Configure and import Qualys Vulnerability integrations

When configuring the Qualys integrations, approach them in incremental steps. Starting small makes it easier to debug any issues.

After the Qualys Cloud Platform and Vulnerability Response plugins are activated, you can configure the system to make data retrieval more flexible and scalable.
Note: Make any necessary configuration changes based on your requirements before running the integrations.
The recommended order of execution is to first configure and import the Qualys Knowledge Base, then configure and perform an initial Qualys Host Detection import, and finally configure your delta Qualys Host Detection imports. If you choose to use them, Qualys Ticket Integration and Knowledge Base (Backfill) instructions are provided.
Note: While the Qualys Vulnerability integration creates integrations for Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required for normal operation.

Qualys Knowledge Base import

The Qualys Knowledge Base import creates records within Vulnerability Response and initially tests your Qualys integration configuration.

Before you begin

Role required: sn_vul_qualys.admin

About this task

The default number of days to retrieve Knowledge Base records initially is 365 days. Depending on your system, you may want to specify more or fewer days, but it is not recommended.

Procedure

  1. Switch to the Qualys Vulnerability Integration scope.
  2. Disable the Qualys Ticket Integration, as it is not required and provides only minimal additional data. If you are using the QualysGuard remediation ticketing system, move any special auto-assignment functionality into ServiceNow.
  3. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Knowledge Base and open it.
  4. The settings for this integration are ready for a run. The base system contains five data sources which pull data in parallel. Adding data sources increases parallel processing but is not normally necessary for the Knowledge Base.
  5. Click the Integration Details tab and set the Start time field to 1996-01-01 00:00:00
    Note: This process can be time consuming. On average, allow it to run for about 30 minutes.
  6. Right-click in the header to save the record.
  7. Pull historical data by clicking Execute Now.
  8. Return to Qualys Vulnerability Integration > Primary Integrations > Qualys Knowledge Base.
  9. The Vulnerability Integration Runs related tab displays the run. It should show Running under State unless there was an error. If there was an error, open the run; the error message is shown under Note.
  10. Navigate to Vulnerability > Administration > Import Queue to see the run processing.
  11. Sort by Queued on descending (z to a) to see the progress. Refresh the screen using the All link at the top of the screen.
  12. Entries processing or successfully processed show that your API credentials are good and the integration is working.
  13. Navigate to Vulnerability > Third-party to see the imported QIDs and verify that the Knowledge Base was imported.
  14. Navigate to Qualys Vulnerability Integration > Primary Integrations > Vulnerability Integration Runs and click on a record.
  15. Sort Number in descending order to see the latest import and how far along you are in the run. Click the condition link at the top of the page to refresh.
    Blue circles next to the State, End date time, Substate, and Notes fields indicate that the run has ended, succeeded, and the fields have been updated.

Result

You have tested your credentials, your connection to the Qualys Cloud Platform, and the import of the Qualys Knowledge Base. You are ready to import vulnerabilities.

Qualys initial Host Detection import

The Qualys initial host detection integration imports records for remediation.

Before you begin

Role required: sn_vul_qualys.admin

About this task

This task is the initial host detection import. It should be kept small to test the system.
Note:

When a regular vulnerability is promoted to a third-party vulnerability, its severity_flag is set to true. The scheduled job, Run severity calculator after vuln entry promotion, runs every 30 minutes, selects all vulnerable items with severity_flag set, and recalculates business impact.

The Qualys vulnerability integration also has scheduled jobs which query and load Qualys vulnerability integration scans in the ServiceNow instance.

Procedure

  1. Disable notification-related business rules prior to initial record import if appropriate.
  2. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Host Detection Integration and open it.
  3. By default, the scheduled job is set to run at 2:00 every day. You can change it under the Schedule tab.
  4. Click on the Qualys REST Details tab.
  5. Thousands of detection records could be available for import, so to limit the amount of data retrieved from Qualys, modify REST message parameters to affect data retrieval.
  6. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Host Detection Integration.
  7. Click on the Integration Details tab.
  8. Verify the start time. It contains the value you entered on the Configure screen during activation from Integration Configurations.
    Note: Once the initial run completes, this date is set to the current time.
  9. Click Save.
  10. Pull initial host detection data by clicking Execute Now.
    Note: You can cancel the import from the Vulnerability Integration Run tab on this form any time while it is running.
  11. Navigate to Vulnerability > Administration > Import Queue and open it.
  12. You should see Qualys Host Import and Qualys Host Detection Pagination entries.
    Click on an entry to see it and also an attachment containing the original Qualys data. This import creates configuration items (CIs) and/or vulnerable items (VIs).
  13. To view unmatched CIs, enter sn_vul_qualys_ci.list in the left navigation search box.
  14. To view VIs, navigate to Vulnerability > Vulnerable Items
    Vulnerability Groups are created based on Vulnerabilities.
  15. You can delete a vulnerability integration run from the Vulnerability Integration Run tab on the integration form found under Qualys Vulnerability Integration > Primary Integrations.
  16. You are ready to remediate or go on to configure your delta imports.

Qualys delta Host Detection imports

The Qualys delta host detection integration imports updated records for remediation.

Before you begin

Role required: sn_vul_qualys.admin

About this task

Procedure

  1. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Host Detection Integration and open it.
  2. By default, the scheduled job is set to run at 2:00 every day. You can change it under the Schedule tab.
  3. Click on the Qualys REST Details tab.
  4. Modify REST message parameters to affect data retrieval using the delta import parameters.
  5. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Host Detection Integration
  6. Click on the Integration Details tab.
  7. Verify the start time. If you change it, click Save.
  8. Pull host detection data by clicking Execute Now.
  9. Navigate to Vulnerability > Administration > Import Queue and open it.
  10. You should see Qualys Host Import and Qualys Host Detection Pagination entries.
    Click on an entry to see it and also an attachment containing the original Qualys data. This import creates configuration items (CIs) and/or vulnerable items (VIs).
  11. To view unmatched CIs, enter sn_vul_qualys_ci.list in the left navigation search box.
  12. To view VIs, navigate to Vulnerability > Vulnerable Items
    Vulnerability Groups are created based on Vulnerabilities.
  13. You can delete a vulnerability integration run from the Vulnerability Integration Run tab on the integration form found under Qualys Vulnerability Integration > Primary Integrations.
  14. You can make optional Qualys modifications as appropriate to your environment.
  15. You are ready to view reports, remediate, or perform a Qualys Ticket import.
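
In both the initial and the delta host detection procedures, each Import Queue entry carries an attachment with the original Qualys data. The following added example (not part of the product or of this documentation) summarizes such a payload offline so you can compare host and detection counts with the CIs and VIs the import created, and see whether Qualys truncated the response and more pages follow. It assumes the attachment is Qualys host detection XML (HOST_LIST_VM_DETECTION_OUTPUT); the sample payload, host IDs, QIDs, and URL are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout of Qualys host detection XML; all values are made up.
SAMPLE = """<HOST_LIST_VM_DETECTION_OUTPUT>
 <RESPONSE>
  <HOST_LIST>
   <HOST><ID>1001</ID><IP>192.0.2.10</IP>
    <DETECTION_LIST>
     <DETECTION><QID>90001</QID><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
     <DETECTION><QID>90002</QID><SEVERITY>3</SEVERITY><STATUS>Fixed</STATUS></DETECTION>
    </DETECTION_LIST>
   </HOST>
   <HOST><ID>1002</ID><IP>192.0.2.11</IP>
    <DETECTION_LIST>
     <DETECTION><QID>90001</QID><SEVERITY>5</SEVERITY><STATUS>New</STATUS></DETECTION>
    </DETECTION_LIST>
   </HOST>
  </HOST_LIST>
  <WARNING><CODE>1980</CODE><TEXT>record limit exceeded</TEXT>
   <URL><![CDATA[https://qualysapi.example.invalid/api/2.0/fo/asset/host/vm/detection/?action=list&id_min=1003]]></URL>
  </WARNING>
 </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>"""

def summarize(xml_text):
    """Summarize one host detection payload: hosts, detections, QIDs, paging."""
    root = ET.fromstring(xml_text)
    hosts = root.findall("./RESPONSE/HOST_LIST/HOST")
    by_status, by_severity, qids = Counter(), Counter(), set()
    for host in hosts:
        for det in host.findall("./DETECTION_LIST/DETECTION"):
            qids.add(det.findtext("QID"))
            by_status[det.findtext("STATUS", "unknown")] += 1
            by_severity[int(det.findtext("SEVERITY", "0"))] += 1
    # A WARNING/URL element means the result was truncated and another batch follows.
    next_url = root.findtext("./RESPONSE/WARNING/URL")
    return {
        "hosts": len(hosts),
        "detections": sum(by_status.values()),
        "distinct_qids": sorted(qids),
        "by_status": dict(by_status),
        "by_severity": dict(by_severity),
        "next_page_url": next_url.strip() if next_url else None,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```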