has coverage of around 75 unique Open Source license models captured
till date.

Navigate to the following URL to view the “Software-Commercial and EOL” tutorial:

https://ior.ad/7Ofl

25
Asset Groups and Asset Tags
There are many ways to organize the host assets within your Qualys subscription,
including geographic location, service or function, device type, operating system, asset
owner, IP address range (netblock), and more.

Although the methods listed above are common, you may choose other grouping or
labelling methods that are unique to your company or organization.

The proper use of Asset Groups and Asset Tags will allow you to effectively organize and
manage host assets. Asset Groups and Asset Tags can be combined to accomplish
numerous objectives, such as:

• Creating targets for scanning, reporting, and remediation.

• Assigning access privileges to user accounts.
• Host identification and inventory management.

One thing to keep in mind is having a naming convention for every Asset Tag and every
Asset Group. This will allow you to query your assets in a more structured way without
requiring that you memorize every tag you have created.

Asset Groups
Asset Groups were the first asset management tool provided by Qualys VM. Simply
create an Asset Group, give it an appropriate name, and manually add host IP addresses.
Alternatively, hosts can be added to Asset Groups by their DNS or NetBIOS names. Here
are some important characteristics of an Asset Group:
• Used to assign access privileges to user accounts.
• Contains a “Business Impact” setting that is used to calculate Business Risk.
• Can be used as a target for mapping, scanning, reporting, and remediation.
• A single host can be a member of multiple Asset Groups.
• Nesting one Asset Group inside another is not supported. *
• Created and updated manually. *

* The last two items in this list are addressed using Asset Tags. Asset Tags are updated
automatically and dynamically. Asset Tag “nesting” is the recommended approach for
designing functional Asset Tag “hierarchies” (parent/child relationships).

26
Generally, it is best to use Asset Groups as a breakdown for your geographic locations.
You’ll typically be adding your groups by IP range, instead of instances of individual IP
addresses.

Also, make sure to use a naming convention to better help you find Asset Groups and
their corresponding “Asset Group Tags” later.

Qualys recommends adding the “AG:” prefix to Asset Group names. Other naming
conventions that help to distinguish Asset Group members (such as location, function,
device type, etc...) will make it easier for other Qualys users in your account to identify
and use Asset Groups, effectively.

IP addresses are often associated or directly linked to some domain name(s). You may
associate domain names with the IP addresses in your Asset Groups.

Business risk is the product of an Asset Group’s “Average Security Risk” and its “Business
Impact” setting. Once an Asset Group’s Average Security Risk is calculated, its associated
Business Risk can then be determined.

27
A “Critical” Asset Group will receive a higher Business Risk score than a “High” or
“Medium” Asset Group that has the same security risk average. Asset Groups with a
“Minor” or “Low” impact, will receive even lower Business Risk scores, helping you to
prioritize patching and remediation tasks for your most important assets. By default,
Asset Groups are created with “Business Impact” set to High.

Navigate to the following URL to view the “Asset Groups” tutorial:

https://ior.ad/7MWO

Asset Tags
Asset Tags provide a flexible, scalable, and dynamic solution to help you label and
identify hosts. Asset tags are continuously updated, when new data and information is
provided by Qualys Sensors, including Scanner Appliances and Cloud Agents.
CSAM is a core component of the Qualys Cloud Platform and it provides a centralized
location for creating and managing Asset Tags.

Create Hierarchy
Asset Tags are organized into hierarchical structures or parent/child relationships. Some
tags serve both a Parent and Child role.

28
Many tag hierarchies begin with a static “parent” that serves as a “placeholder” for its
dynamic “child” tags. Tags located at higher levels of the hierarchy reflect a broader
scope of host assets, while tags at lower levels of each hierarchy represent a more finite
set of assets. A single host asset can have multiple tags, simultaneously.

Dynamic Rule-Based Tags

Dynamic Asset Tags are created using various types of Asset Tag Rule Engines. These
tags are automatically updated as new information is received from Qualys Sensors. The
“Asset Inventory” rule engine allows you to build tags using the Qualys Query Language
and various query tokens, including the hardware, OS, and software category tokens.

