How to limit vulnerability host scan from Qualys based on "Os Category" attribute of Qualys?
‎03-13-2024 04:49 PM
We are in the process of initiating the Qualys integration to ServiceNow.
What is the best practice approach to limit, or filter, incoming vulnerabilities based on the Qualys attribute called "Os Category" which is equal to "server"?
In other words, let's say I only want to stage how import data, for now, to only server operating system. How is this done? I understand the ability to limit severity in the Setup Assistant, but how can I limit the os category type to server?
Currently on the Vancouver release of VR.
‎03-14-2024 01:58 AM
You can use the Asset Groups functionality within Qualys.
First you need to define the asset group Servers in Qualys.
Then you can update the REST call with which SecOps retrieves host scan information.
You can use this link for SecOps REST message customization:
And here is the link to Qualys API:
https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf
Around page 507 you will have the necessary API parameters.
‎03-17-2024 03:09 PM
Thanks for the reply. I checked the PDF for that, and when I look at that page I can see we can use the attribute OS_Pattern for servers like Windows or Linux. With regard to that, could you please advise what Regex value I should be using for this, and whether %5EWindows or %5ELinux is correct? Also, if I want multiple values for this attribute, should I be doing this comma separated?
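The asset-group and OS-pattern filters discussed in the two posts above, as an added example that is not code from the thread or from ServiceNow or Qualys. It assumes `os_pattern` carries a single URL-encoded PCRE expression and `ag_titles` a comma-separated list of asset group titles, as in the Qualys API guide linked above; the function names are hypothetical and the OS strings are constructed samples.

```javascript
// Constructed sample OS strings (not taken from a real Qualys subscription).
const SAMPLE_OS = [
  "Windows Server 2019 Standard 64 bit Edition",
  "Windows 10 Enterprise 64 bit Edition",
  "Red Hat Enterprise Linux Server 7.9",
  "Ubuntu Linux 20.04",
  "Linux 2.6",
];

// os_pattern is one expression, so several alternatives are joined with "|"
// inside one anchored group; a comma would be matched as a literal character.
function anyOf(alternatives) {
  if (alternatives.length === 0) throw new Error("os_pattern cannot be empty");
  return "^(?:" + alternatives.join("|") + ")";
}

// Preview which OS strings a pattern would select before changing the import.
// Assumption: anchors and alternation behave the same in JavaScript and PCRE.
function previewMatches(pattern, osStrings) {
  const re = new RegExp(pattern);
  return osStrings.filter((os) => re.test(os));
}

// Build the query string for the REST message. encodeURIComponent produces
// the %5E form of "^" that appears in the thread.
function buildQuery({ agTitles = [], osPattern }) {
  const params = [["action", "list"]];
  if (agTitles.length) params.push(["ag_titles", agTitles.join(",")]);
  if (osPattern) {
    new RegExp(osPattern); // throws early on a malformed expression
    params.push(["os_pattern", osPattern]);
  }
  return params.map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("&");
}

// "^Windows" also selects the Windows 10 workstation; "^Linux" misses the
// distributions whose OS string starts with the vendor name.
console.log(previewMatches("^Windows", SAMPLE_OS));
console.log(previewMatches("^Linux", SAMPLE_OS));
console.log(previewMatches(anyOf(["Windows Server", ".*Linux"]), SAMPLE_OS));
console.log(buildQuery({ agTitles: ["Servers"], osPattern: "^Windows Server" }));
```

Running the preview against an export of your own hosts' OS strings shows which assets a pattern would drop from the import before the REST message is changed.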
‎06-26-2024 04:17 AM - edited ‎06-26-2024 04:18 AM
Hi @Mithilesh K ,
Steps to Limit Import to Specific "Os Category" (e.g., "server")
1. Configure the Qualys Integration Data Source
Log in to ServiceNow:
- Log in to your ServiceNow instance with an admin account.
Navigate to the Data Sources:
- In the left-hand navigation pane, type Data Sources in the filter navigator and click on System Import Sets > Data Sources.
Open the Qualys Data Source:
- Find the Data Source related to your Qualys integration. This might be named something like Qualys Vulnerability Import.
2. Edit the Import Set Transform Map
Navigate to Transform Maps:
- In the left-hand navigation pane, type Transform Maps and click on System Import Sets > Transform Maps.
Open the Qualys Transform Map:
- Find the Transform Map associated with the Qualys data import. This might be named something like Qualys Vulnerability Import.
- Click on the Transform Map to open it.
Edit the Transform Map Script:
- Scroll down to the Field Maps section and look for the script that maps fields from Qualys to ServiceNow.
- Add a script to filter the records by the "Os Category".
Example script:
(function executeRule(current, previous /*null when async*/) {
    // Check if OS Category is not 'server'
    if (current.os_category != 'server') {
        current.setAbortAction(true); // Skip processing
    }
})(current, previous);
Save the Transform Map:
- Save your changes to the Transform Map.
3. Test the Data Import
Run a Test Import:
- To test the import, go to the Data Source and run a test import to ensure only records with "Os Category" set to "server" are imported.
Verify the Imported Data:
- Check the relevant table (e.g., sn_vul_vulnerability) to ensure only the desired records with the "Os Category" of "server" are present.
By following these steps, you should be able to limit the import of vulnerabilities to only those with the "Os Category" set to "server" in your Qualys integration with ServiceNow.
-----------------------------------------------------------------------------------------------------------------------------------------------
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.