Integrating Qualys vulnerability scan data with Chariot allows organizations to enhance their security operations by centralizing critical vulnerability insights within a single, continuous offensive security platform. Qualys provides robust scanning capabilities, identifying vulnerabilities across assets. When integrated with Chariot, it enables Praetorian engineers to distill Qualys findings down to the vulnerabilities that attackers are most likely to use to compromise your environment.

Chariot offers two methods for integrating with Qualys:

  1. API Integration: Continuous, automated pulling of vulnerability data
  2. CSV Import: One-time import of specific scan results

API Integration

The API integration process begins in Chariot's Integrations page. Upon clicking the "Add Integration" button, you'll find the Qualys integration tile among the available options. This integration requires proper API credentials, which must be configured through your Qualys account.

To set up API access, you'll need an administrator to create a dedicated user account in Qualys. Begin by accessing the Users page in your Qualys dashboard and initiating the user creation process.

When configuring the account, we recommend using "Chariot" as the first name and "Integration" as the last name to clearly identify this account's purpose. While completing the General Information section, ensure you provide valid contact information that aligns with your organization's requirements.

The key to successful integration lies in the proper configuration of user permissions. Navigate to the User Role tab and select the Reader role. It's crucial to enable API access by checking the appropriate box. All other settings can remain at their default values. Upon saving these configurations, Qualys will initiate its account activation process by sending an email to the address provided during setup.

The activation email contains important steps to complete the account setup. You'll need to click the "Activate Your Account" link and enter the provided one-time password.

Upon successful activation, you'll receive the essential credentials: a URL, username, and password. These three pieces of information are what you'll need to complete the integration in Chariot.

Return to Chariot's Qualys Setup dialog and enter these credentials.

Before finalizing the integration, you'll have the option to customize what data you want to import from Qualys. Through checkboxes in the setup dialog, you can choose to import:

  • Assets only: Collect information about hosts and their network attributes
  • Vulnerabilities only: Import vulnerability findings for existing assets
  • Both assets and vulnerabilities: Complete data synchronization

This flexibility allows you to tailor the integration to your specific needs, particularly useful when you want to maintain separate asset management workflows or focus solely on vulnerability data. Once you've selected your desired import options, click Finish to activate the integration and begin the automated data collection process.

The API integration's data collection process varies based on your selected import options.

If you choose to import assets, the integration begins by collecting information about scheduled scans and identifying hosts within your defined scope, focusing on non-private IPs and configured domains. This process includes comprehensive processing of DNS records (both A and AAAA records, as well as CNAME records) and service information such as ports and protocols.

When vulnerability import is selected, the integration retrieves detailed vulnerability information for assets, including CVSS scores, CVE identifiers, and supporting proof data for identified vulnerabilities.

Selecting both assets and vulnerabilities enables the full integration workflow. The process starts with asset discovery and enumeration, followed by comprehensive vulnerability data collection. This complete integration ensures that all discovered assets are properly mapped to their corresponding vulnerabilities, providing the most thorough view of your environment's security posture.

CSV Import Integration

Chariot offers a streamlined process for importing vulnerability data from Qualys through CSV files, providing a convenient alternative when direct API integration isn't feasible. To begin the import process, you'll first need to export your data from Qualys. Simply navigate to the Vulnerability Management, Detection, and Response (VMDR) section in your Qualys account, select Vulnerabilities, and click the download icon.

The default export settings will provide all the necessary data; just click Download to save your CSV file.

Once you have your export file, the import process in Chariot is straightforward. Head to the Integrations page and click "Add Integration." On the Qualys integration card, you'll find the CSV import option listed below the API setup information. Chariot provides two convenient ways to upload your file: you can either drag and drop it directly onto the upload area or use the "Choose Files" button to select it from your system.

After you've provided the .csv file through either method, Chariot begins its automated processing routine.

The CSV import process follows a systematic approach to data integration. Initially, it validates the format and headers of your CSV file to ensure data integrity. It then creates asset records for each unique host identified in the data, establishing relationships with any associated ports and protocols when available. The process converts Qualys's vulnerability findings into Chariot's risk model and associates any provided proof data with the findings.

Data Processing and Risk Mapping

Both integration methods share a common framework for processing vulnerability data. They handle asset information including hostnames and IP addresses, service details such as ports and protocols, comprehensive vulnerability information including CVE identifiers and CVSS scores, and supporting proof data from scan results.

The integration implements a straightforward mapping of Qualys severity levels to Chariot's risk statuses. A severity level of 1 translates to Info status, while levels 2 through 5 map to Low, Medium, High, and Critical statuses respectively. This consistent mapping ensures clear communication of risk levels across both platforms.
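
A pre-upload check that follows the processing described above (header validation, one asset per unique host with its ports and protocols, and the severity-to-status mapping), written as an added example; it is not Chariot's or Praetorian's code. The column names, the RFC 1918 private-address flag and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Mapping stated on this page: severity 1 -> Info, 2 through 5 -> Low..Critical.
SEVERITY_TO_STATUS = {1: "Info", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}
# Assumed column names (hypothetical); compare with the header row of your export.
REQUIRED = {"IP", "Port", "Protocol", "QID", "Severity", "CVE ID", "Results"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows with placeholder CVE ids, not real scan output.
SAMPLE_CSV = """IP,Port,Protocol,QID,Severity,CVE ID,Results
203.0.113.10,443,tcp,10001,5,CVE-0000-0001,constructed proof
203.0.113.10,22,tcp,10002,2,,constructed banner
10.0.0.5,5432,tcp,10003,4,CVE-0000-0002,constructed proof
198.51.100.7,25,tcp,10004,9,,severity out of range
"""

def precheck(text):
    """Validate headers, then return (assets, findings, rejected rows)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    assets, findings, rejected = {}, [], []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            ip = ipaddress.ip_address(row["IP"].strip())
            status = SEVERITY_TO_STATUS[int(row["Severity"])]
            port = int(row["Port"]) if row["Port"] else None
        except (ValueError, KeyError) as exc:
            rejected.append((line_no, repr(exc)))  # bad IP, port or severity
            continue
        asset = assets.setdefault(str(ip), {
            "private": any(ip in net for net in RFC1918), "services": set()})
        if port is not None:
            asset["services"].add((port, row["Protocol"]))
        findings.append({"host": str(ip), "qid": row["QID"], "status": status,
                         "cve": row["CVE ID"] or None, "proof": row["Results"]})
    return assets, findings, rejected

if __name__ == "__main__":
    assets, findings, rejected = precheck(SAMPLE_CSV)
    print(assets, findings, rejected, sep="\n")
```

Rows listed in the rejected output are worth fixing or removing in the export before upload, and hosts flagged private show which internal addresses the file would carry into the platform.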

We hope these instructions were helpful! If you find a topic that you would like discussed in detail, or need further assistance, please let us know at support@praetorian.com!