Post-Configuration Operations at Qualys

Once you configure and enable FIM Events, Ignored Events, and FIM Incidents, the application bundled with this extension starts fetching your FIM data. By default, it pulls 1000 events at a time. The batch size is kept this small so that the application can process your data without hitting the memory limit governed by QRadar.

The first run might take some time, depending on your scan volume. After that, subsequent pulls are incremental, fetching only new or changed data.

QRadar Ecosystem

QRadar Gets data

Whenever cron runs a job (based on the cron schedule you defined), the job makes an outbound API call to Qualys, gets the event JSON, and sends it to QRadar over a socket using the TCP port configured in the QualysFimMultiline or QualysFimIncidents Log Source. Using the DSM Editor and the Qualys FIM JSON or Qualys FIM INCIDENTS Log Source Type provided with this extension, QRadar puts this data into the Events table in the Ariel database.
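The flow described above (batched pull, incremental checkpoint, forward over TCP), sketched as an added example that is not the extension's own code. The function names, the `id`-based checkpoint, the event fields, the one-JSON-object-per-line framing, and the one-connection-per-batch behavior are all assumptions; a local listener stands in for the log source port, and `fetch_batch` stands in for the Qualys API call.

```python
import json
import socket
import threading
import time

BATCH_SIZE = 1000  # default pull size stated on the page

def fetch_batch(store, checkpoint, limit=BATCH_SIZE):
    """Hypothetical stand-in for the API call: next `limit` events after `checkpoint`."""
    return sorted((e for e in store if e["id"] > checkpoint), key=lambda e: e["id"])[:limit]

def forward(events, host, port):
    """Send each event as one line of compact JSON over a TCP connection."""
    with socket.create_connection((host, port), timeout=5) as sock:
        for event in events:
            sock.sendall(json.dumps(event, separators=(",", ":")).encode() + b"\n")

def run_job(store, checkpoint, host, port):
    """One scheduled run: pull batches until caught up, checkpoint after each send."""
    sent = 0
    while batch := fetch_batch(store, checkpoint):
        forward(batch, host, port)
        checkpoint = batch[-1]["id"]  # advance only once the batch went out
        sent += len(batch)
    return checkpoint, sent

def start_listener(received):
    """Local TCP listener standing in for the log source port (demo only)."""
    server = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = server.accept()
            with conn, conn.makefile("rb") as stream:
                received.extend(json.loads(line) for line in stream)
    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]

def demo():
    # Constructed sample data: 2500 fake events, not real Qualys FIM output.
    store = [{"id": i, "action": "Content", "path": f"/etc/file{i}"} for i in range(1, 2501)]
    received = []
    port = start_listener(received)
    checkpoint, first = run_job(store, 0, "127.0.0.1", port)       # first run: full backlog
    store.append({"id": 2501, "action": "Delete", "path": "/etc/file1"})
    checkpoint, second = run_job(store, checkpoint, "127.0.0.1", port)  # incremental run
    deadline = time.time() + 5
    while len(received) < 2501 and time.time() < deadline:
        time.sleep(0.05)  # let the listener thread drain its sockets
    return checkpoint, first, second, received
```

Calling `demo()` shows the first run moving the whole backlog in three batches and the second run forwarding only the one event added after the checkpoint.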

Related Topics

Raw Data

Input Logs