Auto Scan from Servicenow to Qualys on state changes

User179407 · ‎09-01-2020

Hello,

I would like to know how does the auto scan happen from Servicenow to Qualys and on which states is the scan triggered ?

What are the jobs that run and where can we monitor the/m?

Update: i see that when the state changes to Resolved the auto scan is initiated.(see below link). however I dont see the workflow is initiating in my SN instance, how to i activate that auto workflow ?

https://www.youtube.com/watch?v=uAaF9o-gylg&t=190s

Thanks.

@Chris McDevitt

@Stephen Laseau

@./andy-b2poYQ==

andy_ojha · ‎09-02-2020

Hey there - you need to specify a fallback appliance that will be used in the API request sent to Qualys.

The Qualys API will not accept requests for re-scan without an appliance - so this acts as the fallback (even though you've setup the Default Scan Appliances)...

In the Default Scan Appliances you can ensure the IP Ranges are mapped to the appliances you'd expect to cover the scans (that would win first).

The "default scanner appliance" you setup is the fallback, if we do not find a target Appliance from the "Default Scan Appliances" you have already setup.

You can specify either the ID or Name of the Appliance (seem to have better luck with the Name).

View solution in original post

andy_ojha · ‎09-02-2020

Hey there,

Have you seen the Workflow Triggers defined on the Vulnerable Item and Vulnerability Group tables?

- Navigate to Security Operations > Workflows > Workflow Triggers
- Adjust your filter for table starts with [sn_vul]
- This is what triggers the workflows for kicking off the scan request (automatically) when the records move to Resolved

From there you should be able to see under Workflow Contexts - the particular workflow "Vulnerability Response - Scan Vulnerable Item" get kicked off.

From there records are inserted into the "Scan Queue":
- Vulnerability Response > Vulnerability Scanning > Scan Queue

A Scheduled Job handles processing the Scan Queue (Process Scan Queue)

So you could keep an eye on the Scan Queue, and Scheduled Job.

Would be worth considering how often assets are scanned today by Qualys, and the need to have this requested from ServiceNow as you head down this path - balancing that with the performance concerns you shared.

User179407 · ‎09-02-2020

Thank you Andy,

this is good to know..i adjusted the filter and now it triggers the workflow and a record is created in the 'Vulnerability Scans'

However I see the below error

Error: No scan options profile defined. Provide a scan options profile in the Qualys configuration

I have added the scan_options_profile as provided by Qualys admin, but still face the same error when initiating scan from SN. Appliances are already loaded in the scanner appliance table.

Do we need to do any other configuration besides this ?

Thanks for all your help

andy_ojha · ‎09-02-2020

Hey there - interesting - that is a ServiceNow warning message.

Where did you set the `scan_options_profile`?

It should go into the Query Parameters on the Integration Instance record.

- Qualys Vulnerability Integration > Administration > Integration Instances
- Find your record (ensure it is the correct console if you have multiple)
- On the Integration Instance Parameters -> look for `scan_options_profile`
- Ensure you also have the `default_scan_appliance` set as well

User179407 · ‎09-02-2020

Hi Andy,

Thanks for your reply

1. I have set the scan_options_profile under Vulnerability Integration > Administration > Integration Instances -->Qualys --> Integration Instance Parameters (see screen shot 1)

Question: should it be the title or the ID of the Option Profile, i tried both and receive the same error (see screen shot 2).

2. The Qualys Scanner is Active and default (see screen shot 3)

3. Where can I find value for default_scan_appliance ? Please note that I have already configured the Qualys Default Appliances (see screen shot 4)

Thanks for all your help

screen shot 1

screen shot 2

screen shot 3

screen shot 4