Collect Qualys scan logs
This document describes how you can collect Qualys scan logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the QUALYS_SCAN ingestion label.
Create an account for Qualys scan data import
- Sign in to the Qualys portal.
- In the Tools section of the Qualys manager account page, click User accounts.
- Select New > User.
- Enter the contact details (or the customer reference point) and ensure the following fields are set for the user account:
  - In the User Role list, select Reader. The feed only reads scan data, so this is the least privileged role that works.
  - In the Allow access to field, select the GUI checkbox and the API checkbox. The feed authenticates through the API, so API access is required.
  - In the Asset Groups section, assign all available asset groups to the user, so that scans for every asset group are visible to the feed.
- Select Advanced configuration.
- In the Notifications options section, select None for vulnerabilities, and select No notifications for scan, map, and report.
- After you create the user, activate it and verify that the username and password work. These are the credentials you enter as the feed's Username and Secret in the next section.
Configure a feed in Google Security Operations to ingest Qualys scan logs
- Go to SIEM Settings > Feeds.
- Click Add New.
- In the Field name field, enter a unique name for the feed.
- Select Third party API as the Source type.
- Select Qualys Scan as the Log type.
- Click Next.
- Configure the following mandatory input parameters:
  - Username: the username of the Qualys account you created previously.
  - Secret: the password of that account.
  - API full path: the API server for your Qualys platform, for example qualysapi.qualys.com. Qualys platforms in other regions use a different API server host, so use the one for your subscription.
  - API type: the API type.
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser extracts security event data from Qualys Scan JSON logs, transforming it into the Unified Data Model (UDM). It handles various Qualys Scan log formats, prioritizing ScanInput.ScanDatetime, UpdateDate, and LaunchDatetime (in that order) for timestamp extraction and maps relevant fields to UDM properties, including user information, descriptions, security results, and additional metadata. The parser also iterates through Technologies data, extracting and mapping relevant fields within each technology entry.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| Category | metadata.product_log_id | Converted to string. |
| Category | security_result.category_details | Directly mapped. |
| ID | metadata.product_log_id | Directly mapped. |
| LaunchDatetime | metadata.event_timestamp | Parsed to timestamp using "ISO8601" format. |
| Ref | additional.fields[key="ScanReference"].value.string_value | Directly mapped as string value within additional fields. |
| ScanDetails.Status | security_result.detection_fields[key="ScanDetails Status"].value | Directly mapped. |
| ScanInput.Network.ID | additional.fields[key="ScanInput Network ID"].value.string_value | Directly mapped as string value within additional fields. |
| ScanInput.Network.Name | additional.fields[key="ScanInput Network Name"].value.string_value | Directly mapped as string value within additional fields. |
| ScanInput.OptionProfile.ID | additional.fields[key="ScanInput Option Profile ID"].value.string_value | Directly mapped as string value within additional fields. |
| ScanInput.OptionProfile.Name | additional.fields[key="ScanInput Option Profile Name"].value.string_value | Directly mapped as string value within additional fields. |
| ScanInput.ScanDatetime | metadata.event_timestamp | Parsed to timestamp using "ISO8601" format. |
| ScanInput.Title | metadata.description | Directly mapped. |
| ScanInput.Username | principal.user.userid | Directly mapped. |
| ScanReference | additional.fields[key="ScanReference"].value.string_value | Directly mapped as string value within additional fields. |
| Statement | metadata.description | Directly mapped. |
| Status | security_result.detection_fields[key="Status"].value | Directly mapped. |
| SubCategory | security_result.description | Directly mapped. |
| Technologies.ID | security_result.detection_fields[key="ID"].value | Converted to string and mapped for each technology. |
| Technologies.Name | security_result.detection_fields[key="Name"].value | Mapped for each technology. |
| Technologies.Rationale | security_result.detection_fields[key="Rationale"].value | Mapped for each technology. |
| Title | metadata.description | Directly mapped. |
| Type | additional.fields[key="Type"].value.string_value | Directly mapped as string value within additional fields. |
| UpdateDate | metadata.event_timestamp | Parsed to timestamp using "ISO8601" format. |
| Userlogin | target.user.userid | Directly mapped. |
| (none) | extensions.auth.type | Set to "AUTHTYPE_UNSPECIFIED" when Userlogin is present. |
| (none) | metadata.event_type | Set to "USER_LOGIN" when Userlogin is present, "USER_UNCATEGORIZED" when ScanInput.Username is present and metadata_event_type is "GENERIC_EVENT", or the value of metadata_event_type otherwise. |
| (none) | metadata.product_name | Hardcoded to "QUALYS_SCAN". |
| (none) | metadata.vendor_name | Hardcoded to "QUALYS_SCAN". |
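The mapping table and the timestamp-priority rule above are easier to reason about when you can run them against a record and inspect the result. The following is an added example, not the Google Security Operations parser's own code: a reference re-implementation of the table's rules in Python. It uses constructed sample records (a scan record, a control record with Technologies entries, and a user-login record), not real Qualys exports. Where several log fields map to the same UDM field and the table gives no order (product_log_id and description), the precedence used here is an assumption and is marked as such in the code.

```python
"""Reference re-implementation of the QUALYS_SCAN -> UDM mapping table.

Added example, not the Google SecOps parser. Sample records are constructed.
"""
import json
from datetime import datetime, timezone


def _get(record, dotted_path):
    """Return a nested value by dotted path ("ScanInput.Network.ID"), or None."""
    node = record
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _iso8601_utc(value):
    """Parse an ISO 8601 string (Qualys uses a trailing Z) and render it in UTC."""
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc).isoformat()


# (log field, additional.fields key) pairs copied verbatim as strings, per the table.
ADDITIONAL_FIELDS = [
    ("Ref", "ScanReference"),
    ("ScanReference", "ScanReference"),
    ("ScanInput.Network.ID", "ScanInput Network ID"),
    ("ScanInput.Network.Name", "ScanInput Network Name"),
    ("ScanInput.OptionProfile.ID", "ScanInput Option Profile ID"),
    ("ScanInput.OptionProfile.Name", "ScanInput Option Profile Name"),
    ("Type", "Type"),
]


def to_udm(record):
    """Map one Qualys Scan JSON record to a UDM-shaped dict."""
    udm = {
        "metadata": {
            "vendor_name": "QUALYS_SCAN",   # hardcoded, per the table
            "product_name": "QUALYS_SCAN",  # hardcoded, per the table
            "event_type": "GENERIC_EVENT",  # default before the Userlogin/Username rules
        },
        "additional": {"fields": {}},
        "security_result": {"detection_fields": []},
    }
    meta, sec = udm["metadata"], udm["security_result"]

    # Timestamp priority from the table: ScanInput.ScanDatetime, then UpdateDate,
    # then LaunchDatetime. The first one present wins.
    for path in ("ScanInput.ScanDatetime", "UpdateDate", "LaunchDatetime"):
        raw = _get(record, path)
        if raw:
            meta["event_timestamp"] = _iso8601_utc(raw)
            break

    # ID and Category both map to product_log_id; preferring ID is an assumption.
    if _get(record, "ID") is not None:
        meta["product_log_id"] = str(record["ID"])
    elif _get(record, "Category") is not None:
        meta["product_log_id"] = str(record["Category"])

    # ScanInput.Title, Statement and Title all map to description; this order is an assumption.
    for path in ("ScanInput.Title", "Statement", "Title"):
        if _get(record, path):
            meta["description"] = _get(record, path)
            break

    for path, key in ADDITIONAL_FIELDS:
        if _get(record, path) is not None:
            udm["additional"]["fields"][key] = str(_get(record, path))

    if _get(record, "Category") is not None:
        sec["category_details"] = record["Category"]
    if _get(record, "SubCategory") is not None:
        sec["description"] = record["SubCategory"]
    for path, key in (("Status", "Status"), ("ScanDetails.Status", "ScanDetails Status")):
        if _get(record, path) is not None:
            sec["detection_fields"].append({"key": key, "value": _get(record, path)})

    # Each Technologies entry contributes ID (as a string), Name and Rationale.
    for tech in record.get("Technologies") or []:
        if "ID" in tech:
            sec["detection_fields"].append({"key": "ID", "value": str(tech["ID"])})
        for key in ("Name", "Rationale"):
            if key in tech:
                sec["detection_fields"].append({"key": key, "value": tech[key]})

    # User and event-type rules from the table.
    scan_user, login_user = _get(record, "ScanInput.Username"), _get(record, "Userlogin")
    if scan_user:
        udm["principal"] = {"user": {"userid": scan_user}}
    if login_user:
        udm["target"] = {"user": {"userid": login_user}}
        udm["extensions"] = {"auth": {"type": "AUTHTYPE_UNSPECIFIED"}}
        meta["event_type"] = "USER_LOGIN"
    elif scan_user and meta["event_type"] == "GENERIC_EVENT":
        meta["event_type"] = "USER_UNCATEGORIZED"
    return udm


# Constructed sample records (not real Qualys exports), one per record shape.
SAMPLE_SCAN = {
    "Ref": "scan/1681981200.54321", "Type": "Scheduled", "Status": "Finished",
    "LaunchDatetime": "2023-04-20T09:00:00Z",
    "ScanInput": {"Title": "Weekly external scan", "Username": "secops_reader",
                  "ScanDatetime": "2023-04-20T09:05:12Z",
                  "Network": {"ID": 0, "Name": "Global Default Network"},
                  "OptionProfile": {"ID": 12345, "Name": "Initial Options"}},
    "ScanDetails": {"Status": "Finished"},
}
SAMPLE_CONTROL = {
    "ID": 1001, "Category": "Access Control Requirements",
    "SubCategory": "Authentication/Passwords",
    "Statement": "Status of the 'Minimum password length' setting",
    "UpdateDate": "2023-04-19T17:45:00Z",
    "Technologies": [{"ID": 5, "Name": "Windows Server 2019", "Rationale": "Short passwords are easy to guess."},
                     {"ID": 9, "Name": "Ubuntu 22.04", "Rationale": "Same requirement applies to PAM."}],
}
SAMPLE_LOGIN = {"Userlogin": "secops_reader", "UpdateDate": "2023-04-21T08:30:00Z"}

if __name__ == "__main__":
    for sample in (SAMPLE_SCAN, SAMPLE_CONTROL, SAMPLE_LOGIN):
        print(json.dumps(to_udm(sample), indent=2))
```

Running the script prints the three normalized events. The scan record shows the timestamp rule in action: both LaunchDatetime and ScanInput.ScanDatetime are present, and ScanInput.ScanDatetime wins, so an alert built on metadata.event_timestamp reflects when the scan data was recorded rather than when the scan was launched. The control record shows that every Technologies entry lands as repeated detection_fields with the same keys ("ID", "Name", "Rationale"), so a rule that needs a specific technology must match on the value, not the key. The login record shows the only path that produces a USER_LOGIN event with extensions.auth.type set.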
Changes
2023-04-21
- Newly created parser.