Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Security Operations
Table of Contents
Choose your release version
    Home Paris Security Incident Management Security Operations Configuration Compliance Configuration Compliance integrations Understanding the Qualys Vulnerability Integration

    Understanding the Qualys Vulnerability Integration

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Understanding the Qualys Vulnerability Integration

    Qualys Cloud Platform sensors collect the data and automatically send it to the Qualys Cloud Platform application, which continuously analyzes and correlates the information. It easily integrates with Vulnerability Response as the Qualys Vulnerability Integration to map vulnerabilities to CIs and business services to determine impact and priority of potentially malicious threats.

    Configure your Qualys Vulnerability Integration using Vulnerability > Administration > Setup Assistant to make data retrieval more flexible and scalable.

    If you have multiple deployments of the Qualys Cloud Platform application, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response. Qualys vulnerability integration Knowledge Base records are normalized across deployments, ensuring that instances of the same vulnerability across deployments are treated as the same vulnerability.
    Note: You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Note: While the Qualys Vulnerability Integration creates integrations for Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required for normal operation.

    Available versions for Paris

    Release versions with Paris Release Notes

    Qualys Vulnerability Integration v12.0

    Qualys Vulnerability Integration v11.1

    Qualys Vulnerability Integration v11.0

    Qualys Vulnerability Integration v10.3

    Qualys Vulnerability Integration v10.0

    Vulnerability Response release notes

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

    Primary and Supporting Integrations

    Qualys primary and supporting integrations enrich the vulnerability data on your instance by retrieving data from the Qualys Vulnerability Integration. A series of scheduled jobs invoke the integrations automatically. You can also execute them manually. Scheduled jobs simplify the vulnerability remediation lifecycle by keeping the instance synchronized with other vulnerability management systems. Primary and supporting integrations can be modified.

    The Qualys integrations are executed as scheduled jobs. There is a configured run-as user for each integration record. The default value for this user is VR.System. This value should not be changed.
    Note: Failing to set a valid run-as user results in multiple, often duplicate, data retrieval attachments on the data source records, every time the integration runs. Multiple attachments on the data source increase processing time, resulting in inconsistent transform results.
    Qualys Cloud Platform integration tasks involve the following roles.
    • sn_vul_qualys.admin — can read, write, and delete records
    • sn_vul_qualys.user — can read and write records
    • sn_vul_qualys.read — can read records

    Starting with v10.3, persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Primary integrations

    A primary integration is an entry point to the Qualys Cloud Platform interacting with the Qualys API invoked on a schedule.

    View the primary integrations by navigating to Qualys Vulnerability Integration > Administration > Primary Integrations.

    The following primary integrations are included in the base system.

    Table 1. Primary integrations
    Integration Description
    Qualys Appliance List Integration Retrieves scanner appliance information from Qualys.
    Qualys Asset Group Integration Retrieves asset group information from Qualys. Asset groups are used to identify which scanner appliances to use for scanning matching configuration items.
    Qualys Dynamic Search List Integration Synchronizes Qualys search lists for finding vulnerable entries, and retrieves dynamic list type records.
    Qualys Host Detection Integration Retrieves host and vulnerability data from Qualys and processes it in your instance. It coordinates the REST message calls to the Host List Detection API.

    The outputs of this integration are vulnerable items.

    Version 10.0: Qualys host tags are imported in this integration.

    Qualys Host List Integration Retrieves authenticated and unauthenticated host scan data, and starting with v10.3, host tags from Qualys once a week and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently.
    Qualys Knowledge Base Retrieves Qualys knowledge base entries. The retrieved data is based on the date the vulnerabilities were updated by Qualys and since the last time the integration ran.

    This data is useful for populating historical data into your instance as well as ensuring the Qualys Identifiers (QIDs) are up to date.

    Qualys Knowledge Base (Backfill) Retrieves Qualys knowledge base entries.

    Scheduled to run after the Qualys Host Detection Integration. Updates your instance with any QIDs that were referenced in the Host Detection integration but did not exist in the system.

