The Qualys product sensors collect the data and automatically send it to the Qualys application, which continuously analyzes and correlates the information. It easily integrates with Vulnerability Response as the Qualys Vulnerability Integration to map vulnerabilities to CIs and business services to determine impact and priority of potentially malicious threats.

Configure your Qualys Vulnerability Integration using Vulnerability > Administration > Setup Assistant to make data retrieval more flexible and scalable.

If you have multiple deployments of the Qualys Cloud Platform application, you can add an integration for each deployment. Assets identified by multiple third-party deployments, and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response. Qualys Vulnerability Integration Knowledge Base records are normalized across deployments, ensuring that instances of the same vulnerability across deployments are treated as the same vulnerability.
Note: You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

Note: While the Qualys Vulnerability Integration creates integrations for Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required for normal operation.

Available versions

Release version for Yokohama Release Notes

Qualys Vulnerability Integration v12.7, v12.8

For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

Installed components

For a current list of the roles, integration jobs, and tables that are installed with the integration, as well as a link to instructions for how to view what is currently installed in your instance, see Components installed with the Qualys Vulnerability Integration.

Primary and Supporting Integrations

Qualys primary and supporting integrations enrich the vulnerability data on your instance by retrieving data from the Qualys Vulnerability Integration. A series of scheduled jobs invoke the integrations automatically. You can also execute them manually. Scheduled jobs simplify the vulnerability remediation lifecycle by keeping the instance synchronized with other vulnerability management systems. Primary and supporting integrations can be modified.

The Qualys integrations are executed as scheduled jobs. There is a configured run-as user for each integration record. The default value for this user is VR.System. This value should not be changed.
Note: Failing to set a valid run-as user results in multiple, often duplicate, data retrieval attachments on the data source records, every time the integration runs. Multiple attachments on the data source increase processing time, resulting in inconsistent transform results.

During import, CVE records that are not already present are created as NVD records and referenced in third-party entries for Qualys by default.

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

Primary integrations

A primary integration is an entry point to the Qualys Cloud Platform: it is invoked on a schedule and interacts with the Qualys API.

View the primary integrations by navigating to Qualys Vulnerability Integration > Administration > Primary Integrations.

Supporting integrations

A supporting integration is a process that is not intended to run on a schedule or without being invoked by a primary integration.

View the supporting integrations by navigating to Qualys Vulnerability Integration > Administration > Supporting Integrations.

Service Graph Connector for Qualys

Beginning with version 2.2, the Service Graph Connector for Qualys is available from the ServiceNow® Store. See Service Graph Connector for Qualys for more information.

Data from the Qualys data source fields is imported with the Global Asset API and the Asset Management and Tagging API.

Global Asset API:
  • A CSAM license is required.
  • Asset information includes details such as Hardware Category and OS Category.
Asset Management and Tagging API:
  • A CSAM license is not required.
  • Asset information does not include details about Hardware Category and OS Category.

For more information, see Service Graph Connector for Qualys APIs.

Create CIs using the Identification and Reconciliation Engine (IRE)

You can use the Identification and Reconciliation Engine to create new CIs when an existing CI cannot be matched with a host imported from a third-party scanner. Enable the CMDB CI Class Models plugin to create CIs using the new classes, otherwise unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see Updating CI class for unmatched cloud assets.

Search lists

Search lists are used in Qualys to create custom groups of vulnerabilities. You can save them and use them for ticket creation and to customize vulnerability scans and reports. The Search Lists module allows you to download search list data from Qualys to your instance on a scheduled basis.

Search lists are pulled from Qualys using the Dynamic Search List Import and/or Static Search List Import data transformation maps. In each of these transforms, you can define schedules for performing the import.

Option profiles

Option profiles are available with Qualys scan settings. An option profile is required when you initiate a scan from your ServiceNow AI Platform.

Option profiles are imported from the Qualys product by the Option Profile List Integration. You might prefer to run the Option Profile List Integration after an import from the search list integrations (the Qualys Dynamic Search List and Qualys Static Search List Integrations) so that you can see which search lists are associated with option profiles.

Asset groups

Asset groups are set up in the Qualys platform. Asset groups identify which scanner appliances are used for scanning matching IP addresses when a scan is initiated from the ServiceNow AI Platform.

Asset groups that have associated appliances are pulled from Qualys by the Asset Group List Integration.

Initiate the Appliance List Integration after you import asset groups to populate the Appliance name and Appliance status fields on the Qualys Default Applications records in your Now Platform.

Host tags

All host tags are imported as part of the Qualys Host List integration. Host tags are used primarily for filtering in Vulnerability Response Assignment and Remediation Task Rules. They are displayed in the Discovered Item form.
Note: The Qualys Host List integration should be run prior to creating Assignment or Remediation Task Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.
  • Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. 'San Diego' and 'SAN DIEGO' are considered to be the same host tag. Whichever tag was imported first wins.
  • Using host tags as a Group Key in a Remediation Task Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
  • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

Host tags (also called asset tags) are used for organizing and tracking the assets in your organization. You can assign tags to your host assets. Then, when launching scans, you can select tags associated with the hosts you want to scan. The Host Tags module allows you to download host tag data from Qualys to your instance on a scheduled basis.

Reopen resolved vulnerable items not closed by scans

Vulnerable items set to 'Resolved' in your ServiceNow AI Platform instance but not transitioned to 'Closed/Fixed' by the third-party integration runs are reopened if they are detected during rescans.

For Qualys detections, if the scanner continues to find VIs that were set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans, these VIs move back to 'Open' when the last found date is later than the Resolved date.

Data retrieval limitations

By default, there are no restrictions on how data is retrieved from Qualys. Many records can be related to low severity vulnerabilities that a customer is not willing to remediate using their vulnerability response process. Updating the corresponding REST message/method parameters can modify this behavior.

The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values:
  • Name: severities
  • Value: 3-5 (or whatever appropriate severities are desired)
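
To preview which detections a severities value would keep out of the instance before you change the REST method, the following added example (not ServiceNow or Qualys code) expands a value such as 3-5 and applies it to a constructed detection sample. The XML element names, the comma-separated list form, and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample; element names are assumed, not taken from the page.
SAMPLE_XML = """
<HOST_LIST>
  <HOST><IP>10.0.0.5</IP><DETECTION_LIST>
    <DETECTION><QID>100001</QID><SEVERITY>1</SEVERITY></DETECTION>
    <DETECTION><QID>100002</QID><SEVERITY>3</SEVERITY></DETECTION>
    <DETECTION><QID>100003</QID><SEVERITY>5</SEVERITY></DETECTION>
  </DETECTION_LIST></HOST>
  <HOST><IP>10.0.0.9</IP><DETECTION_LIST>
    <DETECTION><QID>100004</QID><SEVERITY>2</SEVERITY></DETECTION>
    <DETECTION><QID>100002</QID><SEVERITY>3</SEVERITY></DETECTION>
  </DETECTION_LIST></HOST>
</HOST_LIST>
"""

def parse_severities(spec):
    """Expand a value such as '3-5' or '1,4-5' into a set of levels 1..5."""
    levels = set()
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 5:
            raise ValueError(f"invalid severity range: {part!r}")
        levels.update(range(lo, hi + 1))
    return levels

def preview_filter(xml_text, spec):
    """Return (kept, dropped) lists of (ip, qid, severity) tuples."""
    wanted = parse_severities(spec)
    kept, dropped = [], []
    for host in ET.fromstring(xml_text).iter("HOST"):
        ip = host.findtext("IP")
        for det in host.iter("DETECTION"):
            row = (ip, det.findtext("QID"), int(det.findtext("SEVERITY")))
            (kept if row[2] in wanted else dropped).append(row)
    return kept, dropped

def dropped_by_severity(xml_text, spec):
    """Count, per severity level, the detections that would not be imported."""
    _, dropped = preview_filter(xml_text, spec)
    return dict(Counter(sev for _, _, sev in dropped))

if __name__ == "__main__":
    kept, dropped = preview_filter(SAMPLE_XML, "3-5")
    print(len(kept), "kept;", dropped_by_severity(SAMPLE_XML, "3-5"), "dropped")
```

Detections in the dropped set never become vulnerable items, so review the per-severity counts against your remediation policy before narrowing the range.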

Request apps on the Store

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.