Configure Application
In the following sections application configuration steps are explained.
Qualys API Configurations
Perform the following steps in QRadar:
- Go to the Admin tab.
- Scroll to the Apps section.
- Click Qualys FIM App Settings.
- A pop-up window opens. Go to Advanced Configuration.
Authorization Token
QRadar's Authorization token is used to interact securely with QRadar. You can obtain this token from Admin > User Management > Authorized Service.
Following are the steps to generate an Authorization Token:
- Go to Authorized Services in the Admin tab
- Click Add Authorized Service.
- Enter the desired Service Name.
- Select User Role as Admin.
- Select Security Profile as Admin.
- Set the expiry date as required.
- Click Create Service and then click Deploy changes.
- Click Save under the Settings tab after providing the Authorization Token.
Use the Settings tab to configure your Qualys credentials. Enter your Qualys API server, username, and password in the appropriate fields.
Log Source
Perform the following steps under Log Source:
- Select Log Source for Events as QualysFimMultiline.
- Select Log Source for Incidents as QualysFimIncidents.
Proxy Configuration
Configure proxy details if you want the Qualys app to use a proxy while calling the API.
- Select Use a proxy server for API call to enable proxy.
- Add your proxy server and proxy port in <proxy server>:<proxy port> format.
- If your proxy needs authentication, add the proxy user and proxy password along with the server and port in <proxy user>:<proxy password>@<proxy server>:<proxy port> format.
FIM Events
Use the FIM Events tab to configure and enable Fetch FIM Events.
- Select the Enable FIM Events Fetch to enable this data input.
- Enter a valid cron format entry in the Cron Schedule field. This field is mandatory if the Enable FIM Events option is selected. Learn about cron expression.
- In the Start Date-Time field, enter the date-time from which you want to fetch the FIM events data from Qualys.
- This is an optional field.
- The date-time format should be 'YYYY-MM-DDTHH:MM:SS.MSZ', e.g. '2019-02-25T18:30:00.000Z'.
- If the value is not provided, FIM events are fetched from the browser's current date. The start date shouldn't be less than 2017-01-01T00:00:00.000Z.
- In the Filter field, enter filter criteria to filter the FIM events.
- This is an optional field.
- The filter fields should be in Elastic Search Query format.
- From the Select log level drop-down menu, select the required log level out of the following options:
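Two of the free-text settings above are easy to get wrong: the proxy string (<proxy user>:<proxy password>@<proxy server>:<proxy port>) and the Start Date-Time (YYYY-MM-DDTHH:MM:SS.MSZ, not earlier than 2017-01-01T00:00:00.000Z, defaulting to the current time when empty). The following Python checks, written for this page and not part of the Qualys app, validate both before they are entered into the form; the function names are assumptions.

```python
from datetime import datetime, timezone

# Lower bound for Start Date-Time stated in the Qualys FIM app settings.
MIN_START = datetime(2017, 1, 1, tzinfo=timezone.utc)
START_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # e.g. 2019-02-25T18:30:00.000Z


def parse_start_datetime(value, now=None):
    """Return the UTC datetime the FIM fetch should start from.

    An empty value falls back to the current time (the app uses the
    browser's current date); a value before 2017-01-01T00:00:00.000Z
    or one that is not in the documented format is rejected.
    """
    if not value:
        return now or datetime.now(timezone.utc)
    try:
        dt = datetime.strptime(value, START_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        raise ValueError(f"Start Date-Time must look like 2019-02-25T18:30:00.000Z, got {value!r}")
    if dt < MIN_START:
        raise ValueError("Start Date-Time must not be earlier than 2017-01-01T00:00:00.000Z")
    return dt


def parse_proxy(value):
    """Split '<user>:<password>@<server>:<port>' or '<server>:<port>' into parts.

    Credentials are split on the last '@' so a password containing '@'
    still parses; the port must be numeric and within 1-65535.
    """
    creds, sep, hostport = value.rpartition("@")
    server, _, port = hostport.rpartition(":")
    if not server or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"Proxy must be <proxy server>:<proxy port>, got {value!r}")
    proxy = {"server": server, "port": int(port), "user": None, "password": None}
    if sep:
        user, _, password = creds.partition(":")
        if not user:
            raise ValueError("Proxy user must not be empty when credentials are given")
        proxy["user"], proxy["password"] = user, password
    return proxy
```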
FIM Ignored Events
Use the FIM Ignored Events tab to configure and enable Fetch FIM Ignored Events.
- Select the Enable FIM Ignored Events Fetch to enable this data input.
- In the Cron Schedule field, enter a valid cron format entry. This field is mandatory if the Enable FIM Ignored Events option is selected.
- In the Start Date-Time field, enter the date-time from which you want to fetch the FIM Ignored events data from Qualys.
- This is an optional field.
- The date-time format should be 'YYYY-MM-DDTHH:MM:SS.MSZ', e.g. '2019-02-25T18:30:00.000Z'.
- If the value is not provided, FIM Ignored events are fetched from the browser's current date. The start date shouldn't be less than 2017-01-01T00:00:00.000Z.
- In the Filter field, enter extra filter criteria to filter the FIM Ignored events.
- This is an optional field.
- The filter fields should be in Elastic Search Query format.
- From the Select log level drop-down menu, select the required log level out of the following options:
FIM Incidents
Use the FIM Incidents tab to configure and enable Fetch FIM Incidents.
- Select the Enable FIM Incidents Fetch to enable this data input.
- Enter a valid cron format entry in the Cron Schedule field. This field is mandatory if the Enable FIM Incidents Fetch checkbox is checked. Learn about cron expression.
- In the Start Date-Time field, enter the date-time from which you want to fetch the FIM Incidents data from Qualys.
- This is an optional field.
- The date-time format should be 'YYYY-MM-DDTHH:MM:SS.MSZ', e.g. '2019-02-25T18:30:00.000Z'.
- If the value is not provided, FIM Incidents are fetched from the browser's current date. The start date shouldn't be less than 2017-01-01T00:00:00.000Z.
- In the Filter field, enter filter criteria to filter the FIM events.
- This is an optional field.
- The filter fields should be in Elastic Search Query format.
From the Select log level drop-down menu, select the required log level out of the following options:
Use the Advanced tab to see the last success and failure for FIM Events, FIM Ignored Events and FIM Incidents.