- Visualize Qualys scanners and findings in the JupiterOne graph.
- Monitor Qualys findings within the alerts app.
- Monitor changes to Qualys scanners using JupiterOne alerts.
- JupiterOne periodically fetches Qualys scanners to update the graph.
- Write JupiterOne queries to review and monitor updates to the graph.
- Configure alerts to reduce the noise of findings.
- JupiterOne requires the username and password of a Qualys user that has permission to access the API. JupiterOne also requires the URL of the API.
- You must have permission in JupiterOne to install new integrations.
If you need help with this integration, please contact JupiterOne Support.
The Qualys API requires usage of a username and password associated with a user. Also, by default, trial users do not have access to the Qualys API so you must request access to the API. See Qualys API docs for more information.
After testing for quite a bit, this integration was unable to ingest host findings with the built-in READER role even after adding all of the modules. This may be related to parts of the Qualys "host detection" feature being controlled by a license setting. Instead, use the built-in MANAGER role if you do not want to create a custom role. Please refer to the Troubleshooting section below if you would like to issue granular permissions to J1.
- From the configuration Gear Icon, select Integrations.
- Scroll to the Qualys integration tile and click it.
- Click the Add Configuration button and configure the following settings:
- Enter the Account Name by which you'd like to identify this Qualys account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when Tag with Account Name is checked.
- Enter a Description that will further assist your team when identifying the integration instance.
- Select a Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
- Enter the Qualys Username of a user configured for read access.
- Enter the Qualys Password of a user configured for read access.
- Enter the API URL for your Qualys account.
- Click Create Configuration once all values are provided.
- From the configuration Gear Icon, select Integrations.
- Scroll to the Qualys integration tile and click it.
- Identify and click the integration to delete.
- Click the trash can icon.
- Click the Remove button to delete the integration.
If your integration is not running successfully due to insufficient permissions from your Qualys user, we have provided a bash script that hits the various endpoints used in this integration. Using the USERNAME, PASSWORD, and HOSTNAME that are used in your JupiterOne Qualys Integration configuration, you should be able to determine which endpoints your user does not have the appropriate permissions to invoke.
The script can be found here: https://github.com/JupiterOne/graph-qualys/blob/main/docs/troubleshoot-creds.sh
Please note that while you may receive a status 200 for a particular endpoint, the response may contain a message indicating your lack of permissions.
Example output:
< HTTP/1.1 200
< X-Powered-By: Qualys:USPOD03:b3f3a819-7884-e60e-81d0-9725801da546:cbf7331a-292e-f3ed-8231-200b1fb10047
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Fri, 14 Jan 2022 03:55:39 GMT
< Server: Apache
<
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qg3.apps.qualys.com/qps/xsd/2.0/am/hostasset.xsd">
<responseCode>UNAUTHORIZED</responseCode>
<responseErrorDetails>
<errorMessage>You are not authorized to access the application through the API.</errorMessage>
<errorResolution>If you think this is an error, please contact your account manager.</errorResolution>
</responseErrorDetails>
* Connection #0 to host qualysapi.qg3.apps.qualys.com left intact
</ServiceResponse>
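The example output above returns HTTP 200 while the body reports UNAUTHORIZED, so a status-only check would pass it. The following added example (not part of the JupiterOne script) reads a saved `curl -v` transcript and judges it by the body's responseCode; the verdict names are hypothetical, the samples are constructed, and treating `SUCCESS` as the permitted value is an assumption about the Qualys response envelope.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a `curl -v` transcript shaped like the example output
# above, with headers trimmed and a placeholder hostname.
SAMPLE_DENIED = """\
< HTTP/1.1 200
< Content-Type: application/xml
<
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse>
<responseCode>UNAUTHORIZED</responseCode>
<responseErrorDetails>
<errorMessage>You are not authorized to access the application through the API.</errorMessage>
</responseErrorDetails>
* Connection #0 to host qualys.example.invalid left intact
</ServiceResponse>
"""
# Constructed sample of a permitted call (assumed SUCCESS code, same envelope).
SAMPLE_OK = """\
< HTTP/1.1 200
<
<ServiceResponse><responseCode>SUCCESS</responseCode><count>0</count></ServiceResponse>
"""


def check_transcript(text):
    """Return (http_status, response_code, error_message, verdict)."""
    status, body = None, []
    for line in text.splitlines():
        m = re.match(r"< HTTP/\S+ (\d{3})", line)
        if m:
            status = int(m.group(1))
        elif line != "<" and not line.startswith(("< ", "> ", "* ")):
            body.append(line)  # keep only body lines, drop curl trace lines
    code = message = None
    try:
        root = ET.fromstring("\n".join(body).strip().encode("utf-8"))
        code = root.findtext("responseCode")
        message = root.findtext(".//errorMessage")
    except ET.ParseError:
        pass  # not the ServiceResponse XML shape; leave code as None
    if status != 200:
        verdict = "http-error"
    elif code == "SUCCESS":
        verdict = "ok"
    else:
        verdict = "denied-in-body" if code else "unknown-body"
    return status, code, message, verdict
```

A verdict of `unknown-body` means the endpoint returned a body that is not this XML shape, so it needs a manual read rather than being counted as a pass.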
The following entities are created:
Resources | Entity _type | Entity _class |
---|---|---|
Account | qualys_account | Account |
Host Detection | qualys_host_finding | Finding |
Vulnerability Manager | qualys_vulnerability_manager | Service |
Web App Finding | qualys_web_app_finding | Finding |
Web Application Scanner | qualys_web_app_scanner | Service |
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
---|---|---|
qualys_account | HAS | qualys_vulnerability_manager |
qualys_account | HAS | qualys_web_app_scanner |
qualys_host_finding | IS | cve |
qualys_host_finding | IS | qualys_vuln |
qualys_web_app_finding | IS | cve |
qualys_web_app_finding | IS | qualys_vuln |
qualys_web_app_scanner | IDENTIFIED | qualys_web_app_finding |
qualys_web_app_scanner | SCANS | web_app |
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
---|---|---|---|
qualys_vulnerability_manager | SCANS | *aws_instance* | FORWARD |
qualys_vulnerability_manager | SCANS | *azure_vm* | FORWARD |
qualys_vulnerability_manager | SCANS | *discovered_host* | FORWARD |
qualys_vulnerability_manager | SCANS | *google_compute_instance* | FORWARD |
There are two global mapping rules defined to map ThreatIntel to Finding and Vulnerability entities in Qualys using qid.
These global mappings are defined as follows:
Source Entity _class | Source Property | Relationship _class | Target Entity _class | Target Property |
---|---|---|---|---|
ThreatIntel | qid | HAS | Finding | qid |
ThreatIntel | qid | HAS | Vulnerability | qid |