Operating System Tags

Often, you’ll want to build reports or create widgets and dashboards by operating
system. By creating a tagging structure which will automatically tag your hosts, you’ll be
able to easily report, filter, and query by operating system.

The “Asset Inventory” rule engine and the “operatingSystem” query token provide a
convenient way to label host by their OS.

29
In the above illustration, the Asset Inventory query token operatingSystem.category1 is
set to filter out all hosts with the Windows OS.
When testing your queries, hosts that meet the query conditions(s) will Pass, while all
other hosts will Fail.

Using the “Evaluate Rule on Creation option (while building or editing a tag) will add the
tag to host that have already been scanned.

When you create a dynamic tag, it is applied to all scanned hosts that match the rule
you defined. You can filter the assets list to show only those that match your new tag
rule.

When you create static tags, you need to apply it manually to your asset from the
Inventory tab.

Navigate to the following URL to view the “Dynamic Rule-Based Tags” tutorial:

https://ior.ad/7O2M
30
Example Queries
To build a dynamic tag for Relational Database Management Systems, use the “Asset
Inventory” rule engine with the following query:

software:(category:Databases / RDBMS)

The first value (Databases) is separated from the second value (RDBMS) by the slash
(“/”) symbol.

To build the same tag exclusively for “Server” host assets, use the “Asset Inventory” rule
engine with this modified query:

software:(category:Databases / RDBMS) and

operatingSystem.category2:server

The Boolean operator “AND” combines the query from the previous example, with an
additional query token/condition. Boolean operators AND, OR and NOT can be
leveraged to build accurate and effective queries.

Recommendation
Use the discussion on the Qualys Community to build your Asset Group and Asset Tags
for your own organization. You can practice in the trial account you are using, but
building a good asset management system of well-formed tags and Asset Groups are
critical to having a functional security program and clean implementation in Qualys.

Here is a checklist of steps to take before you start scanning and deploying your agents.
This will save you time when it comes time to building your own scans, reports,
dashboards, and queries.

Checklist:
• Build Asset Groups based on the physical locations in your organization
• Create Asset Tagging hierarchies for the following (see the discussion link above
for how to build them):
o Operating System
§ All different operating systems in your environment
o Host Type
§ Cisco devices

31
 § Workstations
§ Servers
§ Printers
§ Etc.
o Authentication Results
§ Devices where sudo isn’t being used
§ Where is NTLM v1 used?
§ Where is NTLM v2 used?
§ Where is Kerberos used?
o Informational
§ Firewall detected
§ Sticky keys enabled
§ Is this host configured via DHCP?
§ Do we think there was interference when we ran our scan?
§ Is the host stale ( or hasn’t been scanned in X days)?
o Registry Settings
§ Critical Registry access denied
§ Hardware info not accessible
§ Installed Patches not accessible
§ Installed software not accessible
§ System info not accessible
o Agentless Tracking
§ Agentless Tracking Errors
§ Agentless Tracking used
o Web Servers
§ IIS
§ Apache

32
 § Web Server stopped responding
o Cloud-Based Tags
§ Running assets
§ Terminated assets
§ Stopped assets

33
Asset Criticality Score
With GAV/CSAM, you can apply tags manually or configure rules for automatic
classification of your assets in logical, hierarchical, business-contextual groups. And you
can assign Asset Criticality through tags to establish asset priorities.

Asset Tag Criticality

You can set the asset criticality score between 1 to 5. Score 1 being the lowest criticality
and 5 being the highest criticality assigned to an asset, when selected.

Types of Tags where user can enable and assign Criticality Score or disable Criticality
Score :
• Dynamic tag
• Static Tag
• IFA(Internet facing asset tag) - The only system tag for which we can add asset
criticality score.
• Asset groups

Asset Criticality
CSAM automatically calculates the Asset Criticality Score of an asset based on highest
aggregated criticality.
34
Example: Asset A1 has three tags attached with Criticality Scores as listed in the table.
Tag Criticality Score
T1 2
T2 4
T3 *Null

So the Criticality Score for this asset is 4.

