Q1 Labs
Help Build 7.0 Maintenance Release 3 [email protected]
Managing Qualys Scanners
Managing Qualys Scanners
A QualysGuard vulnerability scanner runs on a remote web server. QRadar must access the remote web server through an HTTPS connection to run and retrieve scan results. QRadar supports Qualys version 4.7 to 6.17. For more information, see your Qualys documentation.
Once you configure the Qualys device and the Qualys scanner in the QRadar interface, you can schedule a scan. The scan schedule configuration allows you to configure potency, however, the Qualys scanner does not consider the potency parameter when performing the scan. For more information, see Managing Scan Schedules.
This chapter includes information on configuring a Qualys scanner, including:
Adding a Qualys Scanner Editing a Qualys Scanner Deleting a Qualys Scanner
Adding a Qualys Scanner
To add a Qualys scanner:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.
The Data Sources panel is displayed.
Step 3 Click the VA Scanners icon.
The VA Scanners window is displayed.
Step 4 Click Add.
The Add Scanner window is displayed.
Step 5 Enter values for the following parameters:
Scanner Parameters
Parameter Description
Scanner Name Type the name you want to assign to this scanner. The name may be up to 255 characters in length.
Description Type a description for this scanner. The description may be up to 255 characters in length.
Managed Host Using the dropdown list box, select the managed host you want to configure this scanner.
Type Using the dropdown list box, select Qualys Scanner.
The list of parameters for the selected scanner type is displayed.
Step 6 Enter values for the parameters:
Qualys Parameters
Parameter Description
Qualys Server Host Name
Type the Fully Qualified Domain Name (FQDN) or IP address of the QualysGuard management console based on your location.
When specifying the FQDN, you must specify the hostname and not the URL.
For example:
Type qualysapi.qualys.com for a QualysGuard server host name located in the United States.
Type qualysapi.qualys.eu for a QualysGuard server host name located in Europe.
Type qualysapi.<management_console> if you are
using the full scanning infrastructure including an internal management console, where <management_console>
is the hostname of your internal management appliance.
Qualys Username Type the username necessary for requesting scans. This is the login to the Qualys server.
Qualys Password Type the password that corresponds to the Qualys Username and is the login to the Qualys server.
Scanner Name Type the name of the scanner that you want to perform the scanning, as the name appears in the QualysGuard management interface.
To obtain the scanner name, contact your network administrator.
If you are using a public scanning appliance, you must leave the Scanner Name field blank.
Configured Options Type a comma separated list of option profiles to determine which existing scan reports are downloaded from the Qualys scanner. By default, the Configured Options parameter is cleared.
If the Configured Options parameter is cleared, then the list is not filtered based on option profiles. For more information, see your Qualys documentation.
Note: If data is not retrieved from a option profile listed in your comma separated list, then the scan report is likely not available for download. The option profile must have completed the scan on the Qualys appliance for the scan report to download.
Cache Retention Period
(milliseconds)
Type the period of time, in milliseconds, that you want to store scans before they are deleted. The default is 172,800,000 milliseconds (2 days).
Bulk Import Interval (milliseconds)
Type the frequency, in milliseconds, that you want the importer to process a report. The default is 172,800,000 milliseconds (2 days).
Max Report Age (days)
Type the maximum age of a report to include when performing a bulk import. Files that are older than specified time are excluded from the bulk import.
Import File Type the local path to store the report. If you specify an import file, the Qualys scanner imports the entire contents of the file. If this field is blank, the Qualys scanner attempts to retrieve the latest technical report using the Qualys API.
This parameter applies if you select the Schedule Technical Report or Import Technical Report option from the Collection Type dropdown list box.
Collection Type Using the dropdown list box, select one of the following options:
Scheduled Indicates if you want the scheduled scan to include the report data.
Scheduled Technical Report Indicates if you want to schedule the scanner to retrieve latest technical report from the file specified in the Import File parameter.
Import Scan Report Indicates if you want the scan report list retrieved from Qualys and compile all the report results into one report. This option does not use the local file, as defined in the Import File parameter.
Import Technical Report Indicates if you want to import all data from the file specified in the Import File parameter. If the Import File parameter is blank, the scanner retrieves the latest technical report from the Qualys web site and imports all the data.
For more information, see your Qualys documentation.
Scan Report Name Pattern
Type the regular expression (regex) required to filter the scan report filenames. All matching files are included in the processing.
Report Template Title
Type a report template title to replace the default title when retrieving technical reports.
Read Only Select the check box if you want to limit the scanner to retrieving existing scans. No new scans are generated.
If the Read Only check box is clear, the scanner initiates a new scan if no existing scan is found for the IP address or CIDR. By default, the check box is clear.
Note: If you are using a comma separated list for the Configured Options parameter new scans are not initiated if the Read Only check box is clear. You must launch the scans from the Qualys appliance based on the option profile.
Use Proxy Select the check box if your scanner requires a proxy for communication or authentication.
Proxy Host Name Type the host name or IP address of your proxy server if your scanner requires a proxy.
Proxy Port Type the port number of your proxy server if your scanner requires a proxy.
Proxy Username Type the username of your proxy server if your scanner requires a proxy.
Proxy Password Type the password of your proxy server if your scanner requires a proxy.
Step 7 To configure the CIDR ranges you want this scanner to consider:
a In the text field, enter the CIDR range you want this scanner to consider or click Browse to select the CIDR range from the network list.
b Click Add.
If multiple CIDR ranges are specified for a Scheduled Technical Report, a scan schedule is generated for each CIDR range. For example, if a Scheduled Technical Report scan is created with two CIDR ranges, one scan for each CIDR range is generated with scan start times spaced apart equally based on the value of the Bulk Import Interval. Scans using multiple CIDR ranges only appear in the scan schedule once you complete Step 9.
Step 8 Click Save.
Step 9 From the Admin tab, click Deploy Changes.
Editing a Qualys Scanner
To edit a Qualys scanner:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.
The Data Sources panel is displayed.
Step 3 Click the VA Scanners icon.
The VA Scanners window is displayed.
Step 4 Select the scanner you want to edit.
Step 5 Click Edit.
The Edit Scanner window is displayed.
Step 6 Update parameters, as necessary. See Qualys Parameters.
Step 7 Click Save.
Step 8 From the Admin tab, click Deploy Changes.
Deleting a Qualys Scanner
To delete an Qualys scanner:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click Data Sources.
The Data Sources panel is displayed.
Step 3 Click the VA Scanners icon.
The VA Scanners window is displayed.
Step 4 Select the scanner you want to delete.
Step 5 Click Delete.
A confirmation window is displayed.
Step 6 Click Ok.
Step 7 From the Admin tab, click Deploy Changes.
