Qualys Cloud Platform
sensors collect the data and automatically send it to the Qualys Cloud Platform application,
which continuously analyzes and correlates the information. It easily integrates with Vulnerability Response as the Qualys Vulnerability Integration to map vulnerabilities to
CIs and business services to determine impact and priority of potentially malicious
threats.
Configure your Qualys Vulnerability Integration using to make data retrieval more flexible and scalable.
If you have multiple deployments of the
Qualys Cloud Platform application, you can
add an integration for each deployment.
Assets, identified by multiple third-party
deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This
consolidation happens even when scan processes overlap between the multiple deployments. Data
sourced from each deployment is identified and available in a single instance of Vulnerability Response. Qualys vulnerability integration Knowledge Base records are normalized across deployments,
ensuring that instances of the same vulnerability across deployments are treated as the same
vulnerability.
Note: You cannot delete the original vulnerability integration but you can
disable it. Integrations created from disabled templates are disabled by default.
There is a configured run-as user for each integration record. The default value for this user
is VR.System. Do not change this value.
Note: While the Qualys Vulnerability Integration creates integrations for
Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required
for normal operation.
Available versions for Orlando
Primary and Supporting Integrations
Qualys primary and supporting integrations enrich the vulnerability data on your instance by
retrieving data from the Qualys Vulnerability Integration. A series of scheduled jobs invoke the
integrations automatically. You can also execute them manually. Scheduled jobs simplify the
vulnerability remediation lifecycle by keeping the instance synchronized with other
vulnerability management systems. Primary and supporting integrations can be modified.
The Qualys integrations are executed as scheduled jobs. There is a configured run-as user for
each integration record. The default value for this user is
VR.System.
This value should not be changed.
Note: Failing to set a valid run-as user results in multiple,
often duplicate, data retrieval attachments on the data source records, every time the
integration runs. Multiple attachments on the data source increase processing time, resulting
in inconsistent transform results.
Qualys Cloud Platform
integration tasks involve the following roles.
- sn_vul_qualys.admin — can read, write, and delete records
- sn_vul_qualys.user — can read and write records
- sn_vul_qualys.read — can read records
Starting with v10.3, persona and granular roles are available to help you manage
what users and groups can see and do in the Vulnerability Response application. For initial
assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information
about managing granular roles, see Manage persona and granular roles for Vulnerability Response.
Primary integrations
A primary integration is an entry point to the Qualys Cloud Platform: it interacts
with the Qualys API and is invoked on a schedule.
View the primary integrations by navigating to .
The following primary integrations are included in the base system.
Table 1. Primary integrations
| Integration | Description |
| --- | --- |
| Qualys Appliance List Integration | Retrieves scanner appliance information from Qualys. |
| Qualys Asset Group Integration | Retrieves asset group information from Qualys. Asset groups are used to identify which scanner appliances to use for scanning matching configuration items. |
| Qualys Dynamic Search List Integration | Synchronizes Qualys search lists for finding vulnerable entries, and retrieves dynamic list type records. |
| Qualys Host Detection Integration | Retrieves host and vulnerability data, including host tags, from Qualys and processes it in your instance. It coordinates the REST message calls to the Host List Detection API. The outputs of this integration are vulnerable items. Version 10.0: Qualys host tags are imported in this integration. |
| Qualys Host List Integration | Retrieves authenticated and unauthenticated host scan data, and starting with v10.3, host tags from Qualys once a week and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently. |
| Qualys Knowledge Base | Retrieves Qualys knowledge base entries. The retrieved data is based on the date the vulnerabilities were updated by Qualys and since the last time the integration ran. This data is useful for populating historical data into your instance as well as ensuring the Qualys Identifiers (QIDs) are up to date. |
| Qualys Knowledge Base (Backfill) | Retrieves Qualys knowledge base entries. Scheduled to run after the Qualys Host Detection Integration. Updates your instance with any QIDs that were referenced in the Host Detection integration but did not exist in the system. |
| Qualys Static Search List Integration | Synchronizes Qualys search lists for finding vulnerable entries. Retrieves only static list type records. |
| Qualys Option Profile List Integration | Version 12.0: Retrieves option profiles from the Qualys product. Option profiles include scan settings which are required when you initiate scans from your Now Platform® instance. |
| Qualys Ticket Integration | Retrieves Qualys tickets and adds them to your instance. It coordinates the REST message calls to the ticket list API. There are often fewer tickets than Host Detections since Qualys settings can constrain the detections that result in a ticket. |
Supporting integrations
A supporting integration is a process that is not intended to run on a schedule or without
being invoked by a primary integration.
View the supporting integrations by navigating to .
The following supporting integrations are included in the base system.
Table 2. Supporting integrations
| Integration | Description |
| --- | --- |
| Asset Group Pagination Handler | Directs the pagination of the Asset Group Integration. |
| Host Detection Import Set Reprocess Integration | Handles reprocessing of the Host List import set created by the Host Detection Integration. Processes detections found for each host and results in vulnerable items being inserted or updated in your instance. |
| Host Detection Pagination Handler | Directs the pagination of the Host Detection Integration. The Host List Detection API coordinates REST calls for each page request to the server. |
Search lists
Search lists are used in Qualys to create custom groups of vulnerabilities. You can save them
and use them for ticket creation and to customize vulnerability scans and reports. The Search Lists
module allows you to download search list data from Qualys to your instance on a scheduled
basis.
Search lists are pulled from Qualys using the Dynamic Search List Import
and/or Static Search List
Import data transformation maps. In each of these transforms, you can define schedules
for performing the import.
Option profiles (v 12.0)
Starting with v12.0, Option profiles are available with Qualys scan settings.
An option profile is required when you initiate a scan from your Now Platform.
Option profiles are imported from the Qualys product by the Option Profile List
Integration. You might prefer to run the Option Profile List Integration after an import from
the search list integrations (the Qualys Dynamic Search List and Qualys Static Search List
Integrations) so that you can see which search lists are associated with option profiles.
Asset groups
Asset groups are set up in the Qualys platform. Asset groups identify which
scanner appliances are used for scanning matching IP addresses when a scan is initiated from the
Now Platform.
Asset groups that have associated appliances are pulled from Qualys by the Asset Group List
Integration.
Initiate the Appliance List Integration after you import asset groups to populate the
Appliance name and Appliance status fields on the Qualys Default Applications records in your
Now Platform.
Host tags
Version 10.3: All host tags are imported as part of the
Qualys Host List integration. Host tags are used primarily for filtering in
Vulnerability Response Assignment and Vulnerability Group Rules. They are displayed in the
Discovered Item form.
Note: The Qualys Host List integration should be run prior
to creating Assignment or Vulnerability Group Rules in Vulnerability Response so that all
tags can be present in the rules and before vulnerable items are imported and
grouped.
- Tag storage is not case sensitive. If a San Diego tag is created,
then a SAN DIEGO tag cannot be stored in the Host tag table. “San
Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported
first wins.
- Using host tags as a Group Key in a Vulnerability Group Rule can have unexpected results.
Host tags are intended for use only in the Condition builder.
- Host tags are controlled by the global system property
sn_vul.import_host_tags. This property is set to true by default.
Turning tags off turns them off across all instances.
Host tags (also called asset tags) are used for organizing and tracking the assets in your
organization. You can assign tags to your host assets. Then, when launching scans, you can
select tags associated with the hosts you want to scan. The Host Tags module allows you to
download host tag data from Qualys to your instance on a scheduled basis.
Data retrieval limitations
By default, there are no restrictions on how data is retrieved from Qualys. Many records can
be related to low severity vulnerabilities that a customer is not willing to remediate using
their vulnerability response process. Updating the corresponding REST message/method parameters
can modify this behavior.
The REST message/method responsible for this update is
Qualys Host Detection –
Standard/post. To update the values, add a new HTTP Query Parameter to the post
method with the following values:
- Name: severities
- Value: 3-5 (or whatever appropriate severities are desired)
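The following added example (not ServiceNow or Qualys code) validates a candidate `severities` value before it is entered as the query parameter and previews which detections the filtered retrieval would leave out. The function names, the sample detections, and the accepted value forms (single level, dash range, comma-separated list over levels 1 to 5) are assumptions made for illustration.

```javascript
// Added example. Assumption: `severities` accepts levels 1-5 as a single
// level ("4"), a dash range ("3-5"), or a comma-separated mix ("1,3-5").
function parseSeverities(spec) {
  const levels = new Set();
  for (const part of String(spec).split(",")) {
    const m = /^\s*([1-5])(?:\s*-\s*([1-5]))?\s*$/.exec(part);
    if (!m) throw new Error(`invalid severities value: "${spec}"`);
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo > hi) throw new Error(`reversed range in severities: "${part.trim()}"`);
    for (let s = lo; s <= hi; s++) levels.add(s);
  }
  return [...levels].sort((a, b) => a - b);
}

// Split detections into those the filtered retrieval would return and a
// per-severity count of those that would never reach the instance.
function previewFilter(detections, spec) {
  const keep = new Set(parseSeverities(spec));
  const retrieved = [];
  const excludedBySeverity = {};
  for (const d of detections) {
    if (keep.has(d.severity)) {
      retrieved.push(d);
    } else {
      excludedBySeverity[d.severity] = (excludedBySeverity[d.severity] || 0) + 1;
    }
  }
  return { retrieved, excludedBySeverity };
}

// Constructed sample detections; hosts and QIDs are placeholders.
const SAMPLE_DETECTIONS = [
  { host: "host-a", qid: 900001, severity: 1 },
  { host: "host-a", qid: 900002, severity: 3 },
  { host: "host-b", qid: 900003, severity: 2 },
  { host: "host-b", qid: 900004, severity: 5 },
  { host: "host-c", qid: 900005, severity: 2 },
  { host: "host-c", qid: 900006, severity: 4 },
];

const preview = previewFilter(SAMPLE_DETECTIONS, "3-5");
console.log("retrieved QIDs:", preview.retrieved.map((d) => d.qid));
console.log("excluded per severity:", preview.excludedBySeverity);
```

Detections at severities outside the configured value are never retrieved, so they do not become vulnerable items in the instance.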