Unable to populate Vulnerability score (v3) (Qualys Integration for Security Operations application + New York)

Report Inappropriate Content · ‎01-20-2020

I am unable to populate Vulnerability score (v3) within vulnerability response > vulnerabilities > vulnerable items.

Troubleshooting steps:

I went to Qualys KB integration, set the ‘delta start date’ to 1-1-1990 and ran the import again. This step should have updated all the vulnerabilities to include the CVSS 3 score.

Any assistance is greatly appreciated.

andy_ojha · ‎01-20-2020

Hey Jarred - Given that no records are returned for that test query and you have CVSS enabled in Qualys:
- I would move on to opening a ServiceNow HI Support Ticket to get additional eyes on this

In the meantime:
- Is this a fresh installation of the ServiceNow Vulnerability Response and Qualys Apps?
- Was this installed on a previous version and then upgraded?
- Are you running version 8.x or version 9.x of each app?

View solution in original post

andy_ojha · ‎01-20-2020

Hey Jarred - Given that no records are returned for that test query and you have CVSS enabled in Qualys:
- I would move on to opening a ServiceNow HI Support Ticket to get additional eyes on this

In the meantime:
- Is this a fresh installation of the ServiceNow Vulnerability Response and Qualys Apps?
- Was this installed on a previous version and then upgraded?
- Are you running version 8.x or version 9.x of each app?

Report Inappropriate Content · ‎01-20-2020

Hello,

This is my personal instance tied to lab environment for testing that I installed a couple of weeks ago. Fresh install nothing upgraded. version 9.x.x for VR and Qualys

andy_ojha · ‎01-20-2020

Got it ...

We can try to rule out Qualys (as in permissions, CVSS settings, etc) - by checking the raw payload sent to ServiceNow.

Navigate to System Import Sets > Administration > Data Sources
- Search for: Name | Starts with | qualys knowledge
- You should see x5 records returned
- On each record, there should be an XML file attachment

If you download those XML attachments, and scroll through them you will see the actual payload data from Qualys here for the KBs.

Under a few QIDs in the XML file, look for the following nodes :
- <CVSS_V3> ... </CVSS_V3>
- <CVSS> ... </CVSS>

In these nodes, you should see metrics that make up the overall score.

If you don't see these nodes in the payload file, it may be an issue with the Qualys account being used here.

What role does the current Qualys account have - can you try testing with a 'Manager' role?

---------------------------------------------

Are the Qualys Knowledge Base jobs running successfully?
- Nav to Qualys Vulnerability Integration > Administration > Primary Integrations
- Open the appropriate for the "Qualys Knowledge Base" record
- Scroll down, and look for "Vulnerability Integration Runs"
- Are the records here showing State = Complete, Substate = Success?

---------------------------------------------

When we initially setup the integration - did we allow for the Qualys Knowledge Base job to successfully complete - before moving on to running the Qualys Host Detection Job?

If we did not allow the Qualys KB job to finish successfully, prior to executing the Qualys Host Detection job... - Can you try manually executing the Qualys Knowledge Base (Backfill) job, and see if that starts to populate the CVSS information in the ServiceNow Third-Party Entry (library)?

andy_ojha · ‎01-20-2020

Also - you may want to double check your CVSS Scoring setting in Qualys.

Login to Qualys -> go to Reports -> go to Setup
-> Click the "CVSS" tile
-> Validate if this is enabled or not

If it is not enabled, we likely will need to turn that on.

Reference: https://discussions.qualys.com/thread/18436-cvss-report-available

Report Inappropriate Content · ‎01-20-2020

CVSS is enabled in Qualys