*Note that tag criticality score for system tags will always be Null. We cannot assign any
criticality to them. Example : Cloud agent , Business Unit etc.

Criticality for Asset Group Tags

Assets that are part of the current Business Criticality of Asset Groups in VM are
mapped to their respective criticality levels.
Following mapping is used

1. Critical Business Group - Level 5 ACS

2. High Business Group - Level 4 ACS
3. Medium Business Group - Level 3 ACS
4. Minor Business Group - Level 2 ACS
5. Low Business Group - Level 1 ACS

ACS - Asset Criticality Score

Inventory Asset list Page

Criticality Score calculation for asset can be seen on the click of Score in the Inventory
section.

35
Default criticality score for asset is 2 (If there is no tag having Criticality Score attached
to it.)

In case the criticality score assigned to the tag is updated, like from 4 to 5, the Criticality
Score for associated assets will be updated following the subsequent scan or in the
event of a modification to the existing tag rule or when a new tag is assigned to an asset
or alternately, when an existing tag is removed from the asset and on tag re-evaluation.

Navigate to the following URL to view the “Asset Criticality Score” tutorial:

https://ior.ad/7MPK

36
Product Lifecycle Management
End-of-life and End-of-support software and obsolete hardware pose a risk to
organizations. Not only organizations are unable to get support that can incur into
extended downtimes and technical issues that lead into decreased performance and
productivity, but it can also affect internal and external compliance.

Together with a comprehensive IT reference catalog, and the normalization of discovery

data to it, CSAM provides a clean and categorized asset inventory that significantly
increases the fidelity on which organizations can make decisions about their inventory.

Hardware Lifecycle Management

CSAM provides hardware vendor lifecycle dates and support details. CSAM currently has
lifecycle information for over 100 hardware manufacturers and over 45,000 models.
And these numbers are subject to change as Qualys continuously adds new hardware
manufacturers, products and models to its catalog.

37
You can use multiple search tokens in CSAM to quickly filter assets based on their
hardware lifecycle information.

You can review detailed hardware lifecycle information to identify assets requiring
replacement or upgrade.

Using this information, organizations can analyze how end-of-life and end-of support
may affect their current assets and plan accordingly (e.g. technology refreshes,
extended warranty and support, etc.)

Software Lifecycle Management

CSAM also provides software vendor lifecycle dates and support details, so that
organizations can analyze how end-of-life and end-of-support software on their
environment may pose risk and potential productivity impact (e.g. lack of patches,
incompatibility with future OS/applications, etc.)

38
You can use multiple search tokens in CSAM to quickly filter assets and software based
on the software lifecycle information.

You can find out what software/OS is end-of-life or end-of-support now and within a
future timeframe, so that you can assess impact and plan proper remediation (e.g.
technology refresh, OS compatibly checks, budgeting, etc.)

This gives IT teams some notice on when software updates are needed. You can also
search on end-of-support.

Navigate to the following URL to view the “Product Lifecycle Management” tutorial:

https://ior.ad/7MPM

39
Software Authorization
Unauthorized software is a big problem for many organizations. Any software that is not
authorized is likely unmanaged without proper patching, updates, configurations, and
security protocols. Attackers are constantly looking for vulnerable targets. Unauthorized
software increases the risk of outsiders gaining access to sensitive data.

This capability, included with CSAM:

• Provides a key NIST requirement to help organizations automate tracking and
alerting of unauthorized software.
• Leverages a well-structured software catalog (with normalization &
categorization) to deliver this capability.
• Enables organizations to define unauthorized & authorized software lists using
rules
• Enables organizations to track, monitor and report on authorized and
unauthorized software in the inventory.

Create Rules
Rules help you to track and report installations of authorized and unauthorized software
based on user defined lists.

Rules can be configured for a subset of devices on the basis of tags.

40
Rules are designed for specific groups of assets. For example, while browsers are
commonly authorized for use on desktop and laptop systems, they add greater risk to a
host and should NOT be authorized for production servers.

