Home Paris Security Incident Management Security Operations Configuration Compliance Configuration Compliance integrations Understanding the Qualys Vulnerability Integration

Understanding the Qualys Vulnerability Integration

Qualys Cloud Platform sensors collect the data and automatically send it to the Qualys Cloud Platform application, which continuously analyzes and correlates the information. It easily integrates with Vulnerability Response as the Qualys Vulnerability Integration to map vulnerabilities to CIs and business services to determine impact and priority of potentially malicious threats.

Configure your Qualys Vulnerability Integration using Vulnerability > Administration > Setup Assistant to make data retrieval more flexible and scalable.

If you have multiple deployments of the Qualys Cloud Platform application, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response. Qualys vulnerability integration Knowledge Base records are normalized across deployments, ensuring that instances of the same vulnerability across deployments are treated as the same vulnerability.

Note: You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

Note: While the Qualys Vulnerability Integration creates integrations for Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required for normal operation.

Available versions for Paris


Release versions with Paris	Release Notes
Qualys Vulnerability Integration v12.0 Qualys Vulnerability Integration v11.1 Qualys Vulnerability Integration v11.0 Qualys Vulnerability Integration v10.3 Qualys Vulnerability Integration v10.0	Vulnerability Response release notes For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

Primary and Supporting Integrations

Qualys primary and supporting integrations enrich the vulnerability data on your instance by retrieving data from the Qualys Vulnerability Integration. A series of scheduled jobs invoke the integrations automatically. You can also execute them manually. Scheduled jobs simplify the vulnerability remediation lifecycle by keeping the instance synchronized with other vulnerability management systems. Primary and supporting integrations can be modified.

The Qualys integrations are executed as scheduled jobs. There is a configured run-as user for each integration record. The default value for this user is VR.System. This value should not be changed.

Note: Failing to set a valid run-as user results in multiple, often duplicate, data retrieval attachments on the data source records, every time the integration runs. Multiple attachments on the data source increase processing time, resulting in inconsistent transform results.

Qualys Cloud Platform integration tasks involve the following roles.

sn_vul_qualys.admin — can read, write, and delete records
sn_vul_qualys.user — can read and write records
sn_vul_qualys.read — can read records

Starting with v10.3, persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

Primary integrations

A primary integration is an entry point to the Qualys Cloud Platform interacting with the Qualys API invoked on a schedule.

View the primary integrations by navigating to Qualys Vulnerability Integration > Administration > Primary Integrations.

The following primary integrations are included in the base system.

Table 1. Primary integrations
Integration	Description
Qualys Appliance List Integration	Retrieves scanner appliance information from Qualys.
Qualys Asset Group Integration	Retrieves asset group information from Qualys. Asset groups are used to identify which scanner appliances to use for scanning matching configuration items.
Qualys Dynamic Search List Integration	Synchronizes Qualys search lists for finding vulnerable entries, and retrieves dynamic list type records.
Qualys Host Detection Integration	Retrieves host and vulnerability data from Qualys and processes it in your instance. It coordinates the REST message calls to the Host List Detection API. The outputs of this integration are vulnerable items. Version 10.0: Qualys host tags are imported in this integration.
Qualys Host List Integration	Retrieves authenticated and unauthenticated host scan data, and starting with v10.3, host tags from Qualys once a week and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently.
Qualys Knowledge Base	Retrieves Qualys knowledge base entries. The retrieved data is based on the date the vulnerabilities were updated by Qualys and since the last time the integration ran. This data is useful for populating historical data into your instance as well as ensuring the Qualys Identifiers (QIDs) are up to date.
Qualys Knowledge Base (Backfill)	Retrieves Qualys knowledge base entries. Scheduled to run after the Qualys Host Detection Integration. Updates your instance with any QIDs that were referenced in the Host Detection integration but did not exist in the system.
Qualys Static Search List Integration	Synchronizes Qualys search lists for finding vulnerable entries. Retrieves only static list type records.
Qualys Option Profile List Integration	Version 12.0: Retrieves option profiles from the Qualys product. Option profiles include scan settings which are required when you initiate scans from your Now Platform® instance.
Qualys Ticket Integration	Retrieves Qualys tickets and adds them to your instance. It coordinates the REST message calls to the ticket list API. There are often fewer tickets than Host Detections since Qualys settings can constrain the detections that result in a ticket.

