Advanced Qualys configurations and modifications

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 43 minutes
  • Configure advanced optional modifications and streamline some of the data specifically for the Qualys integration. Most of these modifications require coding or advanced ServiceNow or Qualys Cloud Platform expertise.

    For more tips for Qualys imports, see the Performance tuning tips for Qualys import jobs knowledge article in the HI Knowledge Base.

    Modify the Qualys to ServiceNow priority and state mapping values

    Modify mapping values for priority and state for your requirements.

    Before you begin

    Role required: admin

    About this task

    This is an advanced customization option.

    Procedure

    1. Navigate to All > System Definition > Business Rules.
    2. Search for Map Qualys Values and open it.
    3. Click the Advanced tab.
    4. Modify per your requirements.
      The most common modifications include adding new state values or revising criticality or priority.
    5. Click Update.

    Restrict the ability to write to a record based on an assignment group

    You can restrict write/read rights on records based on membership to an assigned group. Modify conditions and script based on specific requirements.

    Before you begin

    Role required: security_admin (elevated role from admin)
    Note:
    This action is performed in the Vulnerability scope.

    Procedure

    1. Navigate to All > System Security > Access Control (ACL).
    2. Search for ACLs that start with sn_vul.
    3. Choose an Access Control record, for example, sn_vul_vulnerable_item, Operation write.
    4. Check the Advanced box in the record, if necessary, to display the Role entries.
    5. Modify the Role script for your requirements.
      Script example of modifying access by group:
      answer = (current.assigned_to == gs.getUserID() || isMemberOfForScopedApp(current.assignment_group));
      // Note: the standard 'isMemberOf' does not work within a scoped app:
      // gs.getUser().isMemberOf(current.assignment_group);
      function isMemberOfForScopedApp(groupID) {
        // Returns true when the current user has a membership row for the given group.
        var result = false;
        // An empty assignment group never grants access.
        if (groupID != '') {
          var userID = gs.getUserID();
          var gr = new GlideRecord("sys_user_grmember");
          gr.addQuery("group", groupID);
          gr.addQuery("user", userID);
          gr.query();
          if (gr.next()) {
            result = true;
          }
        }
        return result;
      }
    6. Click Update.

    Set up scanner appliances

    If you are initiating scans from your ServiceNow AI Platform® instead of directly from Qualys, you can set up scans for IP address ranges.

    Before you begin

    The data comes from the Qualys integration based on Qualys asset groups and their related default appliances (scanners).

    If no appliances are configured for the targeted IP address ranges, the appliance that is set as the default for the integration instance is used for the scan.

    Role required: sn_vul_qualys.admin

    Procedure

    1. Navigate to All > Qualys Vulnerability Integration > Scanner Appliances.
    2. Fill in the fields on the form, as appropriate.
      Field descriptions:
      • Appliance name: You are prompted to fill in this field when you create a record manually. Enter the name for the Qualys scanner appliance to be used for invoking scans for matching configuration items. Use the External value when you want the scan to be launched with an external scanner.
      • Appliance ID: Enter the appliance identifier for the Qualys scanner appliance to be used for invoking scans for matching configuration items. You are prompted to fill in this field when you create a record manually. Use the 0 value when you want the scan to be launched with an external scanner.
      • Appliance status: Displays the last status of the scanner appliance on the data returned by the Qualys integration. For manually created records, the status is updated only if a valid Appliance ID is specified.
      • Asset group ID: Displays the Qualys asset group identifier that created this record. This field displays a value only for records created by the Qualys integration.
      • Asset group name: Displays the Qualys asset group name that created this record. This field displays a value only for records created by the Qualys integration.
      • Order: Enter a value to be used for determining scanning priority. For appliances that have conflicting criteria, an appliance with a lower order value is given a higher priority.
      • Manually created: Indicates whether this record was created manually by the user.
      • Use filter group: Select this check box to specify a filter group for finding matching configuration items for scanning.
      • Filter group: Select the filter group you want to use for finding matching configuration items for scanning. This field appears only if you selected Use filter group.
      • IPs: A comma-separated list of IP addresses or ranges of IP addresses to be used by this appliance when invoking scans.
      • Integration instance: The Qualys integration instance associated with this appliance.
      • Option profile: Select the option profile you want to use for scans for matching configuration items.
    3. Click Update.

    Configure and manage Qualys vulnerability scanners and scans

    Qualys vulnerability scans can be performed to find software vulnerabilities that affect your CIs. You can initiate scans from a vulnerable item record or by creating a scan record directly for configuration items (CIs) and IP addresses.

    If you scan Qualys vulnerable items directly from the Vulnerable Items screen, you also have the option of scanning multiple vulnerable items at the same time.

    If Security Incident Response is activated, you can also initiate a scan from the security incident catalog, a security incident record, or a security scan request.

    Scans submitted from Qualys vulnerable items, the Security Incident Catalog, security incidents, or security scan requests are performed by the default Qualys scanner.

    You can select the option profile you want to use for scans for matching configuration items.

    • Option profiles contain Qualys scan settings.
    • An option profile is required when you initiate a Qualys scan from your ServiceNow AI Platform®.

    Configure the ServiceNow-initiated Qualys IP scan

    The Qualys scanner included with the base system provides a baseline integration to initiate scans based on IP addresses.

    Before you begin

    You can select the option profile you want to use for scans for matching configuration items.

    • Option profiles contain Qualys scan settings.
    • An option profile is required when you initiate a Qualys scan from your ServiceNow AI Platform®.

    Role required: sn_vul_qualys.admin

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Procedure

    1. Navigate to All > Vulnerability Response > Vulnerability Scanning > Scanners.
    2. Open the Qualys record.
    3. Select the Active and Default check boxes.

      Selecting Active is required to use the Qualys scanner to scan Qualys VIs automatically. You do not need to select Default for it to run automatically.

      Prior to v12.0, Active is required to use the scanner. If Default is also selected, the scanner is automatically used without having to be selected during scanning.

    4. For the Source integration field, click the search icon and select the option for Qualys, for example, Qualys Cloud Platform.
    5. Click Update.
    6. Navigate to All > Qualys Vulnerability Integration > Administration > Primary Integrations.
    7. Open the Qualys Asset Group List Integration.
      1. Select the Active check box.
      2. Click Execute Now.
    8. Follow these steps to populate your scanner appliances.
      Note:
      You might prefer to run the Option Profile List Integration after an import from the Search Lists Integrations, the Qualys Dynamic Search List, and Qualys Static Search List Integrations, so that you can see which search lists are associated with option profiles.
      1. Open the Qualys Option Profile List Integration.
      2. Select the Active check box.
      3. Click Execute Now.
      4. Follow the steps listed in Set up scanner appliances to configure your scanner appliances.
        Return here after you complete those steps to continue with the configuration.
      5. Navigate to All > Qualys Vulnerability Integration > Administration > Primary Integrations.
      6. Open the Qualys Appliance List Integration.
      7. Select the Active check box.
      8. Click Execute Now.
        Your Qualys scanner appliances are now correctly populated.

    Scan multiple Qualys vulnerabilities or vulnerable items

    You can simultaneously scan multiple Qualys vulnerabilities or vulnerable items that contain at least one affected configuration item (CI) or an IP address populated on the form.

    Before you begin

    Role required: sn_vul.vulnerability_write

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Procedure

    1. Do one of the following:
      • Navigate to All > Vulnerability Response > Remediation Tasks.
      • Navigate to All > Vulnerability Response > All Vulnerable Items.
    2. Select the check boxes for the records you want to scan.
    3. Click the Actions on selected rows list, and click Re-scan for Vulnerable items.
      A message appears with a link to the scan and the work notes are updated.
    4. Click the link to see the progress or results of the scan.

    Configure the Qualys auto scan for resolved remediation tasks

    You can schedule the scan that runs automatically to update your Qualys vulnerable items.

    Before you begin

    After a remediation task is transitioned to Resolved, a scan is initiated automatically to update the state of the associated vulnerable items.

    • The scan is disabled by default.
    • Enable the scan with the scan_on_resolved integration instance parameter in the Qualys record located at All > Qualys Vulnerability Integration > Integration Instances > Qualys. See the following steps for more information.
    • This scan is instance-specific. If you have multiple instances and you want to enable or disable this scan, you must set the scan_on_resolved parameter in the integration instance parameters of each instance you want changed.
    • When the scan is enabled, you can initiate the scan on-demand, or you can schedule the scan to run only within a specified time window. See Configure Qualys rescans to run only within scheduled intervals for how to set the start and end times for the time window.

    Role required: sn_vul_qualys.admin

    Procedure

    1. Navigate to All > Qualys Vulnerability Integration > Administration > Integration Instances.
    2. Select Qualys to open the record.
      The Integration Instance Parameters for Qualys are displayed on a tab.
    3. To enable the auto scan, locate the scan_on_resolved parameter.
    4. In the Value column for the property, enter true.
    5. Click Update.

    Configure Qualys rescans to run only within scheduled intervals

    For the Qualys Vulnerability Integration, set the scan start and end time parameters so that rescans run, or are available, only during the hours that you want.

    Before you begin

    This configuration applies to both scheduled rescans and the rescans you initiate manually in the Qualys product from your ServiceNow AI Platform® instance.

    Setting the scan start and end time parameters for integration instances permits you to specify time windows when rescans in the Qualys product are available. For example, you might prefer to specify that rescans are only available during off-hours, for example, midnight to 10 AM.

    This setting is instance-specific. If you have multiple instances, you must configure the scan_start_time and scan_end_time values in the integration instance parameters in each instance you want to change.

    Role required: sn_vul_qualys.admin

    Procedure

    1. Navigate to All > Qualys Vulnerability Integration > Integration Instances > Qualys.
    2. Click Qualys to open the record.
      The integration instance parameters for Qualys are displayed.
    3. For the scan_start_time parameter, in the Value column, enter the time in the UTC time zone in 24 hour format (00:00 through 24:00) for the start time of the window that you want rescans available.
    4. For the scan_end_time, in the Value column, enter times in the same format (00:00 through 24:00) for the end time of the available window.
      For example, if you enter a start time of 00:00 for the scan_start_time parameter, and a scan_end_time of 10:00 AM that same morning, scans scheduled or manually launched outside of the midnight to 10 AM time window are queued and launched at the start time of the following day's time window, 00:00.

      In the same example, if a remediation owner manually initiates a rescan at 11:00 AM, the rescan is not immediately launched, because it lies outside of the available configured scan times. The scan request remains queued until the start of the following day's time window, in this example, (00:00).

    5. Click Update to save your settings.
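
The queuing behaviour described in steps 3 and 4, as an added example that is not ServiceNow or Qualys code: a stand-alone JavaScript model that decides whether a rescan request launches immediately or is queued, and for when. Assumptions that the page does not state: the end time is treated as exclusive, a request made before the window opens launches at that same day's start time, and windows that cross midnight are not modelled; the function names are hypothetical.

```javascript
// Added example (not ServiceNow code): models when a rescan request launches
// given scan_start_time / scan_end_time, both entered as UTC "HH:MM" values.

// Convert "HH:MM" (00:00 through 24:00) to minutes after midnight UTC.
// Rejects 12-hour input such as "10:00 AM", which is not the documented format.
function toMinutes(hhmm) {
  const m = /^(\d{2}):(\d{2})$/.exec(hhmm);
  if (!m) throw new Error('expected 24-hour HH:MM, got "' + hhmm + '"');
  const hours = Number(m[1]);
  const minutes = Number(m[2]);
  if (hours > 24 || minutes > 59 || (hours === 24 && minutes !== 0)) {
    throw new Error('time out of range: ' + hhmm);
  }
  return hours * 60 + minutes;
}

// requestedAt is a Date; returns { queued, launchAt } with launchAt in ISO 8601 UTC.
function resolveRescanLaunch(requestedAt, scanStartTime, scanEndTime) {
  const start = toMinutes(scanStartTime);
  const end = toMinutes(scanEndTime);
  if (end <= start) {
    throw new Error('this model only covers windows that start and end on the same UTC day');
  }
  // The window is compared with the UTC clock, not the requester's local time.
  const minuteOfDay = requestedAt.getUTCHours() * 60 + requestedAt.getUTCMinutes();
  if (minuteOfDay >= start && minuteOfDay < end) {
    return { queued: false, launchAt: requestedAt.toISOString() };
  }
  // Assumption: before the window opens, wait for today's start; after it
  // closes, wait for the following day's start (the case the page describes).
  const dayOffset = minuteOfDay < start ? 0 : 1;
  const launchAt = new Date(Date.UTC(
    requestedAt.getUTCFullYear(),
    requestedAt.getUTCMonth(),
    requestedAt.getUTCDate() + dayOffset,
    0,
    start // minutes past midnight; Date.UTC normalises values above 59
  ));
  return { queued: true, launchAt: launchAt.toISOString() };
}

// Constructed sample requests against the page's 00:00 to 10:00 window.
const SAMPLE_REQUESTS = [
  '2026-03-12T05:00:00Z',      // inside the window
  '2026-03-12T11:00:00Z',      // the page's 11:00 AM manual rescan
  '2026-03-12T09:30:00+09:00', // 09:30 local (UTC+9) is 00:30 UTC: inside
  '2026-03-12T20:00:00+09:00', // 20:00 local (UTC+9) is 11:00 UTC: queued
];

function runSamples() {
  return SAMPLE_REQUESTS.map((iso) =>
    Object.assign({ requested: iso }, resolveRescanLaunch(new Date(iso), '00:00', '10:00')));
}

for (const row of runSamples()) {
  console.log(row.requested, row.queued ? 'queued until' : 'launches at', row.launchAt);
}
```

The two UTC+9 samples show why the values must be converted before they are entered: a window meant to cover local off-hours has to be expressed in UTC.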

    Qualys vulnerability scan rate limits

    You can define the rate that different types of scans are performed to limit the number of requests that are sent to an external scanner. After you have defined rate limits, you can apply them to the Qualys scanners.

    Define Qualys scan rate limits

    You can define the rate that different types of scans are performed to balance the load in your scan queue. Conditions defined in the rate limit determine whether the rate limits are applied to queued entries.

    Before you begin

    Role required: sn_vul.admin

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Procedure
    1. Navigate to All > Vulnerability Response > Vulnerability Scanning > Rate Limit Definitions.
    2. Click New.
    3. Fill in the fields on the form, as appropriate.
      Table 1. Rate limit definition
      • Name: Provide a descriptive name that identifies the conditions the queue entry must meet. For example, scans per minute.
      • Queue conditions: Enter conditions used to determine whether a queued scan entry is subject to this rate limit. The conditions should not be specific to a particular scanner.
      • Evaluation script: Write a script with the logic to evaluate the queued entry. It is important that the script return true/false to define whether the entry is processed. Also, base the evaluation script on the queued entry being evaluated.
    4. Click Submit.

    Apply scan rate limits to Qualys scanners

    After you have defined scan rate limits using Rate Limit Definitions, you can apply rate limits to specific Qualys scanners.

    Before you begin

    Role required: sn_vul.admin

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Procedure
    1. Navigate to All > Vulnerability Response > Vulnerability Scanning > Scanner Rate Limits.
    2. Click New.
    3. Fill in the fields on the form, as appropriate.
      Table 2. Scanner rate limit
      • Scanner: Select the scanner to which you want to apply a rate limit.
      • Rate limit: Select the rate limit you want to apply to this scanner.
      • Threshold: Enter the threshold that you want to subject the selected scanner to for the selected rate limit. For example, if the scanner allows 4 scans per minute, and the rate limit is defined as requests per minute, the threshold would be 4.
    4. Click Submit.
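
How a rate limit definition and a scanner rate limit combine, as an added example that is not ServiceNow code: a stand-alone JavaScript model in which the definition carries the queue conditions and a true/false evaluation, and the scanner rate limit binds it to the Qualys scanner with the page's threshold of 4 per minute. The object shapes, entry types (`ip_scan`, `hash_lookup`), the 15-second evaluation tick, and the choice to let exempt entries pass waiting ones are assumptions made for illustration.

```javascript
// Added example (not ServiceNow code): a stand-alone model of the two records
// described above. Field names, entry types and timings are assumptions.

const WINDOW_MS = 60 * 1000; // "per minute"

// Rate limit definition: name, queue conditions, evaluation script.
const scansPerMinute = {
  name: 'scans per minute',
  // Queue conditions: is this queued entry subject to the limit at all?
  // Deliberately not tied to a particular scanner.
  queueConditions: (entry) => entry.type === 'ip_scan',
  // Evaluation script: must return true or false for the entry being evaluated.
  evaluate: (recentCount, threshold) => recentCount < threshold,
};

// Scanner rate limit: binds a definition to one scanner with a threshold.
const scannerRateLimits = [
  { scanner: 'Qualys', rateLimit: scansPerMinute, threshold: 4 },
];

// True when every limit that applies to the entry allows it to be processed now.
function shouldProcess(entry, history, nowMs, limits) {
  return limits
    .filter((l) => l.scanner === entry.scanner && l.rateLimit.queueConditions(entry))
    .every((l) => {
      const recent = history.filter((h) =>
        h.scanner === entry.scanner &&
        l.rateLimit.queueConditions(h) &&
        nowMs - h.sentAt < WINDOW_MS).length;
      // Anything other than a strict boolean true keeps the entry queued.
      return l.rateLimit.evaluate(recent, l.threshold) === true;
    });
}

// Re-evaluates the queue every tickMs and returns the entries in send order.
function drainQueue(queue, limits, tickMs) {
  if (!(tickMs > 0)) throw new Error('tickMs must be positive');
  for (const l of limits) {
    if (!Number.isInteger(l.threshold) || l.threshold < 1) {
      throw new Error('threshold must be a positive integer');
    }
  }
  const pending = queue.slice();
  const history = [];
  for (let now = 0; pending.length > 0; now += tickMs) {
    for (let i = 0; i < pending.length; ) {
      if (shouldProcess(pending[i], history, now, limits)) {
        const entry = pending.splice(i, 1)[0];
        history.push({ ...entry, sentAt: now });
      } else {
        i += 1; // stays queued until a later tick
      }
    }
  }
  return history;
}

function summarise(history) {
  return history.map((h) => h.name + '@' + h.sentAt / 1000 + 's');
}

// Constructed queue: six IP scans and one entry the queue conditions exempt.
const SAMPLE_QUEUE = [
  { name: 'ip-1', type: 'ip_scan', scanner: 'Qualys' },
  { name: 'ip-2', type: 'ip_scan', scanner: 'Qualys' },
  { name: 'ip-3', type: 'ip_scan', scanner: 'Qualys' },
  { name: 'ip-4', type: 'ip_scan', scanner: 'Qualys' },
  { name: 'ip-5', type: 'ip_scan', scanner: 'Qualys' },
  { name: 'hash-1', type: 'hash_lookup', scanner: 'Qualys' },
  { name: 'ip-6', type: 'ip_scan', scanner: 'Qualys' },
];

console.log(summarise(drainQueue(SAMPLE_QUEUE, scannerRateLimits, 15000)).join(', '));
```

In this model, four IP scans and the exempt entry go out at once and the remaining two wait for the minute to elapse, which is the effect a threshold of 4 has on a burst of requests.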

    View the Qualys vulnerability scan queue

    Vulnerability scan requests submitted to Qualys vulnerability scanning integration are queued so as not to overload system resources. You can view the status of queued requests, as needed.

    Before you begin

    Role required: sn_vul.vulnerability_admin or sn_vul.admin (deprecated)

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    About this task

    In the list of queued scans, each scan includes an automatically generated scan name that identifies the CI that was scanned.

    Procedure

    1. Navigate to All > Vulnerability Response > Vulnerability Scanning > Scan Queue.
      All Qualys scan requests that have been submitted are shown in a list. The State column shows the current state of each queued entry. A state of Complete indicates that the scan has left the queue. It does not necessarily indicate that the scan has completed processing. When the scans have been completed or if they failed, the Processing column shows the appropriate work notes text.
      Note:
      If a hash value was submitted for scanning and the scanner fails to find a result, the State shows Complete and the work note in the Processing column indicates Unknown.
    2. After a scan has finished processing, click a queued record to view details for the scan request.

    Enable base system filter for confirmed detection imports

    Enable a default filter using integration parameters to import only confirmed detections from Qualys Cloud Platform.

    Before you begin

    Role required: sn_vul_qualys.admin, sn_vul.vr_import_admin

    About this task

    A base system integration instance parameter “include_only_confirmed” is available to import a filtered list of detections from Qualys Cloud Platform. By default, this parameter is set to FALSE, and all detections whether potential, confirmed, or informational are imported.

    Procedure

    1. Navigate to All > Qualys Vulnerability Integration > Administration > Integration Instances.
    2. Open the Qualys Cloud Platform integration from the Integration instances list.
    3. From the Integration Instance Parameters list, open the 'include_only_confirmed' parameter.
    4. Update the default value to True.
    5. Click Update.
      You have enabled the filter to import confirmed detections from the Qualys Cloud Platform integration.

    Result

    By default, only confirmed detections from the Qualys Cloud Platform integration are imported when the next Qualys Vulnerability Import runs. All other detections such as informational and potential are ignored and not imported. For more information, see View Vulnerability Response vulnerable item detection data.

    Initiate rescan for the Qualys Vulnerability Integration

    Verify your vulnerable items have been remediated between scheduled scanning cycles by initiating rescans in the Qualys product from your ServiceNow AI Platform on-demand.

    Before you begin

    You can initiate rescans from the Vulnerability Response workspaces. For more information, see Rescan records and remediation tasks in the Vulnerability Manager Workspace and Rescan vulnerable items and remediation tasks in the IT Remediation Workspace.

    For rescans in the classic environment, see the following sections for how to initiate rescans.

    Required setup for rescans in the Qualys product initiated from your ServiceNow AI Platform:

    You can initiate a rescan on-demand for vulnerable items for the Qualys product from your ServiceNow AI Platform® instance.

    To help reduce the overhead and volume involved with scheduled, full scans, remediation owners, IT specialists, vulnerability analysts, or vulnerability managers can initiate targeted rescans on-demand for specific vulnerabilities on assets (configuration items) in their environments. You can initiate rescans in the Qualys product from vulnerable item (VI), remediation tasks (RT), third-party entry (TPE), or discovered item records from your ServiceNow AI Platform instance.

    Rescans permit you to verify that your remediation activities, patches, and other actions have successfully fixed specific vulnerabilities on your configuration items (CIs).

    Use case:

    As an example, say your entire environment is scanned once every three weeks. The most recent full scan was completed a week ago, but you applied a patch yesterday to fix a critical vulnerability. Due to the nature of this vulnerability, you cannot wait two weeks for the next scheduled scan to verify that it has been remediated. To verify that your patch successfully fixed a critical vulnerability discovered during an earlier scan, you can initiate a targeted rescan from your ServiceNow AI Platform for Qualys vulnerable items.

    You can initiate rescans for VIs that have Qualys as the source in states other than closed. See Rescan records and remediation tasks in the Vulnerability Manager Workspace and Rescan vulnerable items and remediation tasks in the IT Remediation Workspace.

    Verify you have completed the following setup required for rescans. See the steps starting with Configure and manage Qualys vulnerability scanners and scans listed in the previous sections for more information.

    Role required: sn_vul_manually_initiate_rescan

    Procedure

    1. Navigate to All > Vulnerability Response > Vulnerable items.
    2. Locate the vulnerable item record that you want to trigger a rescan from and open it.
      Note:
      You can only initiate rescans for VIs with Qualys as the source. Verify Qualys is displayed in the Source column on the VI List views, or in the Source fields on individual records. You can use the condition builder to group VIs by Source. Or, if the Source column is not displayed on the VI List view, in the upper left of the list, click the Personalize List icon (Gear icon) and use the Slushbucket to move Source from Available to Selected.
    3. Alternatively, navigate to All > Vulnerability Response > Remediation Tasks, Vulnerability Response > Libraries > Third-Party, or to Discovered items for the remediation task, third-party entry, or discovered items records, respectively, that you want to use for the rescan.

      Depending on your choice, the Rescan button is available on the following records:

      • On a single VI record, the VI must be from the Qualys product and in any state other than Closed. For multiple VI records, all the VIs must have Qualys as the source and in any state other than Closed.
      • On an RT record, the remediation task can be in any state other than Closed, and all the associated VIs must have Qualys as the source.
      • On a third-party entry (TPE) record, the record must have at least one associated VI record in any state other than Closed with Qualys as the source.
      • On a discovered item record, the configuration item has at least one associated VI with Qualys as the source in any state other than Closed.
    4. In the upper right of the record you chose, click Rescan.
      In the dialog that is displayed, choose one to continue.
      • Select the Specify option profiles check box: From the list, choose the option profile for the Qualys scanner you want to use for the rescan. These are the appliances (scanners) you have configured and listed at Qualys Vulnerability Integration > Scanner Appliances.
      • Clear the Specify option profiles check box (not selected): The Qualys option profile for the scanner you have set as your default scanner on the Scanner Appliances list is used for the scan.

      For more information about setting the default scanners you initiate from your ServiceNow AI Platform, see Set up scanner appliances in the previous section.

    5. Click Request Scan.

      A message is displayed that indicates your scan is being processed. Status for all rescans can be found at any time under the Scan related lists on the VI, RT, TPE, and discovered item records you used to launch the rescans. In the message, click View details to view the status of the rescan and view any other rescans launched from a given record.

      Your instance tracks the rescan status until it successfully completes, or until the set tracking period times out, whichever happens first. The time-out does not stop the scan. The time-out refers to when the ServiceNow AI Platform stopped tracking your rescan status, not when the actual rescan stopped.

      After the rescan is successfully completed, the Qualys Host Detection Integration is automatically initiated to update your vulnerable items. Depending on how many VIs you have, your detections, VIs and RTs are updated after the completion of the Qualys Host Detection Integration scan. Navigate to these records to view the updates after the Host Detection Integration is completed.

      This scan is instance-specific and can be disabled. For more information about the Qualys integrations and how to view the integrations, see Understanding the Qualys Vulnerability Integration.

    What to do next

    You can view a .csv attachment on the scan record to see details about the rescans.

    Figure: .csv file and Hosts not scanned on scan record.

    As shown in the previous image, during the rescan, if hosts (configuration items) in your environment are not accessible, any detections and VIs associated with these assets are not updated when the rescan is completed. To help you understand why they are not included, after the rescan is completed, the asset IP addresses for these CIs are listed on Vulnerability records in the Hosts not scanned field.