
Qualys Vulnerability Management

Qualys VM is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.

Connect Qualys Vulnerability Management with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Qualys Vulnerability Management.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. API Key: The API key used to connect to Qualys Vulnerability Management.

  9. After you've entered all the details, click Connect.

Actions for Qualys Vulnerability Management

Launch Scan

Launch a vulnerability scan against a target host.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| IP Column | Column name from parent table with an IP address to scan. | Required |
| Scan Title | Qualys Scan Title to run the scan with. | Required |
| Option Title | An option title from Qualys. | Required |
| Scanner Name | Name of the scanner you'd like to scan with. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

```json
{
  "has_error": true,
  "error": "The input was empty, not processing this row"
}
```

## Fetch Scan Result

Fetches vulnerability Scan Result from Scan Reference ID.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Scan Reference Column | Column name from parent table containing scan reference ID. | Required |
| Scan Result Mode | Mode of the scan result (default is 'Brief'). | Required |
| Split Results | Split each result in independent rows (default is 'True'). | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null

```json
{
  "has_error": true,
  "error": "Scan reference is either invalid or the scan is not in 'Finished' state yet."
}
```

Create And Fetch Report

Create a new report from a previous vulnerability scan.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Scan Reference | Column containing the Qualys scan reference to look up. | Required |
| Qualys Template ID | The template to be used for creating a Qualys report. | Required |
| Report Timeout | Amount of time to spend retrieving a report before stopping, in seconds (default is 180 seconds). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

```json
{
  "has_error": true,
  "error": "Error occurred while parsing create report response. Error: 'ITEM_LIST' {u'SIMPLE_RETURN': {u'RESPONSE': {u'TEXT': u'This account has expired.', u'CODE': u'2001', u'DATETIME': u'2021-01-30T17:07:53Z'}}}////12345"
}
```

## Fetch Report By Name

Fetches the complete Report with information for a report Name (only XML reports are supported).

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Report Name | Enter name of the Report. | Required |
| Host Vulnerability Mapping | Select host to vulnerability mapping. (Default is 'Host inside Vulnerability'). | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null

```json
{
  "has_error": true,
  "error": "Some error(s) occurred while fetching Report. 'NoneType' object has no attribute '__getitem__'"
}
```

Fetch System Vulnerabilities

Fetches detailed vulnerabilities across assets.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Filtering Criteria Template | Jinja template in JSON format. It must be valid JSON. Example: `{"arf_kernel_filter": "{{arf_kernel_filter_col_name}}", "detection_updated_since": "{{detection_updated_since_col_name}}"}` | Required |
| Vulnerability Fields | Enter Vulnerability fields (comma-separated) to include in response. Example: CVSS,DIAGNOSIS,SOLUTION,THREAT_INTELLIGENCE. (Default is 'QID,PORT,TYPE,CONSEQUENCE,SEVERITY,STATUS,TITLE'). | Required |
| Truncation Limit | Limit the number of host records fetched in a single call. This will override the 'truncation_limit' key in the 'Filtering Criteria' JSON, if present. Specify 0 for no truncation limit. (Default is 1000). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

```json
{
  "has_error": true,
  "error": "Some error(s) occurred while fetching vulnerabilities for assets. {\"SIMPLE_RETURN\": {\"RESPONSE\": {\"TEXT\": \"This account has expired.\", \"CODE\": \"2001\", \"DATETIME\": \"2021-01-30T17:16:24Z\"}}}"
}
```

## Fetch Report

Fetch Report by its Id.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Qualys Report Id | Jinja template for the report ID to download | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- REPORT_LIST: Information of all the reports

```json
{
  "REPORT_LIST": {
    "REPORT": [
      {
        "STATUS": { "STATE": "Finished" },
        "EXPIRATION_DATETIME": "2022-03-18T07:23:43Z",
        "TITLE": "Authentication Report",
        "USER_LOGIN": "gchub8aa",
        "OUTPUT_FORMAT": "MHT",
        "LAUNCH_DATETIME": "2022-03-11T07:23:41Z",
        "TYPE": "Authentication",
        "ID": "4887476",
        "SIZE": "937.66 KB"
      },
      {
        "STATUS": { "STATE": "Finished" },
        "EXPIRATION_DATETIME": "2022-03-18T06:43:36Z",
        "TITLE": "test pdf file",
        "USER_LOGIN": "gchub8aa",
        "OUTPUT_FORMAT": "PDF",
        "LAUNCH_DATETIME": "2022-03-11T06:43:34Z",
        "TYPE": "Authentication",
        "ID": "4887404",
        "SIZE": "10.01 KB"
      }
    ]
  },
  "DATETIME": "2022-03-14T08:15:54Z"
}
```

List Report

List all the reports against a target host

Input Field

Choose a connection that you have previously created.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • lhub_file_id: downloaded file id

```json
{
  "lhub_file_id": "002cc462f7dd4977b7f48458350e8b2d.pdf",
  "has_error": false,
  "error": null
}
```
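An added example, not part of the Devo or Qualys documentation: a Python helper that a downstream playbook step could use to triage the rows these actions return, pulling the Qualys `CODE` and `TEXT` out of the `error` strings shown in the outputs above, whether they are embedded as JSON or as a Python-style dict. The function names and category labels are this example's own, and the sample rows are constructed from the messages on this page.

```python
import ast
import json

SAMPLE_ROWS = [  # constructed from the error strings shown in the outputs on this page
    {"has_error": True, "error": "The input was empty, not processing this row"},
    {"has_error": True, "error": "Scan reference is either invalid or the scan is not in 'Finished' state yet."},
    {"has_error": True, "error": "Error occurred while parsing create report response. Error: 'ITEM_LIST' "
        "{u'SIMPLE_RETURN': {u'RESPONSE': {u'TEXT': u'This account has expired.', "
        "u'CODE': u'2001', u'DATETIME': u'2021-01-30T17:07:53Z'}}}////12345"},
    {"has_error": True, "error": "Some error(s) occurred while fetching vulnerabilities for assets. "
        '{"SIMPLE_RETURN": {"RESPONSE": {"TEXT": "This account has expired.", '
        '"CODE": "2001", "DATETIME": "2021-01-30T17:16:24Z"}}}'},
    {"lhub_file_id": "002cc462f7dd4977b7f48458350e8b2d.pdf", "has_error": False, "error": None},
]

def embedded_objects(text):
    """Yield each brace-balanced {...} span in text that parses as JSON or as a Python literal."""
    depth, start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                chunk = text[start:i + 1]
                for parse in (json.loads, ast.literal_eval):  # literal_eval never executes code
                    try:
                        obj = parse(chunk)
                    except (ValueError, SyntaxError):
                        continue
                    yield obj
                    break

def triage(row):
    """Map one output row to (category, qualys_code, detail)."""
    if not row.get("has_error"):
        return ("ok", None, None)
    msg = row.get("error") or ""
    for obj in embedded_objects(msg):
        resp = obj.get("SIMPLE_RETURN", {}).get("RESPONSE", {}) if isinstance(obj, dict) else {}
        if isinstance(resp, dict) and "CODE" in resp:
            return ("qualys_api_error", str(resp["CODE"]), resp.get("TEXT"))
    if "not in 'Finished' state" in msg:
        return ("scan_invalid_or_unfinished", None, msg)
    if "input was empty" in msg:
        return ("empty_input", None, msg)
    return ("integration_error", None, msg)
```

Rows in the `qualys_api_error` category carry an error returned by Qualys itself (here code 2001, an expired account), which a playbook should surface to an operator rather than treat as "no vulnerabilities found".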

Release Notes

  • v2.0.8 - Support for US4 Cloud Agent Servers.

  • v2.0.0 - Updated architecture to support IO via filesystem.

  • v1.1.4 - Added documentation link in the automation library.

  • v1.1.3 - Added two actions: List reports and fetch report.