Supporting integrations

A supporting integration is a process that is not intended to run on a schedule nor without invocation by a primary integration.

View the supporting integrations by navigating to Qualys Vulnerability Integration > Administration > Supporting Integrations.

The following supporting integrations are included in the base system.

Table 2. Supporting integrations
Integration	Description
Asset Group Pagination Handler	Directs the pagination of the Asset Group Integration.
Host Detection Import Set Reprocess Integration	Handles reprocessing of the Host List import set created by the Host Detection Integration. Processes detections found for each host and results in vulnerable items being inserted or updated in your instance.
Host Detection Pagination Handler	Directs the pagination of the Host Detection Integration. The Host List Detection API coordinates REST calls for each page request to the server.

Search lists

Search lists are used in Qualys to create custom groups of vulnerabilities. You can save them and use for ticket creation and to customize vulnerability scans and reports. The Search Lists module allows you to download search list data from Qualys to your instance on a scheduled basis.

Search lists are pulled from Qualys using the Dynamic Search List Import and/or Static Search List Import data transformation maps. In each of these transforms, you can define schedules for performing the import.

Option profiles (v 12.0)

Starting with v12.0, Option profiles are available with Qualys scan settings. An option profile is required when you initiate a scan from your Now Platform.

Option profiles are imported from the Qualys product by the Option Profile List Integration. You might prefer to run the Option Profile List Integration after an import from the Search Lists Integrations, the Qualys Dynamic Search List and Qualys Static Search List Integrations so that you can see which search lists are associated with option profiles.

Asset groups

Asset groups are setup in the Qualys platform. Asset groups identify which scanner appliances are used for scanning matching IP addresses when a scan is initiated from the Now Platform.

Asset groups that have associated appliances are pulled from Qualys by the Asset Group List Integration.

Initiate the Appliance List Integration after you import asset groups to populate the Appliance name and Appliance status fields on the Qualys Default Applications records in your Now Platform.

Host tags

Version 10.3: All host tags are imported as part of the Qualys Host List integration. Host tags are used primarily for filtering in Vulnerability Response Assignment and Vulnerability Group Rules. They are displayed in the Discovered Item form.

Note: The Qualys Host List integration should be run prior to creating Assignment or Vulnerability Group Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.

Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
Using host tags as a Group Key in a Vulnerability Group Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

Host tags (also called asset tags) are used for organizing and tracking the assets in your organization. You can assign tags to your host assets. Then, when launching scans, you can select tags associated with the hosts you want to scan. The Host Tags module allows you to download host tag data from Qualys to your instance on a scheduled basis.

Reopen resolved vulnerable items not closed by scans

Starting with v10.3, vulnerable items set to 'Resolved' in your Now Platform instance but not transitioned to 'Closed/Fixed' by the third-party integration runs are reopened if they are detected during rescans.

For Qualys detections, if the scanner continues to find VIs that were set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans, these VIs move back to 'Open' when the last found date is later than the Resolved date.

Data retrieval limitations

By default, there are no restrictions on how data is retrieved from Qualys. Many records can be related to low severity vulnerabilities that a customer is not willing to remediate using their vulnerability response process. Updating the corresponding REST message/method parameters can modify this behavior.

The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values:

Name: severities
Value: 3-5 (or whatever appropriate severities are desired)

Request apps on the Store

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Previous topic

Next topic

Release version

Understanding the Qualys Vulnerability Integration

Configure your Qualys Vulnerability Integration using Vulnerability > Administration > Setup Assistant to make data retrieval more flexible and scalable.

Note: You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

Note: While the Qualys Vulnerability Integration creates integrations for Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required for normal operation.

Available versions for Paris


Release versions with Paris	Release Notes
Qualys Vulnerability Integration v12.0 Qualys Vulnerability Integration v11.1 Qualys Vulnerability Integration v11.0 Qualys Vulnerability Integration v10.3 Qualys Vulnerability Integration v10.0	Vulnerability Response release notes For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

Primary and Supporting Integrations

The Qualys integrations are executed as scheduled jobs. There is a configured run-as user for each integration record. The default value for this user is VR.System. This value should not be changed.

Qualys Cloud Platform integration tasks involve the following roles.

sn_vul_qualys.admin — can read, write, and delete records
sn_vul_qualys.user — can read and write records
sn_vul_qualys.read — can read records

Primary integrations

A primary integration is an entry point to the Qualys Cloud Platform interacting with the Qualys API invoked on a schedule.

