Skip to main content
Qualys WAS Connector (new revision)

Learn all about integrating Qualys WAS into the Vulcan Platform

Updated over 5 months ago

Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.

Overview

About Qualys WAS

Qualys WAS finds and catalogs all web apps in your network, including new and unknown ones, and scales from a handful of apps to thousands. With Qualys WAS, you can tag your applications with your own labels and then use those labels to control reporting and limit access to scan data.

Why integrate Qualys WAS into the Vulcan platform?

The Qualys WAS Connector by Vulcan integrates with the Qualys WAS platform to pull and ingest Website assets and their vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Connector Details

Supported products

Category

Application Security - DAST

Ingested asset type(s)

Websites

Integration type

UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type

SaaS (latest)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

  • Read API Permissions User - Your Qualys subscription must be granted permission to run the API function. Please contact Qualys Support or your sales representative to receive this authorization.

Creating API Reader User

  1. In Qualys WAS, go to Administration > User Management

  2. Create a Reader User.

  3. Fill in the General and Locale information as required.

  4. For the User Role, assign the Reader Role with API access.

  5. For Asset Groups, select the relevant asset groups you want the Vulcan Platform to ingest. Only Assets from the selected Asset Groups will be ingested into Vulcan.

  6. For Permissions, grant the Manage VM Module + Manage Web Applications permissions.

  7. For Security, make sure the authentication is disabled. If the authentication is enabled, the integration will not work.

  8. Once the user is saved, Click to Edit the User. Under Roles And Scopes, Add WAS User role to the user API access to the Web Application Scanning module and Save the user.

  9. Make sure the user has the WAS module listed

Configuring the Qualys WAS Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Qualys WAS icon.

  4. Set up the Connector as follows:

    • Platform: Select your platform. Click here to learn how to identify your Qualys platform.

    • Username and password of the API Reader User you generated earlier.

  5. Check the "Pull informational findings" box if you want the Vulcan Platform to ingest informational findings from Qualys in addition to Critical, High, and Low vulnerabilities.

  6. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Qualys WAS instance, then click Create (or Save Changes).

  7. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  8. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. Once the Qualys WAS icon shows Connected, the sync is complete.


Qualys WAS in the Vulcan Platform

Viewing Qualys WAS vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select Qualys WAS from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing Qualys WAS assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab.

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select Qualys WAS from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by Qualys WAS

To take remediation action on vulnerabilities and assets detected by Qualys WAS:

  1. Go to Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the Qualys WAS option to view all synced vulnerabilities/assets.

  4. Select the relevant Vulnerability/Asset.

Automating remediation actions on vulnerabilities detected by Qualys WAS

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Qualys WAS Connector.


From Qualys WAS to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Qualys WAS through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Website fields mapping

Qualys WAS field

Vulcan field

Webapp.id

Uniqueness criteria

Name

Asset Name

Websites

Asset type

Address

Address

Detection URL

Asset’s vulnerable pages

site id
site name
updated date
Operating system
Custom attributes

Asset details

Tags

Asset Tags - Vendor’s tags

Updated date

Last seen

Active

Asset’s Status

Created date

Creation date

Finding.url

Vulnerability instance uniqueness criteria

Finding.history.set[0].WebAppFindingHistory.scanData.launchedDate

Vulnerability instance first seen

Last detected Finding.lastTestedDate

Vulnerability instance Last seen

score Finding.severity

Vulnerability instance score

Finding.url

Vulnerability instance location path

Finding.qid

Unique Vulnerability uniqueness criteria

Detection name Finding.name

Vulnerability title

KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.DIAGNOSIS

Vulnerability description

Qualys ID
Published date
score
severity
type
group
CPE
OWASP
WASC
External references

Impact

Vulnerability details

Finding.cvssV3.base

CVSS

CVE

CVE/S

CWE Finding.cwe.list

CWE

cvssV3.attackVector

CVSS attack vector

result list

Assets-Vulnerability instance connection (info tooltip)

Qualys WAS recommendation

Fix - Title

recommendations

Fix - Description

Vulnerability status mapping

Qualys WAS Status

Vulcan Status

new, active, reopened, retesting

Vulnerable

protected, fixed

Fixed

false positive, not applicable

Ignored - false positive

risk accepted

Ignored risk acknowledged

Vulnerability score mapping

Qualys WAS score

Vulcan score

5

10

4

7.5

3

5

2

2.5

1 or 0

0

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any added).

The table below lists how the status update mechanism works in the X connector for the vulnerabilities and assets in the Vulcan Platform.

Update type

Mechanism

Archiving Assets

By X days according to "Last Seen" - if the Asset hasn’t been seen for X days, the Vulcan Platform archives it.

Change of vulnerability instances status from "Vulnerable" to "Fixed"

By status: "Fixed". If the connector has a relevant vulnerability status that indicates that the vulnerability is fixed, the Vulcan Platform changes the status to "Fixed".

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

API Endpoints in Use

API

Use in Vulcan

Permissions required

qps/rest/3.0/search/was/webapp

Fetch webapps

API Read

qps/rest/3.0/search/was/finding

Fetch vulnerabilities

API Read

api/2.0/fo/knowledge_base/vuln/

Fetch solutions

API Read


Data Validation

The purpose of this "Data Validation" section is to provide a clear understanding of how data from Qualys WAS appears when ingested into the Vulcan Platform. By following the guidelines mentioned here, you will gain insights into matching unique vulnerabilities, assets, and vulnerability instances.

Matching Assets

In Qualys WAS, navigate to the "Web Application" section to view all assets.

The same assets list will also appear in Vulcan.

Matching Vulnerability Instances

  1. In Qualys WAS, go to the assets view to see the vulnerability count for each asset. This count represents the filtered number of vulnerabilities associated with that specific asset.

  2. To view all vulnerabilities, click on "Detections" and select "Detection list."

  3. In the left filter menu, filter by the relevant web application.

  4. Filter the vulnerabilities out to display only active vulnerabilities.

  5. Compare the vulnerability instances count in Qualys WAS with the corresponding count in Vulcan.

Matching Unique Vulnerabilities

  1. In Qualys WAS, navigate to "Detections" and select "Detection list."

  2. Make sure no web application filter is applied to see the complete vulnerability list.

  3. Note that the full list in Qualys WAS may contain duplications of vulnerability names, which are aggregated in Vulcan.

  4. Counting the unique vulnerability names will match the unique vulnerability count in the relevant screen in Vulcan.

  5. Export the detection list from Qualys and remove duplications based on vulnerability names to obtain this number.

Did this answer your question?