Qualys VMDR Source
The Qualys VMDR ingests vulnerability data from Vulnerability API, knowledgeBase data from KnowledgeBase API, and asset data from Asset API.
Data collected
Polling Interval | Data |
---|---|
1 hour | Assets |
24 hours | Vulnerabilities |
Setup
Vendor configuration
Identify your Qualys API server URLs and Qualys API Gateway URL as mentioned in the Qualys documentation.
Source configuration
When you create a Qualys VMDR Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.
To configure a Qualys VMDR Source:
- Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
New UI. In the Sumo Logic top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection. - On the Collectors page, click Add Source next to a Hosted Collector.
- Search for and select Qualys VMDR.
- Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
- (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called
_sourceCategory
. - (Optional) Fields. Click the +Add Field link to define the fields you want to associate. Each field needs a name (key) and value.
- A green circle with a check mark is shown when the field exists in the Fields table schema.
- An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
- Qualys API Server URL and Qualys API Gateway URL. Provide the Qualys API server URLs. Use the Qualys Platform Identification page and scroll down to API URLs to for a reference to your Qualys deployment location.
- Username and Password. Use your Qualys account username and password for API authentication.
- The next section covers the type of data to collect and how often.
- Collect vulnerability data. This option will fetch the list of hosts with the host's latest vulnerability data based on the host-based scan data available in the user’s account. We recommend leaving the polling interval at the default 1 hour.
- (Optional) Collect KnowledgeBase Information. This option is only available if you choose to collect vulnerability data. If selected, it will automatically download the vulnerability details from the Qualys KnowledgeBase for vulnerabilities detected within your environment.
- Collect asset inventory. This option consumes asset data from Qualys Global IT Asset Inventory API. The inventory data collected here will also be used in Cloud SIEM as inventory data. We recommend leaving the polling interval at the default 24 hours.
- To forward Qualys VMDR assetInventory to Cloud SIEM, it is recommended to create a Field Extraction Rule with the following criteria:
- Scope:
_sourceCategory="<enter your source category here from Step 5>" "assetInventory"
- Parse Expression:
"true" as _siemForward
- When you are finished configuring the Source, click Submit.
FAQ
Click here for more information about Cloud-to-Cloud sources.
What specific API routes does this C2C collect?
Data Type | API Route | Description |
Vulnerability Detections | /api/2.0/fo/asset/host/vm/detection/ | This collects a current list of new vulnerabilities detected for each computer. Each detection is sent as a separate log to Sumo Logic. Permissions - Managers view all VM scanned hosts in subscription. Auditors have no permission to view VM scanned hosts. Unit Managers view VM scanned hosts in the user’s assigned business unit. Scanners and Readers view VM scanned hosts in the user’s account.API details are on page 496 in this Qualys PDF. |
KnowledgeBase | /api/2.0/fo/knowledge_base/vuln/ | This collects the current vulnerability details from the Qualys KnowledgeBase for vulnerabilities when they are detected within your environment. Permissions - A subscription must be granted permission to run this API function. Roles Manager , Unit Manager , Scanner , Reader are granted a permission Download vulnerability data from the KnowledgeBase . Role Auditor has no such permission.API details are on page 209 in this Qualys PDF. |
Computer Inventory | /rest/2.0/search/am/asset/ | This collects the details for each asset/computer from Qualys. This data source is supported by Cloud SIEM as inventory data. Permissions - User must have the GAV/CSAM module and the App API Enabled option enabled for that role. Additionally, the user must have the Allow user view access to all objects checkbox enabled under Roles And Scopes within the user settings.API details are on page 27 in the this Qualys PDF. |
Is anything changed with data for computer inventory?
Sometimes the asset information from the computer inventory data can exceed the Sumo Logic maximum log size of 64KB. Sumo Logic will automatically split log messages exceeding the size limit into smaller chunks. This C2C makes the following changes to the computer inventory asset data collected in order to keep most logs under the size limit and prevent splitting:
- The
openPortListData
key only contains information about ports open since the last time computer asset was ingested instead of listing all open port history from all time. - The
softwareListData
is reduced down from the full details to simply a list/array of software names using the full name.
How can I differentiate between data types collected?
The Qualys VMDR C2C collects all data using JSON as the format. It will add an additional key to your data called LogType
with the values of vulnerabilityLogs
, knowledgeBaseLogs
, and assetInventory
. This allows you to easily filter between them in your search queries.