Configure Data Sync
TA-QualysCloudPlatform pulls Qualys data and indexes in Splunk on a regular basis.
Scripts parse and convert the Qualys API output to Splunk friendly format (CIM-compliant in Splunk parlance).
Go to Settings and select Data Inputs.
Click the Add new link for the Qualys Technology Add-On, as shown.
Choose the Qualys metric (data feed input) you are interested in, and specify when and how often to start pulling data.
Click Next.
Repeat these steps for each metric you want.
| Application | Data Feed Input |
|---|---|
| VM data |
knowledge_base and host_detection You need to create 2 data inputs. One for knowledgebase and another for host detection |
| PC data | policy_posture_info |
| WAS data |
knowledge_base and was_findings You need to create 2 data inputs. One for knowledgebase and another for was findings. |
| CS image |
cs_image_vulns. |
| For CS container | cs_container_vulns |
| FIM events data | fim_events |
| FIM ignored events | fim_ignored_events. |
| EDR | edr_events |
| Activity Log | activity_log |
| SEM | sem_detection |
| PCRS | pcrs_posture_info |
| CSAM | cyber_security_asset_management |
| CertView | certview_certificates |
When setting the interval, consider your Qualys scanning schedule. If you scan weekly, daily data sync is unnecessary.
Does the script pull all data or deltas only?
The script pulls all data from your Qualys account the first time it runs, but it only pulls the changes afterwards.
Qualys data is added to Splunk
You notice that each scan has a separate entry in Splunk. If you purge hosts using your Qualys account, the data is not removed from Splunk.
How to assign a custom index to an event type?
From TA v1.7.1 onwards, we are not supporting macro definition for indexes.
- Specify a custom index from UI
- Go to Settings > Event types.
- From the app drop-down, select Qualys Technology Add-On for Splunk.
- Navigate to the event type that you want to update.
- Click the event type and update the search string to specify index=<name of the custom index>.
- Specify a custom index from CLI.
- To set a custom index, copy the eventtype.conf file from
$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/default/to$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/and update the search string of the required event type to specify index=<name of the custom index>. - Restart the Splunk app.
Next Step