Filter out vulnerabilities from Qualys for non-running kernels and Superseded patches

User179407
Mega Guru

‎04-25-2022 10:08 AM

Hello,

We are using Qualys Service Integration for VR (Qualys Integration for Security Operations: v12.1.1)

I am looking at modifying the API to exclude non-running kernels and superseded patches.

looking at this article, and Qualys API documentation  i added 2 HTTP parameters, see below screen shot

arf_kernel_filter = 1

exclude_superceded_patches = 1

I now get the below error. FYI - without the above 2 parameters the integration just runs fine.Do I need to add any other parameter with this parameter in the API to support this ?

Error: Invalid response code 400 received from Qualys. Encountered process error running the integration.

I checked the HTTPs Request and it shows the parameters set by me. 

can you please help ?

Thank you.

@./andy-b2poYQ== 

@Chris McDevitt 

@Stephen Laseau 

 

find_real_file.png

 

find_real_file.png

 

 

 

Labels:
Preview file
60 KB
Preview file
98 KB
0 Helpfuls
  • 2,123 Views
8 REPLIES 8

Chris McDevitt
ServiceNow Employee
ServiceNow Employee

‎04-25-2022 10:54 AM

So, I am going to guess that:

  • exclude_superceded_patches is part of the Scan Templates API
    • /api/2.0/fo/report/template/scan/
  • arf_service_filter is part of the Host List Detection API 
    • /api/2.0/fo/asset/host/vm/detection/

 

 

Preview file
77 KB

User179407
Mega Guru
In response to Chris McDevitt

‎04-25-2022 11:00 AM

Hi Chris,

 

I just figured that out after reading the Qualys API documentation more thoroughly. Thank you for confirming.

I just added "arf_kernel_filter" which is part of Host Detection and it works fine.

So now the question is: Is there a way to filter out vulnerabilities related to Superseded patches  ?

 

Thank you for your help.

0 Helpfuls

Brian Curry
Tera Contributor
In response to User179407

‎07-24-2024 02:41 PM

Were you ever able to determine how/where to configure the exclude_superceded_patches parameter in ServiceNow? We've been unable to find a REST Message that includes the exact endpoint that Chris McDevitt suggested in an earlier response and I'm starting to wonder if that parameter may be related to the "Rescan" function in ServiceNow which is something we cannot enable as we are only allowed to pull from Qualys. I'm also wondering if that parameter can be configured within Qualys itself.

 

Thanks in advance for any guidance you can offer (or remember :-)).

0 Helpfuls

User179407
Mega Guru
In response to Brian Curry

‎07-25-2024 07:06 AM

Brian,

 

yes use filter_superseded_qids parameter and set it to "1" in the post call should do the work, see below screen shot

User179407_0-1721916232682.png

 

refer page 24 of the below documentation

https://cdn2.qualys.com/docs/release-notes/qualys-cloud-platform-10.8-api-release-notes.pdf 

0 Helpfuls