Qualys VMDR

About this document


This document provides the step-by-step procedure to integrate SAFE with Qualys VMDR.

Introduction


Qualys Vulnerability Management (VM) is a cloud service that gives users global visibility into where their IT systems might be vulnerable to the latest Internet threats and how to protect against them. 

Integrating SAFE with Qualys VMDR allows SAFE users to discover and import the assets and their respective Vulnerability Assessment results. Users can configure the pull of VA results at a pre-configured time interval and trigger an on-demand pull. Qualys VMDR integration has asset matching capability that enables SAFE to automatically add assets that are discovered through Qualys VMDR to their corresponding default group based on their Operating System.

  • For assets (based on IP address) present in SAFE, the VA controls are added in SAFE based on the vulnerabilities found in Qualys.
  • Users can specify Qualys Asset Tag IDs as filters for pulling selective assets and their related VA results from Qualys. 
  • Users can set the frequency in days (1-30 days) to pull the scan data regularly from Qualys.

Prerequisites


To configure Qualys, you need the following details:

  • Qualys API URL -  The URL should start with qualysapi and not qualysguard. (The API URL for your Qualys platform can be determined here)
  • Qualys API Credentials (Refer to Creating a user in Qualys with API access)
    • Confirm that the Qualys user can log in to Qualys after creation.
    • Ensure that the configured user has access to the Asset Groups you wish to ingest into SAFE.
  • Confirmation that the SAFE instance’s IP address is whitelisted in the user’s Qualys instance.
  • Qualys Asset Tags to filter the Assets in Qualys and their Vulnerability Data to pull VA results of selective Assets from Qualys. (Refer to Identifying Qualys Asset Tag IDs to use as a filter for VA results pull)

Creating a user in Qualys with API access


To connect Qualys with SAFE, you can either use the username and password of an existing user who has access to the Qualys API, or create a new user. The minimum access required for the user is Reader level, and the user should have both GUI and API access to set up the integration properly.

Information
You need Admin access to create a new user in Qualys.
  1. Log in to your Qualys instance.
  2. Scroll down and select Administration from the top-left dropdown.
  3. On the Administration page, click the Create User button and select Create Reader User.

  4. On the New Reader User page General Information tab, complete the mandatory basic information fields as needed for your environment.
  5. On the New Reader User page User Role tab, select the User Role as Reader (or a higher role).
  6. Mark the API and GUI access checkboxes.
  7. Click Save. The new user will get an email to verify login and complete the user registration process. We can now use the credentials to connect SAFE with Qualys.
Note
Ensure that the user account you've set up for SAFE has been granted access to an asset group called All. This access is crucial, as Qualys's APIs will only function properly when this level of access is granted. Otherwise, there may be issues with retrieving assets and vulnerability assessment control information when pulling data into SAFE.

Identifying Qualys Asset Tag IDs to use as a filter for VA results pull

The SAFE-Qualys integration allows users to specify Qualys Asset Tag IDs as filters for pulling selective assets and their related VA results from Qualys. This lets SAFE fetch only the selected information, reducing the time it takes to fetch VA results when the data set is large. Users can configure and reconfigure the filter any number of times.

User Permissions
Note that the user you have created to use with the SAFE integration must have access to the Asset Groups you select below.

Get the Asset Tag IDs

Get the Asset Tag IDs from Qualys as follows:

  1. Log in to Qualys and click the Global AssetView option from the top-left dropdown.
  2. Select the Tags tab. The system displays a list of available tags.
  3. Identify the tag(s) to which the Assets are tagged in Qualys. Click the Down Arrow next to the Tag Name. 
  4. From the dropdown, click the View option.
  5. The tag information will be shown with the Tag ID available on the right side of the page. Collect all the Tag IDs required to identify all eligible assets. We will use these Tag IDs while configuring Qualys with SAFE.
  6. Users can also create a new Tag if no available tag is suitable for filtering.

Configure Qualys


To configure Qualys:

  1. Navigate to the SAFE Hooks.
  2. Click the QualysVMDR card.
  3. Enter the Qualys API URL, Qualys Username, and Qualys Password (for the Qualys user that was configured for API access in the previous section).
  4. Configure the Auto-Sync Frequency value in days or leave the default value.
  5. Enter the Tag Filters for pulling selective assets and their related VA results from Qualys.
  6. Select the Auto Onboard New Assets checkbox to onboard the new assets if required.
  7. Click the Test Connection button.
  8. Once the connection is verified, click Save Configuration.

Qualys VMDR Configuration

Notes:
  • The Qualys user’s credentials used to establish the connection must have Admin privileges for this integration to work. The SAFE instance's IP should be whitelisted in the customer's Qualys instance.
  • Users can pull the scan results on-demand by clicking the “Sync Now” button on the Qualys configuration page.
  • SAFE only supports importing VA results from Qualys for assets in the following technology groups:
    • Network and Security Nodes
    • Server
    • End Points
    • Others

View results


Once Qualys is configured, SAFE pulls all the VA scan results from Qualys. For assets (based on IP address) present in SAFE, the VA findings are added in SAFE based on the vulnerabilities found in Qualys.

View Assets

To view the assets pulled from Qualys VMDR:

  1. Click the See Updated Assets button available at the top-right of the History table.
  2. The system displays a filtered list of assets pulled from Qualys VMDR.

View Findings

To view the findings:

Note
To view findings related to assets, the assets should be assigned to at least one group and its associated risk scenarios. The Findings view on the Risk Scenario page will present the findings list along with their respective details.
  1. Navigate to the Risk Scenario created for the Qualys VMDR assets.
  2. Scroll down to the Findings section. Here you can see the finding details of the Qualys VMDR assets.

FAQs


I do not see the expected number of assets in SAFE. Why?

This is normally a result of incorrectly configured permissions for the Qualys user that has been configured in SAFE. To confirm which assets the Qualys user can see, you can use the following cURL command to query the Qualys API and return the list of host IDs that this user can view.

Command Substitutions:

To use the below command, you will need to:

  • Update the FQDN for your Qualys endpoint - https://qualysapi.<host name>.apps.qualys.com
  • Replace the username/password placeholder with a BASE64 encoded string of the username/password for the Qualys user.
    • For example, for the username "qualys1" and password "password123", encode the string "qualys1:password123" to give the output "cQB1AGEAbAB5AHMAMQA6AHAAYQBzAHMAdwBvAHIAZAAxADIAMwA=", which you would then substitute for <BASE_64_ENCODED_username:password>.

curl --location --request GET 'https://qualysapi.<host name>.apps.qualys.com/api/2.0/fo/asset/host?action=list&details=None' \
--header 'X-Requested-With: QualysPostman' \
--header 'Authorization: Basic <BASE_64_ENCODED_username:password>'

The API should respond with the list of hosts the user can view, similar to the example below.

<HOST_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2023-10-05T11:01:32Z</DATETIME>
        <ID_SET>
            <ID>222603114</ID>
            <ID>222615064</ID>
            <ID>222834012</ID>
            <ID>223399088</ID>
            <ID>228352379</ID>
            <ID>237917698</ID>
            <ID>237956085</ID>
            <ID>247442977</ID>
            <ID>251223661</ID>
            <ID>251464069</ID>
        </ID_SET>
    </RESPONSE>
</HOST_LIST_OUTPUT>

If the number of hosts is less than expected, check in your Qualys Administration permissions that the user has a "Global Scope" configured with the expected asset group tags. You may wish to check the box "Allow user view access to all objects" to give complete asset visibility at the global level.
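
A local check for the credential substitution and the host count described above, as an added example (not SAFE or Qualys code; the function names are hypothetical and the sample response is constructed). Basic authentication expects the base64 of the single-byte "username:password" string, so the script builds the token that way, flags tokens that were encoded from UTF-16 text, and counts the host IDs in a response:

```shell
#!/bin/sh
# Added example, not SAFE or Qualys code. Function names are hypothetical.

# Build the Basic token from the raw bytes of "user:password".
# printf '%s' avoids the trailing newline that echo would append to the secret.
basic_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Succeeds only if the token decodes without NUL bytes. A token generated from
# UTF-16 text (for example PowerShell's [Text.Encoding]::Unicode) carries a NUL
# after every ASCII character and does not match the account's credentials.
token_is_single_byte() {
    nul_count=$(printf '%s' "$1" | base64 -d | tr -dc '\000' | wc -c | tr -d ' ')
    [ "$nul_count" -eq 0 ]
}

# Count the <ID> elements of a HOST_LIST_OUTPUT document read from stdin.
count_host_ids() {
    grep -o '<ID>[0-9][0-9]*</ID>' | wc -l | tr -d ' '
}

# Constructed response in the shape shown above (IDs are made up).
sample_response='<HOST_LIST_OUTPUT><RESPONSE><ID_SET>
<ID>1001</ID><ID>1002</ID>
<ID>1003</ID>
</ID_SET></RESPONSE></HOST_LIST_OUTPUT>'

# Token string quoted in the substitution notes above, checked as-is.
page_sample='cQB1AGEAbAB5AHMAMQA6AHAAYQBzAHMAdwBvAHIAZAAxADIAMwA='

token=$(basic_token qualys1 password123)
for t in "$token" "$page_sample"; do
    if token_is_single_byte "$t"; then
        echo "usable for Basic auth: $t"
    else
        echo "UTF-16 encoded, regenerate: $t"
    fi
done

# Live use: pipe the curl command's output into count_host_ids instead.
echo "hosts visible: $(printf '%s' "$sample_response" | count_host_ids)"
```

A token that fails the check should be regenerated from the plain string before the permission settings are investigated, since a rejected login and a restricted scope both show up as missing assets.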

If the number of hosts is not as expected, check the SAFE Hook to confirm that you have not configured any filters, and check whether there are errors in the transaction history.

If the issue persists, please contact SAFE Support.

