Welcome to Community Week 2025! Join us to learn, connect, and be recognized as we celebrate the spirit of Community and the power of AI. Get the details  

ServiceNow Configuration compliance not pulling all data from qualys on OOB API parameters

Go to solution
IceIronDragon
Tera Guru

‎05-25-2022 06:34 PM

Hello All,

We are seeing this weird behavior on ServicewNow Configuration compliance :

>>where in we are using OOB API parameters.

>>test results are getting created 

>>but the amount of failed test results generated by Qualys (weekly qualys report) is 2times more than what we see on ServiceNow .

>>there is no filteration or custom Parameters used.

>>anybody faced this issue ??

find_real_file.png

Preview file
25 KB
0 Helpfuls
  • 2,075 Views
1 ACCEPTED SOLUTION

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee
In response to IceIronDragon

‎05-26-2022 11:38 AM

Hey there,

It's driven by the Qualys PC attributes ...

"Change in status" -- means change in the Qualys PC Result Status -- the filtering here is based on data in Qualys PC not ServiceNow

Let's say on your Qualys PC Result Job - the `Import Since` is set to May 1, 2022 

  • This translates to the API request going to Qualys PC as "hey Qualys, give me all compliance posture results, that have had a status change since May 1, 2022..."

  • This will bring in Qualys PC Results (Compliance check for a control on a host) - where the Qualys PC Result Status has changed since May 1, 2022 
  • This will exclude Qualys PC results that had their status change prior to May 1, 2022 -- even if they are continuously evaluated every single day from May 1 to May 26 as FAILED over and over again 
  • For example, Qualys PC FAILED Results that had their Status initially set or last changed in Jan 2022, Feb 2022, March 2022 -- would not be brought into ServiceNow
  • For Qualys PC Results that were in a FAILED Status long before May 1, 2022 - those would not be brought into ServiceNow 
  • Even if those same Qualys PC Results are evaluated every day as FAILED over and over again - between May 1 and May 26 - they would not be brought into ServiceNow 
  • Change in Qualys PC Status maps to the Qualys PC Result (FAILED <-> PASSED <-> ERROR)

Backdating the 'Import since' on the Qualys PC job for the very first import can be used to initially set the benchmark / pre-seed the data, and from that point forward only delta updates are bought in daily.

After the first initial import (with the back dated 'Import since') -- actionable data will be brought into ServiceNow from that point forward... i.e. Qualys PC results with a status change (FAILED <-> PASSED <-> ERROR)...

Keep in mind - this will also impact how the the 'Last seen' field on ServiceNow CC Test Results is maintained due to the filtering limiting Qualys PC Results based on 'Status changes since'... ('Last seen' won't be updated every time a host is evaluated against a control over and over, unless the Status of the Qualys PC Result changes)...

 

View solution in original post

7 REPLIES 7

Go to solution
IceIronDragon
Tera Guru
In response to Adam Peterson

‎07-25-2022 07:15 PM

I usually refer https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf  , Hopefully this helps 

0 Helpfuls

Go to solution
BradleyGSource
Tera Contributor
In response to andy_ojha

‎04-15-2025 05:53 AM

Hey Andy,

 

Do you know if this starting date can be redefined after the initial load?

 

Cheers,

 

Graeme

0 Helpfuls

Go to solution
IceIronDragon
Tera Guru

‎05-27-2022 07:38 AM

thank you so much for the in depth analysis and time taken for the explanantion.

It is so much helpful and clear my doubts.

I would like to connect on linkdin if possible.

0 Helpfuls