Qualys Vulnerability Integration troubleshooting

Some commonly encountered issues, along with their workarounds, are discussed below.

Qualys Host detection import workaround

This task is a workaround for Helsinki only.

Before you begin

Role required: admin
Note: The following task is only applicable to Helsinki Patch 9 and earlier, or Istanbul Patch 5 and earlier.
The detection_template.xml is available in the KB article, KB0622443.

About this task

For instances on Helsinki Patch 9 and earlier, or Istanbul Patch 5 and earlier, PRB714243 is an issue with the ServiceNow XML data loader. If certain elements are not contained in the first 10 records of the XML data, those elements are not processed. The issue is seen in the Qualys Host Detection Integration, where elements (such as nullable values like “Port” or the “SSL” flag) appear to be missing. This workaround is for the Qualys Host Detection Integration, specifically.
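The following is an added example, not ServiceNow or Qualys code, that reproduces the failure mode described for PRB714243 on constructed sample data: column discovery that samples only the first 10 records drops elements (here PORT and SSL) that first appear later, and a template record carrying every expected element, which is the role detection_template.xml plays in the workaround, restores them. The element names, the 10-record window and the template contents are assumptions for the sake of the demonstration.

```javascript
// Added example (not ServiceNow or Qualys code): reproduces the failure mode
// described for PRB714243, where column discovery looks only at the first
// N records of an XML import, so elements that first appear later are dropped.
// The record and element names below are constructed sample data.

const SAMPLE_WINDOW = 10; // assumed discovery window, per the description above

// Constructed host detection XML: the first 10 DETECTION records carry
// no PORT or SSL element; the 11th does.
function buildSampleXml() {
  const records = [];
  for (let i = 1; i <= SAMPLE_WINDOW; i++) {
    records.push(`<DETECTION><QID>${100000 + i}</QID><SEVERITY>3</SEVERITY></DETECTION>`);
  }
  records.push('<DETECTION><QID>100011</QID><SEVERITY>5</SEVERITY><PORT>443</PORT><SSL>1</SSL></DETECTION>');
  return `<HOST_LIST><HOST><DETECTION_LIST>${records.join('')}</DETECTION_LIST></HOST></HOST_LIST>`;
}

// Minimal element extraction for flat, constructed records (no nesting, no
// attributes). A real import would use a proper XML parser.
function parseRecords(xml) {
  const records = [];
  const recRe = /<DETECTION>([\s\S]*?)<\/DETECTION>/g;
  let m;
  while ((m = recRe.exec(xml)) !== null) {
    const fields = {};
    const fieldRe = /<([A-Z_]+)>([^<]*)<\/\1>/g;
    let f;
    while ((f = fieldRe.exec(m[1])) !== null) fields[f[1]] = f[2];
    records.push(fields);
  }
  return records;
}

// Column discovery that only samples the first `window` records: this is the
// behaviour that loses PORT and SSL in the sample above.
function discoverColumns(records, window) {
  const cols = new Set();
  for (const rec of records.slice(0, window)) Object.keys(rec).forEach(k => cols.add(k));
  return cols;
}

// Import: any field not in the discovered column set is silently dropped.
function importRecords(records, columns) {
  return records.map(rec => {
    const row = {};
    for (const c of columns) row[c] = rec[c] === undefined ? null : rec[c];
    return row;
  });
}

// The workaround: prepend a template record that carries every expected
// element, so discovery sees all columns regardless of the real data.
// Constructed stand-in for the contents of detection_template.xml.
const TEMPLATE_RECORD = { QID: '', SEVERITY: '', PORT: '', SSL: '' };

function importWithoutTemplate(xml, window) {
  const records = parseRecords(xml);
  return importRecords(records, discoverColumns(records, window));
}

function importWithTemplate(xml, window) {
  const records = [TEMPLATE_RECORD, ...parseRecords(xml)];
  const cols = discoverColumns(records, window);
  return importRecords(records, cols).slice(1); // drop the template row after discovery
}

// Which fields does the last (11th) record keep after import?
function keptFields(rows) {
  const last = rows[rows.length - 1];
  return Object.keys(last).filter(k => last[k] !== null).sort();
}

const sampleXml = buildSampleXml();
console.log('without template:', keptFields(importWithoutTemplate(sampleXml, SAMPLE_WINDOW)));
console.log('with template:   ', keptFields(importWithTemplate(sampleXml, SAMPLE_WINDOW)));
```

Running it shows the 11th record losing PORT and SSL without the template row and keeping all four fields with it; the same check can be applied to a real export to confirm which elements fall outside the first 10 records before deciding whether the workaround is needed.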

Procedure

  1. Log in as an admin on the affected system.
  2. Load, Preview, and Commit the following update set: Qualys_Host_Detection_tpl_update_set.xml
  3. Navigate to Qualys Vulnerability Integration > Supporting Integrations.
  4. Select Host Detection Import Set Reprocess Integration
  5. Attach the following file to the Host Detection Import Set Reprocess Integration record: detection_template.xml

Set the integration execution user

When the default System Administrator account has been removed or disabled, a run-as user must be specified for each integration to prevent inconsistent transform results.

Before you begin

Roles required: sn_vul_qualys.admin, import_admin, and sn_vul.vulnerability_write

About this task

The Qualys integrations are executed as extensions of sysauto_script. There is a configured run-as user for each integration record. The default value for this user is System Administrator.

If you removed or disabled the default System Administrator account, the run-as values for each integration record must be changed to another user, with the following roles: sn_vul_qualys.admin, import_admin, and sn_vul.vulnerability_write. This user needs access to data sources, transform maps, and vulnerability data.
Note: Failing to set a valid run-as user orphans the data retrieval attachments on the data source records every time the integration runs. These attachments accumulate on the data source, increasing processing time and resulting in inconsistent transform results.

Procedure

  1. Add specified roles to a selected alternate system user. For more information see Assign a role to a user
  2. Navigate to Vulnerability > Administration > Primary Integrations.
  3. Click the gear icon at the top left of the list.
  4. In the Personalize List Columns dialog box, add the Run as field to the list.
  5. Click OK.
  6. For each of the Qualys integrations listed, change the Run as user to the user with the listed roles to run the integrations.
  7. Repeat steps 1 through 3 for Supporting Integrations.

Modify transform maps

Transform maps are provided with base configurations that are usually sufficient. You can modify the transform mappings depending on the needs of your organization.

Before you begin

Roles required: sn_vul_qualys.admin and import_admin

Procedure

  1. Navigate to System Import Sets > Administration > Transform Maps to view the transform maps.
  2. Filter the resulting list by application, and limit the list to the Qualys Vulnerability Integration application.
  3. Modify the transform maps according to your organization's requirements.

    For details on the data provided by the Qualys API, see the Qualys API documentation (https://www.qualys.com/docs/qualys-api-v2-user-guide.pdf).

Check XML attachment property size

Verify that the XML attachment size property is large enough for large import files.

Before you begin

Role required: admin

Procedure

  1. Navigate to System Properties > Import Export.
  2. Scroll down to Import Properties > XML Format at the bottom of the page and locate the Maximum file size for import property.
  3. If necessary, change the value to 250 and click Save.

CI import customization

When a CI is imported and does not match an existing CI (matching is based on Qualys identifiers, IP, NetBIOS, and DNS name), the default behavior is to create a cmdb_ci record. Modifying the corresponding transform map can change this behavior.

The transform map that controls this behavior is Qualys Host Import (cmdb_ci).

The easiest modification is to change the target table and corresponding field mapping values to map any additional fields that exist.

The more customizable, but complex, approach is to modify the onBefore Transform Script to do additional custom mappings, such as mapping to OS classifications based on the Qualys OS. Be cautious when using this approach not to interfere with basic transform functionality.
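As an added example, not the Qualys Vulnerability Integration's own script, the block below shows the shape of an onBefore transform script that derives a CI class and OS name from the Qualys OS string while staying out of the way of the base transform. The classification is kept in a pure function so it can be tested outside the platform; `source`, `target` and `log` are passed in as plain objects. The import set column name u_os, the rule patterns and the sample OS strings are assumptions; the CI class names are standard ServiceNow CMDB classes.

```javascript
// Added example (not the integration's own transform script): an onBefore
// pattern that maps the Qualys OS string to a CMDB class and OS name.
// Assumptions: the import set column is u_os and the target record is
// cmdb_ci or a computer subclass with an `os` field; neither comes from the page.

// Ordered rules: the first matching pattern wins. Patterns are constructed
// for this example and would need tuning against real Qualys OS strings.
const OS_RULES = [
  { pattern: /windows/i, ci_class: 'cmdb_ci_win_server' },
  { pattern: /red hat|centos|ubuntu|debian|suse|linux/i, ci_class: 'cmdb_ci_linux_server' },
  { pattern: /solaris|aix|hp-ux|freebsd/i, ci_class: 'cmdb_ci_unix_server' },
  { pattern: /cisco|juniper/i, ci_class: 'cmdb_ci_ip_router' },
];
const DEFAULT_CLASS = 'cmdb_ci_computer';

// Pure classification: returns the CI class for a Qualys OS string, falling
// back to the default when the value is empty or matches no rule.
function classifyQualysOs(osString) {
  const os = (osString || '').trim();
  if (!os) return { ci_class: DEFAULT_CLASS, os: '' };
  const rule = OS_RULES.find(r => r.pattern.test(os));
  return { ci_class: rule ? rule.ci_class : DEFAULT_CLASS, os: os };
}

// The onBefore hook as it would be written in the transform script. In the
// platform, `source` is the import set row, `target` the cmdb_ci record and
// `log` the transform logger; here they are plain objects.
function onBeforeTransform(source, target, log) {
  const result = classifyQualysOs(source.u_os);
  // Only assign a class when the base transform has not already matched an
  // existing CI: rewriting sys_class_name on a matched CI is exactly the kind
  // of interference with basic transform behaviour the text warns about.
  if (!target.sys_class_name) {
    target.sys_class_name = result.ci_class;
  } else if (target.sys_class_name !== result.ci_class) {
    log.warn('Qualys OS "' + result.os + '" suggests ' + result.ci_class +
             ' but CI is ' + target.sys_class_name + '; leaving class unchanged');
  }
  if (result.os) target.os = result.os;
  return target;
}

// Constructed sample rows standing in for import set records.
const SAMPLE_ROWS = [
  { u_os: 'Windows Server 2016 Standard' },
  { u_os: 'Red Hat Enterprise Linux 7.9' },
  { u_os: 'Cisco IOS 15.2' },
  { u_os: '' },
];

// Run every sample row through the hook against a fresh (unmatched) target.
function runSample() {
  const log = { warn: msg => console.log('WARN: ' + msg) };
  return SAMPLE_ROWS.map(row => onBeforeTransform(row, {}, log));
}

console.log(runSample());
```

The important design choice is the guard on `target.sys_class_name`: the custom mapping only fills in a class for newly created CIs and logs a disagreement for matched ones, so the identification logic of the base transform map (Qualys identifiers, IP, NetBIOS and DNS name) is never overridden.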

Data retrieval limitations

By default, there are no restrictions on how data is retrieved from Qualys. Many records can be related to low severity vulnerabilities that a customer is not willing to remediate using their vulnerability response process. Updating the corresponding REST message/method parameters can modify this behavior.

The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values:
  • Name: severities
  • Value: 3-5 (or whatever appropriate severities are desired)

Duplicate vulnerable items

If you see duplicate vulnerable items (multiple vulnerable items, all pointing to the same Configuration Item and Vulnerability Entry), and the duplicate vulnerable items share the same creation timestamp, a concurrency issue might be the cause.
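Before disabling the business rule, it helps to confirm that the duplicates really carry the concurrency signature described above. The following added example, not ServiceNow code, groups constructed records that mimic vulnerable item rows by CI, vulnerability entry and creation timestamp and reports only groups with more than one member; items for the same CI and entry created at a different time are intentionally not flagged. The sys_ids, timestamps and field names are invented for the example.

```javascript
// Added example (not ServiceNow code): a check for the duplicate vulnerable
// item symptom. A duplicate group is two or more items pointing at the same
// CI and the same vulnerability entry with an identical creation timestamp,
// which is the concurrency signature the text describes.

// Constructed sample data standing in for vulnerable item rows; all values invented.
const VULNERABLE_ITEMS = [
  { sys_id: 'vi01', cmdb_ci: 'ci_a', vulnerability: 'entry_100', sys_created_on: '2020-01-10 08:00:12' },
  { sys_id: 'vi02', cmdb_ci: 'ci_a', vulnerability: 'entry_100', sys_created_on: '2020-01-10 08:00:12' },
  // Same CI and entry, different timestamp: a later re-detection, not a concurrency duplicate.
  { sys_id: 'vi03', cmdb_ci: 'ci_a', vulnerability: 'entry_100', sys_created_on: '2020-01-11 09:30:00' },
  { sys_id: 'vi04', cmdb_ci: 'ci_b', vulnerability: 'entry_200', sys_created_on: '2020-01-10 08:00:12' },
  { sys_id: 'vi05', cmdb_ci: 'ci_b', vulnerability: 'entry_200', sys_created_on: '2020-01-10 08:00:12' },
  { sys_id: 'vi06', cmdb_ci: 'ci_b', vulnerability: 'entry_200', sys_created_on: '2020-01-10 08:00:12' },
  { sys_id: 'vi07', cmdb_ci: 'ci_c', vulnerability: 'entry_100', sys_created_on: '2020-01-10 08:00:12' },
];

// Group by (CI, vulnerability entry, creation timestamp) and return the groups
// with more than one item. The lowest sys_id is proposed as the one to keep;
// the rest are listed as extras for review.
function findConcurrentDuplicates(items) {
  const groups = new Map();
  for (const it of items) {
    const key = [it.cmdb_ci, it.vulnerability, it.sys_created_on].join('|');
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(it.sys_id);
  }
  const duplicates = [];
  for (const [key, ids] of groups) {
    if (ids.length < 2) continue;
    const [cmdb_ci, vulnerability, sys_created_on] = key.split('|');
    const sorted = ids.slice().sort();
    duplicates.push({ cmdb_ci, vulnerability, sys_created_on, keep: sorted[0], extra: sorted.slice(1) });
  }
  return duplicates;
}

// Summary counts, useful for deciding whether the symptom is widespread
// enough to justify the scheduled job change in the procedure below.
function summarize(duplicates) {
  return {
    groups: duplicates.length,
    extraItems: duplicates.reduce((n, g) => n + g.extra.length, 0),
  };
}

const report = findConcurrentDuplicates(VULNERABLE_ITEMS);
console.log(JSON.stringify(report, null, 2));
console.log(summarize(report));
```

On the platform the same grouping would be expressed as an aggregate query over the vulnerable item table grouped on the CI, vulnerability and created fields with a count greater than one; the exact table and column names to use are those of your instance and are not given on this page.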

Before you begin

Role required: admin

Procedure

  1. Navigate to System Definition > Business Rules.
  2. Search for Process Vulnerability Attachments [sn_vul_ds_import_q_entry].
  3. Set Active to false.
  4. Navigate to System Definition > Scheduled Jobs.
  5. Search for Scheduled Vulnerability Data Source Processor.
  6. Open and click Configure Job Definition related link.
  7. Set Repeat interval to 2 minutes.
  8. Click Update or Execute Now, as appropriate.