VM Detection Data
Configure settings for collecting VM detection data. Select one or more logging options to indicate the type of data you want to view in Splunk.
To configure settings for collecting VM detection data, follow these steps:
- Go to Apps > Manage Apps > Qualys Technology Add-on for Splunk > Set up.
- Choose one or more logging options to indicate the type of data you want to view in Splunk.
For example, you can choose to Log Host Summary events, Log extra statistics in host summary, and so on.
- Enter API input parameters in the Extra parameters for Detection API field for the Host Detection API to pull select vulnerability data from your Qualys account.
For example, only pull data for certain hosts by specifying ips=10.10.10.2-10.10.10.10.
Refer to API user guides.
VM Detection Settings
Refer to the following table for various VM Detection settings.
| Settings | Description |
|---|---|
|
Log host information with each detection |
Select this option if you want to log host information (IP, OS, DNS, NetBios) along with each detection. |
|
Host fields to log |
Default output field that displays host assets on Splunk for VM events. You can specify additional host XML tag names to log in to the event, adding them separately by commas. You can add tags such as Asset_ID or remove any existing tag from the Host List API response you do not wish to log. |
|
Detection fields to log |
Default output field that displays host detection on Splunk for VM events. To specify the detection XML tag names you want to log in to the event, you can add them separately by commas. For instance, you can add 'AFFECT_EXPLOITABLE_CONFIG' and 'AFFECT_RUNNING_KERNEL' to the Host List Detection response. Conversely, you can remove any existing tags that you do not want to log. |
|
Max characters allowed in RESULTS field |
Set a limit on the maximum number of characters that appear in the Results field. So if the number of characters exceeds the maximum allowed limit, TA truncates the excess characters after parsing the RESULTS field. Additionally, it appends the message [TRUNCATED XXX Characters] in the Results field to indicate that some characters were removed. * The default value is zero, which means TA does not truncate any characters while parsing, and you can see the entire value in the RESULTS field in Splunk |
| RESULT_TRUNCATED |
The RESULT_TRUNCATED field shows values based on whether the RESULT field is truncated by TA or Splunk.
If Splunk truncates the RESULTS field, then the message [TRUNCATED XXX Characters] in the Results field is not shown. |
| Enable the checkbox for SwCA Events |
To enable SwCA events for retrieving the app result information, select this checkbox. For detailed information, see Enable SwCa Subscription for Host Detection APIs |
|
TRURISK_SCORE, ACS, TRURISK_FACTORS for Host Asset API |
To get the TRURISK_SCORE, ACS, and TRURISK_FACTORS, check the TRURISK_SCORE, ACS, and TRURISK_FACTORS for Host Asset API checkbox provided under VM Detection Settings in the TA setup page. We parse TRURISK_SCORE, ACS, and TRURISK_FACTORS and add them to VM detection events. |
| Host List Detection Maximum API Retry Count |
Specify the number of times TA can retry the API call after any error occurs, except for 429 Too Many Requests errors. TA skips the API call after the maximum retry count exceeds and proceeds to pick the next Host IDs or Host ID range to pull the data This feature is Applicable in the case of Multi threading only. |
|
To preserve the VM Detection API XMLs response exclusively for certain host IDs, you need to input those IDs into the Host IDs field in TA-QualysCloudPlatform/tmp. This field is used to save the response in TA-QualysCloudPlatform/tmp if it falls within the specified range. The system saves the response regardless of whether it exists or not. The Host Asset API response XML can be preserved in TA-QualysCloudPlatform/tmp directory using Enable to preserve Host Asset API response. To preserve the XML for the Host Ids provided in the Host IDs field, you must disable the Enable to preserve the XML/JSON files of API output under More Settings. If Enable to preserve the XML/JSON files of API output under More Settings is enabled and you have provided the host Ids in Host IDs field, then all XMLs is preserved along with the provided Host Ids. |
Enable SwCA Events
The TA now parses application information present on hosts for SwCA-enabled subscriptions.
To retrieve the app result information, perform the following steps:
-
Select Enable the checkbox for SwCA Events checkbox.
-
On the TA Setup page, in the VM Detection Settings section, verify that the RESULTS is present inside the Detection Fields to Log field.
This feature is available exclusively to users with an active Software Composition Analysis (SwCA) subscription.
To enable Delimit QID Results, please contact your Technical Account Manager (TAM).
New Event Type
SwCA application info is now logged as individual events with the following properties:
- Event Type: qualys_app_info_event
- Applies To: host_detection data input
Event Behavior
- When a <DETECTION> tag contains a RESULT_INSTANCE with application data:
- The TA parses each software instance individually.
- Each instance is logged as a separate event under the event type
qualys_app_info_event.
- The original detection event (which doesn’t include a RESULT tag) will include the flag:
swca_events_generated=1 - This indicates that SwCA application info events were successfully generated and logged.
Configure Directory Path for the .seed file on Splunk Cloud
Directory path for the .seed file on Splunk Cloud must start with $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp. TA-QualysCloudPlatform shows an error while generating the .seed file if you configure any other path.
Event Types for Searching VM Detection Data in Splunk
You can use default event types to search for VM detection data pulled in Splunk. For more information, refer to Event Types for Searching your Apps Data.