Qualys VM KnowledgeBase (using Azure Functions) connector for Microsoft Sentinel
The Qualys Vulnerability Management (VM) KnowledgeBase (KB) connector provides the capability to ingest the latest vulnerability data from the Qualys KB into Microsoft Sentinel.
This data can used to correlate and enrich vulnerability detections found by the Qualys Vulnerability Management (VM) data connector.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | QualysKB_CL |
| Data collection rules support | Not currently supported |
| Supported by | Microsoft Corporation |
Query samples
Vulnerabilities by Category
QualysKB
| summarize count() by Category
Top 10 Software Vendors
QualysKB
| summarize count() by SoftwareVendor
| top 10 by count_
Prerequisites
To integrate with Qualys VM KnowledgeBase (using Azure Functions) make sure you have:
- Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
- Qualys API Key: A Qualys VM API username and password is required. See the documentation to learn more about Qualys VM API.
Vendor installation instructions
NOTE: This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias QualysVM Knowledgebase and load the function code or click here, on the second line of the query, enter the hostname(s) of your QualysVM Knowledgebase device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.
This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to use the Kusto function alias, QualysKB
(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.
STEP 1 - Configuration steps for the Qualys API
- Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
- Click on the New drop-down menu and select Users.
- Create a username and password for the API account.
- In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API
- Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account.
- Log back into the console using an administrator account and modify the API accounts User Roles, removing access to GUI.
- Save all changes.
STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function
IMPORTANT: Before deploying the Qualys KB connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys API username and password, readily available.
Next steps
For more information, go to the related solution in the Azure Marketplace.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for