...
Properly deployed and operational Cloud Agents typically communicate directly with the Qualys Cloud over the Internet and, depending on the Cloud Agent Configuration Profile, the agent(s) will periodically send software and vulnerability information to the organisation’s Qualys cloud instance.
NOTE: The Platform does not communicate with Cloud Agents directly, nor do Cloud Agents communicate with the Platform. The Platform relies on vulnerability data provided by Qualys vulnerability reports (in XML format).
An organisation’s Qualys cloud instance builds an inventory of software and vulnerability data for each deployed Cloud Agent and maintains this inventory on the basis of a ‘last known’ state.
...
IMPORTANT NOTE: When a Cloud Agent is deemed offline by Qualys, the Qualys cloud still maintains a ‘last known’ state of the agent’s software and vulnerability data. As such, reports generated by Qualys may also contain vulnerability data for an offline agent’s ‘last known’ state.
Reporting Qualys Cloud Agent Data in the Platform
...
Qualys vulnerability reports that are generated from Cloud Agent data will include all agents that match the scope of the vulnerability report.
For example, if the scope of a Qualys Cloud Agent vulnerability report is based on a tag (assigned to the Cloud Agent(s)), the report will include any Cloud Agent that matches this tag, whether the Cloud Agent is offline or online at the time the report is generated.
NOTE: Regardless of a Cloud Agent’s offline/online status at the moment a vulnerability report is generated by Qualys, the report will include all in-scope Cloud Agents that match the scope of the report.
Structure and Contents of a Qualys XML Report
The Platform supports the processing of XML reports generated by Qualys. This is the case whether an XML report is manually downloaded from Qualys (and imported into the Platform), or whether the Platform is instructed to retrieve the report via the Qualys API.
Regardless of how the Platform gets the XML report, it is the contents of that XML report that the Platform processes.
When reviewing the contents of a typical XML-formatted report from Qualys, it is apparent that metadata specific to Cloud Agent operation is absent from the report. This includes whether an agent was offline at the time of the report, when an agent last checked in (to Qualys) and when an agent last performed a scan (of its host).
The XML report provides a structure that is broadly separated into these sections:
Report Summary - Includes the type of report and a summary of vulnerabilities and average score
Qualys Risk Score - Provided per host (not to be confused with the industry-adopted CVSS score)
Host List - Includes specific information per host (hostname, IP, etc.) and the relevant QIDs for each host
A Glossary - Includes detailed vulnerability data per QID
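The following added example (not code from the Platform or from Qualys) shows how a consumer of such a report joins the Host List to the Glossary by QID, and why offline agents cannot be told apart from the XML alone. The element names and the sample report are constructed assumptions modelled on the four sections listed above, not the Qualys report DTD; the set of known-offline hosts is assumed to come from outside the report (for example, an export of the Cloud Agent console).

```python
import xml.etree.ElementTree as ET

# Constructed sample report; element names are assumptions, not the Qualys DTD.
# Note that no HOST carries a "last checked in" or "offline" field.
SAMPLE_REPORT = """<?xml version="1.0"?>
<REPORT>
  <REPORT_SUMMARY><REPORT_TYPE>Cloud Agent Vulnerability Report</REPORT_TYPE></REPORT_SUMMARY>
  <HOST_LIST>
    <HOST><IP>10.0.0.11</IP><DNS>web01.example.test</DNS><QUALYS_RISK_SCORE>640</QUALYS_RISK_SCORE>
      <VULN_INFO_LIST><VULN_INFO><QID>100001</QID></VULN_INFO><VULN_INFO><QID>100002</QID></VULN_INFO></VULN_INFO_LIST>
    </HOST>
    <HOST><IP>10.0.0.12</IP><DNS>old-build01.example.test</DNS><QUALYS_RISK_SCORE>810</QUALYS_RISK_SCORE>
      <VULN_INFO_LIST><VULN_INFO><QID>100002</QID></VULN_INFO><VULN_INFO><QID>100003</QID></VULN_INFO></VULN_INFO_LIST>
    </HOST>
  </HOST_LIST>
  <GLOSSARY>
    <VULN_DETAILS><QID>100001</QID><TITLE>Sample vuln A</TITLE><SEVERITY>3</SEVERITY></VULN_DETAILS>
    <VULN_DETAILS><QID>100002</QID><TITLE>Sample vuln B</TITLE><SEVERITY>5</SEVERITY></VULN_DETAILS>
  </GLOSSARY>
</REPORT>
"""


def parse_report(xml_text):
    """Return one finding dict per (host, QID), enriched from the Glossary."""
    root = ET.fromstring(xml_text)
    # Glossary: QID -> title/severity. A QID missing here is kept but flagged,
    # so a truncated glossary does not silently drop findings.
    glossary = {}
    for vd in root.iter("VULN_DETAILS"):
        glossary[vd.findtext("QID")] = {"title": vd.findtext("TITLE"),
                                        "severity": int(vd.findtext("SEVERITY"))}
    findings = []
    for host in root.iter("HOST"):
        for vi in host.iter("VULN_INFO"):
            qid = vi.findtext("QID")
            detail = glossary.get(qid, {"title": "QID not in glossary", "severity": 0})
            findings.append({"host": host.findtext("DNS"), "ip": host.findtext("IP"),
                             "risk_score": int(host.findtext("QUALYS_RISK_SCORE")),
                             "qid": qid, **detail})
    return findings


def drop_offline_hosts(findings, offline_hosts):
    """Filter out known-offline agents. The report itself has no check-in
    metadata, so this set must be supplied from the Cloud Agent console."""
    return [f for f in findings if f["host"] not in offline_hosts]


if __name__ == "__main__":
    all_findings = parse_report(SAMPLE_REPORT)
    active = drop_offline_hosts(all_findings, {"old-build01.example.test"})
    print(len(all_findings), "findings in report;", len(active), "after removing offline agents")
```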
Reported Vulnerabilities in the Platform
As stated earlier in this article, the Platform can process and present vulnerability data from reports generated by Qualys. The vulnerability data on which the Platform relies therefore comes from the XML-based vulnerability reports created by Qualys.
Considering that Qualys will report on Cloud Agent vulnerabilities regardless of an agent’s online/offline status, the accuracy/relevance of the data provided in the vulnerability reports from Qualys can be called into question, since inactive agents (for whatever reason they are inactive/offline) are being reported too.
NOTE: Since the Platform is reliant on the accuracy and relevance of vulnerability data in the Qualys vulnerability reports, it is not feasible for the Platform to determine if an agent should or should not be reported in the Platform. The Platform retrieves a pre-generated XML report from Qualys and processes all results in that report. If a host appears in an XML vulnerability report from Qualys, the host will also be reported into the Platform.
...
Please see Further Information / References for a Qualys article on creating asset purge rules.
...
When Cloud Agents become inactive / offline indefinitely, the Qualys Cloud Agent will need to be removed / uninstalled from the Qualys Cloud Agent console; in effect removing the ‘asset’ from the Qualys cloud instance.
Whilst an offline Cloud Agent remains ‘known’ to an organisation’s Qualys cloud instance, it may still be reported in vulnerability reports (that are later retrieved by the Platform).
Uninstalling the Cloud Agent from the host alone is not sufficient as Qualys will still consider the agent as registered / known. Uninstallation must occur (be instigated) from the Qualys Cloud console.
...
First, a view of offline Cloud Agents in the Qualys Cloud Agent console. The “Last Checked In” column and the timestamp of the VM Scan under the “Last Activity” column illustrate 5 offline agents.
A common tag has also been assigned to the Cloud Agents. This tag will be used as the scope of the Cloud Agent report generated in Qualys, which is often the method used when generating these reports in Qualys.
...
For this example, this XML report will be manually imported to the Platform. However, the Platform can retrieve this XML report automatically from Qualys via the Qualys API, which is the typical use-case when automating vulnerability data imports.
...
The issues reported into the Scan/Phase in the Platform include results from all 55 agents, even though 5 agents were offline at the time the XML report was generated in Qualys.
Furthermore, 2 of the 5 offline agents have been highlighted in the screenshot below (the other 3 offline agents are off the page).
...