|
| 1 | +--- |
| 2 | +title: Integrate Qualys data connector in Microsoft Security Exposure Management |
| 3 | +description: Learn how to the Qualys data connector in Microsoft Security Exposure Management. |
| 4 | +ms.author: dlanger |
| 5 | +author: dlanger |
| 6 | +manager: rayne-wiselman |
| 7 | +ms.topic: overview |
| 8 | +ms.service: exposure-management |
| 9 | +ms.date: 09/24/2024 |
| 10 | +--- |
| 11 | + |
| 12 | +# Qualys data connector |
| 13 | + |
| 14 | +To integrate with Qualys, you have to provide basic credentials for a Qualys user with **Manager** role or a **Reader** role with full scope. |
| 15 | + |
| 16 | +## Qualys configuration |
| 17 | + |
| 18 | +1. To set up the Qualys integration, you need the API_URL of your Qualys instance, such as “qualysapi.qg1.apps.qualys.co.uk”. You can find it [here](https://www.qualys.com/platform-identification/). |
| 19 | + 1. If you can't find it: |
| 20 | + 1. Log in to your Qualys account. |
| 21 | + 2. Go to **Help** → **About**. |
| 22 | + 3. You'll see the required information under **Security Operations Center** (SOC). |
| 23 | +1. You'll need credentials of a user with at least **Read Asset** permissions to successfully retrieve data from the connector. To create a user with a Read Asset role: |
| 24 | + 1. Log in to Qualys. |
| 25 | + 2. Go to **Administration** area. |
| 26 | + 3. Go to the **Role Management** section. |
| 27 | + 4. Select New Role. |
| 28 | + 5. Provide a role name, for example, "Read Asset". |
| 29 | + 6. For the Role permissions, check API Access. |
| 30 | + 7. From the **Modules** drop down, choose Asset View. |
| 31 | + 8. To limit the permissions, choose the **Change** option within the **Asset View** selected module. |
| 32 | + 9. Make sure to enable, at least, **Read Asset** under **Asset Management Permissions**. |
| 33 | +1. Add the newly created role to the user you intend to authenticate with in the Exposure Management Qualys Connector. |
| 34 | + 1. Under **Administration** go to **User** **Management**. |
| 35 | + 2. Select the user you onboarded with the Exposure Management Qualys Connector and choose **Edit**. |
| 36 | + 3. Under **Roles and Scopes**, add the Read Asset role created in previous sections to the user assigned roles. |
| 37 | + 4. Under **Edit** scope, select **Allow user view access to all objects** to allow this user full scope. |
| 38 | + 5. Save the **Read Asset** role assignment to the user. |
| 39 | + |
| 40 | +## Establish Qualys connection in Exposure Management |
| 41 | + |
| 42 | +To establish a connection with Qualys in Exposure Management, follow these steps: |
| 43 | + |
| 44 | +1. Open the [Data Connectors](https://security.microsoft.com/exposure-data-connectors) from the Exposure Management navigation and select **Connect** in the Qualys tile. |
| 45 | +1. Enter your Qualys API URL and authentication credentials and select **Connect**. |
| 46 | + |
| 47 | +## Retrieved data |
| 48 | + |
| 49 | +Qualys connector retrieves data on compute devices, including machines and virtual machines, and vulnerability findings from Qualys on those assets. It also retrieves some networking data to identify those devices. |
| 50 | + |
| 51 | +Only devices that were modified in the last 90 days are retrieved, based on assessing the "modified" field in the Qualys asset. |
| 52 | + |
| 53 | +| **Category** | **Properties** | |
| 54 | +|-------------------------|--------------------------------------------------------------------------------| |
| 55 | +| **Assets/devices** | - Gateway address<br>- FQDN<br>- IP address<br>- MAC address<br>- OS information<br>- Qualys criticality data | |
| 56 | +| **Vulnerability findings** | Qualys retrieves CVE findings on the assets that it ingests. | |
| 57 | + |
| 58 | +## Troubleshooting the Qualys data connector |
| 59 | + |
| 60 | +Here are some common issues that might arise when configuring the Qualys Connector, and suggestions for how to resolve them. |
| 61 | + |
| 62 | +| **Error Type** | **Troubleshooting Action** | |
| 63 | +| ------------------------------------------------------------ | ------------------------------------------------------------ | |
