Qualys vulnerability information for IBM QRadar SIEM

• Adding a Qualys detection scanner
  The Qualys Detection Scanner uses the QualysGuard Host Detection List API to query across multiple scan reports to collect vulnerability data for assets.

1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your Qualys scanner.
5. From the Managed Host list, select the managed host from your QRadar® deployment that manages the scanner import.
6. From the Type list, select Qualys Detection Scanner.
7. In the Qualys Server Host Name field, type the Fully Qualified Domain Name (FQDN) or IP address of the QualysGuard management console based on your location. When an administrator specifies the FQDN, they must type the host name and not the URL. For example, type qualysapi.qualys.com, qualysapi.qualys.eu, or the FQDN of the internal Qualys for systems that use full scanning infrastructure with an internal management console.
8. In the Qualys Username field, type the username necessary for requesting scans. This is the same username required to log in to the Qualys server. The user you specify must have access to download the Qualys KnowledgeBase or you must enable the user account with the option to download the Qualys KnowledgeBase. For more information, see your Qualys documentation.
9. In the Qualys Password field, type the password required to access the Qualys scanner.
10. In the Operating System Filter field, type a regular expression (regex) required to filter the scan data by operating system. The default regular expression is .*, which matches all operating system.
11. In the Asset Group Names field, type a comma-separated list to query IP addresses by the asset group name. An asset group is a name provided by a user in the Qualys management interface to identify a list or range of IP addresses. For example, an asset group named Building1 can contain the IP address 192.168.0.1. An asset group Webserver can contain 192.168.255.255. In QRadar, to retrieve vulnerability information for both of these assets, type Building1,Webserver When the scan completes, the Asset tab in QRadar displays vulnerabilities by their IP address. In this example, QRadar can display all vulnerabilities for assets 192.168.0.1 and 191.168.255.255.
12. In the Host Scan Time Filter (Days) field, type a numeric value to create a filter for the last time the host was scanned. Host scan times that are older than the specified number of days are excluded from the results returned by Qualys.
13. In the Qualys Vulnerability Retention Period (Days) field, type the number of days you want QRadar to store the Qualys Vulnerability Knowledge Base. The default is 7 days. If a scan is scheduled and the retention period has expired, the system downloads an update.
14. Select the Force Qualys Vulnerability Update check box to force the system to update to the latest Qualys Vulnerability Knowledge Base for each scheduled scan.
15. To configure a proxy, select the Use Proxy check box. This following parameters are required:
    1. In the Proxy Host Name field, type the host name or IP address for the proxy server.
    2. In the Proxy Port field, type the port for the proxy server.
    3. In the Proxy Username field, type the username for the proxy server.
    4. In the Proxy Password field, type the username for the proxy server.
16. To configure a CIDR range for your scanner:
    1. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.
    2. Click Add.
17. Click Save.
18. On the Admin tab, click Deploy Changes. Any changes to the proxy configuration requires a Deploy Full Configuration.

• Adding a Qualys scheduled live scan
  Live scans enables administrators to launch preconfigured scans on the Qualys Scanner and collect the scan results when the live scan completes.

1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your Qualys scanner.
5. From the Managed Host list, select the managed host from your QRadar® deployment that manages the scanner import.
6. From the Type list, select Qualys Scanner.
7. In the Qualys Server Host Name field, type the Fully Qualified Domain Name (FQDN) or IP address of the QualysGuard management console based on your location. When an administrator specifies the FQDN, they must type the host name and not the URL. For example, type qualysapi.qualys.com, qualysapi.qualys.eu, or the FQDN of the internal Qualys for systems that use full scanning infrastructure with an internal management console.
8. In the Qualys Username field, type the username necessary for requesting scans. This is the same username required to log in to the Qualys server. The user you specify must have access to download the Qualys KnowledgeBase or you must enable the user account with the option to download the Qualys KnowledgeBase. For more information, see your Qualys documentation.
9. In the Qualys Password field, type the password required to access the Qualys scanner.
10. To configure a proxy, select the Use Proxy check box. This following parameters are required:
    1. In the Proxy Host Name field, type the host name or IP address for the proxy server.
    2. In the Proxy Port field, type the port for the proxy server.
    3. In the Proxy Username field, type the username for the proxy server.
    4. In the Proxy Password field, type the password for the proxy server.
11. From the Collection Type list, select Scheduled Live – Scan Report.
12. In the Scanner Name field, type the name of the scanner that you want to perform the scan, as it is displayed on the QualysGuard server. To obtain the scanner name, contact your network administrator. Public scanning appliance must clear the name from this field.
13. In the Option Profiles field, type the name of the option profile to determine which scan is started as a live scan.QRadar retrieves the completed live scan data after the live scan completes. Live scans only support one option profile name per scanner configuration.
14. To configure a CIDR range for your scanner:
    1. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.
    2. Click Add.
15. Click Save.
16. On the Admin tab, click Deploy Changes. Any changes to the proxy configuration requires a Deploy Full Configuration.

• Adding a Qualys scheduled import asset report
  An asset report data import enables administrators to schedule QRadar to retrieve a single asset report from your Qualys scanner.