Asset may be associated with multiple rules.

You can create rules to define the following software authorization:

1. Authorized
2. Unauthorized
3. Needs review

Software Version\Update Criteria

Rules support criteria for software versions and updates.

Each product can be configured to match against a specific Version or Version Updates
(Release)

41
Further, a user can configure rule matching under following categories for a single
product:
o Any
Will apply the rule to all versions of the selected product
o Specific Versions
Will apply rule to the selected subset of product's version
o In Between Versions
Will apply rule to versions of the product which have order between than the
two selected versions. Please note that the selected versions are excluded in
the matching criteria
o Above
Will apply rule to versions of the product which have version greater than the
selected version. Please note that the selected version is excluded in the
matching criteria
o Below
Will apply rule to versions of the product which have version less than the
selected version. Please note that the selected version is excluded in the
matching criteria

Rule Processing Workflow

An asset qualifies for rules, if:
• It has tags
• It has software

42
 • It has matching rules based on inclusion and exclusion tags

For a newly created asset, software authorization rule won't be applied to the asset
because tag evaluation happens after the asset creation. In subsequent scan, the
software authorization rule will be applied to the asset.
If an asset is qualifies for rule processing, we match each software on such an asset
against the software configured in each category for the asset. If there is a match:
• We will compare the matching product's version and see if it applies based on
the set version/update criteria AND utilizing the rule order attribute.
• If the criteria results are true, an authorization flag will be set for the software

Rules are applied on the basis of rule order precedence.

We will start matching from highest priority first, and skip software which has already
been categorized for the given asset, as we go down the order.

For example, if Bit Torrent software is marked "Unauthorized" in a rule with Order
Number 1 and "Authorized" in another rule with Order Number 2, then that software
will set as "Unauthorized" as it is processed by the first rule which has the higher
priority.

Navigate to the following URL to view the “Software Authorization from Rules Tab”
tutorial:

https://ior.ad/7MPJ

43
Software Inventory
The Inventory -> Software tab gives an overview of the software on the assets in your
organization, such as software license, platform, lifecycle related information, end of life
details of a software, authorized/unauthorized software, etc.

You can add a particular software to an authorization rule and view the authorization
rule associated with the software.

To add a software to the authorization rule, click Add To Authorization Rule from
the Quick Actions menu.

44
If the software doesn't have any update, you'll see only one radio button - "Entire
Product" and it is auto-selected.

Select Authorization from the drop down list, choose existing rule or create new rule in
which the selected software will be added.

Navigate to the following URL to view the “Software Authorization from Software
Tab” tutorial:

https://ior.ad/7OGZ

Rule Conflicts
Make sure you have not selected the same specific software (with version and/or
update) in different categories.

If you select the same specific software in two different categories, it will show an error
message while creating a rule. For example, if you select `MySQL’ product with 'Specific
- Version = 5.7' criteria in the 'Unauthorized' category and `MySQL’ product with 'Below
- Version = 7.6' criteria in the 'Authorized' category for the same rule, the “MySQL 5.7”

45
will be considered in both the categories, which is conflicting. Doing so will result in an
error when saving the rule as illustrated above.

Also selecting Version and Update criteria in different categories for the same product is
prohibited. For example, you are not allowed to select `MySQL’ product with 'Version'
criteria in the ‘Authorized' category and `MySQL’’ product with 'Update' criteria in the
‘Unauthorized' category for the same rule. Doing so will result in an error when saving
the rule as illustrated above.

46
Visualize Data Using Dashboards
Having collected all of the asset inventory data, we need a way to view and understand
it. Getting a summary of your inventory from multiple perspectives is critical when
organizing your IT and Security programs.

There are multiple ways to get data with Qualys – queries, widgets and dashboards,
reports templates and APIs.

