Qualys Connector (previous revision)

Getting started with Qualys connector


Pre-requisites

User - To configure the Qualys connector, first use or create a Qualys user with the role "Scanner" and the following permissions:

Asset groups - Add all asset groups to the user

  • Click on the Users tab in the Users section, then edit the user.

  • In the 'Edit user' screen click on 'Asset Groups' and 'Add All' or just the groups you're interested in.

Defining a connector

On the Connectors page, click on Add a Connector.

Click on a Qualys connector.

Fill in all the relevant fields.

Platform – Name of your Qualys platform.
You can check your platform version from your Qualys URL.

Username - Use the user you created to authenticate with Qualys.
Use a user with the role 'Scanner' and allow access to GUI and API. With an admin account, you can go to Qualys --> Administration --> User Management --> View username to view the user's permissions.

  • For Qualys WAS, make sure that "WAS" is added to the granted modules as well.


Password - The password used to authenticate with Qualys.
The password must match the user.

We highly recommend logging in to your Qualys account with the credentials you've provided.

Map Qualys Business Impact to Vulcan tag’s impact
You can choose to map Qualys Business Impact to the Vulcan tag’s impact per asset group by enabling the mapping functionality.

Please note the following mapping mechanism (from Qualys -> to Vulcan):
•   Critical, High -> High
•   Medium -> Medium
•   Minor, Low -> Low

The Vulcan tag’s impact affects the Risk Calculations and can be edited per tag in Vulcan's platform.


Click on Create

  • You can see the connector's progress in the Log tab

Getting assets and vulnerabilities from Qualys

In Assets --> Hosts, new assets from your Qualys account will be added to Vulcan.

In Sources, you can view the product that identified the asset.
You also have full visibility of the vulnerabilities found on each specific asset and other important details about the asset (OS, last scan, tags and more).

Click on an asset to view its Asset Card.
All the vulnerabilities found by Qualys will be displayed under the Vulnerabilities tab.

Depending on your scan type, you can pull the packages installed on your asset via Qualys under Packages.

All the relevant data from Qualys is pulled and can be viewed under the Details tab.

Automating Remediation Actions on Qualys

With Vulcan, you can automate remediation actions on specific assets.

Navigate to Automation and click on Create new Playbook.

Name your playbook. For example: “Remediate Qualys”

Add a description to your Playbook (optional)

Choose your Playbook’s trigger (Vulnerabilities to fix)

  • Vulnerability from source – The connector from which we pulled assets. For example: Vulnerabilities from source Qualys.

  • Vulnerability where – The rule by which the playbook will be attached. For example: Vulnerability where CVSS Score is greater than 7.

  • On assets where – The asset property the automation should apply to. For example: On assets where OS is Windows.

  • In this example, the vulnerability that will be fixed is any vulnerability with a CVSS score higher than 7, which was found on assets with Windows OS, and that was discovered by the Qualys connector.

  • Choose an action at Remediation actions to automate the process. For example: Open ServiceNow ticket and assign it to the relevant team.

Filter kernel vulnerabilities

Qualys has an option to filter out vulnerabilities related to the kernel. Using this filter can remove vulnerabilities that might already be patched while the old kernel is still installed. We ignore this filter when bringing in fixed vulnerabilities, since we want to know when a vulnerability was fixed but was removed from the active kernel.

To modify this setting, go to the Qualys connector and, under arf_kernel_filter, use one of these configurations:

Not set - default value. Matches 0, the default configuration in Qualys.

0 - vulnerabilities are not filtered based on kernel activity.
1 - exclude kernel related vulnerabilities that are not exploitable (found on non-running kernels).
2 - only include kernel related vulnerabilities that are not exploitable (found on non-running kernels).
3 - only include kernel related vulnerabilities that are exploitable (found on running kernels).
4 - only include kernel related vulnerabilities.

More details are available in the Qualys documentation.
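The filter values above, modelled as a small simulation that shows which findings each setting keeps and which it hides from the connector. This is an added example, not Vulcan's or Qualys's code; the Detection fields, the sample data and the way fixed detections bypass the filter are assumptions based on the description on this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Detection:
    qid: int              # constructed QID, not a real Qualys finding
    status: str           # "Active" or "Fixed"
    kernel_related: bool  # finding is tied to a kernel package
    running_kernel: bool  # the affected kernel is the one currently booted

def passes_kernel_filter(det: Detection, mode: Optional[int]) -> bool:
    """Return True if the detection is ingested under the given arf_kernel_filter."""
    mode = 0 if mode is None else mode          # "Not set" matches 0
    if mode not in (0, 1, 2, 3, 4):
        raise ValueError(f"arf_kernel_filter must be 0-4, got {mode!r}")
    if det.status == "Fixed":
        return True                             # filter is ignored for fixed vulnerabilities
    on_running = det.kernel_related and det.running_kernel
    on_old = det.kernel_related and not det.running_kernel
    return {0: True, 1: not on_old, 2: on_old,
            3: on_running, 4: det.kernel_related}[mode]

# Constructed sample detections for one Linux host.
SAMPLE = [
    Detection(1001, "Active", kernel_related=False, running_kernel=False),
    Detection(1002, "Active", kernel_related=True, running_kernel=True),
    Detection(1003, "Active", kernel_related=True, running_kernel=False),
    Detection(1004, "Fixed", kernel_related=True, running_kernel=False),
]

def ingested(detections, mode=None):
    """QIDs the connector would bring in under `mode`."""
    return [d.qid for d in detections if passes_kernel_filter(d, mode)]

def hidden(detections, mode):
    """QIDs visible with filter 0 that disappear under `mode`."""
    kept = set(ingested(detections, mode))
    return [q for q in ingested(detections, 0) if q not in kept]

if __name__ == "__main__":
    for m in (None, 0, 1, 2, 3, 4):
        print(m, ingested(SAMPLE, m), "hidden:", hidden(SAMPLE, m))
```

Settings 2, 3 and 4 drop every active finding that is not kernel-related, so they suit a dedicated kernel view rather than a connector that feeds overall risk calculations.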

Notes:

  1. To fetch the detections, meaning the connections between an asset and its vulnerabilities, the following API call is used:

    /api/2.0/fo/asset/host/vm/detection?&vm_scan_since={self.DAYS-AGO}

  2. Vulcan's Network Traffic will always originate from a specific IP address. For more information, please review the "Limiting Connectors Access" article.

    1. How to grant access to specific IP in Qualys?

      1. Go to Vulnerability Management > Users > Set up Security.

      2. Click and enter the IPs/range you want to restrict/allow access to.

      3. Click on Save.

API calls in use

To fetch the data from Qualys, Vulcan uses the following API calls:

Fields Mapping

Qualys field -> Vulcan field
•   Host DNS -> Asset name
•   Host IP -> IP
•   Host OS -> OS
•   Last_VM_scanned, Last_agents_check-in -> Last seen
•   Host tags -> Tags
•   Vulnerability title -> Vulnerability name
•   QID -> QID
•   CVE list -> CVE
•   CVSS v3 Base, CVSS base -> CVSS
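How a detection response becomes asset-to-vulnerability links under the field mapping above, as an added example (not Vulcan's connector code). The XML is a constructed, simplified sample modelled on Qualys Host Detection output; the record keys and the fallback to the IP when a host has no DNS name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample; compare element names with your own API response.
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
<HOST>
  <IP>192.0.2.10</IP><DNS>web01.example.internal</DNS><OS>Windows Server 2019</OS>
  <LAST_VM_SCANNED_DATE>2024-01-10T08:00:00Z</LAST_VM_SCANNED_DATE>
  <TAGS><TAG><NAME>Production</NAME></TAG></TAGS>
  <DETECTION_LIST>
    <DETECTION><QID>100001</QID><STATUS>Active</STATUS></DETECTION>
    <DETECTION><QID>100002</QID><STATUS>Fixed</STATUS></DETECTION>
  </DETECTION_LIST>
</HOST>
<HOST>
  <IP>192.0.2.20</IP><OS>Ubuntu 22.04</OS>
  <DETECTION_LIST>
    <DETECTION><QID>100001</QID><STATUS>New</STATUS></DETECTION>
  </DETECTION_LIST>
</HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

def parse_detections(xml_text):
    """Return one record per (asset, QID) pair, keyed by the Vulcan-side field."""
    records = []
    for host in ET.fromstring(xml_text).iter("HOST"):
        ip = host.findtext("IP")
        asset = {
            "asset_name": host.findtext("DNS") or ip,  # assumption: no DNS -> use IP
            "ip": ip,                                  # Host IP -> IP
            "os": host.findtext("OS"),                 # Host OS -> OS
            # Only the VM scan date is modelled; the agent check-in is omitted here.
            "last_seen": host.findtext("LAST_VM_SCANNED_DATE"),
            "tags": [t.findtext("NAME") for t in host.iter("TAG")],
        }
        for det in host.iter("DETECTION"):
            records.append({**asset,
                            "qid": int(det.findtext("QID")),
                            "status": det.findtext("STATUS")})
    return records

if __name__ == "__main__":
    for rec in parse_detections(SAMPLE_XML):
        print(rec["asset_name"], rec["qid"], rec["status"])
```

The same QID appearing on two hosts yields two records, which is why a host missing from the user's asset groups silently removes its detections from Vulcan.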
