Configure CAPS Settings

You can set up the Qualys Cloud Agent to passively sense traffic in the agent's subnet and detect the assets in it.

Qualys CAPS generates minimal User Datagram Protocol (UDP) multicast traffic at regular intervals (by default, 120 seconds) to communicate with other CAPS agents in the network and elect a leader. This UDP multicast traffic is not used for asset discovery.

To configure the settings for the cloud agent as a passive sensor:

  1. In the Cloud Agent application, navigate to Configuration > CAPS Configuration.
  2. In the CAPS Configuration page, configure the parameters described in the following sections.
  3. Click Save to apply the changes. If you want to discard the modifications made to the CAPS Configuration, click Cancel.

Data Upload Interval

Define the time interval, in minutes, at which Cloud Agent uploads CAPS data to Qualys Cloud Platform. The valid range is 15 to 1440 minutes. The default value is 30 minutes.

Configure CAPS Data

Configure the CAPS settings to define the inclusion criteria for asset detection.

CAPS Peers

This configuration helps a CAPS-activated Cloud Agent identify whether it is on-premise, such as inside an enterprise network, or off-premise, such as in a coffee shop or remote location. The value is the minimum number of CAPS-activated Cloud Agents that must be present in a subnet for the elected CAPS leader to start reporting assets.

For example, if you set the minimum number of peers as 4, the CAPS-activated Cloud Agent starts reporting assets only when it detects the presence of 4 or more CAPS-activated agents in the subnet. You can provide any value in the range 2-20.

DNS Suffix

Configure the DNS Suffix to help a CAPS-activated Cloud Agent identify whether it is on-premise or off-premise. Provide the name(s) of the domains associated with the subnets in your enterprise network, or provide the IP address or IP address range within your network interface.

DNS Suffix Name: Provide the domain name(s) for the assets that you want to include in the asset inventory. The CAPS leader reports the assets present in the subnets of the Agent interfaces whose DNS Suffix matches the configured domain names.

IP/IP Range: Provide the values for one or more IP addresses so that CAPS can start the election process and detect the assets. Ensure that IP addresses are provided in the accepted formats, such as a comma-separated list, an IP range, or Classless Inter-Domain Routing (CIDR) notation.

The Domain Name must be an exact match with the connection-specific DNS Suffix found on the endpoint as shown in the following image.

When you set the value for CAPS Peers with an IP address and do not provide the DNS Suffix name, the AND condition is applied for CAPS Peers and DNS Suffix. This means that for a Cloud Agent to start the scan, both the minimum peer condition and the IP address condition must be fulfilled in your network.

When you provide minimum CAPS Peers with IP addresses and also provide a DNS Suffix name, you can select whether to apply an AND or an OR condition for CAPS Peers and DNS Suffix.

To learn more about defining conditions for network scans, refer to CAPS Configuration Use Cases.

Excluded Assets

Provide the IP addresses and MAC addresses of the assets that you want to exclude from the CAPS inventory. Once IP addresses and MAC addresses are added to this configuration, CAPS stops detecting assets with the specified IP and MAC addresses.

When you define the IP or MAC addresses for exclusion, the assets with the specified IP and MAC addresses, if available in the CSAM/GAV inventory, are deleted.

Additional Configurations

You can configure additional knobs for CAPS by using the following flags.

Active Probe

When you enable Active Probe, the CAPS-activated Cloud Agent uses the UPnP broadcast and multicast services to query devices present in the network directly. This enriches the asset fingerprints of assets that have already been detected.

Active Query

This functionality speeds up building the asset inventory. When you enable Active Query, the CAPS-activated agent makes standard UPnP queries rather than just passively listening to them in the network. To do this, it sends the standard multicast and broadcast announcement queries of the supported protocols.

Suppress Reporting of Randomized MAC Addresses

Select the Suppress reporting of randomized MAC addresses checkbox to stop reporting assets with randomized MAC Addresses.

For mobile phones with the MAC Randomization feature enabled, Cloud Agent creates as many asset records as MAC addresses reported. This causes the CAPS inventory to show an inaccurate unmanaged asset count that is far larger than the actual number of assets in the network. Enable the Suppress reporting of randomized MAC addresses option to stop CAPS from reporting assets with randomized MAC addresses, which keeps the inventory size in check.

Qualys maintains a hostname exclusion list for mobile phones. When you select this option, assets with hostnames not present in the hostname exclusion list are reported to Qualys Cloud Platform, whereas assets whose hostnames are present in the exclusion list are not reported to the Qualys Cloud Platform.

Suppress Reporting of Multicast MAC Addresses

CAPS assets with multicast MAC addresses may not add any value to the asset inventory. This can happen if some vulnerable software running on agent hosts uses incorrect MAC addresses, such as multicast MAC addresses. CAPS detects each unique MAC address as an asset, which bloats the asset count in the CAPS unmanaged inventory.
 
To stop monitoring and reporting such assets present in the network, select the Suppress reporting of multicast MAC addresses checkbox. This option helps to keep the inventory size in check.
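
An added example (not Qualys code) for auditing an exported inventory before enabling the two suppression options above: it classifies MAC addresses by the standard IEEE 802 I/G (multicast) and U/L (locally administered) bits of the first octet. How CAPS itself identifies randomized MAC addresses is not stated on this page; the function names and the sample rows are assumptions constructed here.

```python
import re
from collections import defaultdict

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with ':', '-', '.' or no separators."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify_mac(text):
    """Classify a MAC by the two IEEE 802 flag bits in its first octet."""
    first = parse_mac(text)[0]
    if first & 0x01:          # I/G bit set: group (multicast or broadcast) address
        return "multicast"
    if first & 0x02:          # U/L bit set: locally administered, as randomized MACs are
        return "locally-administered"
    return "universal"        # vendor-assigned (OUI-based) unicast address

def summarize(inventory):
    """Group (hostname, mac) rows by class; unparseable MACs land under 'invalid'."""
    groups = defaultdict(list)
    for hostname, mac in inventory:
        try:
            groups[classify_mac(mac)].append((hostname, mac))
        except ValueError:
            groups["invalid"].append((hostname, mac))
    return dict(groups)

def randomization_suspects(inventory):
    """Hostnames seen with more than one locally administered MAC, with the count."""
    rows = summarize(inventory).get("locally-administered", [])
    counts = defaultdict(int)
    for hostname, _mac in rows:
        counts[hostname] += 1
    return {h: n for h, n in counts.items() if n > 1}

# Constructed sample rows (hostname, MAC); not taken from any real inventory.
SAMPLE = [
    ("phone-a", "DA:A1:19:3C:55:01"),
    ("phone-a", "5E:7B:20:11:9A:F3"),
    ("printer-1", "00:1B:44:11:3A:B7"),
    ("agent-host", "01:00:5E:00:00:FB"),
    ("vm-guest", "02-42-AC-11-00-02"),
    ("bad-row", "00:1B:44:11:3A"),
]

if __name__ == "__main__":
    for cls, rows in summarize(SAMPLE).items():
        print(cls, rows)
    print("suspects:", randomization_suspects(SAMPLE))
```

A locally administered address is not necessarily randomized, since virtual interfaces also use them; that is why the example counts several such MACs under one hostname rather than flagging on the bit alone.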