Qualys VMDR
About this document
This document provides the step-by-step procedure to integrate SAFE with Qualys VMDR.
Introduction
Qualys Vulnerability Management (VM) is a cloud service that gives users global visibility into where their IT systems might be vulnerable to the latest Internet threats and how to protect against them.
Integrating SAFE with Qualys VMDR allows SAFE users to discover and import the assets and their respective Vulnerability Assessment results. Users can configure the pull of VA results at a pre-configured time interval and trigger an on-demand pull. Qualys VMDR integration has asset matching capability that enables SAFE to automatically add assets that are discovered through Qualys VMDR to their corresponding default group based on their Operating System.
For assets (based on IP address) present in SAFE, the VA controls are added in SAFE based on the vulnerabilities found in Qualys.
Users can specify Qualys Asset Tag IDs as filters for pulling selective assets and their related VA results from Qualys.
Users can set the frequency in days (1-30 days) to pull the scan data regularly from Qualys.
Prerequisites
To configure Qualys, you need the following details:
Qualys API URL - The URL should start with qualysapi and not qualysguard.
Qualys API Credentials (Refer to Creating a user in Qualys with API access)
Confirm that the Qualys user can log in to Qualys after creation.
Ensure that the configured user has access to the Asset Groups you wish to ingest into SAFE.
Verify that the SAFE instance's IP address is whitelisted in the user's Qualys instance.
Qualys Asset Tags to filter the Assets in Qualys and their Vulnerability Data to pull VA results of selective Assets from Qualys. (Refer to Identifying Qualys Asset Tag IDs to use as a filter for VA results pull)
Creating a user in Qualys with API access
To connect Qualys with SAFE, you can use either an existing user’s username and password, which has access to the Qualys API, or you can create a new user. The minimum access required for the user is Reader level, and the user should have both GUI and API access to set up the integration properly.
Information
You need Admin access to create a new user in Qualys.
Log in to your Qualys instance.
Scroll down and select Administration from the top-left dropdown.
On the Administration page, click the Create User button and select Create Reader User.
On the New Reader User page, select the user role as Reader (or a higher role).
Mark the API and GUI access checkboxes.
Click Save. The new user will get an email to verify login and complete the user registration process. We can now use the credentials to connect SAFE with Qualys.
Note
Ensure that the user account you've set up for SAFE has been granted access to an asset group called All. This access is crucial, as Qualys's APIs will only function properly when this level of access is granted. Otherwise, there may be issues with retrieving assets and vulnerability assessment control information when pulling data into SAFE.
Identifying Qualys Asset Tag IDs to use as a filter for VA results pull
The SAFE-Qualys integration allows users to specify Qualys Asset Tag IDs as filters for pulling selective assets and their related VA results from Qualys. This lets SAFE fetch only the selected information, which reduces the time it takes to fetch VA results when the data set is large. Users can configure and reconfigure the filter any number of times.
User Permissions
Note that the user you have created to use with the SAFE integration must have access to the Asset Groups you select below.
Get the Asset Tag IDs
Get the Asset Tag IDs from Qualys as follows:
Log in to Qualys and click the Global AssetView option from the top-left dropdown.
Select the Tags tab. The system displays a list of available tags.
Identify the tag(s) to which the Assets are tagged in Qualys. Click the Down Arrow next to the Tag Name.
From the dropdown, click the View option.
The tag information is shown with the Tag ID on the right side of the page. Collect all the Tag IDs required to identify all eligible assets. We will use these Tag IDs while configuring Qualys with SAFE.
Users can also create a new tag if no available tag is suitable for filtering.
Configure Qualys
To configure Qualys:
Navigate to the SAFE Hooks.
Click the QualysVMDR card.
Enter the Qualys API URL, Username, Password, and Auto-Sync Frequency.
Enter the Tag Filters for pulling selective assets and their related VA results from Qualys.
Select the Auto Onboard New Assets checkbox to onboard the new assets if required.
Click the Test Connection button.
Once the connection is verified, click Save Configuration.
Notes:
The Qualys user's credentials used to establish the connection must have Admin privileges for this integration to work. The SAFE instance's IP address should be whitelisted in the customer's Qualys instance.
Users can pull the scan results on-demand by clicking the “Sync Now” button on the Qualys configuration page.
SAFE only supports importing VA results from Qualys for assets in the following technology groups:
Network and Security Nodes
Server
End Points
Others
Support for pulling Asset Tags from Qualys
SAFE supports pulling asset tags from Qualys into SAFE via custom-field creation. Perform the following steps to ingest tags in SAFE:
From the left navigation menu, go to Settings > Custom Fields.
Add a new custom-field with the name: qualys-tags
View results
Once Qualys is configured, SAFE pulls all the VA scan results from Qualys. For assets (based on IP address) present in SAFE, the VA findings are added in SAFE based on the vulnerabilities found in Qualys.
Go to the integration homepage.
Scroll to find the Qualys integration card or search for Qualys in the search bar.
Click on the Qualys integration card for Finding View and Asset View.
Finding View: This tab displays all the findings details pulled from Qualys.
Asset View: This tab displays all the Asset details pulled from Qualys.
(Optional) To view the ingested tags for assets, add a column with the name: Custom Field: qualys-tags
FAQs
Question 1. I do not see the expected number of assets in SAFE
Answer: This is normally a result of incorrectly configured permissions for the Qualys user that has been configured in SAFE. To confirm which assets the Qualys user can see, use the following cURL command to query the Qualys API and return the list of host IDs that this user can view.
Command Substitutions:
To use the below command, you will need to:
Update the FQDN for your Qualys endpoint - https://qualysapi.<host name>.apps.qualys.com
Update the username/password with a BASE64 encoded string of the username/password for the Qualys user.
For example, for the username "qualys1" and password "password123", encode the string "qualys1:password123" to give the output "cQB1AGEAbAB5AHMAMQA6AHAAYQBzAHMAdwBvAHIAZAAxADIAMwA=", which you would then substitute for <BASE_64_ENCODED_username:password>
curl --location --request GET 'https://qualysapi.<host name>.apps.qualys.com/api/2.0/fo/asset/host?action=list&details=None' \
--header 'X-Requested-With: QualysPostman' \
--header 'Authorization: Basic <BASE_64_ENCODED_username:password>'
The API should respond with the list of hosts the user can view, similar to the example below.
<HOST_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2023-10-05T11:01:32Z</DATETIME>
<ID_SET>
<ID>222603114</ID>
<ID>222615064</ID>
<ID>222834012</ID>
<ID>223399088</ID>
<ID>228352379</ID>
<ID>237917698</ID>
<ID>237956085</ID>
<ID>247442977</ID>
<ID>251223661</ID>
<ID>251464069</ID>
</ID_SET>
</RESPONSE>
</HOST_LIST_OUTPUT>
If the number of hosts is lower than expected, check in your Qualys Administration permissions that the user has a "Global Scope" configured with the expected asset group tags. You may wish to check the box "Allow user view access to all objects" to give complete asset visibility at the global level.
If the number of hosts is not as expected, check the Qualys VMDR configuration page in SAFE, confirm that you have configured the correct filters, and check the sync history for errors.
If the issue persists, please contact SAFE Support.
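The visibility check from Question 1 as a script, added here as an example that is not part of the SAFE or Qualys documentation: it builds the Basic token from the UTF-8 bytes of username:password, flags a token produced by a UTF-16 encoder (it decodes to bytes containing NULs and will not match the account's credentials), and counts the host IDs in a response. The function names are assumptions of this example, and the sample response is trimmed from the example output above.

```shell
#!/bin/sh
# Added example: helper names and the sample data are illustrative assumptions.

# Basic token = base64 of the UTF-8 bytes of "user:password".
# printf is used because echo would append a newline to the encoded input.
basic_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Succeeds when a token decodes to bytes containing NULs, which is what a
# UTF-16 encoder produces for ASCII credentials; such a token is rejected.
token_is_utf16() {
  printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | grep -q ' 00'
}

# Count the <ID> elements of a HOST_LIST_OUTPUT response read from stdin.
count_host_ids() {
  grep -o '<ID>[0-9]*</ID>' | wc -l | tr -d ' '
}

# Live query using the endpoint and headers from the cURL command above.
# $1 = Qualys API host name, $2 = username, $3 = password
list_visible_hosts() {
  curl --silent --location \
    --header 'X-Requested-With: QualysPostman' \
    --header "Authorization: Basic $(basic_token "$2" "$3")" \
    "https://$1/api/2.0/fo/asset/host?action=list&details=None"
}

# Sample response trimmed from the example output above (three of its IDs).
SAMPLE_RESPONSE='<HOST_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2023-10-05T11:01:32Z</DATETIME>
<ID_SET>
<ID>222603114</ID>
<ID>222615064</ID>
<ID>222834012</ID>
</ID_SET>
</RESPONSE>
</HOST_LIST_OUTPUT>'

echo "token: $(basic_token qualys1 password123)"
echo "visible hosts in sample: $(printf '%s\n' "$SAMPLE_RESPONSE" | count_host_ids)"
```

Against a live instance, pipe `list_visible_hosts` into `count_host_ids` and compare the result with the asset count expected in SAFE.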