Qualys Integration issues for Vulnerability Response and Configuration Compliance, Host Detection

Lacey L
Tera Expert

We are running two integration instances in our environment, one for Qualys Vulnerability Response and one for Qualys Configuration Compliance. Below are the jobs running for Qualys VR and Qualys CC. We started seeing duplicate VITs in our production environment when we enabled Qualys Host Detection for CC (the host detection integration had already been running for VR in prod). Should the Qualys Host Detection integration only be running for one integration instance? Is that what is causing the duplicates?

Because of the duplicates, we turned off Qualys Host Detection Integration for CC. Now we are seeing empty Discovered Items on the Test Result records. Could this be a result of turning off the Qualys Host Detection Integration for CC or is there a different cause?

Below are the active jobs for the CC integration instance (since turning off Qualys Host Detection Integration):

LaceyMorrison_0-1697547335892.png

Below are the active jobs for the VR integration instance:

LaceyMorrison_1-1697547436175.png

What is the best practice for jobs and frequencies in both modules?


Hey Greg - I think "out of box" it is set to Discovered Item Last scan. I added in an "OR Discovered Item Last configuration compliance scan". Based on what Andy has been commenting and asking of us, I am going to revisit this one more after I see what the new comprehensive integration gives me, and even more once I can convert to the PCRS pair instead of the original PC Results. Among a couple other options up my sleeve if I can find the time to get them investigated and implemented. I will add to this thread when I know more, in case it turns out to help.

This is good to know Joe. Let's please stay in touch on this one. We're still on N-1 version for now so I don't have all the new stuff running on Vancouver yet. Are you on the latest version?

Greg, From the Family perspective, we are on Utah, getting ready to patch up to whatever the patch and hotfix number will be when we do that (slated for early to mid November).  From the application perspective, we are on versions as of the August 2023 release (i.e., VR is now at 19.0.7), but since another fix was released in September (19.0.8) we are not where I would call us "at the latest".  Vancouver upgrade is being planned for first quarter 2024, which shouldn't change (I HOPE) much at the applications levels since we did the August 2023 updates just a week ago now, and puts us higher than the "minimum compatible" that the family upgrade will attempt to apply.  CC is at 14.9.2 for reference on that one too.

andy_ojha
ServiceNow Employee

Hey there,

Out of curiosity - why are we running the Qualys VR and Qualys CC - out of two separate Integration Instance(s)?

Generally, if we are using a single Qualys API subscription (for both Vuln Mgmt and Policy Compliance) - you'd want to use a single Integration Instance in ServiceNow SecOps where your Qualys VR and Qualys CC jobs leverage that same Qualys API Subscription / Integration Instance.

One big benefit of this - is that your Discovered Items that are brought in for the given Qualys API subscription / Integration Instance are then your "source of the truth" if you will and can be used for both SecOps VR and SecOps CC.

Another benefit of this - is you won't have to worry about which jobs to turn on and which jobs to turn off, to avoid creating duplicate records (in either the Test Results for CC - or - Vulnerable Items for VR).

Setting up the multiple Integration Instance(s) -- aka multi-console, is used when we have the same scanner vendor (e.g. Qualys) and multiple Subscriptions for whatever reason that may be (acquisitions, different parts of the organization managed with its own scanner / subscription, etc.)...