Qualys VM

Integration version: 18.0

Overview

Configure QualysVM integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Download Vm Scan Results

Description

Fetch a vulnerability scan results by the scan ID.

Parameters

Parameter Type Default Value Is Mandatory Description
Scan ID String N/A Yes Scan ID value.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
       "username": "username",
        "city": "New York",
        "zip": "10024",
        "name": "user name",
        "add1": "Broadway",
        "country": "United States of America",
        "company": "X",
        "state": "New York",
        "scan_report_template_title": "Scan Results",
        "result_date": "01/28/2019 12:16:42",
        "role": "Manager",
        "add2": "Suite"
     },{
        "status": "Finished",
        "scanner_appliance": "1.1.1.1 (Scanner 10.10.10-1, Vulnerability Signatures 10.10.10-2)",
        "network": "Global Default Network",
        "reference": "scan/1533110666.07264",
        "ips": "1.1.1.1",
        "launch_date": "08/01/2018 08:04:26",
        "option_profile": "Initial Options",
        "total_hosts": "1",
        "scan_title": "My first scan",
        "duration": "00:06:20",
        "excluded_ips": "",
        "asset_groups": null,
        "type": "API",
        "active_hosts": "1"
    },{
        "protocol": "tcp",
        "qid": 86000,
        "results": "Server Version\\tServer Banner\\ncloudflare-nginx\\tcloudflare-nginx",
        "solution": "N/A",
        "ip_status": "host scanned, found vuln",
        "port": "80",
        "category": "Web server",
        "severity": "1",
        "title": "Web Server Version",
        "instance": null,
        "dns": "1dot1dot1dot1.cloudflare-dns.com",
        "ip": "1.1.1.1",
        "type": "Ig",
        "vendor_reference": null,
        "cve_id": null,
        "ssl": "no",
        "netbios": null,
        "associated_malware": null,
        "pci_vuln": "no",
        "impact": "N/A",
        "fqdn": "",
        "bugtraq_id": null,
        "threat": "N/A",
        "os": "Linux 3.13",
        "exploitability": null
     },{
        "target_distribution_across_scanner_appliances": "External : 1.1.1.1"
    }
]
Entity Enrichment

N/A

Insights

N/A

Enrich Host

Description

Enrich a host with information from Qualys VMDR.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Create Insight Checkbox Checked No If enabled, the action creates an insight containing all of the retrieved information about the entity.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
   {
     "EntityResult":
      {
       "LAST_VM_SCANNED_DATE": "2019-01-06T12: 39: 00Z",
       "LAST_VM_SCANNED_DURATION": "490",
       "NETWORK_ID": "0",
       "IP": "1.1.1.1",
       "LAST_VULN_SCAN_DATETIME": "2019-01-06T12: 39: 00Z",
       "COMMENTS": "AddedbyX",
       "TRACKING_METHOD": "IP",
       "DNS": "one.one.one.one",
       "OS": "Linux3.13",
       "ID": "54664176"
      },
    "Entity": "1.1.1.1"
   }
]
Entity Enrichment
Enrichment Field Name Logic - When to apply
LAST_VM_SCANNED_DATE Returns if it exists in JSON result
LAST_VM_SCANNED_DURATION Returns if it exists in JSON result
NETWORK_ID Returns if it exists in JSON result
IP Returns if it exists in JSON result
LAST_VULN_SCAN_DATETIME Returns if it exists in JSON result
COMMENTS Returns if it exists in JSON result
TRACKING_METHOD Returns if it exists in JSON result
DNS Returns if it exists in JSON result
OS Returns if it exists in JSON result
ID Returns if it exists in JSON result
Entity Returns if it exists in JSON result
Insights

N/A

Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one host (is_success=true): "The following hosts were enriched: {entity.identifier}."

If data is not available for one host (is_success=true): "Action wasn't able to enrich the following entities using information from Qualys VMDR: {entity.identifier}."

