Qualys VM is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.
Configuring Qualys VM
Generate the API credentials
Before starting:
1. Sign up for a Qualys account.
2. In Qualys go to VMDR --> Users, select your user, open User Role and make sure the API option is checked, as shown in the image below. Qualys rejects API logins from a user without this permission, so the feed would fail at its first poll.
3. Go to the link below and choose the API URL for the platform that hosts your account.
Qualys API URL
For instance, if your username has "2" in it, your account is on the US2 platform and the API URL is "qualysapi.qg2.apps.qualys.com". The same platform identifier appears in the URL you use to log in to the Qualys console; take care to use the qualysapi host, not the qualysguard host of the console itself.
Configuring a feed in Chronicle
1. Open Settings in Chronicle and browse to Feeds.
2. In Feeds, click Add New.
3. Select Third party API as the source type and Qualys VM as the log source, as shown in the image below.
4. Click Next and enter the required parameters:
   - USERNAME : the Qualys user login name
   - SECRET : that user's password
   - API FULL PATH : <API URL from the document mentioned above>/api/2.0/fo/asset/host/vm/detection/?action=list
5. For instance, for the US2 platform the API paths are
   - qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/host/vm/detection/?action=list (host detection list; this is the value for API FULL PATH above)
   - qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/host/?action=list (host list without detections)
6. Click Next and Finalize.
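Before saving the feed it is worth confirming, from outside Chronicle, that the platform host, the path and the credentials actually work together. The script below is an added example, not code from this page, from Chronicle or from Qualys: it builds the API FULL PATH value for a given platform host, issues the same authenticated request the feed will make (capped to a single host with truncation_limit=1), and summarises the XML that Qualys returns. It uses only the Python standard library. The two sample responses at the bottom are constructed in the documented shape of the Qualys API v2 host detection output and error output (an assumption, not captured traffic); the X-Requested-With value "chronicle-feed-check" is arbitrary, the header itself is mandatory for API v2 calls.

```python
import base64
import os
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# The two endpoint paths named on this page.
DETECTION_PATH = "/api/2.0/fo/asset/host/vm/detection/?action=list"
HOST_PATH = "/api/2.0/fo/asset/host/?action=list"


def is_api_host(host):
    """True for a Qualys API server host (qualysapi.*); the console host
    (qualysguard.*) of the same platform does not serve the API."""
    return host.startswith("qualysapi.") and "/" not in host


def build_full_path(platform_host, path=DETECTION_PATH):
    """Return the API FULL PATH value for the feed: host plus path, no scheme."""
    host = platform_host.strip().lower()
    for prefix in ("https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    host = host.rstrip("/")
    if not is_api_host(host):
        raise ValueError(f"{platform_host!r} is not a Qualys API server host")
    return host + path


def probe(full_path, username, password, timeout=30):
    """Make the request the feed will make, capped to one host; return (status, body)."""
    url = "https://" + full_path + "&truncation_limit=1"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": "Basic " + token,
        # Qualys API v2 requires X-Requested-With on every call; the value is free text.
        "X-Requested-With": "chronicle-feed-check",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def summarize_response(xml_text):
    """Classify a Qualys API v2 XML body as a host list, an error, or unknown."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {"kind": "unknown"}
    if root.tag == "SIMPLE_RETURN":
        return {"kind": "error", "code": root.findtext("RESPONSE/CODE"),
                "text": root.findtext("RESPONSE/TEXT")}
    if root.tag == "HOST_LIST_VM_DETECTION_OUTPUT":
        return {"kind": "hosts",
                "hosts": len(root.findall(".//HOST_LIST/HOST")),
                "detections": len(root.findall(".//DETECTION")),
                # Only present when the result was truncated; the feed follows it page by page.
                "next_url": root.findtext(".//WARNING/URL")}
    return {"kind": "unknown", "root": root.tag}


# Constructed responses in the documented shape of the API v2 output (an assumption,
# not captured traffic), used to exercise summarize_response offline.
SAMPLE_DETECTION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><DATETIME>2023-07-13T16:00:00Z</DATETIME>
<HOST_LIST><HOST><ID>495224573</ID><IP>0.0.0.0</IP><DETECTION_LIST>
<DETECTION><QID>105977</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
<DETECTION><QID>105936</QID><TYPE>Confirmed</TYPE><SEVERITY>3</SEVERITY><STATUS>Active</STATUS></DETECTION>
</DETECTION_LIST></HOST></HOST_LIST>
<WARNING><CODE>1980</CODE><TEXT>1 record limit exceeded. Use URL to get next batch of results.</TEXT>
<URL>https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/host/vm/detection/?action=list&amp;truncation_limit=1&amp;id_min=495224574</URL>
</WARNING></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

SAMPLE_ERROR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SIMPLE_RETURN><RESPONSE><DATETIME>2023-07-13T16:00:00Z</DATETIME>
<CODE>2000</CODE><TEXT>Bad Login/Password</TEXT></RESPONSE></SIMPLE_RETURN>"""


if __name__ == "__main__":
    # usage: QUALYS_USER=... QUALYS_PASSWORD=... python feed_check.py qualysapi.qg2.apps.qualys.com
    full_path = build_full_path(sys.argv[1])
    status, body = probe(full_path, os.environ["QUALYS_USER"], os.environ["QUALYS_PASSWORD"])
    print(full_path, status, summarize_response(body))
```

A "hosts" summary with a non-empty next_url means the account has more than one host and the feed will page through them; an "error" summary with a bad-login text means the credentials or the API permission on the user are wrong, and an HTTP error without a SIMPLE_RETURN body usually means the host is not the API server for that platform.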
Verifying Qualys VM logs in Chronicle
Once the configuration is complete, confirm that logs are arriving by searching raw logs in Chronicle with a regular expression: ".*" lists every log source type currently ingesting, and a specific hostname (for example the DNS value of a scanned host) narrows the search to that asset. The screenshot below shows this for reference.
Sample Logs
The following is an example of the host detection log that Chronicle ingests from Qualys VM: one record per host, with that host's detections (one per QID) in DetectionList.
{"ID":495224573,"IP":"0.0.0.0","TrackingMethod":"AGENT","NetworkID":"",
 "DNS":"vbox2-egg-dev1.cncff3kcowgubbtap0xpqnl5dg.bx.internal.cloudapp.net",
 "DNSData":{"HOSTNAME":"vbox2-egg-dev1",
            "DOMAIN":"cncff3kbukgubbtap0xrqnl0dg.bx.internal.cloudapp.net",
            "FQDN":"vbox2-egg-dev1.cncff3kcowgubbtap0xpqnl5dg.bx.internal.cloudapp.net"},
 "Netbios":"","Os":"Ubuntu Linux 16.04.3","QgHostID":"f389fe71-e29f-400c-8dda-26c0fa6076ff",
 "LastScanDateTime":"2023-07-13T15:41:23Z","LastVMScanDate":"2023-07-13T15:40:28Z",
 "LastVMScanDuration":"","LastVMAuthScanDate":"2023-07-13T15:40:28Z","LastVMAuthScanDuration":"",
 "DetectionList":[
  {"Qid":"105936","DType":"Confirmed","Severity":"3","Ssl":"0",
   "Results":"Vulnerable version of OpenSSH Detected:\n\nOpenSSH_7.2p2 Ubuntu-4ubuntu2.6, OpenSSL 1.0.2g 1 Mar 2016",
   "Status":"Active","FirstFoundTime":"2022-12-02T00:51:06Z","LastFoundTime":"2023-07-13T15:40:28Z",
   "TimesFound":"1279","LastTestDateTime":"2023-07-13T15:40:28Z","LastUpdateDateTime":"2023-07-13T15:41:23Z",
   "LastFixedDatetime":"2023-01-10T00:00:28Z","IsIgnored":"0","IsDisabled":"0",
   "LastProcessedDatetime":"2023-07-13T15:41:23Z"},
  {"Qid":"105977","DType":"Confirmed","Severity":"5","Ssl":"0",
   "Results":"EOL/Obsolete Operating System Ubuntu 16.04 (Xenial Xerus) detected.",
   "Status":"Active","FirstFoundTime":"2022-12-02T00:51:06Z","LastFoundTime":"2023-07-13T15:40:28Z",
   "TimesFound":"1279","LastTestDateTime":"2023-07-13T15:40:28Z","LastUpdateDateTime":"2023-07-13T15:41:23Z",
   "LastFixedDatetime":"2023-01-10T00:00:28Z","IsIgnored":"0","IsDisabled":"0",
   "LastProcessedDatetime":"2023-07-13T15:41:23Z"},
  {"Qid":"650005","DType":"Confirmed","Severity":"5","Ssl":"0",
   "Results":"Install Location\tVersion\t\n/usr/sbin/nginx\t1.12.2",
   "Status":"Active","FirstFoundTime":"2022-12-02T00:51:06Z","LastFoundTime":"2023-07-13T15:40:28Z",
   "TimesFound":"1279","LastTestDateTime":"2023-07-13T15:40:28Z","LastUpdateDateTime":"2023-07-13T15:41:23Z",
   "LastFixedDatetime":"2023-01-10T00:00:28Z","IsIgnored":"0","IsDisabled":"0",
   "LastProcessedDatetime":"2023-07-13T15:41:23Z"}]}
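Once records of this shape are in Chronicle, the question is which detections on a host deserve a ticket. The Python below is an added example, not code from this page or from Chronicle: it parses one host record, keeps the detections that are still open (any status other than Fixed), not ignored or disabled, not informational, and at or above a severity threshold, and reports for each how long it has been open and whether it was fixed once and then found again. The input is constructed from the sample above, trimmed to the fields the logic reads. The status values it filters on (New, Active, Re-Opened, Fixed) and detection types (Confirmed, Potential, Info) are the ones Qualys uses; every number and flag arrives as a string, as in the sample.

```python
import json
from datetime import datetime, timezone

# Constructed input: the sample record above, reduced to the fields triage() reads.
SAMPLE_EVENT = json.dumps({
    "ID": 495224573, "IP": "0.0.0.0", "TrackingMethod": "AGENT",
    "DNS": "vbox2-egg-dev1.cncff3kcowgubbtap0xpqnl5dg.bx.internal.cloudapp.net",
    "Os": "Ubuntu Linux 16.04.3",
    "QgHostID": "f389fe71-e29f-400c-8dda-26c0fa6076ff",
    "DetectionList": [
        {"Qid": "105936", "DType": "Confirmed", "Severity": "3", "Status": "Active",
         "Results": "Vulnerable version of OpenSSH Detected:\n\nOpenSSH_7.2p2 Ubuntu-4ubuntu2.6, OpenSSL 1.0.2g 1 Mar 2016",
         "FirstFoundTime": "2022-12-02T00:51:06Z", "LastFoundTime": "2023-07-13T15:40:28Z",
         "LastFixedDatetime": "2023-01-10T00:00:28Z", "IsIgnored": "0", "IsDisabled": "0"},
        {"Qid": "105977", "DType": "Confirmed", "Severity": "5", "Status": "Active",
         "Results": "EOL/Obsolete Operating System Ubuntu 16.04 (Xenial Xerus) detected.",
         "FirstFoundTime": "2022-12-02T00:51:06Z", "LastFoundTime": "2023-07-13T15:40:28Z",
         "LastFixedDatetime": "2023-01-10T00:00:28Z", "IsIgnored": "0", "IsDisabled": "0"},
        {"Qid": "650005", "DType": "Confirmed", "Severity": "5", "Status": "Active",
         "Results": "Install Location\tVersion\t\n/usr/sbin/nginx\t1.12.2",
         "FirstFoundTime": "2022-12-02T00:51:06Z", "LastFoundTime": "2023-07-13T15:40:28Z",
         "LastFixedDatetime": "2023-01-10T00:00:28Z", "IsIgnored": "0", "IsDisabled": "0"},
    ],
})


def parse_ts(value):
    """Qualys timestamps are ISO 8601 in UTC; an empty string occurs and means 'never'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(event_json, min_severity=4):
    """Return the detections on one host record that need a ticket, most severe first."""
    event = json.loads(event_json)
    host = event.get("DNS") or event.get("IP")
    findings = []
    for det in event.get("DetectionList", []):
        # Numbers and flags are serialised as strings in this feed.
        severity = int(det.get("Severity") or "0")
        if det.get("Status") == "Fixed" or det.get("DType") == "Info":
            continue
        if det.get("IsIgnored") == "1" or det.get("IsDisabled") == "1":
            continue
        if severity < min_severity:
            continue
        first = parse_ts(det.get("FirstFoundTime"))
        last = parse_ts(det.get("LastFoundTime"))
        fixed = parse_ts(det.get("LastFixedDatetime"))
        results = det.get("Results") or ""
        findings.append({
            "host": host,
            "qid": det["Qid"],
            "type": det.get("DType"),
            "status": det.get("Status"),
            "severity": severity,
            "days_open": (last - first).days if first and last else None,
            # Fixed at some point but found again later: a regression, not a new finding.
            "reopened": bool(fixed and last and fixed < last),
            "summary": results.splitlines()[0] if results else "",
        })
    findings.sort(key=lambda f: (-f["severity"], f["qid"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENT):
        print(finding)
```

On the sample record all three detections have a LastFixedDatetime earlier than their LastFoundTime, so each is reported as reopened: the host was remediated in January and regressed, which is a different conversation with the owner than a finding that was never fixed.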