- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk TA Qualys: many vulnerability informati...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
my name is Laura and I'm working with Qualys integration with Splunk with my company.
I had found some issues and I hope that you can help me.
In the Splunk Infrastructure it´s installed and configured the Splunk add-on for Qualys as well as reported in the official documentation. I see in Splunk the Qualys data about VM and WAS correctly, but the problems are:
- I couldn't find any field related to the single Qualys scan: so, I see a scanned IP address with all its vulnerabilities, but I don't know in which scan its vulnerabilities have been discovered (information that, obviously , I have in Qualys)
- The Splunk add-on had collected the Qualys Knowledge Base, but I only have the standard information (QID, TITLE, SEVERITY, CVE, etc.) and nothing about the details, such as the "Solution" or the "Exploitability"
I’ve installed the Splunk Add-on for Qualys version 1.3.3; maybe the problems could be in the obsolete version?
Thank you in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lauraG85
Those are not really the issues. Its by design. The API used in Qualys TA for VM detection returns normalized data across all scans. And hence, it does not contain any scan reference. Its more like a snapshot of your vuln posture at the point of API call. On similar lines, WAS API too does not have scan reference. Perhaps, opening a Feature Request on these two APIs with Qualys could be the next step.
For any data input, the TA does not parse each and every field from API response by default. It has a default set of fields to be parsed though. If you can read Python code, you can go to any of the populator class and see _process_root_element method.
For knowledge base, the TA does not parse "Solution" information, mainly because it could be multi-line. Similarly, it is not coded to parse "Exploitability" by default. If you need those fields, please get in touch with Qualys Support and they will guide you on how to customize that code to get "Solution" and "Exploitability" fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lauraG85
Those are not really the issues. Its by design. The API used in Qualys TA for VM detection returns normalized data across all scans. And hence, it does not contain any scan reference. Its more like a snapshot of your vuln posture at the point of API call. On similar lines, WAS API too does not have scan reference. Perhaps, opening a Feature Request on these two APIs with Qualys could be the next step.
For any data input, the TA does not parse each and every field from API response by default. It has a default set of fields to be parsed though. If you can read Python code, you can go to any of the populator class and see _process_root_element method.
For knowledge base, the TA does not parse "Solution" information, mainly because it could be multi-line. Similarly, it is not coded to parse "Exploitability" by default. If you need those fields, please get in touch with Qualys Support and they will guide you on how to customize that code to get "Solution" and "Exploitability" fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you to your answer.
I've found, actually, in the official TA doc, that I could have some extra fields in the knowledge base,including the solution, modifing the kbpopulatory script.
I will try it soon.
thanks again
🙂
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
