Qualys Host Detection Integration

SHA3
Giga Expert

Hi,

We are trying to integrate ServiceNow with Qualys.

"Qualys Host Detection Integration" when executed uses the below command,

"https://qualysapi.<qualys>.eu/api/2.0/fo/asset/host/vm/detection/?output_format=XML&detection_updated_since=2018-07-18T17:36:33Z&show_tags=1&action=list&vm_scan_since=2018-07-18T17:36:33Z&truncation_limit=500&status=New,Fixed,Active,Re-Opened"

It only returns a response like the one below:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<HOST_LIST_VM_DETECTION_OUTPUT>
<RESPONSE>
<DATETIME>2018-07-19T17:37:33Z</DATETIME>
</RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
<!--
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2018, Qualys, Inc. //
-->
 
The user used for this API call has full access to Host Detection and Knowledge Base.
Knowledge Base is working as expected.

Has someone already faced such an issue?
We have raised the issue with Qualys support as well; they say the response is fine via a curl command.
When I try the same curl command, I still get the above response.

If anyone could provide a pointer to move forward, it would be very helpful.

We have been sitting on this for quite a while 😞
1 ACCEPTED SOLUTION

SHA3
Giga Expert

Sorted. The issue was actually with the permissions that were given to the Qualys user.

The Qualys user ID had full access to the Knowledge Base, but needed more access for Host Detection.


12 REPLIES

andy_ojha
ServiceNow Employee

Have you performed an initial load of the Qualys Host Detection Data already, and are now working towards trimming down the amount of data brought in for delta / subsequent loads?  Or, are you trying to perform the initial Qualys import for the first time to begin with?

I think there is potentially an issue with the <date> parameters being used here.  The API query is specifying two different date / time filters (i.e. API Parameters) that may be conflicting with each other, depending on the scenario of initial load vs subsequent load, and your particular use-case.

https://qualysapi.<qualys>.eu/api/2.0/fo/asset/host/vm/detection/?output_format=XML&detection_updated_since=2018-07-18T17:36:33Z&show_tags=1&action=list&vm_scan_since=2018-07-18T17:36:33Z&truncation_limit=500&status=New,Fixed,Active,Re-Opened

Referring to the Qualys docs, <detection_updated_since> is used to filter on detections where a change in status has occurred since a specified date (regardless of how many times you've scanned the asset, it will only bring in data for the assets where vulnerability findings' statuses have changed between New, Fixed, Active and Re-Opened, in Qualys).

So, if the states for Qualys Host Detections / findings have not changed since Jul 18, 2018, no data will be pulled into the payload that is returned based on the API parameter being passed here.

This API parameter could be beneficial for delta / subsequent loads, after an initial load has been performed so that you limit the data periodically being brought in.

As per Qualys Docs --> detection_updated_since={date}
(Optional) Show only detections whose detection status have
changed since a certain date. For detections that have never
changed the date is applied to the last detection date. Valid date
format is: YYYY-MM-DD format (UTC/GMT), like “2016-01-11”
One of these parameters may be specified in the same request:
detection_updated_since, max_days_since_detection

vm_scan_since
This parameter works at the host level, not at the vulnerability finding level.  This works to bring in findings for hosts that have been scanned & processed since a certain time.  All vulnerabilities from previous scans will be included (by default) since the Host List Detection API leverages Host Based Findings.

Qualys has some good documentation that reviews <vm_scan_since> here:

  • https://blog.qualys.com/technology/2014/07/23/download-your-vm-data-faster

Also, check out "Modify REST message parameters to affect data retrieval" - Step 6 from the SN Docs page, going over steps to add <detection_updated_since> and deleting <vm_scan_since>:

  • https://docs.servicenow.com/bundle/kingston-security-management/page/product/secops-integration-qualys-vulnerability/concept/optional-modifications.html#modify-rest-msg-params

I do not see <severities> values specified in the API call.  You may want to validate which severity values should be brought in from Qualys (i.e. 5, 4, 3, 2, 1) and ensure it is configured on the REST API call made from ServiceNow (following the instructions from the SN Docs page above).

Lastly, if you have not checked it out already - Postman is a good tool to use for ensuring your credentials work and your API call + parameters are tuned appropriately.  Check out the Postman section at the bottom of the page here:

  • https://community.qualys.com/docs/DOC-4523-qualys-api-client-examples#jive_content_id_Web_browser_Chrome_Postman
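The points in the reply above (which query parameters to send, the mutual exclusivity of detection_updated_since and max_days_since_detection from the doc excerpt, telling an empty RESPONSE apart from one that carries hosts, and following truncation_limit pagination) as a worked script. This is an added example, not code from the thread, ServiceNow or Qualys. Assumptions of mine, not stated on the page: the element names HOST_LIST/HOST/DETECTION_LIST/DETECTION and WARNING/URL follow the Qualys API v2 Host List Detection output as I know it, the base URL, QIDs and IPs are placeholders, and both sample pages are constructed here so the script runs offline.

```python
"""Added example (not the thread's, ServiceNow's or Qualys' code).

Builds a Host List Detection request, parses one page of its XML, and follows
truncation_limit pagination. Element names are my assumption of the Qualys
API v2 output; the sample pages and all identifiers are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

BASE_URL = "https://qualysapi.example.invalid"   # placeholder platform URL
DETECTION_PATH = "/api/2.0/fo/asset/host/vm/detection/"
HEADERS = {"X-Requested-With": "python-example"}  # Qualys expects this header


def build_detection_url(status=("New", "Active", "Re-Opened", "Fixed"),
                        severities=(5, 4, 3), detection_updated_since=None,
                        max_days_since_detection=None, vm_scan_since=None,
                        truncation_limit=500):
    """Full request URL. Per the doc excerpt above, only one of
    detection_updated_since / max_days_since_detection may be sent."""
    if detection_updated_since and max_days_since_detection:
        raise ValueError("detection_updated_since and max_days_since_detection "
                         "are mutually exclusive")
    params = {"action": "list", "output_format": "XML",
              "status": ",".join(status),
              "severities": ",".join(str(s) for s in severities),
              "truncation_limit": truncation_limit, "show_tags": 1}
    if detection_updated_since:
        params["detection_updated_since"] = detection_updated_since
    if max_days_since_detection:
        params["max_days_since_detection"] = max_days_since_detection
    if vm_scan_since:
        params["vm_scan_since"] = vm_scan_since
    return BASE_URL + DETECTION_PATH + "?" + urlencode(params, safe=",")


def parse_detection_page(xml_text):
    """Parse one page. Returns (hosts, next_url); next_url is the WARNING/URL
    continuation or None on the last page. An empty page like the one in the
    original post (RESPONSE holding only DATETIME) yields ([], None)."""
    root = ET.fromstring(xml_text)
    if root.tag != "HOST_LIST_VM_DETECTION_OUTPUT":
        raise ValueError("unexpected root element %r" % root.tag)
    resp = root.find("RESPONSE")
    hosts = []
    for host in resp.iterfind("HOST_LIST/HOST"):
        detections = [{"qid": d.findtext("QID"), "type": d.findtext("TYPE"),
                       "severity": int(d.findtext("SEVERITY")),
                       "status": d.findtext("STATUS")}
                      for d in host.iterfind("DETECTION_LIST/DETECTION")]
        hosts.append({"id": host.findtext("ID"), "ip": host.findtext("IP"),
                      "dns": host.findtext("DNS"), "detections": detections})
    warning = resp.find("WARNING")
    next_url = warning.findtext("URL") if warning is not None else None
    return hosts, next_url


def fetch_all_hosts(fetch, first_url, max_pages=1000):
    """Follow WARNING/URL until the API stops returning one. `fetch(url)` is
    injected (for real use: requests.get(url, auth=(user, pw),
    headers=HEADERS).text) so the demo below can run offline."""
    hosts, url, pages = [], first_url, 0
    while url and pages < max_pages:
        page_hosts, url = parse_detection_page(fetch(url))
        hosts.extend(page_hosts)
        pages += 1
    return hosts


# Constructed sample pages; QIDs, IPs, IDs and the warning code are placeholders.
NEXT_URL = (BASE_URL + DETECTION_PATH +
            "?action=list&truncation_limit=1&id_min=1002")
PAGE_1 = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE>
<DATETIME>2018-07-19T17:37:33Z</DATETIME>
<HOST_LIST><HOST><ID>1001</ID><IP>10.0.0.5</IP><DNS>web01.example.internal</DNS>
<DETECTION_LIST>
<DETECTION><QID>100001</QID><TYPE>Confirmed</TYPE><SEVERITY>3</SEVERITY><STATUS>Active</STATUS></DETECTION>
<DETECTION><QID>100002</QID><TYPE>Potential</TYPE><SEVERITY>5</SEVERITY><STATUS>New</STATUS></DETECTION>
</DETECTION_LIST></HOST></HOST_LIST>
<WARNING><CODE>1980</CODE><TEXT>1 record limit exceeded. Use URL to get next batch of results.</TEXT>
<URL><![CDATA[""" + NEXT_URL + """]]></URL></WARNING>
</RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""
# Second page: the exact shape the original poster received (no HOST_LIST).
PAGE_2 = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE>
<DATETIME>2018-07-19T17:37:33Z</DATETIME>
</RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. -->"""
PAGES = {build_detection_url(truncation_limit=1): PAGE_1, NEXT_URL: PAGE_2}


def demo():
    """Walk both constructed pages; returns the merged host list."""
    return fetch_all_hosts(PAGES.__getitem__, build_detection_url(truncation_limit=1))


if __name__ == "__main__":
    for h in demo():
        print(h["ip"], [(d["qid"], d["status"]) for d in h["detections"]])
```

Two practical notes. A page that parses to `([], None)` on the very first request with no date filters at all, as in the poster's `action=list` test, is not a pagination artifact; it means the account simply sees no hosts, which is where the accepted answer (insufficient Host Detection permission) points. And when you do add `detection_updated_since` for delta loads, keep the `fetch_all_hosts` loop: ServiceNow's `truncation_limit=500` means every real import is multi-page.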

Hi,

I have tried to run

https://qualysapi.<qualys>.eu/api/2.0/fo/asset/host/vm/detection/?output_format=XML&action=list

as well, even in curl. It still gives the same response.

andy_ojha
ServiceNow Employee

Sorry, I think you may need to reach out to the Qualys support team again or perhaps create a post on the Qualys Community Page.

Have you confirmed the base url of the Qualys platform you are pointing to is appropriate - is this the same base url you used to successfully pull the Qualys KB?  

If you are not seeing results come back from curl for a request like below - perhaps the issue could be the account being used, the Qualys platform you are pointing to or another issue.

curl -u "username:password" -H "X-Requested-With: curl" \
  "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/?action=list&truncation_limit=10"



@andy_ojha

Exactly which script creates the discovered item?

I need help understanding discovered item creation.

In my case the discovered item is wrongly fetching the CI name; I need to understand this further.

Please guide me on this.