In-Depth Guide: Integrating ServiceNow with Qualys

09-22-2024 12:04 AM - edited 09-22-2024 12:50 AM
Integrating ServiceNow with Qualys can streamline your organization’s vulnerability management and incident response workflows. This comprehensive guide provides a step-by-step process to set up this integration, complete with example scripts and best practices.
Prerequisites
- ServiceNow Instance: You need access to a ServiceNow instance with appropriate permissions to create REST messages and scheduled jobs.
- Qualys Account: Ensure you have a valid Qualys account with API access. This typically requires administrative privileges.
- Basic Knowledge: Familiarity with REST APIs, JavaScript, and ServiceNow’s platform will help in understanding the implementation.
Step 1: Generate Qualys API Credentials
1. Log in to Qualys:
- Access your Qualys account and navigate to the User Preferences section.
2. API Settings:
- Locate the section to manage API settings. You may need to enable API access if it’s not already set up.
3. Generate Credentials:
- Create or retrieve your API username and password. Keep this information secure, as it will be used to authenticate your API requests.
Step 2: Configure Qualys API in ServiceNow
2.1 Create a REST Message in ServiceNow
1. Navigate to REST Messages:
- In ServiceNow, go to System Web Services > Outbound > REST Message.
2. Create a New REST Message:
- Click New and fill in the following fields:
  - Name: Qualys API
  - Endpoint: `https://<qualys_api_url>/api/2.0/fo/` (replace `<qualys_api_url>` with the actual Qualys API endpoint).
3. Define the Request:
- Set the HTTP Method to `GET` for fetching data.
2.2 Create Authentication
1. Add Authentication:
- Under the REST Message you just created, click on the HTTP Request tab.
- Choose Basic Authentication and fill in:
  - Username: Your Qualys API username
  - Password: Your Qualys API password
Script: Create a REST Message
Here’s a simple script to initialize a REST message in ServiceNow:
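```javascript
// Build an outbound REST request to the Qualys API.
var restMessage = new sn_ws.RESTMessageV2();
restMessage.setEndpoint('https://<qualys_api_url>/api/2.0/fo/vm/asset/');
restMessage.setHttpMethod('GET');
// Placeholder credentials; replace with your Qualys API username and password.
restMessage.setBasicAuth('your_username', 'your_password');
```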
Step 3: Set Up Scheduled Jobs
3.1 Create a Scheduled Job
1. Navigate to Scheduled Jobs:
- Go to System Definition > Scheduled Jobs.
2. Create a New Scheduled Job:
- Click New and configure the fields:
  - Name: Pull Qualys Vulnerabilities
  - Run: Set your desired frequency (e.g., daily, weekly).
3.2 Script to Pull Data
Add the following script in the Script section of the scheduled job to retrieve data from Qualys:
```javascript
(function executeScheduledJob(current) {
    var restMessage = new sn_ws.RESTMessageV2();
    restMessage.setEndpoint('https://<qualys_api_url>/api/2.0/fo/vm/asset/');
    restMessage.setHttpMethod('GET');
    // Placeholder credentials; replace with your Qualys API username and password.
    restMessage.setBasicAuth('your_username', 'your_password');

    var response = restMessage.execute();
    var responseBody = response.getBody();
    var responseCode = response.getStatusCode();

    // Check if the request was successful
    if (responseCode == 200) {
        var responseObject;
        try {
            responseObject = JSON.parse(responseBody);
        } catch (e) {
            // A body that is not valid JSON would otherwise abort the job with an uncaught exception
            gs.error('Qualys API response could not be parsed: ' + e.message);
            return;
        }
        // Process vulnerabilities
        if (responseObject && responseObject.data) {
            for (var i = 0; i < responseObject.data.length; i++) {
                var vulnerability = responseObject.data[i];
                // Logic to create or update incidents
                var incident = new GlideRecord('incident');
                incident.initialize();
                incident.short_description = 'Vulnerability: ' + vulnerability.title;
                incident.description = 'Details: ' + vulnerability.details;
                incident.insert();
            }
        }
    } else {
        // Log error if the API call fails
        gs.error('Qualys API call failed with status code: ' + responseCode);
    }
})(current);
```
Step 4: Create Business Rules and Workflows
4.1 Create a Business Rule
1. Navigate to Business Rules:
- Go to System Definition > Business Rules.
2. Create a New Business Rule:
- Click New and configure the fields:
  - Name: Create Incident for High Severity Vulnerability
  - Table: Vulnerabilities (or your custom table)
  - When: After
3. Set Conditions:
- Define conditions under which the rule will trigger, such as severity levels.
4.2 Script for Business Rule
In the business rule, add the following script to create an incident for high-severity vulnerabilities:
```javascript
// Runs after a record is written to the vulnerability table; `current` is that record.
if (current.severity == 'High') {
    var incident = new GlideRecord('incident');
    incident.initialize();
    incident.short_description = 'High Severity Vulnerability: ' + current.title;
    incident.description = 'Details: ' + current.details;
    incident.insert();
}
```
Step 5: Test the Integration
1. Run the Scheduled Job:
- Manually trigger the scheduled job to pull data from Qualys.
2. Check Incident Creation:
- Review the incidents created in ServiceNow to ensure they reflect the vulnerabilities fetched from Qualys.
3. Error Logging:
- Check the system logs for any errors that occurred during the integration process.
Step 6: Monitor and Maintain
- Regular Monitoring: Check the integration periodically to ensure data is being pulled correctly.
- Update Scripts: Modify scripts as necessary, especially if there are changes to API endpoints or data structures.
- Security: Regularly update API credentials and enforce best security practices to protect sensitive information.
Conclusion
Integrating ServiceNow with Qualys can greatly improve your organization’s ability to manage vulnerabilities and respond to security incidents effectively. By following this guide, you can set up a robust integration that automates workflows and enhances security operations.
Resources
- Qualys API Documentation
- ServiceNow REST API Documentation
- ServiceNow Business Rules
Feel free to customize the scripts and processes based on your organization's needs. If you have further questions or require additional assistance, don’t hesitate to reach out!
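Added example, not part of the original post: the scheduled job in Step 3.2 inserts a new incident for every item on every run, so repeated runs duplicate incidents. The sketch below plans create versus update actions from a correlation key and rejects a body that is not JSON. The field names `host`, `qid` and `severity`, the numeric severity threshold, and the `existingKeys` map are assumptions, not the Qualys response format.

```javascript
// Added example (not from the original post). Plain ES5 so it runs in Node
// and in a ServiceNow server-side script. Field names are assumptions.

// Stable key per host + Qualys QID. In ServiceNow it could be stored in the
// incident's correlation_id field and queried before inserting.
function correlationKey(finding) {
    return 'qualys:' + String(finding.host).toLowerCase() + ':' + String(finding.qid);
}

// Decide, per finding, whether to create a new incident or update one that
// already exists. existingKeys maps correlation keys of open incidents to true.
function planIncidentActions(responseBody, existingKeys, minSeverity) {
    var plan = { create: [], update: [], skipped: 0, error: null };
    var parsed;
    try {
        parsed = JSON.parse(responseBody);
    } catch (e) {
        plan.error = 'response body is not JSON';   // e.g. an XML or HTML error page
        return plan;
    }
    if (!parsed || !Array.isArray(parsed.data)) {
        plan.error = 'response has no data array';
        return plan;
    }
    var seen = {};
    for (var i = 0; i < parsed.data.length; i++) {
        var f = parsed.data[i];
        // Skip incomplete records and anything below the severity threshold.
        if (!f || !f.host || !f.qid || !(Number(f.severity) >= minSeverity)) {
            plan.skipped++;
            continue;
        }
        var key = correlationKey(f);
        if (Object.prototype.hasOwnProperty.call(seen, key)) {
            plan.skipped++;                          // duplicate within this batch
            continue;
        }
        seen[key] = true;
        var known = Object.prototype.hasOwnProperty.call(existingKeys, key);
        (known ? plan.update : plan.create).push({ key: key, finding: f });
    }
    return plan;
}

// Constructed sample payload, not real Qualys output.
var SAMPLE_BODY = JSON.stringify({ data: [
    { host: 'WEB01', qid: 1001, severity: 5, title: 'Sample finding A' },
    { host: 'web01', qid: 1001, severity: 5, title: 'Sample finding A' },
    { host: 'db01',  qid: 2002, severity: 4, title: 'Sample finding B' },
    { host: 'app01', qid: 3003, severity: 2, title: 'Sample finding C' }
] });
```

Inside the scheduled job, each `create` entry would become an `insert()` and each `update` entry an `update()` on the matching record.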
09-22-2024 12:14 AM
Good write up @Vaishnavi Lathk
This is one of the most used VR integrations.
A small question on this: since the script is inserting incidents, how is the incident assignment managed?
It will add a huge number of incidents into the system.
Just want to add one point.
Since the amount of data that comes into the system is high, it's recommended to set the scheduled job during non-peak business hours to reduce the impact on system performance.
Kind Regards,
Ravi.

09-22-2024 12:35 AM
Thank you for your question regarding incident assignment in our ServiceNow integration.
When the script inserts incidents, we implement a few strategies to manage assignment effectively:
- Assignment Rules: We utilize predefined assignment rules within ServiceNow. These rules help route incidents to appropriate groups based on criteria such as incident type, priority, and location. This ensures that incidents are assigned to the right teams for timely resolution.
- Load Balancing: To handle the volume of incidents, we can configure load balancing by distributing incidents evenly across available teams. This prevents any one group from being overwhelmed by a sudden influx of incidents.
- Dynamic Assignment: For real-time incident management, we can leverage ServiceNow’s dynamic assignment features. This allows incidents to be assigned to specific agents based on their current workload and availability, optimizing resource utilization.
- Monitoring and Alerts: We implement monitoring mechanisms to track incident volumes and assignment efficiency. This way, we can quickly identify any bottlenecks and adjust the assignment strategies as needed.
Regarding your point about scheduling jobs during non-peak hours, that’s an excellent recommendation. Running the integration during off-peak hours can significantly reduce the impact on system performance and ensure smoother processing of incidents.
Please let me know if you need further details or have more questions!
09-22-2024 01:54 AM
Thanks Vaishnavi.
I'm not aware of the incidents part; I was under the impression that it follows the Remediation process
(like Remediation Task rules, and those Remediation tasks get assigned to the concerned team).
Kind Regards,
Ravi Chandra.
09-30-2024 12:16 PM
Hi Vaishnavi,
Are you aware of the OOB integration ServiceNow has developed between Qualys and our Vulnerability Response solution? Due to the security of these types of incidents, the Vulnerability Response application has access controls built in to only allow those assigned viewing of their vulnerability incidents. We have found that, for organizations that put vulnerability incidents into the Incident channel used for ITSM, both access and reporting can cause challenges. The OOB integration brings in the Qualys knowledge base, the asset library, and the vulnerability findings. We also offer an integration for bringing Qualys policy compliance findings into the Configuration Compliance application. Any customer with a license to the Vulnerability Response application would have access to this integration.
Hope this helps!