If data is not available for all hosts (is_success=false): "No hosts were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities"." Reason: {0}''.format(error.Stacktrace)

General

Download Report

Description

Fetch report by the ID.

Parameters

Parameter Type Default Value Is Mandatory Description
Report ID String N/A Yes Report ID value.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
  "STATUS":
    {
     "STATE": "Finished"
     },
  "EXPIRATION_DATETIME": "2019-02-04T13:11:15Z",
  "TITLE": "Scan scan/1533110666.07264 Report",
  "USER_LOGIN": "sempf3mh",
  "OUTPUT_FORMAT": "PDF",
  "LAUNCH_DATETIME": "2019-01-28T13:11:14Z",
  "TYPE": "Scan",
  "ID": "775111",
  "SIZE": "22.17 KB"
}
Entity Enrichment

N/A

Insights

N/A

Launch Compliance Report

Description

You can run compliance scans and create compliance reports on hosts (IP addresses) that have been added to the PC.

Parameters

Parameter Type Default Value Is Mandatory Description
Report Title String N/A Yes

A user-defined report title. The title may have a maximum of 128 characters.

For a PCI compliance report, the report title is provided by Qualys and cannot be changed.

Report Type String N/A Yes Template name.
Output Format String N/A Yes

One output format may be specified.

When output_format=pdf is specified, the Secure PDF Distribution may be used.

Example: pdf, mht, and html

IPs/Ranges String N/A No

Specify IPs or ranges to change (override) the report target, as defined in the patch report template.

Multiple IPs or ranges are comma-separated.

Asset Groups String N/A No A comma-separated list of asset groups.
Scan Reference String N/A No Show only a scan with a certain scan reference code.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
report_id True/False report_id:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Launch Patch Report

Description

Launch patch reports to find out about the patches you need to apply to fix your current vulnerabilities. You'll be able to use the links in this report to quickly download and install any missing patches.

Parameters

Parameter Type Default Value Is Mandatory Description
Report Title String N/A Yes

A user-defined report title. The title may have a maximum of 128 characters.

For a PCI compliance report, the report title is provided by Qualys and cannot be changed.

Report Type String N/A Yes Template name.
Output Format String N/A Yes

One output format may be specified.

When output_format=pdf is specified, the Secure PDF Distribution may be used.

Example: pdf, mht and html

IPs/Ranges String N/A No

Specify IPs or ranges to change (override) the report target, as defined in the patch report template.

Multiple IPs or ranges are comma-separated.

Asset Groups String N/A No

Asset groups.

If more than one has to be comma-separated.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
report_id True/False report_id:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Launch Remediation Report

Description

Launch remediation reports to get information on remediation tickets, like ticket status and overall trend information. You can choose from these reports:

  • Executive Remediation Report
  • Tickets per Asset Group
  • Tickets per User
  • Tickets per Vulnerability

Parameters

Parameter Type Default Value Is Mandatory Description
Report Title String N/A Yes

A user-defined report title. The title may have a maximum of 128 characters.

For a PCI compliance report, the report title is provided by Qualys and cannot be changed.

Report Type String N/A Yes Template name.
Output Format String N/A Yes

One output format may be specified.

When output_format=pdf is specified, the Secure PDF Distribution may be used.

Example: pdf, mht and html

IPs/Ranges String N/A No

Specify IPs or ranges to change (override) the report target, as defined in the patch report template.

Multiple IPs or ranges are comma separated.

Asset Groups String N/A No

Asset groups.

If more than one has to be comma-separated.

Display Results For All tickets Checkbox Checked No

Specifies whether the report includes tickets assigned to the current user (User is set by default), or all tickets in the user account.

By default tickets assigned to the current user are included.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
report_id True/False report_id:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Launch Scan Report

Description

Launch a scan report.

Parameters

Parameter Type Default Value Is Mandatory Description
Report Title String N/A Yes

A user-defined report title. The title may have a maximum of 128 characters.

For a PCI compliance report, the report title is provided by Qualys and cannot be changed.

