Qualys VMDR
About this document
This document provides the step-by-step procedure to integrate SAFE with Qualys VMDR.
Introduction
Qualys Vulnerability Management (VM) is a cloud service that gives users global visibility into where their IT systems might be vulnerable to the latest Internet threats and how to protect against them.
Integrating SAFE with Qualys VMDR allows SAFE users to discover and import the assets and their respective Vulnerability Assessment results. Users can configure the pull of VA results at a pre-configured time interval and trigger an on-demand pull. Qualys VMDR integration has asset matching capability that enables SAFE to automatically add assets that are discovered through Qualys VMDR to their corresponding default group based on their Operating System.
- For assets (based on IP address) present in SAFE, the VA controls are added in SAFE based on the vulnerabilities found in Qualys.
- Users can specify Qualys Asset Tag IDs as filters for pulling selective assets and their related VA results from Qualys.
- Users can set the frequency in days (1-30 days) to pull the scan data regularly from Qualys.
Prerequisites
To configure Qualys, you need the following details:
- Qualys API URL - The URL should start with qualysapi and not qualysguard.
- Qualys API Credentials (Refer to Creating a user in Qualys with API access)
- Confirm that the Qualys user can log in to Qualys after creation.
- Ensure that the configured user has access to the Asset Groups you wish to ingest into SAFE.
- Verify that the SAFE Instance’s IP address is whitelisted in the user’s Qualys Instance.
- Qualys Asset Tags to filter the Assets in Qualys and their Vulnerability Data to pull VA results of selective Assets from Qualys. (Refer to Identifying Qualys Asset Tag IDs to use as a filter for VA results pull)
Creating a user in Qualys with API access
To connect Qualys with SAFE, you can either use the username and password of an existing user who has access to the Qualys API, or create a new user. The minimum access required for the user is Reader level, and the user should have both GUI and API access to set up the integration properly.
- Log in to your Qualys instance.
- Scroll down and select Administration from the top-left dropdown.
- On the Administration page, click the Create User button and select Create Reader User.
- On the New Reader User page, select the user role as Reader (or a higher role).
- Mark the API and GUI access checkboxes.
- Click Save. The new user will get an email to verify login and complete the user registration process. We can now use the credentials to connect SAFE with Qualys.
Identifying Qualys Asset Tag IDs to use as a filter for VA results pull
The SAFE-Qualys integration allows users to specify Qualys Asset Tag IDs as filters for pulling selective assets and their related VA results from Qualys. This lets SAFE fetch only the selected information, which reduces the time it takes to fetch VA results when the data set is large. Users can configure and reconfigure the filter any number of times.
Get the Asset Tag IDs
Get the Asset Tag IDs from Qualys as follows:
- Log in to Qualys and click the Global AssetView option from the top-left dropdown.
- Select the Tags tab. The system displays a list of available tags.
- Identify the tag(s) to which the Assets are tagged in Qualys. Click the Down Arrow next to the Tag Name.
- From the dropdown, click the View option.
- The tag information will be shown with the Tag ID available on the right side of the page. Collect all the Tag IDs required to identify all eligible assets. We will use these Tag IDs while configuring Qualys with SAFE.
- Users can also create a new Tag if no available tag is suitable for filtering.
Configure Qualys
To configure Qualys:
- Navigate to SAFE Hooks.
- Click the Qualys VMDR card.
- Enter the Qualys API URL, Username, Password, and Auto-Sync Frequency.
- Enter the Tag Filters for pulling selective assets and their related VA results from Qualys.
- Select the Auto Onboard New Assets checkbox to onboard the new assets if required.
- Click the Test Connection button.
- Once the connection is verified, click Save Configuration.
- The Qualys user’s credentials used to establish the connection must have Admin privileges for this integration to work. The SAFE Instance's IP should be whitelisted in the customer's Qualys instance.
- Users can pull the scan results on-demand by clicking the “Sync Now” button on the Qualys configuration page.
- SAFE only supports importing VA results from Qualys for assets in the following technology groups:
  - Network and Security Nodes
  - Server
  - End Points
  - Others
View results
Once Qualys is configured, SAFE pulls all the VA scan results from Qualys. For assets (based on IP address) present in SAFE, the VA controls are added in SAFE based on the vulnerabilities found in Qualys. To view the result for an asset:
- Navigate to Technology > Assets.
- Filter the asset list for the source as security.safe.qualys-vmdr. The system displays the Qualys VMDR assets.
- Click an asset in the list. The system displays the controls and their status.
FAQs
Question 1. I do not see the expected number of assets in SAFE
Answer: This is normally the result of incorrectly configured permissions for the Qualys user that has been configured in SAFE. To confirm the assets that can be seen by the Qualys user, you can use the following cURL command to query the Qualys API and return the list of host IDs that this user can view.
To use the command below, you will need to:
- Update the FQDN for your Qualys endpoint - https://qualysapi.<host name>.apps.qualys.com
- Update the username/password with a BASE64 encoded string of the username/password for the Qualys user.
  - For example, for the username "qualys1" and password "password123", encode the string "qualys1:password123" to give the output "cQB1AGEAbAB5AHMAMQA6AHAAYQBzAHMAdwBvAHIAZAAxADIAMwA=", which you would then substitute for <BASE_64_ENCODED_username:password>.
curl --location --request GET 'https://qualysapi.<host name>.apps.qualys.com/api/2.0/fo/asset/host?action=list&details=None' \
--header 'X-Requested-With: QualysPostman' \
--header 'Authorization: Basic <BASE_64_ENCODED_username:password>'
The API should respond with the list of hosts the user can view, similar to the example below.
<HOST_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2023-10-05T11:01:32Z</DATETIME>
    <ID_SET>
      <ID>222603114</ID>
      <ID>222615064</ID>
      <ID>222834012</ID>
      <ID>223399088</ID>
      <ID>228352379</ID>
      <ID>237917698</ID>
      <ID>237956085</ID>
      <ID>247442977</ID>
      <ID>251223661</ID>
      <ID>251464069</ID>
    </ID_SET>
  </RESPONSE>
</HOST_LIST_OUTPUT>
If the number of hosts is less than expected, check in your Qualys Administration permissions that the user has a "Global Scope" configured with the expected asset group tags. You may wish to check the box "Allow user view access to all objects" to give complete asset visibility at the global level.
If the number of hosts is as expected, check the SAFE Hook to confirm that you have not configured any filters and whether there are any errors in the transaction history.
If the issue persists, please contact SAFE Support.
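A helper for the check described in this FAQ, added here as an example and not part of SAFE or Qualys tooling: it builds the Basic credential from the plain bytes of username:password, flags a value that was base64-encoded from UTF-16 text (the sample string in the FAQ decodes that way, so generate your own rather than copying it), and counts the hosts in a saved response. The function names, the sample IDs and the ID_RANGE handling are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the response shown above (IDs are made up).
# ID_RANGE is an assumption: the page's sample lists only single <ID> elements.
SAMPLE_RESPONSE = """<HOST_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2023-10-05T11:01:32Z</DATETIME>
    <ID_SET>
      <ID>1001</ID>
      <ID>1002</ID>
      <ID_RANGE>2000-2002</ID_RANGE>
    </ID_SET>
  </RESPONSE>
</HOST_LIST_OUTPUT>"""


def basic_auth_value(username: str, password: str) -> str:
    """Base64 of the plain bytes of 'username:password', as curl -u would send."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def is_utf16_encoded(value: str) -> bool:
    """True when the decoded credential contains NUL bytes, the signature of
    encoding UTF-16 text (for example PowerShell's Unicode encoding)."""
    return b"\x00" in base64.b64decode(value, validate=True)


def count_visible_hosts(xml_text: str) -> int:
    """Count host IDs in a HOST_LIST_OUTPUT document, expanding any ranges."""
    root = ET.fromstring(xml_text)
    if root.tag != "HOST_LIST_OUTPUT":
        # Anything else (such as an error document) is not a host list.
        raise ValueError(f"unexpected response root: {root.tag}")
    total = 0
    for node in root.findall("./RESPONSE/ID_SET/*"):
        text = (node.text or "").strip()
        if node.tag == "ID" and text.isdigit():
            total += 1
        elif node.tag == "ID_RANGE":
            first, last = (int(part) for part in text.split("-"))
            total += last - first + 1
    return total


if __name__ == "__main__":
    header = basic_auth_value("qualys1", "password123")
    print("Authorization: Basic", header, "| UTF-16:", is_utf16_encoded(header))
    print("hosts visible to this user:", count_visible_hosts(SAMPLE_RESPONSE))
```

Save the cURL output to a file and pass its contents to `count_visible_hosts` to compare the total with the number of assets you expect in SAFE.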