Option User Access Interactive Report Data

Format

Dashboards Qualys Users YES PDF

On-demand QQL Queries Qualys Users NO CSV

Report Templates Qualys Users NO CSV

APIs (bulk data export) Qualys Users NO CSV, JSON

Third Party Integration Non-Qualys Users NO Varies depending

(ServiceNow, etc.) on third party
application

Queries are the fastest way to get data and are best-suited when you’re looking for
quick answers, typically to one-time questions. Examples include – how many of my
assets have not been scanned in the past 30 days, how many hosts with a specific
operating system or software exist, etc.

Widgets and dashboards allow for visual representation of data and are built using
queries. They are suitable for data that needs to be constantly monitored. Examples
include – assets with EOL/EOS software, assets with unauthorized software, assets with
open-source database instances, distribution of operating systems, etc.

This includes count, bar, table, and pie graph widgets.

47
Qualys provides ready to use templates for dashboards and widgets that you could
quickly add to your list of dashboards and start monitoring your assets.

New templates are regularly published to the template library in your Qualys account.

Amongst the templates, choose the one that suits your need of data population for your
assets and create a dashboard.

You could add more widgets to dashboard, edit existing widgets, change the layout of
widgets and many more things in your dashboard.

For a detailed discussion on building custom dashboards and widgets, please see the
“Reporting Strategies and Best Practices Self-Paced Training Course”
(qualys.com/learning).

48
The main focus of most attacks targeting different organizations, is client data. So as a
security professional you are focused on security of that data. Databases are the
primary location of company data so you really want to understand your database
landscape and identify any potential security concerns. So you can have a dashboard
focused on database servers.

This dashboard illustrated above is one of many that we have and is highly configurable
to show the view you need to accomplish your job.

It immediately shows us a summary of key data:

• Total assets with database instances
• Internet facing database servers
• Unmanaged database server assets
• High criticality database server assets
• Etc.
Along with grouping by category, geolocation, publishers as well as associated business
apps.

The key point here is that this one dashboard gives you a comprehensive at-a-glance
view of your database landscape, highlighting areas of concern.

Let’s consider the ‘Unmanaged Assets with database’ widget for instance. We know
about the number of ransomware attacks happening and one thing that security teams
are worried about is identifying databases they don’t know about and therefore are
vulnerable to attack.

49
Going into the “unmanaged” asset details, you can see the incoming and outgoing traffic
and we can track it by app/service. This information comes from our Passive Sensor and
the way we’re able to determine if a database is installed is by checking the network
traffic on assets.

Another snapshot view is Internet Facing assets. As security teams consider database
server risk, visibility on the internet is one key aspect that can drive attacks. Database
servers should be carefully reviewed to verify if they should have this kind of exposure.

The Asset Criticality measure allows the team to track the importance to the business of
assets. This can be overlayed along with other in-context data to better find assets that
need to be addressed quickly.

So as a security admin, all of this information lets you quickly and easily focus on high
risk database instances so that you can address them quickly by updating or removing
them.

Navigate to the following URL to view the “Visualize Data Using Dashboards” tutorial:

https://ior.ad/7Pud

50
Reports
Mandates like FedRAMP and PCI require you to track all assets and software, as well as
continuously monitor their security gaps. With CSAM you can easily generate reports so
you can demonstrate compliance. Reporting includes configurable out-of-the-box
templates, for example to address FedRAMP requirements. You can also generate
reports to provide information about your environment to internal or external
stakeholders using our reporting function.

Asset Details Report

This report shows asset inventory data for selected assets based on host information
(attributes).

51
You can select the asset scope for the report using asset name, asset tags or using
queries.

Once you create report, it shows 'Accepted' status. Once report execution is finished, it
will shows status as 'Completed' and you'll be able to download the report.

The attributes selected in the report will be column headers in the CSV report.

Software Details Report

This report shows detailed report of the selected assets based on software and host
information (attributes).

52
Compliance Report
This report shows detailed report of the assets for FedRAMP compliance based on
software and host information (attributes).

This report that satisfies your auditors without you having to manually extract and
aggregate the data or push the data to a 3rd party and do manual scripting. This makes
your job much simpler and quicker.

