Enricher - Qualys Enricher
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
|
|
Specifications |
|
Enricher name |
Qualys Enricher |
|
Supported observable types |
cve |
|
Output |
Generates Report entities per enriched cve observable. See Enrichment result. |
|
API endpoint |
Qualys API URL. Depends on where your Qualys platform is located. See Qualys: Identify your Qualys platform |
Contents
Requirements
Complete steps in the section Cache the Qualys KnowledgeBase
Qualys API URL.
Depends on where your Qualys platform is located. See Qualys: Identify your Qualys platform
Qualys user name.
Qualys account password.
Automatic enrichment
Avoid setting up enrichment rules for the Qualys enricher.
Setting up enrichment rules for this enricher allows it to automatically run and rapidly consume your API request quota.
Instead, run the enricher manually.
Limitations
Qualys API services have two limits:
For more information on Qualys API service limits, see Qualys documentation.
Rate limits
If the enricher fails because your API service subscription has reached its rate limit, wait for the rate limit to refresh.
Concurrency limits
Avoid running a large number of enrichments at the same time with this enricher. This may quickly exhaust your API call quota and lead to the enricher failing.
Attempting to enrich a large number of observables at the same time may quickly exhaust your API rate limits, even when attempting to enrich fewer observables than the rate limit. This is because enricher handles the concurrency limit by quietly retrying enrichment attempts that fail because of the concurrency limit. These are retried up to five times.
Cache the Qualys KnowledgeBase
Before configuring and using this enricher, you must set up an incoming feed to cache the Qualys KnowledgeBase.
To see how to configure incoming feeds in general, see Configure incoming feeds general options.
To do this:
Create a new incoming feed.
This opens the Create incoming feed view.
In the General section, fill out the Feed name field with a descriptive name.
For example: Qualys KnowledgeBase Cache
In the Transport and Content section, fill out these fields:
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select Qualys KnowledgeBase from the drop-down menu.
Content type*
Select Qualys KnowledgeBase JSON from the drop-down menu.
API URL*
Enter the API URL for your Qualys platform.
Depends on where your Qualys platform is located. See Qualys: Identify your Qualys platform
password*
Enter your Qualys account password.
Username*
Enter your Qualys user name.
SSL verification
Leave this selected.
Start ingesting from*
By default, this is set to one year before the feed creation date.
This feed will cache Qualys Knowledge Base data starting from this timestamp up to the date and time this feed is run.
Execution schedule*
(Optional)
You can leave this as None, or select a schedule to update the Qualys KnowledgeBase cache automatically.
To save and download the Qualys KnowledgeBase, select
> Save and run.
Set up the enricher
You must Cache the Qualys KnowledgeBase before configuring and using this enricher.
When that is done, configure the Qualys Enricher to add your Qualys credentials:
Go to Data configuration
> Enrichers.Select the enricher from the displayed list.
Edit the enricher by selecting from the top right More
> Edit.In the Edit enricher task view, fill out these fields:
Required fields are marked with an asterisk (*).
Field
Description
Enabled
Select this to enable this enricher.
API URL*
Enter the API URL for your Qualys platform.
Depends on where your Qualys platform is located. See Qualys: Identify your Qualys platform
Username*
Enter your Qualys user name.
Password*
Enter your Qualys account password.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
For more information, see SSL certificates.
Click Save to store your changes.
SSL certificates
To use an SSL certificate with the platform, it must be:
Accessible on the EclecticIQ Platform host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that the platform can access the SSL certificate:
Upload the SSL certificate to a location on the platform host.
On the platform host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq/path/to/cert.pemWhere /path/to/cert.pem is the location of the SSL certificate the platform needs to access.
Enrichment result
Enriching a cve observable produces an EclecticIQ Report entity with the following information:
|
Field name |
Description/Example |
|
Title |
Qualys CVE Scan - <CVE_ID> <Last scan timestamp> |
|
Description |
Qualys scan for <QID> Generic Information: ID: 170227778 IP: 192.168.100.15 Scan Information: Last scan datetime: 2021-11-25T08:18:04Z |
|
Analysis |
The below list of hosts have been identified as vulnerable against <QID> in your environment Host1: Type: Confirmed |
|
Estimated threat start time |
<Date and time ingested> |
|
Estimated observed time |
<Date and time ingested> |
Default configuration
These are the default configuration parameters for the Qualys enricher:
Required fields are marked with an asterisk (*).
|
Field |
Description |
|
Name |
Qualys Enricher |
|
Override TLP |
Not Set |
|
Description* |
Qualys Enricher |
|
Cache validity (sec)* |
2592000 |
|
Rate limit (per sec)* |
1000 |
|
Monthly execution cap (runs)* |
1000000 |
|
Source reliability* |
C - Fairly reliable |
|
Observable types* |
cve |
|
Enabled |
Not selected by default. |
|
API URL* |
N/A |
|
Username* |
N/A |
|
Password* |
N/A |
|
SSL verification |
Selected by default. |
|
Path to SSL certificate file |
N/A |