Configure FlexScan

Once you have your connectors configured, you can run FlexScan to collect your cloud resource data, create an inventory, and perform specialized vulnerability scans.

TotalCloud FlexScan is a zero-touch scanning solution that covers both agent-based and agentless scanning, such as Cloud Perimeter Scan, Qualys Agent deployment, API-Based (agentless) assessment, and Snapshot-Based (agentless) assessment.

Refer to Prerequisites for FlexScan before proceeding with the configuration.

Available FlexScan

Currently, TotalCloud offers three FlexScan options to choose from. You can select a combination of agentless and agent-based scans. More FlexScan options are to be introduced in later releases.

API-Based Assessment

TotalCloud FlexScan's API-Based Assessment uses AWS APIs to collect OS package inventory from the workloads for vulnerability analysis. This agentless scan is a quick way to catch vulnerabilities that may pop up in the intervals while the agents wait to perform the next automated scan. When combined with agent scans, API-based scans offer a complete security solution by ensuring your newly introduced assets are secure without waiting for the Qualys agent scan.

Once you've selected API-based assessment as one of your FlexScan options, the TotalCloud module runs scans automatically, using AWS APIs to fetch results. API-based scans run automatically on assets discovered as part of a connector run or through EventBridge alerts.

API-based assessment is quick and best suited for short-lived workloads and the initial assessment of new workloads. You can configure API-based scans on connectors for CloudView or AssetView. 

Refer to Configure Zero-touch API-based Assessment to get started.

Snapshot-Based Assessment

TotalCloud FlexScan's Snapshot-Based Assessment runs scans on snapshot images of your workloads for high-volume vulnerability analysis. This agentless scanning technique helps customers detect risk, vulnerabilities, and compliance posture for virtual machines/compute instances without affecting their current workload.

Once you have configured your service and target accounts in your AWS console with the help of the necessary CloudFormation templates, you can target multiple accounts for vulnerability analysis.

Refer to either Configure Zero-touch Snapshot-based Assessment for AWS or Configure Zero-touch Snapshot-based Assessment for Azure to get started.

Cloud Perimeter Scan

TotalCloud FlexScan launches scans through Qualys External Scanners (Internet Remote Scanners), located at the Qualys Cloud Platform. The scanners assess workloads over the network.

When a new workload is created, FlexScan automatically instantiates the network scanner in the appropriate network to conduct the scan of the workload. Network scanners provide assessment capabilities similar to those of an agent. However, unlike agents, they cannot perform any remediation actions.

Network scanners should be used to assess workloads facing the internet and workloads on which agents cannot be installed. Only network scanners can detect vulnerabilities related to network protocols. They can give you an outside-in view that the other scanners cannot.

Refer to Configure Cloud Perimeter Scan to get started.

Qualys Agent Scan

The Qualys Cloud Agent-based scan on AWS is carried out using a Systems Manager (SSM) document and Run Command. Qualys will provide public SSM documents that can be used directly by the customer, or the customer can provision the SSM document using Qualys Flow.

Qualys Flow will be used for the Run Command of the SSM document, and you can also use the AWS approach of SSM State Manager.

Refer to Configure Qualys Agent Scan to get started.

Run FlexScan

Now that you know the available FlexScan options, let's look at how to run a FlexScan on your existing connectors.

1) Navigate to the Connectors Application.

You see a list of the connectors you have configured from the TotalCloud or the Connector applications. Connectors from both applications are eligible for FlexScan.

2) Select connector(s) where you want to configure FlexScan.

3) Click Configure FlexScan.

4) Select the required FlexScan: API-based, Snapshot-based, or Cloud Perimeter.

Note: If you've already configured FlexScan settings for the selected connector, clicking 'Configure' will overwrite the previous FlexScan settings. Select the "Modifying the settings now..." checkbox to enable the Configure button.

6) Click Configure.

View Connectors with FlexScan

To view connectors with FlexScan configured, use the token 'isFlexScanConfigured' and pass true or false. This fetches the list of connectors with or without FlexScan already configured.