Qualys Vulnerability Integration troubleshooting Some commonly encountered issues, along with workarounds are discussed. Qualys Host detection import workaround This task is a workaround for Helsinki only. Before you beginRole required: adminNote: The following task is only applicable to Helsinki Patch 9 and earlier, or Istanbul Patch 5 and earlier. The detection_template.xml is available in the KB article, KB0622443. About this task For instances on Helsinki Patch 9 and earlier, or Istanbul Patch 5 and earlier, PRB714243 is an issue with the ServiceNow XML data loader. If certain elements are not contained in the first 10 records of the XML data, those elements not processed. The issue is seen in the Qualys Host Detection Integration where elements (such as nullable values like “Port” or the “SSL” flag) appear to be missing. This workaround is for the Qualys Host Detection Integration, specifically. Procedure Log in as an admin on the affected system. Load, Preview, and Commit the following update set: Qualys_Host_Detection_tpl_update_set.xml Navigate to Qualys Vulnerability Integration > > Supporting Integrations Select Host Detection Import Set Reprocess Integration Attach the following file to the Host Detection Import Set Reprocess Integration record: detection_template.xml Attachments not appearing after import If attachments are not appearing as expected for data sources or on a security incident after third-party integration imports, check your IP restrictions. IP access restrictions can prevent attachments from being seen unless you are logged in from a safe IP. Since a new attachment is added with each import, this can result in duplicates you have to remove. For example, when you run a third-party host import integration, if you do not see any attachments on your data sources, check your IP restrictions and add users to the safe list prior to import. Set the integration execution user A run-as user must be specified to prevent inconsistent transform results, only when the default System Administrator account is removed or disabled, Before you beginRoles required: sn_vul_qualys.admin, import_admin, and sn_vul.vulnerability_write About this task The Qualys integrations are executed as extensions of sysauto_script. There is a configured run-as user for each integration record. The default value for this user is System Administrator. If you removed or disabled the default System Administrator account, the run-as values for each integration record must be changed to another user, with the following roles: sn_vul_qualys.admin, import_admin, and sn_vul.vulnerability_write. This user needs access to data sources, transform maps, and vulnerability data.Note: Failing to set a valid run-as user orphans data retrieval attachments on the data source records, every time the integration runs. Multiple attachments are stored on the data source increasing processing time, resulting in inconsistent transform results. Procedure Add specified roles to a selected alternate system user. For more information see Assign a role to a user Navigate to Vulnerability > Administration > Primary Integrations. Click the at the top left of the list. In the Personalize List Columns dialog box, add the Run as field to the list. Click OK. For each of the Qualys integrations listed, change the Run as user to the user with the listed roles to run the integrations. Repeat steps 1 through 3 for Supporting Integrations. Modify transform maps Transform maps are provided with base configurations and are sufficient usually. You can modify transform mappings depending on the needs of your organization. Before you beginRole required: sn_vul_qualys.admin + import_admin Procedure Navigate to at System Import Sets > Administration > Transform Maps to view the REST messages. Filter the resulting list by application, and limit the list to the Qualys Vulnerability Integration application. Modify the transform maps per the customer requirements. For details on the data provided by the Qualys API, see the Qualys API documentation (https://www.qualys.com/docs/qualys-api-v2-user-guide.pdf). Check XML attachment property size Verifies that the XML attachment property is sufficient for large files. Before you beginRole required: admin Procedure Navigate to System Properties > Import Export. Scroll down to Import Properties > XML Format at the bottom of the page. If necessary, change the value to 250 and click Save. Related ReferenceAvailable system properties CI import customization When a CI is imported and does not match an existing CI (matching is based on Qualys identifiers, IP, NetBIOS, and DNS name), the default behavior is to create a cmdb_ci record. Modifying the corresponding transform map can change this behavior. The transform map that controls this behavior is Qualys Host Import (cmdb_ci). The easiest modification is to change the target table and corresponding field mapping values to map any additional fields that exist. The more customizable, but complex, approach is to modify the onBefore Transform Script to do additional custom mappings, such as mapping to OS classifications based on the Qualys OS. Be cautious when using this approach not to interfere with basic transform functionality. Data retrieval limitations By default, there are no restrictions on how data is retrieved from Qualys. Many records can be related to low severity vulnerabilities that a customer is not willing to remediate using their vulnerability response process. Updating the corresponding REST message/method parameters can modify this behavior. The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values: Name: severities Value: 3-5 (or whatever appropriate severities are desired) Duplicate vulnerable items If you see duplicate vulnerable items (multiple vulnerable items, all pointing to the same Configuration Item and Vulnerability Entry), and the duplicate vulnerable items share the same creation timestamp, a concurrency issue might be the cause. Before you beginRole required: admin Procedure Navigate to System Definition > Business Rules. Search for Process Vulnerability Attachments [sn_vul_ds_import_q_entry]. Set Active to false. Navigate to System Definition > Scheduled Jobs. Search for Scheduled Vulnerability Data Source Processor . Open and click Configure Job Definition related link. Set Repeat interval 2 minutes. Click Update or Execute Now, as appropriate.