View the primary integrations by navigating to Qualys Vulnerability Integration > Administration > Primary Integrations.

The following primary integrations are included in the base system.

Table 1. Primary integrations
Integration	Description
Qualys Appliance List Integration	Retrieves scanner appliance information from Qualys.
Qualys Asset Group Integration	Retrieves asset group information from Qualys. Asset groups are used to identify which scanner appliances to use for scanning matching configuration items.
Qualys Dynamic Search List Integration	Synchronizes Qualys search lists for finding vulnerable entries, and retrieves dynamic list type records.
Qualys Host Detection Integration	Retrieves host and vulnerability data from Qualys and processes it in your instance. It coordinates the REST message calls to the Host List Detection API. The outputs of this integration are vulnerable items. Version 10.0: Qualys host tags are imported in this integration.
Qualys Host List Integration	Retrieves authenticated and unauthenticated host scan data, and starting with v10.3, host tags from Qualys once a week and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently.
Qualys Knowledge Base	Retrieves Qualys knowledge base entries. The retrieved data is based on the date the vulnerabilities were updated by Qualys and since the last time the integration ran. This data is useful for populating historical data into your instance as well as ensuring the Qualys Identifiers (QIDs) are up to date.
Qualys Knowledge Base (Backfill)	Retrieves Qualys knowledge base entries. Scheduled to run after the Qualys Host Detection Integration. Updates your instance with any QIDs that were referenced in the Host Detection integration but did not exist in the system.
Qualys Static Search List Integration	Synchronizes Qualys search lists for finding vulnerable entries. Retrieves only static list type records.
Qualys Option Profile List Integration	Version 12.0: Retrieves option profiles from the Qualys product. Option profiles include scan settings which are required when you initiate scans from your Now Platform® instance.
Qualys Ticket Integration	Retrieves Qualys tickets and adds them to your instance. It coordinates the REST message calls to the ticket list API. There are often fewer tickets than Host Detections since Qualys settings can constrain the detections that result in a ticket.

Supporting integrations

A supporting integration is a process that is not intended to run on a schedule nor without invocation by a primary integration.

View the supporting integrations by navigating to Qualys Vulnerability Integration > Administration > Supporting Integrations.

The following supporting integrations are included in the base system.

Table 2. Supporting integrations
Integration	Description
Asset Group Pagination Handler	Directs the pagination of the Asset Group Integration.
Host Detection Import Set Reprocess Integration	Handles reprocessing of the Host List import set created by the Host Detection Integration. Processes detections found for each host and results in vulnerable items being inserted or updated in your instance.
Host Detection Pagination Handler	Directs the pagination of the Host Detection Integration. The Host List Detection API coordinates REST calls for each page request to the server.

Search lists

Option profiles (v 12.0)

Starting with v12.0, Option profiles are available with Qualys scan settings. An option profile is required when you initiate a scan from your Now Platform.

Asset groups

Asset groups are setup in the Qualys platform. Asset groups identify which scanner appliances are used for scanning matching IP addresses when a scan is initiated from the Now Platform.

Asset groups that have associated appliances are pulled from Qualys by the Asset Group List Integration.

Initiate the Appliance List Integration after you import asset groups to populate the Appliance name and Appliance status fields on the Qualys Default Applications records in your Now Platform.

Host tags

Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
Using host tags as a Group Key in a Vulnerability Group Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

Reopen resolved vulnerable items not closed by scans

Data retrieval limitations

The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values:

Name: severities
Value: 3-5 (or whatever appropriate severities are desired)

Request apps on the Store

How search works:

Topics are ranked in search results by how closely they match your search terms

Understanding the Qualys Vulnerability Integration

Understanding the Qualys Vulnerability Integration

Available versions for Paris

Primary and Supporting Integrations

Primary integrations

Supporting integrations

Search lists

Option profiles (v 12.0)

Asset groups

Host tags

Reopen resolved vulnerable items not closed by scans

Data retrieval limitations

Request apps on the Store

On this page

Understanding the Qualys Vulnerability Integration

Understanding the Qualys Vulnerability Integration

Available versions for Paris

Primary and Supporting Integrations

Primary integrations

Supporting integrations

Search lists

Option profiles (v 12.0)

Asset groups

Host tags

Reopen resolved vulnerable items not closed by scans

Data retrieval limitations

Request apps on the Store

Log in to personalize your search results and subscribe to topics