Forum Discussion
Integrating Qualys with Sentinel
There seems to be a dearth of info on this topic (or I'm just not searching correctly)
We have a customer who has Splunk and wants to do a parallel PoC of Sentinel.
One use case they called out was:
- Vulnerability data
- Ingest Qualys Raw data
- Display Qualys Dashboards
... how would this be achieved in Sentinel?
I can see there is Qualys integration with ASC but not finding much about Qualys with Sentinel
- Rod_Trent (Microsoft)
Col_Sanders For raw data, see the following for an example of what exists from the ASC connector for Azure Sentinel:
SecurityAlert
| where ProviderName contains "asc" and ExtendedProperties contains "qualys"
| project RemediationSteps
For a Workbook for Qualys, see: https://github.com/Azure/Azure-Security-Center/tree/master/Workbooks/ASCQualysDashboard
- CliveWatson (Microsoft)
Also Qualys in these Sentinel workbooks (with some correlation logic to Sentinel)
https://techcommunity.microsoft.com/t5/azure-sentinel/compliance-reporting-for-azure/ba-p/1259574
- pavankemi (Brass Contributor)
I was working today to integrate Qualys with Sentinel with the Data connector available on Sentinel. When I execute the function I get the below error. I deployed the function as is, as mentioned in the documentation.
Connected!
2020-09-01T17:02:19 Welcome, you are now connected to log-streaming service. The default timeout is 2 hours. Change the timeout with the App Setting SCM_LOGSTREAM_TIMEOUT (in seconds).
2020-09-01T17:02:26.017 [Information] Loading functions metadata
2020-09-01T17:02:26.078 [Information] 1 functions loaded
2020-09-01T17:02:27.463 [Information] Executing 'Functions.QualysTimerTrigger' (Reason='This function was programmatically called via the host APIs.', Id=0a3b0089-9827-4e78-8213-2154fc083)
2020-09-01T17:02:27.556 [Error] ERROR: Cannot index into a null array.
Exception :
Type : System.Management.Automation.RuntimeException
ErrorRecord :
Exception :
Type : System.Management.Automation.ParentContainsErrorRecordException
Message : Cannot index into a null array.
HResult : -2146233087
CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
FullyQualifiedErrorId : NullArray
InvocationInfo :
ScriptLineNumber : 42
OffsetInLine : 1
HistoryId : -1
ScriptName : C:\home\site\wwwroot\QualysTimerTrigger\run.ps1
Line : $base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo)').captures.groups[1].value
PositionMessage : At C:\home\site\wwwroot\QualysTimerTrigger\run.ps1:42 char:1
+ $base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo) …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot : C:\home\site\wwwroot\QualysTimerTrigger
PSCommandPath : C:\home\site\wwwroot\QualysTimerTrigger\run.ps1
CommandOrigin : Internal
ScriptStackTrace : at <ScriptBlock>, C:\home\site\wwwroot\QualysTimerTrigger\run.ps1: line 42
TargetSite : System.Object CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, Int32)
StackTrace :
at CallSite.Target(Closure , CallSite , Object , Int32 )
at System.Management.Automation.Interpreter.DynamicInstruction`3.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Message : Cannot index into a null array.
Data : System.Collections.ListDictionaryInternal
Source : Anonymously Hosted DynamicMethods Assembly
HResult : -2146233087
CategoryInfo : InvalidOperation: (:) [], RuntimeException
FullyQualifiedErrorId : NullArray
InvocationInfo :
ScriptLineNumber : 42
OffsetInLine : 1
HistoryId : -1
ScriptName : C:\home\site\wwwroot\QualysTimerTrigger\run.ps1
Line : $base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo)').captures.groups[1].value
PositionMessage : At C:\home\site\wwwroot\QualysTimerTrigger\run.ps1:42 char:1
+ $base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo) …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot :
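
Added example (not part of the thread and not the connector's own code): the expression on line 42 of run.ps1 throws "Cannot index into a null array" whenever `$uri` does not match the pattern, and the sketch below reproduces that next to a guarded variant. The function name `Get-QualysApiBase` and all sample URIs are hypothetical and constructed for illustration; how `$uri` is populated in the deployed function is not shown on this page.

```powershell
# Pattern copied from the failing line in the log above.
$pattern = '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo)'

# Hypothetical helper: same capture, but fails with a readable message
# instead of indexing into $null when the URI has an unexpected shape.
function Get-QualysApiBase {
    param([string]$Uri)
    $m = [regex]::Match($Uri, $pattern)
    if (-not $m.Success) {
        throw "URI '$Uri' does not match https://<host>/api/<n.n>/fo"
    }
    return $m.Groups[1].Value
}

# Constructed sample values, not taken from any real deployment.
$samples = @(
    'https://qualysapi.example.invalid/api/2.0/fo/knowledge_base/vuln/',   # fits the pattern
    'https://qualys-api.example.invalid/api/2.0/fo/knowledge_base/vuln/',  # hyphen: [\w\.]+ rejects it
    'https://qualysapi.example.invalid:443/api/2.0/fo/',                   # port: [\w\.]+ rejects ':'
    ''                                                                     # empty or unset value
)

foreach ($uri in $samples) {
    # Original expression: with no match, .captures and .groups evaluate to
    # $null, so [1] raises the RuntimeException seen in the log stream.
    try {
        $base = [regex]::matches($uri, $pattern).captures.groups[1].value
        "original: '$uri' -> $base"
    } catch {
        "original: '$uri' -> $($_.Exception.Message)"
    }

    # Guarded variant: the error names the offending value.
    try {
        "guarded : '$uri' -> $(Get-QualysApiBase -Uri $uri)"
    } catch {
        "guarded : '$uri' -> $($_.Exception.Message)"
    }
}
```

Running the loop in a local PowerShell session shows which URI shapes the pattern accepts, which helps when checking the value the function receives for `$uri`.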