One-to-One Rules

Perform the following steps to create one-to-one rules:

  1. Go to Configuration > Detection Event Rules. A detection rule is available by default; you can update it or create a new rule.

    [Image: DetectionEventRule]

    A separate destination table, Incident, is used for the Qualys VMDR vulnerabilities. However, you can change the destination table so that the rule creates an incident or a change request.

    You can use the Copy this Rule option to clone the detection rule, modify the required fields, and save the rule with a new name. See Clone a detection rule.

    [Image: new_detection_event]

  2. Review the existing values in the fields and modify as required:

    • Source table - Select the source table from which the detections are retrieved, that is, the host detection table.
    • Destination table - Select Incident from the list of tables. This is the ServiceNow table used for Qualys VMDR incidents.

      [Image: detection_event_rule_destination_table]

    • To create change requests instead, select Change Request as the Destination table.

      [Image: detection_event_change_request]

    • Description - Enter a description for the detection event rule.
    • The Trigger Criteria tab defines when this detection event rule runs.

      [Image: detection_event_trigger_criteria]

    • Order - Enter a number that sets the priority of this detection event rule. The value is relative: when several rules exist for the same source table, they are evaluated in ascending order of this value, lowest first.

    • Stop processing - Select this check box so that, once this rule's trigger conditions are met, the rules ordered after it (those with a higher Order value) are not processed.

    • Trigger when - Define the criteria on the host detection record that trigger this detection event rule and create a record in the destination table. You can use one or more attributes and filters.

      To reach reference data such as QID => Severity, for example to test the severity level of a detection record, use the Show Related Fields option at the bottom of the field list.

      [Image: detection_condition]

      For change request creation, the Trigger Criteria can be set as shown in the following image:

      [Image: detection_event_patch_trigger_criteria]

    • The Assignment tab defines how the vulnerability incidents are assigned once this detection event rule is triggered.

      [Image: detection_event_assignment]

      • If Assignment group based on ServiceNow Assignment Rules is selected, the incidents are assigned by the ServiceNow assignment rules defined for the destination table.
      • If Assignment based on the Detection Event Rule is selected, you can select a value in the Assignment Group field. This assignment group applies only to this rule.
      • If Assignment based on Group by field is selected, you can select a value in the Assignment Group field. This assignment group applies only to this rule.
  3. Click Submit to create the detection event rule.

Detection Event Field Maps

Once the detection event rule is created, add field mappings.

Perform the following steps for adding field mappings:

  1. Click the detection event rule that you created, and go to Detection event field maps.
  2. You must add the following field mappings:

    [Image: detection_event_rule_maps]

    You can add any further field mappings that your requirements need.

We recommend setting the Coalesce field as shown in the example to avoid creating duplicate records: the coalesce fields are matched against existing records in the destination table, so a detection that is seen again updates the existing incident or change request instead of inserting a new one.
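As an added illustration, the following model (plain JavaScript written for this page, not ServiceNow Glide code and not the application's own logic) runs a small set of detection event rules over constructed host detection records. It shows the Order and Stop processing semantics from step 2 and why the Coalesce field matters: with coalesce fields set, a detection seen again on a later scan updates the existing incident; with them cleared, a second incident is inserted. All table names, field names, QIDs, hosts and rule definitions are assumptions made for the example.

```javascript
// Added model in plain JavaScript, not ServiceNow/Glide code and not the
// application's own logic. Table names, field names, QIDs, hosts and the rule
// definitions are assumptions made for this example.

// Dot-walk into a record, e.g. "qid.severity" (the QID => Severity reference).
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Detection event rules as filled in on the form. Lower Order runs first;
// stopProcessing is the "Stop processing" check box.
const detectionEventRules = [
  { name: "Critical detections to Incident", order: 100, stopProcessing: true,
    destinationTable: "incident", assignmentGroup: "Vulnerability Response",
    triggerWhen: (d) => d.status === "Active" && getPath(d, "qid.severity") === 5 },
  { name: "Patchable detections to Change Request", order: 200, stopProcessing: false,
    destinationTable: "change_request", assignmentGroup: "Patch Management",
    triggerWhen: (d) => d.status === "Active" && getPath(d, "qid.patchable") === true },
];

// Field maps per destination table. coalesce: true marks the fields matched
// against existing destination records before a new record is inserted.
const commonMap = [
  { source: "host", target: "cmdb_ci", coalesce: true },
  { source: "qid.id", target: "u_qid", coalesce: true },
  { source: "qid.title", target: "short_description", coalesce: false },
];
const fieldMaps = {
  incident: [...commonMap, { source: "last_found", target: "u_last_found", coalesce: false }],
  change_request: commonMap,
};

// Insert or update one destination record; returns true on insert. With no
// coalesce fields every detection inserts, which is the duplicate problem.
function upsert(tables, tableName, fieldMap, detection, rule) {
  const rows = tables[tableName] || (tables[tableName] = []);
  const values = { assignment_group: rule.assignmentGroup };
  for (const m of fieldMap) values[m.target] = getPath(detection, m.source);
  const keys = fieldMap.filter((m) => m.coalesce).map((m) => m.target);
  const existing = keys.length ? rows.find((r) => keys.every((k) => r[k] === values[k])) : undefined;
  if (existing) {
    Object.assign(existing, values);
    return false;
  }
  rows.push({ sys_id: `${tableName}-${rows.length + 1}`, ...values });
  return true;
}

// Evaluate the rules in ascending Order for each detection. Stop processing
// ends evaluation of that detection once the rule has fired.
function runDetectionEventRules(detections, rules, maps) {
  const tables = {};
  const trace = [];
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  for (const d of detections) {
    for (const rule of ordered) {
      if (!rule.triggerWhen(d)) continue;
      const inserted = upsert(tables, rule.destinationTable, maps[rule.destinationTable], d, rule);
      trace.push(`${d.host}/${d.qid.id} -> ${rule.name} (${inserted ? "insert" : "update"})`);
      if (rule.stopProcessing) break;
    }
  }
  return { tables, trace };
}

// Constructed host detection records, not real scan output. The third is the
// first finding seen again on a later scan; the fourth is already fixed.
const criticalQid = { id: 91234, title: "Example critical QID", severity: 5, patchable: true };
const mediumQid = { id: 45678, title: "Example medium QID", severity: 3, patchable: true };
const detections = [
  { host: "srv-01", status: "Active", last_found: "2024-05-01", qid: criticalQid },
  { host: "srv-02", status: "Active", last_found: "2024-05-01", qid: mediumQid },
  { host: "srv-01", status: "Active", last_found: "2024-05-08", qid: criticalQid },
  { host: "srv-03", status: "Fixed", last_found: "2024-04-20", qid: criticalQid },
];

// The same incident map with Coalesce cleared on every field.
const fieldMapsNoCoalesce = {
  ...fieldMaps,
  incident: fieldMaps.incident.map((m) => ({ ...m, coalesce: false })),
};

const withCoalesce = runDetectionEventRules(detections, detectionEventRules, fieldMaps);
const withoutCoalesce = runDetectionEventRules(detections, detectionEventRules, fieldMapsNoCoalesce);
console.log(withCoalesce.trace.join("\n"));
console.log("incidents with coalesce:", withCoalesce.tables.incident.length); // 1
console.log("incidents without coalesce:", withoutCoalesce.tables.incident.length); // 2
```

Run it with node. The critical detection on srv-01 fires only the incident rule because Stop processing is set there, and its repeat on the later scan updates the existing incident (u_last_found moves to the newer date) rather than adding a second one; clearing the coalesce flags yields two incidents for the same host and QID. The Order value is what makes this safe: if the change request rule were given a lower Order than the incident rule and had Stop processing set, the critical detection would reach the change request table and never create an incident.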

Related Topic

Grouping Rules