Offline Hosts Reported by Qualys Cloud Agent

Offline Hosts Reported by Qualys Cloud Agent

This article details the technical relationship between the Platform and the vulnerability data generated by Qualys Cloud Agents, specifically as it relates to vulnerability data that Qualys reports for Cloud Agents (hosts) that are ‘offline’, either temporarily or indefinitely.

Overview

Amongst other data types, the Qualys Cloud Agent provides vulnerability data gathered from hosts on which the Cloud Agent product is installed.

Through the supported Qualys API integration, or via manual upload (of XML-formatted results), the Platform can process and present this vulnerability data from reports generated by Qualys.

Qualys Cloud Agent Operation

NOTE: A detailed explanation of the Cloud Agent’s operation is beyond the scope of this article. Resources for the Cloud Agent can be found on the Qualys Documentation here:

https://docs.qualys.com/en/ca/portal/latest/#t=agents%2Fmanage_agents.htm

The Qualys Cloud Agent is a software-based agent installed on supported operating systems, enabling organisations to gather, amongst other data types, software and vulnerability data from their servers, workstations and laptops.

Properly deployed and operational Cloud Agents typically communicate directly with the Qualys Cloud over the Internet and, depending on the Cloud Agent Configuration Profile, the agent(s) periodically send software and vulnerability information to the organisation’s Qualys cloud instance.

NOTE: The Platform does not communicate with Cloud Agents directly, nor do Cloud Agents communicate with the Platform. The Platform relies solely on the vulnerability data provided by Qualys vulnerability reports (in XML format).

An organisation’s Qualys cloud instance builds an inventory of software and vulnerability data for each deployed Cloud Agent and maintains this inventory on the basis of a ‘last known’ state.

Assuming a host asset, such as a server or workstation, remains active (i.e. powered on with access to the Internet), the Cloud Agent will typically provide ‘fresh’ software and vulnerability data every 4 hours (this frequency can be defined and adjusted using Cloud Agent Configuration Profiles).

Offline Qualys Cloud Agents

Workstations and laptops are frequently powered off when not in use; this is expected behaviour, for example when users power down their devices at the end of a working day, when on extended leave, or when a device is being decommissioned (i.e. when a user leaves an organisation).

Whilst servers are generally on 24/7, once a server is decommissioned its Cloud Agent will likewise appear offline to the Qualys cloud instance.

An organisation’s Qualys cloud instance will detect when Cloud Agents don’t ‘report back’ due to being offline, i.e. either powered down or unable to access the Internet.

IMPORTANT NOTE: When a Cloud Agent is deemed offline by Qualys, the Qualys cloud still maintains a ‘last known’ state of the agent’s software and vulnerability data. As such, reports generated by Qualys may also contain vulnerability data reflecting an offline agent’s ‘last known’ state.

Reporting Qualys Cloud Agent Data in the Platform

Qualys Reporting Data

Qualys vulnerability reports that are generated from Cloud Agent data will include all agents that match the scope of the vulnerability report.

For example, if the scope of a Qualys Cloud Agent vulnerability report is based on a tag (assigned to Cloud Agent(s)), the report will include any Cloud Agent that matches this tag, whether the Cloud Agent is offline or online at the time the report is generated.

NOTE: Regardless of a Cloud Agent’s offline/online status at the moment a vulnerability report is generated by Qualys, the report will include all Cloud Agents that match the scope of the report.

Structure and Contents of a Qualys XML Report

The Platform supports the processing of XML reports generated by Qualys. This is the case whether an XML report is manually downloaded from Qualys (and imported in to the Platform), or whether the Platform is instructed to retrieve the report via the Qualys API.

Regardless of how the Platform obtains the XML report, it is the contents of that XML report that the Platform processes.

When reviewing the contents of a typical XML-formatted report from Qualys, it is apparent that metadata specific to Cloud Agent operation is absent from the report. This includes whether an agent was offline at the time of the report, when an agent last checked in (to Qualys) and when an agent last performed a scan (of its host).

The XML report provides a structure that is broadly separated into these sections:

  • Report Summary - Includes the type of report and a summary of vulnerabilities and average score

  • Qualys Risk Score - Provided per host (not to be confused with the industry-adopted CVSS score)

  • Host List - Includes specific information per host (hostname, IP etc.) and the relevant QIDs for each host

  • A Glossary - Includes detailed vulnerability data per QID

Reported Vulnerabilities in the Platform

As stated earlier in this article, the Platform can process and present vulnerability data from reports generated by Qualys; therefore the vulnerability data on which the Platform relies comes entirely from the XML-based vulnerability reports created by Qualys.

Given that Qualys will report on Cloud Agent vulnerabilities regardless of an agent’s online/offline status, the accuracy and relevance of the data provided in the Qualys vulnerability reports can be called into question, since inactive agents (for whatever reason they are inactive/offline) are being reported too.

NOTE: Since the Platform is reliant on the accuracy and relevance of the vulnerability data in the Qualys vulnerability reports, it is not feasible for the Platform to determine whether an agent should or should not be reported in the Platform. The Platform retrieves a pre-generated XML report from Qualys and processes all results in that report.

If a host appears in an XML vulnerability report from Qualys, the host will also be reported into the Platform.
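Because the XML report carries no check-in metadata, the only way to tell which reported hosts were offline is to cross-reference the report against the “Last Checked In” data from the Cloud Agent console before (or after) the import. The following script is an added example, not code from the Platform or from Qualys: it parses a constructed, simplified report (element names modelled on the Host List and Glossary sections described above, not the exact Qualys schema) and flags each host as online, offline or unknown using a constructed check-in export and a staleness threshold of twice the 4-hour reporting interval.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample report. Element names (HOST_LIST/HOST/DNS/IP/QID_LIST, GLOSSARY)
# are assumptions that mirror the sections the article names; QIDs are made up.
SAMPLE_REPORT = """<REPORT>
 <HOST_LIST>
  <HOST><DNS>ws-alice</DNS><IP>10.0.0.11</IP><QID_LIST><QID>100001</QID><QID>100002</QID></QID_LIST></HOST>
  <HOST><DNS>ws-bob</DNS><IP>10.0.0.12</IP><QID_LIST><QID>100001</QID></QID_LIST></HOST>
  <HOST><DNS>srv-old</DNS><IP>10.0.1.5</IP><QID_LIST><QID>100002</QID></QID_LIST></HOST>
 </HOST_LIST>
 <GLOSSARY><VULN><QID>100001</QID><TITLE>Constructed QID A</TITLE></VULN>
           <VULN><QID>100002</QID><TITLE>Constructed QID B</TITLE></VULN></GLOSSARY>
</REPORT>"""

# Constructed stand-in for the console's "Last Checked In" column (UTC timestamps).
AGENT_LAST_CHECKIN = {
    "ws-alice": "2025-03-13T09:40:00Z",   # checked in under an hour before the report
    "ws-bob":   "2025-03-01T17:05:00Z",   # laptop powered off for nearly two weeks
    # "srv-old" has no agent record: decommissioned host still in the report's last-known state
}
REPORT_TIME = datetime(2025, 3, 13, 10, 30, tzinfo=timezone.utc)   # constructed

def parse_hosts(xml_text):
    """Return one dict per host in the report's Host List: hostname, IP and reported QIDs."""
    root = ET.fromstring(xml_text)
    return [{"hostname": h.findtext("DNS"), "ip": h.findtext("IP"),
             "qids": [q.text for q in h.findall("./QID_LIST/QID")]}
            for h in root.findall("./HOST_LIST/HOST")]

def classify_hosts(hosts, last_checkin, report_time, max_age=timedelta(hours=8)):
    """Map hostname -> 'online', 'offline' (check-in older than max_age) or 'unknown' (no record)."""
    status = {}
    for h in hosts:
        seen = last_checkin.get(h["hostname"])
        if seen is None:
            status[h["hostname"]] = "unknown"
            continue
        age = report_time - datetime.fromisoformat(seen.replace("Z", "+00:00"))
        status[h["hostname"]] = "online" if age <= max_age else "offline"
    return status

def offline_report():
    """Classify every host in the constructed report as of REPORT_TIME."""
    return classify_hosts(parse_hosts(SAMPLE_REPORT), AGENT_LAST_CHECKIN, REPORT_TIME)

if __name__ == "__main__":
    for hostname, state in offline_report().items():
        print(f"{hostname}: {state}")
```

Hosts flagged offline or unknown are the candidates for the purge rules and offboarding steps described under Recommendations and Guidance; the script only reports, it does not alter the XML.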

Recommendations and Guidance

The ability to report on agents that are offline appears to be considered a benefit/feature, and is documented in the Qualys Cloud Agent datasheet (see Further Information / References for link(s)).

That being said, as it relates to integration with the Platform, there are some steps that can be taken to manage what may be considered ‘anomalous’ hosts and associated issues appearing in the Platform.

Use Auto-Purging for Cloud Agent Assets

The Auto Purge feature in Qualys is often disabled/unavailable by default in a new Qualys subscription. A Support ticket can be raised with Qualys Technical Support to request that this feature be enabled on a Qualys subscription.

Please see Further Information / References for a Qualys article on creating asset purge rules.

Implement an Offboarding Process for Obsolete Cloud Agents

When a Cloud Agent will become inactive/offline indefinitely, the Cloud Agent will need to be removed/uninstalled from the Qualys Cloud Agent console, in effect removing the ‘asset’ from the Qualys cloud instance.

Whilst an offline Cloud Agent remains ‘known’ to an organisation’s Qualys cloud instance, it may still be reported in vulnerability reports (that are later retrieved by the Platform).

Uninstalling the Cloud Agent from the host alone is not sufficient, as Qualys will still consider the agent as registered/known. Uninstallation must be instigated from the Qualys Cloud console.

Further Information / References

Example of Qualys Cloud Agent Reporting in the Platform

We’ll provide a working example of Qualys Cloud Agent vulnerability reports and the presentation of their results in the Platform, as it relates to offline hosts (Cloud Agents).

First, a view of offline Cloud Agents in the Qualys Cloud Agent console. The “Last Checked In” column and the timestamp of the VM Scan under the “Last Activity” column show 5 offline agents.

A common tag has been assigned to the Cloud Agents. This tag will be used for the scope of the Cloud Agent report generated in Qualys, as is often the method used when generating these reports in Qualys.


For comparison, the full set of agents (online and offline) carrying this same tag totals 55 agents:

Next, a report template called Rootshell_CloudAgent_Report has been defined with a scope of findings that will be based on the tag highlighted above:


Let’s create and run a new XML report from this template, ready for importing into the Platform:

For this example, the XML report will be manually imported into the Platform. However, the Platform can also retrieve this XML report automatically from Qualys via the Qualys API, which is the typical use case when automating vulnerability data imports.

The issues reported into the Scan/Phase in the Platform include results from all 55 agents, even though 5 agents were offline at the time the XML report was generated in Qualys.

Furthermore, 2 of the 5 offline agents have been highlighted in the screenshot below (the other 3 offline agents are off the page).