
Splunk TA Qualys: many vulnerability informations are missing in Splunk

lauraG85
Engager

Hi all,

My name is Laura and I'm working on the Qualys integration with Splunk at my company.
I have found some issues and I hope that you can help me.

The Splunk Add-on for Qualys is installed and configured in our Splunk infrastructure as described in the official documentation. I see the Qualys VM and WAS data in Splunk correctly, but the problems are:

  1. I couldn't find any field related to the single Qualys scan: I see a scanned IP address with all its vulnerabilities, but I don't know in which scan its vulnerabilities were discovered (information that, obviously, I have in Qualys).
  2. The Splunk add-on has collected the Qualys Knowledge Base, but I only have the standard information (QID, TITLE, SEVERITY, CVE, etc.) and nothing about the details, such as the "Solution" or the "Exploitability".

I've installed the Splunk Add-on for Qualys version 1.3.3; maybe the problem is the obsolete version?

Thank you in advance.


prabhasgupte
Communicator

Hi @lauraG85

Those are not really issues. It's by design. The API used in the Qualys TA for VM detection returns normalized data across all scans, and hence it does not contain any scan reference. It's more like a snapshot of your vulnerability posture at the time of the API call. Along similar lines, the WAS API does not have a scan reference either. Perhaps opening a Feature Request on these two APIs with Qualys could be the next step.

For any data input, the TA does not parse each and every field from the API response by default. It has a default set of fields to be parsed, though. If you can read Python code, you can go to any of the populator classes and see the _process_root_element method.
For the knowledge base, the TA does not parse the "Solution" information, mainly because it could be multi-line. Similarly, it is not coded to parse "Exploitability" by default. If you need those fields, please get in touch with Qualys Support and they will guide you on how to customize that code to get the "Solution" and "Exploitability" fields.


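To make the answer concrete, here is an added example (not code from the Qualys TA or from the poster) of parsing a KnowledgeBase response and pulling out the two fields the TA skips. The XML shape, element names and sample values are constructed for illustration; the multi-line SOLUTION is flattened so it fits in a single key/value event.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Qualys KnowledgeBase API response (element layout
# assumed, not taken from Qualys or the TA); the SOLUTION is multi-line on purpose.
SAMPLE_KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
<RESPONSE><VULN_LIST>
<VULN>
  <QID>900001</QID>
  <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
  <TITLE><![CDATA[Example service remote code execution]]></TITLE>
  <SOLUTION><![CDATA[Upgrade to version 2.1 or later.
Refer to the vendor advisory for details.]]></SOLUTION>
  <CVE_LIST><CVE><ID>CVE-0000-0001</ID></CVE></CVE_LIST>
  <CORRELATION><EXPLOITS>
    <EXPLT_SRC><SRC_NAME>Example Exploit DB</SRC_NAME></EXPLT_SRC>
  </EXPLOITS></CORRELATION>
</VULN>
<VULN>
  <QID>900002</QID>
  <SEVERITY_LEVEL>2</SEVERITY_LEVEL>
  <TITLE><![CDATA[Example information disclosure]]></TITLE>
</VULN>
</VULN_LIST></RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""

def _flatten(text):
    """Collapse a multi-line CDATA body into one line so it fits a KV event."""
    return " ".join(line.strip() for line in (text or "").splitlines() if line.strip())

def parse_kb_vulns(xml_text):
    """Return one dict per VULN, including the SOLUTION and EXPLOITABILITY
    fields the TA skips by default; missing elements become None or empty."""
    root = ET.fromstring(xml_text)
    records = []
    for vuln in root.iter("VULN"):
        sources = [s.text for s in vuln.findall("CORRELATION/EXPLOITS/EXPLT_SRC/SRC_NAME")]
        records.append({
            "QID": vuln.findtext("QID"),
            "TITLE": vuln.findtext("TITLE"),
            "SEVERITY": vuln.findtext("SEVERITY_LEVEL"),
            "CVE": [c.text for c in vuln.findall("CVE_LIST/CVE/ID")],
            "SOLUTION": _flatten(vuln.findtext("SOLUTION")) or None,
            "EXPLOITABILITY": "Yes" if sources else "No",  # derived from exploit sources
            "EXPLOIT_SOURCES": sources,
        })
    return records
```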


lauraG85
Engager

Thank you for your answer.
I've actually found, in the official TA doc, that I could get some extra fields in the knowledge base, including the solution, by modifying the kbpopulatory script.
I will try it soon.

thanks again
🙂
