All Apps and Add-ons

Splunk TA Qualys: much vulnerability information is missing in Splunk

lauraG85
Engager

Hi all,

My name is Laura and I'm working on the Qualys integration with Splunk at my company.
I have found some issues and I hope that you can help me.

In our Splunk infrastructure, the Splunk Add-on for Qualys is installed and configured as described in the official documentation. I see the Qualys VM and WAS data correctly in Splunk, but the problems are:

  1. I couldn't find any field related to the single Qualys scan: so, I see a scanned IP address with all its vulnerabilities, but I don't know in which scan its vulnerabilities were discovered (information that, obviously, I have in Qualys)
  2. The Splunk add-on has collected the Qualys Knowledge Base, but I only have the standard information (QID, TITLE, SEVERITY, CVE, etc.) and nothing about the details, such as the "Solution" or the "Exploitability"

I've installed the Splunk Add-on for Qualys version 1.3.3; maybe the problems are due to the obsolete version?

Thank you in advance.

1 Solution

prabhasgupte
Communicator

Hi @lauraG85

Those are not really issues. It's by design. The API used in the Qualys TA for VM detection returns normalized data across all scans, and hence it does not contain any scan reference. It's more like a snapshot of your vuln posture at the point of the API call. On similar lines, the WAS API does not have a scan reference either. Perhaps opening a Feature Request on these two APIs with Qualys could be the next step.

For any data input, the TA does not parse each and every field from the API response by default. It has a default set of fields to be parsed, though. If you can read Python code, you can go to any of the populator classes and see the _process_root_element method.
For the knowledge base, the TA does not parse the "Solution" information, mainly because it could be multi-line. Similarly, it is not coded to parse "Exploitability" by default. If you need those fields, please get in touch with Qualys Support and they will guide you on how to customize that code to get the "Solution" and "Exploitability" fields.


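As an added example (not code from the add-on, from Qualys, or from either poster), here is a small parser that pulls the default knowledge base fields together with SOLUTION and EXPLOITABILITY out of a constructed KnowledgeBase-style XML response, collapsing the multi-line solution text so it can be written as a single key=value event. The element names and the sample document are assumptions modelled on the Qualys KnowledgeBase API format, and the populator in the real TA is structured differently.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample modelled on a Qualys KnowledgeBase API response; the element
# names are assumptions for this example, not taken from the add-on's code.
SAMPLE_KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
<VULN><QID>90001</QID><TITLE><![CDATA[Example service out of date]]></TITLE>
  <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
  <SOLUTION><![CDATA[Upgrade the service.
See the vendor advisory for
the patched release.]]></SOLUTION>
  <CVE_LIST><CVE><ID>CVE-0000-0001</ID></CVE><CVE><ID>CVE-0000-0002</ID></CVE></CVE_LIST>
  <CORRELATION><EXPLOITS><EXPLT_SRC><SRC_NAME>ExampleDB</SRC_NAME>
    <EXPLT_LIST><EXPLT><REF>CVE-0000-0001</REF></EXPLT></EXPLT_LIST></EXPLT_SRC>
  </EXPLOITS></CORRELATION></VULN>
<VULN><QID>90002</QID><TITLE>Weak cipher</TITLE><SEVERITY_LEVEL>2</SEVERITY_LEVEL></VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""
_DQ, _SQ = '"', "'"

def _text(elem, path):
    # Text of the first child at path, or '' when that element is absent.
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""

def parse_kb(xml_text):
    """One dict per VULN: the default fields plus SOLUTION and EXPLOITABILITY."""
    records = []
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        records.append({
            "QID": _text(vuln, "QID"),
            "TITLE": _text(vuln, "TITLE"),
            "SEVERITY": _text(vuln, "SEVERITY_LEVEL"),
            "CVE": [_text(c, "ID") for c in vuln.findall("CVE_LIST/CVE")],
            # The solution spans several lines; collapse whitespace so it stays on one event line.
            "SOLUTION": re.sub(r"\s+", " ", _text(vuln, "SOLUTION")),
            "EXPLOITABILITY": [
                f"{_text(src, 'SRC_NAME')}:{_text(e, 'REF')}"
                for src in vuln.findall("CORRELATION/EXPLOITS/EXPLT_SRC")
                for e in src.findall("EXPLT_LIST/EXPLT")
            ],
        })
    return records

def to_kv_event(rec):
    """Render a record as one key="value" line; list values are comma-joined."""
    parts = []
    for key, val in rec.items():
        text = ",".join(val) if isinstance(val, list) else val
        parts.append(f'{key}="{text.replace(_DQ, _SQ)}"')
    return " ".join(parts)
```

Records with no SOLUTION or CVE_LIST simply yield empty values rather than failing, which is what a populator has to cope with when the knowledge base returns sparse entries.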

lauraG85
Engager

Thank you for your answer.
I've actually found, in the official TA doc, that I could have some extra fields in the knowledge base, including the solution, by modifying the kbpopulatory script.
I will try it soon.

Thanks again
🙂
