Qualys Vulnerability Integration troubleshooting

This topic covers commonly encountered issues and their workarounds.

Attachments not appearing after import

If attachments are not appearing as expected after a host import, check your IP restrictions.

IP access restrictions can prevent attachments from being seen unless you are logged in from a safe IP. So, when you run a host import integration, you do not see the existing attachments. A new attachment is added with each import, resulting in duplicates you have to remove.

To prevent this situation, check your IP restrictions and add users to the safe list prior to import.

Modify transform maps

Transform maps are provided with base configurations that are usually sufficient. You can modify transform mappings depending on the needs of your organization.

Before you begin

Role required: sn_vul_qualys.admin + import_admin

Procedure

  1. Navigate to System Import Sets > Administration > Transform Maps to view the REST messages.
  2. Filter the resulting list by application, and limit the list to the Qualys Vulnerability Integration application.
  3. Modify the transform maps per the customer requirements.

    For details on the data provided by the Qualys API, see the Qualys API documentation (https://www.qualys.com/docs/qualys-api-v2-user-guide.pdf).

Check XML attachment property size

Verify that the XML attachment property is sufficient for large files.

Before you begin

Role required: admin

Procedure

  1. Navigate to System Properties > Import Export.
  2. Scroll down to Import Properties > XML Format at the bottom of the page.
    The setting to check is Maximum file size for import.
  3. If necessary, change the value to 250 and click Save.

Data retrieval limitations

By default, there are no restrictions on how data is retrieved from Qualys. Many of the retrieved records can relate to low-severity vulnerabilities that a customer is not willing to remediate using their vulnerability response process. You can change this behavior by updating the corresponding REST message/method parameters.

The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values:
  • Name: severities
  • Value: 3-5 (or whatever appropriate severities are desired)

Duplicate vulnerable items

If you see duplicate vulnerable items (multiple vulnerable items, all pointing to the same Configuration Item and Vulnerability Entry), and the duplicate vulnerable items share the same creation timestamp, a concurrency issue might be the cause.

Before you begin

Role required: admin

Procedure

  1. Navigate to System Definition > Business Rules.
  2. Search for Process Vulnerability Attachments [sn_vul_ds_import_q_entry].
  3. Set Active to false.
  4. Navigate to System Definition > Scheduled Jobs.
  5. Search for Scheduled Vulnerability Data Source Processor.
  6. Open the job and click the Configure Job Definition related link.
  7. Set Repeat interval to 2 minutes.
  8. Click Update or Execute Now, as appropriate.
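
To confirm the symptom described at the start of this section, the following added example (not part of the integration or the original page) groups exported vulnerable item records by Configuration Item and Vulnerability Entry and flags groups whose members share a creation timestamp. The field names number, cmdb_ci, vulnerability and sys_created_on are assumed export columns, and the sample rows are constructed.

```javascript
// Added example: field names are assumed export columns; sample rows are constructed.
function findDuplicateVulnerableItems(records) {
  // Group by the pair that should be unique: Configuration Item + Vulnerability Entry.
  const groups = new Map();
  for (const r of records) {
    const key = JSON.stringify([r.cmdb_ci, r.vulnerability]);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const findings = [];
  for (const items of groups.values()) {
    if (items.length < 2) continue; // a single item is not a duplicate
    // Inside a duplicate group, bucket the item numbers by creation timestamp.
    const byCreated = new Map();
    for (const r of items) {
      if (!byCreated.has(r.sys_created_on)) byCreated.set(r.sys_created_on, []);
      byCreated.get(r.sys_created_on).push(r.number);
    }
    // Two or more items sharing one timestamp match the concurrency symptom.
    const sameTimestamp = [...byCreated.values()].filter((n) => n.length > 1);
    findings.push({
      cmdb_ci: items[0].cmdb_ci,
      vulnerability: items[0].vulnerability,
      numbers: items.map((r) => r.number),
      sameTimestamp,
      likelyConcurrency: sameTimestamp.length > 0,
    });
  }
  return findings;
}

// Constructed sample export (not real data).
const SAMPLE = [
  { number: 'VIT0001001', cmdb_ci: 'web-01', vulnerability: 'QID-100001', sys_created_on: '2019-03-01 02:00:14' },
  { number: 'VIT0001002', cmdb_ci: 'web-01', vulnerability: 'QID-100001', sys_created_on: '2019-03-01 02:00:14' },
  { number: 'VIT0001003', cmdb_ci: 'db-02', vulnerability: 'QID-100002', sys_created_on: '2019-03-01 02:00:15' },
  { number: 'VIT0001004', cmdb_ci: 'db-02', vulnerability: 'QID-100002', sys_created_on: '2019-03-04 02:00:09' },
  { number: 'VIT0001005', cmdb_ci: 'app-03', vulnerability: 'QID-100001', sys_created_on: '2019-03-01 02:00:14' },
];

console.log(JSON.stringify(findDuplicateVulnerableItems(SAMPLE), null, 2));
```

Groups reported with likelyConcurrency set to false are duplicates that do not match the same-timestamp symptom this procedure addresses.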