Live scans enables administrators to launch preconfigured scans on the Qualys Scanner and collect the scan results when the live scan completes.

1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your Qualys scanner.
5. From the Managed Host list, select the managed host from your QRadar® deployment that manages the scanner import.
6. From the Type list, select Qualys Scanner.
7. In the Qualys Server Host Name field, type the Fully Qualified Domain Name (FQDN) or IP address of the QualysGuard management console based on your location. When an administrator specifies the FQDN, they must type the host name and not the URL. For example, type qualysapi.qualys.com, qualysapi.qualys.eu, or the FQDN of the internal Qualys for systems that use full scanning infrastructure with an internal management console.
8. In the Qualys Username field, type the username necessary for requesting scans. This is the same username required to log in to the Qualys server. The user you specify must have access to download the Qualys KnowledgeBase or you must enable the user account with the option to download the Qualys KnowledgeBase. For more information, see your Qualys documentation.
9. In the Qualys Password field, type the password required to access the Qualys scanner.
10. To configure a proxy, select the Use Proxy check box. This following parameters are required:
    1. In the Proxy Host Name field, type the host name or IP address for the proxy server.
    2. In the Proxy Port field, type the port for the proxy server.
    3. In the Proxy Username field, type the username for the proxy server.
    4. In the Proxy Password field, type the password for the proxy server.
11. From the Collection Type list, select Scheduled Live – Scan Report.
12. In the Scanner Name field, type the name of the scanner that you want to perform the scan, as it is displayed on the QualysGuard server. To obtain the scanner name, contact your network administrator. Public scanning appliance must clear the name from this field.
13. In the Option Profiles field, type the name of the option profile to determine which scan is started as a live scan.QRadar retrieves the completed live scan data after the live scan completes. Live scans only support one option profile name per scanner configuration.
14. To configure a CIDR range for your scanner:
    1. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.
    2. Click Add.
15. Click Save.
16. On the Admin tab, click Deploy Changes. Any changes to the proxy configuration requires a Deploy Full Configuration.

• Adding a Qualys scheduled import scan report
  An scan report data import enables administrators to schedule QRadar to retrieve scan reports from your Qualys scanner.

1. Click the Admin tab.
2. Click the VA Scanners icon.
3. Click Add.
4. In the Scanner Name field, type a name to identify your Qualys scanner.
5. From the Managed Host list, select the managed host from your QRadar deployment that manages the scanner import.
6. From the Type list, select Qualys Scanner.
7. In the Qualys Server Host Name field, type the Fully Qualified Domain Name (FQDN) or IP address of the QualysGuard management console based on your location. When an administrator specifies the FQDN, they must type the host name and not the URL. For example, type qualysapi.qualys.com, qualysapi.qualys.eu, or the FQDN of the internal Qualys for systems that use full scanning infrastructure with an internal management console.
8. In the Qualys Username field, type the username necessary for requesting scans. This is the same username required to log in to the Qualys server. The user you specify must have access to download the Qualys KnowledgeBase or you must enable the user account with the option to download the Qualys KnowledgeBase. For more information, see your Qualys documentation.
9. In the Qualys Password field, type the password required to access the Qualys scanner.
10. To configure a proxy, select the Use Proxy check box. This following parameters are required:
    1. In the Proxy Host Name field, type the host name or IP address for the proxy server.
    2. In the Proxy Port field, type the port for the proxy server.
    3. In the Proxy Username field, type the username for the proxy server.
    4. In the Proxy Password field, type the password for the proxy server.
11. From the Collection Type list, select Scheduled Import – Scan Report.
12. In the Option Profiles field, type the name of the option profile to determine which scan is started as a live scan.QRadar retrieves the completed live scan data after the live scan completes. Live scans only support one option profile name per scanner configuration.
13. In the Scan Report Name Pattern field, type a regular expression (regex) required to filter the list of scan reports. All matching files are included in the processing. The default value regular expression is .*. The .* pattern imports all scan reports.
14. In the Max Reports Age (Days) field, type the maximum file age for your scan results file. Files that are older than the specified days and timestamp on the report file are excluded when the schedule scan starts. The default value is 7 days.
15. Optional. In the Import File field, type a directory path to download and import a single scan report from Qualys. For example, /qualys_logs/test_report.xml. If you specify an import file location, QRadar downloads the contents of the asset report from Qualys to a local directory and imports the file. When the Import File field does not contain a value or if the file or directory cannot be found, then the Qualys scanner attempts to retrieve the latest scan report using the Qualys API based on the information in the Option Profiles field.
16. To configure a CIDR range for your scanner:
    1. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.
    2. Click Add.
17. Click Save.
18. On the Admin tab, click Deploy Changes. Any changes to the proxy configuration requires a Deploy Full Configuration.

Remark: above steps and procedure is compile from IBM QRadar document for this common ask topic Qualys vulnerability information for IBM QRadar SIEM, if future version QRadar change the way for the import, please refer the latest guideline accordingly.

Feel free to contact E-SPIN for Vulnerability Management and Security Information Event Management (SIEM) integration for continuous vulnerability, risk monitoring and security intelligence implementation and requirement.