| 64 | +| **Error code** 401: Authorization failure | An authorization failure indicates that credentials might not be correct, or there might not be sufficient permissions to access the Qualys data. Check your credentials and make sure they're correct and valid. Also check that your credentials have the required permissions. See the Qualys [configuration section](#qualys-configuration) for details on how to assign the appropriate role and scope. <br>You can validate your user credentials by running the following:<br>curl -u "user:password" -H "X-Requested-With: Curl" -X "POST"-d "action=list" "[https://qualysapi.qg1.apps.qualys.ca/qps/rest/2.0/search/am/hostasset](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fqualysapi.qg1.apps.qualys.ca%2Fqps%2Frest%2F2.0%2Fsearch%2Fam%2Fhostasset&data=05\|02\| [email protected]\|16df3effc63244b6236808dcfe9c61d1\|72f988bf86f141af91ab2d7cd011db47\|1\|0\|638665194889139624\|Unknown\|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D\|0\|\|\|&sdata=cnChKl0R%2BvXdnHEyWXwtokJXLWfJTBEkZksbJEvqiqA%3D&reserved=0)" >output.txt | |
| 65 | +| **Error code** 409: Possible insufficient permissions | Qualys connector utilizes the knowledge_base API which requires specific permissions. You can see more details in the KnowledgeBase section of [this Qualys API document](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcdn2.qualys.com%2Fdocs%2Fqualys-api-vmpc-user-guide.pdf&data=05\|02\| [email protected]\|16df3effc63244b6236808dcfe9c61d1\|72f988bf86f141af91ab2d7cd011db47\|1\|0\|638665194889160705\|Unknown\|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D\|0\|\|\|&sdata=6VlESEXXIudzrf3WFAqAqXu775Q72%2FynZxGt75W0%2BVk%3D&reserved=0). <br>To validate the provided user has sufficient permissions, run the following command and verify it succeeds:<br>curl -u "user:password" -H "X-Requested-With: Curl" -X "POST"-d "action=list""[https://qualysapi.qg1.apps.qualys.ca/api/2.0/fo/knowledge_base/vuln/](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fqualysapi.qg1.apps.qualys.ca%2Fapi%2F2.0%2Ffo%2Fknowledge_base%2Fvuln%2F&data=05\|02\| [email protected]\|16df3effc63244b6236808dcfe9c61d1\|72f988bf86f141af91ab2d7cd011db47\|1\|0\|638665194889173173\|Unknown\|TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D\|0\|\|\|&sdata=g8%2BzcLq3rI%2B2%2F6ii9WNiyKBsHzGU7vQPfMKT232C5f4%3D&reserved=0)" >output.txt <br>In case it fails, refer to Qualys documentation to mitigate. | |
| 66 | +| **Error code 403:** Access forbidden error | This error indicates that the provided credentials lack the necessary permissions to run the requested APIs. Update your credentials with the proper permissions as described in the [configuration section](#qualys-configuration), and make sure they have at minimum the Read Asset permissions. | |
| 67 | +| **Error code 404:** Not found error | This error indicates that the requested endpoint wasn't found to be reachable. Verify that your Qualys API endpoint is correct, see the [configuration section](#qualys-configuration) for details. | |
| 68 | +| **Error code 429** 'Too many requests" | The system periodically pulls data from the configured external providers, which might have a limit on the number of concurrent requests. We recommend creating a dedicated user or account for the connector to avoid reaching this limit. | |
| 69 | +| 'Temporary disconnected' or 'Temporary failure' error message | In the case where this error message appears without any additional information, verify the connector configuration (API endpoint and credentials). If these are valid and the issue doesn't resolve on its own, contact Support. | |
| 70 | +| Not seeing my assets or the vulnerabilities reported by Qualys in the ingested data | See [Retrieved data](#retrieved-data) for a description of the data expected to be retrieved by the Qualys connector. If there's still missing data, contact Support. | |
| 71 | +| Qualys allowed IPs need to be configured to enable Exposure Management connectors to access Qualys | Read how to add the set of IPs to add to your allowlist here: [Allowlist IP addresses](configure-data-connectors.md#allowlist-ip-addresses). | |
| 72 | + |
| 73 | +## Next steps |
| 74 | + |
| 75 | +[Getting value from your data connectors](value-data-connectors.md). |
0 commit comments