QualysGuard Vulnerability Management

Use the QualysGuard Vulnerability Management Connector to import your vulnerability scan information into Kenna to assist you in reducing risk across your environment.

Platform support:

Currently, Kenna supports the following Qualys PODs:

Qualys cloud: US1, US2, US3, US4, Qualys EU1, Qualys EU2, Qualys Canada, Qualys India, Qualys AE, Qualys UK, Qualys AU

User Prerequisites /Qualys setup:

Must have API access
Must manually log into Qualys once to complete registration
Kenna will "see" whatever the Qualys user account can access
User must be a "manager account" in order to pull hierarchical tag data from Qualys

Configuring Your Qualys Connector in Kenna

Once you select the Qualys VM icon from the Kenna Connectors page, you will see a screen like this:

Enter a name for the connector
Select the Qualys POD/Region that your Qualys instance resides on
Enter your Qualys username and password
Select the frequency that you want to run your Kenna Qualys Connector
Save & Verify

Note: At this time if you wish to set a connector level inactivity limit, you may do so. We recommend setting the limit to 2-3x your scan cadence. The connector inactivity limit will take precedence over the Global limit for all items seen by the connector.

What Qualys items are synced with Kenna items?

Qualys Field	Kenna Field	Notes
Title	Name
Qualys ID	Identifier (Vulnerability)
cvss/temporal	CVSS Temporal Score
Diagnosis	Description
Solution	Solution/Fix
Severity	scanner_score	1-5
Status	Vulnerability Status	Only maps Open, Closed, & Re-opened vulnerabilities. For re-opened vulnerabilities, the status of “Re-opened is only passed on the connector run most recently after the vuln is reopened. It is listed as Open in Kenna, but provided you have “Re-opened” status tracking enabled (please see Optional Settings in the Qualys Doc) we will deposit the date of re-open in that custom field for the vulnerability which was reopened (Date in UTC)
Results	Details
vulnerability > cve (qid)	CVE
vulnerability > pci_related	PCI	(Binary Yes / No - is the vuln PCI related)
Vulnerability > Port	Ports
last_seen_time	Last Seen
last_found_datetime	Found On
last_fixed_datetime	Closed
N/A	Created	Date the vuln or asset was first imported to Kenna. Not mapped to a Qualys field. (Each asset and each vuln will have their own created dates)
os_cpe_name + os_vendor	OS
EC2_instance_id	EC2	Only if EC2 locator import is enabled on the Qualys Connector. Please see Optional Settings below.
Host > qualys asset id	external_id	The external_id maps to the Qualys Host ID by default, not the QG Host ID (agent ID). This can be swapped with a feature flag, but Host ID is the correct ID for most customers: https://success.qualys.com/discussions/s/article/000006216
DNS	hostname
IP	ip_address
	MAC_address	Not available in Qualys VM API
NETBIOS	netbios
Business Unit Asset Group Asset Group ID Tags Hierarchical Tags	Tags	All of these items are converted to tags within Kenna. Tags are served through the Hosts endpoint, but for clients where it is available we use the Tags endpoint to retrieve tag hierarchies.

Qualys Items Kenna does not import:

Custom Fields
Network IDs (Not available via vm Hosts endpoint unless via a tag)

Qualys Connector API Calls

The following API calls are performed during a connector run to retrieve the Qualys information and import it into the Kenna Platform.

Tags: https://qualysapi.qualys.com/qps/rest/2.0/search/am/tag
Hosts: https://qualysapi.qualys.com:443/api/2.0/fo/asset/host/?action=list&show_tags=1&details=Basic/AGs
Detections: https://qualysapi.qualys.com:443/api/2.0/fo/asset/host/vm/detection/?action=list&show_tags=1&status=New,Active,Re-Opened,Fixed

Optional Settings

The following settings can be enabled on the backend for Qualys Connectors. To get these settings enabled or for more information contact your Customer Success Engineer.

Exclude Non-Running Kernels
- When this option is enabled, vulnerabilities found on non-running Linux kernels will not be imported.
Exclude Non-Exploitable Vulnerabilities
- When this option is enabled, vulnerabilities that are not exploitable due to configuration will not be imported.
Exclude Informationals
- When this option is enabled, Kenna will not import vulnerabilities that do not include a CVE.
Exclude Potential Vulnerabilities
- When this option is enabled, Kenna will not import potential vulnerabilities.
Include EC2 Metadata
- When enabled, Kenna will import the EC2 instance ID as a locator and display this on the asset
Use Qualys Host ID as External ID
- When this option is enabled, Kenna will use the Qualys Host ID as the External ID.
- The Qualys Host ID is a unique identifier created when scans are run using agent-less tracking or the Qualys Cloud Agent.
- Users must enable agent-less tracking on their Qualys subscription.
Skip Tags
- This setting will allow you to NOT create any Tags within Kenna based on the Qualys metadata.
Tag Reset
- This setting will assist in keeping your Qualys metadata in sync within Kenna. Each time the connector is run, ALL tags within Kenna will be removed and the Qualys metadata will be re-created.
- If you have created any manual tags OR any tags were created off of metadata from other connectors it will be removed and will be refreshed once those connectors run.
Active Asset Tags
- This setting ensure that tags used in Tag Reset only come from assets that have not passed the configured asset expiration period. This ensures that old Qualys records are no impacting Kenna data.
Pass the date a "Re-opened" status is assigned to a vuln into a custom field in Kenna
- This requires that a custom field be created in Kenna, to which we can write the <date> any specific vulnerability is re-opened in Qualys. This allows tracking for "re-opened" vulns via custom field, given Kenna does not support a "Reopened" status.