    Qualys Static Search List Integration Synchronizes Qualys search lists for finding vulnerable entries. Retrieves only static list type records.
    Qualys Option Profile List Integration Version 12.0: Retrieves option profiles from the Qualys product. Option profiles include scan settings which are required when you initiate scans from your Now Platform® instance.
    Qualys Ticket Integration Retrieves Qualys tickets and adds them to your instance. It coordinates the REST message calls to the ticket list API.

    There are often fewer tickets than Host Detections since Qualys settings can constrain the detections that result in a ticket.

    Supporting integrations

    A supporting integration is a process that is not intended to run on a schedule nor without invocation by a primary integration.

    View the supporting integrations by navigating to Qualys Vulnerability Integration > Administration > Supporting Integrations.

    The following supporting integrations are included in the base system.

    Table 2. Supporting integrations
    Integration Description
    Asset Group Pagination Handler Directs the pagination of the Asset Group Integration.
    Host Detection Import Set Reprocess Integration Handles reprocessing of the Host List import set created by the Host Detection Integration.

    Processes detections found for each host and results in vulnerable items being inserted or updated in your instance.

    Host Detection Pagination Handler Directs the pagination of the Host Detection Integration.

    The Host List Detection API coordinates REST calls for each page request to the server.

    Search lists

    Search lists are used in Qualys to create custom groups of vulnerabilities. You can save them and use for ticket creation and to customize vulnerability scans and reports. The Search Lists module allows you to download search list data from Qualys to your instance on a scheduled basis.

    Search lists are pulled from Qualys using the Dynamic Search List Import and/or Static Search List Import data transformation maps. In each of these transforms, you can define schedules for performing the import.

    Option profiles (v 12.0)

    Starting with v12.0, Option profiles are available with Qualys scan settings. An option profile is required when you initiate a scan from your Now Platform.

    Option profiles are imported from the Qualys product by the Option Profile List Integration. You might prefer to run the Option Profile List Integration after an import from the Search Lists Integrations, the Qualys Dynamic Search List and Qualys Static Search List Integrations so that you can see which search lists are associated with option profiles.

    Asset groups

    Asset groups are setup in the Qualys platform. Asset groups identify which scanner appliances are used for scanning matching IP addresses when a scan is initiated from the Now Platform.

    Asset groups that have associated appliances are pulled from Qualys by the Asset Group List Integration.

    Initiate the Appliance List Integration after you import asset groups to populate the Appliance name and Appliance status fields on the Qualys Default Applications records in your Now Platform.

    Host tags

    Version 10.3: All host tags are imported as part of the Qualys Host List integration. Host tags are used primarily for filtering in Vulnerability Response Assignment and Vulnerability Group Rules. They are displayed in the Discovered Item form.
    Note: The Qualys Host List integration should be run prior to creating Assignment or Vulnerability Group Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.
    • Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
    • Using host tags as a Group Key in a Vulnerability Group Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
    • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

    Host tags (also called asset tags) are used for organizing and tracking the assets in your organization. You can assign tags to your host assets. Then, when launching scans, you can select tags associated with the hosts you want to scan. The Host Tags module allows you to download host tag data from Qualys to your instance on a scheduled basis.

    Reopen resolved vulnerable items not closed by scans

    Starting with v10.3, vulnerable items set to 'Resolved' in your Now Platform instance but not transitioned to 'Closed/Fixed' by the third-party integration runs are reopened if they are detected during rescans.

    For Qualys detections, if the scanner continues to find VIs that were set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans, these VIs move back to 'Open' when the last found date is later than the Resolved date.

    Data retrieval limitations

    By default, there are no restrictions on how data is retrieved from Qualys. Many records can be related to low severity vulnerabilities that a customer is not willing to remediate using their vulnerability response process. Updating the corresponding REST message/method parameters can modify this behavior.

