Qualys Technology Add-on (TA) for Splunk
Overview
Details
Support and resources
For documentation please see: https://community.qualys.com/docs/DOC-4876
Support
In case any assistance is needed, please visit https://www.qualys.com/forms/contact-support/
Release Notes
Version 1.8.0
- Splunk Cloud Compatibility changes - Setup xml replaced with Setup view. We have also done visualization changes to the Setup page.
- New data feed - Activity Log. The user activity log that you see on Qualys UI > User > Activity Log, can now ingest.
- Added Page Size field on the Setup page for CS, FIM, and IOC to control the number of records returned in API calls
Version 1.7.2
- Qualys TA is now compatible with both Python v2 and v3.
- Container Security data inputs (Image Vulns and Container Vulns) will use API gateway URLs.
- Macro definitions from eventtypes are removed, so searches on distributes setups will work seamlessly.
- Minor fixes for Splunk Cloud vetting
- Bug fix for TA Setup form
Version 1.7.1
- Qualys TA is now compatible with both Python v2 and v3.
- Container Security data inputs (Image Vulns and Container Vulns) will use API gateway URLs.
- Macro definitions from eventtypes are removed, so searches on distributes setups will work seamlessly.
- Minor fixes for Splunk Cloud vetting
Version 1.6.7
New Feature-
* You can optionally index additional PC Posture fields like RATIONALE, CAUSE_OF_FAILURE, REMEDIATION, EVIDENCE.
Fix-
* Policy Last Evaluation Time wasn't getting assigned as event time.
Version 1.6.6
* We have added some enhancements to ensure data is not missed, and that it is correct.
- Now downloading FIM events based on 'processedTime' timestamp
-Now downloading Containers and Images data based on 'updated' timestamp
* We have also improvised logging, to help troubleshoot even better.
* The VM 'RESULTS' section was being indexed in all Capital chars, we have fixed that and it will be as it is in the API response.
* Some more secrecy! Passwords in proxy settings are now marked.
* Default API retry interval is 5 minutes. If you want to change that, you can do so in qualys.conf.
Version 1.6.4
Features:
* Knowledge base lookup table will have Bugtraq ID wherever available.
Fixes:
* FIM events will be indexed by actual event time.
Version 1.6.3
Improvements:
- Improvements for Splunk Cloud compliance.
Bug Fixes :
- Authentication to Qualys API fails when tried connect to API server via Proxy server using certificate.
- Handled XML parsing error in Host detection due to corrupted response XML for Web Application Scanning (WAS) data.
- KnowledgeBase Data not populating in the solution section of the KB lookup file when Threat Intel fields missing.
- Error while saving Proxy details with Authentication.
Version 1.6.2
*Improvements
- Added support to pull EC2 metadata in Host Detection events. To get EC2 metadata provide extra parameter as {"host_metadata": "ec2"}
- 'cwe' information added in WAS findings events.
* Bug Fixes
- Handled XML parsing error in Host detection due to corrupted response XML - In event of XML parsing error, TA will retry the same request again until it receives the proper response file.
Version 1.6.1
* New Feature:
Version 1.6.1 introduces a new data input to ingest IOC events data. These events are indexed in JSON format.
* Enhancements:
- FIM data input: A better way of pagination, helpful when pulling more than 10K containers.
- Added new macros to better manage the SPL for index customizations. If you are using your own index, edit the `qualys_index` or update data input specific macro.
- Added option on TA setup page to preserve API response files. When checked, TA will not remove them after parsing.
Version 1.5.0
* New Features
Data inputs added for Qualys File Integrity Monitoring(FIM) data
- FIM Events
- FIM Incidents
- FIM Ignored Events
* Bug Fixes
- Pagination handling for WAS while running in multi-threaded mode
- WAS Findings events broken on "tags" data - fixed
Version 1.4.4
Bugs fixed
- Fixed issue with CS APIs - it was missing the last API call
- Fixed issue with Truncation property
Version 1.4.3
*Bugs fixed
- Fixed issue with CS APIs - it was missing the last API call
Version 1.4.2
* Bugs fixed
- Container Security page number fix, set default first-page number to 1.
