Qualys VMDR

Enterprise

runZero integrates with Qualys VMDR by importing data from the Qualys KnowledgeBase API.

How runZero maps Qualys hosts to assets:

  • For Qualys hosts that can be matched to an existing runZero asset, asset-level attributes such as IP address, hostname, and MAC address will be updated, and Qualys-specific attributes will be added.

  • For hosts that cannot be matched with an existing runZero asset, a new asset will be created in the site specified when the integration task is set up.

runZero is able to merge existing assets with Qualys data when the MAC address, hostname, or IP address overlaps. Qualys hosts can also be manually merged into runZero assets using the Merge button on the Asset Inventory page.

Asset inventory

There is a column on the asset inventory page showing the count of vulnerabilities detected by Qualys for each asset. When a single asset is selected, the vulnerabilities table lists all the results related to that asset. The vulnerability count can be impacted by the type of vulnerability scan as well as the import settings selected.

Vulnerabilities table

The Vulnerabilities tab of the inventory lists all vulnerability results that have been imported from Qualys. The table lists every result, and selecting a result will take you to the page for the impacted asset.

Severity and risk scores

Qualys assigns all vulnerabilities a severity rating (Minimal, Medium, Serious, Critical, Urgent). runZero normalizes the severities shown in the vulnerability inventory to be consistent across the runZero Console.

runZero Severity Qualys Severity
Info 1 / Minimal
Low 2 / Medium
Medium 3 / Serious
High 4 / Critical
Critical 5 / Urgent

runZero will also normalize risk scores assigned by Qualys. A risk score of 0.0 will be shown as none in the runZero Console, and all other risk scores will match the assigned severity level.

Getting started with Qualys

To set up the Qualys VMDR integration, you’ll need to:

  1. Create or obtain user credentials with access to the Qualys API.
  2. Configure CVSS scoring in Qualys.
  3. Add the Qualys API username, password, and account API URL in runZero.
  4. Activate the Qualys connection to pull your data into runZero.

Requirements

Before you can set up the Qualys VMDR integration:

  • Verify that you have runZero Enterprise.
  • Make sure you have access to the Qualys Cloud Platform portal.

Step 1: Add the Qualys credentials to runZero

  1. Go to the Credentials page in runZero. Provide a name for the credentials, like Qualys.
  2. Choose Qualys Username & Password from the list of credential types.
  3. Provide the following information:
    • Qualys username - the username you want to use to connect to the Qualys API.
    • Qualys password - the password for your Qualys API username.
    • Qualys account API URL - the URL of the Qualys API for the relevant account. The expected format is https://ip:port or https://domain.tld:port. This URL is unique for each Qualys user.
  4. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
  5. Save the credential. You’re now ready to set up and activate the connection to bring in data from Qualys VMDR.

Step 2: Sync your Qualys VMDR data

After you add your Qualys credential, you’ll need to sync your data. This can be accomplished through a scan probe or a connector.

Note: The Qualys Cloud Platform enforces limits on the API calls subscription users can make. Both API controls are limited per subscription based on your service level. The tasks generated by this integration may experience slow performance or failures as a result of the enforced API limits. The Qualys API documentation on this topic can be found [here](https://debug.qualys.com/qwebhelp/fo_portal/api_doc/scans/index.htm#t=get_started%2Fapi_limits.htm).

Step 2a: Configure the Qualys scan probe

You can run the Qualys VMDR integration as a scan probe so that the runZero Explorer will pull your vulnerability data into the runZero Console.

In a new or existing scan configuration:

  • Ensure that the QUALYS option is set to Yes in the Probes tab.
  • Set the correct Qualys credential to Yes in the Credentials tab.
  • Optionally, set a minimum severity and risk for ingested vulnerability scan results.

Step 2b: Configure the Qualys connector

A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Qualys-only assets are created.

  1. Activate a connection to Qualys. You can access all available third-party connections from your inventory or tasks page.
  2. Choose the credentials you added earlier. If you don’t see the credentials listed, make sure the credentials have access to the organization you are currently in.
  3. Enter a name for the task, like Qualys sync.
  4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
  5. Under Task configuration:
    • Choose the site you want to add your assets to, and
    • Set a minimum severity and risk to ingest.
  6. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the scheduled tasks to see when the next sync will occur.

Step 3: View Qualys assets and vulnerabilities

After a successful sync, you can go to your inventory to view your Qualys assets. These assets will have a Qualys icon listed in the Source column.

The Qualys integration gathers details about vulnerabilities detected in addition to enriching asset inventory data. Go to Inventory > Vulnerabilities to view the vulnerability data provided by Qualys VMDR.

To filter by Qualys assets, consider running the following query:

Click into each asset to see its individual attributes. runZero will show you the attributes gathered from the Qualys VMDR scan data.