Enricher - Qualys Enricher

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.


Specifications

Enricher name

Qualys Enricher

Supported observable types

cve

Output

Generates Report entities per enriched cve observable.

See Enrichment result.

API endpoint

Qualys API URL.

Depends on where your Qualys platform is located. See Qualys: Identify your Qualys platform

Requirements

Automatic enrichment

Avoid setting up enrichment rules for the Qualys enricher.

Setting up enrichment rules for this enricher allows it to automatically run and rapidly consume your API request quota.

Instead, run the enricher manually.

Limitations

Qualys API services have two limits:

For more information on Qualys API service limits, see Qualys documentation.

Rate limits

If the enricher fails because your API service subscription has reached its rate limit, wait for the rate limit to refresh.

Concurrency limits

Avoid running a large number of enrichments at the same time with this enricher. This may quickly exhaust your API call quota and lead to the enricher failing.

Attempting to enrich a large number of observables at the same time may quickly exhaust your API rate limits, even when attempting to enrich fewer observables than the rate limit. This is because enricher handles the concurrency limit by quietly retrying enrichment attempts that fail because of the concurrency limit. These are retried up to five times.

Cache the Qualys KnowledgeBase

Before configuring and using this enricher, you must set up an incoming feed to cache the Qualys KnowledgeBase.

To see how to configure incoming feeds in general, see Configure incoming feeds general options.

To do this:

  1. Create a new incoming feed.

    This opens the Create incoming feed view.

  2. In the General section, fill out the Feed name field with a descriptive name.

    For example: Qualys KnowledgeBase Cache

  3. In the Transport and Content section, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Qualys KnowledgeBase from the drop-down menu.

    Content type*

    Select Qualys KnowledgeBase JSON from the drop-down menu.

    API URL*

    Enter the API URL for your Qualys platform.

    Depends on where your Qualys platform is located. See Qualys: Identify your Qualys platform

    password*

    Enter your Qualys account password.

    Username*

    Enter your Qualys user name.

    SSL verification

    Leave this selected.

    Start ingesting from*

    By default, this is set to one year before the feed creation date.

    This feed will cache Qualys Knowledge Base data starting from this timestamp up to the date and time this feed is run.

    Execution schedule*

    (Optional)

    You can leave this as None, or select a schedule to update the Qualys KnowledgeBase cache automatically.

  4. To save and download the Qualys KnowledgeBase, select images/download/attachments/86441197/chevron-down.svg-x24.png > Save and run.

Set up the enricher

You must Cache the Qualys KnowledgeBase before configuring and using this enricher.

When that is done, configure the Qualys Enricher to add your Qualys credentials:

  1. Go to Data configuration images/download/attachments/86441197/robot.svg-x24.png > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting from the top right More images/download/attachments/86441197/ellipsis-v.svg-x24.png > Edit.

  4. In the Edit enricher task view, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Enabled

    Select this to enable this enricher.

    API URL*

    Enter the API URL for your Qualys platform.

    Depends on where your Qualys platform is located. See Qualys: Identify your Qualys platform

    Username*

    Enter your Qualys user name.

    Password*

    Enter your Qualys account password.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

  5. Click Save to store your changes.

SSL certificates

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.

Enrichment result

Enriching a cve observable produces an EclecticIQ Report entity with the following information:

Field name

Description/Example

Title

Qualys CVE Scan - <CVE_ID> <Last scan timestamp>

Description

Qualys scan for <QID>

Generic Information:

ID: 170227778

IP: 192.168.100.15

Scan Information:

Last scan datetime: 2021-11-25T08:18:04Z

Analysis

The below list of hosts have been identified as vulnerable against <QID> in your environment

Host1:

Type: Confirmed

Estimated threat start time

<Date and time ingested>

Estimated observed time

<Date and time ingested>

Default configuration

These are the default configuration parameters for the Qualys enricher:

Required fields are marked with an asterisk (*).

Field

Description

Name

Qualys Enricher

Override TLP

Not Set

Description*

Qualys Enricher

Cache validity (sec)*

2592000

Rate limit (per sec)*

1000

Monthly execution cap (runs)*

1000000

Source reliability*

C - Fairly reliable

Observable types*

cve

Enabled

Not selected by default.

API URL*

N/A

Username*

N/A

Password*

N/A

SSL verification

Selected by default.

Path to SSL certificate file

N/A