Qualys Assetview is the vendor-preferred way to search in Qualys. Admittedly, its Elasticsearch interface is slick. But Assetview doesn’t usually let you search by MAC address even though the field exists. So here’s how to search by MAC address in Qualys using other functionality in the tool.
Qualys Asset Search has the ability to search based on the presence of a QID and its results. So you can search on QID 43007 containing the results of the MAC address you want. If Qualys finds a match, it pulls up the machine you are looking for.
Search by MAC address in Qualys Asset Search
Asset Search doesn’t get much love, but Qualys has quietly improved its functionality the last couple of years, adding the ability to search specific findings, including informational findings.
To search by MAC address in Qualys, the most reliable way is to navigate to Vulnerability Management > Assets > Asset Search. Under Asset Groups, choose All. Scroll down to the section marked With the following attributes. Under QID, enter 43007. Under the field with results, select containing, then enter the MAC address you want. Then click Search.
If Qualys has found the MAC address in an authenticated scan, you’ll get the results.
Why is authentication required?
Qualys gets the MAC address from querying the operating system, not from the network layer. Tenable gathers this information regardless. I’ll admit, this is a case of not being able to please everyone. When I worked at Qualys, I had an irate customer chew me out and tell me Qualys was too hard on his network. And yet I know from my sysadmin days that asking systems politely for their MAC addresses is easier on your network than asking the network for that information.
When you have customers screaming at you that your scans are too hard on the network, and others wanting more information, you have to draw the line somewhere. Qualys drew it in a different place than Tenable did. I’m sure both companies had good reasons for making the decisions they made. Neither tool is perfect, but they improve at a faster rate than patch deployment tools.
Why you can’t search by MAC address in Qualys Assetview
Qualys Assetview exposes a field called interfaces.macaddress but it doesn’t normally populate it unless you have the Qualys Cloud Agent loaded on the machines. Why? Qualys wants you to load the cloud agent, even if you aren’t paying for it. Admittedly the agent does gather a lot of useful information even when it’s in inventory-only mode. But many companies are hesitant to load yet another agent on their machines. Sure, recent Intel and AMD CPUs ought to be able to handle the load just fine, but IT departments have very long memories, and if you’re too aggressive with your agent settings, you can under some circumstances run the CPU utilization up over 30 percent.
I wish Qualys would populate the interfaces.macaddress field with the results from QID 43007, but I guess there just aren’t enough customers asking for it.