QualysGuard Vulnerability Management automates the lifecycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking.
Use the QualysGuard Vulnerability Management Connector to import your vulnerability scan information into Cisco Vulnerability Management to assist you in reducing risk across your environment.
Platform support
Currently, Cisco Vulnerability Management supports the following Qualys PODs:
- Qualys cloud: US1, US2, US3, US4, Qualys EU1, Qualys EU2, Qualys Canada, Qualys India, Qualys AE, Qualys UK, Qualys AU
Prerequisites
- You must have API access.
- You must manually log in to Qualys once to complete registration.
- Cisco Vulnerability Management will "see" whatever the Qualys user account can access.
- The user must be a "manager account" to pull hierarchical tag data from Qualys.
Configuring Your Qualys Connector in Cisco Vulnerability Management
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click Qualys VM.
4. On the QualysGuard page, enter the following information:
- Name: Enter a name for the connector, or leave it as QualysGuard.
- Region: Select the Qualys POD/Region that your instance resides on.
- Username and Password: Enter your Qualys username and password.
- Schedule: Select the frequency that you'd like your Connector to run.
- Asset Inactivity Limit: Enter a time in days for the connector-level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans. The connector inactivity limit takes precedence over the Global limit for all items seen by the connector.
5. Click Save And Verify.
What Qualys items are synced with Cisco Vulnerability Management items?
| Qualys Field | Cisco Vulnerability Management | Notes |
| --- | --- | --- |
| Title | Name | |
| Qualys ID | Identifier (Vulnerability) | |
| cvss/temporal | CVSS Temporal Score | |
| Diagnosis | Description | |
| Solution | Solution/Fix | |
| Severity | scanner_score | 1-5 |
| Status | Vulnerability Status | Only maps Open, Closed, and Re-opened vulnerabilities. For re-opened vulnerabilities, the status "Re-opened" is only passed on the connector run most recently after the vuln is reopened. It is listed as Open in Cisco Vulnerability Management, but provided you have "Re-opened" status tracking enabled (see Optional Settings below) we will deposit the date of re-open in that custom field for the vulnerability which was reopened (date in UTC). |
| Results | Details | |
| vulnerability > cve (qid) | CVE | |
| vulnerability > pci_related | PCI | Binary Yes / No: is the vuln PCI related |
| Vulnerability > Port | Ports | |
| last_seen_time | Last Seen | |
| last_found_datetime | Found On | |
| last_fixed_datetime | Closed | |
| N/A | Created | Date the vuln or asset was first imported to Cisco Vulnerability Management. Not mapped to a Qualys field. (Each asset and each vuln has its own created date.) |
| os_cpe_name + os_vendor | OS | |
| EC2_instance_id | EC2 | Only if EC2 locator import is enabled on the Qualys Connector. See Optional Settings below. |
| Host > qualys asset id | external_id | The external_id maps to the Qualys Host ID by default, not the QG Host ID (agent ID). This can be swapped with a feature flag, but Host ID is the correct ID for most customers: https://success.qualys.com/discussions/s/article/000006216 |
| DNS | hostname | |
| IP | ip_address | |
| | MAC_address | Not available in Qualys VM API |
| NETBIOS | netbios | |
| Business Unit | Tags | All of these items are converted to tags within Cisco Vulnerability Management. |
Qualys items that Cisco Vulnerability Management does not import:
- Custom Fields
- Network IDs (not available via VM Hosts endpoint unless via a tag)
Qualys Connector API Calls
The following API calls are performed during a connector run to retrieve the Qualys information and import it into Cisco Vulnerability Management.
- Tags: https://qualysapi.qualys.com/qps/rest/2.0/search/am/tag
- Hosts: https://qualysapi.qualys.com:443/api/2.0/fo/asset/host/?action=list&show_tags=1&details=Basic/AGs
- Detections: https://qualysapi.qualys.com:443/api/2.0/fo/asset/host/vm/detection/?action=list&show_tags=1&status=New,Active,Re-Opened,Fixed
Optional Settings
The following settings can be enabled for Qualys connectors. To have these settings enabled, or for more information, contact Cisco Support or your Customer Success Engineer.
Exclude Non-Running Kernels
When this option is enabled, vulnerabilities found on non-running Linux kernels will not be imported.
Exclude Non-Exploitable Vulnerabilities
When this option is enabled, vulnerabilities that are not exploitable due to configuration will not be imported.
Exclude Informationals
When you enable this option, Cisco Vulnerability Management will only import vulnerabilities that include a CVE, CWE, or WASC ID.
Exclude Potential Vulnerabilities
When this option is enabled, Cisco Vulnerability Management will not import potential vulnerabilities.
Include EC2 Metadata
When this option is enabled, Cisco Vulnerability Management will import the EC2 instance ID as a locator and display it on the asset.
Use Qualys Host ID as External ID
- When this option is enabled, Cisco Vulnerability Management will use the Qualys Host ID as the External ID.
- The Qualys Host ID is a unique identifier created when scans are run using agent-less tracking or the Qualys Cloud Agent.
- Users must enable agent-less tracking on their Qualys subscription.
Skip Tags
When this setting is enabled, the connector does not create any tags in Cisco Vulnerability Management from the scanner metadata.
Tag Reset
This setting assists you with keeping your scanner metadata synchronized with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.
If you have created any manual tags or any tags were created from metadata from other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.
Active Asset Tags
When this option is enabled, tags used in Tag Reset only come from assets that have not passed the configured asset expiration period. This ensures that old Qualys records are not impacting Cisco Vulnerability Management data.
Pass the date a "Re-opened" status is assigned to a vuln into a custom field in Cisco Vulnerability Management
This requires that a custom field be created in Cisco Vulnerability Management, into which we can write the date on which any specific vulnerability is re-opened in Qualys. This allows tracking of "re-opened" vulns via the custom field, since Cisco Vulnerability Management does not support a "Reopened" status.
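The following is an added example, not Cisco's or Qualys's code, that models the behaviour described in the field mapping table and in the optional settings above: it parses a constructed Qualys host-detection XML document, applies the connector-level versus global asset inactivity limit, honours the Exclude Potential Vulnerabilities and Exclude Informationals settings, maps Qualys statuses onto Open/Closed, and records a re-open date for "Re-Opened" detections. Element names follow the shape of the host/vm/detection output listed under Qualys Connector API Calls as I understand it; the XML, the small knowledge-base dictionary used to look up CVEs by QID, the `LAST_SCAN_DATETIME` used as "last seen", and the use of the run time as the re-open date are all assumptions of this example.

```python
"""Added example: a miniature of the Qualys -> Cisco Vulnerability Management
field mapping and optional filters. Not the connector's own code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of host/vm/detection?action=list output (assumed element names).
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
<HOST><ID>1001</ID><IP>10.0.0.5</IP><DNS>web01.example.test</DNS>
 <LAST_SCAN_DATETIME>2024-05-01T02:00:00Z</LAST_SCAN_DATETIME>
 <DETECTION_LIST>
  <DETECTION><QID>38170</QID><TYPE>Confirmed</TYPE><SEVERITY>4</SEVERITY><PORT>443</PORT>
   <STATUS>Active</STATUS><LAST_FOUND_DATETIME>2024-05-01T02:00:00Z</LAST_FOUND_DATETIME></DETECTION>
  <DETECTION><QID>45038</QID><TYPE>Info</TYPE><SEVERITY>1</SEVERITY>
   <STATUS>New</STATUS><LAST_FOUND_DATETIME>2024-05-01T02:00:00Z</LAST_FOUND_DATETIME></DETECTION>
  <DETECTION><QID>91234</QID><TYPE>Potential</TYPE><SEVERITY>3</SEVERITY>
   <STATUS>Re-Opened</STATUS><LAST_FOUND_DATETIME>2024-05-01T02:00:00Z</LAST_FOUND_DATETIME></DETECTION>
  <DETECTION><QID>11111</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY>
   <STATUS>Fixed</STATUS><LAST_FOUND_DATETIME>2024-04-10T02:00:00Z</LAST_FOUND_DATETIME>
   <LAST_FIXED_DATETIME>2024-04-28T02:00:00Z</LAST_FIXED_DATETIME></DETECTION>
 </DETECTION_LIST></HOST>
<HOST><ID>1002</ID><IP>10.0.0.9</IP><DNS>old01.example.test</DNS>
 <LAST_SCAN_DATETIME>2024-01-15T02:00:00Z</LAST_SCAN_DATETIME>
 <DETECTION_LIST>
  <DETECTION><QID>38170</QID><TYPE>Confirmed</TYPE><SEVERITY>4</SEVERITY>
   <STATUS>Active</STATUS><LAST_FOUND_DATETIME>2024-01-15T02:00:00Z</LAST_FOUND_DATETIME></DETECTION>
 </DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

# Constructed stand-in for the Qualys knowledge base: QID -> title and CVE/CWE/WASC identifiers.
SAMPLE_KB = {
    "38170": {"title": "TLS cipher weakness (constructed)", "cve": ["CVE-0000-0001"]},
    "45038": {"title": "Host scan time (constructed)", "cve": []},          # informational: no IDs
    "91234": {"title": "Possible outdated package (constructed)", "cve": ["CVE-0000-0002"]},
    "11111": {"title": "Remote code execution (constructed)", "cve": ["CVE-0000-0003"]},
}

# Fixed "now" so the inactivity arithmetic is reproducible.
AS_OF = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_qualys_datetime(text):
    """Qualys timestamps are UTC in the form 2024-05-01T02:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def effective_inactivity_limit(global_days, connector_days):
    """The connector-level limit takes precedence over the global limit when set."""
    return connector_days if connector_days is not None else global_days


def import_detections(xml_text, kb, as_of=AS_OF, global_limit_days=180, connector_limit_days=None,
                      exclude_potential=False, exclude_informationals=False):
    """Return (imported vulnerabilities, skipped inactive asset IDs) per the page's mapping rules."""
    limit = timedelta(days=effective_inactivity_limit(global_limit_days, connector_limit_days))
    imported, skipped_assets = [], []
    for host in ET.fromstring(xml_text).iter("HOST"):
        last_seen = parse_qualys_datetime(host.findtext("LAST_SCAN_DATETIME"))
        if as_of - last_seen > limit:                 # asset past the inactivity limit
            skipped_assets.append(host.findtext("ID"))
            continue
        asset = {"external_id": host.findtext("ID"),  # Qualys Host ID -> external_id
                 "ip_address": host.findtext("IP"), "hostname": host.findtext("DNS")}
        for det in host.iter("DETECTION"):
            qid, dtype, status = det.findtext("QID"), det.findtext("TYPE"), det.findtext("STATUS")
            if exclude_potential and dtype == "Potential":
                continue
            entry = kb.get(qid, {})
            ids = entry.get("cve", []) + entry.get("cwe", []) + entry.get("wasc", [])
            if exclude_informationals and not ids:    # keep only findings with a CVE, CWE or WASC ID
                continue
            port = det.findtext("PORT")
            imported.append({
                "asset": asset,
                "identifier": qid,                    # Qualys ID -> Identifier
                "name": entry.get("title", ""),       # Title -> Name
                "scanner_score": int(det.findtext("SEVERITY")),
                "cve": entry.get("cve", []),
                "ports": [int(port)] if port else [],
                "found_on": det.findtext("LAST_FOUND_DATETIME"),
                # New/Active/Re-Opened are all shown as Open; only Fixed becomes Closed.
                "status": "closed" if status == "Fixed" else "open",
                "closed": det.findtext("LAST_FIXED_DATETIME") if status == "Fixed" else None,
                # Re-open date written to the custom field on the run that first sees "Re-Opened".
                "reopened_date": as_of.isoformat() if status == "Re-Opened" else None,
            })
    return imported, skipped_assets


if __name__ == "__main__":
    vulns, skipped = import_detections(SAMPLE_XML, SAMPLE_KB, connector_limit_days=30,
                                       exclude_potential=True, exclude_informationals=True)
    print("skipped inactive assets:", skipped)
    for v in vulns:
        print(v["asset"]["hostname"], v["identifier"], v["status"], v["ports"], v["reopened_date"])
```

With a 30-day connector limit (three times a ten-day scan cadence) the host last scanned in January is dropped even though the 180-day global limit would have kept it, which is the precedence rule the Asset Inactivity Limit setting describes; switching the two exclusion flags off brings the informational and potential findings back, with the re-opened one carrying a re-open date while still showing as Open.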