Hi all,
My name is Laura and I'm working on the Qualys integration with Splunk at my company.
I have found some issues and I hope that you can help me.
In the Splunk infrastructure, the Splunk Add-on for Qualys is installed and configured as described in the official documentation. I see the Qualys data about VM and WAS correctly in Splunk, but the problems are:
I've installed the Splunk Add-on for Qualys version 1.3.3; maybe the problems could be due to the obsolete version?
Thank you in advance.
Hi @lauraG85
Those are not really the issues. It's by design. The API used in the Qualys TA for VM detection returns normalized data across all scans, and hence it does not contain any scan reference. It's more like a snapshot of your vuln posture at the point of the API call. Along similar lines, the WAS API does not have a scan reference either. Perhaps opening a Feature Request on these two APIs with Qualys could be the next step.
For any data input, the TA does not parse each and every field from the API response by default. It has a default set of fields to be parsed, though. If you can read Python code, you can go to any of the populator classes and see the _process_root_element method.
For the knowledge base, the TA does not parse "Solution" information, mainly because it could be multi-line. Similarly, it is not coded to parse "Exploitability" by default. If you need those fields, please get in touch with Qualys Support and they will guide you on how to customize that code to get the "Solution" and "Exploitability" fields.
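To illustrate the multi-line problem mentioned in the reply above, here is an added example (not code from the Qualys TA and not posted by anyone in this thread) that flattens a multi-line "Solution" value into a single-line key="value" event. It assumes the VULN, QID, TITLE and SOLUTION element names of the KnowledgeBase API XML output; the sample XML is constructed and the function names flatten and kb_events are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a KnowledgeBase API response; not real Qualys data.
SAMPLE_KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
<VULN>
  <QID>900001</QID>
  <TITLE>Constructed example finding</TITLE>
  <SOLUTION><![CDATA[Upgrade to the fixed release.
<P>Set option "strict" = on
in the service configuration.]]></SOLUTION>
</VULN>
<VULN>
  <QID>900002</QID>
  <TITLE>Finding without a solution</TITLE>
</VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""


def flatten(text):
    """Collapse a multi-line, HTML-tinged field into one safely quoted line."""
    if not text:
        return ""
    text = re.sub(r"<[^>]+>", " ", text)      # drop inline markup such as <P>
    text = re.sub(r"\s+", " ", text).strip()  # newlines and tabs become single spaces
    # Escape backslashes and quotes so the value cannot end the key="value" pair early.
    return text.replace("\\", "\\\\").replace('"', '\\"')


def kb_events(xml_text, fields=("QID", "TITLE", "SOLUTION")):
    """Return one key="value" line per VULN element (hypothetical helper, not TA code)."""
    root = ET.fromstring(xml_text)
    events = []
    for vuln in root.iter("VULN"):
        # A missing element (findtext returns None) becomes an empty value.
        pairs = [f'{name}="{flatten(vuln.findtext(name))}"' for name in fields]
        events.append(", ".join(pairs))
    return events


if __name__ == "__main__":
    for line in kb_events(SAMPLE_KB_XML):
        print(line)
```
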
Thank you for your answer.
I've actually found, in the official TA doc, that I could have some extra fields in the knowledge base, including the solution, by modifying the kbpopulatory script.
I will try it soon.
Thanks again
🙂