
Qualys

Visualize Qualys scanners and findings, monitor findings and changes through queries and alerts.

Installation

For this integration, you will need to provide credentials for a Qualys user with the MANAGER or custom role for best results.

This integration is unable to ingest host findings with the built-in READER role, even after adding all of the modules. This may be related to parts of the Qualys "host detection" feature being controlled by a license setting. Instead, use the built-in MANAGER role if you do not want to create a custom role. Please refer to the troubleshooting section below if you would like to issue granular permissions to JupiterOne.

info

The Qualys API requires usage of a username and password associated with a non-test account user. See the Qualys API docs for more information.

Data Volume Configuration

Control how much data is ingested from Qualys to manage storage and processing.

Ingestion Windows (Time Ranges)

| Field | Description | Default | Options |
| --- | --- | --- | --- |
| Host scan age Filter | Process only scans completed within the specified number of days. | 7 | Any number |
| Findings age Filter | Process only findings that were identified or updated within the specified number of days. | 7 | Any number |
| Images Ingestion Window | Specify the ingestion window for updated images (days ago) | 90 | 90, 180, 275, 365 |

How it affects data volume: Larger time windows will result in more hosts, findings, and container images being ingested from Qualys.

Data Filtering Options

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| Host Finding Severities | Multi-select | Limit processing to findings having the specified severities. One or more levels may be specified with multiple entries comma separated. | 3, 4, 5 (Medium, High, Critical) |
| Host Finding Types | Multi-select | Limit processing to findings having the specified types. Valid options are 'Info', 'Potential', 'Confirmed'. | Potential, Confirmed |
| Ingest Web App Scans | Boolean | Enable ingestion of web application scans? | true |
| Web Application IDs | Array | Only ingest web applications and their associated findings for the specified IDs. | None (all apps) |
| Detection Result QIDs | Array | Ingest first 300 bytes of RESULTS returned from detections endpoint for specific QIDs. WARNING: This may cause the integration to run substantially longer. | None |
| Include Only Asset Tags | Array | Include only asset tags for detection filtering. | None (all assets) |
| Container images Finding Severities | Multi-select | Limit processing to container image findings having the specified severities. | 3, 4, 5 (Medium, High, Critical) |
| Skip Unassociated Container Images | Boolean | Skip container images that are not associated to any container. | false |

How it affects data volume: Filtering by severity, finding type, and application IDs reduces the number of vulnerability and scan entities ingested. Enabling Detection Result QIDs significantly increases data volume and processing time.

Configuration in JupiterOne

To install the Qualys integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Qualys. Click New Instance to begin configuring your integration.

Creating an instance requires the following:

  • The Account Name used to identify the Qualys account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Your Qualys account Username, Password, and API URL.

Click Create once all values are provided to finalize the integration.

Troubleshooting Qualys user credentials

If your integration is not running successfully due to insufficient permissions from your Qualys user, we have created a bash script that hits the various endpoints used in this integration. Using the USERNAME, PASSWORD, and HOSTNAME that are used in your JupiterOne Qualys Integration configuration, you should be able to determine which endpoints your user does not have the appropriate permissions to invoke.

note

Please note that while you may receive a status 200 for a particular endpoint, the response may contain a message indicating your lack of permissions.

Example output
< HTTP/1.1 200
< X-Powered-By: Qualys:USPOD03:b3f3a819-7884-e60e-81d0-9725801da546:cbf7331a-292e-f3ed-8231-200b1fb10047
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Fri, 14 Jan 2022 03:55:39 GMT
< Server: Apache
<
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qg3.apps.qualys.com/qps/xsd/2.0/am/hostasset.xsd">
<responseCode>UNAUTHORIZED</responseCode>
<responseErrorDetails>
<errorMessage>You are not authorized to access the application through the API.</errorMessage>
<errorResolution>If you think this is an error, please contact your account manager.</errorResolution>
</responseErrorDetails>
* Connection #0 to host qualysapi.qg3.apps.qualys.com left intact
</ServiceResponse>

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.