ebbrostrom_sn
ServiceNow Employee

Overview:

As most of us have experienced, the Configuration Compliance integrations can bring in large volumes of data, some of which will never be triaged or remediated. If that describes your environment, the Qualys API HTTP query parameters let you restrict which policies are consumed into Configuration Compliance on the ServiceNow platform.

 

Scenario:

Suppose our organization will only triage and resolve findings for specific policies defined in Qualys, but at present we are consuming ALL policies as well as all results pertaining to those policies. The requirement is to limit policy consumption into Configuration Compliance to policies 441764 and 43978 only (the IDs will vary for every Qualys implementation).

 

Understanding:

First, we need to understand how the Qualys Results and policies come into the platform.

There are two integrations involved in this topic:

  •  Qualys PC Policies
    • Calls the REST API of <apiserver>/api/2.0/fo/compliance/policy/
    • Query parameter ‘action’ is ‘list’
      (screenshot of the REST method’s HTTP query parameters not reproduced)
    • Qualys API Documentation
  • Qualys PC Results
    • Calls the REST API of <apiserver>/api/2.0/fo/compliance/posture/info/
    • Query parameter ‘action’ is ‘list’
      (screenshot of the REST method’s HTTP query parameters not reproduced)
    • Qualys API Documentation

You will notice that on the PC Posture Info REST “List” method above, there is an HTTP query parameter ‘policy_id’ whose value is the variable ‘${policyId}’.

This variable is populated by the integration factory script include "sn_vul_qualys.QualysPCResultsIntegration()" tied to the Qualys PC Results integration, at the point where the REST message is built and executed.

  • Specifically, in the ‘_buildRESTMessage’ function (line 272) you will see a call to ‘_getPolicyIds’, which gathers the policies already ingested into the ServiceNow platform.
  • That function queries the ‘sn_vulc_policy’ table, which is populated by the Qualys PC Policies integration.

With that said, these two integrations are tightly coupled: results will only be pulled for the active policies listed in ‘sn_vulc_policy’, which were themselves ingested by the Qualys PC Policies integration.

 

Now, let’s examine the Qualys PC Policies integration.

 

The base REST call pulls all policies from Qualys and loads them into the ServiceNow platform. They are then transformed via the Qualys PC List Import transform map, which calls the sn_vul_qualys.PolicyListStream() script include; that script traverses the XML and inserts or updates the policies as needed.

 

One specific thing to call out in that script include is line 35 of the ‘stream’ function, which calls an additional function, ‘_markInactive()’.

This function runs after all policies in the response have been inserted or updated. During the inserts/updates, the script records which policies it processed in a local variable; ‘_markInactive()’ then cross-references that list against the table and sets ‘active=false’ on every policy that was not returned in this run.

 

In summary: policies are pulled from Qualys, then results are pulled from Qualys only for the policies previously pulled that are still active in the system.

 

Solution:

With that background, the solution boils down to one simple factor: the policies consumed into ServiceNow must be limited ONLY to the ones we want. Per the Qualys API documentation for "List Policies", this is done by adding an HTTP query parameter ‘ids’ to the List method of the Qualys PC Policies REST message (for our scenario, the value 441764,43978).

ids={value}  (Optional, Integer)
    Show only certain policy IDs/ranges. One or more policy IDs/ranges may be specified. Valid host IDs are required. Multiple entries are comma separated. A policy ID range is specified with a hyphen (for example, 160-165).

 

(screenshot of the Qualys PC Policies REST method with the added ‘ids’ query parameter not reproduced)
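The two-step flow described under Understanding (policies pulled, policies not returned marked inactive, results pulled only for active policies) and the ‘ids’ filter from the Solution, as an added offline example in Python. This is not code from this article or from the sn_vul_qualys application: the XML below is a constructed sample in the shape of POLICY_LIST_OUTPUT, an in-memory dict stands in for the ‘sn_vulc_policy’ table, the ‘ids’ validation follows only the documentation text quoted above, and the assumption that results are requested one policy at a time is the example’s own (the article does not say whether the app batches them).

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

POLICY_LIST_PATH = "/api/2.0/fo/compliance/policy/"
POSTURE_INFO_PATH = "/api/2.0/fo/compliance/posture/info/"

# Format from the Qualys "List Policies" documentation quoted in the article:
# comma-separated entries, each an integer or a hyphenated range such as 160-165.
_IDS_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def validate_ids(ids: str) -> str:
    """Strip whitespace around each entry and reject anything that is not an
    integer or a low-high range, so a typo never silently pulls every policy."""
    items = []
    for raw in ids.split(","):
        item = raw.strip()
        match = _IDS_ITEM.match(item)
        if not match:
            raise ValueError(f"invalid policy id or range: {raw!r}")
        if match.group(2) is not None and int(match.group(1)) > int(match.group(2)):
            raise ValueError(f"range must be low-high: {raw!r}")
        items.append(item)
    return ",".join(items)


def policy_list_query(ids: str = "") -> str:
    """Path and query string for the PC Policies 'list' call; without 'ids'
    this is the unfiltered request the REST method sends by default."""
    params = {"action": "list"}
    if ids:
        params["ids"] = validate_ids(ids)
    # keep the comma literal so the string reads the way the docs show it
    return POLICY_LIST_PATH + "?" + urlencode(params, safe=",")


def parse_policy_list(xml_text: str) -> dict:
    """Extract {policy_id: {'title': ...}} from a POLICY_LIST_OUTPUT document."""
    root = ET.fromstring(xml_text)
    policies = {}
    for policy in root.iter("POLICY"):
        pid = int(policy.findtext("ID"))
        policies[pid] = {"title": (policy.findtext("TITLE") or "").strip()}
    return policies


def sync_policies(table: dict, fetched: dict) -> dict:
    """Insert/update every fetched policy as active, then set active=False on
    every row not returned in this run (the behaviour the article attributes
    to PolicyListStream._markInactive)."""
    for pid, data in fetched.items():
        row = table.setdefault(pid, {})
        row.update(data)
        row["active"] = True
    for pid, row in table.items():
        if pid not in fetched:
            row["active"] = False
    return table


def active_policy_ids(table: dict) -> list:
    return sorted(pid for pid, row in table.items() if row.get("active"))


def posture_info_queries(table: dict) -> list:
    """One PC Results 'list' call per active policy, substituting policy_id the
    way ${policyId} is substituted in the REST method (assumption: one request
    per policy)."""
    return [
        POSTURE_INFO_PATH + "?" + urlencode({"action": "list", "policy_id": pid})
        for pid in active_policy_ids(table)
    ]


# Constructed sample response in the shape of POLICY_LIST_OUTPUT (not a real Qualys reply).
SAMPLE_POLICY_LIST_XML = """<POLICY_LIST_OUTPUT>
  <RESPONSE>
    <POLICY_LIST>
      <POLICY><ID>441764</ID><TITLE><![CDATA[Windows Server baseline]]></TITLE></POLICY>
      <POLICY><ID>43978</ID><TITLE><![CDATA[Linux baseline]]></TITLE></POLICY>
    </POLICY_LIST>
  </RESPONSE>
</POLICY_LIST_OUTPUT>
"""


def demo() -> dict:
    # Constructed rows standing in for sn_vulc_policy before the filtered run.
    table = {
        441764: {"title": "Windows Server baseline", "active": True},
        43978: {"title": "Linux baseline", "active": True},
        12345: {"title": "Old policy nobody triages", "active": True},
    }
    request = policy_list_query("441764,43978")
    fetched = parse_policy_list(SAMPLE_POLICY_LIST_XML)  # stands in for the HTTP response
    sync_policies(table, fetched)
    return {
        "policy_request": request,
        "active": active_policy_ids(table),
        "inactive": sorted(pid for pid, row in table.items() if not row["active"]),
        "results_requests": posture_info_queries(table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the filtered policy request, policy 12345 flipped to inactive by the reconciliation step, and posture/info requests generated only for 441764 and 43978. The validation step is the practitioner’s safeguard: an ‘ids’ value that does not match the documented format is rejected before a request is built, rather than being sent and possibly ignored by the API.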

 

Result:

Re-running the “Qualys PC Policies” integration will now ONLY pull in the policies defined, in this case 441764 and 43978, and will deactivate (set ‘active=false’ on) the other Qualys policies previously ingested into the ‘sn_vulc_policy’ table. You can confirm this by filtering ‘sn_vulc_policy’ on active=true and checking that only those two policy IDs remain.

Re-running the “Qualys PC Results” integration will then ONLY pull results for those policies, reducing the volume of results ingested and giving a targeted view of the policies that are actually being remediated.

 

----------------

*NOTE: If the change means the results tied to the OTHER policies are no longer relevant, consider archiving or deleting the associated Test Results, Tests, Test Groups and Remediation Tasks as you see fit, so the estate stays clean and holds only actionable data. Remember that Test Results are tied to Tests, which are tied to Policies (referred to as Test Groups in the ServiceNow table structure).
