Filter out vulnerabilities from Qualys for non-running kernels

User1234
Mega Contributor

Hello,

How can I filter out vulnerabilities for non-running kernels in my data import from Qualys? Is there an attribute on the VIT, or do I have to not import them into ServiceNow at all?

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there,

This is a great question. 

I believe you will need to actually filter these detections from being sent to ServiceNow from Qualys.  Today, the Qualys Vulnerable Items (VIs) do not have this information, such that you could use a data point to de-prioritize Qualys VIs on inactive kernels.

Within the Qualys API, there are certain parameters that can be used to filter the detections returned to ServiceNow, with the context of exploitable / running kernels.

One thing to be aware of: you may see older documentation and community posts kicking around that reference a Qualys API parameter called <active_kernels_only>.

While this parameter is still functional today, Qualys has earmarked that this will be deprecated at some point in the future, in favor of a new Qualys API parameter called <arf_kernel_filter>.

This parameter will have an impact on the detections returned to ServiceNow, and if you check out the Qualys API docs, you will see two flavors of how this filter works -> "includes" and "excludes".

I would imagine that you would want to use the "excludes", so that your API requests say "hey Qualys, bring me back detections for <xyz> criteria, but exclude any detections found on non-running or non-exploitable kernels".

You can read more about the Qualys API filters here:
https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf

In ServiceNow, you will need to adjust the POST Message that is used to make API Requests to Qualys.

This involves adding a new "HTTP Query Parameter" to call out this additional Qualys API filter (on top of Severity, Detection Updated Since, etc).

I would further research the Qualys API Parameter called <arf_kernel_filter> to see what available options exist, and if any of these meet your requirement (such as Option 1, shown in the screenshot below, to exclude non-running / non-exploitable kernels).  If Option 1 looks like it fits your requirements, I would then test this out to make sure it returns the Qualys detections that you are expecting in a sub-prod ServiceNow instance -> or even a tool like Curl or Postman.

You may want to work with a seasoned ServiceNow developer or possibly create an HI Support Ticket for assistance if you are not comfortable with developing, backing up work, testing work, etc. on the ServiceNow platform.

You can find the Qualys Host Detection REST, POST Msg here:

https://<<YOUR_INSTNACE_NAME>>.service-now.com/nav_to.do?uri=%2Fsys_rest_message_fn.do%3Fsys_id%3Da9d2e1369f21120034c6b6a0942e70ed

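As an added example (not code from the thread, ServiceNow or Qualys), here is the pre-change check the accepted answer recommends, done offline in Python: build the Host List Detection form body with arf_kernel_filter=1 and diff an unfiltered and a filtered response to list the (host, QID) detections the filter would stop sending to ServiceNow. Everything except the arf_kernel_filter parameter is an assumption: the other parameter names and values, the XML element names, and the two responses, which are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Parameters the existing ServiceNow POST message is assumed to send already
# (the severity and date values here are made up for the example).
BASE_PARAMS = {
    "action": "list",
    "severities": "3-5",
    "detection_updated_since": "2023-01-01T00:00:00Z",
}


def build_detection_body(base, kernel_filter=None):
    """Form body for the Host List Detection call. kernel_filter=1 is the
    'excludes' flavour from the thread: drop detections on non-running kernels."""
    params = dict(base)
    if kernel_filter is not None:
        params["arf_kernel_filter"] = str(kernel_filter)
    return urlencode(params)


def detection_pairs(xml_text):
    """Set of (host id, QID) pairs in a response; element names are assumed."""
    root = ET.fromstring(xml_text)
    pairs = set()
    for host in root.iter("HOST"):
        host_id = host.findtext("ID")
        for det in host.iter("DETECTION"):
            pairs.add((host_id, det.findtext("QID")))
    return pairs


def dropped_by_filter(unfiltered_xml, filtered_xml):
    """Detections present without the filter but absent with it: what the
    ServiceNow import would stop creating Vulnerable Items for."""
    return sorted(detection_pairs(unfiltered_xml) - detection_pairs(filtered_xml))


# Constructed responses standing in for two API calls (without / with the filter).
UNFILTERED_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
<HOST><ID>1001</ID><DETECTION_LIST><DETECTION><QID>197001</QID></DETECTION>
<DETECTION><QID>197002</QID></DETECTION></DETECTION_LIST></HOST>
<HOST><ID>1002</ID><DETECTION_LIST><DETECTION><QID>197001</QID></DETECTION>
</DETECTION_LIST></HOST></HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""
# With the filter, host 1002 loses its only detection and disappears entirely.
FILTERED_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
<HOST><ID>1001</ID><DETECTION_LIST><DETECTION><QID>197001</QID></DETECTION>
</DETECTION_LIST></HOST></HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

if __name__ == "__main__":
    print(build_detection_body(BASE_PARAMS, kernel_filter=1))
    print(dropped_by_filter(UNFILTERED_XML, FILTERED_XML))
```

Run the two real calls with and without the new query parameter against a sub-prod instance (or with curl, as the answer suggests) and feed the responses to dropped_by_filter to confirm only non-running-kernel detections disappear.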

14 REPLIES


Hello @andy_ojha,

I tried adding the arf_kernel_filter with value as "1" and now I get the below error.

I also want to add exclude_superceded_patches with value as "1" and get the same below error.

Error: Invalid response code 400 received from Qualys. Encountered process error running the integration.

Without this parameter being added it works fine.


Do I need to add any other parameter with this parameter in the API to support this?

Thank you.

Hi. The information above is outdated. Now this functionality is implemented OOTB. What you need to do is update your Vulnerability Response and Qualys modules and enable the API parameters in the Qualys integration config (setup assistant).

I am not seeing this. Can you take a screenshot?