Qualys Integration issues for Vulnerability Response and Configuration Compliance, Host Detection

Lacey L
Tera Expert

We are running two integration instances in our environment, one for Qualys Vulnerability Response and one for Qualys Configuration Compliance. Below are the jobs running for Qualys VR and Qualys CC. We started seeing duplicate VITs in our production environment when we enabled Qualys Host Detection for CC (the host detection integration had already been running for VR in prod). Should the Qualys Host Detection integration only be running for one integration instance? Is that what is causing the duplicates?

 

Because of the duplicates, we turned off Qualys Host Detection Integration for CC. Now we are seeing empty Discovered Items on the Test Result records. Could this be a result of turning off the Qualys Host Detection Integration for CC or is there a different cause?

 

Below are the active jobs for the CC integration instance (since turning off Qualys Host Detection Integration):

[Screenshot of the job list; image not included]

Below are the active jobs for the VR integration instance:

[Screenshot of the job list; image not included]

What is the best practice for jobs and frequencies in both modules?


Lacey L
Tera Expert

Anyone experiencing a similar issue or have any ideas for remediation?

Greg Stone1
Tera Contributor

Hi Lacey. I work mostly with SecOps CC, and we too use the Qualys Integration. We have had numerous issues with that over the years. One of our many challenges is the large volume of data we are needing to ingest and manage in the tool, not to mention the many bugs we're encountering.

Joe Kline
Kilo Guru

Hello Lacey.

We too use Qualys as our vulnerability and policy compliance scan tool. However, we only have one instance of Qualys (a Private Cloud Platform) that does both types of scanning of our environment. With that, we only have one of each Integration; but I would think you want to disable the Host Detection Integration in your CC instance, as that integration is ONLY for vulnerability findings from Qualys' VM module. PC Results integration brings over the Qualys PC test result data into CC. If your two instances are in fact separate Qualys pods/platforms, then they would be giving you different Host/Agent ID information for a host, and therefore (I believe) you would get double the discovered items, to which VITs and CTRs get associated with the CI match.

Similar to Greg's response, we too have found many an issue with the data volume, failing Results integrations, erroneous data storage (in my opinion), no way to recognize removal changes in Qualys to then auto-close out items in CC, etc. I want to, but have not yet had time to, change out the older PC Results integration for the newer PCRS (streaming) integration to see if it resolves any of our performance and job failure issues; and we are constantly (it seems) trying to work with ServiceNOW product teams to highlight issues and working with their Success teams to do anything with the performance.

If I understand your situation correctly, I would ensure the Detection Integration is only running against the source instance that does VM scanning and the Results integration is only running against the source instance that does the PC scanning.

 

Hope this helps in some way,

Joe

@Joe Kline: We are running the PCRS streaming integration and it is working. One thing we did was modify the page size to get it to perform better. We have 19 Policies and almost 11M Test Results, and the jobs are finishing. We are reluctant to add more until we hear from ServiceNOW about capacity concerns our engineers have. I do believe the PCRS streaming integration will help you. It did for us.

For stale CTRs: we have the auto-close stale job running and it should be closing out stale CRGs and CTRs, but that isn't quite working correctly at the moment. We're manually filtering out CTRs with a Last Seen date before Last Week in the meantime.