Report Type String N/A Yes Template name.
Output Format String N/A Yes

One output format may be specified.

When output_format=pdf is specified, the Secure PDF Distribution may be used.

Example: pdf, mht and html.

IPs/Ranges String N/A No

Specify IPs or ranges to change (override) the report target, as defined in the patch report template.

Multiple IPs or ranges are comma-separated.

Asset Groups String N/A No

Asset groups.

If more than one has to be comma-separated.

Scan Reference String N/A No Show only a scan with a certain scan reference code.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
report_id True/False report_id:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Launch VM Scan and Fetch Results

Description

Launch vulnerability scan on a host in your network and fetch results.

Parameters

Parameter Type Default Value Is Mandatory Description
Title String N/A No The scan title. It can be up to 2000 characters (ASCII) long.
Processing Priority String N/A Yes

Specify a value between 0 and 9 to set a processing priority level for the scan. When not specified, a value of 0 (no priority) is used.

Valid values are:

  • 0 for No Priority (the default)
  • 1 for Emergency
  • 2 for Ultimate
  • 3 for Critical
  • 4 for Major
  • 5 for High
  • 6 for Standard
  • 7 for Medium
  • 8 for Minor
  • 9 for Low
Scan Profile String N/A Yes

The title of the compliance option profile to be used.

One of these parameters must be specified in a request:

  • option_title
  • option_id
Scanner Appliance String N/A No

The friendly names of the scanner appliances to be used or "External" for external scanners.

Multiple entries are comma-separated.

Network String N/A No

The ID of a network used to filter the IPs or ranges specified in the "ip" parameter.

Set to a custom network ID.

Note: This does not filter IPs or ranges specified in "asset_groups" or "asset_group_ids".

Or set to "0" (the default) for the Global Default Network. This is used to scan hosts outside of your custom networks.

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment
Enrichment Field Name Logic - When to apply
username Returns if it exists in JSON result
city Returns if it exists in JSON result
zip Returns if it exists in JSON result
name Returns if it exists in JSON result
add1 Returns if it exists in JSON result
country Returns if it exists in JSON result
company Returns if it exists in JSON result
state Returns if it exists in JSON result
can_report_template_title Returns if it exists in JSON result
result_date Returns if it exists in JSON result
role Returns if it exists in JSON result
add2 Returns if it exists in JSON result
status Returns if it exists in JSON result
scanner_appliance Returns if it exists in JSON result
network Returns if it exists in JSON result
reference Returns if it exists in JSON result
ips Returns if it exists in JSON result
launch_date Returns if it exists in JSON result
option_profile Returns if it exists in JSON result
total_hosts Returns if it exists in JSON result
scan_title Returns if it exists in JSON result
duration Returns if it exists in JSON result
excluded_ips Returns if it exists in JSON result
asset_groups Returns if it exists in JSON result
type Returns if it exists in JSON result
active_hosts Returns if it exists in JSON result
protocol Returns if it exists in JSON result
qid Returns if it exists in JSON result
results Returns if it exists in JSON result
solution Returns if it exists in JSON result
severity Returns if it exists in JSON result
title Returns if it exists in JSON result
instance Returns if it exists in JSON result
dns Returns if it exists in JSON result
ip Returns if it exists in JSON result
vendor_reference Returns if it exists in JSON result
cve_id Returns if it exists in JSON result
ssl Returns if it exists in JSON result
netbios Returns if it exists in JSON result
associated_malware Returns if it exists in JSON result
pci_vuln Returns if it exists in JSON result
fqdn Returns if it exists in JSON result
bugtraq_id Returns if it exists in JSON result
threat Returns if it exists in JSON result
os Returns if it exists in JSON result
exploitability Returns if it exists in JSON result
Insights

