Set up Device Security and XSOAR for Qualys Enterprise TruRisk Integration

Table of Contents

Set up Qualys Enterprise TruRisk for Integration

Perform a Vulnerability Scan Using Qualys Enterprise TruRisk

Set up Device Security and XSOAR for Qualys Enterprise TruRisk Integration

Set up Device Security and Cortex XSOAR to integrate with Qualys Enterprise TruRisk.

Where Can I Use This?	What Do I Need?
Device Security (Managed by Strata Cloud Manager) (Legacy) IoT Security (Standalone portal)	One of the following subscriptions: Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical) Device Security X subscription One of the following Cortex XSOAR setups: A free, cohosted, limited-featured Cortex XSOAR instance A full-featured Cortex XSOAR server

Where Can I Use This?

What Do I Need?

Device Security (Managed by Strata Cloud Manager)
(Legacy) IoT Security (Standalone portal)

One of the following subscriptions:

Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
Device Security X subscription

One of the following Cortex XSOAR setups:

A free, cohosted, limited-featured Cortex XSOAR instance
A full-featured Cortex XSOAR server

Configure Cortex XSOAR with a Qualys Enterprise TruRisk integration instance and jobs to import scanners, device details, and vulnerability information into Device Security. After creating a Qualys Enterprise TruRisk integration instance and running a job to get scanners and profiles, you can also initiate a vulnerability scan on Qualys Enterprise TruRisk from Device Security.

Log in to Device Security and from there access the Qualys settings in Cortex XSOAR.
1. Log in to Device Security and then click Integrations.
2. Device Security uses Cortex XSOAR to integrate with Qualys, and the settings you must configure to integrate with it are in the XSOAR interface. To access these settings, click Launch Cortex XSOAR.
  The Cortex XSOAR interface opens in a new browser window.
3. If necessary, search for Qualys to locate it among other instances.
Configure the Qualys Enterprise TruRisk integration instance.
1. Click the active integration instance settings icon (
  
  ), or click Add instance, to open the settings panel.
2. Enter the following and leave other settings at their default values:
  Name: Use the default name of the integration instance.
  
  Don’t change the default integration instance name. The preconfigured Cortex XSOAR jobs that support vulnerability scans from the Device Details page in Device Security rely on Cortex XSOAR playbooks that refer to this integration instance name specifically.
  
  Server URL: Enter the URL of the Qualys API server.
  Username: Enter the username of the Qualys API manager user account you created.
  Password: Enter the password associated with the user account.
  Optional IoT Vertical Filter for Asset Export: Select the types of device category verticals that you want to include when exporting Device Security assets to Qualys.
  Optional Severity Levels: Select the severity levels for open vulnerabilities that you want to import from Qualys to Device Security. By default, Device Security imports only vulnerabilities with a severity level of Critical.
  Optional Last Updated: Enter the time range in days that you want to get device or vulnerability information from Qualys. Device Security polls for all vulnerabilities or devices identified or updated in the specified time. By default, the Qualys jobs retrieve devices or vulnerabilities last seen in the past one day.
  Run on Single engine: Choose No engine.
3. When finished, click Run test or Test.
  If the test is successful, a Success message appears. If not, check that the settings were entered correctly, and then test the configuration again.
4. After the test succeeds, click Save & exit to save your changes and close the settings panel.
Enable the Qualys integration instance.
Create jobs for Cortex XSOAR to send and receive information from Qualys Enterprise TruRisk.

Depending on whether you want to send device details or get vulnerability information, select the appropriate playbook when configuring the job. If you want to run multiple playbooks, you must create separate jobs, one for each playbook. You can also create multiple jobs if you have multiple integration instances.
1. Click Jobs in the sidebar, and then click New Job to create a new Cortex XSOAR job.
2. Configure the following settings in the New Job panel:
  Optional Recurring: Select this if you want to periodically run the job. Clear it if you want to run the job on-demand.
  Optional Every: If you selected Recurring, enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days on which to run the job. If you don't select specific days, then the job will run every day by default. This determines how often Cortex XSOAR queries Qualys to send and receive information.
  You can configure Queue Handling to determine what happens if a new job starts while an old job is still running.
  Name: Enter a name for the job.
  Playbook: Select the playbook depending on the type of job you're configuring. You can select one of the following playbooks when integrating with Qualys Enterprise TruRisk Vulnerability Management, Detection & Response:
  Get Qualys Scanners and Profiles – PANW IoT 3rd Party Integration – Get a list of vulnerability scanners and profiles from Qualys.
  Import Qualys Confirmed Vulnerabilities and Devices to PANW IoT – Get a list of all confirmed vulnerabilities.
  Import Qualys Devices to PANW IoT cloud – Import devices from Qualys to Device Security. For new devices that don't match to an existing device in the Device Security Asset Inventory, Device Security creates a new device.
  Tag Qualys Assets with PANW IoT Categories – Add a tag to all devices in Qualys with their corresponding device category vertical from Device Security. Devices can only have one category tag. You can use the category tag to filter devices when running vulnerability scans in Qualys.
  Export PANW IoT Assets to Qualys – Send device information from Device Security to Qualys. If a device does not exist in Qualys, then this job creates a new device in Qualys. By default, Device Security exports devices from all device type categories unless you specify the IoT Vertical Filter for Asset Export when configuring the integration instance.
  Integration Instance Name: Enter the instance name of the integration instance you created.
3. Click Create new job and verify that the job appears in the Jobs list.
Enable the job and run it.

Check the Job Status for the job you created. If it's Disabled, select its checkbox and then click Enable.

You can immediately run the job by selecting it and clicking Run now. Otherwise, if you scheduled a recurring job, then the enabled job will run as scheduled.
Return to Device Security and check the status of the Qualys integration instance.
XSOAR automatically runs a preconfigured job for Qualys integration and reports the integration instance to Device Security, which displays it on the Integrations page. The integration instance can be in one of the following four states as shown in the Status column on the Integrations page:
- Disabled means that either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
- Error means that the integration was configured and enabled but isn’t functioning properly, possibly due to a configuration error or network condition.
- Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
- Active means that the integration was configured and enabled and is functioning properly.
When you see that the status of the Qualys instance has changed from Disabled to Active, its setup is complete.