VM Detection Data

Configure settings for collecting VM detection data. Select one or more logging options to indicate the type of data you want to view in Splunk.

To configure settings for collecting VM detection data, follow these steps:

  1. Go to Apps > Manage Apps > Qualys Technology Add-on for Splunk > Set up.
  2. Choose one or more logging options to indicate the type of data you want to view in Splunk.

    For example, you can choose to Log Host Summary events, Log extra statistics in host summary, and so on.

  3. Enter API input parameters in the Extra parameters for Detection API field to have the Host List Detection API return only the vulnerability data you want from your Qualys account.

    For example, to pull data for certain hosts only, specify ips=10.10.10.2-10.10.10.10.

    Refer to the Qualys API user guides for the parameters the Host List Detection API accepts.

VM Detection Settings

The VM Detection settings are listed below, each followed by its description.

Log host information with each detection

Select this option to log host information (IP, OS, DNS, NetBIOS) along with each detection.

Host fields to log

The default set of host fields that the TA writes into VM detection events in Splunk.

To log additional host fields, add their XML tag names from the Host List API response as a comma-separated list, for example ASSET_ID. You can also remove any existing tag that you do not want to log.

Detection fields to log

The default set of detection fields that the TA writes into VM detection events in Splunk.

To log additional detection fields, add their XML tag names from the Host List Detection API response as a comma-separated list, for example AFFECT_EXPLOITABLE_CONFIG and AFFECT_RUNNING_KERNEL. Conversely, you can remove any existing tag that you do not want to log.

Max characters allowed in RESULTS field

Sets the maximum number of characters kept in the RESULTS field. If the parsed RESULTS value is longer than this limit, the TA drops the excess characters and appends the message [TRUNCATED XXX Characters] to the field, where XXX is the number of characters removed. *

The default value is 0, which means the TA does not truncate the value while parsing and the entire RESULTS value is visible in Splunk. Note that Splunk's own event length limit (TRUNCATE in props.conf, 10000 bytes by default) still applies to the whole event, so a very large RESULTS value can be cut by Splunk even when this setting is 0.

RESULT_TRUNCATED

The RESULT_TRUNCATED field records whether the RESULTS field was truncated, and whether the TA or Splunk truncated it.

  • RESULT_TRUNCATED is 0 if neither the TA nor Splunk truncated the value in the RESULTS field.
  • RESULT_TRUNCATED is 1 when Splunk truncates the RESULTS field.
    This happens when the truncation value set for the RESULTS field in Splunk's props.conf is greater than the limit set on the TA set up page.
    In this case, the TA first truncates the RESULTS field to the value specified in Max characters allowed in RESULTS field, and Splunk then removes the difference between the two truncation values.
  • RESULT_TRUNCATED is 2 when the TA truncates the RESULTS value after parsing the event and the truncation value set for the RESULTS field in props.conf is the same as or less than the limit set for the VM RESULTS field on the TA set up page.

* If Splunk truncates the RESULTS field, the message [TRUNCATED XXX Characters] is not shown in the RESULTS field.
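The following Python simulation is an added example, not the TA's own code, and shows how the two truncation stages interact and why the [TRUNCATED XXX Characters] message disappears once Splunk truncates. It assumes a key="value" event layout with RESULTS as the last field, treats props.conf TRUNCATE as a byte limit on the whole event, and derives RESULT_TRUNCATED from which stage actually cut the field; the HOST_ID and QID values and the sample RESULTS string are constructed for the demo.

```python
"""Simulate TA-side and Splunk-side truncation of a VM detection event.

Added example (not the Qualys TA's implementation). Assumptions: events
are key="value" pairs with RESULTS last, Splunk's TRUNCATE is a byte
limit on the whole event, and RESULT_TRUNCATED is 0 when nothing was cut,
1 when Splunk cut the event, 2 when only the TA cut the RESULTS value.
"""

MARKER = " [TRUNCATED {} Characters]"


def ta_truncate_results(results: str, max_chars: int):
    """Stage 1: the TA's 'Max characters allowed in RESULTS field'.
    0 (the default) means no truncation. Returns (value, removed_count)."""
    if max_chars <= 0 or len(results) <= max_chars:
        return results, 0
    removed = len(results) - max_chars
    return results[:max_chars] + MARKER.format(removed), removed


def build_event(fields: dict) -> str:
    """Assumed event layout: space-separated key="value" pairs."""
    return " ".join(f'{k}="{v}"' for k, v in fields.items())


def splunk_truncate_event(event: str, truncate: int):
    """Stage 2: props.conf TRUNCATE limits the raw event length in bytes
    (0 disables it). Returns (event, was_cut)."""
    raw = event.encode("utf-8")
    if truncate <= 0 or len(raw) <= truncate:
        return event, False
    return raw[:truncate].decode("utf-8", errors="ignore"), True


def simulate(results: str, ta_max: int, splunk_truncate: int,
             host_id: str = "12345", qid: str = "38170") -> dict:
    """Run both stages and report what a reader of the event would see."""
    value, removed = ta_truncate_results(results, ta_max)
    event = build_event({"HOST_ID": host_id, "QID": qid, "RESULTS": value})
    event, splunk_cut = splunk_truncate_event(event, splunk_truncate)
    if splunk_cut:
        flag = 1
    elif removed:
        flag = 2
    else:
        flag = 0
    return {
        "event": event,
        "ta_removed": removed,
        "splunk_cut": splunk_cut,
        # the marker is appended at the end of RESULTS, so it only survives
        # if Splunk did not cut the tail of the event
        "marker_shown": bool(removed) and MARKER.format(removed) in event,
        "result_truncated": flag,
    }


if __name__ == "__main__":
    sample = "x" * 20000  # constructed oversized RESULTS value
    for ta_max, trunc in ((5000, 10000), (0, 10000), (15000, 10000)):
        r = simulate(sample, ta_max, trunc)
        print(f"ta_max={ta_max:>5} TRUNCATE={trunc}: RESULT_TRUNCATED="
              f"{r['result_truncated']} marker_shown={r['marker_shown']}")
```

The third case is the one worth remembering when tuning these limits: a TA limit larger than Splunk's TRUNCATE means the TA still spends effort appending the marker, and Splunk then discards it along with the tail of the event, so the event carries no visible hint that data was lost. Keep the TA limit comfortably below TRUNCATE (leaving room for the other fields) if you want the marker to survive.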

TRURISK_SCORE, ACS, TRURISK_FACTORS for Host Asset API

To get the TRURISK_SCORE, ACS, and TRURISK_FACTORS, check the TRURISK_SCORE, ACS, and TRURISK_FACTORS for Host Asset API checkbox provided under VM Detection Settings in the TA setup page.

The TA parses TRURISK_SCORE, ACS, and TRURISK_FACTORS and adds them to VM detection events.

Host List Detection Maximum API Retry Count

Specify the number of times the TA retries an API call after an error. 429 Too Many Requests responses do not count toward this limit.

Once the maximum retry count is exceeded, the TA skips that API call and proceeds to the next Host ID or Host ID range to pull the data.

This setting applies only when multi-threading is enabled.
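The retry semantics described above, as an added Python example (not the TA's implementation): each non-429 error consumes one retry, a 429 never does, and a range whose retries are exhausted is skipped so the next range can be pulled. The FakeHostDetectionApi class, its scripted responses and the use of a Retry-After header to wait after a 429 are constructed for this demo; the page does not say how the TA waits on a 429.

```python
"""Retry loop for Host List Detection pulls (added example, not TA code).

Assumptions: the API client and its scripted responses are constructed
for the demo, and a 429 is handled by sleeping for the Retry-After value;
the page does not describe the TA's 429 wait strategy.
"""
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


class FakeHostDetectionApi:
    """Stand-in for the Host List Detection API: returns the scripted
    responses for each ID range in order and records every call made."""

    def __init__(self, script: dict):
        self.script = {rng: list(resps) for rng, resps in script.items()}
        self.calls = []

    def fetch(self, id_range: str) -> Response:
        self.calls.append(id_range)
        return self.script[id_range].pop(0)


def pull_ranges(api, id_ranges, max_retries: int, sleep=time.sleep) -> dict:
    """Pull each host ID range. A non-429 error consumes one retry; once
    more than max_retries errors occur the range is skipped (None) and the
    next range is picked. A 429 never consumes a retry: wait and call again."""
    results = {}
    for id_range in id_ranges:
        failures = 0  # non-429 errors seen for this range
        while True:
            resp = api.fetch(id_range)
            if resp.status == 200:
                results[id_range] = resp.body
                break
            if resp.status == 429:
                # rate limited: does not count against the retry budget
                sleep(float(resp.headers.get("Retry-After", 1)))
                continue
            failures += 1
            if failures > max_retries:
                results[id_range] = None  # skipped after max retries
                break
    return results


def demo():
    """Constructed scenario: range 1-100 fails three times with 500 and is
    skipped (one call plus two retries); range 101-200 gets a 429 (not
    counted), then a 503 (one retry), then succeeds."""
    api = FakeHostDetectionApi({
        "1-100": [Response(500), Response(500), Response(500)],
        "101-200": [Response(429, headers={"Retry-After": "0"}),
                    Response(503),
                    Response(200, body="<HOST_LIST/>")],
    })
    results = pull_ranges(api, ["1-100", "101-200"], max_retries=2,
                          sleep=lambda _: None)
    return results, api.calls


if __name__ == "__main__":
    print(demo())
```

A skipped range means its detections are absent from Splunk until the next pull, so log skipped ranges and alert on them rather than relying on the data being present; in production code also bound the total time spent waiting on 429 responses, since they are not limited by the retry count.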

VM Detection-Advanced Settings

To preserve the VM Detection API XML responses for certain host IDs only, enter those IDs in the Host IDs field. The TA then saves the response in TA-QualysCloudPlatform/tmp for any API call whose Host ID range includes a listed ID, regardless of whether the host exists.

The Host Asset API response XML can be preserved in the TA-QualysCloudPlatform/tmp directory by enabling Enable to preserve Host Asset API response.

To preserve the XML only for the hosts listed in the Host IDs field, you must disable Enable to preserve the XML/JSON files of API output under More Settings. If that option is enabled and you have also provided host IDs in the Host IDs field, all XMLs are preserved, not just those for the listed host IDs.

Preserved responses contain the full detection data for the hosts they cover, so restrict access to the tmp directory and remove the files once you have finished troubleshooting.

Configure Directory Path for the .seed file on Splunk Cloud

On Splunk Cloud, the directory path for the .seed file must start with $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp. TA-QualysCloudPlatform shows an error while generating the .seed file if you configure any other path.

Event Types for Searching VM Detection Data in Splunk

You can use the default event types to search for VM detection data pulled into Splunk. For more information, refer to Event Types for Searching your Apps Data.