N/A

Script Result
Script Result Name Value Options Example
scan_ref N/A N/A
JSON Result
[
  {
    "username": "username",
    "city": "New York",
    "zip": "10024",
    "name": "user name",
    "add1": "Broadway",
    "country": "United States of America",
    "company": "X",
    "state": "New York",
    "scan_report_template_title": "Scan Results",
    "result_date": "01/28/2019 12:16:42",
    "role": "Manager",
    "add2": "Suite"
  },{
    "status": "Finished",
    "scanner_appliance": "1.1.1.1 (Scanner 10.10.10-1, Vulnerability Signatures 10.10.10-2)",
    "network": "Global Default Network",
    "reference": "scan/1533110666.07264",
    "ips": "1.1.1.1",
    "launch_date": "08/01/2018 08:04:26",
    "option_profile": "Initial Options",
    "total_hosts": "1",
    "scan_title": "My first scan",
    "duration": "00:06:20",
    "excluded_ips": "",
    "asset_groups": null,
    "type": "API",
    "active_hosts": "1"
  },{
    "protocol": "tcp",
    "qid": 86000,
    "results": "Server VersiontServer Banner\\ncloudflare-nginx\\tcloudflare-nginx",
    "solution": "N/A",
    "ip_status": "host scanned, found vuln",
    "port": "80",
    "category": "Web server",
    "severity": "1",
    "title": "Web Server Version",
    "instance": null,
    "dns": "1dot1dot1dot1.cloudflare-dns.com",
    "ip": "1.1.1.1",
    "type": "Ig",
    "vendor_reference": null,
    "cve_id": null,
    "ssl": "no",
    "netbios": null,
    "associated_malware": null,
    "pci_vuln": "no",
    "impact": "N/A",
    "fqdn": "",
    "bugtraq_id": null,
    "threat": "N/A",
    "os": "Linux 3.13",
    "exploitability": null
   },{
    "target_distribution_across_scanner_appliances": "External : 1.1.1.1"
   }
]

List Groups

Description

List of asset groups in the user's account.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{
   "TITLE": "All",
   "IP_SET":
      {
        "IP": ["1.1.1.1"]
       },
   "DOMAIN_LIST":
      {
        "DOMAIN":
          [{
             "@network_id": "0",
             "#text": "google.com"
           },{
             "@network_id": "0",
             "#text": "none",
             "@netblock": "1.1.1.1-1.1.1.1"
           }]
      },
   "LAST_UPDATE": "2018-07-25T14:56:05Z",
   "NETWORK_ID": "0",
   "OWNER_USER_NAME": "Global User",
   "BUSINESS_IMPACT": "High",
   "ID": "1111"
 },{
   "TITLE": "G",
   "NETWORK_ID": "0",
   "LAST_UPDATE": "2018-08-13T08:14:55Z",
   "OWNER_USER_NAME": "user (Manager)",
   "OWNER_USER_ID": "11111",
   "BUSINESS_IMPACT": "High",
   "ID": "11111"
 }]
Entity Enrichment

N/A ##### Insights

N/A

List IPs

Description

List of IP addresses in the user's account. By default, all hosts in the user's account are included.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ip_list True/False ip_list:False
JSON Result
[
  "1.1.1.1",
  "1.1.100.100",
  "10.10.10.10"
]
Entity Enrichment

N/A ##### Insights

N/A

List Reports

Description

List of reports in the user's account when the Report Share feature is enabled. The report list output includes all report types, including scorecard reports.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
  {
    "STATUS":
      {
        "STATE": "Finished"
      },
    "EXPIRATION_DATETIME": "2019-02-04T13:11:15Z",
    "TITLE": "Scan scan/1533110666.07264 Report",
    "USER_LOGIN": "sempf3mh",
    "OUTPUT_FORMAT": "PDF",
    "LAUNCH_DATETIME": "2019-01-28T13:11:14Z",
    "TYPE": "Scan",
    "ID": "775111",
    "SIZE": "22.17 KB"
  }
]
Entity Enrichment

