This article explains the recommended options for importing data from your Qualys console into Nucleus to get the most out of the connector. This article assumes you already have a Qualys connector set up and verified.
Agentless Tracking
At Nucleus, we recommend using Qualys agentless tracking for all of your scans. It allows you to track an asset through hostname changes, IP changes, and bad DNS setups. Additionally, Qualys will sometimes change the way it displays an asset (DNS vs non-DNS) within the same scan or report, so agentless tracking eliminates duplicate asset buildup.
In Nucleus, this makes asset management much simpler, since Qualys does not report consistently, and it also makes your risk metrics, host history tracking, and risk profile more accurate.
Nucleus looks for Qualys Host IDs by default on import of a scan, so this will take effect as soon as you import scans with agentless tracking enabled.
For more information about Qualys Agentless Tracking, refer to this Qualys support document.
Summary of Qualys support document linked above:
- In order for agentless tracking to be enabled, the following must occur in Qualys:
  - Agentless tracking enabled by admin
  - Scan must be an authenticated scan
  - Scan must have the checkbox for agentless tracking selected in order to use agentless tracking in that scan
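The following sketch is an added illustration, not Nucleus or Qualys code. It shows why matching assets on a stable host ID avoids the duplicate buildup described above, and how to spot hosts exported without one. The XML is a constructed sample, and the element names (`HOST`, `IP`, `DNS`, `QG_HOSTID`) and the fallback matching logic are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: two exports covering the same two machines.
# Element names (HOST, IP, DNS, QG_HOSTID) are assumptions for this sketch.
MONDAY = """<ASSET_DATA_REPORT><HOST_LIST>
<HOST><IP>10.0.0.5</IP><DNS>web01.corp.example</DNS><QG_HOSTID>aaaa-1111</QG_HOSTID></HOST>
<HOST><IP>10.0.0.9</IP><DNS>db01.corp.example</DNS></HOST>
</HOST_LIST></ASSET_DATA_REPORT>"""
# Friday: web01 got a new IP and lost its DNS record; db01 is shown by short name.
FRIDAY = """<ASSET_DATA_REPORT><HOST_LIST>
<HOST><IP>10.0.0.77</IP><QG_HOSTID>aaaa-1111</QG_HOSTID></HOST>
<HOST><IP>10.0.0.9</IP><DNS>db01</DNS></HOST>
</HOST_LIST></ASSET_DATA_REPORT>"""


def parse_hosts(xml_text):
    """Return one dict per HOST element with ip, dns and host_id (may be empty)."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("HOST"):
        hosts.append({
            "ip": (host.findtext("IP") or "").strip(),
            "dns": (host.findtext("DNS") or "").strip().lower(),
            "host_id": (host.findtext("QG_HOSTID") or "").strip(),
        })
    return hosts


def asset_key(host, use_host_id):
    """Prefer the stable host ID; otherwise fall back to DNS name, then IP."""
    if use_host_id and host["host_id"]:
        return ("host_id", host["host_id"])
    return ("name_or_ip", host["dns"] or host["ip"])


def count_assets(reports, use_host_id):
    """Number of distinct assets an importer would create across the reports."""
    return len({asset_key(h, use_host_id) for r in reports for h in parse_hosts(r)})


def hosts_missing_id(xml_text):
    """IPs of hosts exported without a host ID (e.g. scan was not authenticated)."""
    return [h["ip"] for h in parse_hosts(xml_text) if not h["host_id"]]


if __name__ == "__main__":
    print(count_assets([MONDAY, FRIDAY], use_host_id=False))
    print(count_assets([MONDAY, FRIDAY], use_host_id=True))
    print(hosts_missing_id(FRIDAY))
```

With the sample data, matching on name or IP yields 4 assets for 2 machines, while matching on host ID yields 3; the remaining duplicate is the host that was exported without an ID.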
Scans vs Reports
In Nucleus, there are 2 options for importing data from Qualys into your Nucleus project. The following explains the differences between the options. You can also mix between the two in order to get the desired results.
1. Import raw scans into Nucleus
   - Pros:
     - Can import your entire scan history into Nucleus to see what days the scans occurred.
     - Can drill down at the scan level to see results from specific scans in Nucleus.
   - Cons:
     - Cloud Agent scanning results cannot be separated by client into individual Nucleus projects.
2. Import Technical Reports from Qualys into Nucleus
   - Pros:
     - Can consolidate information from Qualys scans into one report for Nucleus to ingest, reducing API calls to Qualys and reducing automated ingest rules in Nucleus.
     - Can utilize Cloud Agent scanning for multiple clients and have better organization of project data.
   - Cons:
     - Report-level drill-down in Nucleus, vs scan-level drill-down, in the historical scan data.
     - Most users do not have technical reports already set up for import into Nucleus when starting out.
Whichever method you choose, you can tailor it to suit your needs.
Scheduling Reports to Import Into Nucleus Automatically
To schedule a technical report to be imported into Nucleus at a future date in a recurring, automated fashion, do the following:
- Log into your Qualys console
- Navigate to Reports > Schedules
- Select New > Scan Report > Template Based
- Fill out the popup with the following info:
  - Title: Something to remember what this report is for. We highly recommend using the word Nucleus in the title so that everyone knows the reason for the scheduled report.
  - Report Template: Select Technical Report
  - Report Format: XML
  - Asset Groups: Fill this out however you want, based on the scans that you want to import into Nucleus. This could be based on asset tags, etc.
  - Scheduling: Select the schedule on which you would like this report to run. This will also be the interval you select for importing the results into Nucleus going forward.
- Click Schedule
- Your page should now look something like this:
- Run the report by selecting Quick Actions > Launch Now
Once the report has finished, close out of it and move on to the next step.
Schedule Technical Report for Auto-Import Into Nucleus
You should now have a technical report completed in your Qualys console, as well as historical scans importing into Nucleus. To schedule future ingests of scans from your Qualys connector, do the following:
- Log into your Nucleus console
- Navigate to the project in which you want to import your technical report
- Navigate to Automation Dashboard
- Find the Vulnerability Scan Ingest panel, and click the blue + Add Rule button
- In the resulting popup, select your Qualys connector from the dropdown, and then click Next
- You should see a list of vulnerability scan results. Look for the technical report you just launched from Qualys. It should look similar to the following
- Use the checkboxes to select which report you would like to auto-import and then click Next
- Choose the schedule on which you would like to import the technical report going forward.
  - Note: We recommend you select a time in the middle of the night so that you have the most up-to-date risk picture.
  - Another note: We recommend you choose a time in the past so that your first import happens immediately.
- Click Save & Finish
Your Qualys reports should now run on a schedule and then be imported by Nucleus after they run! All future scans will be consolidated into the report going forward.
If you have any questions, feel free to reach out to support@nucleussec.com or your Nucleus support representative, and we would be happy to assist!