Integrating multiple Qualys sources into Configuration Compliance
08-08-2024 07:15 PM
We are ingesting Qualys test results from multiple Qualys instances... let's refer to them as Qualys A and Qualys B. Each Qualys instance has different policies and ingesting test results from each instance results in policies being recorded in the sn_vulc_policy table.
When ingesting, I noticed that the source is “Qualys” whether I'm ingesting from Qualys A or Qualys B and there is no way to tell which policies came from which source. So I dug deeper into the code and found that the source is being hardcoded as "Qualys" no matter how many instances we are ingesting from.
This can be seen in the following 4 Script Includes within the Qualys Integration for Security Operations scope which are referenced when ingesting policies and when querying test results for those policies.
PolicyStream
PolicyListStream
QualysPCResultsIntegration
QualysPCPolicyDetailsIntegration
In order to differentiate the policies for each instance for ingestion, all existing policies in the sn_vulc_policy table are marked as inactive (_markInactive function in PolicyListStream Script Include) if they are not in the _receivedPolicy array which is populated by the _handlePolicy function in the same Script Include.
This means that active Qualys A policies will be marked as inactive while Qualys B policies and test results are being ingested (and vice versa). It also means that Qualys A and Qualys B ingestions cannot be done at the same time. They need to be done sequentially since each ingestion loops through the sn_vulc_policy table for all active policies to use in the query for test results.
We are running reports based on the sn_vulc_policy table and need to know which policies are active and inactive as well as which remediation tasks are linked to inactive policies. However, because the policies from Qualys A are set to inactive during ingestions of Qualys B (and vice versa), we can't accurately run these reports.
Is there a way to differentiate these policies that are coming in from Qualys A and Qualys B and to keep active ones from Qualys A active while ingesting from Qualys B?
Labels:
Configuration Compliance
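The deactivation behaviour described in the post above, modelled in plain JavaScript as an added example; it is not part of the thread and is not the Qualys integration's code. The rows are constructed, and the `instance` field and all function names are hypothetical (per the thread, Configuration Compliance has no such field).

```javascript
// Plain-JavaScript model; an array stands in for the sn_vulc_policy table.
// Constructed sample rows. `instance` is a hypothetical field used only to
// show what per-instance scoping would change.
function sampleTable() {
  return [
    { id: 'A-100', source: 'Qualys', instance: 'Qualys A', active: true },
    { id: 'A-101', source: 'Qualys', instance: 'Qualys A', active: true },
    { id: 'B-200', source: 'Qualys', instance: 'Qualys B', active: true },
    { id: 'B-201', source: 'Qualys', instance: 'Qualys B', active: true },
  ];
}

// Behaviour as described in the post: every policy with the shared source
// "Qualys" that was not received in this run is marked inactive.
// (Assumption: the source value is the only filter applied.)
function markInactiveBySource(table, receivedIds) {
  const received = new Set(receivedIds);
  for (const row of table) {
    if (row.source === 'Qualys' && !received.has(row.id)) row.active = false;
  }
  return table;
}

// Scoped variant: only policies of the instance being ingested are
// candidates for deactivation, so other instances' policies are untouched.
function markInactiveByInstance(table, instance, receivedIds) {
  const received = new Set(receivedIds);
  for (const row of table) {
    if (row.instance === instance && !received.has(row.id)) row.active = false;
  }
  return table;
}

function activeIds(table) {
  return table.filter((row) => row.active).map((row) => row.id);
}

// One ingestion run from Qualys B that returns only policy B-200.
function runComparison() {
  return {
    sourceWide: activeIds(markInactiveBySource(sampleTable(), ['B-200'])),
    scoped: activeIds(markInactiveByInstance(sampleTable(), 'Qualys B', ['B-200'])),
  };
}

console.log(runComparison());
```

With the shared source, the Qualys B run leaves only B-200 active; with per-instance scoping, the Qualys A policies stay active and only B-201 is deactivated.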
08-08-2024 08:14 PM
Is there a field called Integration Instance? This is the field I see in the VR module.
08-08-2024 09:01 PM
There isn't for Configuration Compliance.
08-08-2024 09:56 PM
@WeiY Could you show your Qualys integration setup for these 2 instances? Have you specified a different name for each instance integrated?
08-08-2024 10:04 PM
As I mentioned before, if you look in the Script Includes that I listed, I see this in all of them:
So it doesn't matter what I name my instances, the source name will always be "Qualys" for policies.