Optional Qualys modifications

Configure optional modifications and streamline some of the data specifically for the Qualys integration.

Set Qualys API credentials

If the Qualys Cloud Platform integration plugin was not installed using the Integration Configurations page, you can still supply the API server and authentication information to use when making REST calls to the Qualys server.

Before you begin

Role required: admin

About this task

You are asked to enter API credentials when you first access the integration. The credentials must provide adequate permissions for retrieving knowledge, scan, and detection information for a Qualys subscription.
Note: The Primary credentials are the recommended default. The New button is an advanced feature that is used to add credentials. To use additional credentials, all Primary and Supporting integration records (Qualys REST Details tab) must be updated with them.

Procedure

  1. Navigate to Qualys Vulnerability Integration > Administration > API Credentials.
  2. Click the Primary record.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Security incident
    Field | Description
    Name | Name assigned to the integration.
    API Server URL | The URL of the Qualys API server. Click the lock icon to unlock this field and enter the URL. When finished, click the lock icon again.
    User name | The API user name to use for Basic Auth REST message authentication.
    Password | The API password to use for Basic Auth REST message authentication.
  4. Click Update.

Modify REST message parameters to affect data retrieval

If you have specific requirements, you can modify the default REST message parameters sent to Qualys during data requests to filter the imported data.

Before you begin

Role required: admin

About this task

You can adjust the query parameters for both initial and delta data retrievals. Qualys defines the valid parameters in its API documentation. Do not alter any existing field values that use template syntax formatting. The integration code uses these fields.

Procedure

  1. Navigate to Qualys Vulnerability Integration > Administration > Primary Integrations.
  2. Open the Qualys Host Detection Integration record.
  3. To change the related REST message parameters, click the Qualys REST Details tab, and navigate to the REST method reference.
  4. Double-click the Information icon to open the record.
  5. Choose the HTTP Request tab.
  6. Create or update the HTTP Query Parameters as needed.
    1. For initial and delta data retrievals, use the Query parameter severities to reduce the number of records retrieved.
      Qualys severities values
      Parameter | Values | Description
      severities | 3,4,5 | 3=serious, 4=critical, and 5=urgent. These values should be used to create a vulnerable item record.
      severities | 1,2 | 1=minimal, 2=medium. These values are informational and may not be needed in the ServiceNow instance.

      Note: Ensure that you want these detections to be pulled into ServiceNow.
    2. Add detection_updated_since to HTTP parameters. Use ${lastScanDate} for value and 125 for Order.
      Displays detections whose status changed after a specified date and time. Detections that have never changed use the last detection date.
    3. Delete vm_scan_since.
    4. For initial data retrieval, change the HTTP Query Parameter value for status to New,Active,Re-Opened (no spaces).
    5. For delta data retrievals, change the HTTP Query Parameter for status to New,Fixed,Active,Re-Opened (no spaces).
      Note: Only bring in Fixed detection records when there is a business requirement to have all history in ServiceNow.

      [Figure: HTTP Query Parameters for delta data retrievals]
    6. Click Update.
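
The parameter changes in this procedure can be checked mechanically before the next retrieval runs. The JavaScript below is an added example, not ServiceNow or Qualys code; the {name, value, order} record shape, the function name, and the sample records are assumptions made for illustration.

```javascript
// Added example: lint one Host Detection parameter set against the steps above.
// Parameter names and values are from this procedure; the {name, value, order}
// record shape and the function name are assumptions, not ServiceNow's schema.
const EXPECTED_STATUS = {
  initial: 'New,Active,Re-Opened',
  delta: 'New,Fixed,Active,Re-Opened',
};

function lintHostDetectionParams(params, mode) {
  const findings = [];
  const byName = new Map(params.map((p) => [p.name, p]));
  if (byName.has('vm_scan_since')) findings.push('vm_scan_since should be deleted');

  const since = byName.get('detection_updated_since');
  if (!since) {
    findings.push('detection_updated_since is missing');
  } else {
    // Single quotes keep ${lastScanDate} literal; the integration code fills it in.
    if (since.value !== '${lastScanDate}') findings.push('detection_updated_since value is not ${lastScanDate}');
    if (since.order !== 125) findings.push('detection_updated_since order is not 125');
  }

  const status = byName.get('status');
  if (!status) {
    findings.push('status is missing');
  } else if (/\s/.test(status.value)) {
    findings.push('status contains spaces');
  } else if (status.value !== EXPECTED_STATUS[mode]) {
    findings.push(`status for ${mode} retrieval is not ${EXPECTED_STATUS[mode]}`);
  }

  const sev = byName.get('severities');
  if (sev && sev.value.split(',').some((s) => ['1', '2'].includes(s.trim()))) {
    findings.push('severities includes informational levels 1 or 2');
  }
  return findings;
}

// Constructed sample records, not exported from a real instance.
const beforeEdit = [
  { name: 'vm_scan_since', value: '2024-01-01', order: 120 },
  { name: 'status', value: 'New, Active, Re-Opened', order: 130 },
  { name: 'severities', value: '1,2,3,4,5', order: 140 },
];
const afterEdit = [
  { name: 'detection_updated_since', value: '${lastScanDate}', order: 125 },
  { name: 'status', value: 'New,Fixed,Active,Re-Opened', order: 130 },
  { name: 'severities', value: '3,4,5', order: 140 },
];
console.log(lintHostDetectionParams(beforeEdit, 'initial'));
console.log(lintHostDetectionParams(afterEdit, 'delta'));
```

An empty findings list means the record set matches the steps for that retrieval mode; checking the delta set as `initial` reports the status value, because Fixed belongs only in delta retrievals.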

View and modify outbound REST messages

Outbound REST messages retrieve data that is then processed through a set of data sources and transformed by transform maps. Outbound REST messages and methods are provided with base configurations that are usually sufficient. You can modify or add parameters depending on the needs of your organization.

Before you begin

Role required: web_service_admin

About this task

Data retrieval uses REST to make calls to the Qualys knowledge base REST API and the Qualys Host List Detection REST API. The returned data is processed by Data Sources and Transform maps.

Procedure

  1. Navigate to System Web Services > Outbound > REST Message to view the REST messages.
    You can adjust the filter to show relevant REST messages. For a full list of acceptable API parameters, see the Qualys API documentation (https://www.qualys.com/docs/qualys-api-v2-user-guide.pdf).
  2. Open and edit the REST message you want to edit.

Disable the default vulnerability calculator if not used

If you do not use vulnerability calculators, it is best to disable the default calculators in addition to any others you have defined. Vulnerability calculators run every time a vulnerable item record is accessed, and can impact instance performance.

Before you begin

Role required: admin

Procedure

  1. Navigate to Vulnerability > Administration > Vulnerability Calculator Groups.
  2. Open the Vulnerability Criticality group.
  3. Open the Score and Service Based Impact calculator.
  4. Deselect the Active field to deactivate the calculator.
  5. Click Update.

Disable notification-related business rules prior to initial record import

During the initial import of records, certain notification-related business rules can generate many notifications, impacting performance. These business rules should be modified to disable them during the import.

Before you begin

Role required: admin

Procedure

  1. Navigate to System Definition > Business Rules.
  2. Search for Affected ci notifications.
  3. Open the business rule and insert this condition: current.sys_class_name != "sn_vul_vulnerable_item".
  4. Click Update.
  5. Repeat this procedure for the following business rules:
    • Affected cost center notifications
    • Affected group notifications
    • Affected location notifications
    Note: After the completion of the initial record import, you have the option of re-enabling these business rules. However, consider leaving them disabled. They can generate large numbers of notifications and impact the performance of your instance.

Add Qualys host identification indexes

When large CMDBs are present, the data import and transformation can take a very long time. One possible cause is a slow matching of Qualys assets to configuration items in the CMDB. To improve data load time performance, add an index on the Qualys ID and the Qualys Host ID.

Before you begin

Role required: admin

About this task

When large CMDBs are present, the data import and transformation can take a long time. One cause is the slow match of Qualys assets to configuration items in the CMDB.

Procedure

  1. Navigate to System Definition > Tables.
  2. Open the Configuration Item [cmdb_ci] table.
  3. Scroll down and click the Database Indexes related list.
  4. Click New and add an individual index for Qualys ID.
    [Figure: Database indexes]
  5. Click Create Index.
  6. Repeat for Qualys Host ID.
  7. Close the Database Indexes window.
    A new dialog box appears. You cannot enter an email address unless the Database Indexes window is closed.
  8. Enter an email address or choose Do not notify me.
  9. Click OK.
    It can take a while to process. If you did not request an email, check the Database Indexes related tab.
    [Figure: Database indexes]

Modify an initial start date

Set an initial start date for the Qualys Ticket List Import and Host Detection List Import integrations. You can also set an initial start date for the Qualys knowledge base. This date is not used, however, for pulling historical data from the knowledge base.

Before you begin

Role required: sn_vul_qualys.admin

Procedure

  1. Navigate to Qualys Vulnerability Integration > Administration > Primary Integrations.
  2. Click Qualys Host Detection Integration.
  3. Click Integration Details.
  4. Set the Start time field to a value in the past, so all scanned and detected vulnerabilities since that time are detected.

    If you configured Qualys Cloud Platform using the quick-start, the Start time field is pre-filled.

    Note: If the date is left empty, no data is returned on the first run. Set the value to a maximum of a month in the past. This keeps large amounts of data from exceeding the Qualys API rate limitations and from triggering execution timeouts.
     
  5. Click Submit or Update.
  6. (Optional) Click Execute Now to run immediately.