All Apps and Add-ons

Splunk TA Qualys: many vulnerability informations are missing in Splunk

lauraG85
Engager

Hi all,

my name is Laura and I'm working with Qualys integration with Splunk with my company.
I had found some issues and I hope that you can help me.

In the Splunk Infrastructure it´s installed and configured the Splunk add-on for Qualys as well as reported in the official documentation. I see in Splunk the Qualys data about VM and WAS correctly, but the problems are:

  1. I couldn't find any field related to the single Qualys scan: so, I see a scanned IP address with all its vulnerabilities, but I don't know in which scan its vulnerabilities have been discovered (information that, obviously , I have in Qualys)
  2. The Splunk add-on had collected the Qualys Knowledge Base, but I only have the standard information (QID, TITLE, SEVERITY, CVE, etc.) and nothing about the details, such as the "Solution" or the "Exploitability"

I’ve installed the Splunk Add-on for Qualys version 1.3.3; maybe the problems could be in the obsolete version?

Thank you in advance.

0 Karma
1 Solution

prabhasgupte
Communicator

Hi @lauraG85

Those are not really the issues. Its by design. The API used in Qualys TA for VM detection returns normalized data across all scans. And hence, it does not contain any scan reference. Its more like a snapshot of your vuln posture at the point of API call. On similar lines, WAS API too does not have scan reference. Perhaps, opening a Feature Request on these two APIs with Qualys could be the next step.

For any data input, the TA does not parse each and every field from API response by default. It has a default set of fields to be parsed though. If you can read Python code, you can go to any of the populator class and see _process_root_element method.
For knowledge base, the TA does not parse "Solution" information, mainly because it could be multi-line. Similarly, it is not coded to parse "Exploitability" by default. If you need those fields, please get in touch with Qualys Support and they will guide you on how to customize that code to get "Solution" and "Exploitability" fields.

View solution in original post

0 Karma

prabhasgupte
Communicator

Hi @lauraG85

Those are not really the issues. Its by design. The API used in Qualys TA for VM detection returns normalized data across all scans. And hence, it does not contain any scan reference. Its more like a snapshot of your vuln posture at the point of API call. On similar lines, WAS API too does not have scan reference. Perhaps, opening a Feature Request on these two APIs with Qualys could be the next step.

For any data input, the TA does not parse each and every field from API response by default. It has a default set of fields to be parsed though. If you can read Python code, you can go to any of the populator class and see _process_root_element method.
For knowledge base, the TA does not parse "Solution" information, mainly because it could be multi-line. Similarly, it is not coded to parse "Exploitability" by default. If you need those fields, please get in touch with Qualys Support and they will guide you on how to customize that code to get "Solution" and "Exploitability" fields.

0 Karma

lauraG85
Engager

thank you to your answer.
I've found, actually, in the official TA doc, that I could have some extra fields in the knowledge base,including the solution, modifing the kbpopulatory script.
I will try it soon.

thanks again
🙂

0 Karma
Get Updates on the Splunk Community!

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...