Qualys Policy Compliance (PC) Connector Guide

How to set up and use the Qualys Policy Compliance (PC) connector in RiskSense.

Introduction

The RiskSense Qualys Policy Compliance (PC) connector integrates with Qualys's compliance cloud application, Policy Compliance. You can configure the connector to pull reports generated by the PC module. Currently, the connector ingests Qualys Policy Compliance Reports. RiskSense presents data from the Policy Report as Hosts and Host Findings.

Qualys PC Overview

Qualys PC is a cloud service that performs automated security configuration assessments on IT systems. The PC module requires an additional subscription and is shown as an option when enabled. With PC, users can leverage out-of-the-box library content to allow compliance assessments to use industry-recommended best practices such as CIS Benchmarks and DISA STIGs, which can be fully customized to meet an organization's unique needs.

Refer to the Qualys PC guide for details on setting up and using the Qualys PC module.

Connector Configuration

Qualys Setup

This setup requires a Qualys PC subscription.

First, create a Policy Report, as the RiskSense connector will pull this report.

Qualys PC - Policy Report

Using the schedule option, users can schedule the report generation periodically when creating a Policy Report. Since policy compliance reports are based on the most recent scans for each host, you should already have a scan set up for the report generation to be successful.

RiskSense Connector Setup

Navigate to the Automate > Integrations page.

Navigation - Automation - Integrations

In the search bar in the upper-right corner of the Integrations page, type Policy Compliance to find the connector.

Qualys PC - Search for Connector

Locate the Qualys Policy Compliance card on the page and click Configuration.

Qualys PC - Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector's name.
  • URL: The URL to access Qualys PC.
  • User Name: User name that has access to Qualys PC.
  • Password: The password associated with the Qualys PC user name.
  • Network: Network name in RiskSense. Ingested hosts and findings will be associated with this network.
  • Qualys Report Title Prefix: The prefix comes from the Policy Report title used when creating the Policy Report in Qualys.

Qualys PC - Connection Section

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to Qualys PC.

Qualys PC - Test Credentials

Under Schedule, you can configure the desired schedule for the connector to retrieve results from the Qualys PC instance.

Under Connector Specific Options, you can optionally turn on Enable auto URBA (Update Remediation by Assessment). Click the Save button to save the connector's configuration and create the connector.

Qualys PC - Schedule and Connector Specific Options

Once saved, the connector is now visible on the Integrations page under Currently Configured Integrations.

Qualys PC - Configured Connector

Click the History button to display the connector details for each pull.

Qualys PC - Connector History

The Sync button allows users to perform on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

Qualys PC - Sync Edit and Delete

Qualys PC Data Mapping in RiskSense

RiskSense ingests Qualys PC scan file data as Hosts and Host Findings. QUALYSPC is the scanner name associated with Qualys PC scans. You can use this scanner name as a filter on both the Hosts and Host Findings pages.

Hosts Page

Any asset data extracted from the scan file is shown on the Hosts page. Both IP address and hostname are extracted from the scan file.

Asset Tag data from the scan file is converted to tags on each asset. Within RiskSense, Asset Tag data is shown in the Host Detail pane. In the Host Detail pane, the scanner is listed as QUALYSPC under the Sources section.

Host Findings View

All findings from the Qualys PC scan file are shown in the Host Findings view in RiskSense.

  • Since these findings are of the compliance type, they are either reported as Passed or Failed in the scan file. When a Passed finding is ingested, its Status is set to Closed. When a Failed finding is ingested, its Status is set to Open.
  • Four filters are provided in the Host Findings list view. These filters are based on information collected from the scan file.
    • PolicyCompliance:Test Status: Use this filter to filter on Passed or Failed findings. The Test Status is shown in the Host Finding Detail view under the Observations section.
    • PolicyCompliance:Technology: This filter is based on the values gleaned from the "Technology" tag in the scan file. This value is shown in the Host Finding Detail view in the top-most section.
    • PolicyCompliance:Expected Result: This filter is based on the expected result of a check done as part of the scan. This information is shown in the Output section in the Host Finding Detail view.
    • PolicyCompliance:Actual Result: This filter is based on the actual result of a check done as part of the scan. This information is shown in the Output section in the Host Finding Detail view.

Qualys PC - Host Finding Filters

Severity Mapping

The Qualys PC scan file contains five different severity levels: Urgent, Critical, Serious, Medium, and Minimal. These levels are mapped to the CHMLI scale in RiskSense, as shown in the table below.

Qualys PC Severity and Value

Mapping to RiskSense CHMLI Scale

Urgent – 5

Critical

Critical – 4

High

Serious – 3

Medium

Medium – 2

Low

Minimal – 1

Informational