Qualys Data

App Installation

| App | Search Head | Indexer | Heavy Forwarder | UF / Deployment Server | Additional Details |
| --- | --- | --- | --- | --- | --- |
| Qualys Technology Add-on (TA) for Splunk | Required | - | Required | - | Installation and Configuration Guide |

Note: Create an index named qualys, or update the cs_qualys macro definition from the Cyences app configuration page (Cyences Settings > Cyences App Configuration > Products Setup).

Create a new API user on Qualys

  • Open the Users page.

  • Click on New -> User.

  • Fill in the required fields. Title: API.

Note: The welcome email will be sent to the email address you fill in below.

  • Role: Unit Manager, Business Unit: Customer’s Name.

  • Select all permissions.

Create a Business Unit if not created already:

  • Click on New Business Unit.

  • Fill in the name of the customer.

  • Select the asset group with the customer’s name.

  • Select the API user, if already created, and any other users in this organization.

Configure account and input on Splunk

  • Open the Qualys Add-on setup page and configure the Qualys API Server, Username, and Password details.

  • Make the change below in the $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/inputs.conf file:

[qualys://host_detection]
index = qualys
duration = 0 6 * * *
start_date = 2023-01-01T00:00:00Z
disabled = 0

Troubleshoot

  • If you see the error “ERROR: API concurrency limit reached. Must sleep for 300 seconds and try again”:
    • Adjust the cron schedule to reduce the input frequency. The Qualys API has a rate limit.
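
An added example (not part of the Qualys TA or the Cyences app): a Python check that reads inputs.conf text and reports how many times per day each enabled qualys:// input fires, so a schedule change made for the concurrency-limit error can be verified. It assumes duration holds a five-field cron expression as shown on this page; the second stanza name and the max_runs threshold of 4 are constructed for illustration and are not Qualys limits.

```python
import configparser

# Constructed sample: this page's stanza plus a hypothetical over-frequent input.
SAMPLE = """
[qualys://host_detection]
index = qualys
duration = 0 6 * * *
start_date = 2023-01-01T00:00:00Z
disabled = 0

[qualys://example_frequent_input]
duration = */5 * * * *
disabled = 0
"""

def expand(field, lo, hi):
    """Expand one cron field (*, a, a-b, comma lists, optional /step) to a set."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = end = int(rng)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field {field!r}")
        values.update(range(start, end + 1, step))
    return values

def runs_per_day(cron):
    """Runs on any day the schedule matches (uses the minute and hour fields)."""
    minute, hour, _dom, _month, _dow = cron.split()  # ValueError if not 5 fields
    return len(expand(minute, 0, 59)) * len(expand(hour, 0, 23))

def audit(conf_text, max_runs=4):
    """Map each enabled qualys:// stanza to (runs_per_day, too_frequent).
    Assumption: a stanza without a disabled key is treated as enabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        enabled = cp[name].get("disabled", "0").lower() not in ("1", "true")
        if name.startswith("qualys://") and enabled:
            runs = runs_per_day(cp[name]["duration"])
            report[name] = (runs, runs > max_runs)
    return report
```

Calling audit(SAMPLE) returns one run per day for the host_detection stanza from this page and flags the constructed five-minute schedule as too frequent.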

Estimated Data Size

The Qualys Technology Add-on (TA) for Splunk does not consume much license, since it only collects information about vulnerability scans, but the volume depends on the number of devices and vulnerabilities present in your environment. For example, CrossRealms had around 300 devices and the total license consumption was less than 10MB.


Copyright © 2024 CrossRealms International.