Skip to main content
All CollectionsConnectorsOlder Release
Qualys Connector (previous revision)
Qualys Connector (previous revision)

Getting started with Qualys connector

Updated over a week ago

Pre-requisites

User - To configure the Qualys connector, please make sure first to use/create a Qualys user with the role "Scanner" and the following permissions:

Asset groups - Add all asset groups to the user

  • Click on the Users tab in the Users section, then edit the user.

  • In the 'Edit user' screen click on 'Asset Groups' and 'Add All' or just the groups you're interested in.

Defining a connector

On the Connectors page, click on Add a Connector.

Click on a Qualys connector.

Fill in all the relevant fields.

Platform – Name of your Qualys platform.
You can check your platform version by your URL.

Username - Use the user you created to authenticate with Qualys.
Use a user with the role 'Scanner' and allow access to GUI and API. You can go with admin account into Qualys --> Administration --> User Management --> View username --> view the user's permissions.

  • for Qualys WAS, make sure that the "WAS" granted modules is added as well.

Asset groups - Add all asset groups to the user

  • Click on the Users tab in the Users section, then edit the user.

  • In the 'Edit user' screen click on 'Asset Groups' and 'Add All' or just the groups you're interested in.


Password - Password in order to authenticate with Qualys
The password must match the user.

We highly recommend login to your Qualys account with the credentials you've provided. 

Map Qualys Business Impact to Vulcan tag’s impact
You can choose to map Qualys Business impact to Vulcan tag’s impact per asset group by enable the mapping functionality:

Please note the following mapping mechanism (from Qualys to -> Vulcan)
•   Critical, High -> High
•   Medium -> Medium
•   Minor, Low -> Low

Vulcan tag’s impact affect the Risk Calculations and can be edit per tag in Vulcan's platform.


Click on Create

  • You can see the connector's progress in the Log tab

3. Getting assets and vulnerabilities from Qualys

In Assets --> Hosts, new assets from your Qualys account will be added to Vulcan.

You can view in Sources the product that identified the asset.
Also, you have full visibility of vulnerabilities found on each specific asset and other important details about the asset (OS, last scan, tags and more) 

Click on an asset to view its Asset Card.
All the vulnerabilities found by Qualys will be displayed under the Vulnerabilities tab.

Depends on your scan type, you can pull the packages installed on your asset via Qualys under Packages.

All the relevant data from Qualys is pulled and can be viewed under the Details tab.

Automating Remediation Actions on Qualys

With Vulcan, you can automate remediation actions on specific assets.

Navigate to the Automation, click on Create new Playbook.

Name your playbook. For example: “Remediate Qualys”

Add a description to your Playbook (optional)

Choose your Playbook’s trigger (Vulnerabilities to fix)

  • Vulnerability from source – The connector from which we pulled assets. For example: Vulnerabilities from source Qualys.

  • Vulnerability where – The rule which the playbook will be attached by. For example: Vulnerability where CVSS Score is greater than 7.

  • On assets where – The asset’s property you wish to be automated. For example: On assets where OS is Windows.

  • In this example, the vulnerability that will be fixed is any vulnerability with CVSS score higher than 7, which was found on assets with Windows OS, and that was discovered by Qualys connector.

  • Choose an action at Remediation actions to automate the process. For example: Open ServiceNow ticket and assign it to the relevant team.

Filter kernel vulnerabilities

Qualys has an option to filter out vulnerabilities related to kernel. using this fillter can remove vulnerabilities that might already be patched but the old kernel is still installed. We will ignore this filter when bringing in fixed vulnerabilities, since we want to know when a vulnerability was fixed, but was removed from the active kernel.

To modify this setting go to the Qualys connector under arf_kernel_filter and use one of these configurations:

Not set - default value. matches 0 the default configuration in Qualys.

0 - vulnerabilities are not filtered based on kernel activity.
1 - exclude kernel related vulnerabilities that are not exploitable (found on non-running kernels).
2 - only include kernel related vulnerabilities that are not exploitable (found on non-running kernels).
3 - only include kernel related vulnerabilities that are exploitable (found on running kernels).
4 - only include kernel related vulnerabilities.

more details from Qualys documentation

Notes:

  1. For fetching the Detections, meaning, the connections between an Asset and a Vulnerabilities, the following API call is used:

    /api/2.0/fo/asset/host/vm/detection?&vm_scan_since={self.DAYS-AGO}

  2. Vulcan's Network Traffic will always originate from a specific IP address. For more information, please review the "Limiting Connectors Access" article.

    1. How to grant access to specific IP in Qualys?

      1. Go to the Vulnerability Management > Users > Set up Security:

      2. Click and enter the IPs/range you want to restrict/allow access to:

      3. Click on Save.

API calls in use

To fetch the data from Qualys, Vulca is using the following API calls:

Fields Mapping

Qualys field

Vulcan field

Host DNS

Asset name

Host IP

IP

Host OS

OS

Last_VM_scanned
Last_agents_check-in

Last seen

Host tags

Tags

Vulnerability title

Vulnerability name

QID

QID

CVE list

CVE

CVSS v3 Base
CVSS base

CVSS

Did this answer your question?