    The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values:
    • Name: severities
    • Value: 3-5 (or whatever appropriate severities are desired)

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Related concepts
    • Qualys REST messages

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Understanding the Qualys Vulnerability Integration

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Understanding the Qualys Vulnerability Integration

      Qualys Cloud Platform sensors collect the data and automatically send it to the Qualys Cloud Platform application, which continuously analyzes and correlates the information. It easily integrates with Vulnerability Response as the Qualys Vulnerability Integration to map vulnerabilities to CIs and business services to determine impact and priority of potentially malicious threats.

      Configure your Qualys Vulnerability Integration using Vulnerability > Administration > Setup Assistant to make data retrieval more flexible and scalable.

      If you have multiple deployments of the Qualys Cloud Platform application, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response. Qualys vulnerability integration Knowledge Base records are normalized across deployments, ensuring that instances of the same vulnerability across deployments are treated as the same vulnerability.
      Note: You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

      There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

      Note: While the Qualys Vulnerability Integration creates integrations for Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required for normal operation.

      Available versions for Paris

      Release versions with Paris Release Notes

      Qualys Vulnerability Integration v12.0

      Qualys Vulnerability Integration v11.1

      Qualys Vulnerability Integration v11.0

      Qualys Vulnerability Integration v10.3

      Qualys Vulnerability Integration v10.0

      Vulnerability Response release notes

      For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

      Primary and Supporting Integrations

      Qualys primary and supporting integrations enrich the vulnerability data on your instance by retrieving data from the Qualys Vulnerability Integration. A series of scheduled jobs invoke the integrations automatically. You can also execute them manually. Scheduled jobs simplify the vulnerability remediation lifecycle by keeping the instance synchronized with other vulnerability management systems. Primary and supporting integrations can be modified.

      The Qualys integrations are executed as scheduled jobs. There is a configured run-as user for each integration record. The default value for this user is VR.System. This value should not be changed.
      Note: Failing to set a valid run-as user results in multiple, often duplicate, data retrieval attachments on the data source records, every time the integration runs. Multiple attachments on the data source increase processing time, resulting in inconsistent transform results.
      Qualys Cloud Platform integration tasks involve the following roles.
      • sn_vul_qualys.admin — can read, write, and delete records
      • sn_vul_qualys.user — can read and write records
      • sn_vul_qualys.read — can read records

      Starting with v10.3, persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

      Primary integrations

      A primary integration is an entry point to the Qualys Cloud Platform interacting with the Qualys API invoked on a schedule.

      View the primary integrations by navigating to Qualys Vulnerability Integration > Administration > Primary Integrations.

      The following primary integrations are included in the base system.

      Table 1. Primary integrations
      Integration Description
      Qualys Appliance List Integration Retrieves scanner appliance information from Qualys.
      Qualys Asset Group Integration Retrieves asset group information from Qualys. Asset groups are used to identify which scanner appliances to use for scanning matching configuration items.
      Qualys Dynamic Search List Integration Synchronizes Qualys search lists for finding vulnerable entries, and retrieves dynamic list type records.
      Qualys Host Detection Integration Retrieves host and vulnerability data from Qualys and processes it in your instance. It coordinates the REST message calls to the Host List Detection API.

      The outputs of this integration are vulnerable items.

      Version 10.0: Qualys host tags are imported in this integration.

      Qualys Host List Integration Retrieves authenticated and unauthenticated host scan data, and starting with v10.3, host tags from Qualys once a week and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently.
      Qualys Knowledge Base Retrieves Qualys knowledge base entries. The retrieved data is based on the date the vulnerabilities were updated by Qualys and since the last time the integration ran.

      This data is useful for populating historical data into your instance as well as ensuring the Qualys Identifiers (QIDs) are up to date.

      Qualys Knowledge Base (Backfill) Retrieves Qualys knowledge base entries.

      Scheduled to run after the Qualys Host Detection Integration. Updates your instance with any QIDs that were referenced in the Host Detection integration but did not exist in the system.

