Q1 Labs Help Build 7.0 Maintenance Release 3 documentation@q1labs.com Managing Qualys Scanners Managing Qualys Scanners A QualysGuard vulnerability scanner runs on a remote web server. QRadar must access the remote web server through an HTTPS connection to run and retrieve scan results. QRadar supports Qualys version 4.7 to 6.17. For more information, see your Qualys documentation. Once you configure the Qualys device and the Qualys scanner in the QRadar interface, you can schedule a scan. The scan schedule configuration allows you to configure potency, however, the Qualys scanner does not consider the potency parameter when performing the scan. For more information, see Managing Scan Schedules. This chapter includes information on configuring a Qualys scanner, including: Adding a Qualys Scanner Editing a Qualys Scanner Deleting a Qualys Scanner Adding a Qualys Scanner To add a Qualys scanner: Step 1 Step 2 Step 3 Step 4 Step 5 Click the Admin tab. In the navigation menu, click Data Sources. Click the VA Scanners icon. Click Add. The Add Scanner window is displayed. Enter values for the following parameters: Scanner Parameters Parameter Scanner Name Type the name you want to assign to this scanner. The name may be up to 255 characters in length. Type a description for this scanner. The description may be up to 255 characters in length.
Managed Host Type Using the drop down list box, select the managed host you want to configure this scanner. Using the drop down list box, select Qualys Scanner. The list of parameters for the selected scanner type is displayed. Step 6 Enter values for the parameters: Qualys Parameters Parameter Qualys Server Host Name Type the Fully Qualified Domain Name (FQDN) or IP address of the QualysGuard management console based on your location. When specifying the FQDN, you must specify the hostname and not the URL. For example: Type qualysapi.qualys.comfor a QualysGuard server host name located in the United States. Type qualysapi.qualys.eufor a QualysGuard server host name located in Europe. Type qualysapi.<management_console>if you are
using the full scanning infrastructure including an internal management console, where <management_console> is the hostname of your internal management appliance. Qualys Username Qualys Password Scanner Name Configured Options Cache Retention Period (milliseconds) Bulk Import Interval (milliseconds) Max Report Age (days) Import File Collection Type Type the username necessary for requesting scans. This is the login to the Qualys server. Type the password that corresponds to the Qualys Username and is the login to the Qualys server. Type the name of the scanner that you want to perform the scanning, as the name appears in the QualysGuard management interface. To obtain the scanner name, contact your network administrator. If you are using a public scanning appliance, you must leave the Scanner Name field blank. Type a comma separated list of option profiles to determine which existing scan reports are downloaded from the Qualys scanner. By default, the Configured Options parameter is cleared. If the Configured Options parameter is cleared, then the list is not filtered based on option profiles. For more information, see your Qualys documentation. Note: If data is not retrieved from a option profile listed in your comma separated list, then the scan report is likely not available for download. The option profile must have completed the scan on the Qualys appliance for the scan report to download. Type the period of time, in milliseconds, that you want to store scans before they are deleted. The default is 172,800,000 milliseconds (2 days). Type the frequency, in milliseconds, that you want the importer to process a report. The default is 172,800,000 milliseconds (2 days). Type the maximum age of a report to include when performing a bulk import. Files that are older than specified time are excluded from the bulk import. Type the local path to store the report. If you specify an import file, the Qualys scanner imports the entire contents of the file. If this field is blank, the Qualys scanner attempts to retrieve the latest technical report using the Qualys API. This parameter applies if you select the Schedule Technical Report or Import Technical Report option from the Collection Type drop down list box. Using the drop down list box, select one of the following options: Scheduled Indicates if you want the scheduled scan to include the report data. Scheduled Technical Report Indicates if you want to schedule the scanner to retrieve latest technical report from the file specified in the Import File parameter.
Import Scan Report Indicates if you want the scan report list retrieved from Qualys and compile all the report results into one report. This option does not use the local file, as defined in the Import File parameter. Import Technical Report Indicates if you want to import all data from the file specified in the Import File parameter. If the Import File parameter is blank, the scanner retrieves the latest technical report from the Qualys web site and imports all the data. For more information, see your Qualys documentation. Scan Report Name Pattern Report Template Title Read Only Use Proxy Proxy Host Name Proxy Port Proxy Username Proxy Password Type the regular expression (regex) required to filter the scan report filenames. All matching files are included in the processing. Type a report template title to replace the default title when retrieving technical reports. Select the check box if you want to limit the scanner to retrieving existing scans. No new scans are generated. If the Read Only check box is clear, the scanner initiates a new scan if no existing scan is found for the IP address or CIDR. By default, the check box is clear. Note: If you are using a comma separated list for the Configured Options parameter new scans are not initiated if the Read Only check box is clear. You must launch the scans from the Qualys appliance based on the option profile. Select the check box if your scanner requires a proxy for communication or authentication. Type the host name or IP address of your proxy server if your scanner requires a proxy. Type the port number of your proxy server if your scanner requires a proxy. Type the username of your proxy server if your scanner requires a proxy. Type the password of your proxy server if your scanner requires a proxy. Step 7 To configure the CIDR ranges you want this scanner to consider: a b In the text field, enter the CIDR range you want this scanner to consider or click Browse to select the CIDR range from the network list. Click Add. If multiple CIDR ranges are specified for a Scheduled Technical Report, a scan schedule is generated for each CIDR range. For example, if a Scheduled Technical Report scan is created with two CIDR ranges, one scan for each CIDR range is generated with scan start times spaced apart equally based on the value of the Bulk Import Interval. Scans using multiple CIDR ranges only appear in the scan schedule once you complete Step 9.
Step 8 Step 9 Click Save. From the Admin tab, click Deploy Changes. Editing a Qualys Scanner To edit a Qualys scanner: Step 1 Click the Admin tab. Step 2 In the navigation menu, click Data Sources. Step 3 Click the VA Scanners icon. Step 4 Select the scanner you want to edit. Step 5 Click Edit. The Edit Scanner window is displayed. Step 6 Update parameters, as necessary. See Qualys Parameters. Step 7 Click Save. Step 8 From the Admin tab, click Deploy Changes. Deleting a Qualys Scanner To delete an Qualys scanner: Step 1 Click the Admin tab. Step 2 In the navigation menu, click Data Sources. Step 3 Click the VA Scanners icon. Step 4 Select the scanner you want to delete. Step 5 Click Delete. A confirmation window is displayed. Step 6 Click Ok. Step 7 From the Admin tab, click Deploy Changes.