01-25-2022 05:12 AM
Hello everyone,
Unfortunately, at the current stage of the project I can't integrate Qualys with the dev instance. I need to prepare some 'dummy data' for testing CI Lookup Rules and getting familiar with them. Is there any possibility to insert 'dummy data' into some kind of staging table, which will trigger the CI lookup rules? When are CI lookup rules triggered?
- Labels: Vulnerability Response
01-25-2022 12:34 PM
Not terribly difficult to do. You want to use the Discovered Items table. If you generated demo data when you installed the module, you'll have some records in there to play with. And you'll need to install the Qualys integration app to get the default CI lookup rules for that particular integration.
Then, take a Discovered Item record where the state = Unmatched. On that record, you can edit the FQDN, MAC Address, NetBios, and/or IP Address to something that should match a record in your CMDB. And you'll need to make the Source = Qualys (so it'll fire the right CI lookup rules). Then, from the list view, select that record (or records), and select the Reapply CI Lookup Rules action. That'll run that record(s) through the active CI lookup rules.
As for when the CI lookup fires, it's the 1st rule set that will fire when ingesting detection data from your source scanner. In that way, CI attributes can be used by the subsequent rule sets that will fire (in order - Assignment Rules, Risk Scoring Rules, Group (Remediation Target) Rules, and lastly, Remediation Target Date rules).
Hope that helps.
02-16-2022 07:53 AM
We can validate a CI lookup rule with the code below:
// source and sourceData must be set first; see the parameter descriptions below
var x = new sn_sec_cmn.CIIdentify().identify(source, sourceData, true);
gs.warn(JSON.stringify(x));
Parameters of the identify method:
- source - sys id of the integration source, like Qualys Cloud Platform
- sourceData - get a sample from unmatched discovered items. Change any parameter to validate each rule. For example, change the IP to validate the IP rule.
It returns the sys id of the matched CI and the sys id of the CI lookup rule which was used for matching.