Am I reading the right user guide?
Some connectors have more than one user guide, depending on the environment's setup and on the connector's available releases (new vs. older revisions).
To access the relevant user guide to your environment, click on the "How to connect" button on the connector's setup page. Doing so will direct you to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.
Overview
About Qualys
Qualys provides cloud-based cybersecurity solutions designed to help organizations assess vulnerabilities, manage assets, enforce compliance, secure web applications, protect cloud environments, and automate security processes, enhancing their overall cybersecurity posture and resilience against cyber threats.
Why integrate Qualys into the Vulcan platform?
The Qualys Connector by Vulcan integrates with the Qualys platform to pull and ingest host assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform processes the ingested findings to correlate, consolidate, and contextualize them, which in turn drives risk scoring and remediation priority.
Qualys Details
Supported products | |
Category | Vulnerability Assessment |
Ingested asset type(s) | Hosts |
Integration type | Uni-directional (data is transferred from the connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the connector, make sure you have the following:
A Qualys user with the Scanner role, with the required access (GUI and API) and asset groups.
API TOKEN/KEY and SECRET KEY
For fetching compliance data, you also need:
Manage PC Module permission enabled
CVSS scoring feature enabled
Qualys user role and permissions
Under Qualys Administration, create a dedicated Qualys user with the following role and permissions.
Click on User Role, and assign the role Scanner to the user. Make sure to enable access to GUI and API.
Click on "Asset Groups", and assign the relevant asset groups to the user.
Click Save. Once the user is created, click on it in the users list and make sure both API and GUI permissions are selected for the user under the Scanner role.
Configuring the Qualys Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Qualys icon.
Set up the connector as follows:
Enter your organization's Qualys API Server URL (see API URLs - API Server URL), and the username and password of the user you created earlier.
arf_kernel_filter: Qualys offers an option to filter vulnerabilities related to the kernel. This filter is helpful because it weeds out vulnerabilities that may already have been fixed but are still associated with an old kernel that remains installed. However, when Vulcan imports information about fixed vulnerabilities, it disregards this filter by default. The reason is that Vulcan tracks when a vulnerability was resolved, even if it no longer poses a threat because it was removed from the active kernel.
You can set "arf_kernel_filter" to one of the following values:
Vulnerabilities related to the kernel are not filtered based on kernel activity. This matches the default configuration in Qualys.
Exclude kernel-related vulnerabilities that are not exploitable (found on non-running kernels).
Include only kernel-related vulnerabilities that are not exploitable (found on non-running kernels).
Include only kernel-related vulnerabilities that are exploitable (found on running kernels).
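The following is an added example (not code from Vulcan or Qualys) that applies each of the four settings above to constructed detection records and shows the import rule the text describes: the filter applies to active detections, while detections already marked Fixed pass through regardless. The setting names, the record keys `kernel_related` and `on_running_kernel`, and the reading that the two "Include only" settings drop non-kernel detections are assumptions made for this example.

```python
# Setting names stand for the four arf_kernel_filter options listed above;
# the detection record keys below are assumptions made for this example.
NOT_FILTERED = "not_filtered"
EXCLUDE_NON_EXPLOITABLE = "exclude_non_exploitable"
ONLY_NON_EXPLOITABLE = "only_non_exploitable"
ONLY_EXPLOITABLE = "only_exploitable"

def kernel_filter_keeps(det: dict, setting: str) -> bool:
    """Apply one setting to a single active detection. 'kernel_related' marks a
    kernel vulnerability; 'on_running_kernel' says whether it is exploitable."""
    if setting == NOT_FILTERED:
        return True
    if not det["kernel_related"]:
        # Assumed reading of the option wording: the two "Include only" settings
        # keep kernel-related detections only, so non-kernel ones are dropped.
        return setting == EXCLUDE_NON_EXPLOITABLE
    exploitable = det["on_running_kernel"]
    if setting == EXCLUDE_NON_EXPLOITABLE or setting == ONLY_EXPLOITABLE:
        return exploitable
    if setting == ONLY_NON_EXPLOITABLE:
        return not exploitable
    raise ValueError(f"unknown arf_kernel_filter setting: {setting}")

def import_detections(dets: list, setting: str) -> list:
    """Detections Vulcan would ingest: the filter is applied to active detections,
    while detections already marked Fixed bypass it so the fix date is recorded."""
    return [d for d in dets if d["status"] == "Fixed" or kernel_filter_keeps(d, setting)]

# Constructed sample detections for one host (not real Qualys output).
SAMPLE = [
    {"qid": 1, "status": "Active", "kernel_related": True, "on_running_kernel": True},
    {"qid": 2, "status": "Active", "kernel_related": True, "on_running_kernel": False},
    {"qid": 3, "status": "Fixed", "kernel_related": True, "on_running_kernel": False},
    {"qid": 4, "status": "Active", "kernel_related": False, "on_running_kernel": False},
]

def kept_qids(setting: str, dets: list = SAMPLE) -> list:
    """QIDs that survive the import under the given setting."""
    return [d["qid"] for d in import_detections(dets, setting)]
```

Note that QID 3 is kept under every setting: it is already Fixed, so Vulcan records the fix rather than dropping it.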
For Subscription type, select the type of subscription of your Qualys account.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Qualys instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Qualys icon shows Connected, the sync is complete.
Qualys in the Vulcan Platform
Viewing Qualys vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select Qualys from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing Qualys assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or Filter input box to select Connector from the drop-down selection.
Select Qualys from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type.
Taking Action on vulnerabilities and assets detected by Qualys
To take remediation action on vulnerabilities and assets detected by Qualys:
Go to the Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select connector from the drop-down selection.
Locate the Qualys option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability out of the results list.
Click Take Action.
Automating remediation actions on vulnerabilities detected by Qualys
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Qualys Connector.
From Qualys to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Qualys through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Host fields mapping
Qualys field | Vulcan field |
ID | Uniqueness criteria |
vulcan_enrichment.host_search[0].data.name or DNS | Asset Name |
Hosts | Asset type |
IP | IP |
OS or vulcan_enrichment.host_search[0].data.os | OS |
vulcan_enrichment.host_search[0].data.created | Created date |
LAST_VM_SCANNED_DATE or vulcan_enrichment.host_search[0].data.lastVulnScan | Last seen date |
DNS_DATA.FQDN or vulcan_enrichment.host_search[0].data.fqdn | FQDN |
vulcan_enrichment.host_search[0].data.networkInterface.list.HostAssetInterface.[*].mac_address | MAC addresses (multiple) |
RESULTS (From detection) | Packages |
vulcan_enrichment.host_search[0].data.openPort.list.HostAssetOpenPort | Open ports |
METADATA.EC2.ATTRIBUTE | Asset Status |
vulcan_enrichment.asset_groups | Asset Tags - Vendor's tags |
Host ID + QID + PORT + PROTOCOL | Vulnerability instance uniqueness criteria |
First Found Datetime | Vulnerability instance first seen |
Last Found Datetime | Vulnerability instance last seen |
vulcan_enrichment.vulnerability_details[0].data.CVSS_V3.BASE | Vulnerability instance score |
QID | Unique Vulnerability uniqueness criteria |
vulcan_enrichment.vulnerability_details[0].data.TITLE | Vulnerability title |
vulcan_enrichment.vulnerability_details[0].data.CVSS_V3.BASE | Vulnerability score |
vulcan_enrichment.vulnerability_details[0].data.DIAGNOSIS | Vulnerability description |
Ignored / Disabled / Status | Vulnerability status |
vulcan_enrichment.vulnerability_details[0].data.CVSS_V3.BASE | CVSS |
vulcan_enrichment.vulnerability_details[0].data.CVE_LIST.CVE | CVE(s) |
Qualys fix for qid - {{ QID }} | Fix title |
SOLUTION | Fix description |
SOLUTION | Fix references |
Vulnerability status mapping
Qualys Status | Vulcan Status |
Any status other than Fixed, Ignored, or Disabled | Vulnerable |
Fixed | Fixed |
- | Ignored - false positive |
Ignored, Disabled | Ignored - risk acknowledged |
Vulnerability score mapping
CVSS v3 Score from Qualys is mapped into the Vulcan score field.
Qualys score | Vulcan score |
CVSS v3 | CVSS v3 |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones.
The table below lists how the status update mechanism works in the Qualys connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | Asset not found on the connector's last sync, or asset not seen for X days according to "Last Seen" |
The vulnerability instance status changes to "Fixed" | Vulnerability status on the connector's side changes to "Fixed" |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
API version: 2.0
API | Use in Vulcan |
{{ server_url }}/api/2.0/fo/asset/host/ | Host IDs, Hosts |
{{ server_url }}/qps/rest/2.0/search/am/hostasset | Host search (Enrichment) |
{{ server_url }}/api/2.0/fo/asset/group/ | Asset groups |
{{ server_url }}/api/2.0/fo/asset/host/vm/detection/ | Detections (Vulnerability instances) |
{{ server_url }}/api/2.0/fo/knowledge_base/vuln/ | Vulnerability details |
Compliance mapping
Qualys fields | Vulcan field |
Host ID + Control ID | Vulnerability instance uniqueness criteria |
firstFailDate or firstPassDate | Vulnerability instance first seen |
lastFailDate or lastPassDate | Vulnerability instance last seen |
criticality.value * 2 | Vulnerability instance score |
controlId | Unique Vulnerability uniqueness criteria |
controlStatement or policyTitle + ' - control id: ' + controlId | Vulnerability title |
criticality.value * 2 | Vulnerability score |
rationale | Vulnerability description |
riskAcknowledged if controlStatement is empty; otherwise fixed if status is passed, else vulnerable | Vulnerability status |
criticality.value * 2 | CVSS |
Qualys fix for Control ID - {{ controlId }} | Fix title |
remediation | Fix description |
Compliance Status Mapping
Vulcan status | Connector Status |
Vulnerable | Any status other than passed (when a controlStatement is present) |
Fixed | passed |
Ignored - false positive | - |
Ignored - risk acknowledged | No controlStatement on the control |
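As an added example (not Vulcan's or Qualys' own code), the function below applies the compliance mapping and compliance status mapping tables above to constructed posture records: uniqueness keys, first/last seen dates, the criticality.value * 2 score, the title fallback, the status rule, and the fix fields. The input keys follow the table; the dict nesting (`hostId`, `criticality.value`) is an assumption.

```python
from dataclasses import dataclass

@dataclass
class VulcanFinding:
    instance_key: tuple   # Host ID + Control ID
    unique_key: str       # controlId
    first_seen: str       # firstFailDate or firstPassDate
    last_seen: str        # lastFailDate or lastPassDate
    score: float          # criticality.value * 2
    title: str            # controlStatement, or policyTitle + control id
    description: str      # rationale
    status: str           # vulnerable / fixed / riskAcknowledged
    fix_title: str        # "Qualys fix for Control ID - <controlId>"
    fix_description: str  # remediation

def map_posture(p: dict) -> VulcanFinding:
    """Map one Qualys posture record to a Vulcan finding (dict nesting assumed)."""
    control_id = str(p["controlId"])
    statement = p.get("controlStatement") or ""
    # Status: no controlStatement -> riskAcknowledged; else passed -> fixed, else vulnerable
    if not statement:
        status = "riskAcknowledged"
    elif p.get("status") == "passed":
        status = "fixed"
    else:
        status = "vulnerable"
    return VulcanFinding(
        instance_key=(str(p["hostId"]), control_id),
        unique_key=control_id,
        first_seen=p.get("firstFailDate") or p.get("firstPassDate") or "",
        last_seen=p.get("lastFailDate") or p.get("lastPassDate") or "",
        score=float(p["criticality"]["value"]) * 2,
        title=statement or f"{p.get('policyTitle', '')} - control id: {control_id}",
        description=p.get("rationale", ""),
        status=status,
        fix_title=f"Qualys fix for Control ID - {control_id}",
        fix_description=p.get("remediation", ""),
    )

# Constructed sample posture records (not real Qualys output).
SAMPLE_POSTURES = [
    {"hostId": 101, "controlId": 1071, "status": "failed", "criticality": {"value": 4},
     "controlStatement": "Minimum password length", "firstFailDate": "2024-03-01",
     "lastFailDate": "2024-03-20", "remediation": "Require at least 14 characters."},
    {"hostId": 101, "controlId": 2050, "status": "passed", "criticality": {"value": 3},
     "controlStatement": "Account lockout threshold", "firstPassDate": "2024-03-01",
     "lastPassDate": "2024-03-20"},
    {"hostId": 102, "controlId": 9001, "status": "failed", "criticality": {"value": 5},
     "controlStatement": None, "policyTitle": "Custom policy"},
]
```

The third record shows the edge case in the status rule: a failed posture with no controlStatement is imported as risk acknowledged, not as vulnerable.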
Compliance Score Mapping
Qualys score | Vulcan score |
criticality.value * 2 | Vulnerability score |
Compliance API URL
API | Use in Vulcan | Permission required |
{{qualys_api_url}}/api/2.0/fo/compliance/policy?action=list | Fetch the policies (in order to fetch the compliances) | Manage PC module |
{{qualys_api_url}}/api/2.0/fo/compliance/posture/info/?action=list&show_remediation_info=1&policy_id={{ policy_id }}&truncation_limit=5000 | Fetch the compliances (vulnerability instances) | Manage PC module |
{{qualys_api_url}}/api/2.0/fo/compliance/control/?action=list&ids={{ control_ids }} | Fetch the controls (unique vulnerabilities) | Manage PC module |
Compliance API Endpoint in Use
API version: 2.0
API | Use in Vulcan | Permission Required |
{{qualys_api_gateway_url}}/auth | Fetch auth token | Manage PC module |
{{qualys_api_gateway_url}}/pcrs/1.0/posture/policy/list | Fetch policies list | Manage PC module |
{{qualys_api_gateway_url}}/pcrs/1.0/posture/hostids?policyId={{policy_id}} | Fetch host ids list per policy | Manage PC module |
{{qualys_api_gateway_url}}/pcrs/2.0/posture/postureInfo?compressionRequired=1&evidenceRequired=0&excludeInactiveControl=0 | Fetch posture info per policy per group of hosts | Manage PC module |
Data Validation
The purpose of this "Data Validation" section is to provide a clear understanding of how data from Qualys is presented on the Vulcan Platform. By following the guidelines mentioned here, you will gain insights into matching unique vulnerabilities, assets, and vulnerability instances.
Assets Matching
To validate and compare assets between Vulcan and Qualys, we first retrieve assets from Vulcan using the API call: {{ server_url }}/api/2.0/fo/asset/host/.
However, in the Qualys UI, there isn't a direct filter to get all assets matching those from Vulcan's "hosts" endpoint.
Instead, we can validate a subset of assets from Qualys by navigating to the AssetView in Qualys. In Qualys AssetView, access "Assets" and search by the filter "activatedForModules:VM" to identify assets related to vulnerability management (VM).
In our example, Qualys reports 47 assets in this subset, while Vulcan indicates 55 assets. The gap arises from assets not included in the VM module in Qualys.
Vulnerabilities Instances Matching
We filter out supersedence vulnerabilities during the synchronization process; hence, these should not be ingested into Vulcan. In Qualys, navigate to AssetView, search for an asset name as it appears in Vulcan, and click on it. Go to the "Vulnerabilities" tab.
Ensure that all severities are selected.
The count of vulnerabilities in Qualys should match the count in Vulcan.
Unique Vulnerabilities Matching
In Qualys VMDR, navigate to "Vulnerabilities," view by "Vulnerability," group by "Vulnerability," and apply filters to exclude information, fixed, disabled, and ignored vulnerabilities. This displays only the vulnerabilities that are active in Vulcan.
In Qualys, we observe 1030 unique vulnerabilities, including supersedence vulnerabilities (which are filtered out in Vulcan).
Vulcan reports 1017 unique vulnerabilities. The discrepancy arises due to the exclusion of supersedence vulnerabilities in Vulcan.