Qualys Vulnerability Management
Qualys VM is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.
Connect Qualys Vulnerability Management with Devo SOAR
1. Navigate to Automations > Integrations.
2. Search for Qualys Vulnerability Management.
3. Click Details, then the + icon. Enter the required information in the following fields.
   - Label: Enter a connection name.
   - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
   - Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
   - Remote Agent: Run this integration using the Devo SOAR Remote Agent.
   - API Key: The API key used to connect to Qualys Vulnerability Management.
4. After you've entered all the details, click Connect.
Actions for Qualys Vulnerability Management
## Launch Scan
Launch a vulnerability scan against a target host.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :----------- | :---------------------------------------------------------- | :------- |
| IP Column | Column name from parent table with an IP address to scan. | Required |
| Scan Title | Qualys Scan Title to run the scan with. | Required |
| Option Title | An option title from Qualys. | Required |
| Scanner Name | Name of the scanner you'd like to scan with. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
```json
{
  "has_error": true,
  "error": "The input was empty, not processing this row"
}
```
## Fetch Scan Result
Fetches vulnerability Scan Result from Scan Reference ID.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------------- | :---------------------------------------------------------- | :------- |
| Scan Reference Column | Column name from parent table containing scan reference ID. | Required |
| Scan Result Mode | Mode of the scan result (default is 'Brief'). | Required |
| Split Results | Split each result in independent rows (default is 'True'). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
```json
{
  "has_error": true,
  "error": "Scan reference is either invalid or the scan is not in 'Finished' state yet."
}
```
## Create And Fetch Report
Create a new report from a previous vulnerability scan.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :----------------- | :------------------------------------------------------------------------------------------------- | :------- |
| Scan Reference | Column containing the Qualys scan reference to lookup. | Required |
| Qualys Template ID | The template to be used for creating a Qualys report. | Required |
| Report Timeout | Amount of time to spend retrieving a report before stopping (in seconds) (default is 180 seconds). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
```json
{
  "has_error": true,
  "error": "Error occurred while parsing create report response. Error: 'ITEM_LIST' {u'SIMPLE_RETURN': {u'RESPONSE': {u'TEXT': u'This account has expired.', u'CODE': u'2001', u'DATETIME': u'2021-01-30T17:07:53Z'}}}////12345"
}
```
## Fetch Report By Name
Fetches the complete report, with its information, for a given report name (only XML reports are supported).
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :------------------------- | :------------------------------------------------------------------------------ | :------- |
| Report Name | Enter name of the Report. | Required |
| Host Vulnerability Mapping | Select host to vulnerability mapping. (Default is 'Host inside Vulnerability'). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
```json
{
  "has_error": true,
  "error": "Some error(s) occurred while fetching Report. 'NoneType' object has no attribute '__getitem__'"
}
```
## Fetch System Vulnerabilities
Fetches detailed vulnerabilities across assets.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------------------- | :--- | :------- |
| Filtering Criteria Template | Jinja template in JSON format. It should be valid JSON. Example: {"arf_kernel_filter": "{{arf_kernel_filter_col_name}}", "detection_updated_since": "{{detection_updated_since_col_name}}"} | Required |
| Vulnerability Fields | Enter Vulnerability fields (comma-separated) to include in response. Example: CVSS,DIAGNOSIS,SOLUTION,THREAT_INTELLIGENCE. (Default is 'QID,PORT,TYPE,CONSEQUENCE,SEVERITY,STATUS,TITLE'). | Required |
| Truncation Limit | Limit the number of host records fetched in a single call. This will override the 'truncation_limit' key in the 'Filtering Criteria' JSON, if present. Specify 0 for no truncation limit. (Default is 1000). | Required |
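A pre-check for the Filtering Criteria Template input, as an added example that is not the integration's own code: it renders the template for one row, requires the result to be valid JSON with exactly the template's keys, and applies the Truncation Limit override. Assumptions: `render` is a plain-regex stand-in for Jinja substitution, the row values are constructed, and `extra_key` is a hypothetical name.

```python
import json
import re

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Template from the Filtering Criteria Template row; row values are constructed.
TEMPLATE = ('{"arf_kernel_filter": "{{arf_kernel_filter_col_name}}", '
            '"detection_updated_since": "{{detection_updated_since_col_name}}"}')
GOOD_ROW = {"arf_kernel_filter_col_name": "1",
            "detection_updated_since_col_name": "2021-01-30"}
# A cell value carrying a double quote; "extra_key" is a hypothetical name.
ODD_ROW = {"arf_kernel_filter_col_name": "1",
           "detection_updated_since_col_name": '2021-01-30", "extra_key": "x'}


def render(template, row, escape):
    """Substitute {{column}} placeholders (plain stand-in for Jinja rendering)."""
    def value(match):
        text = str(row[match.group(1)])
        # json.dumps(...)[1:-1] escapes quotes and backslashes for a JSON string body
        return json.dumps(text)[1:-1] if escape else text
    return PLACEHOLDER.sub(value, template)


def build_criteria(template, row, truncation_limit=1000, escape=True):
    """Render, require valid JSON with the template's own keys, apply the limit."""
    expected = set(json.loads(PLACEHOLDER.sub("", template)))
    try:
        criteria = json.loads(render(template, row, escape))
    except ValueError as exc:
        raise ValueError("rendered filter is not valid JSON: {}".format(exc))
    if not isinstance(criteria, dict) or set(criteria) != expected:
        raise ValueError("rendered filter keys differ from the template's keys")
    # The Truncation Limit input overrides any 'truncation_limit' key in the JSON.
    criteria["truncation_limit"] = truncation_limit
    return criteria
```

With escaping, the odd cell value stays a single string inside `detection_updated_since`; without it, the rendered filter gains a key the template never declared and the key check rejects it.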
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
```json
{
  "has_error": true,
  "error": "Some error(s) occurred while fetching vulnerabilities for assets. {\"SIMPLE_RETURN\": {\"RESPONSE\": {\"TEXT\": \"This account has expired.\", \"CODE\": \"2001\", \"DATETIME\": \"2021-01-30T17:16:24Z\"}}}"
}
```
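The sample errors for Create And Fetch Report and Fetch System Vulnerabilities embed the Qualys SIMPLE_RETURN response in two different encodings (a Python u'...' repr and JSON). The following added example, which is not part of the integration, extracts CODE and TEXT from either form so a playbook can branch on the API error instead of treating a failed row as "no findings"; the function names and categories are illustrative.

```python
import ast
import json

# Error strings copied from the sample outputs on this page (outer JSON decoded).
CREATE_REPORT_ERROR = (
    "Error occurred while parsing create report response. Error: 'ITEM_LIST' "
    "{u'SIMPLE_RETURN': {u'RESPONSE': {u'TEXT': u'This account has expired.', "
    "u'CODE': u'2001', u'DATETIME': u'2021-01-30T17:07:53Z'}}}////12345"
)
FETCH_VULNS_ERROR = (
    "Some error(s) occurred while fetching vulnerabilities for assets. "
    '{"SIMPLE_RETURN": {"RESPONSE": {"TEXT": "This account has expired.", '
    '"CODE": "2001", "DATETIME": "2021-01-30T17:16:24Z"}}}'
)


def extract_qualys_response(error):
    """Return the RESPONSE dict embedded in an error string, or None."""
    start = error.find("{")
    if start < 0:
        return None
    # Longest candidate first, so trailing text such as "////12345" is dropped.
    for end in range(len(error) - 1, start, -1):
        if error[end] != "}":
            continue
        blob = error[start:end + 1]
        # json.loads reads the JSON form; literal_eval reads the u'...' repr
        # form without executing code.
        for loader in (json.loads, ast.literal_eval):
            try:
                parsed = loader(blob)
            except (ValueError, SyntaxError, TypeError):
                continue
            simple = parsed.get("SIMPLE_RETURN") if isinstance(parsed, dict) else None
            if isinstance(simple, dict) and isinstance(simple.get("RESPONSE"), dict):
                return simple["RESPONSE"]
    return None


def triage(row):
    """Map one action output row to (category, detail) for playbook branching."""
    if not row.get("has_error"):
        return ("ok", None)
    error = row.get("error") or ""
    response = extract_qualys_response(error)
    if response:
        return ("qualys_api_error",
                "{} {}".format(response.get("CODE"), response.get("TEXT")))
    return ("integration_error", error)
```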
## Fetch Report
Fetch Report by its Id.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------------- | :------------------------------------------- | :------- |
| Qualys Report Id | Jinja template for the report ID to download | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- REPORT_LIST: Information of all the reports
```json
{
  "REPORT_LIST": {
    "REPORT": [
      {
        "STATUS": {
          "STATE": "Finished"
        },
        "EXPIRATION_DATETIME": "2022-03-18T07:23:43Z",
        "TITLE": "Authentication Report",
        "USER_LOGIN": "gchub8aa",
        "OUTPUT_FORMAT": "MHT",
        "LAUNCH_DATETIME": "2022-03-11T07:23:41Z",
        "TYPE": "Authentication",
        "ID": "4887476",
        "SIZE": "937.66 KB"
      },
      {
        "STATUS": {
          "STATE": "Finished"
        },
        "EXPIRATION_DATETIME": "2022-03-18T06:43:36Z",
        "TITLE": "test pdf file",
        "USER_LOGIN": "gchub8aa",
        "OUTPUT_FORMAT": "PDF",
        "LAUNCH_DATETIME": "2022-03-11T06:43:34Z",
        "TYPE": "Authentication",
        "ID": "4887404",
        "SIZE": "10.01 KB"
      }
    ]
  },
  "DATETIME": "2022-03-14T08:15:54Z"
}
```
## List Report
List all the reports against a target host.
### Input Field
Choose a connection that you have previously created.
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- lhub_file_id: downloaded file id
```json
{
  "lhub_file_id": "002cc462f7dd4977b7f48458350e8b2d.pdf",
  "has_error": false,
  "error": null
}
```
Release Notes
v2.0.8
- Support for US4 Cloud Agent Servers.

v2.0.0
- Updated architecture to support IO via filesystem.

v1.1.4
- Added documentation link in the automation library.

v1.1.3
- Added two actions: List reports and fetch report.