‎07-19-2018 11:10 AM
Hi,
We are trying to integrate ServiceNow with Qualys.
"Qualys Host Detection Integration" when executed uses the below command,
"https://qualysapi.<qualys>.eu/api/2.0/fo/asset/host/vm/detection/?output_format=XML&detection_updated_since=2018-07-18T17:36:33Z&show_tags=1&action=list&vm_scan_since=2018-07-18T17:36:33Z&truncation_limit=500&status=New,Fixed,Active,Re-Opened"
It only returns a response as below,
Labels: Vulnerability Response
‎07-26-2018 09:54 AM
Sorted. The issue was actually with the permissions that were given to the Qualys user.
Qualys user id had full access to Knowledge base, but needed more access for Host Detection.
‎09-05-2024 09:15 AM
Hi Sangeetha,
If the Discovered Item record has been matched incorrectly with a CI, this is a result of the Lookup Rules. I suggest adding the CI Matching Rule field to your Discovered Items listing to understand which rule made the match. On the Discovered Items record is a field called: Source data, as well as one called: Initial source data. These hold the values brought into SN from the scanner which are processed through the CI Lookup rules. It's common that customers will tune their CI Lookup rules to better align with the CMDB naming convention used at their organization, as well as the order of Lookup rule application, dependent on the maturity/accuracy of various fields maintained on the CIs. Take a look at this article, with a couple of videos to provide you insight on the use and tuning of CI Lookup rules: https://www.servicenow.com/community/secops-articles/ci-matching-how-to-do-it-right-20-min-video-tut....
Hope this provides you the insight and guidance needed.
‎09-05-2024 09:21 AM - edited ‎09-05-2024 09:27 AM
Thank you @Eliz Skogquist for sharing your suggestion.
I need to understand what script or script include creates discovered items. Could you please share your suggestion on this? I referred to many articles and can't understand this part.
After Qualys job execution, how is the detection created and what script include creates the DI? Where is it called?
In our case I checked that the specific DI was created by a CI lookup rule, and that was a custom lookup rule.
I watched the video which you shared, but I still need more clarity about the script portion, and I need to understand, post Qualys execution, what scripts run in which order and how the DI, Detection and VIT are created.
‎09-05-2024 10:50 AM
The integration that brings in data from Qualys to create the Discovered Items table is the Host List integration. You can become familiar with the various integration jobs and ServiceNow tables loaded in docs: https://docs.servicenow.com/bundle/xanadu-security-management/page/product/secops-integration-vr/qua....
The Host Detection List integration is bringing in the scan findings. This is intended to run after the Host Detection integration has completed.
When digging into the integration process, you are probably aware of the Transform maps used during load. Within the Transform Map defined for the Qualys integration is the onComplete script which calls the: QualysHostListImportReportProcessor script include. Within this script Discovered Items are created.
‎09-06-2024 06:36 AM - edited ‎09-06-2024 07:45 AM
Thank you for sharing these details.
I checked the script include "QualysHostListImportReportProcessor". This script include only has the function to update a Discovered Item, "updateDiscoveredItem". Could you please help me in understanding from where and by which script exactly new discovered items are created?
I really appreciate your support.
I am stuck with this, trying to find it, because in my case discovered items are created with the wrong CI ("xyz" CI name). In the source data, DNS is tagged with the "abc" CI name; the discovered item is supposed to be tagged with the abc CI, but instead it is tagged with the xyz CI name. The source data of the discovered item correctly shows the "xyz" DNS mapping, but why are the source data and the CI-related fields in the discovered item conflicting, and how do I debug this? I really need help on this, team. Experts, please share your thoughts.
But one common thing we found for both the abc and xyz CIs is that the serial number of the CI is common, and hence I am trying to understand how exactly discovered items are created and whether the serial number of the CI plays a role in the creation of a discovered item.
Thank you.
Sangeetha
‎09-06-2024 08:23 AM
Sangeetha,
The fact that a CI is being created leads me to believe it's an unmatched record. If an asset is available that it should be matching to, that takes one to CI Lookup Rule tuning. The previous information shared is true. Looking into script include QualysHostImportReportProcessor, it calls ImportHost. ImportHost calls ImportHostCmn for DI creation. Helpful hint: you could also discover this by going to the script include listing and filtering to: script contains sn_sec_cmn_src_ci, and following the Qualys scripts processing trail.
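
The situation discussed in this thread (two CIs sharing a serial number, and lookup rules applied in order) can be reproduced in a small model that shows how rule order decides which CI a scanner record lands on. This is an added example, not part of any post and not ServiceNow or Qualys code; the rule set, field names and records are constructed assumptions.

```javascript
// Simplified model of ordered CI lookup rules (NOT ServiceNow's implementation).
// All names, fields and records below are constructed for illustration.
const cmdb = [
  { name: 'xyz', serial_number: 'SN-0001', dns: 'xyz.example.internal' },
  { name: 'abc', serial_number: 'SN-0001', dns: 'abc.example.internal' }, // duplicate serial
];

// Each hypothetical rule compares one scanner field with one CI field.
const rules = {
  serial: { name: 'Serial number', sourceField: 'serial', ciField: 'serial_number' },
  dns: { name: 'DNS name', sourceField: 'dns', ciField: 'dns' },
};

const norm = (v) => String(v || '').trim().toLowerCase();

// Apply rules in order; the first rule with any candidate decides the match.
// Returns which rule decided (what the thread's "CI Matching Rule" field records)
// plus whether more than one CI qualified under that rule.
function matchCi(sourceData, orderedRules, cis) {
  for (const rule of orderedRules) {
    const wanted = norm(sourceData[rule.sourceField]);
    if (!wanted) continue; // scanner did not supply this field
    const hits = cis.filter((ci) => norm(ci[rule.ciField]) === wanted);
    if (hits.length > 0) {
      return { ci: hits[0].name, rule: rule.name, ambiguous: hits.length > 1,
               candidates: hits.map((ci) => ci.name) };
    }
  }
  return { ci: null, rule: null, ambiguous: false, candidates: [] };
}

// Flag a match whose CI disagrees with the DNS name held in the source data.
function conflictsWithDns(sourceData, result, cis) {
  const matched = cis.find((ci) => ci.name === result.ci);
  return Boolean(matched) && norm(matched.dns) !== norm(sourceData.dns);
}

// Constructed scanner record: DNS points at "abc", serial is shared with "xyz".
const sourceData = { dns: 'ABC.example.internal', serial: 'SN-0001' };

const serialFirst = matchCi(sourceData, [rules.serial, rules.dns], cmdb);
const dnsFirst = matchCi(sourceData, [rules.dns, rules.serial], cmdb);

console.log(serialFirst, conflictsWithDns(sourceData, serialFirst, cmdb));
console.log(dnsFirst, conflictsWithDns(sourceData, dnsFirst, cmdb));
```

In this model the serial-first ordering returns "xyz" with `ambiguous: true`, while the DNS-first ordering returns "abc"; listing ambiguous or DNS-conflicting matches is one way to find records worth checking against the real rule order.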