Integrating specific Qualys Policies with Configuration Compliance

Go to solution
Kevin Lillis
Tera Expert

‎11-10-2023 12:51 PM

Hi,

 

We are in the process of integrating Qualys Policy Compliance with Configuration Compliance.  We currently do have an integration successfully working for several years for Vulnerability Response.  We are on the Utah version (soon going to Vancouver).

 

Is there a way to specifically choose which Qualys policies you want to integrate/ingest into ServiceNow Config Compliance?  We have a total of 11 active policies and only wish to integrate 8 policies at this point.  In addition, as we test this out, we would maybe like to integrate just one policy to start with into our DEV environment and 'work out the kinks' before we integrate the additional 7 policies.

 

Thanks in advance.

 

Kevin

0 Helpfuls
  • 1,863 Views
1 ACCEPTED SOLUTION

Go to solution
Joe Kline
Kilo Guru
In response to Kevin Lillis

‎11-15-2023 09:33 AM

Kevin,

That link by itself doesn't really go into the detail of what to change or how to accomplish it to then limit which Policies get pulled from Qualys.  However match that along with the Qualys API user guides, you can find this:

ids={value} (Optional) Show only certain policy IDs and/or ID ranges. One or
more policy IDs/ranges may be specified. Multiple entries are
comma separated. A policy ID range entry is specified with a
hyphen (for example, 160-165). Valid policy IDs are required.

 

That is an additional input parameter that you can add to the HTTP REST message that gets passed along and should limit you down on what will come across.  For me, I have enough technical debt on customizations without doing that too, and once set would mean I have to always be in communication with the PC team that is configuring Policies on Qualys to know when they have another new one that would need to be then added to this list for import.  But that sure does enable you to only go after specific ID's when the integration runs.

View solution in original post

11 REPLIES 11

Go to solution
Joe Kline
Kilo Guru
In response to Greg Stone1

‎11-13-2023 10:32 AM

I'd be interested in more detail of just how this is being done, as well.  My view and understanding of the integrations is that the Qualys PC Policy integration job uses the API to list all policies, without selective capability ... unless you customize the script include and/or HTTP method for the integration.

Go to solution
Greg Stone1
Tera Contributor

‎11-13-2023 10:21 AM

I'm not sure what happens on the Qualys side, but on the SecOps CC side, there is a Test Group for each of the policies we want to bring in. The Policy ID of that Test Group is the Qualys Policy ID, they must match.

0 Helpfuls

Go to solution
Joe Kline
Kilo Guru
In response to Greg Stone1

‎11-14-2023 06:40 AM

Right!  Policies was recently renamed to Test Groups in the CC product, and yes, each entry corresponds to a Policy in Qualys.  However, I think Kevin asked how to be selective in doing the Policy ingest.  My experience so far is that the Qualys PC Policy integration is not at all selective without modification.  It sends an API "list" request over to Qualys, and the results are fully inclusive of ALL policies that are active and enabled in Qualys.  Greg, on your response that I asked for more understanding, it seemed to me to say you did something to get only the policy that you wanted, very selectively.

Go to solution
Kevin Lillis
Tera Expert

‎11-15-2023 06:43 AM

It appears that this is the link that you can identify what policies to integrate from Qualys Policy Compliance into Configuration Compliance.  Has anyone set these settings before for specific policies?

https://docs.servicenow.com/bundle/vancouver-security-management/page/product/secops-integration-cc/...

0 Helpfuls

Go to solution
Joe Kline
Kilo Guru
In response to Kevin Lillis

‎11-15-2023 09:33 AM

Kevin,

That link by itself doesn't really go into the detail of what to change or how to accomplish it to then limit which Policies get pulled from Qualys.  However match that along with the Qualys API user guides, you can find this:

ids={value} (Optional) Show only certain policy IDs and/or ID ranges. One or
more policy IDs/ranges may be specified. Multiple entries are
comma separated. A policy ID range entry is specified with a
hyphen (for example, 160-165). Valid policy IDs are required.

 

That is an additional input parameter that you can add to the HTTP REST message that gets passed along and should limit you down on what will come across.  For me, I have enough technical debt on customizations without doing that too, and once set would mean I have to always be in communication with the PC team that is configuring Policies on Qualys to know when they have another new one that would need to be then added to this list for import.  But that sure does enable you to only go after specific ID's when the integration runs.