Integrating Qualys with Sentinel

There seems to be a dearth of info on this topic (or I'm just not searching correctly)
We have a customer who has Splunk and wants to do a parallel PoC of Sentinel.
One use case they called out was:

  • Vulnerability data
    • Ingest Qualys Raw data
    • Display Qualys Dashboards

... how would this be achieved in Sentinel?
I can see there is Qualys integration with ASC but not finding much about Qualys with Sentinel

4 Replies

@Col_Sanders For raw data, see the following for an example of what exists from the ASC connector for Azure Sentinel:

SecurityAlert
| where ProviderName contains "asc" and ExtendedProperties contains "qualys"
| project RemediationSteps

For a Workbook for Qualys, see:  https://github.com/Azure/Azure-Security-Center/tree/master/Workbooks/ASCQualysDashboard

@rodtrent

I was working today to integrate Qualys with Sentinel with the Data connector available on Sentinel. When I execute the function I get the below error. I deployed the function as is, as mentioned in the documentation.

Connected!
2020-09-01T17:02:19 Welcome, you are now connected to log-streaming service. The default timeout is 2 hours. Change the timeout with the App Setting SCM_LOGSTREAM_TIMEOUT (in seconds).
2020-09-01T17:02:26.017 [Information] Loading functions metadata
2020-09-01T17:02:26.078 [Information] 1 functions loaded
2020-09-01T17:02:27.463 [Information] Executing 'Functions.QualysTimerTrigger' (Reason='This function was programmatically called via the host APIs.', Id=0a3b0089-9827-4e78-8213-2154fc083)
2020-09-01T17:02:27.556 [Error] ERROR: Cannot index into a null array.
Exception :
Type : System.Management.Automation.RuntimeException
ErrorRecord :
Exception :
Type : System.Management.Automation.ParentContainsErrorRecordException
Message : Cannot index into a null array.
HResult : -2146233087
CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
FullyQualifiedErrorId : NullArray
InvocationInfo :
ScriptLineNumber : 42
OffsetInLine : 1
HistoryId : -1
ScriptName : C:\home\site\wwwroot\QualysTimerTrigger\run.ps1
Line : $base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo)').captures.groups[1].value
PositionMessage : At C:\home\site\wwwroot\QualysTimerTrigger\run.ps1:42 char:1
+ $base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo) …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot : C:\home\site\wwwroot\QualysTimerTrigger
PSCommandPath : C:\home\site\wwwroot\QualysTimerTrigger\run.ps1
CommandOrigin : Internal
ScriptStackTrace : at <ScriptBlock>, C:\home\site\wwwroot\QualysTimerTrigger\run.ps1: line 42
TargetSite : System.Object CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, Int32)
StackTrace :
at CallSite.Target(Closure , CallSite , Object , Int32 )
at System.Management.Automation.Interpreter.DynamicInstruction`3.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Message : Cannot index into a null array.
Data : System.Collections.ListDictionaryInternal
Source : Anonymously Hosted DynamicMethods Assembly
HResult : -2146233087
CategoryInfo : InvalidOperation: (:) [], RuntimeException
FullyQualifiedErrorId : NullArray
InvocationInfo :
ScriptLineNumber : 42
OffsetInLine : 1
HistoryId : -1
ScriptName : C:\home\site\wwwroot\QualysTimerTrigger\run.ps1
Line : $base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo)').captures.groups[1].value
PositionMessage : At C:\home\site\wwwroot\QualysTimerTrigger\run.ps1:42 char:1
+ $base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo) …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot :

I was getting that same error and finally traced it down to having ":443" with the URI.  So I took that out, and no longer get that error.  Instead, now I get HTTP 404 Page Not Found.  WTH.  This is the URL provided by Qualys:  https://qualysapi.qg3.apps.qualys.com/api/2.0/fo

Anyone actually get this to work?
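Editor's added example, not code from the Sentinel Qualys data connector or from any poster in this thread. It ties the two findings above together: the regex quoted in the error record (run.ps1 line 42) and the observation that an explicit ":443" in the URI triggers the null-array error. Run in a local pwsh or Windows PowerShell session, it shows which URI shapes that pattern matches and which it does not, and then derives the base URI with a stricter parse that rejects bad input with a message naming what was wrong. The sample URIs are constructed for this demonstration; the host name is the one quoted in the thread.

```powershell
# Added example (not the connector's own code). Reproduces why the line-42 regex from the
# thread finds nothing when the Qualys API URI carries an explicit ":443", then shows a
# stricter base-URI derivation. Sample URIs below are constructed for this demonstration.

# Pattern copied verbatim from the error record quoted in the thread.
$Pattern = '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo)'

$SampleUris = @(
    'https://qualysapi.qg3.apps.qualys.com/api/2.0/fo'       # as provided by Qualys: matches
    'https://qualysapi.qg3.apps.qualys.com:443/api/2.0/fo'   # explicit default port: no match
    'https://qualysapi.qg3.apps.qualys.com/api/2.0/fo/'      # trailing slash: still matches
    'http://qualysapi.qg3.apps.qualys.com/api/2.0/fo'        # plain http: no match, should be rejected
)

# Same expression shape as the connector. [\w\.]+ cannot consume ':' so ":443" breaks the
# match; with zero matches, member enumeration over the empty MatchCollection makes
# .Captures.Groups resolve to $null, and indexing that $null is the "Cannot index into a
# null array" seen in the function log. Here the empty case is guarded and returns $null.
function Get-BaseUriLikeConnector {
    param([Parameter(Mandatory)][string]$Uri)
    $found = [regex]::Matches($Uri, $Pattern)
    if ($found.Count -eq 0) { return $null }
    return $found[0].Groups[1].Value
}

# Stricter parse: [System.Uri] normalises the authority (":443" is the HTTPS default port
# and is omitted from .Authority), then the path shape is checked explicitly and every
# failure names the offending input so the function log says what was wrong.
function Get-QualysBaseUri {
    param([Parameter(Mandatory)][string]$Uri)
    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed) -or
        $parsed.Scheme -ne 'https') {
        throw "Qualys API URI must be an absolute https URL, got '$Uri'"
    }
    $path = $parsed.AbsolutePath.TrimEnd('/')
    if ($path -notmatch '^/api/\d\.\d/fo$') {
        throw "Qualys API URI path must look like /api/2.0/fo, got '$($parsed.AbsolutePath)'"
    }
    # A non-default port (e.g. :8443) would be kept by .Authority; the default 443 is not.
    return 'https://{0}{1}' -f $parsed.Authority, $path
}

foreach ($uri in $SampleUris) {
    Write-Output "input            : $uri"
    $viaRegex = Get-BaseUriLikeConnector -Uri $uri
    if ($null -eq $viaRegex) {
        Write-Output "  connector regex: no match (run.ps1 line 42 would index a null array here)"
    } else {
        Write-Output "  connector regex: $viaRegex"
    }
    try {
        Write-Output "  strict parse   : $(Get-QualysBaseUri -Uri $uri)"
    } catch {
        Write-Output "  strict parse   : rejected, $($_.Exception.Message)"
    }
}
```

The second URI is the one that reproduces the thread's error: the connector pattern returns no match, while the strict parse normalises it to the same base as the first URI. This only addresses the null-array failure; the HTTP 404 reported after removing ":443" is a response from the Qualys side, and nothing on this page diagnoses it.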