Fixing Detection Keys for Qualys Job settings

Joe Kline
Kilo Guru

I have been working on an early upgrade instance where we get to Rome AND latest updates for Vulnerability Response and the Qualys Integration for Security Operations applications. Within those updates we are going from v13 VR to v15, which includes the changes made as part of v14 where the Detection keys allow for the removal of "Proof" in the hash - thus hoping to see less duplication of detections for the same vulnerability found on a device ... In doing this, I want to correct the old detections to ensure we get rid of old "garbage" duplicates and have the single "valid" detections to then be updated and capture the Fixed state from the Qualys scanner more consistently to close them out.

Reading through the documentation leaves me wondering about the "Fixing the detections for updated key for Qualys" job and how it really should be enabled/triggered. On my system it is inactive. Documentation suggests it needs to run, but doesn't specifically state activating it and letting it run periodically as it is scheduled, or if it should be an activation and one-time run, or just what.

Anybody out there with a Qualys integration that went through this to advise on the correct usage and frequency of letting that new scheduled job run to clean up millions of detection data to get it down to having only the right subset of items to then be updated with ongoing import integration jobs?

Thanks, in advance, for any clarifying suggestions.

1 ACCEPTED SOLUTION

Shivam Sarawagi
ServiceNow Employee

Hi,

The job needs to be run only once. Please check the sn_vul_detection_key_config table and see the "Status" of the source Qualys. If it's complete, then the job has already run and fixed your data (nothing to be done).

If it's in the pending state, then please check and make sure you don't have any customization in the script includes "Detection" and "DetectionBase". After reverting the script includes to out of box, you can trigger the scheduled job once.

Thanks,

Shivam

2 REPLIES

Thank you Shivam. I currently see two jobs having been run so far in my logs. I knew nothing about the key_config table and, just looking, it is in "In Progress" status. Detection and DetectionBase, I believe, were both modified, and other team members responsible to help me in that area felt the customizations were too complex to just "revert". Sigh.

I will look deeper into the two script include items per your suggestion as well as now monitor the key config table status of the Qualys record to see if it goes to Complete - when we do this all again for real in the Rome upgrade starting this weekend.

Appreciate the rapid reply!
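
The effect of dropping "Proof" from the detection key, described in the question above, shown as an added example that is not from the thread or from ServiceNow's code. The key fields (hostId, qid, port, protocol), the SHA-256 hash and the scan rows are assumptions constructed for illustration; the real key composition is defined by the Vulnerability Response application.

```javascript
const crypto = require('crypto');

// Assumed key fields; not taken from the product.
const BASE_FIELDS = ['hostId', 'qid', 'port', 'protocol'];

// Build a detection key, optionally including the scanner's proof text.
function detectionKey(row, includeProof) {
  const fields = includeProof ? BASE_FIELDS.concat('proof') : BASE_FIELDS;
  const material = fields.map((f) => String(row[f] ?? '')).join('|');
  return crypto.createHash('sha256').update(material).digest('hex');
}

// Replay scan rows in order, keeping one record per key the way an
// import that upserts on the detection key would.
function replay(rows, includeProof) {
  const records = new Map();
  for (const row of rows) {
    const key = detectionKey(row, includeProof);
    const rec = records.get(key) || { firstSeen: row.scanDate };
    rec.lastSeen = row.scanDate;
    rec.status = row.status;
    records.set(key, rec);
  }
  return [...records.values()];
}

// Constructed sample: one finding on one host over three scans.
// The proof text changes each time; the last scan reports it fixed.
const finding = { hostId: 'HOST-EXAMPLE-1', qid: 'QID-EXAMPLE', port: 443, protocol: 'tcp' };
const SCANS = [
  { ...finding, proof: 'certificate expires in 30 days', status: 'Active', scanDate: 'scan-1' },
  { ...finding, proof: 'certificate expires in 23 days', status: 'Active', scanDate: 'scan-2' },
  { ...finding, proof: '', status: 'Fixed', scanDate: 'scan-3' },
];

// Count total records and those never updated to Fixed.
function summarize(includeProof) {
  const recs = replay(SCANS, includeProof);
  return { total: recs.length, stillOpen: recs.filter((r) => r.status !== 'Fixed').length };
}

console.log('proof in key:    ', summarize(true));
console.log('proof not in key:', summarize(false));
```

With proof in the key, each change in proof text creates a new record and the earlier ones never receive the Fixed update; without it, all three scans land on one record that closes.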