How other Qualys customers are using the SN integrations
02-06-2023 11:15 AM
Wondering how other folks out there are using the details from Qualys to import and utilize Information Gathered QIDs, and how you might use those to highlight whether the last vulnerability scan properly authenticated (or not) to set expectations of how much "trust" you have in the reported vulnerabilities before acting on mitigating them. We have customized our implementation to attempt to share with our Systems Administrators, so they can work with the scan team to fix authentication records and credentials when a scan results in failed or not-attempted authentication. SN pushed back on us at the start, stating that IGs are not in their design for VR.
Anybody doing this sort of thing out there that we can perhaps compare notes with?
Thanks in advance for your time and consideration,
Joe
04-19-2023 09:02 AM
We reference a Qualys Search List in the API for ingesting vulnerabilities, which has IGs in it that include scan details.
example:
In SNow VR configuration we only allow Confirmed QIDs to create VITs. The ingested data updates the CMDB CI record; we also used customizations to feed IG info in. From here we can create SNow reports based on Last VM Scanned or Last VM Auth Scanned to identify where scans are occurring but Auth is not, or where no scans are occurring at all.
04-19-2023 09:35 AM
Thanks, @AC12
So from the images, you are actually bringing over "a ton" of IG data in the API responses but not using much of it (with the Information Severity 1 and 2 check boxes in your search list)? Then you are really only relying on the difference between the Last Scan and the Last VM Auth Scan date to say whether it was successful or not? And for normal vulnerability operations, you only bring over Confirmed Medium or above. Do you care about or do anything with Windows "authorization" relative to having trusted authenticated scans? If you are not actually using the IG data to determine that, I am guessing no.

We actually store the IG data (our implementation partner tried and retried how to do this, ending with a fully custom Qualys Attributes table with a Name-Value pair data type field to store the JSON string of all the IGs we limit the selection to). From those IGs we can then try to identify where authentication success, failure, or non-attempt is called out to drive actionable change to improve, as well as, for Windows, whether File & Print is enabled, disabled, or denied, along with remote registry access. We bring in all 5 severities as well as Confirmed with Potential, and had to limit IGs way, WAY down to the choice few that help us manage the environment and point out where improvements need to be made to get better visibility ... but SN doesn't seem to put any credence in IGs and suggested that we should make use of CC along with VR instead (but not all IGs are equivalent to a policy control).

Interesting difference in perspective. Thanks much for responding and sharing.
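The two approaches in this thread, the date comparison of Last VM Scanned against Last VM Auth Scanned and the stored IG name/value attributes, can be combined into one scan-trust classification per CI. The following is an added example, not code from either poster or from the Qualys/ServiceNow integration; the field names, the IG title markers and the QID placeholders are all constructed assumptions, so substitute the QIDs from your own search list.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class HostRecord:
    """One CMDB CI as populated by the integration (field names are assumed)."""
    name: str
    last_vm_scanned: datetime | None
    last_vm_auth_scanned: datetime | None
    # IG QIDs kept as a QID -> title map, mirroring a custom Name-Value
    # attributes table holding the selected IGs as JSON.
    ig_attributes: dict[str, str] = field(default_factory=dict)

# Constructed title fragments; match these to the real IG titles you ingest.
AUTH_FAILED_MARKER = "Authentication Failed"
AUTH_NOT_ATTEMPTED_MARKER = "Authentication Not Attempted"

def auth_status(host: HostRecord, now: datetime, stale_after_days: int = 30) -> str:
    """Classify how much trust the last scan's findings deserve."""
    if host.last_vm_scanned is None:
        return "never_scanned"
    if now - host.last_vm_scanned > timedelta(days=stale_after_days):
        return "scan_stale"
    # Explicit IG evidence wins over the date comparison when it is present.
    titles = " | ".join(host.ig_attributes.values())
    if AUTH_FAILED_MARKER in titles:
        return "auth_failed"
    if AUTH_NOT_ATTEMPTED_MARKER in titles:
        return "auth_not_attempted"
    # Fallback: an auth scan older than the last scan means the last scan ran unauthenticated.
    if host.last_vm_auth_scanned is None or host.last_vm_auth_scanned < host.last_vm_scanned:
        return "unauthenticated_scan"
    return "authenticated"

def trust_report(hosts: list[HostRecord], now: datetime) -> dict[str, str]:
    """Name -> status, suitable for a report of hosts needing credential fixes."""
    return {h.name: auth_status(h, now) for h in hosts}

# Constructed sample CIs; QID-PLACEHOLDER values stand in for real IG QIDs.
NOW = datetime(2023, 4, 19)
SAMPLE_HOSTS = [
    HostRecord("web01", datetime(2023, 4, 18), datetime(2023, 4, 18)),
    HostRecord("db02", datetime(2023, 4, 18), datetime(2023, 3, 1),
               {"QID-PLACEHOLDER-1": "Unix Authentication Failed"}),
    HostRecord("win03", datetime(2023, 4, 18), datetime(2023, 4, 18),
               {"QID-PLACEHOLDER-2": "Windows Authentication Not Attempted"}),
    HostRecord("app04", datetime(2023, 4, 17), None),
    HostRecord("old05", datetime(2023, 1, 10), datetime(2023, 1, 10)),
    HostRecord("new06", None, None),
]
```

Hosts in any status other than `authenticated` are the ones to hand to the Systems Administrators and scan team for authentication-record fixes.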