Am I reading the right user guide?
Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).
To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.
Overview
About Qualys WAS
Qualys WAS finds and catalogs all web apps in your network, including new and unknown ones, and scales from a handful of apps to thousands. With Qualys WAS, you can tag your applications with your own labels and then use those labels to control reporting and limit access to scan data.
Why integrate Qualys WAS into the Vulcan platform?
The Qualys WAS Connector by Vulcan integrates with the Qualys WAS platform to pull and ingest Website assets and their vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
Connector Details
| Supported products | |
|---|---|
| Category | Application Security - DAST |
| Ingested asset type(s) | Websites |
| Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
| Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
Read API Permissions User - a Qualys user with read-only API access. Your Qualys subscription must be granted permission to run the API function; contact Qualys Support or your sales representative to obtain this authorization.
Creating API Reader User
In Qualys WAS, go to Administration > User Management
Create a Reader User.
Fill in the General and Locale information as required.
For the User Role, assign the Reader Role with API access.
For Asset Groups, select the relevant asset groups you want the Vulcan Platform to ingest. Only Assets from the selected Asset Groups will be ingested into Vulcan.
For Permissions, grant the Manage VM Module + Manage Web Applications permissions.
For Security, make sure the authentication is disabled. If the authentication is enabled, the integration will not work.
Once the user is saved, click Edit User. Under Roles and Scopes, add the WAS User role to give the user API access to the Web Application Scanning module, then save the user.
Make sure the WAS module is listed for the user.
Configuring the Qualys WAS Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Qualys WAS icon.
Set up the Connector as follows:
Platform: Select your platform. Click here to learn how to identify your Qualys platform.
Username and password of the API Reader User you generated earlier.
Check the "Pull informational findings" box if you want the Vulcan Platform to ingest informational findings from Qualys in addition to Critical, High, and Low vulnerabilities.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Qualys WAS instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Qualys WAS icon shows Connected, the sync is complete.
Qualys WAS in the Vulcan Platform
Viewing Qualys WAS vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select Qualys WAS from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing Qualys WAS assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or filter input box to select Connector from the drop-down selection.
Select Qualys WAS from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type
Taking Action on vulnerabilities and assets detected by Qualys WAS
To take remediation action on vulnerabilities and assets detected by Qualys WAS:
Go to Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the Qualys WAS option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability/Asset.
Click Take Action.
Automating remediation actions on vulnerabilities detected by Qualys WAS
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Qualys WAS Connector.
From Qualys WAS to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Qualys WAS through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Website fields mapping
| Qualys WAS field | Vulcan field |
|---|---|
| Webapp.id | Uniqueness criteria |
| Name | Asset Name |
| Websites | Asset type |
| Address | Address |
| Detection URL | Asset's vulnerable pages |
| site id | Asset details |
| Tags | Asset Tags - Vendor's tags |
| Updated date | Last seen |
| Active | Asset's Status |
| Created date | Creation date |
| Finding.url | Vulnerability instance uniqueness criteria |
| Finding.history.set[0].WebAppFindingHistory.scanData.launchedDate | Vulnerability instance first seen |
| Finding.lastTestedDate (Last detected) | Vulnerability instance Last seen |
| Finding.severity (score) | Vulnerability instance score |
| Finding.url | Vulnerability instance location path |
| Finding.qid | Unique Vulnerability uniqueness criteria |
| Finding.name (Detection name) | Vulnerability title |
| KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.DIAGNOSIS | Vulnerability description |
| Qualys ID, Impact | Vulnerability details |
| Finding.cvssV3.base | CVSS |
| CVE | CVE/S |
| Finding.cwe.list (CWE) | CWE |
| cvssV3.attackVector | CVSS attack vector |
| result list | Assets-Vulnerability instance connection (info tooltip) |
| Qualys WAS recommendation | Fix - Title |
| recommendations | Fix - Description |
Vulnerability status mapping
| Qualys WAS Status | Vulcan Status |
|---|---|
| new, active, reopened, retesting | Vulnerable |
| protected, fixed | Fixed |
| false positive, not applicable | Ignored - false positive |
| risk accepted | Ignored - risk acknowledged |
Vulnerability score mapping
| Qualys WAS score | Vulcan score |
|---|---|
| 5 | 10 |
| 4 | 7.5 |
| 3 | 5 |
| 2 | 2.5 |
| 1 or 0 | 0 |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any added).
The table below lists how the status update mechanism works in the Qualys WAS Connector for the vulnerabilities and assets in the Vulcan Platform.
| Update type | Mechanism |
|---|---|
| Archiving Assets | By X days according to "Last Seen" - if the Asset hasn't been seen for X days, the Vulcan Platform archives it. |
| Change of vulnerability instance status from "Vulnerable" to "Fixed" | By status: "Fixed". If the connector reports a vulnerability status that indicates the vulnerability is fixed, the Vulcan Platform changes the status to "Fixed". |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
| API | Use in Vulcan | Permissions required |
|---|---|---|
| | Fetch webapps | API Read |
| | Fetch vulnerabilities | API Read |
| | Fetch solutions | API Read |
Data Validation
The purpose of this "Data Validation" section is to provide a clear understanding of how data from Qualys WAS appears when ingested into the Vulcan Platform. By following the guidelines mentioned here, you will gain insights into matching unique vulnerabilities, assets, and vulnerability instances.
Matching Assets
In Qualys WAS, navigate to the "Web Application" section to view all assets.
The same assets list will also appear in Vulcan.
Matching Vulnerability Instances
In Qualys WAS, go to the assets view to see the vulnerability count for each asset. This count represents the filtered number of vulnerabilities associated with that specific asset.
To view all vulnerabilities, click on "Detections" and select "Detection list."
In the left filter menu, filter by the relevant web application.
Filter the list to display only active vulnerabilities.
Compare the vulnerability instances count in Qualys WAS with the corresponding count in Vulcan.
Matching Unique Vulnerabilities
In Qualys WAS, navigate to "Detections" and select "Detection list."
Make sure no web application filter is applied to see the complete vulnerability list.
Note that the full list in Qualys WAS may contain duplications of vulnerability names, which are aggregated in Vulcan.
Counting the unique vulnerability names will match the unique vulnerability count in the relevant screen in Vulcan.
Export the detection list from Qualys and remove duplications based on vulnerability names to obtain this number.
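The following script is an added example, not code from Vulcan Cyber or Qualys. It applies the status and score mapping tables from the "Data Mapping" section to a handful of constructed Qualys WAS findings and then reproduces the two counts that the "Data Validation" steps ask you to compare: active vulnerability instances per web application, and unique vulnerabilities after deduplicating by vulnerability name. Field paths (`Finding.qid`, `Finding.url`, `Finding.severity`, `Finding.history.set[0]...launchedDate`, `Finding.lastTestedDate`) follow the guide's table; the sample values, the assumption that the API reports statuses in upper case with underscores (for example `RISK_ACCEPTED`), and the helper `_finding` are constructed for this example.

```python
# Added example (not Vulcan's or Qualys' code): apply the guide's mapping tables to
# constructed Qualys WAS findings and reproduce the "Data Validation" counts.
from collections import Counter

# Vulnerability status mapping from the guide (Qualys WAS status -> Vulcan status).
STATUS_MAP = {
    "new": "Vulnerable", "active": "Vulnerable",
    "reopened": "Vulnerable", "retesting": "Vulnerable",
    "protected": "Fixed", "fixed": "Fixed",
    "false positive": "Ignored - false positive",
    "not applicable": "Ignored - false positive",
    "risk accepted": "Ignored - risk acknowledged",
}

# Vulnerability score mapping from the guide (Qualys WAS severity 0-5 -> Vulcan score).
SCORE_MAP = {5: 10.0, 4: 7.5, 3: 5.0, 2: 2.5, 1: 0.0, 0: 0.0}


def normalize_status(raw):
    """Assumption: the API reports statuses like 'RISK_ACCEPTED'; fold them to the
    lower-case, space-separated keys used in the guide's status table."""
    return raw.strip().lower().replace("_", " ")


def map_finding(finding):
    """Build a Vulcan-style vulnerability instance record from one WAS Finding,
    following the field paths listed in the guide's data mapping table."""
    history = finding.get("history", {}).get("set", [])
    first_seen = None
    if history:
        first_seen = history[0]["WebAppFindingHistory"]["scanData"]["launchedDate"]
    status = STATUS_MAP.get(normalize_status(finding["status"]))
    if status is None:
        # An unknown status is a validation problem, not something to guess at.
        raise ValueError("unmapped Qualys WAS status: %r" % finding["status"])
    return {
        "webapp_id": finding["webApp"]["id"],      # Webapp.id: asset uniqueness
        "instance_key": finding["url"],             # Finding.url: instance uniqueness
        "unique_key": finding["qid"],               # Finding.qid: unique vuln key
        "title": finding["name"],                   # Finding.name: vulnerability title
        "status": status,
        "score": SCORE_MAP[int(finding["severity"])],
        "cvss": finding.get("cvssV3", {}).get("base"),
        "attack_vector": finding.get("cvssV3", {}).get("attackVector"),
        "cwe": finding.get("cwe", {}).get("list", []),
        "first_seen": first_seen,
        "last_seen": finding.get("lastTestedDate"),
    }


def active_instances_per_webapp(findings):
    """Matching Vulnerability Instances: count instances per web app that map to
    the Vulcan status 'Vulnerable' (Qualys new/active/reopened/retesting)."""
    counts = Counter()
    for f in findings:
        rec = map_finding(f)
        if rec["status"] == "Vulnerable":
            counts[rec["webapp_id"]] += 1
    return dict(counts)


def unique_vulnerability_count(findings):
    """Matching Unique Vulnerabilities: deduplicate the full detection list by
    vulnerability name, as the guide describes for the exported list."""
    return len({f["name"] for f in findings})


def _finding(qid, name, severity, status, url, webapp_id, launched, tested, **extra):
    """Constructed sample finding using the field paths from the guide (hypothetical helper)."""
    f = {
        "qid": qid, "name": name, "severity": severity, "status": status, "url": url,
        "webApp": {"id": webapp_id}, "lastTestedDate": tested,
        "history": {"set": [{"WebAppFindingHistory": {"scanData": {"launchedDate": launched}}}]},
    }
    f.update(extra)
    return f


# Constructed sample data: two web apps, one repeated QID, several statuses.
SAMPLE_FINDINGS = [
    _finding(150001, "Reflected Cross-Site Scripting", 5, "ACTIVE",
             "https://shop.example.test/search?q=1", 1001,
             "2024-01-15T00:00:00Z", "2024-03-02T01:00:00Z",
             cvssV3={"base": 6.1, "attackVector": "NETWORK"}, cwe={"list": [79]}),
    _finding(150001, "Reflected Cross-Site Scripting", 5, "NEW",
             "https://shop.example.test/login?next=1", 1001,
             "2024-03-02T01:00:00Z", "2024-03-02T01:00:00Z"),
    _finding(150004, "Path-Based Vulnerability", 2, "FIXED",
             "https://shop.example.test/old/", 1001,
             "2024-01-15T00:00:00Z", "2024-03-02T01:00:00Z"),
    _finding(150012, "Cookie Without Secure Flag", 1, "RISK_ACCEPTED",
             "https://portal.example.test/", 1002,
             "2024-02-01T00:00:00Z", "2024-03-02T02:00:00Z"),
    _finding(150001, "Reflected Cross-Site Scripting", 5, "REOPENED",
             "https://portal.example.test/feedback", 1002,
             "2024-02-01T00:00:00Z", "2024-03-02T02:00:00Z"),
]

if __name__ == "__main__":
    print("active instances per web app:", active_instances_per_webapp(SAMPLE_FINDINGS))
    print("unique vulnerabilities:", unique_vulnerability_count(SAMPLE_FINDINGS))
```

On the constructed data the script reports two active instances for web app 1001, one for 1002, and three unique vulnerabilities, which is what you would compare against the per-asset instance counts and the deduplicated detection list in Vulcan. Note that the instance count deliberately excludes findings that map to "Fixed" or to an "Ignored" status, matching the "active vulnerabilities" filter in the validation steps.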