All assets from Qualys are not imported into ServiceNow

User1234
Mega Contributor

I'm having an issue with importing data from Qualys into ServiceNow. Multiple assets are not showing up in the Security Operations CMDB, nor as Vulnerable Items. I have given my ServiceNow API user access to read the "All" asset group, and most assets do import fine into ServiceNow. There are just a few of them that I can see in Qualys, but not in ServiceNow. What could be the reason for this? I have reviewed the XML files in the import in ServiceNow as well, and found no reference to the assets there.

7 replies

threatangler
Tera Contributor
The Rapid7 API integration seems to only pull in new assets and vuln items discovered since the integration. If the scanner was already scanning prior to the integration, it will not pull in the assets and vulns already discovered prior to the integration. Qualys may work the same. Test it by scanning an asset the scanner had not seen prior to the integration with ServiceNow. Or update the scanner with the latest vulnerability detection capabilities and rescan to see if those new vulns show up in ServiceNow and bring the asset in too. There is another post about this in the community. It was for Tenable, I believe.

andy_ojha
ServiceNow Employee

Hey there,

If you are not seeing the assets in the raw XML payload, it could be related to the filtering used in the requests from ServiceNow to Qualys.

Do you recall the "Start time" (i.e. date) that was used when the first Qualys integration run was executed (i.e. how far back in time did we request data for)?

By default in London, Madrid, New York: the Qualys "Detection Updated Since" time based filter is used, when ServiceNow requests Qualys detection data from Qualys' API.  

 -> This filter will look for Qualys detections that have been updated since a certain date (e.g. initially found, found again), along with Qualys detections that have changed in Qualys State since a certain date (e.g. Active -> Fixed).

- Generally, when you run the integration for the first time, you could set that date used in the filter back in time (e.g. after the last 90 days, 60 days, 30 days, etc).

- Then, for subsequent data loads after the first one -> the daily integration runs would request for Qualys detections updated in the past x1 day (only capturing the incremental updates).

This means that within ServiceNow, you'd see Vulnerable Items for Qualys Assets based on the timeframe of which Qualys detections were updated.

Also - by default only detections with Qualys Severity 3,4,5 are brought in.  This can also be adjusted based on your business requirements.  

I would investigate the Qualys Assets you've earmarked that you see in Qualys and not ServiceNow, and check when the corresponding detections on those assets were last updated; this may indicate why they were not "caught in the filter", and why we do not see them in ServiceNow.   You can then adjust the "Start time" on the [Qualys Host Detection Integration] record, to a previous date, and gauge the impact to data brought in (additional Vulnerable Items / additional records under Discovered Items). 

User1234

I have tried to set the "Start date" for the "Qualys Host Detection Integration" back to 2017, which was before we started the Qualys scans. The hosts also have severity 4 and 5 vulnerabilities, so they should be imported. I'm still puzzled why they don't show up in the imported XML files.

andy_ojha
ServiceNow Employee

Hey there,

For the Qualys 'User Account' that is being used for the integration:
 - What role does this user have in Qualys (i.e. Manager)?
 - What Business Unit is this user a part of in Qualys (i.e. Unassigned)?
    - Wondering if there may be a Qualys [Asset Group] permission in place?

You can also double check the SecOps Discovered Items, to see if by chance the asset made it over and was associated to a particular CI in ServiceNow.
 - Navigate to [Security Operations] -> [CMDB] -> [Discovered Items]
  --> Remove the filter (State = Unmatched)
  ----> Query for "Source data | Contains | {$qualys_asset}"
  --------> Replace {$qualys_asset} with a known attribute you have on hand for the asset in question, such as IP Address, Qualys ID, etc

If you don't find a matching Discovered Item record - I would perhaps look at opening a Qualys Support Ticket, and mention that you are querying the Qualys API, (Endpoint = /api/2.0/fo/asset/host/vm/detection/), using <xyz> creds, and not see the payload include Detections for (Qualys Asset ID <123>); perhaps they can spot the subscription / permission / other issue at hand here.

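The two checks andy_ojha describes above, the "Detection Updated Since" / severity filter on the daily run and the direct query of /api/2.0/fo/asset/host/vm/detection/ for a specific Qualys asset ID, can be reproduced outside ServiceNow. The script below is an added example written for this thread; it is not ServiceNow's or Qualys' own code. It assumes the integration calls that endpoint with the Qualys API 2.0 parameters action=list, detection_updated_since and severities (plus ids to narrow to one host), and the XML response embedded in it is a constructed sample in the HOST_LIST_VM_DETECTION_OUTPUT layout, not a real Qualys payload. The idea is to pull the asset unfiltered with the integration's own credentials, then apply the date and severity filters locally, so you can tell "excluded by the filter" apart from "not visible to this API user at all".

```python
"""Reproduce the ServiceNow -> Qualys host-detection query and work out,
per asset, which filter (if any) drops it. Illustrative code for this
thread, not ServiceNow or Qualys code; parameter names and XML layout are
the author's understanding of Qualys API 2.0 and are assumptions."""
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

QUALYS_ENDPOINT = "/api/2.0/fo/asset/host/vm/detection/"   # named in the thread
DEFAULT_SEVERITIES = (3, 4, 5)                              # thread's default filter
SINCE = datetime(2019, 1, 1, tzinfo=timezone.utc)           # sample "Start time"

# Constructed sample payload (not real data). Host 111 has a recent sev-5
# detection; host 222 has an old sev-5 and a recent sev-2 detection; host 444
# has only a sev-2 detection; host 333 is absent, as if the API user cannot see it.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE>
 <DATETIME>2019-03-05T08:00:00Z</DATETIME>
 <HOST_LIST>
  <HOST><ID>111</ID><IP>10.0.0.11</IP><DETECTION_LIST>
   <DETECTION><QID>100001</QID><SEVERITY>5</SEVERITY><STATUS>Active</STATUS>
    <LAST_UPDATE_DATETIME>2019-03-01T10:15:00Z</LAST_UPDATE_DATETIME></DETECTION>
  </DETECTION_LIST></HOST>
  <HOST><ID>222</ID><IP>10.0.0.22</IP><DETECTION_LIST>
   <DETECTION><QID>100002</QID><SEVERITY>5</SEVERITY><STATUS>Active</STATUS>
    <LAST_UPDATE_DATETIME>2018-06-01T09:00:00Z</LAST_UPDATE_DATETIME></DETECTION>
   <DETECTION><QID>100003</QID><SEVERITY>2</SEVERITY><STATUS>Active</STATUS>
    <LAST_UPDATE_DATETIME>2019-03-02T09:00:00Z</LAST_UPDATE_DATETIME></DETECTION>
  </DETECTION_LIST></HOST>
  <HOST><ID>444</ID><IP>10.0.0.44</IP><DETECTION_LIST>
   <DETECTION><QID>100003</QID><SEVERITY>2</SEVERITY><STATUS>Active</STATUS>
    <LAST_UPDATE_DATETIME>2019-03-02T09:00:00Z</LAST_UPDATE_DATETIME></DETECTION>
  </DETECTION_LIST></HOST>
 </HOST_LIST>
</RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""


def _parse_dt(text):
    """Qualys timestamps are UTC in the form 2019-03-01T10:15:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_params(since, severities=DEFAULT_SEVERITIES, ids=None):
    """Query string the daily run would send (assumed parameter names).
    Pass since=None and ids=[...] to inspect one asset unfiltered."""
    params = {"action": "list", "show_results": "0",
              "severities": ",".join(str(s) for s in severities)}
    if since is not None:
        params["detection_updated_since"] = since.strftime("%Y-%m-%dT%H:%M:%SZ")
    if ids:
        params["ids"] = ",".join(str(i) for i in ids)
    return params


def fetch_detections(base_url, username, password, params):
    """Live call with HTTP Basic auth (not exercised here; needs real creds).
    Qualys API 2.0 requires an X-Requested-With header on every request."""
    url = base_url.rstrip("/") + QUALYS_ENDPOINT + "?" + urllib.parse.urlencode(params)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                               "X-Requested-With": "detection-check"})
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.read().decode("utf-8")


def parse_hosts(xml_text):
    """Map Qualys host ID -> {'ip', 'detections': [...]} from the XML payload."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("HOST"):
        dets = [{"qid": d.findtext("QID"),
                 "severity": int(d.findtext("SEVERITY")),
                 "status": d.findtext("STATUS"),
                 "last_update": _parse_dt(d.findtext("LAST_UPDATE_DATETIME"))}
                for d in host.iter("DETECTION")]
        hosts[host.findtext("ID")] = {"ip": host.findtext("IP"), "detections": dets}
    return hosts


def diagnose(hosts, host_id, since, severities=DEFAULT_SEVERITIES):
    """Apply the integration's two filters locally to an unfiltered host record.
    'code' is OK, NOT_VISIBLE, BELOW_SEVERITY or NO_RECENT_DETECTION."""
    host = hosts.get(str(host_id))
    if host is None:
        return {"code": "NOT_VISIBLE", "detail": "host absent from payload: check the "
                "API user's role, business unit and asset-group permissions in Qualys"}
    in_scope = [d for d in host["detections"] if d["severity"] in severities]
    if not in_scope:
        return {"code": "BELOW_SEVERITY",
                "detail": "no detection with severity in %s" % (tuple(severities),)}
    recent = [d for d in in_scope if d["last_update"] >= since]
    if recent:
        return {"code": "OK", "detail": "%d detection(s) would be returned" % len(recent)}
    newest = max(d["last_update"] for d in in_scope)
    return {"code": "NO_RECENT_DETECTION", "detail": "newest in-scope detection updated "
            "%s; set Start time on or before that" % newest.strftime("%Y-%m-%dT%H:%M:%SZ")}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_XML)
    print(build_params(SINCE, ids=[111, 222, 333, 444]))
    for hid in ("111", "222", "333", "444"):
        r = diagnose(hosts, hid, SINCE)
        print(hid, r["code"], "-", r["detail"])
```

Against the sample, host 111 passes both filters, host 222 is dropped because its only severity 3-5 detection was last updated before the Start time, host 444 is dropped by the severity filter, and host 333 is missing from the payload altogether. The last case is the one that survives the OP's 2017 Start time experiment, and it is the one the suggested Qualys support ticket is for: record the exact URL with the query string (minus credentials), the API user, and the host ID, and include them in the ticket.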