Version 1.4.1
* Enhancements
- Qualys Threat Protect RTI data is added in the knowledgebase lookup file. For the account which has full TP access, THREAT_INTEL_IDS and THREAT_INTEL_VALUES fields will be populated otherwise those will be blank.
- Added support for 'arf_kernel_filter' as an extra parameter for VM.
* Bugs fixed
- Error faced while parsing knowledgebase API response when CVSS data is missing in the response.
- Missing TCP/UDP information in HOSTSUMMARY event even after setting show_results=1 as an extra parameter.
Version 1.4.0
* New Features
Data inputs added for Qualys Container Security data
- CS container vulnerabilities
- CS image vulnerabilities
* Enhancements
- Added CVSS3 Vector String and Base, Temporal Score to Knowledgebase
- VM Host Summary events enhanced with details of fixed and active counts for confirmed/potential vulns
Version 1.3.4
On top of earlier version (1.3.3), this release has following additions:
* Additional fields in HOST_SUMMARY and HOST_VULN events.
New fields in HOSTSUMMARY event: NETWORK_ID, LAST_VM_SCANNED_DATE, LAST_VM_SCANNED_DURATION
New fields in HOSTVULN event: LAST_FIXED_DATETIME, TIMES_FOUND, IS_IGNORED, IS_DISABLED
* More validation for seed file path in VM Detection - Advanced Settings.
If you are configuring this TA on Splunk Cloud, the seed file path MUST start with $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp
Version 1.3.3
on top of earlier version 1.3.2, this release has following additions:
* Policy Posture Input
- new option added to decide details level (All/Basic).
- new option added to configure number of policy ids to include in Policy Posture API call. (min 1, max 10)
- log messages for policy parsing started/completed. This helps understand activities when TA is parsing large XML.
- overall API response parsing improvements to reduce parsing time.
Version 1.3.2
* New Features
- Policy Compliance posture information data input
- Support for client certificates
- utility script to cleanup leftover, orphan XML files
* Enhancements
- Uses vm_processed_after API parameter instead of vm_scan_since to avoid data loss because of late processing of scan data.
- Some input validations. In case of error, your save operation will fail and you can see the reason in splunkd.log.
- If Qualys API returns error/warning, TA to log the message as it is.
- When installed on Splunk Search Head, TA will not run any data input except knowledgebase.
- Check if the credentials it got indeed belong to Qualys TA.
* Bugs fixed
- "Another process is running" message was not getting into TA log.
- Error faced while checking if process indeed running was not getting into TA log.
- TA would not start fetching the data if pid file is empty.
- WAS Findings feed was getting into recursion problem after 483rd API call.
- Illegal characters/not well formed XML elements were breaking the data pull.
Version 1.3.0
* New Features
- Policy Compliance posture information data input
- Support for client certificates
- utility script to cleanup leftover, orphan XML files
* Enhancements
- Uses vm_processed_after API parameter instead of vm_scan_since to avoid data loss because of late processing of scan data.
- Some input validations. In case of error, your save operation will fail and you can see the reason in splunkd.log.
- If Qualys API returns error/warning, TA to log the message as it is.
- When installed on Splunk Search Head, TA will not run any data input except knowledgebase.
- Check if the credentials it got indeed belong to Qualys TA.
* Bugs fixed
- "Another process is running" message was not getting into TA log.
- Error faced while checking if process indeed running was not getting into TA log.
- TA would not start fetching the data if pid file is empty.
- WAS Findings feed was getting into recursion problem after 483rd API call.
- Illegal characters/not well formed XML elements were breaking the data pull.
Version 1.2.3
* Enhancements
- Improved logic to confirm only one instance of data input is running at any given time. This handles case of PID getting repeated for Non-TA process.
- TA log entries mention data input name when actually doing the job. This will help debugging. You can grep by data input name and see logs for ALL runs of that input in single go.
* Bug fixes
- "Another process is already running for data input" message wasn't getting into TA log.
- WAS Findings fetch was halting after first set of data is pulled.
- Even if you set "Log debug messages" on TA setup page, debug messages were not getting into TA log.
- Proxy settings were not working in run.py (the debug script).
- Setting show_results=1 in detection extra parameters does not pull RESULTS tag.