Qualys Technology Add-on (TA) for Splunk
Overview
Details
Support and resources
For documentation please see: https://community.qualys.com/docs/DOC-4876
Support
In case any assistance is needed, please visit https://www.qualys.com/forms/contact-support/
Release Notes
Version 1.4.1
* Enhancements
- Qualys Threat Protect RTI data is added in the knowledgebase lookup file. For the account which has full TP access, THREAT_INTEL_IDS and THREAT_INTEL_VALUES fields will be populated otherwise those will be blank.
- Added support for 'arf_kernel_filter' as an extra parameter for VM.
* Bugs fixed
- Error faced while parsing knowledgebase API response when CVSS data is missing in the response.
- Missing TCP/UDP information in HOSTSUMMARY event even after setting show_results=1 as an extra parameter.
Version 1.4.0
* New Features
Data inputs added for Qualys Container Security data
- CS container vulnerabilities
- CS image vulnerabilities
* Enhancements
- Added CVSS3 Vector String and Base, Temporal Score to Knowledgebase
- VM Host Summary events enhanced with details of fixed and active counts for confirmed/potential vulns
Version 1.3.4
On top of earlier version (1.3.3), this release has following additions:
* Additional fields in HOST_SUMMARY and HOST_VULN events.
New fields in HOSTSUMMARY event: NETWORK_ID, LAST_VM_SCANNED_DATE, LAST_VM_SCANNED_DURATION
New fields in HOSTVULN event: LAST_FIXED_DATETIME, TIMES_FOUND, IS_IGNORED, IS_DISABLED
* More validation for seed file path in VM Detection - Advanced Settings.
If you are configuring this TA on Splunk Cloud, the seed file path MUST start with $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp
Version 1.3.3
on top of earlier version 1.3.2, this release has following additions:
* Policy Posture Input
- new option added to decide details level (All/Basic).
- new option added to configure number of policy ids to include in Policy Posture API call. (min 1, max 10)
- log messages for policy parsing started/completed. This helps understand activities when TA is parsing large XML.
- overall API response parsing improvements to reduce parsing time.
Version 1.3.2
* New Features
- Policy Compliance posture information data input
- Support for client certificates
- utility script to cleanup leftover, orphan XML files
* Enhancements
- Uses vm_processed_after API parameter instead of vm_scan_since to avoid data loss because of late processing of scan data.
- Some input validations. In case of error, your save operation will fail and you can see the reason in splunkd.log.
- If Qualys API returns error/warning, TA to log the message as it is.
- When installed on Splunk Search Head, TA will not run any data input except knowledgebase.
- Check if the credentials it got indeed belong to Qualys TA.
* Bugs fixed
- "Another process is running" message was not getting into TA log.
- Error faced while checking if process indeed running was not getting into TA log.
- TA would not start fetching the data if pid file is empty.
- WAS Findings feed was getting into recursion problem after 483rd API call.
- Illegal characters/not well formed XML elements were breaking the data pull.
Version 1.3.0
* New Features
- Policy Compliance posture information data input
- Support for client certificates
- utility script to cleanup leftover, orphan XML files
* Enhancements
- Uses vm_processed_after API parameter instead of vm_scan_since to avoid data loss because of late processing of scan data.
- Some input validations. In case of error, your save operation will fail and you can see the reason in splunkd.log.
- If Qualys API returns error/warning, TA to log the message as it is.
- When installed on Splunk Search Head, TA will not run any data input except knowledgebase.
- Check if the credentials it got indeed belong to Qualys TA.
* Bugs fixed
- "Another process is running" message was not getting into TA log.
- Error faced while checking if process indeed running was not getting into TA log.
- TA would not start fetching the data if pid file is empty.
- WAS Findings feed was getting into recursion problem after 483rd API call.
- Illegal characters/not well formed XML elements were breaking the data pull.
Version 1.2.3
* Enhancements
- Improved logic to confirm only one instance of data input is running at any given time. This handles case of PID getting repeated for Non-TA process.
- TA log entries mention data input name when actually doing the job. This will help debugging. You can grep by data input name and see logs for ALL runs of that input in single go.
* Bug fixes
- "Another process is already running for data input" message wasn't getting into TA log.
- WAS Findings fetch was halting after first set of data is pulled.
- Even if you set "Log debug messages" on TA setup page, debug messages were not getting into TA log.
- Proxy settings were not working in run.py (the debug script).
- Setting show_results=1 in detection extra parameters does not pull RESULTS tag.