N/A

Insights

N/A

List Scans

Description

List of scans launched within the past 30 days.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
    [
       {
         "STATUS":
           {
              "STATE": "Finished"
           },
        "TARGET": "1.1.1.1",
        "TITLE": "Test Scan",
        "USER_LOGIN": "sempf3mh",
        "LAUNCH_DATETIME": "2019-01-06T12:29:52Z",
        "PROCESSED": "1",
        "REF": "scan/1546777792.44756",
        "PROCESSING_PRIORITY": "0 - No Priority",
        "DURATION": "00:08:24",
        "TYPE": "On-Demand"
       }
     ]
Entity Enrichment

N/A

Insights

N/A

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

List Endpoint Detections

Description

List endpoint detections in Qualys VMDR.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Status Filter CSV new, active, re-opened No

Specify a comma-separated list of statuses that should be used during ingestion.

If nothing is provided, the action ingests detections with "New, Active, Re-Opened" statuses.

Possible values: New, Active, Fixed, Re-Opened.

Ingest Ignored Detections Checkbox Unchecked No If enabled, the action also returns ignored detections.
Ingest Disabled Detections Checkbox Unchecked No If enabled, the action also returns disabled detections.
Lowest Severity To Fetch DDL Medium No Specify the lowest severity that is used to fetch detections.
Create Insight Checkbox Checked No If enabled, the action creates an insight containing information about vulnerabilities found on the entity.
Max Detections To Return Integer 50 No

Specify the number of detections to return per entity.

Maximum: 200

Run On

The action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data for at least one endpoint is found (is_success=true): "Successfully listed detections related to the following endpoints in Qualys VMDR: {entity.identifier}

If one endpoint is not found or invalid IP is provided (is_success=true): "Action wasn't able to find the following endpoints in Qualys VMDR: {entity.identifier}."

If no data for at least one endpoint is found (is_success=true): "No vulnerabilities were found for the following endpoints: {entity.identifier}."

If no data for all endpoints is found (is_success=true): "No vulnerabilities were found for the provided endpoints."

If no endpoints are found or invalid IP is provided (is_success=false): "Provided endpoints were not found in Qualys VMDR."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Endpoint Detections''. Reason: {0}''.format(error.Stacktrace)

If invalid "Status Filter" is reported: "Error executing action "List Endpoint Detections''." Reason: invalid value provided for the parameter "Status Filter": {value}. Possible values: new, open, reopened, fixed.

General
Case Wall

Table Columns:

  • QID
  • Title
  • Severity
  • Diagnosis
  • Consequences
  • Solution
  • Patchable
  • Category
Entity

Connectors

Qualys VM - Detections Connector

Description

Pull detections from Qualys VMDR.

Configure Qualys VM - Detections Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String Event Type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 300 Yes Timeout limit for the python process running the current script.
API root String N/A API Root of the Qualis VM instance.
Username String N/A Yes Username of the Qualis VM instance.
Password Password N/A Yes Password of the Qualis VM instance.
Lowest Severity To Fetch Integer 0 No Lowest severity that will be used to fetch detections. If nothing is provided, the connector will fetch all detections. Maximum: 5.
Status Filter CSV NEW, ACTIVE, REOPENED No Status filter for the connector. If nothing is provided, the connector will ingest detections with "New, Active, Reopened" statuses. Possible values: NEW, ACTIVE, FIXED, REOPENED.
Ingest Ignored Detections Checkbox Unchecked No If enabled, the connector will ingest ignored detections.
Ingest Disabled Detections Checkbox Unchecked No If enabled, the connector will ingest disabled detections.
Grouping Mechanism String Detection Yes

Grouping mechanism that will be used to create Google Security Operations SOAR alerts. Possible values: Host, Detection, None.

If Host is provided, the connector will create 1 Google Security Operations SOAR alert containing all of the detection related to the host.

If Detection is provided, the connector will create 1 Google Security Operations SOAR alert containing information about all of the hosts that have that detection.

If None or invalid value is provided, the connector will create a new Google Security Operations SOAR alert for each separate detection per host.

Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Qualys VMDR server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector rules

Proxy support

The connector supports proxy.