Qualys VMDR Integration

• Overview
• Solution Briefs
• Video Overview
• Key Features
• Integration Architecture
• Configuration
• Administration and Operations
• Tracking Data Attack Surface hosts
• Data Attack Surface Scheduled Scans
• Reporting
• Scanning Data Attack Surface Hosts
• Run Risk Analysis for Specific Vulnerabilities on Data Attack Surface hosts

Overview

The Qualys integration offers tagging Assets with Data Attack Surface.  This allows reports on the Data Attack surface assets and more frequent scanning schedule based on dynamic data risk tags .  Vulnerability scan results are fully integrated into the AI prediction model within Superna Data Attack Surface Manager by mapping asset scan reports with data hosts.

Solution Briefs

Product page

Video Overview

Key Features

1. Dynamic Asset group creation to group Data attack surface hosts to enable scanning and reporting of the Data Attack Surface.
2. Asset group scheduled scan will be created automatically to scan any Data attack surface hosts detected by DASM by placing them in the asset group.
3. Scan report lookup and ingestion for Data Attack Surface AI predictions and key input to Host/user data risk scoring.
4. Dynamic host scans - if a data attack surface host does not have a scan report, an automation adds the host to the subscription and requests a scan of the host.
   1. A webhook alert is sent when any host in the attack surface does not have a scan within the last 7 days.   Once all hosts comply with the scanning policy another webhook alert is sent that indicates all hosts have current scan report.

Integration Architecture

Configuration

1. The integration requires API access to the Qualys VMDR.  This is requested for a userid in your tenant account.   The user name and password is used to authenticate API requests.  Contact your Qualys support team to upgrade an account to support the automation api.
   1. Permissions required: create asset group, create schedule, apply tags to assets, query scan reports, query assets, launch scan
2. The configuration files require the following information to authenticate to the Qualys VMDR

   1. Login to the DASM host as dasmadmin

   2. nano the /mnt/ml_data/ml-cvm/cvm_qualys_get_extract_cve.py, edit these section to change the name of the asset group, the scheduled scan for the asset group, the time the scan runs, frequency default is daily scans

      1. schedule_title = "DASM Schedule Scan"
         qualys_group_name = "DASM_Asset_Group"
         qualys_option_title = "PLACEHOLDER"
         qualys_appliance_name = "PLACEHOLDER"
         scheduled_time = "01:15"
         qualys_time_zone_code = "PLACEHOLDER"
         qualys_observe_dst = "yes"
         occurrence = "daily"
         frequency_days = "1"

   3. Edit the values for Qualys

3. The scheduled scan data retrieval will be automated by DASM to build the AI model training data.   The results of the AI model will be published into the asset group and tag applied.  The schedule scan schedule on the asset will ensure that all Data Attack Surface hosts are scanned for vulnerabilities more frequently using the DASM Asset Group Scheduled scan default.  Daily.
4. Each new Data Risk Score host will be synced to the Asset group named Superna-Data-Attack-Surface.  This allows filtering reports and dynamic assets with the custom tag. 

Administration and Operations

Tracking Data Attack Surface hosts

1. The DASM Asset group will be created to store hosts that are flagged as data attack surface hosts
2.  
3. This asset group will be maintained by DASM and will add and remove assets as needed to keep the group up to date.

Data Attack Surface Scheduled Scans

1. The Asset group is used to schedule scans daily and increase the frequency of high risk hosts.    The schedule is automatically created by the integration. It defaults to daily scans of all assets in the group.  This can be customized as needed.
2. 
   

Reporting

1. Once Data Attack Surface data is synced into Qualys VMDR.  Vulnerabilities reports can use the asset group filter to report on remediation efforts on high risk hosts.
2. In the report interface you can specify the asset group to report on.  Select DASM.
   1. 
   2. 
   3. Sample report download 

Scanning Data Attack Surface Hosts

1. Open the Scans interface
2. Create a new scan definition and set the target to DASM
3. Run the scan to scan all the DASM identified hosts
4. Or select individual hosts with the DASM tag on the asset

Run Risk Analysis for Specific Vulnerabilities on Data Attack Surface hosts

1. On the reports tab Risk Analysis
2. Select DASM asset group as the target and the ip range along with the vulnerability  QID
3.