Configuring Qualys Connectors
The Qualys connector allows Stellar Cyber to collect host asset and vulnerability data from Qualys and add it to the Asset Analytics identified Asset table.
Connector Overview: Qualys
Capabilities
-
Collect: Yes
-
Respond: No
-
Native Alerts Mapped: No
-
Runs on: DP
-
Interval: Configurable
Collected Data
Content Type |
Index |
Locating Records |
---|---|---|
Hosts Vulnerabilities |
Syslog Scans
|
Domain
<Qualys API URL> where <Qualys API URL> is a variable from the configuration of this connector |
Response Actions
N/A
Third Party Native Alert Integration Details
N/A
Required Credentials
-
Qualys API URL, Username, and Password
Let us know if you find the above overview useful.
Adding a Qualys Connector
To add a Qualys connector:
Setting up the Stellar Cyber App Integration
-
Log in to the Qualys Cloud Platform Console as a user with API access privileges (https://qualysguard.qg3.apps.qualys.com/).
-
Locate the SOC API URL you will need in order to configure your Stellar Cyber connector. Click the Help>About menu.
-
Locate the Security Operations Center addresses and make note of the address with API in the string.
-
Close the dialog and access the user's profile to verify API access. Open the menu to the right of the Help menu and access the User Profile.
-
When the dialog opens, verify that Allow Access to: API checkbox is enabled in the User Roles tab.
-
With the above URL and the credentials for this user, you are now ready to set up your Stellar Cyber Qualys connector.
Adding the Connector in Stellar Cyber
To add a Qualys connector in Stellar Cyber:
-
Log in to Stellar Cyber.
-
Click System | Integration | Connectors. The Connector Overview appears.
-
Click Create. The General tab of the Add Connector screen appears. The information on this tab cannot be changed after you add the connector.
The asterisk (*) indicates a required field.
-
Choose Vulnerability Scanner from the Category drop-down.
-
Choose Qualys from the Type drop-down.
-
For this connector, the supported Function is Collect, which is enabled already.
-
Enter a Name.
This field does not accept multibyte characters.
-
Choose a Tenant Name. The Interflow records created by this connector include this tenant name.
-
Choose the device on which to run the connector.
-
(Optional) When the Function is Collect, you can create Log Filters. For information, see Managing Log Filters.
-
Click Next. The Configuration tab appears.
The asterisk (*) indicates a required field.
-
Enter the Qualys API URL.
For release versions prior to v4.3.4, ensure the URL does not include a trailing "/" symbol.
-
Enter the Username of the user you logged in with above.
-
Enter the Password for that user.
-
Choose the Interval (min). This is how often the logs are collected.
-
Choose the Content Type you would like to collect. The logs for Hosts and Vulnerabilities are supported.
-
Click Next. The final confirmation tab appears.
-
Click Submit.
To pull data, a connector must be added to a Data Analyzer profile if it is running on the Data Processor.
The new connector is immediately active.
Testing the Connector
When you add (or edit) a connector, we recommend that you run a test to validate the connectivity parameters you entered. (The test validates only the authentication / connectivity; it does not validate data flow).
For connectors running on a sensor, Stellar Cyber recommends that you allow 30-60 seconds for new or modified configuration details to be propagated to the sensor before performing a test.
-
Click System | Integrations | Connectors. The Connector Overview appears.
-
Locate the connector that you added, or modified, or that you want to test.
-
Click Test at the right side of that row. The test runs immediately.
Note that you may run only one test at a time.
Stellar Cyber conducts a basic connectivity test for the connector and reports a success or failure result. A successful test indicates that you entered all of the connector information correctly.
To aid troubleshooting your connector, the dialog remains open until you explicitly close it by using the X button. If the test fails, you can select the button from the same row to review and correct issues.
The connector status is updated every five (5) minutes. A successful test clears the connector status, but if issues persist, the status reverts to failed after a minute.
Repeat the test as needed.
Verifying Ingestion
To verify ingestion:
- Click Investigate | Threat Hunting. The Interflow Search tab appears.
- Change the Indices to include either or both of Syslog or Scans. The table immediately updates to show ingested Interflow records.