Configuration Compliance jobs created duplicate VIT
‎10-13-2023 09:05 AM
Within our integration of Qualys and Qualys SCA into Vulnerability Response and Configuration Compliance, we are experiencing some VIT duplications that correspond with the starting of Configuration Compliance jobs. Since Qualys uses the same scheduled jobs for both VR and CC, we are hypothesizing that running both jobs has the potential to create duplicates. Does the Qualys plugin use the same API for QualysGuard and SCA? If so, then we can halt the CC jobs to stop the duplicates. This is confusing because from reference, the scheduled jobs look the same from VR and CC.
We don't want to miss any assets in the smaller subset of CC tests. But we want to verify if the same jobs used by VR are used by CC as it is using the same API (unlike other vuln scanner APIs).
‎10-20-2023 08:18 PM
Hi Daniel,
I am not familiar with SCA. We use Qualys to do both VM and PC scanning. The ServiceNow integration scheduled jobs are then in fact separate, and use different APIs (one goes to the Host List Detection API for VM; the other uses Posture Info APIs for policy results). Definitely different APIs, going after different data fields and details from Qualys' database.
Hope this helps in some way,
Joe
‎10-23-2023 07:35 AM
Daniel,
We're running CC and will be bringing in VR soon. I can run a test in our lower environment to see if this happens. Is it only duplicating VITs or are you seeing duplicate CTRs as well?
Thanks,
Greg

‎10-23-2023 12:08 PM - edited ‎10-23-2023 12:13 PM
Hey there,
You are correct - the ServiceNow SecOps integration jobs used for Qualys VR and Qualys CC - both are set up to target the same Qualys API Subscription.
The Qualys VR and Qualys CC jobs will point to the same "Integration Instance" in ServiceNow - which represents the particular Qualys API subscription and credential (aka console) to be used.
- Once SecOps CC is installed after SecOps VR and Qualys for VR
- New integration jobs appear for the existing Integration Instance (i.e. the same API subscription and credentials for Qualys VR and Qualys CC) - though the API endpoints they touch on Qualys are different
----------------------------------------------------------------------------------------------------------------------
Out of curiosity, how many Integration Instance(s) do we have at the moment, on the given ServiceNow Instance?
- Nav to Qualys Vulnerability Integration > Administration > Integration Instances
-- How many records are present here?
-- If there is more than one record here, is it possible we might've set up two Integration Instance(s) when we configured the Configuration Compliance piece?
Another area to look:
- Nav to Qualys Vulnerability Integration -> Administration -> Primary integrations
-- How many records are present here?
-- How many unique Source Instance values do you see (right click the column and select Group by)
Reference - Example of 2 unique Qualys Integration Instance(s)
- NOTE: this is not a mandatory setup approach
- Having 1 Qualys integration instance cover VR and CC would be the normal approach
----------------------------------------------------------------------------------------------------------------------
Some additional context:
For each particular VR/CC integration flavor, it is possible to set up multiple connections from ServiceNow to the target.
- The real use-case of this would be to connect ServiceNow to multiple "consoles" or target subscriptions if a customer had more than one for whatever reason
For example:
- ServiceNow.(Integration Instance 1) ---> Qualys API (credential ABC, Subscription 123)
- ServiceNow.(Integration Instance 2) ---> Qualys API (credential ABC, Subscription 123)
For the Qualys SecOps integrations, each Vulnerable Item will be unique to the Integration Instance - think of it as part of the DNA of that Vulnerable Item (in essence the primary key, or coalesce value).
If ServiceNow is configured to talk to the same Qualys API subscription twice (with two separate Integration Instance configurations) - the instance of a detected vulnerability would be represented with two Vulnerable Items (VIT for Qualys instance 1, and VIT for Qualys instance 2) - one from each configured Integration Instance...
- The Source, Vulnerability and CI would all be the same for both VITs
----------------------------------------------------------------------------------------------------------------------
In your example of duplicate VITs - what is the Integration Instance value on them?
- Are they the same or different?
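
An added example, not part of the original thread or of the ServiceNow or Qualys products: a small Node.js check over an exported list of Vulnerable Items that groups them by Source, Vulnerability and CI and reports whether each duplicate set spans more than one Integration Instance, which is the cause described in the last reply. The field names and sample records are constructed for illustration and are not ServiceNow schema names.

```javascript
// Constructed sample export of Vulnerable Items. Field names (number, source,
// vulnerability, ci, integrationInstance) are hypothetical column names.
const sampleVits = [
  { number: 'VIT0001', source: 'Qualys', vulnerability: 'QID-10001', ci: 'srv-app-01', integrationInstance: 'Qualys Instance 1' },
  { number: 'VIT0002', source: 'Qualys', vulnerability: 'QID-10001', ci: 'srv-app-01', integrationInstance: 'Qualys Instance 2' },
  { number: 'VIT0003', source: 'Qualys', vulnerability: 'QID-10002', ci: 'srv-db-01', integrationInstance: 'Qualys Instance 1' },
  { number: 'VIT0004', source: 'Qualys', vulnerability: 'QID-10002', ci: 'srv-db-01', integrationInstance: 'Qualys Instance 1' },
  { number: 'VIT0005', source: 'Qualys', vulnerability: 'QID-10003', ci: 'srv-web-01', integrationInstance: 'Qualys Instance 1' },
];

// Normalise values so trailing spaces or case differences in an export
// do not hide a duplicate.
function normalize(value) {
  return String(value ?? '').trim().toLowerCase();
}

// Group VITs by (source, vulnerability, CI) and classify each duplicate set.
function classifyDuplicateVits(vits) {
  const groups = new Map();
  for (const vit of vits) {
    const key = JSON.stringify([vit.source, vit.vulnerability, vit.ci].map(normalize));
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(vit);
  }

  const findings = [];
  for (const members of groups.values()) {
    if (members.length < 2) continue; // not a duplicate
    const instances = [...new Set(members.map(v => normalize(v.integrationInstance)))];
    findings.push({
      vulnerability: members[0].vulnerability,
      ci: members[0].ci,
      numbers: members.map(v => v.number),
      integrationInstances: instances,
      // More than one instance: consistent with two Integration Instances
      // importing the same subscription. One instance: look for another cause.
      cause: instances.length > 1 ? 'multiple-integration-instances' : 'same-integration-instance',
    });
  }
  return findings;
}

for (const f of classifyDuplicateVits(sampleVits)) {
  console.log(`${f.vulnerability} on ${f.ci}: ${f.numbers.join(', ')} -> ${f.cause}`);
}
```
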