Qualys Host Detection Comprehensive Integration (New vs Active Vulnerabilities)
09-16-2022 09:48 AM
As per the release notes for Version 12.2.2 - October 2021
Qualys Host Detection Comprehensive Integration retrieves host and vulnerability data from Qualys. The output of this integration is vulnerable items. This integration imports vulnerabilities in all the states - New, Fixed, Active, and Reopened. By default, this integration is inactive and runs weekly.
Changed: Changed the existing Qualys Host Detection Integration to bring in only new and closed detections. This change is done to improve the daily integration performance.
We are trying to understand how this will impact us if the Qualys Host Detection Comprehensive Integration is not turned on.
Please let us know the impacts of not having the active vulnerabilities for a week and how this will impact the auto-stale functionality.
Labels: Vulnerability Response
09-17-2022 09:55 AM
Hi,
The purpose of the comprehensive integration is to reduce the volume that the daily integration brings. This integration is helpful when your daily ingestion runs very long and brings in tens of millions of records. With comprehensive enabled, daily will bring in reopened, fixed, or newly identified detections only. If a detection is in the same state, then it won't come in through the daily integration, in turn reducing the volume of daily ingestion.
A successful run of the comprehensive integration becomes mandatory for autoclose if you enable it. If you keep it inactive, the daily integration will bring in everything that is getting scanned and will keep the last found of the detection up to date, and autoclose will work without any issues.
09-19-2022 07:46 AM
Hey Shivam,
Thanks for the response. I understand the removal of active detections from the host detection integration to make it faster. I have a follow-up on your response. Is it mandatory to have the comprehensive integration turned on with that change? And would you please share some more context for 'A successful run of comprehensive integration becomes mandatory for autoclose if you enable it. If you keep it inactive daily integration will bring in everything which is getting scanned and will keep the last found of the detection up to date and autoclose will work without any issues.'
Does 'it' refer to the comprehensive job? And by 'auto close' do you mean the OOB configuration that closes VITs with retired CIs?
Thanks,
09-19-2022 07:57 PM
Yes, if you remove Active from the host detection integration, then the comprehensive integration becomes mandatory to update the detections/VITs with the correct last found date. This date is used by the auto close job to mark items stale.
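The two replies above describe one mechanism: the daily job only writes detections whose state changed, so an Active detection that Qualys keeps re-finding never refreshes its last-found date unless the comprehensive job (which imports every state) runs, and the auto-close job reads that date to decide what is stale. The following is an added simulation of that interaction, not code from ServiceNow, Qualys, or anyone in this thread. The host name `web-01`, QID `12345`, the start date, the stale threshold, and the modelled auto-close rule (an open item whose last-found date is at least N days old is marked stale) are all constructed assumptions.

```python
"""Constructed simulation of how state-filtered Qualys host-detection ingestion
affects the last-found date that an auto-close job uses to mark vulnerable items
(VITs) stale. Illustrative code only, not ServiceNow or Qualys code."""
from dataclasses import dataclass
from datetime import date, timedelta

# Detection states named in the thread. After the 12.2.2 change the daily job
# imports only the states that changed; the comprehensive job imports all four.
ALL_STATES = frozenset({"New", "Active", "Fixed", "Reopened"})
DAILY_CHANGED_ONLY = frozenset({"New", "Fixed", "Reopened"})


@dataclass
class Detection:
    """One row as a host-detection export would carry it (constructed shape)."""
    host: str
    qid: int
    status: str
    last_found: date


@dataclass
class VulnerableItem:
    """The VIT record an integration maintains (constructed shape)."""
    host: str
    qid: int
    status: str
    last_found: date


def ingest(vits: dict, detections: list, import_states: frozenset) -> int:
    """Apply one integration run. Only detections whose state is in
    import_states are written to the VIT table; returns how many were written."""
    written = 0
    for d in detections:
        if d.status not in import_states:
            continue
        key = (d.host, d.qid)
        if key in vits:
            vits[key].status = d.status
            vits[key].last_found = max(vits[key].last_found, d.last_found)
        else:
            vits[key] = VulnerableItem(d.host, d.qid, d.status, d.last_found)
        written += 1
    return written


def is_stale(vit: VulnerableItem, today: date, stale_after_days: int) -> bool:
    """Modelled auto-close rule (assumption): an open VIT whose last-found date
    is at least stale_after_days old is marked stale."""
    return vit.status != "Fixed" and (today - vit.last_found).days >= stale_after_days


def simulate(days: int, daily_states: frozenset, comprehensive_every: int,
             stale_after_days: int) -> dict:
    """Run `days` daily scans of one constructed host/QID that Qualys keeps
    finding: New on day 0, Active afterwards. The daily job runs every day with
    daily_states; the comprehensive job (all states) runs every
    comprehensive_every days, or never when that is 0. Returns the days on
    which the modelled auto-close rule would mark the item stale, plus the
    final last-found date."""
    start = date(2022, 9, 1)  # constructed start date
    key = ("web-01", 12345)   # constructed host and QID
    vits: dict = {}
    stale_days = []
    for day in range(days + 1):
        today = start + timedelta(days=day)
        scan = [Detection(key[0], key[1], "New" if day == 0 else "Active", today)]
        ingest(vits, scan, daily_states)
        if comprehensive_every and day % comprehensive_every == 0:
            ingest(vits, scan, ALL_STATES)
        if is_stale(vits[key], today, stale_after_days):
            stale_days.append(day)
    return {"stale_days": stale_days, "final_last_found": vits[key].last_found}


if __name__ == "__main__":
    # Daily brings only changed states, comprehensive off: last_found freezes
    # on day 0 and the still-present detection is flagged stale from day 7 on.
    print(simulate(14, DAILY_CHANGED_ONLY, 0, 7))
    # Weekly comprehensive with a 7-day threshold: never falsely stale.
    print(simulate(14, DAILY_CHANGED_ONLY, 7, 7))
    # Weekly comprehensive but a 5-day threshold: stale for two days each week.
    print(simulate(14, DAILY_CHANGED_ONLY, 7, 5))
```

The third run shows the check worth doing before enabling the comprehensive job: whatever threshold the auto-close job uses has to be longer than the gap between successful comprehensive runs, or Active items that Qualys still sees will be marked stale between runs.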
09-17-2022 08:03 PM
venkata and Shivam,
I am not sure I am following the question or the reply, as it relates to what is actually enabled on venkata's plan, or how the two Host List Detection integrations can/do/do not work together from Shivam's response. In our environment, we customized the original Host List Detection to do a multi-threaded import, and we schedule it periodically (every 30 minutes) such that no matter how long the 5-thread job runs, the next series will launch no more than 30 minutes later. Not having the "last found" and "Time found" detail that comes with bringing the Active items over causes a large number of our remediation teams to question the results, challenge the validity, etc., if/when they believe they actually mitigated an item but SecOps VR is still reporting it vulnerable with an older last found date ... I don't recall seeing anything in the auto-close that talks about the mandatory need for the comprehensive integration, so if I were to enable that, how does it interact with stale if the Active items aren't coming over?
Not that I want to add yet another integration that brings in vulnerability detections (we have concurrent Qualys API call count limits placed on us and I am not sure what that impact might look like with all states coming in at every 30-minute launch attempt, as well as a comprehensive one running daily/weekly as needed).
Thanks for any clarification you might be able to add,
Joe