Note

Access to this page requires authorization. You can try signing in or .

Access to this page requires authorization. You can try .

Queries for the QualysKnowledgeBase table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Qualys vulnerability summary by severity

Returns a summary of Qualys vulnerabilities grouped by severity level, category, and vulnerability type, including counts of patchable and unpatchable vulnerabilities.

QualysKnowledgeBase
| extend SoftwareVendorList = tostring(SoftwareVendor)
| summarize
 VulnerabilityCount = count(),
 PatchableCount = countif(Patchable == "1"),
 UnpatchableCount = countif(Patchable == "0"),
 CveCount = dcount(tostring(CveId)),
 Cves = make_list(CveId),
 Qids = make_list(Qid),
 AffectedVendors = make_set(SoftwareVendorList)
 by SeverityLevel, Category, VulnType
| extend VendorList = strcat_array(AffectedVendors, ", ")
| project
 SeverityLevel,
 Category,
 VendorList,
 VulnType,
 VulnerabilityCount,
 PatchableCount,
 UnpatchableCount,
 CveCount,
 Qids,
 Cves
| order by SeverityLevel desc, VulnerabilityCount desc
| order by SeverityLevel desc, VulnerabilityCount desc

Qualys vulnerabilities with Threat Intelligence

Returns Qualys vulnerabilities that have active threat intelligence indicators, including threat levels and exploit information.

QualysKnowledgeBase
| where isnotnull(ThreatIntelligence) and array_length(ThreatIntelligence) > 0
| mv-expand ThreatIntel = ThreatIntelligence
| where isnotnull(ThreatIntel)
| extend
 ThreatLevel = tostring(ThreatIntel["#cdata-section"]),
 ThreatId = tostring(ThreatIntel.id)
| where isnotempty(ThreatLevel) and isnotempty(ThreatId)
| extend
 IsPciRelevant = PciFlag == "1",
 IsPatchable = Patchable == "1",
 CveCount = array_length(CveId)
| summarize
 ThreatLevels = make_set(ThreatLevel),
 ThreatIds = make_set(ThreatId),
 HighestThreatId = max(toint(ThreatId))
 by TimeGenerated, Qid, VulnTitle, SeverityLevel, Category, VulnType,
 IsPatchable, IsPciRelevant, tostring(CveId), CveCount, tostring(SoftwareVendor),
 tostring(SoftwareProduct), PublishedDatetime, LastServiceModificationDateTime,
 Solution, Consequence
| project
 TimeGenerated,
 Qid,
 VulnTitle,
 SeverityLevel,
 HighestThreatId,
 ThreatLevels,
 ThreatIds,
 Category,
 VulnType,
 IsPatchable,
 IsPciRelevant,
 CveId = parse_json(CveId),
 CveCount,
 SoftwareVendor = parse_json(SoftwareVendor),
 SoftwareProduct = parse_json(SoftwareProduct),
 PublishedDatetime,
 LastServiceModificationDateTime,
 Solution,
 Consequence
| order by SeverityLevel desc, HighestThreatId desc, PublishedDatetime desc

Feedback

Was this page helpful?

Additional resources

  • Last updated on