Integrating multiple Qualys sources into Configuration Compliance

WeiY
Tera Contributor

We are ingesting Qualys test results from multiple Qualys instances... let's refer to them as Qualys A and Qualys B. Each Qualys instance has different policies and ingesting test results from each instance results in policies being recorded in the sn_vulc_policy table.

When ingesting, I noticed that the source is “Qualys” whether I'm ingesting from Qualys A or Qualys B and there is no way to tell which policies came from which source. So I dug deeper into the code and found that the source is being hardcoded as "Qualys" no matter how many instances we are ingesting from.

This can be seen in the following 4 Script Includes within the Qualys Integration for Security Operations scope which are referenced when ingesting policies and when querying test results for those policies.

  • PolicyStream
  • PolicyListStream
  • QualysPCResultsIntegration
  • QualysPCPolicyDetailsIntegration

In order to differentiate the policies for each instance for ingestion, all existing policies in the sn_vulc_policy table are marked as inactive (_markInactive function in PolicyListStream Script Include) if they are not in the _receivedPolicy array which is populated by the _handlePolicy function in the same Script Include.

This means that active Qualys A policies will be marked as inactive while Qualys B policies and test results are being ingested (and vice versa). It also means that Qualys A and Qualys B ingestions cannot be done at the same time. They need to be done sequentially since each ingestion loops through the sn_vulc_policy table for all active policies to use in the query for test results.

We are running reports based on the sn_vulc_policy table and need to know which policies are active and inactive as well as which remediation tasks are linked to inactive policies. However, because the policies from Qualys A are set to inactive during ingestions of Qualys B (and vice versa), we can't accurately run these reports.

Is there a way to differentiate these policies that are coming in from Qualys A and Qualys B and to keep active ones from Qualys A active while ingesting from Qualys B?
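The deactivation behaviour described in this post, modelled in plain JavaScript as an added example (not part of the original post and not the Qualys integration's code). The in-memory table, the `instance` field, the policy IDs and all function names are assumptions for illustration; it compares a deactivation pass that sees every row with one scoped to the instance being ingested.

```javascript
// Constructed stand-in for sn_vulc_policy rows; `instance` is a hypothetical field.
function handlePolicies(table, instance, policyIds) {
  // Upsert each policy received in this run and remember its key.
  const received = [];
  for (const id of policyIds) {
    let row = table.find(r => r.policyId === id && r.instance === instance);
    if (!row) {
      row = { policyId: id, source: 'Qualys', instance: instance, active: false };
      table.push(row);
    }
    row.active = true;
    received.push(instance + ':' + id);
  }
  return received;
}

// Behaviour described in the post: any row not received in this run goes inactive.
function markInactiveUnscoped(table, received) {
  for (const row of table) {
    if (!received.includes(row.instance + ':' + row.policyId)) row.active = false;
  }
}

// Scoped variant: only rows owned by the instance being ingested are candidates.
function markInactiveScoped(table, instance, received) {
  for (const row of table) {
    if (row.instance !== instance) continue;
    if (!received.includes(row.instance + ':' + row.policyId)) row.active = false;
  }
}

// Three sequential runs: A (two policies), B (one), then A again with 1002 retired.
function runIngestions(scoped) {
  const table = [];
  const runs = [['Qualys A', ['1001', '1002']], ['Qualys B', ['2001']], ['Qualys A', ['1001']]];
  for (const [instance, ids] of runs) {
    const received = handlePolicies(table, instance, ids);
    if (scoped) markInactiveScoped(table, instance, received);
    else markInactiveUnscoped(table, received);
  }
  return table.filter(r => r.active).map(r => r.instance + ':' + r.policyId).sort();
}

console.log('unscoped:', runIngestions(false));
console.log('scoped:  ', runIngestions(true));
```

In the unscoped run the last ingestion wins and the other instance's policies end up inactive; the scoped run still retires policy 1002 for Qualys A while leaving Qualys B's policy active.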


Vishal6
Tera Expert

Is there a field called Integration Instance? This is the field I see in the VR module.

WeiY
Tera Contributor

There isn't for Configuration Compliance.

Satishkumar B
Giga Sage

@WeiY Could you show your Qualys integration setup for these 2 instances? Have you specified a different name for each instance integrated?

WeiY_0-1723179704034.png

As I mentioned before, if you look in the Script Includes that I listed, I see this in all of them:

WeiY_1-1723179778767.png

So it doesn't matter what I name my instances, the source name will always be "Qualys" for policies.