VM Detection Data

Configure settings for collecting VM detection data. Select one or more logging options to indicate the type of data you want to view in Splunk.

To configure settings for collecting VM detection data, follow these steps:

  1. Go to Apps > Manage Apps > Qualys Technology Add-on for Splunk > Set up.
  2. Choose one or more logging options to indicate the type of data you want to view in Splunk.

    For example, you can choose to Log Host Summary events, Log extra statistics in host summary, and so on.

  3. In the Extra parameters for Detection API field, enter additional Host List Detection API input parameters to pull only selected vulnerability data from your Qualys account.

    For example, only pull data for certain hosts by specifying ips=10.10.10.2-10.10.10.10.

    Refer to the Qualys API user guides for the full list of supported parameters.
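The Extra parameters field is passed through to the API, so it is worth validating it before the first poll runs. The following is an added example, not the add-on's own code: it parses the setup-page string as URL query syntax, rejects keys the add-on is assumed to manage itself (the RESERVED_KEYS set is hypothetical), checks that every `ips` token is an IPv4 address or a low-high range such as the one in step 3, and shows how the validated parameters combine with a host ID range into a request query string. The `action`, `output_format`, `ids` and `ips` parameter names are Host List Detection API parameters; the defaults chosen here are assumptions.

```python
# Added example (not the Qualys TA's own code): validate the
# "Extra parameters for Detection API" string before it reaches the API.
import ipaddress
from urllib.parse import parse_qsl, urlencode

# Hypothetical: parameters the add-on is assumed to set itself, so an
# operator-supplied value must not silently override them.
RESERVED_KEYS = {"action", "output_format", "truncation_limit"}


def _check_ip_token(token: str) -> None:
    """Raise ValueError unless token is one IPv4 address or a low-high range."""
    low, _, high = token.partition("-")
    start = ipaddress.IPv4Address(low.strip())
    end = ipaddress.IPv4Address(high.strip()) if high else start
    if end < start:
        raise ValueError(f"range end precedes range start: {token!r}")


def parse_extra_params(extra: str) -> dict:
    """Parse key=value&key=value into a dict, rejecting unsafe content."""
    params = {}
    if not extra.strip():
        return params
    # strict_parsing=True rejects fragments without '=' instead of dropping them
    for key, value in parse_qsl(extra, keep_blank_values=True, strict_parsing=True):
        if key in RESERVED_KEYS:
            raise ValueError(f"parameter {key!r} is managed by the add-on")
        if key in params:
            raise ValueError(f"duplicate parameter {key!r}")
        if key == "ips":
            for token in value.split(","):
                _check_ip_token(token)
        params[key] = value
    return params


def extra_params_error(extra: str):
    """Return None if the string is acceptable, otherwise the validation message."""
    try:
        parse_extra_params(extra)
    except ValueError as exc:
        return str(exc)
    return None


def build_query(extra: str, ids_range: str) -> str:
    """Combine assumed add-on defaults with the validated operator parameters."""
    query = {"action": "list", "output_format": "XML", "ids": ids_range}
    query.update(parse_extra_params(extra))
    return urlencode(query)


if __name__ == "__main__":
    print(build_query("ips=10.10.10.2-10.10.10.10", "1-1000"))
    print(extra_params_error("ips=10.10.10.10-10.10.10.2"))
```

Reversed ranges, malformed addresses and attempts to override reserved keys all surface as a message from `extra_params_error`, which is the point at which a setup page would refuse to save the field.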

VM Detection Settings

The following VM Detection settings are available. Each setting is listed with its description.

Log host information with each detection

Select this option if you want to log host information (IP, OS, DNS, NetBIOS) along with each detection.

Host fields to log

The default set of host XML tags that the TA writes to each VM detection event in Splunk.

You can add further host XML tag names from the Host List API response, separated by commas (for example, Asset_ID), or remove any existing tag that you do not want to log.

Detection fields to log

The default set of detection XML tags that the TA writes to each VM detection event in Splunk.

You can add further detection XML tag names from the Host List Detection API response, separated by commas (for example, AFFECT_EXPLOITABLE_CONFIG and AFFECT_RUNNING_KERNEL), or remove any existing tag that you do not want to log.

Max characters allowed in RESULTS field

Sets the maximum number of characters kept in the RESULTS field. If the value exceeds this limit, the TA truncates the excess characters after parsing the RESULTS field and appends the message [TRUNCATED XXX Characters], where XXX is the number of characters removed, to indicate that part of the value was dropped.

The default value is zero, which means the TA does not truncate the field and the entire value is visible in the RESULTS field in Splunk.

RESULT_TRUNCATED

The RESULT_TRUNCATED field indicates whether the RESULTS field was truncated, and whether the TA or Splunk truncated it.

  • RESULT_TRUNCATED is set to 0 if neither the TA nor Splunk truncated the value in the RESULTS field.
  • RESULT_TRUNCATED is set to 1 when Splunk truncates the RESULTS field.
    This happens when the truncation value configured for the RESULTS field in Splunk's props.conf is greater than the limit set on the TA setup page.
    In this case, the TA first truncates the RESULTS field to the Max characters allowed in RESULTS field value, and Splunk then truncates the difference between the two limits.
  • RESULT_TRUNCATED is set to 2 if the TA truncates the RESULTS field after parsing the event and the truncation value configured for the RESULTS field in props.conf is the same as or less than the limit set for the VM RESULTS field on the TA setup page.

If Splunk truncates the RESULTS field, the [TRUNCATED XXX Characters] message is not shown in the RESULTS field.
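The interaction between the Host fields to log and Detection fields to log settings, the TA-side RESULTS limit and a second, event-level limit applied in Splunk is easiest to see on a concrete response. The following is an added example, not the add-on's own code: it takes a constructed Host List Detection XML fragment (element names follow the real response layout, values are made up), writes one key="value" event per DETECTION using the configured tag lists, applies the character limit with the marker text quoted above, and then models a props.conf TRUNCATE as a cut of the whole event string to show why the marker disappears when Splunk truncates as well. The exact marker placement (a space before the bracket), the quoted key="value" layout and the whole-event model of TRUNCATE are assumptions.

```python
# Added example (not the Qualys TA's own code): build VM detection events from a
# Host List Detection response and show both truncation stages.
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Host List Detection response; values are made up.
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
<HOST><ID>12345</ID><IP>10.10.10.2</IP><OS>Linux 5.x</OS>
<DNS>web01.example.test</DNS><NETBIOS></NETBIOS>
<DETECTION_LIST><DETECTION><QID>91000</QID><TYPE>Confirmed</TYPE>
<SEVERITY>4</SEVERITY><RESULTS>%s</RESULTS><STATUS>Active</STATUS>
<AFFECT_RUNNING_KERNEL>1</AFFECT_RUNNING_KERNEL></DETECTION>
</DETECTION_LIST></HOST></HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>""" % ("x" * 300)

# Tag lists as an operator would type them into the setup page.
HOST_FIELDS = ["ID", "IP", "OS", "DNS", "NETBIOS"]
DETECTION_FIELDS = ["QID", "TYPE", "SEVERITY", "RESULTS", "STATUS", "AFFECT_RUNNING_KERNEL"]


def truncate_results(results: str, max_chars: int):
    """TA-side limit: 0 means unlimited; otherwise keep max_chars and append the marker.

    Returns (value, number_of_characters_removed)."""
    if max_chars <= 0 or len(results) <= max_chars:
        return results, 0
    dropped = len(results) - max_chars
    # Marker text from the documentation; the leading space is an assumption.
    return results[:max_chars] + f" [TRUNCATED {dropped} Characters]", dropped


def host_events(xml_text: str, host_fields, detection_fields, max_chars: int):
    """Return one key="value" event string per DETECTION, prefixed with host fields."""
    root = ET.fromstring(xml_text)
    events = []
    for host in root.iter("HOST"):
        host_kv = [f'{tag}="{host.findtext(tag, "")}"' for tag in host_fields]
        for det in host.iter("DETECTION"):
            det_kv = []
            for tag in detection_fields:
                value = det.findtext(tag, "")
                if tag == "RESULTS":
                    value, _ = truncate_results(value, max_chars)
                det_kv.append(f'{tag}="{value}"')
            events.append(", ".join(host_kv + det_kv))
    return events


def index_event(event: str, splunk_truncate: int):
    """Hypothetical model of props.conf TRUNCATE: cut the whole event at N characters.

    Returns (stored_event, was_cut)."""
    if splunk_truncate <= 0 or len(event) <= splunk_truncate:
        return event, False
    return event[:splunk_truncate], True


def marker_survives(event: str) -> bool:
    """True if the TA's truncation marker is still present after indexing."""
    return "[TRUNCATED " in event


if __name__ == "__main__":
    for ev in host_events(SAMPLE_XML, HOST_FIELDS, DETECTION_FIELDS, 100):
        stored, cut = index_event(ev, 150)
        print(f"cut_by_splunk={cut} marker_visible={marker_survives(stored)}")
        print(stored)
```

With the TA limit at 100 and the modelled Splunk limit at 150, the event is cut in the middle of the RESULTS value and the marker is lost, which is the situation the note above describes; with the Splunk limit at 0 (or anything larger than the event) the marker stays visible.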

Enable the checkbox for SwCA Events

To enable SwCA events for retrieving the app result information, select this checkbox.

For detailed information, see Enable SwCA Subscription for Host Detection APIs.

TRURISK_SCORE, ACS, TRURISK_FACTORS for Host Asset API

To get TRURISK_SCORE, ACS, and TRURISK_FACTORS in your VM detection events, select the TRURISK_SCORE, ACS, and TRURISK_FACTORS for Host Asset API checkbox under VM Detection Settings on the TA setup page.

The TA parses TRURISK_SCORE, ACS, and TRURISK_FACTORS from the Host Asset API response and adds them to the VM detection events.

Host List Detection Maximum API Retry Count

Specify the number of times the TA retries an API call after an error, excluding 429 Too Many Requests errors.

When the maximum retry count is exceeded, the TA skips that API call and proceeds to the next host ID or host ID range to pull data.

This setting applies only when multithreading is enabled.

VM Detection-Advanced Settings

To preserve the VM Detection API XML responses only for certain host IDs, enter those IDs in the Host IDs field.

Responses for host IDs within the specified range are saved in TA-QualysCloudPlatform/tmp. A matching response is saved regardless of its content.

The Host Asset API response XML can also be preserved in the TA-QualysCloudPlatform/tmp directory by selecting Enable to preserve Host Asset API response.

To preserve XML only for the host IDs in the Host IDs field, you must disable Enable to preserve the XML/JSON files of API output under More Settings. If that option is enabled and you have also entered host IDs in the Host IDs field, all XML responses are preserved, not only those for the listed host IDs.

Enable SwCA Events

The TA parses the application information present on hosts for SwCA-enabled subscriptions.

To retrieve the app result information, perform the following steps:

  1. Select the Enable the checkbox for SwCA Events checkbox.

  2. On the TA setup page, in the VM Detection Settings section, verify that RESULTS is listed in the Detection fields to log field.

This feature is available only to users with an active Software Composition Analysis (SwCA) subscription.
To enable Delimit QID Results, contact your Technical Account Manager (TAM).

New Event Type

SwCA application info is now logged as individual events with the following properties:

  • Event Type: qualys_app_info_event
  • Applies To: host_detection data input

Event Behavior

  • When a <DETECTION> tag contains a RESULT_INSTANCE with application data:
    • The TA parses each software instance individually.
    • Each instance is logged as a separate event under the event type qualys_app_info_event.
  • The original detection event (which does not include a RESULT tag) includes the flag:
    swca_events_generated=1
  • This flag indicates that SwCA application info events were successfully generated and logged.
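The fan-out described above, as an added example rather than the add-on's own code: one DETECTION carrying several RESULT_INSTANCE children is split into one application event per instance, each tagged with the host context and QID so it can be joined back to the parent, while the parent detection event is emitted once with `swca_events_generated=1` and without the RESULT_INSTANCE data. Only the DETECTION, QID and RESULT_INSTANCE element names and the flag come from the page; the child elements inside each RESULT_INSTANCE (APP_NAME, APP_VERSION, PATH), the host context values and the event layout are constructed for the sample and are not the real SwCA schema.

```python
# Added example (not the Qualys TA's own code): split SwCA application instances
# out of a detection into separate events and flag the parent.
import xml.etree.ElementTree as ET

# Constructed sample: the RESULT_INSTANCE child tags are hypothetical.
SAMPLE_DETECTION = """<DETECTION><QID>980001</QID><TYPE>Confirmed</TYPE><SEVERITY>3</SEVERITY>
<RESULT_INSTANCE><APP_NAME>log4j-core</APP_NAME><APP_VERSION>2.14.1</APP_VERSION>
<PATH>/opt/app/lib/log4j-core-2.14.1.jar</PATH></RESULT_INSTANCE>
<RESULT_INSTANCE><APP_NAME>log4j-core</APP_NAME><APP_VERSION>2.3</APP_VERSION>
<PATH>/srv/legacy/log4j-core-2.3.jar</PATH></RESULT_INSTANCE>
<STATUS>Active</STATUS></DETECTION>"""

# Constructed host context that would come from the enclosing <HOST>.
HOST_CONTEXT = {"HOST_ID": "12345", "IP": "10.10.10.2"}


def split_swca_events(detection_xml: str, host_context: dict):
    """Return (detection_event, app_events) as dicts of field -> value.

    Each RESULT_INSTANCE becomes one app event carrying the host context and the
    parent QID; the detection event keeps every other child of <DETECTION> and
    gains swca_events_generated=1 only if at least one app event was produced."""
    det = ET.fromstring(detection_xml)
    qid = det.findtext("QID", "")

    app_events = []
    for instance in det.findall("RESULT_INSTANCE"):
        event = dict(host_context)
        event["QID"] = qid
        for child in instance:
            event[child.tag] = (child.text or "").strip()
        app_events.append(event)

    detection_event = dict(host_context)
    for child in det:
        if child.tag != "RESULT_INSTANCE":
            detection_event[child.tag] = (child.text or "").strip()
    if app_events:
        detection_event["swca_events_generated"] = "1"
    return detection_event, app_events


def to_kv(event: dict) -> str:
    """Render an event dict in the key="value" style used for Splunk events."""
    return ", ".join(f'{key}="{value}"' for key, value in event.items())


if __name__ == "__main__":
    parent, apps = split_swca_events(SAMPLE_DETECTION, HOST_CONTEXT)
    print(to_kv(parent))
    for app in apps:
        print("  app event:", to_kv(app))
```

Searching the app events by HOST_ID and QID returns every instance that the single detection summarised, which is what makes the per-instance events useful for tracking down the specific vulnerable file on a host.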

Configure Directory Path for the .seed file on Splunk Cloud

The directory path for the .seed file on Splunk Cloud must start with $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp. TA-QualysCloudPlatform reports an error while generating the .seed file if any other path is configured.
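A textual "starts with" check is weaker than the rule above intends: `$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp2` and `.../tmp/../../../../etc` both start with the required prefix yet point outside the directory. The following is an added example, not the add-on's own code: it shows the naive prefix check beside a stricter one that expands `$SPLUNK_HOME`, resolves the path and requires the result to lie inside the tmp directory. Passing `splunk_home` explicitly is an assumption made so the check runs offline; a deployment would read it from the environment.

```python
# Added example (not the Qualys TA's own code): decide whether a configured
# .seed directory really sits under $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp.
import os

SEED_SUBDIR = os.path.join("etc", "apps", "TA-QualysCloudPlatform", "tmp")


def _expand(configured_path: str, splunk_home: str) -> str:
    """Substitute $SPLUNK_HOME (assumption: passed in, not read from os.environ)."""
    return configured_path.replace("$SPLUNK_HOME", splunk_home)


def naive_prefix_ok(configured_path: str, splunk_home: str) -> bool:
    """The literal rule as written: the path must start with the tmp prefix.

    Accepts sibling directories (tmp2) and '..' traversal, so it is shown only
    as the weak form to compare against."""
    allowed_prefix = os.path.join(splunk_home, SEED_SUBDIR)
    return _expand(configured_path, splunk_home).startswith(allowed_prefix)


def seed_dir_allowed(configured_path: str, splunk_home: str) -> bool:
    """Stricter check: the resolved path must be the tmp directory or inside it."""
    base = os.path.realpath(os.path.join(splunk_home, SEED_SUBDIR))
    target = os.path.realpath(_expand(configured_path, splunk_home))
    try:
        # commonpath normalises both sides; equality with base means containment
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # raised on Windows when the paths are on different drives
        return False


if __name__ == "__main__":
    for candidate in (
        "$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp",
        "$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp/seeds",
        "$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp2",
        "$SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp/../../../../etc",
    ):
        print(f"{candidate}: prefix={naive_prefix_ok(candidate, '/opt/splunk')} "
              f"strict={seed_dir_allowed(candidate, '/opt/splunk')}")
```

The two rejected cases in the loop are exactly the ones the prefix test lets through, which is why a containment check on the resolved path is the form worth using when the value comes from an editable setup page.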

Event Types for Searching VM Detection Data in Splunk

You can use default event types to search for VM detection data pulled in Splunk. For more information, refer to Event Types for Searching your Apps Data.