2015-09-15 04:14 AM
Hello,
I want to ask if anyone has tried to integrate both products? I need information from Qualys cloud VM to be available in RSA SA.
I thought it may be possible using feeds, but don't have experience with them.
Any info appreciated.
Regards
Marcin
2015-09-16 03:18 AM
Can anyone help?
2015-09-17 06:51 AM
I suppose a feed could work here, but you would really need to see what the data looked like first and what you wanted to key off of to enrich.
Odds are, the data in Qualys may be accessible through an API, but might not be in a CSV format consumable by the decoders. That might just require some data massaging though.
2015-09-17 08:04 AM
I've done something similar but in our case we use a third party vulnerability management tool to pull the data from Qualys and then take a feed from that.
I have a feed file which is basically ip, port, vuln name, vuln severity. Then when I get an IDS signature firing against a known vulnerability, I can use an ESA rule to alert if the vulnerability flags are set.
I also pull the Qualys audit trail back via their API and parse this so we can detect against unexpected use of the Qualys access.
I don't think I can share any of the code here unfortunately.
2015-09-28 02:36 PM
Thanks, it's possible to do, but it's a lot of work.
In the PoC we used a feed to enrich our SA; we added a report exported from Qualys to a CSV file.
A recurring feed can also be used, but we need an additional script (i.e. in Python) for converting data from the Qualys API to something understandable for SA 🙂
Regards
Marcin
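
An added example, not code from any participant in this thread: a minimal Python converter of the kind the last post describes, producing the `ip, port, vuln name, vuln severity` feed rows mentioned earlier. The XML element names and the sample data are constructed assumptions, not the exact Qualys API schema, and the output assumes the feed consumer splits rows on plain commas.

```python
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. Element names are assumptions; map them to the XML
# your own Qualys API call or report export actually returns.
SAMPLE_XML = """<HOST_LIST>
  <HOST><IP>10.0.0.5</IP>
    <DETECTION><PORT>443</PORT><TITLE>OpenSSL Heartbleed, test</TITLE><SEVERITY>5</SEVERITY></DETECTION>
    <DETECTION><PORT>22</PORT><TITLE>SSH weak ciphers</TITLE><SEVERITY>2</SEVERITY></DETECTION>
  </HOST>
  <HOST><IP>10.0.0.9</IP>
    <DETECTION><TITLE>Missing patch</TITLE><SEVERITY>3</SEVERITY></DETECTION>
  </HOST>
</HOST_LIST>"""

def text_of(node, tag, default=""):
    """Return the stripped text of a child element, or a default if absent."""
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else default

def clean(value):
    """Keep each feed row single-line and free of delimiter/quote characters."""
    return " ".join(value.replace(",", " ").replace('"', " ").split())

def detections(xml_text, min_severity=1):
    """Return sorted, de-duplicated (ip, port, name, severity) tuples."""
    rows = set()
    for host in ET.fromstring(xml_text).iter("HOST"):
        # Reject malformed keys early: a bad IP would silently never match.
        ip = str(ipaddress.ip_address(text_of(host, "IP")))
        for det in host.iter("DETECTION"):
            severity = int(text_of(det, "SEVERITY", "0"))
            if severity < min_severity:
                continue
            port = text_of(det, "PORT", "0")  # "0" marks host-level findings
            rows.add((ip, port, clean(text_of(det, "TITLE")), severity))
    return sorted(rows)

def to_feed_csv(rows):
    """Serialise rows as header-less CSV text for use as a feed file."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_feed_csv(detections(SAMPLE_XML)), end="")
```

For a recurring feed, write the output to a temporary file and rename it into place so the consumer never reads a half-written file.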