Advanced Qualys configurations and modifications

Configure advanced optional modifications and streamline some of the data specifically for the Qualys integration. Most of these modifications require coding or advanced ServiceNow or Qualys Vulnerability Integration expertise.

Add dot-walk fields from your third-party table to your vulnerable item form

Adds dot-walk fields to your vulnerable item from your third-party table to use in choice lists, scripts and so on.

Before you begin

Role required: admin

About this task

The Vulnerability (vulnerability_task) field references the Vulnerability (sn_vul_vulnerability) table. The QID information imported from Qualys is put in the third-party Vulnerability Entries (sn_vul_third_party_entry) table. The third-party Vulnerability Entries table is extended from the Vulnerability table, and the third-party table contains fields that are not in the Vulnerability table.

Procedure

  1. Navigate to Vulnerability > Vulnerabilities > Vulnerable Items.
  2. Right-click the hamburger menu of any column in the Vulnerable Items list to bring up the Configure menu, and choose Dictionary.
    Dictionary entry
  3. In the Dictionary Entries list, click New.
  4. Fill in the fields on the form, as appropriate:
    Once you enter a Type, the other choices become available.
    Table 1. Dictionary Entries
    Field: Description
    Table: Defines the table in which the element is created. Pre-filled with Vulnerable Item [sn_vulnerable_item]. Do not change.
    Type: Enter Reference. Defines the field type of the column that the dictionary entry represents.
    Column label: Enter Third-Party Entry. Defines a unique label for the column. The label appears on list headers and form fields for the column. When you create a new column, the column name is populated automatically based on the label, which is prefixed with u_ to indicate that it is custom.
    Column name: u_third_party_entry is generated automatically.
    Max length: Provides a logical limit for the size of string fields to determine how the system displays them in the user interface and how to map them to physical database data types.
    Application: Pre-filled with Qualys Vulnerability Integration. Do not change.
    Active: Check the box to activate the entry. Enables or disables the field.
    Read only: Determines whether users can change the field value. When this check box is selected, users cannot change the value. The data for the field is calculated and displayed by the system.
    Mandatory: Determines whether this field must contain a value to save a record.
    Display: Indicates that this field is the display value for reference fields.

    Table 2. Dictionary Entry tabs
    Tab: Description
    Reference Specification*: Enter Third-Party Entry. Makes the field into a reference field.
    Choice List Specification: Allows users to see a list of suggested values.
    Default value: Allows you to specify a default value that is generated dynamically based on a dynamic filter.
  5. Click Submit.
  6. Navigate to System Import Sets > Administration > Transform Maps.
  7. Search for the Qualys Detection List Transform map in the list and open it.
  8. Click New under the Field Maps tab to add a new field mapping.
    1. Change Target field to Third-Party Entry.
    2. Check the Use source script box.
    3. Edit the Source script as follows:
      answer = (function transformEntry(source) {
          var qid = "QID-" + source.u_qid.toString();
          return qid;
      })(source);
  9. Click Submit.
    The target field u_third_party_entry appears in the Field Maps list.

Add a source field

Adds a field to show the source of the Vulnerable Item.

Before you begin

Role required: admin
Note: Ensure that you are in the Qualys Vulnerability Integration scope.

Procedure

  1. Navigate to Vulnerability > Vulnerabilities > Vulnerable Items.
  2. Right-click the hamburger menu of any column in the Vulnerable Items list to bring up the Configure menu, and choose Dictionary.
    Dictionary entry
  3. Click New on the Dictionary Entries form.
  4. Fill in the fields on the form, as appropriate:
    Once you enter a Type, the other choices become available.
    Table 3. Dictionary Entries
    Field: Description
    Table: Defines the table in which the element is created. Pre-filled with Vulnerable Item [sn_vulnerable_item]. Do not change.
    Type: Enter Choice. Defines the field type of the column that the dictionary entry represents.
    Column label: Enter Source. Defines a unique label for the column. The label appears on list headers and form fields for the column. When you create a new column, the column name is populated automatically based on the label, which is prefixed with u_ to indicate that it is custom.
    Column name: u_source is generated automatically.
    Max length: Provides a logical limit for the size of string fields to determine how the system displays them in the user interface and how to map them to physical database data types.
    Application: Pre-filled with Qualys Vulnerability Integration. Do not change.
    Active: Check the box to activate the entry. Enables or disables the field.
    Read only: Determines whether users can change the field value. When this check box is selected, users cannot change the value. The data for the field is calculated and displayed by the system.
    Mandatory: Determines whether this field must contain a value to save a record.
    Display: Indicates that this field is the display value for reference fields.

    Table 4. Dictionary Entry tabs
    Tab: Description
    Reference Specification*: Makes the field into a reference field.
    Choice List Specification: Allows users to see a list of suggested values.
    Default value: Allows you to specify a default value that is generated dynamically based on a dynamic filter.
  5. Click on the Advanced View related link.
  6. Under the Choices tab, click New.
  7. Enter Qualys in the Label text box.
  8. Enter qualys in the Value text box.
    Dictionary entry choices
  9. Click Submit.
  10. Navigate to System Import Sets > Administration > Transform Maps.
  11. Search for Qualys Detection List Transform.
  12. Click New under the Field Maps tab to add a new field mapping.
  13. Add new field mapping.
    1. Change Target field to Source.
    2. Check the Use source script box.
    3. Edit the Source script as follows:
      answer = (function transformEntry(source) {
          return 'Qualys';
      })(source);
  14. Click Update.

Modify the Qualys to ServiceNow priority and state mapping values

Modify mapping values for priority and state for your requirements.

Before you begin

Role required: admin

About this task

This is an advanced customization option.

Procedure

  1. Navigate to System Definition > Business Rules.
  2. Search for Map Qualys Values and open it.
  3. Click the Advanced tab.
  4. Modify per your requirements. The most common modifications include adding new state values or revising criticality or priority.
  5. Click Update.

Restrict the ability to write to a record based on an assignment group

You can restrict write or read rights on records based on membership in an assignment group. Modify the conditions and script to fit your specific requirements.

Before you begin

Role required: security_admin (elevated role from admin)
Note: This action is performed in the Vulnerability scope.

Procedure

  1. Navigate to System Security > Access Control (ACL).
  2. Search for ACLs that start with sn_vul.
  3. Choose an Access Control record, for example, sn_vul_vulnerable_item, Operation write.
  4. Check the Advanced box in the record, if necessary, to display the Role entries.
  5. Modify the Role script for your requirements.
    Script example of modifying access by group:
    // Allow access when the record is assigned to the current user
    // or the current user belongs to the record's assignment group
    answer = (current.assigned_to == gs.getUserID() || isMemberOfForScopedApp(current.assignment_group));

    // Note: standard 'isMemberOf' does not work within Scoped App
    // gs.getUser().isMemberOf(current.assignment_group);
    function isMemberOfForScopedApp(groupID) {
        var result = false;
        // An empty assignment group never grants access
        if (groupID != '') {
            var userID = gs.getUserID();
            // Look for a membership row linking the current user to the group
            var gr = new GlideRecord("sys_user_grmember");
            gr.addQuery("group", groupID);
            gr.addQuery("user", userID);
            gr.query();
            if (gr.next()) {
                result = true;
            }
        }
        return result;
    }
  6. Click Update.

Set up scanner appliances

If you are initiating scans from ServiceNow, instead of directly from Qualys, you can set up scans for IP address ranges. The data comes from the Qualys integration based on Qualys asset groups and their related default appliances. If a default appliance is not specified on the Integration Configuration form, the appliance from the associated Qualys asset group is used.

Before you begin

Role required: sn_vul_qualys.admin

Procedure

  1. Navigate to Qualys Vulnerability Integration > Scanner Appliances.
  2. Fill in the fields on the form, as appropriate.
    Field: Description
    Appliance name: Enter the name for the Qualys scanner appliance to be used for invoking scans for matching configuration items. If you have manually created records that do have an Appliance ID provided, the appliance name is used.
    Appliance ID: Enter the appliance identifier for the Qualys scanner appliance to be used for invoking scans for matching configuration items. If you entered both an Appliance name and an Appliance ID, the identifier is used.
    Appliance status: Displays the last status of the scanner appliance based on the data returned by the Qualys integration. For manually created records, the status is updated only if a valid Appliance ID is specified.
    Asset group ID: Displays the Qualys asset group identifier that created this record. This field displays a value only for records created by the Qualys integration.
    Asset group name: Displays the Qualys asset group name that created this record. This field displays a value only for records created by the Qualys integration.
    Order: Enter a value to be used for determining scanning priority. For appliances that have conflicting criteria, an appliance with a lower order value is given a higher priority.
    Manually created: Indicates whether this record was created manually by the user.
    Use filter group: Select this check box to specify a filter group for finding matching configuration items for scanning.
    Filter group: Select the filter group you want to use for finding matching configuration items for scanning. This field appears only if you selected Use filter group.
    IPs: A comma-separated list of IP addresses or ranges of IP addresses to be used by this appliance when invoking scans.
  3. Click Update.

Extend the Qualys scanner

The Qualys scanner included with the base system provides a baseline integration to initiate scans based on IP addresses. Qualys provides a REST API to launch scans. You can view and edit the outbound REST message sent to Qualys.

Before you begin

Role required: web_service_admin

Procedure

  1. Navigate to System Web Services > Outbound > REST Message.
  2. Locate and click Qualys-VMScan-Default.
  3. If needed, modify the Endpoint host address to match a different Qualys endpoint.
  4. In the HTTP Methods related list, click post.
  5. Edit the Basic auth profile field with valid Qualys credentials for your organization.
  6. Modify the endpoint and various query parameters to launch a scan that meets the needs of your organization.
    Note: The IP query parameter is the only parameter that is scan-specific and updated by the scanner implementation.
  7. Click Update.

Threat and solution summary from an associated vulnerability

You can combine the threat and solution information from the referenced Vulnerability into a summary field on the vulnerable item.

Before you begin

Role required: admin

Procedure

  1. Navigate to Vulnerability > Vulnerable Items.
  2. Select a vulnerable item.
  3. Right click in the header to bring up the Configure menu.
  4. From the Configure menu, choose Dictionary.
  5. Click New.
  6. Fill in the fields on the form, as appropriate. See Data dictionary form.
  7. Navigate to System Import Sets > Administration > Transform Maps.
  8. Search for Qualys Detection List Transform.
  9. Click on the Field Maps tab.
  10. Add new field mapping. See Create a field map.
    1. Check the Use Source Script box.
    2. Set target field to Vulnerability Summary
    3. Enter Source Script:
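      answer = (function transformEntry(source) {
          // Look up the third-party entry that matches this detection's QID
          var gr = new GlideRecord('sn_vul_third_party_entry');
          if (!gr.get('id', 'QID-' + source.u_qid)) {
              return;
          }
          // Build the summary only when the entry carries threat text
          if ((gr.threat) && (gr.threat != 'undefined')) {
              return '<h1>Threat:</h1><br>' + gr.threat + '<br><br><h1>Solution:</h1><br>' + gr.solution;
          }
          return;
      })(source);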
  11. Click Submit.

Set ignore host detection updates if no state changes

You can ignore host detection updates when there is no state change.

Before you begin

Role required: admin

Procedure

  1. Navigate to System Import Sets > Administration > Transform maps.
  2. Locate the Qualys Detection List Transform transform map and open it.
  3. Click on the Transform Scripts tab.
    1. Create or edit an onBefore transform script. Its only function is to update target records if the incoming Qualys status value is different from the target record.
      Here is an example of an onBefore script:
      (function runTransformScript(source, map, log, target /*undefined onStart*/ ) {
          // Collect values from the source record and build a query to find the matching VI record
          var ip = source.u_ip;
          var dns = source.u_dns;
          var netbios = source.u_netbios;
          var qid = source.u_qid;
          var port = source.u_port;
          var vul = new GlideRecord("sn_vul_entry");
          if (!vul.get("id", "QID-" + qid)) {
              return null;
          } else {
              var gr = new GlideRecord("sn_vul_vulnerable_item");
              var encoded = "vulnerability=" + vul.getUniqueValue();
              if (!gs.nil(port)) {
                  encoded += "^port=" + port;
              } else {
                  encoded += "^portISEMPTY";
              }
              var appendOr = false;
              if (!gs.nil(ip)) {
                  if (appendOr) {
                      encoded += "^ORip_address=" + ip;
                  } else {
                      encoded += "^ip_address=" + ip;
                      appendOr = true;
                  }
              }
              if (!gs.nil(dns)) {
                  if (appendOr) {
                      encoded += "^ORdns=" + dns;
                  } else {
                      encoded += "^dns=" + dns;
                      appendOr = true;
                  }
              }
              if (!gs.nil(netbios)) {
                  if (appendOr) {
                      encoded += "^ORnetbios=" + netbios;
                  } else {
                      encoded += "^netbios=" + netbios;
                  }
              }
              gr.addEncodedQuery(encoded);
              gr.query();
              while (gr.next()) {
                  // Check to see if Status has changed - build State/Status mapping object
                  if (!source.u_status.nil()) {
                      var stateMap = {"new": 1, "active": 1, "re-opened": 1, "reopened": 1, "fixed": 3};
                      var ignoredSubstates = ["1", "2", "3"];
                      var currentState = gr.state + "";
                      var currentSubstate = gr.substate + "";
                      var currentStatus = (source.u_status + "").toLowerCase();
                      var expectedState = 0;
                      var info;
                      if (stateMap.hasOwnProperty(currentStatus)) {
                          // If Source Status = Fixed then close the Vulnerable Item record
                          if (currentStatus == "fixed") {
                              expectedState = 3;
                          }
                          // If Target State = Closed and Target Substate value is not in the
                          // ignoredSubstates array - run Status value through State Map
                          else if (currentState == 3 && ignoredSubstates.indexOf(currentSubstate) < 0) {
                              expectedState = stateMap[currentStatus];
                          }
                          // If Target State = Pending Confirmation - run Status value through State Map
                          else if (currentState == 10) {
                              expectedState = stateMap[currentStatus];
                          }
                          // If Target State = Ignored and Target Substate = Fixed - run Status value
                          // through State Map, else ignore
                          else if (currentState == 12 && currentSubstate == 4) {
                              expectedState = stateMap[currentStatus];
                          }
                          // If Target State = New or Analysis - run Status value through State Map, else ignore
                          else if (currentState == 1 || currentState == 2) {
                              expectedState = stateMap[currentStatus];
                          }
                      }
                      // If no mapping State value was returned and Target State is In Review and the
                      // Source Status was not Fixed - ignore transform row
                      if (expectedState == 0 && currentState == 11) {
                          ignore = true;
                          info = "Record is in Review and has not been fixed, row ignored! ";
                          log.info(info);
                      }
                      // If Target State/Status is the same as the Source State/Status - ignore transform row
                      // (the target status is converted to a string before lower-casing)
                      else if ((gr.status + "").toLowerCase() == currentStatus && gr.state == expectedState) {
                          ignore = true;
                          info = "No state change, row ignored! ";
                          log.info(info);
                      }
                  }
              }
          }
      })(source, map, log, target);
  4. Click Submit or Update, as appropriate.
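
The ignore decision made by the onBefore script can be checked outside the instance before the script is changed. The following is an added example, not ServiceNow or Qualys code: it restates the script's state checks as plain JavaScript functions (the names expectedStateFor and ignoreReason and the sample rows are constructed for illustration) and runs them over sample target records.

```javascript
// Added example (not ServiceNow code): the ignore decision of the onBefore script
// as pure functions. State and substate numbers are taken from the script above;
// the function names and sample rows are constructed for illustration.
var STATE_MAP = { "new": 1, "active": 1, "re-opened": 1, "reopened": 1, "fixed": 3 };
var IGNORED_SUBSTATES = ["1", "2", "3"];

// State the incoming Qualys status maps to for this target, or 0 for "no mapping".
function expectedStateFor(target, sourceStatus) {
    var status = String(sourceStatus).toLowerCase();
    var state = Number(target.state);
    var substate = String(target.substate);
    if (!Object.prototype.hasOwnProperty.call(STATE_MAP, status)) return 0;
    if (status === "fixed") return 3;                                // Fixed always closes
    if (state === 3 && IGNORED_SUBSTATES.indexOf(substate) < 0) return STATE_MAP[status];
    if (state === 10) return STATE_MAP[status];                      // Pending Confirmation
    if (state === 12 && substate === "4") return STATE_MAP[status];  // Ignored, substate Fixed
    if (state === 1 || state === 2) return STATE_MAP[status];        // New or Analysis
    return 0;
}

// Reason the row would be ignored, or null when the transform should proceed.
function ignoreReason(target, sourceStatus) {
    if (sourceStatus === null || sourceStatus === undefined || sourceStatus === "") return null;
    var status = String(sourceStatus).toLowerCase();
    var expected = expectedStateFor(target, sourceStatus);
    if (expected === 0 && Number(target.state) === 11) return "in review, not fixed";
    if (String(target.status).toLowerCase() === status &&
        Number(target.state) === expected) return "no state change";
    return null;
}

// Constructed rows: current vulnerable item fields and the incoming Qualys status.
var SAMPLES = [
    { target: { state: 1,  substate: "",  status: "Active" }, status: "Active" },
    { target: { state: 1,  substate: "",  status: "Active" }, status: "Fixed"  },
    { target: { state: 11, substate: "",  status: "Active" }, status: "Active" },
    { target: { state: 11, substate: "",  status: "Active" }, status: "Fixed"  },
    { target: { state: 3,  substate: "",  status: "Fixed"  }, status: "Fixed"  },
    { target: { state: 3,  substate: "2", status: "Fixed"  }, status: "Active" }
];

function runSamples() {
    return SAMPLES.map(function (row) {
        return ignoreReason(row.target, row.status);
    });
}

console.log(runSamples());
```

A null result means the row is not ignored and the rest of the transform map decides what is written to the vulnerable item.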