Qualys Data
The Qualys Technology Add-on (TA) for Splunk is required to keep track of all the vulnerabilities on the assets/devices.
Splunkbase Download: https://splunkbase.splunk.com/app/2964/
Installation and Configuration Guide: https://www.qualys.com/docs/qualys-ta-for-splunk.pdf
Create a new API user on Qualys
- Open the Users page.
- Click New -> User.
- Fill in the required fields. Title: API.
  Note: The welcome email will be sent to the email address you fill in below.
- Role: Unit Manager; Business Unit: the customer’s name.
- Select all permissions.
Create a Business Unit if not created already:
- Click New Business Unit.
- Fill in the name of the customer.
- Select the asset group with the customer’s name.
- Select the API user, if already created, and any other users in this organization.
Configure account and input on Splunk
- Open the Qualys Add-on setup page and configure the Qualys API server, username and password.
- Make the change below in the $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/inputs.conf file:
[qualys://host_detection]
index = qualys
duration = 0 6 * * *
start_date = 2023-01-01T00:00:00Z
disabled = 0
Troubleshoot
- If you see the error “ERROR: API concurrency limit reached. Must sleep for 300 seconds and try again”:
  - Widen the cron schedule (the duration setting) to reduce how often the input polls; the Qualys API enforces a rate limit.
Note: Use index=qualys for data collection, or update the macro definition for cs_qualys (Settings > Configuration) to match the index you chose.
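As an added pre-flight check (example code, not part of the Qualys TA or its documentation), the script below parses the inputs.conf stanza above, flags an index other than qualys or a duration cron that polls more often than an assumed local threshold, and counts the concurrency-limit error from the Troubleshoot section in TA log lines. The stanza and log lines embedded in it are constructed samples.

```python
# Added example, not the Qualys TA's own code; all sample inputs below are constructed.
import configparser
import re

STANZA = "qualys://host_detection"
# Constructed sample: the stanza exactly as shown on the page.
INPUTS_CONF = """[qualys://host_detection]
index = qualys
duration = 0 6 * * *
start_date = 2023-01-01T00:00:00Z
disabled = 0
"""
# Constructed TA log lines in the shape of the error quoted in the Troubleshoot section.
TA_LOG = """2023-03-01 06:00:05 ERROR: API concurrency limit reached. Must sleep for 300 seconds and try again
2023-03-01 06:05:06 ERROR: API concurrency limit reached. Must sleep for 300 seconds and try again
"""

def _field_count(field: str, size: int) -> int:
    """Number of values a cron field matches: '*', '*/n' or a comma list."""
    if field == "*":
        return size
    if field.startswith("*/"):
        return len(range(0, size, int(field[2:])))
    return len(set(field.split(",")))

def runs_per_day(cron: str) -> int:
    """Daily firings of a 5-field cron whose day/month/weekday fields are '*'."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields, got {len(fields)}: {cron!r}")
    return _field_count(fields[0], 60) * _field_count(fields[1], 24)

def check_stanza(conf_text: str, max_runs_per_day: int = 4) -> list:
    """Findings for the host_detection stanza; max_runs_per_day is an assumed local threshold."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if STANZA not in cp:
        return [f"missing [{STANZA}] stanza"]
    s, findings = cp[STANZA], []
    if s.get("index") != "qualys":
        findings.append("index is not 'qualys'; update the cs_qualys macro to match")
    if runs_per_day(s.get("duration", "")) > max_runs_per_day:
        findings.append("duration polls too often; widen the cron interval to respect the API rate limit")
    return findings

def concurrency_errors(log_text: str) -> tuple:
    """(number of rate-limit errors seen, total seconds the TA was told to sleep)."""
    hits = re.findall(r"API concurrency limit reached\. Must sleep for (\d+) seconds", log_text)
    return len(hits), sum(int(h) for h in hits)
```

Run check_stanza against your local inputs.conf contents and concurrency_errors against the TA's log output to confirm the schedule is not tripping the rate limit.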
Estimated Data Size
The Qualys Technology Add-on (TA) for Splunk consumes relatively little license volume, since it only collects vulnerability scan information, but the actual volume depends on the number of devices and vulnerabilities present in your environment. For example, CrossRealms had around 300 devices and total license consumption was less than 10 MB.