
Cloud Agent as a Passive Sensor

You can configure the Qualys Cloud Agent to work as a passive sensor that identifies traffic in the agent's subnet. When configured, the Agent monitors your network activity, without actively probing devices, to detect active assets in your network.

Note: This feature is available only once the Windows agent binary with Cloud Agent as Passive Sensor support is available. For supported agent versions, refer to the Features by Agent Version section in the Cloud Agent Platform Availability Matrix.

To configure the settings for the cloud agent as a passive sensor:

1) In the Cloud Agent application, navigate to Configuration > CAPS Configuration.

 

2) In the CAPS Configuration page, configure the parameters described in the following sections.

3) Click Save. If you want to revert the changes made in the CAPS Configuration, click Cancel.

Data Upload Interval

Define the time interval, in minutes, at which Cloud Agent uploads CAPS data to Qualys Cloud Platform. The valid range is 15 to 1440 minutes. The default value is 30 minutes.

Configure CAPS Data

Configure the CAPS data to define the inclusion criteria for Cloud Agent to start the network scan.

CAPS Peers

Provide the value for minimum CAPS peers required in the network to start a scan. You can provide any value in the range 2-20.

Using this functionality, you can check if your Cloud Agent is on-premise or off-premise. CAPS allows you to configure the minimum number of CAPS-activated agents present in the network to confirm the state of your Cloud Agent.

For example, if you set the minimum number of peers required in the network to 2 and your Cloud Agent detects two CAPS-activated agents in the network, it means that your Cloud Agent is on-premise. If it detects fewer than two CAPS-activated agents on the network, it means that your Cloud Agent is off-premise.

DNS Suffix

Provide the domain name and IP address/IP address range within your network to specify the assets you want to monitor.

DNS Suffix Name: Provide the domain name to specify the assets that you want to add in the scan scope.

IP/IP Range: Provide the values for one or more IP addresses. Ensure that IP addresses are provided in the accepted formats, such as comma-separated list, IP range, and Classless Inter-Domain Routing (CIDR) notation.

Note: The Domain Name must be an exact match with the connection-specific DNS Suffix found on the endpoint as shown in the following image.

When you set the value for CAPS Peers with IP address and do not provide the DNS Suffix name, the AND condition is applied for CAPS peers and DNS suffix. This means that for a Cloud Agent to start the scan, both the minimum peer condition and IP address condition must be fulfilled in your network.

When you provide minimum CAPS Peers with IP addresses and also provide DNS suffix name, you can select whether to add AND or OR condition for CAPS Peers and DNS Suffix.
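The sketch below is an added example, not Qualys code: it parses an IP/IP Range value in the three accepted formats and evaluates the peers AND IP condition for the case where no DNS suffix name is given. It assumes the range syntax is "start-end" and that the IP condition is tested against the agent host's own address; the function names and the sample scope are hypothetical.

```python
import ipaddress

MIN_PEERS_RANGE = (2, 20)  # valid CAPS Peers values stated on this page

def parse_scope(spec):
    """Turn an IP/IP Range value into a list of networks.

    Accepts a comma-separated mix of single IPs, CIDR blocks and
    start-end ranges (the "a.b.c.d-a.b.c.e" syntax is an assumption).
    """
    nets = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {item}")
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # strict=True rejects CIDR typos such as 10.20.0.5/24
            nets.append(ipaddress.ip_network(item, strict=True))
    if not nets:
        raise ValueError("scope is empty")
    return nets

def in_scope(addr, nets):
    """True if addr falls inside any parsed network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

def scan_condition_met(peers_seen, min_peers, host_ip, scope_spec):
    """Peers AND IP condition for the case with no DNS suffix name."""
    lo, hi = MIN_PEERS_RANGE
    if not lo <= min_peers <= hi:
        raise ValueError(f"minimum peers must be {lo}-{hi}")
    return peers_seen >= min_peers and in_scope(host_ip, parse_scope(scope_spec))

# Constructed sample scope using all three formats
SCOPE = "10.20.0.0/24, 10.20.5.10-10.20.5.40, 10.20.9.7"

if __name__ == "__main__":
    for peers, ip in [(2, "10.20.5.25"), (1, "10.20.5.25"), (3, "192.168.1.14")]:
        print(peers, ip, scan_condition_met(peers, 2, ip, SCOPE))
```

Running a planned scope through a check like this before saving it shows whether a laptop on a home or guest network with enough peers would still satisfy the condition.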

Excluded Assets

Provide the IP addresses and MAC addresses of the assets that you want to exclude from the CAPS inventory. When you exclude assets from the CAPS inventory, Cloud Agent does not scan them.

Note: When you define the IP or MAC addresses to be excluded, the assets with the specified IP and MAC addresses, if available in the CSAM/GAV inventory, will be deleted.

Additional Configurations

You can configure additional knobs for CAPS by using the following flags.

Active Probe

Universal Plug and Play (UPnP) broadcast and multicast services search for devices present on the network and distribute service requests to them. Using the active probe functionality, you can leverage the UPnP broadcast and multicast services to make direct queries on devices present in the network.

Active Query

This functionality expedites the asset inventory building. You can enable CAPS-activated agents to make standard UPnP queries rather than just passively listening to them. For this functionality, you can use multicast and broadcast announcement queries and supported protocol queries. Qualys CAPS also allows you to opt out of this feature.

Suppress Reporting of Randomized MAC Addresses

Select the Suppress reporting of randomized MAC addresses checkbox to stop reporting assets with randomized MAC Addresses.

For mobile phones with the MAC Randomization feature enabled, Cloud Agent creates multiple asset records, which shows an increased unmanaged asset count. The Suppress reporting of randomized MAC addresses option allows you to restrict reporting such assets, keeping inventory size in check. 

Qualys maintains a hostname exclusion list for mobile phones. When you select this option, assets not present in the hostname exclusion list are reported to Qualys Cloud Platform, whereas assets present in the exclusion list are not reported to the Qualys Cloud Platform.

Suppress Reporting of Multicast MAC Addresses

CAPS assets with multicast MAC addresses may not add any value to the asset inventory. This happens because some software running on agent hosts uses incorrect MAC addresses, such as Multicast MAC addresses, which increases the asset inventory.
 
To stop monitoring and reporting such assets present in the network, select the Suppress reporting of multicast MAC addresses checkbox. This option keeps the inventory size in check.
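To estimate what the two suppression options would touch, the added example below (not Qualys code) classifies exported MAC addresses by the standard first-octet bits: the I/G bit marks multicast and the U/L bit marks locally administered addresses, which is the range randomized MACs are drawn from. The inventory rows are constructed, the function names are hypothetical, and the agent's own decision for randomized MACs also depends on the Qualys hostname exclusion list, which this sketch does not model.

```python
import re
from collections import defaultdict

def classify_mac(mac):
    """Classify a 48-bit MAC by the two low bits of its first octet."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = int(digits[:2], 16)
    if first & 0x01:
        return "multicast"             # I/G bit set (broadcast also lands here)
    if first & 0x02:
        # U/L bit set: randomized MACs, but also many virtual interfaces
        return "locally-administered"
    return "universal"                 # vendor-assigned (OUI) address

def audit(rows):
    """Group (hostname, mac) rows by MAC class."""
    groups = defaultdict(list)
    for host, mac in rows:
        groups[classify_mac(mac)].append((host, mac))
    return dict(groups)

def repeated_random_hosts(rows):
    """Hostnames seen with more than one locally administered MAC,
    i.e. one device likely counted as several asset records."""
    seen = defaultdict(set)
    for host, mac in rows:
        if classify_mac(mac) == "locally-administered":
            seen[host].add(mac.lower())
    return {h: len(m) for h, m in seen.items() if len(m) > 1}

# Constructed sample inventory export: (hostname, MAC address)
INVENTORY = [
    ("printer-3f", "00:1B:44:11:3A:B7"),
    ("phone-a",    "DA:A1:19:5C:22:01"),
    ("phone-a",    "6E:0F:3C:90:14:AB"),
    ("unknown",    "01:00:5E:00:00:FB"),
    ("unknown",    "33-33-00-00-00-01"),
]

if __name__ == "__main__":
    for cls, items in audit(INVENTORY).items():
        print(cls, len(items))
    print("repeated:", repeated_random_hosts(INVENTORY))
```

Locally administered addresses are not exclusive to phones, so review the flagged rows for virtual machine and container interfaces before treating the count as suppressible noise.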