Brandon Reeves

Qualys Integration - A Quick Primer

Discussion created by Brandon Reeves on Aug 12, 2013

I posted this as a response to a question regarding how to integrate with Qualys. Here it is for future reference.


I will try to give some high-level guidance regarding the steps. I created the solution here with PHP, MySQL, bcp (to connect to MSSQL), and shell scripts so that others would hopefully not be intimidated by reading the code and modifying it if necessary to meet their needs. See my previous posts for examples.


You will have three pieces here:


1.> Inventory System

2.> Reporting, and Qualys Update System (this system can be as mature as you like depending on your needs)

3.> Qualys


So, let's get the prerequisites out of the way. You will need someone who understands (at least fundamentally) XML, XSL, your scripting technology (in our case PHP and shell), SQL, and the processes you wish to implement. This may vary if you are a Windows house; there you may need someone who knows PowerShell, Perl, or whatever you feel comfortable with, as long as it can interact with XML.


So let's start. This is not a complete, step-by-step recipe, but it should help you along the path of getting started. Start simple, then grow your solution.


Process:

1.) Determine from your inventory system which data points you wish to extend into <2>. At a minimum this should include the information that is already held within the Qualys system (host identity and IP at least). However, you can extend the database of <2> to include information for additional reporting as you see fit.

2.) Work with your Qualys TAM to ensure all the API functionality you need is enabled. This includes the KB download, etc. Make sure you have a good relationship with your TAM.


At this point the database of <2> holds nothing but the information from <1> and some extended information that you may want to report on: no interface, just data.


3.) Develop your initial API call to do a full KB download. This should run on a regular schedule (every day to every few days) and write the result to a dedicated table (e.g. t_qualys_kb) on <2>. Use a dedicated, least-privilege Qualys API account for this job and keep its credentials out of the scripts themselves. This will be your foundation for reporting on Qualys vulnerabilities.


At this point you have your hosts, host information, and vulnerability knowledgebase in a single location. Here is where the work starts to happen. Now that the host information and vulnerability information are in the same DB, you can use them to build asset groups, scan groups, and reporting groups. You can also deliver reports via the system that is hosting the information, because you can extend the DB to include ownership information and email addresses.


4.) Because <3> identifies objects by ID (for example, AG_ID in the XML identifies an asset group), you will need to build your schema for the Qualys data within <2> before moving forward. Work through the base API calls to download some basic data to <2> and create placeholder tables for it. For example, you will need tables for the following:

*1 Asset Group to Host Map - AG_ID(Asset Group ID)     AG_TITLE(Asset Group Title)     host_id(Host ID)     IP(IP)

*2 Asset Group List - ID     title     Comments     Division     Function     Location

*3 QID to Host List - QID     hostid     IP     OS     DNS


5.) Develop API calls that work through <2> to begin populating <3> with asset information, and vice versa. This information should include, at a minimum, what is needed to populate the tables in (4) above, as well as:

-Vulnerability Info

-Host

-Asset Group

-Owner

-Location


6.) At this point you can begin building relationships between the databases and fields. At a minimum you will want to map the following:

<2> KB QID <--> *3 QID, to gain host vulnerability information

<2> *2 AG ID <--> *1 AG_ID, to understand the relationship between hosts, asset groups, and vulnerabilities


You can expand it out from there.


7.) Now you can wrap any interface around this. We chose PHP and Apache due to our comfort with the solution. However, any web developer should be able to write the forms necessary to wrap around the databases and information you have created at this point.
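To make steps 3 through 6 concrete, here is an added example (not the original post's PHP/MySQL code, and not Qualys' own) that loads three Qualys-style XML responses into the step-4 tables and then runs the step-6 joins. The three XML documents are constructed samples; their element names (VULN/QID/SEVERITY_LEVEL, ASSET_GROUP/ID/TITLE/HOST_LIST, HOST/ID/DETECTION_LIST) are simplified assumptions, not an exact Qualys DTD, so adjust the tag paths to whatever your actual API responses contain. It uses only the Python standard library and an in-memory SQLite database so it runs offline.

```python
"""Load constructed Qualys-style XML into the step-4 schema and run the
step-6 joins.  Added example; element names are assumed, not Qualys' DTD."""
import sqlite3
import xml.etree.ElementTree as ET

# --- Constructed sample responses (NOT real Qualys output) -------------------
KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
  <VULN><QID>90001</QID><SEVERITY_LEVEL>5</SEVERITY_LEVEL>
        <TITLE><![CDATA[Example remote code execution]]></TITLE></VULN>
  <VULN><QID>90002</QID><SEVERITY_LEVEL>2</SEVERITY_LEVEL>
        <TITLE><![CDATA[Example information disclosure]]></TITLE></VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""

AG_XML = """<ASSET_GROUP_LIST_OUTPUT><RESPONSE><ASSET_GROUP_LIST>
  <ASSET_GROUP><ID>101</ID><TITLE>Web Tier</TITLE><HOST_LIST>
      <HOST><HOST_ID>1</HOST_ID><IP>10.0.0.11</IP></HOST>
      <HOST><HOST_ID>2</HOST_ID><IP>10.0.0.12</IP></HOST>
  </HOST_LIST></ASSET_GROUP>
  <ASSET_GROUP><ID>102</ID><TITLE>DB Tier</TITLE><HOST_LIST>
      <HOST><HOST_ID>3</HOST_ID><IP>10.0.1.5</IP></HOST>
  </HOST_LIST></ASSET_GROUP>
</ASSET_GROUP_LIST></RESPONSE></ASSET_GROUP_LIST_OUTPUT>"""

DETECTION_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
  <HOST><ID>1</ID><IP>10.0.0.11</IP><OS>Linux</OS><DNS>web1.example</DNS>
    <DETECTION_LIST><DETECTION><QID>90001</QID></DETECTION>
                    <DETECTION><QID>90002</QID></DETECTION></DETECTION_LIST></HOST>
  <HOST><ID>3</ID><IP>10.0.1.5</IP><OS>Windows</OS><DNS>db1.example</DNS>
    <DETECTION_LIST><DETECTION><QID>90002</QID></DETECTION></DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

# --- Step 4: the schema (t_qualys_kb plus the *1, *2, *3 tables) ------------
SCHEMA = """
CREATE TABLE t_qualys_kb   (qid INTEGER PRIMARY KEY, severity INTEGER, title TEXT);
CREATE TABLE t_asset_group (ag_id INTEGER PRIMARY KEY, ag_title TEXT);
CREATE TABLE t_ag_host_map (ag_id INTEGER, host_id INTEGER, ip TEXT,
                            PRIMARY KEY (ag_id, host_id));
CREATE TABLE t_host        (host_id INTEGER PRIMARY KEY, ip TEXT, os TEXT, dns TEXT);
CREATE TABLE t_qid_host    (qid INTEGER, host_id INTEGER, PRIMARY KEY (qid, host_id));
"""


def _int_text(elem, tag):
    """Integer value of a required direct child element; fails loudly if absent."""
    return int(elem.findtext(tag))


# --- Steps 3 and 5: parse XML and load it with parameterized inserts ---------
def load_kb(conn, xml_text):
    """Full KB download -> t_qualys_kb.  Returns number of rows loaded."""
    root = ET.fromstring(xml_text)
    rows = [(_int_text(v, "QID"), _int_text(v, "SEVERITY_LEVEL"), v.findtext("TITLE"))
            for v in root.iter("VULN")]
    # Parameterized SQL: XML text from the API never gets spliced into a query string.
    conn.executemany("INSERT OR REPLACE INTO t_qualys_kb VALUES (?, ?, ?)", rows)
    return len(rows)


def load_asset_groups(conn, xml_text):
    """Asset group list -> t_asset_group (*2) and t_ag_host_map (*1)."""
    root = ET.fromstring(xml_text)
    for ag in root.iter("ASSET_GROUP"):
        ag_id, title = _int_text(ag, "ID"), ag.findtext("TITLE")
        conn.execute("INSERT OR REPLACE INTO t_asset_group VALUES (?, ?)", (ag_id, title))
        for h in ag.iter("HOST"):
            conn.execute("INSERT OR REPLACE INTO t_ag_host_map VALUES (?, ?, ?)",
                         (ag_id, _int_text(h, "HOST_ID"), h.findtext("IP")))


def load_detections(conn, xml_text):
    """Host detection list -> t_host and t_qid_host (*3)."""
    root = ET.fromstring(xml_text)
    for h in root.iter("HOST"):
        host_id = _int_text(h, "ID")
        conn.execute("INSERT OR REPLACE INTO t_host VALUES (?, ?, ?, ?)",
                     (host_id, h.findtext("IP"), h.findtext("OS"), h.findtext("DNS")))
        for d in h.iter("DETECTION"):
            conn.execute("INSERT OR REPLACE INTO t_qid_host VALUES (?, ?)",
                         (_int_text(d, "QID"), host_id))


def build_db():
    """Create the schema in memory and load all three constructed samples."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_kb(conn, KB_XML)
    load_asset_groups(conn, AG_XML)
    load_detections(conn, DETECTION_XML)
    conn.commit()
    return conn


# --- Step 6: the two mappings the post calls for ----------------------------
def hosts_with_severity_at_least(conn, min_sev):
    """KB QID <--> *3 QID: which hosts carry which findings, filtered by severity."""
    return conn.execute("""
        SELECT h.host_id, h.ip, kb.qid, kb.severity
        FROM t_qid_host qh
        JOIN t_qualys_kb kb ON kb.qid = qh.qid
        JOIN t_host h       ON h.host_id = qh.host_id
        WHERE kb.severity >= ?
        ORDER BY h.host_id, kb.qid""", (min_sev,)).fetchall()


def detections_per_asset_group(conn):
    """*2 AG ID <--> *1 AG_ID: finding count per asset group (0 for quiet groups)."""
    rows = conn.execute("""
        SELECT ag.ag_title, COUNT(qh.qid)
        FROM t_asset_group ag
        LEFT JOIN t_ag_host_map m ON m.ag_id = ag.ag_id
        LEFT JOIN t_qid_host qh   ON qh.host_id = m.host_id
        GROUP BY ag.ag_id
        ORDER BY ag.ag_title""").fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db()
    print(detections_per_asset_group(db))
    print(hosts_with_severity_at_least(db, 5))
```

Two practitioner notes. First, the XML you parse here comes from a third party, so if your parser of choice expands external entities or nested entity definitions, disable that (for example by parsing with `defusedxml` instead of `xml.etree` in Python); `ET.fromstring` is used above only to keep the example stdlib-only. Second, every value lifted out of the XML goes into the database through a bound parameter, never by string concatenation, which is the one habit that keeps a reporting front end built on top of these tables free of SQL injection from asset titles or DNS names you do not control.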


Please understand, this is an oversimplified description of these steps. Working through them may take days, weeks, or months depending on your level of expertise, resource constraints, and other variables. I just wanted to give a primer for anyone interested in starting down the path of developing their own kit for integrating with Qualys.
