Host Detection List Import

This transform map is used to transform the detection-specific data returned from the Qualys Host Detection API call to sn_vul_vulnerable_item records.

Changes to this transform alter how the detection information is processed and inserted into the system.

Note: u_port, u_protocol, and u_ssl are not used to determine a vulnerable item match. This accounts for the difference between vulnerable items reported by Qualys and vulnerable items reported by ServiceNow.

View the detection list at System Import Sets > Admin > Transform Map, then select Qualys Detection List Transform.

To access this transform map, click Qualys Vulnerability Integration > Import Set Tables > Host Detection List Import.

The table shows the fields that are currently being transformed.

Table 1. Detection list transform fields

| Source field | Target field | Description |
| --- | --- | --- |
| u_prototcol | protocol | Maps protocol field from API to protocol field on vulnerable item. Not used to determine a vulnerable item match. |
| u_ip | ip_address | Maps ip field from API to ip_address field on vulnerable item. |
| u_severity | qualys_severity | Maps severity field from API to qualys_severity field. Used to calculate priority of vulnerable item. |
| [Script] | vulnerability | Looks up a vulnerability. Used to determine a vulnerable item match. This field is a script field because QID needs to be appended to the ID provided by the API. |
| [Script] | last_updated_by_qualys | Denotes when Qualys updated the vulnerable item. Script field that sets the value to the current date and time. |
| u_status | status | Maps status field from API to status field on vulnerable item. Later translated to the state of the vulnerable item. |
| [Script] | cmdb_ci | Looks up a cmdb_ci to reference on the vulnerable item. Uses a combination of Qualys host information in addition to IP, netbios, and dns values from the host. |
| [Script] | sys_id | Looks up an existing vulnerable item based on host and vulnerability information. If no existing system ID is found, a new vulnerable item is created. |
| [Script] | last_found | Maps the last found timestamp from the API to the last_found field on the vulnerable item. Script field to format the date for your instance. |
| u_port | port | Maps the port field from the API to the port field on the vulnerable item. Not used to determine a vulnerable item match. |
| u_dns | dns | Maps the dns field from the API to the dns field on the vulnerable item. |
| [Script] | first_found | Maps the first found timestamp from the API to the first_found field on the vulnerable item. Script field to format the date for your instance. |
| [Script] | source | Provides a source value to enter on a third-party vulnerability entry. Used as an identifier. Modifications are not recommended. |
| u_ssl | ssl | Maps the ssl field from the API to the ssl field on the vulnerable item. Not used to determine a vulnerable item match. |
| u_results | description | Maps the results field from the API to the description field on the vulnerable item. |
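
The following is an added example, not ServiceNow's transform script. It reconciles a Qualys detection count against the vulnerable item count expected when matching uses only host and vulnerability, and reports which detections collapse because they differ only on u_port, u_protocol, or u_ssl. Assumptions: u_ip stands in for the host lookup, u_qid is a hypothetical source field name, and the `QID-<id>` key format is illustrative.

```javascript
// Fields the page says are NOT used to determine a vulnerable item match.
const NON_MATCH_FIELDS = ['u_port', 'u_protocol', 'u_ssl'];

// Constructed sample detections (not real scan data).
const detections = [
  { u_ip: '10.0.0.5', u_qid: '10001', u_port: '443',  u_protocol: 'tcp', u_ssl: '1' },
  { u_ip: '10.0.0.5', u_qid: '10001', u_port: '8443', u_protocol: 'tcp', u_ssl: '1' },
  { u_ip: '10.0.0.5', u_qid: '10002', u_port: '',     u_protocol: '',    u_ssl: '0' },
  { u_ip: '10.0.0.9', u_qid: '10001', u_port: '443',  u_protocol: 'tcp', u_ssl: '1' },
];

// Match key built from host and vulnerability only (assumed key format).
function matchKey(d) {
  return `${d.u_ip}|QID-${d.u_qid}`;
}

// Group detections by match key and report where several Qualys
// detections would resolve to a single vulnerable item.
function reconcile(rows) {
  const items = new Map();
  for (const d of rows) {
    const key = matchKey(d);
    if (!items.has(key)) items.set(key, []);
    items.get(key).push(d);
  }
  const collapsed = [...items.entries()]
    .filter(([, group]) => group.length > 1)
    .map(([key, group]) => ({
      key,
      detections: group.length,
      // Which ignored fields actually vary inside this group.
      differsOn: NON_MATCH_FIELDS.filter(
        (f) => new Set(group.map((g) => g[f])).size > 1
      ),
    }));
  return {
    qualysDetections: rows.length,
    vulnerableItems: items.size,
    collapsed,
  };
}

console.log(JSON.stringify(reconcile(detections), null, 2));
```

Running the same grouping over a real detection export gives the expected gap between the two counts before investigating an import as faulty.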