Qualys Vulnerability Scanners in Graylog

The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Qualys is a security scanner that can identify vulnerabilities in devices, applications, operating systems, and other network or cloud resources. Qualys uses a combination of algorithms to assess threats then assigns a vulnerability risk score based on the Common Vulnerability Scoring System (CVSS).

You can connect Graylog to your existing Qualys scanner. Graylog imports scan data from Qualys and attaches any vulnerabilities to your related machine assets.

Hint: To configure a connection between Graylog and Qualys, you need to ensure you have established a trusted relationship. Be certain you understand the certificate requirements. See Certificates and Certificate Authorities in the Qualys documentation for details.

You can create a Qualys scanner in Graylog with either a paid or free version of Qualys. When you add a scanner following the directions below, you need the API URL for your Qualys instance as well as your access key and secret key to create a connection in Graylog. See the Qualys documentation for information about creating your API keys.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

• A valid Qualys account with API access enabled is required. The account must include the Vulnerability Management (VM or VMDR) module in the subscription.

• Ensure you have Qualys API credentials, including username, password, and API base URL.

• The Qualys account must have at least Manager, Unit Manager, Scanner, or Reader roles to access asset and vulnerability data via the API. API Access must be enabled.

Enable CVSS Score in Qualys Scan Results

By default, CVSS scoring is disabled in Qualys. Enabling this option is optional but recommended if you want CVSS scores to appear alongside Qualys vulnerability data in Graylog. Without it, Qualys scan results imported into Graylog will not include CVSS score values.

1. Log in to your Qualys account with Manager or equivalent permissions.

2. Navigate to the Reports tab on the dashboard.

3. Click the Setup tab in the Reports section.

4. Select CVSS Scoring under setup options.

5. Check or toggle Show CVSS Scoring (or equivalent).

6. Select Save to apply changes.

Hint: For new Qualys VMDR subscriptions, CVSS scoring is enabled by default. If you're using an older or custom Qualys setup, always verify that the CVSS option is active in your account.

Add a Qualys Scanner

To add a Qualys scanner:

1. On the Assets page in the Security user interface, select the Vulnerability Scanners tab.

2. Click Add Scanner, then choose Qualys from the menu.

3. Fill in the connection details and other information for the scanner:

   • Title: Give the scanner a unique, meaningful name.

   • Description (optional): Provide detail about the purpose of this scanner. Although this field is optional, consider adding information here, particularly if you create multiple Qualys scanners.

   • Enabled/Disabled Sync (optional): Toggle this setting to Enabled to automatically import scan data on a specified interval.

   • Sync Interval in Hours (optional): If you enable sync, you can set how frequently to run a new import of scan data to update vulnerability information on your Graylog assets. The default setting is 24 hours (once per day).

   Hint: The fields below require information from your Qualys environment. See the Qualys documentation for complete information.

   • API URL: Enter the URL to connect to your Qualys instance.

   • Access Key: Enter the access key to authenticate with the Qualys API.

   • Secret Key: Enter the secret key to authenticate with the Qualys API.

   After you provide the connection information, Graylog tests the connection. The result of the test displays at the bottom of the dialog. When you connect successfully, the Folders field becomes available.

4. (Optional) Use the Folders field if you want to limit or filter the data for this scanner instance. Folders available here are based on any folder structure you have created in your Qualys environment.

5. Click Add Scanner to add the scanner.

New scanners are added to the list on the Vulnerability Scanners tab of the Assets page.

Import Vulnerability Scans

You have two methods for importing new vulnerability scan data: automatic sync and manual import. With either method, new imports completely replace previous information so all existing vulnerabilities are updated, as appropriate, and any new information is added.

Import Sync

You enable the automatic sync option with the Enabled Sync setting when you define the scanner. You can also use the toggle on the table view under Enable Periodical Imports.

When the sync option is enabled, new vulnerability data is imported according to the sync interval you set.

Manual Import

To manually import scan data:

1. Click a scanner to view its detail page.

2. Click Import Vulnerabilities.

3. Click Import on the dialog box to confirm.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics:

• Vulnerability Scanning

• Asset Enrichment

• Investigations and Alerts