02-28-2019 06:13 PM
We are in the process of initiating the Qualys integration to ServiceNow as part of an internal VR project. What is the best practice approach to limit, or filter, incoming vulnerabilities based on Asset Class (CMDB Class) and then vulnerability severity?
In other words, let's say I only want to stage how import data, for now, to only Linux servers which have a severity of 3-5. How is this done? Is it on the Qualys side or are there modifications needed on the ServiceNow side? I understand the ability to limit severity in the Setup Assistant, but how can I limit the asset types?
Currently on the London release of VR.
Labels: Best Practices, Vulnerability Response

03-01-2019 05:00 PM
Hey Doug.
It's definitely a good idea to filter the Qualys detection data being on-boarded into VR, and taking a staggered approach.
The filtering of Qualys detection data is configured in the Qualys API Request using special parameters. Since the API Request is sent from ServiceNow to Qualys, setting the Qualys API Request parameters is done in ServiceNow. From there, Qualys will filter the payload returned to ServiceNow based on the request it is serving.
There are certain parameters that are already specified in the base system Qualys + ServiceNow VR integration, as you noted from the Setup Assistant in London. However, if you need to adjust that filtering to suit your needs, you can specify additional API parameters that are compliant with the `Qualys Host List Detection API`.
Check out the Qualys API docs, from Page 324 onwards (Qualys Host List Detection API):
- https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf
You may want to consider your approach to filtering based on how you've set up Qualys and your environment being scanned.
You could specify in the API call from ServiceNow --> Qualys, what results should be returned using parameters such as Qualys Asset Tags, Qualys asset IP addresses, Qualys asset IP ranges, Qualys asset operating system values (regex matching), Qualys detection severity values, etc.
It sounds like you are on the right track here. Generally, it's a good idea to start with an aggressive filter and ensure that the moving pieces in ServiceNow are functioning as expected (e.g. Configuration Item matching, Vulnerable Item / Vulnerability Group grouping and assignment, etc). Then you could open up the filtering to on-board a larger volume of Qualys detections.
You'll see some posts in the Community that review using the "Postman" tool to do troubleshooting and analysis with the Qualys API - it's a handy tool for this purpose as you get started and begin crafting your Qualys Host List Detection API request with certain parameters.
The API Parameters that are used to construct the API Request sent to Qualys from ServiceNow can be located via:
- Qualys Vulnerability Integration | Administration | Primary Integrations | Qualys Host Detection Integration | Qualys REST Details - (tab) | REST Method - (i) icon | HTTP Request - (tab)
You'll see the parameters here that the Setup Assistant in London controls.
You could introduce your own parameters in this list, based on your requirement (e.g. IP Addresses, Qualys Tags, Qualys OS based on regex). This will construct the API Request sent to Qualys, that will return a filtered payload of Qualys Host Detection data for ServiceNow to process.

03-01-2019 07:22 AM
I had done integration via a different VR product, but the principles are the same. I would suggest that you review closely what the goal of the project is. What are the existing processes that the VR integration would improve, what's the new process the VR would enable?
i.e.
1. using VR to improve the existing patch management process (identify patches that have not been installed, missing the SLA, etc).
2. using VR to enable integrated risk management
3. using VR to help security incident handling
4. improve existing discovery for Configuration Items
These are just some examples. Depending on your goal, you could configure/adjust your integration accordingly. Focus on leveraging what already exists in ServiceNow, not just importing the VR data into ServiceNow.

03-01-2019 08:14 AM
Doug,
You need to add "os_pattern={expression}" to the HTTP Query Parameters section of Post from the Qualys Host Detection Integration. You need to encode the os_pattern in a Regular Expression in PCRE Format. This will only pull hosts whose OS matches your specified pattern.
Please mark this as correct or helpful so others can benefit from our conversations.
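
The filter discussed in the replies above, as an added example that is not part of the original thread: it dry-runs an `os_pattern` against OS strings and URL-encodes it together with a severity range before the values go into the integration's HTTP query parameters. The `severities` and `action=list` parameter names are assumed from the Qualys Host List Detection API, and the pattern and OS strings are constructed for illustration.

```python
import re
from urllib.parse import urlencode

# Constructed OS strings, shaped like values a scanner might report.
SAMPLE_OS = [
    "Red Hat Enterprise Linux Server 7.6",
    "Ubuntu Linux 18.04",
    "Linux 3.10",
    "Windows Server 2016 Standard 64 bit Edition",
    "Cisco IOS 15.2",
    "VMware ESXi 6.5.0",
]

def parse_severities(value):
    """Expand '3-5' or '3,5' into levels; reject anything outside 1-5."""
    levels = set()
    for part in value.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 5:
            raise ValueError(f"bad severity range: {part!r}")
        levels.update(range(lo, hi + 1))
    return sorted(levels)

def preview_matches(os_pattern, os_values):
    """Dry-run the pattern locally. Python's re is not PCRE, but simple
    anchors, groups and alternation behave the same in both."""
    rx = re.compile(os_pattern)
    return [v for v in os_values if rx.search(v)]

def build_query(os_pattern, severities):
    """Return the URL-encoded parameter string for the detection request."""
    parse_severities(severities)   # validate before sending
    re.compile(os_pattern)         # fail early on a malformed expression
    return urlencode({"action": "list",
                      "os_pattern": os_pattern,
                      "severities": severities})

if __name__ == "__main__":
    pattern = "^(Red Hat|CentOS|Ubuntu|Linux)"  # constructed pattern
    print(preview_matches(pattern, SAMPLE_OS))
    print(build_query(pattern, "3-5"))
```

Running the preview against an export of OS values from your own Qualys subscription shows which hosts a pattern would include or silently drop before the integration's next scheduled pull.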

03-04-2019 09:03 AM
Thank you!