Qualys Host Detection Comprehensive Integration (New vs Active Vulnerabilities)
09-16-2022 09:48 AM
As per the release notes for Version 12.2.2 - October 2021
Qualys Host Detection Comprehensive Integration retrieves host and vulnerability data from Qualys. The output of this integration is vulnerable items. This integration imports vulnerabilities in all the states - New, Fixed, Active, and Reopened. By default, this integration is inactive and runs weekly.
Changed: Changed the existing Qualys Host Detection Integration to bring in only new and closed detections. This change is done to improve the daily integration performance.
We are trying to understand how this will impact us if the Qualys Host Detection Comprehensive Integration is not turned on.
Please let us know the impacts of not having the active vulnerabilities for a week and how this will impact the auto-stale functionality.
Labels: Vulnerability Response
09-19-2022 12:14 PM
Response from HI:
If you decide not to make the comprehensive job active, the Qualys Host Detection Integration continues pulling in ACTIVE records along with NEW, FIXED and REOPENED.
Before 12.2.2, the Qualys Host Detection Integration brought in all the detections with status NEW, ACTIVE, FIXED or REOPENED. If an organization is scanning all its assets daily, the Qualys Host Detection Integration, which runs daily, will bring in the whole data set, which can be huge. Some customers scan 300k assets daily, and the Qualys Host Detection Integration brings in more than 16 million items daily. Based on our OOB integration rate, this causes the integration to run for more than 24 hours. The integration job completion time is also affected by other integration jobs running on the instance, such as Discovery, Service Mapping and Flow Designer.
How are we solving it?
We've split the OOB Qualys host detection integration into two:
1. Qualys Host Detection Integration: Runs daily for status "NEW, FIXED, REOPENED"
2. Qualys Host Comprehensive Detection Integration: Runs weekly for status "NEW, ACTIVE, FIXED, REOPENED"
This will ensure that daily runs finish within a few hours. This will also improve performance for customers, as less data will be processed daily. This integration will be shipped as inactive; only customers with a huge volume need to use it to limit the daily data.
For your question:
1. We are trying to understand how this will impact us if the Qualys Host Detection Comprehensive Integration is not turned on.
If the Qualys Host Detection Comprehensive Integration is not turned on, as mentioned earlier, the OOB host detection job will get all the data, which can be huge to process daily, hence causing performance issues on the nodes (long-running daily VINTRUN, node memory issues, etc.). It is necessary to enable the comprehensive job if you are already experiencing performance issues in the instance with the VR jobs, or are considering increasing the size of the data imported from Qualys.
It is also fine to leave it disabled if you are not seeing performance issues with the current host detection job.
2. Please let us know the impacts of not having the active vulnerabilities for a week and how this will impact the auto-stale functionality.
After the Qualys Host Comprehensive Detection Integration is turned on, if the Qualys vulnerability is still in the ACTIVE state or not closed, it will not get imported by the host detection job, since there is no change to this vulnerability and it is not necessary to include it in the detections to be processed. It will be imported via the comprehensive job weekly.
It should not affect the auto-close stale detection/VIT, since the comprehensive job is still getting them every week.
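As an added illustration of the two-job split described in the answer (this is not ServiceNow or Qualys code, and the detection feed below is constructed), the following Python replays both configurations over a 21-day feed: with the comprehensive job disabled, the daily job pulls all four statuses every day; with it enabled, the daily job pulls only NEW/FIXED/REOPENED and the comprehensive job pulls everything on day 0 and every 7th day after that (the weekly cadence is an assumption of the model). The output shows how many items each configuration processes and the longest gap between imports of a detection that stays ACTIVE, which is the figure an auto-stale rule keyed on last import would see.

```python
"""Model of the daily vs comprehensive Qualys Host Detection jobs.

Added illustration only; the statuses, job split and weekly cadence follow
the answer above, the feed and host names are constructed for the example.
"""
from dataclasses import dataclass

# Qualys Host Detection Integration (daily) after 12.2.2
DAILY_STATUSES = {"NEW", "FIXED", "REOPENED"}
# Qualys Host Detection Comprehensive Integration (weekly), and the pre-12.2.2 daily job
COMPREHENSIVE_STATUSES = DAILY_STATUSES | {"ACTIVE"}


@dataclass(frozen=True)
class Detection:
    host: str
    qid: int
    status: str


def build_feed(num_days=21):
    """Constructed feed: one list per day of what a daily scan reports.

    host-a / QID 1: NEW on day 0, ACTIVE on days 1-9, FIXED on day 10,
                    REOPENED on day 15, ACTIVE again on days 16-20.
    host-b / QID 2: NEW on day 0, then ACTIVE every day (never remediated).
    A FIXED detection is reported only on the day it transitions.
    """
    feed = []
    for day in range(num_days):
        today = []
        if day == 0:
            today.append(Detection("host-a", 1, "NEW"))
        elif day < 10:
            today.append(Detection("host-a", 1, "ACTIVE"))
        elif day == 10:
            today.append(Detection("host-a", 1, "FIXED"))
        elif day == 15:
            today.append(Detection("host-a", 1, "REOPENED"))
        elif day > 15:
            today.append(Detection("host-a", 1, "ACTIVE"))
        today.append(Detection("host-b", 2, "NEW" if day == 0 else "ACTIVE"))
        feed.append(today)
    return feed


def run_jobs(feed, comprehensive_enabled, comprehensive_every=7):
    """Replay the jobs over the feed; return {(host, qid): [days imported]}.

    comprehensive_enabled=False: the daily job keeps pulling ACTIVE records
    (the "continues pulling in ACTIVE" case in the answer).
    comprehensive_enabled=True: the daily job pulls NEW/FIXED/REOPENED only,
    and every `comprehensive_every` days (assumed: day 0, 7, 14, ...) the
    comprehensive run pulls all four statuses.
    """
    imported = {}
    for day, detections in enumerate(feed):
        if not comprehensive_enabled:
            pulled = COMPREHENSIVE_STATUSES
        elif day % comprehensive_every == 0:
            pulled = COMPREHENSIVE_STATUSES
        else:
            pulled = DAILY_STATUSES
        for d in detections:
            if d.status in pulled:
                imported.setdefault((d.host, d.qid), []).append(day)
    return imported


def total_items(imported):
    """Number of vulnerable items the jobs had to process over the whole period."""
    return sum(len(days) for days in imported.values())


def max_gap(days):
    """Longest stretch in days between consecutive imports of one detection."""
    return max((b - a for a, b in zip(days, days[1:])), default=0)


if __name__ == "__main__":
    feed = build_feed()
    for enabled in (False, True):
        result = run_jobs(feed, comprehensive_enabled=enabled)
        print(f"comprehensive_enabled={enabled}: {total_items(result)} items processed")
        for key, days in sorted(result.items()):
            print(f"  {key}: imported on days {days}, max gap {max_gap(days)} days")
```

With the comprehensive job enabled, the never-remediated host-b detection is imported on days 0, 7 and 14 only, so any stale rule that closes items not seen for fewer than seven days would fire on a still-ACTIVE detection; the answer's statement that auto-close is unaffected holds because the weekly run refreshes those items inside that window.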