Understanding the Qualys Vulnerability Integration

  • Release version: Xanadu
  • Updated August 1, 2024

    The Qualys product sensors collect the data and automatically send it to the Qualys application, which continuously analyzes and correlates the information. The Qualys application integrates with Vulnerability Response through the Qualys Vulnerability Integration, which maps vulnerabilities to CIs and business services to determine the impact and priority of potentially malicious threats.

    Configure your Qualys Vulnerability Integration using Vulnerability > Administration > Setup Assistant to make data retrieval more flexible and scalable.

    If you have multiple deployments of the Qualys Cloud Platform application, you can add an integration for each deployment. Assets identified by multiple third-party deployments, together with their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response. Qualys Vulnerability Integration Knowledge Base records are normalized across deployments, ensuring that instances of the same vulnerability across deployments are treated as the same vulnerability.
    Note:
    You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Note:
    While the Qualys Vulnerability Integration creates integrations for Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required for normal operation.

    Available versions

    Release version for Xanadu Release Notes

    Qualys Vulnerability Integration v12.7, v12.8

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    Installed components

    For a current list of the roles, integration jobs, and tables that are installed with the integration, as well as a link to instructions for how to view what is currently installed in your instance, see Components installed with the Qualys Vulnerability Integration.

    Primary and Supporting Integrations

    Qualys primary and supporting integrations enrich the vulnerability data on your instance by retrieving data from the Qualys Vulnerability Integration. A series of scheduled jobs invoke the integrations automatically. You can also execute them manually. Scheduled jobs simplify the vulnerability remediation lifecycle by keeping the instance synchronized with other vulnerability management systems. Primary and supporting integrations can be modified.

    The Qualys integrations are executed as scheduled jobs. There is a configured run-as user for each integration record. The default value for this user is VR.System. This value should not be changed.
    Note:
    Failing to set a valid run-as user results in multiple, often duplicate, data retrieval attachments on the data source records, every time the integration runs. Multiple attachments on the data source increase processing time, resulting in inconsistent transform results.

    During import, CVE records that are not already present are created as NVD records and referenced in third-party entries for Qualys by default.

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Primary integrations

    A primary integration is an entry point to the Qualys Cloud Platform. It interacts with the Qualys API and is invoked on a schedule.

    View the primary integrations by navigating to Qualys Vulnerability Integration > Administration > Primary Integrations.

    Supporting integrations

    A supporting integration is a process that is not intended to run on a schedule or without being invoked by a primary integration.

    View the supporting integrations by navigating to Qualys Vulnerability Integration > Administration > Supporting Integrations.

    Service Graph Connector for Qualys

    Beginning with version 2.2, the Service Graph Connector for Qualys is available from the ServiceNow® Store. See Service Graph Connector for Qualys for more information.

    Data from the Qualys data source fields is imported with the Global Asset API and the Asset Management and Tagging API.

    Global Asset API:
    • A CSAM license is required.
    • Asset information includes details such as Hardware Category and OS Category.
    Asset Management and Tagging API:
    • A CSAM license is not required.
    • Asset information does not include details about Hardware Category and OS Category.

    For more information, see Service Graph Connector for Qualys APIs.

    Create CIs using the Identification and Reconciliation Engine (IRE)

    You can use the Identification and Reconciliation Engine to create new CIs when an existing CI cannot be matched with a host imported from a third-party scanner. Enable the CMDB CI Class Models plugin to create CIs using the new classes, otherwise unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see Updating CI class for unmatched cloud assets.

    Search lists

    Search lists are used in Qualys to create custom groups of vulnerabilities. You can save them and use them for ticket creation and to customize vulnerability scans and reports. The Search Lists module allows you to download search list data from Qualys to your instance on a scheduled basis.

    Search lists are pulled from Qualys using the Dynamic Search List Import and/or Static Search List Import data transformation maps. In each of these transforms, you can define schedules for performing the import.

    Option profiles

    Option profiles are available with Qualys scan settings. An option profile is required when you initiate a scan from your ServiceNow AI Platform.

    Option profiles are imported from the Qualys product by the Option Profile List Integration. You might prefer to run the Option Profile List Integration after an import from the search list integrations (the Qualys Dynamic Search List and Qualys Static Search List Integrations) so that you can see which search lists are associated with option profiles.

    Asset groups

    Asset groups are set up in the Qualys platform. Asset groups identify which scanner appliances are used for scanning matching IP addresses when a scan is initiated from the ServiceNow AI Platform.

    Asset groups that have associated appliances are pulled from Qualys by the Asset Group List Integration.

    Initiate the Appliance List Integration after you import asset groups to populate the Appliance name and Appliance status fields on the Qualys Default Applications records in your ServiceNow AI Platform.

    Host tags

    All host tags are imported as part of the Qualys Host List integration. Host tags are used primarily for filtering in Vulnerability Response Assignment and Vulnerability Group Rules. They are displayed in the Discovered Item form.
    Note:
    The Qualys Host List integration should be run prior to creating Assignment or Remediation Task Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.
    • Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. 'San Diego' and 'SAN DIEGO' are considered to be the same host tag. Whichever tag was imported first wins.
    • Using host tags as a Group Key in a Remediation Task Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
    • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

    Host tags (also called asset tags) are used for organizing and tracking the assets in your organization. You can assign tags to your host assets. Then, when launching scans, you can select tags associated with the hosts you want to scan. The Host Tags module allows you to download host tag data from Qualys to your instance on a scheduled basis.

    Reopen resolved vulnerable items not closed by scans

    Vulnerable items set to 'Resolved' in your ServiceNow AI Platform instance but not transitioned to 'Closed/Fixed' by the third-party integration runs are reopened if they are detected during rescans.

    For Qualys detections, if the scanner continues to find VIs that were set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans, these VIs move back to 'Open' when the last found date is later than the Resolved date.
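    The reopen rule above, written out as an added example (not ServiceNow code) to show its edge cases: a detection that predates the resolution, or carries the same timestamp, does not reopen the item. The field names, state strings and sample records are hypothetical and constructed for illustration.

```javascript
// Added example, not ServiceNow code. Field names and state strings are
// hypothetical stand-ins for the vulnerable item record.
function stateAfterRescan(vi) {
  // The rule on this page concerns only items currently in 'Resolved'.
  if (vi.state !== 'Resolved') return vi.state;
  const resolved = Date.parse(vi.resolvedOn);
  const lastFound = Date.parse(vi.lastFound);
  // Assumption: with a missing or unparseable date there is nothing to
  // compare, so the item is left unchanged.
  if (Number.isNaN(resolved) || Number.isNaN(lastFound)) return vi.state;
  // "Later than" is strict: an equal timestamp does not reopen the item.
  return lastFound > resolved ? 'Open' : 'Resolved';
}

// Ids of the items whose state changes when the rule is applied.
function reopened(items) {
  return items.filter(vi => stateAfterRescan(vi) !== vi.state).map(vi => vi.id);
}

// Constructed sample records.
const SAMPLE_ITEMS = [
  // Found again two days after it was marked Resolved: reopened.
  { id: 'VI-1', state: 'Resolved', resolvedOn: '2024-07-01T09:00:00Z', lastFound: '2024-07-03T02:00:00Z' },
  // Last detection predates the resolution: stays Resolved.
  { id: 'VI-2', state: 'Resolved', resolvedOn: '2024-07-05T09:00:00Z', lastFound: '2024-07-03T02:00:00Z' },
  // Same timestamp: not "later than", stays Resolved.
  { id: 'VI-3', state: 'Resolved', resolvedOn: '2024-07-03T02:00:00Z', lastFound: '2024-07-03T02:00:00Z' },
  // Not in Resolved: outside the rule.
  { id: 'VI-4', state: 'Closed', resolvedOn: '2024-07-01T09:00:00Z', lastFound: '2024-07-03T02:00:00Z' },
  // No last found date recorded: left unchanged.
  { id: 'VI-5', state: 'Resolved', resolvedOn: '2024-07-01T09:00:00Z' },
];

console.log(reopened(SAMPLE_ITEMS));
```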

    Data retrieval limitations

    By default, there are no restrictions on how data is retrieved from Qualys. Many records can be related to low severity vulnerabilities that a customer is not willing to remediate using their vulnerability response process. Updating the corresponding REST message/method parameters can modify this behavior.

    The REST message/method responsible for this update is Qualys Host Detection – Standard/post. To update the values, add a new HTTP Query Parameter to the post method with the following values:
    • Name: severities
    • Value: 3-5 (or whatever appropriate severities are desired)
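    Before setting the severities parameter, it helps to check the value and see which detections it would leave out of the import. The following is an added example, not ServiceNow or Qualys code; it assumes the value is a comma-separated list of single levels or dash ranges between 1 and 5, and the record field names and sample data are constructed.

```javascript
// Added example, not ServiceNow or Qualys code.
// Assumption: the value is a comma-separated list of levels or dash ranges in 1-5.
function parseSeverities(spec) {
  const levels = new Set();
  for (const part of String(spec).split(',')) {
    const m = /^\s*([1-5])(?:\s*-\s*([1-5]))?\s*$/.exec(part);
    if (!m) throw new Error(`invalid severities entry: "${part}"`);
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo > hi) throw new Error(`reversed range: "${part.trim()}"`);
    for (let s = lo; s <= hi; s++) levels.add(s);
  }
  return levels;
}

// Count how many detections the filter retains and how many it leaves out per level.
function previewFilter(spec, detections) {
  const keep = parseSeverities(spec);
  const out = { retained: 0, skipped: 0, skippedBySeverity: {} };
  for (const d of detections) {
    if (keep.has(d.severity)) { out.retained++; continue; }
    out.skipped++;
    out.skippedBySeverity[d.severity] = (out.skippedBySeverity[d.severity] || 0) + 1;
  }
  return out;
}

// Constructed sample records; field names and ids are hypothetical, not Qualys output.
const SAMPLE_DETECTIONS = [
  { host: 'app-01', qid: 900001, severity: 5 },
  { host: 'app-01', qid: 900002, severity: 2 },
  { host: 'db-01',  qid: 900003, severity: 3 },
  { host: 'db-01',  qid: 900004, severity: 1 },
  { host: 'web-02', qid: 900005, severity: 4 },
  { host: 'web-02', qid: 900006, severity: 2 },
];

console.log(previewFilter('3-5', SAMPLE_DETECTIONS));
```

    The skipped counts show what Vulnerability Response will no longer receive, which is worth reviewing against your remediation policy before narrowing the range.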

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.