Secure Enterprise Mobility Settings

Configure Secure Enterprise Mobility (SEM) settings to fetch asset and asset detection data from your Qualys SEM account. The SEM settings section has options that enable you to

  • log the asset summary events
  • log the individual asset detections
  • set the number of records that can be fetched per API request (the default limit is 1000)
  • provide extra parameters, if any, for the SEM API

The default option is to log both the individual asset detections and the asset summary events. You can choose one or both options.


SEM Data Processing

We use two dates to fetch the SEM data: the start date and the current date. The start date is the date from which the TA pulls the SEM data from your Qualys SEM account. If the SEM checkpoint file is available, the TA uses the checkpoint date stored in it as the start date; otherwise, it uses the start date from the data input page (Settings > Data Inputs > Add Data). This date is stored in the detection_updated_since parameter.

The second date is the current date in the YYYY-MM-DDTHH:MM:SSZ format. This date is stored in the detection_updated_before parameter.

The TA calls the asset list API with 'detection_updated_since', 'detection_updated_before', 'action=list', 'truncation_limit' and any extra parameters configured in the SEM settings, to fetch into Splunk all the SEM data available between the start date and the current date.

If the API response contains a <WARNING> tag, the TA initiates a pagination call to retrieve the next data set.
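The date resolution, parameter assembly and pagination check described above, as an added example that is not the TA's own code. It assumes the checkpoint file holds a single date string, that extra parameters arrive as a dictionary, and that the TA's four parameters take precedence over any extra parameter with the same name; the sample API responses are constructed, and the <WARNING> tag is the only element whose name is taken from the page.

```python
# Added example (not the Qualys TA's own code): resolving the two dates and
# building the asset list API request described on this page.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the YYYY-MM-DDTHH:MM:SSZ format named on the page

# Constructed run time standing in for "the current date of the data input run".
RUN_TIME = datetime(2023, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed responses: the real API wraps these differently; only the
# presence or absence of a <WARNING> element matters to has_more_pages().
RESPONSE_WITH_WARNING = (
    "<ASSET_LIST_OUTPUT><RESPONSE><ASSET_LIST/>"
    "<WARNING><TEXT>truncated, more records available</TEXT></WARNING>"
    "</RESPONSE></ASSET_LIST_OUTPUT>"
)
RESPONSE_WITHOUT_WARNING = (
    "<ASSET_LIST_OUTPUT><RESPONSE><ASSET_LIST/></RESPONSE></ASSET_LIST_OUTPUT>"
)


def resolve_start_date(checkpoint_text, input_start_date):
    """Return the checkpoint date when the checkpoint file had content;
    otherwise fall back to the start date from the data input page.
    (Assumption: the checkpoint file contains a single date string.)"""
    if checkpoint_text and checkpoint_text.strip():
        return checkpoint_text.strip()
    return input_start_date


def build_params(start_date, now, truncation_limit=1000, extra_params=None):
    """Build the query parameters for the asset list API call.
    `now` is a timezone-aware datetime and becomes detection_updated_before."""
    params = {
        "action": "list",
        "detection_updated_since": start_date,
        "detection_updated_before": now.strftime(DATE_FMT),
        "truncation_limit": str(truncation_limit),
    }
    # Extra parameters from the SEM settings page are merged in, but (an
    # assumption of this example) never override the four the TA controls.
    for key, value in (extra_params or {}).items():
        params.setdefault(key, value)
    return params


def has_more_pages(response_xml):
    """True when the response carries a <WARNING> tag, which the TA treats
    as the signal to issue the next pagination call."""
    root = ET.fromstring(response_xml)
    return root.find(".//WARNING") is not None


if __name__ == "__main__":
    start = resolve_start_date("", "2023-02-01T00:00:00Z")
    print(build_params(start, RUN_TIME, extra_params={"show_results": "1"}))
    print("more pages:", has_more_pages(RESPONSE_WITH_WARNING))
```

Because the checkpoint date is used verbatim as detection_updated_since, a corrupted or hand-edited checkpoint file changes what the next run fetches; validating the stored string against DATE_FMT before use is a cheap safeguard.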

Post-processing of SEM Data

After receiving the SEM API response, we extract the asset ID from the <ASSET><ID></ID></ASSET> tag and create a new <ASSET_ID> tag inside each <DETECTION> tag. The asset ID in the <DETECTION> tag lets the user identify which asset a detection belongs to. We also remove the <DETECTION_LIST> tag from the <ASSET> tag and log the remaining asset information.

In the end, if more than one record is logged as an event in Splunk, the TA updates the checkpoint file with the value of detection_updated_before (i.e., the current date of the data input run). The checkpoint file is not updated if no records are found.
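The post-processing and checkpoint update described above, as an added example that is not the TA's own code. The sample response is constructed: only <ASSET>, <ID>, <DETECTION_LIST>, <DETECTION> and <ASSET_ID> are element names taken from the page, and the wrapper elements and detection fields are assumptions. The checkpoint rule is implemented as "advance when at least one record was logged, leave unchanged when none were", which is this example's reading of the paragraph.

```python
# Added example (not the Qualys TA's own code): splitting one SEM API
# response into asset summary events and per-detection events, then
# deciding whether the checkpoint moves forward.
import copy
import xml.etree.ElementTree as ET

# Constructed sample response; wrapper element names are assumptions.
SAMPLE_RESPONSE = """<ASSET_LIST_OUTPUT>
  <RESPONSE>
    <ASSET_LIST>
      <ASSET>
        <ID>1001</ID>
        <NAME>host-a</NAME>
        <DETECTION_LIST>
          <DETECTION><QID>91000</QID><SEVERITY>3</SEVERITY></DETECTION>
          <DETECTION><QID>91001</QID><SEVERITY>5</SEVERITY></DETECTION>
        </DETECTION_LIST>
      </ASSET>
      <ASSET>
        <ID>1002</ID>
        <NAME>host-b</NAME>
      </ASSET>
    </ASSET_LIST>
  </RESPONSE>
</ASSET_LIST_OUTPUT>"""


def split_sem_response(response_xml):
    """Return (asset_summary_events, detection_events) as lists of XML strings.

    Each detection gains an <ASSET_ID> child holding its parent asset's <ID>;
    each asset is emitted without its <DETECTION_LIST>."""
    root = ET.fromstring(response_xml)
    summaries, detections = [], []
    # findall() returns a list, so removing children while looping is safe.
    for asset in root.findall(".//ASSET"):
        asset_id = asset.findtext("ID")
        det_list = asset.find("DETECTION_LIST")
        if det_list is not None:
            for det in det_list.findall("DETECTION"):
                det_copy = copy.deepcopy(det)  # leave the parsed tree untouched
                ET.SubElement(det_copy, "ASSET_ID").text = asset_id
                detections.append(ET.tostring(det_copy, encoding="unicode"))
            asset.remove(det_list)
        summaries.append(ET.tostring(asset, encoding="unicode"))
    return summaries, detections


def next_checkpoint(previous, detection_updated_before, records_logged):
    """Advance the checkpoint to detection_updated_before only when records
    were logged; otherwise keep the previous value so the window is retried."""
    return detection_updated_before if records_logged > 0 else previous


def process_sample():
    """Run the transform over the constructed sample and return
    (summaries, detections, new_checkpoint)."""
    summaries, detections = split_sem_response(SAMPLE_RESPONSE)
    checkpoint = next_checkpoint(
        "2023-02-01T00:00:00Z", "2023-03-01T12:00:00Z",
        len(summaries) + len(detections),
    )
    return summaries, detections, checkpoint


if __name__ == "__main__":
    s, d, c = process_sample()
    print(len(s), "asset summary events;", len(d), "detection events")
    print("checkpoint:", c)
```

Note that an asset with no <DETECTION_LIST> (host-b above) still produces an asset summary event, and that the checkpoint is computed from the number of events actually emitted rather than from the raw response, so a run that fetched data but logged nothing keeps its window.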

SEM Event Types

The TA logs the fetched SEM data into two event types:

  • Asset information (<ASSET></ASSET>) is logged into the 'qualys_sem_asset_summary_event' event type in Splunk, and
  • Asset detection (<DETECTION></DETECTION>) is logged into the 'qualys_sem_detection_event' event type.

Event Types for Searching SEM Findings in Splunk

You can use the default event types to search for SEM data pulled into Splunk. For more information, refer to Event Types for searching your app's data.