Navigate to the following URL to view the “Asset Details, Software Details and
Compliance Reports” tutorial:

https://ior.ad/7MPO

53
Interactive Report
This report provides an interactive workflow and focuses on asset health issues instead
of just inventory data. By correlating security gaps with asset context and business
context, the Interactive Report will help you to “zero in” on the most critical asset health
issues so that you can address them quickly.

After selecting one or more asset tags as your targeted assets, you are provided a
summary of all assets that are in scope and the area of concern.

Internet Facing Assets

Hosts with public interfaces are at greater risk because of their exposure to the Internet,
especially with vulnerabilities that can be exploited without authentication. The risk
becomes even more significant if the same host has unauthorized and EOL/EOS
software. So, you need to have visibility into assets with such an exposure.

From here, you can pivot further on assets of interest by applying various filters. The
filter options are provided in three categories:

Business Context
It’s important to consider the business impact of an asset when prioritizing assets for
security gap analysis. Here, you can select Asset Criticality, Department and Asset
Support Groups as filters.

54
With the slider set to the position illustrated above, only assets with Criticality score of 4
and 5 will be considered for the report.

Department and Asset Support Group filters are based on business information derived
from CMDB sync and provide additional means to refine your asset scope.

Asset Categories
You can also use Level 1, hardware (server, desktop, mobile device, network device,
etc.) and OS (Windows, Linux, Mac, etc.) category filters which gives the user an idea
about the primary function of the product, to pivot on specific asset categories. The
categories listed in the report are based on the assets that are mapped to the selected
asset tags.

Security Gap
And lastly, you can filter assets based on the security gap area such as EOL/OBS
hardware, EOL/EOS software or OS and unauthorized software.

55
Once your filter options have been selected, click the “Generate Report” button.

The displayed assets and software will reflect the priority options you specify.

At the top, you can see a summary of count of assets or software instances (depending
on whether you are in the Assets or the Software section of the result) with a security
gap. Clicking on these cards/numbers filters assets/software as per the identified
security gap.

Navigate to the following URL to view the “Interactive Report” tutorial:

https://ior.ad/7OWM

56
Rule-Based Alerts
Rule-based alerts provide ongoing detection, automatically triggering alerts for critical
events based on real-time activity. This eliminates the need to manually search the
same event or security gaps over and over by leveraging time-saving automation.

In CSAM, you can configure rules to monitor critical events and define actions to send
you alert messages if events/incidents matching the condition are detected.

You can set rules and create actions under the 'RESPONSES' tab.

On the RESPONSES tab:

1. Define Actions → Configure rule actions to specify one or more actions to be

performed when events matching a condition are detected. You can set alerts to be
sent by Email, PagerDuty, or Post to Slack.

2. Set up your rules in the Rule Manager tab → Here you create a rule with a specific
criteria and then determine a course of action for any instance that meet that the
criteria.
Let’s say your goal here is to track all databases that are going to be EOS in 6
months. You want some time to react and address the issue before they actually go
EOS.
The QQL query to configure for this rule is:
software:(category1:`Databases` and component:`Server`
and lifecycle.eos:[now+179d ... now+180d])

Using this type of alert, your security teams can always stay on top of EOL/EOS
software in your environment.

57
Currently CSAM only supports the single match that is one alert for one match.

Asset Tokens
CSAM also supports use of tokens within the message body which work as placeholders
or variables for data values that populate when the search completes. You can include a
variety of search tokens pertaining to asset search, cloud metadata search and
others. All 3 action types (Email, Slack, PagerDuty) support the use of tokens.

58
When a condition matching the rule is detected, the alert that is generated will include
the asset name, asset criticality score, hardware category, OS of the asset, etc.
depending on the tokens inserted in the message body.

When a rule is triggered based on trigger criteria, CSAM will send to your configured
account alerts that will have details of the events.

59
The illustration above is for an email type alert action.

3. Monitor all the alerts in Activity Tab → Monitor alerts that were sent after the rules
were triggered. Users can monitor all the action events in this tab.

Navigate to the following URL to view the “Rule-Based Alerts” tutorial:

https://ior.ad/7MPN
https://ior.ad/7Jl1

60