Configuring the Qualys Scanner Connector

As an administrator, you can configure different types of scanners to scan security risks and vulnerabilities across your IT infrastructure. 

Qualys is a comprehensive vulnerability management solution that provides complete visibility of the security risks across your IT infrastructure. With this integration, you can retrieve the vulnerability scan results from multiple Qualys instances and process the vulnerabilities to map the remediation content. You can then create operations to remediate vulnerabilities. 

After you configure and run this connector, the scan files that contains the Qualys assets and vulnerabilities are automatically imported into Automation Console.

Before you begin

Make sure that the following prerequisites are met:

• One or more configured Qualys instances are running in your environment.
• Install and run the connector on Windows or Linux operating systems based on the following criteria:

  • Port requirements:

    Port	Protocol	From	To	Inbound / Outbound
    443 OR <Customer configured port>	HTTPS	Connector	Qualys Server	Outbound
    443	HTTPS	Qualys Server	Connector	Inbound

To configure the Qualys scanner connector

After you install TrueSight Automation Console, the Qualys connector is available for configuration in the Scanner Connectors widget. 

1. From the TrueSight Automation Console, login as an administrative user. 
2. From Briefcase click Connectors.
3. On the Manage Connectors page, select the  option against the Scanner Connector widget and select Edit > Add Configuration.
   
   
4. On the Add configuration page, provide the following details:
   1. In the Vendor field, select Qualys from the list.
   2. In the Connector details section, provide the following information:
      1. In the Configuration Name field, specify a unique name which is assigned to the scan files imported into Automation Console.
      2. (Optional) In the Configuration Description field, provide a description of the connector.

      3. In the Admin Security Group field, specify one or more admin security groups (comma separated list) that can access the scan results.
         If you do not specify a security group, all the admin security groups can access the scan files that are imported from Qualys.
         

         Important

         If you have both TrueSight Server Automation and TrueSight Network Automation endpoints, specify the name of the appropriate security group. If you specify a non-admin security group, Automation Console does not fetch any data from Qualys.

   3. In the Connector Configuration section, perform the following steps:
      1. In the Endpoint URL field, specify the URL to connect to Qualys.

      2. In the Fetch Data From field, specify the number of days for which you want to fetch the scan results.

         Important

         Automation Console retrieves the vulnerability data for the specified days during the first import. If you do not specify any value, Automation Console retrieves all the reported vulnerabilities from the Qualys instances.

         For all the imports during the next schedules, Automation Console fetches only those vulnerabilities and assets that were scanned and available in Qualys after the last sync date.

   4. In the Authentication Details section, perform the following steps:
      1. Enter the User Name set for your account with Qualys.
      2. Enter the Password set for your account with Qualys.
   5. In the Filters section, provide values to fetch the specific scanned data:
      1. Select the required Severity levels.
      2. To fetch more precise data, enter the Network IP and IP range as comma separated values.

      3. In the Additional Filters field, specify the filters supported by Qualys to fetch further detailed scanned data.
         For the list of Qualys custom filters, refer the Host List Detection section in the Qualys API User Guide.

         Example

         To fetch the asset vulnerability data from Qualys, you can use the API https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/host/vm/detection/?action=list .

   6. In the Auto-close vulnerabilities section, select the Enable Auto-close check box to enable the system to automatically close vulnerabilities that were fixed in the previous scan and are no longer present in the subsequent scan.
5. Click Save.
   The newly added configuration is listed in the Configurations table.
6. Repeat steps 3 to 5 to have multiple configurations of the Qualys instance, with different filters specified for each configuration.
7. On the Manage Connectors page, in the Configuration Schedule section, specify a frequency at which you want to run the connector, and save the schedule.
8. Click Continue and download the connector zip file on a local host. 

9. On the server where the connector file is downloaded and extracted, go to the connector location, and run the following command to install and start the connector: 

   • Windows: run.bat
   • Linux: run.sh

   The connector starts running successfully. You can view the connector status on the Connectors page.

Vulnerability scan files are created with the specified configuration names. Automation Console processes each configuration sequentially.

To update the connector

1. On the Manage Connectors page, click the  option against the Scanner Connector widget, and click Disable.
2. Click Edit.
   The available configurations are displayed. To quickly locate the required configuration, search or sort the configurations by the various columns, such as Status and Vendor.
3. Click Save.

To enable debug mode

1. Press CTRL+C twice to stop the connector, if its already running.

2. Navigate to <ConnectorLocation>/config, open the application.properties file, add the following parameter, and set it to debug: 

   #
   #Logging related Properties
   logging.level.com.bmc.truesight.scannerconnector=debug
3. Save the file.
4. Restart the connector.