Using QQL to Automate Patch Selection for Windows and Linux Assets

You can use Qualys Query Language (QQL) to provide the criteria that associates selective patches to a deployment job. QQL ensures that all the latest patches that qualify based on the criteria are automatically associated to a job without a manual intervention. This saves time and ensures that the critical patch updates and vulnerabilities are addressed regularly. Although, you can use QQL for a run-once job, QQL is optimally utilized for recurring jobs.

QQL is available only for the deployment jobs and not for the rollback jobs. Since rollback patch jobs are executed for selective patches and rarely used, the QQL option is not provided for the rollback job.

Consider this!

- The number of patches that will be installed based on the QQL are calculated just before the job is triggered.

- If the job is set to the agent time zone, the QQL will run once on the first time zone and the same list of patches will be installed to agents across all time zones.

- For optimum performance, only missing and non-superseded patches that match the QQL criteria are added to the job. Every time the job runs only the latest patches will be deployed. For Linux QQL, there is no patch supersedence.

- QQL is only applicable for Deployment jobs. You cannot use a QQL to deploy a rollback job.

- Use of QQL and Patch List is mutually exclusive and you can use only either one to create a job.

- The patches count is not displayed when you create a job using QQL. Patches count will be displayed only when the job is triggered at least once.

- Only the first 2000 patches in the descending order of the published date will be sent in the QQL-based job manifest.

- Once the job is triggered, the patches count for a particular job run will not be updated.

- For a recurring job, the patch list will be freshly assessed based on the QQL for each job run.

- You can edit a deployment job that is created by selecting patches from the Patch list to run on QQL instead. In this case, the previously selected patches will be replaced with the patches that match the QQL criteria. Similarly, you can edit jobs created using QQL to overwrite and manually select the patches that are associated with a job.

- If the QQL is resolved for some patches but those patches don’t apply to agents in the deployment job, the status of the Agent will be set to Not Applicable. If the QQL gets resolved to 0 patches, then the status of the Agent will be set to No Patch Available

Example 1 Installing patches released on Patch Tuesday automatically

Generally, an admin has to keep an eye on the patches that are released on every Patch Tuesday by Microsoft and manually select these patches that must be deployed on assets. You can create a job based on QQL and schedule a recurring job on every 2nd Thursday of a month.

To automate the patch installation, create a deployment job with the following parameters:


Create the following job schedule:

QQL Job Schedule

Example 2 Installing critical patches for Chrome and Internet Explorer

To ensure that the browsers receive the critical updates, you can create a weekly recurring job to ensure critical patches are deployed.

To automate patch installation for Google Chrome and Microsoft Internet Explorer, create a job with following parameters:

appFamily:Chrome OR appFamily: "Internet Explorer"


Create the following job schedule:


Example 3 QQL for security patches

To ensure that none of the important security patches are missed, you can setup a job with the following parameters.



Create the following job schedule:


Example 4 Create a Patch Job to Address all Vulnerabilities with Severity 5

To ensure that all vulnerabilities with severity 5 are addressed, you can setup a job with the following QQL.

Vulnerability Severity 5

Example 5 Create a Patch Job to Address Vulnerabilities that linked to Malware

To ensure that all vulnerabilities linked to malware are addressed, you can setup a job with the following QQL.


Deploying Patch Jobs on Assets

Scheduling Jobs