Qualys Host Detection Integration

SHA3
Giga Expert

Hi,

We are trying to integrate ServiceNow with Qualys.

When executed, "Qualys Host Detection Integration" uses the command below:

"https://qualysapi.<qualys>.eu/api/2.0/fo/asset/host/vm/detection/?output_format=XML&detection_updated_since=2018-07-18T17:36:33Z&show_tags=1&action=list&vm_scan_since=2018-07-18T17:36:33Z&truncation_limit=500&status=New,Fixed,Active,Re-Opened"

It only returns the response below:

<HOST_LIST_VM_DETECTION_OUTPUT>
<RESPONSE>
<DATETIME>2018-07-19T17:37:33Z</DATETIME>
</RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
<!--
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2018, Qualys, Inc. //
-->
 
The User used for this API call has full access to Host Detection and Knowledge Base.
Knowledge Base is working as expected. 
 
Has someone already faced such an issue?
We have raised an issue with Qualys support as well; they are saying that via the curl command the response is fine.
When I try the same curl command, I still get the above response.
 
If anyone could provide a pointer to move forward, it would be very helpful.
 
We are sitting on this for quite a while 😞
1 ACCEPTED SOLUTION

SHA3
Giga Expert

Sorted. The issue was actually with the permissions that were given to the Qualys user.

Qualys user id had full access to Knowledge base, but needed more access for Host Detection.

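As an added example (not code from this thread, from ServiceNow, or from Qualys), the Python below classifies a Qualys Host Detection API 2.0 XML reply so that the silent "DATETIME only" response shown above is flagged as an empty result worth checking for permission or filter problems, instead of being treated as a clean run with zero findings. The element names HOST_LIST, WARNING/URL and SIMPLE_RETURN are assumed from the API 2.0 output format, and both sample replies are constructed.

```python
"""Classify a Qualys Host Detection (API 2.0) XML reply.

Assumptions: HOST_LIST/HOST/DETECTION_LIST, WARNING/URL (truncation) and
SIMPLE_RETURN (error envelope) are the element names of the API 2.0 output.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "empty" reply from the post (no HOST_LIST at all).
EMPTY_RESPONSE = """<HOST_LIST_VM_DETECTION_OUTPUT>
<RESPONSE>
<DATETIME>2018-07-19T17:37:33Z</DATETIME>
</RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. -->
"""

# Constructed sample: a populated, truncated reply (IDs and URL are made up).
POPULATED_RESPONSE = """<HOST_LIST_VM_DETECTION_OUTPUT>
<RESPONSE>
<DATETIME>2018-07-19T17:37:33Z</DATETIME>
<HOST_LIST>
<HOST><ID>12345</ID><IP>10.0.0.5</IP><DETECTION_LIST>
<DETECTION><QID>999999</QID><STATUS>Active</STATUS></DETECTION>
</DETECTION_LIST></HOST>
</HOST_LIST>
<WARNING><CODE>1980</CODE><TEXT>truncated</TEXT><URL>https://example.invalid/next</URL></WARNING>
</RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
"""


def classify_detection_response(xml_text: str) -> dict:
    """Return host/detection counts, the next-page URL and an 'empty' flag.

    A well-formed reply with a DATETIME but no HOST_LIST is not an API error:
    Qualys answers this way when the account cannot see any hosts (the
    permission problem in this thread) or when the filters match nothing.
    """
    root = ET.fromstring(xml_text)  # trailing XML comment is ignored
    if root.tag == "SIMPLE_RETURN":  # assumed error envelope
        code = root.findtext("RESPONSE/CODE")
        text = root.findtext("RESPONSE/TEXT")
        return {"error": f"{code}: {text}"}
    hosts = root.findall("RESPONSE/HOST_LIST/HOST")
    detections = root.findall("RESPONSE/HOST_LIST/HOST/DETECTION_LIST/DETECTION")
    return {
        "datetime": root.findtext("RESPONSE/DATETIME"),
        "hosts": len(hosts),
        "detections": len(detections),
        "next_url": root.findtext("RESPONSE/WARNING/URL"),  # None if not truncated
        "empty": root.find("RESPONSE/HOST_LIST") is None,
    }
```

When `empty` is true and the query window is known to contain scanned hosts, check the API user's Host Detection permission before tuning the `detection_updated_since` and `vm_scan_since` filters.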


Hi Sangeetha,
If the Discovered Item record has been matched incorrectly with a CI, this is a result of the Lookup Rules. I suggest adding the CI Matching Rule field to your Discovered Items listing to understand which rule made the match. On the Discovered Items record is a field called Source data, as well as one called Initial source data. These hold the values brought into SN from the scanner, which are processed through the CI Lookup rules. It's common that customers will tune their CI Lookup rules to better align with the CMDB naming convention used at their organization, as well as the order of Lookup rule application, dependent on the maturity/accuracy of various fields maintained on the CIs. Take a look at this article, with a couple of videos to provide you insight on the use and tuning of CI Lookup rules: https://www.servicenow.com/community/secops-articles/ci-matching-how-to-do-it-right-20-min-video-tut...

 

Hope this provides you the insight and guidance needed.

Thank you @Eliz Skogquist for sharing your suggestion.

 

I need to understand what script or script include creates discovered items. Could you please share your suggestion on this? I referred to many articles and can't understand this part.
After the Qualys job execution, how is a detection created, and what script include creates the DI? Where is it called?

 

In our case I checked that the specific DI was created by a CI lookup rule, and that was a custom lookup rule.

I watched the video which you shared, but I still need more clarity about the script portion, and I need to understand, post Qualys execution, which scripts run in which order and how the DI, Detection and VIT are created.

The integration that brings in data from Qualys to create the Discovered Items table is the Host List integration. You can become familiar with the various integration jobs and ServiceNow tables loaded in docs: https://docs.servicenow.com/bundle/xanadu-security-management/page/product/secops-integration-vr/qua....
The Host Detection List integration is bringing in the scan findings. This is intended to run after the Host Detection integration has completed.
When digging into the integration process, you are probably aware of the Transform maps used during load. Within the Transform Map defined for the Qualys integration is the onComplete script, which calls the QualysHostListImportReportProcessor script include. Within this script Discovered Items are created.

Thank you for sharing these details.

 

I checked the script include "QualysHostListImportReportProcessor"; this script include only has the function to update a Discovered Item, "updateDiscoveredItem". Could you please help me understand from where, and in which script exactly, new discovered items are created?

 

I really appreciate your support.

I am stuck with this, trying to find it. In my case discovered items are created with the wrong CI ("xyz" CI name). In the source data, DNS is tagged with the "abc" CI name; the discovered item is supposed to be tagged with the abc CI, but instead it is tagged with the xyz CI name. The source data of the discovered item correctly shows the "xyz" DNS mapping, but why are the source data and the CI-related fields in the discovered item conflicting, and how do I debug this? I really need help on this, Team. Experts, please share your thoughts.

 

But one common thing we found for both the abc and xyz CIs is that the serial number of the CI is the same, and hence I am trying to understand how exactly discovered items are created and whether the Serial Number of the CI plays a role in the creation of a discovered item.

 

@Eliz Skogquist @andy_ojha 

 

Thank you.

Sangeetha

Sangeetha,

 

The fact that a CI is being created leads me to believe it's an unmatched record. If an asset is available that it should be matching to, that takes one to CI Lookup Rule tuning. The previous information shared is true. Looking into the script includes, QualysHostImportReportProcessor calls ImportHost. ImportHost calls ImportHostCmn for DI creation. Helpful hint: you could also discover this by going to the script include listing, filtering to "script contains sn_sec_cmn_src_ci", and following the Qualys scripts' processing trail.