      Qualys Static Search List Integration Synchronizes Qualys search lists for finding vulnerable entries. Retrieves only static list type records.
      Qualys Option Profile List Integration Version 12.0: Retrieves option profiles from the Qualys product. Option profiles include scan settings which are required when you initiate scans from your Now Platform® instance.
      Qualys Ticket Integration Retrieves Qualys tickets and adds them to your instance. It coordinates the REST message calls to the ticket list API.

      There are often fewer tickets than Host Detections since Qualys settings can constrain the detections that result in a ticket.

      Supporting integrations

      A supporting integration is a process that is not intended to run on a schedule nor without invocation by a primary integration.

      View the supporting integrations by navigating to Qualys Vulnerability Integration > Administration > Supporting Integrations.

      The following supporting integrations are included in the base system.

      Table 2. Supporting integrations
      Integration Description
      Asset Group Pagination Handler Directs the pagination of the Asset Group Integration.
      Host Detection Import Set Reprocess Integration Handles reprocessing of the Host List import set created by the Host Detection Integration.

      Processes detections found for each host and results in vulnerable items being inserted or updated in your instance.

      Host Detection Pagination Handler Directs the pagination of the Host Detection Integration.

      The Host List Detection API coordinates REST calls for each page request to the server.

      Search lists

      Search lists are used in Qualys to create custom groups of vulnerabilities. You can save them and use for ticket creation and to customize vulnerability scans and reports. The Search Lists module allows you to download search list data from Qualys to your instance on a scheduled basis.

      Search lists are pulled from Qualys using the Dynamic Search List Import and/or Static Search List Import data transformation maps. In each of these transforms, you can define schedules for performing the import.

      Option profiles (v 12.0)

      Starting with v12.0, Option profiles are available with Qualys scan settings. An option profile is required when you initiate a scan from your Now Platform.

      Option profiles are imported from the Qualys product by the Option Profile List Integration. You might prefer to run the Option Profile List Integration after an import from the Search Lists Integrations, the Qualys Dynamic Search List and Qualys Static Search List Integrations so that you can see which search lists are associated with option profiles.

      Asset groups

      Asset groups are setup in the Qualys platform. Asset groups identify which scanner appliances are used for scanning matching IP addresses when a scan is initiated from the Now Platform.

      Asset groups that have associated appliances are pulled from Qualys by the Asset Group List Integration.

      Initiate the Appliance List Integration after you import asset groups to populate the Appliance name and Appliance status fields on the Qualys Default Applications records in your Now Platform.

      Host tags

      Version 10.3: All host tags are imported as part of the Qualys Host List integration. Host tags are used primarily for filtering in Vulnerability Response Assignment and Vulnerability Group Rules. They are displayed in the Discovered Item form.
      Note: The Qualys Host List integration should be run prior to creating Assignment or Vulnerability Group Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.
      • Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
      • Using host tags as a Group Key in a Vulnerability Group Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
      • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

      Host tags (also called asset tags) are used for organizing and tracking the assets in your organization. You can assign tags to your host assets. Then, when launching scans, you can select tags associated with the hosts you want to scan. The Host Tags module allows you to download host tag data from Qualys to your instance on a scheduled basis.

      Reopen resolved vulnerable items not closed by scans

      Starting with v10.3, vulnerable items set to 'Resolved' in your Now Platform instance but not transitioned to 'Closed/Fixed' by the third-party integration runs are reopened if they are detected during rescans.

      For Qualys detections, if the scanner continues to find VIs that were set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans, these VIs move back to 'Open' when the last found date is later than the Resolved date.

      Data retrieval limitations

      By default, there are no restrictions on how data is retrieved from Qualys. Many records can be related to low severity vulnerabilities that a customer is not willing to remediate using their vulnerability response process. Updating the corresponding REST message/method parameters can modify this behavior.

      The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values:
      • Name: severities
      • Value: 3-5 (or whatever appropriate severities are desired)

      Request apps on the Store

      Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

      Related concepts
      • Qualys REST messages

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login