RiskIQ / Qualys Utility Tool

Overview

Name

Qualys / RiskIQ Python Utility Tool 


Description

This utility tool lets you select host and website assets from RiskIQ and import them into Qualys as either an IP (Vulnerability Management Module) or a web application (Web Application Scanning Module). Host and web assets in RiskIQ must be tagged before processing; users can apply tags dynamically in the platform.

  • Qualys - Vulnerability Management (VM) Module:
    • picks up both host and website assets in RiskIQ and captures each asset’s IP address, which is then imported to Qualys
  • Qualys - Web Application Scanning (WAS) Module:
    • picks up ONLY website assets in RiskIQ for the asset’s URL, which is then imported to Qualys

Beyond importing assets, the tool can generate on-demand VM scans, import RiskIQ assets into existing Qualys asset groups, and create tags within Qualys.


Tags

Vulnerability, Vulnerability Scanner, Qualys, Asset Sync, Inventory Tagging 


Capabilities

Inventory Tagging, Inventory Import, Vulnerability Scanning, Workflow, Asset Grouping 

Supporting Materials


REPOSITORY:  https://bitbucket.org/riskiq/whiplash-external/src/master/Integrations/


Functionality and usage

Overview

The utility tool lets users build workflows between RiskIQ and Qualys in 4 different ways.

  1. Sync Assets: Assets selected in RiskIQ via tag(s) are created in the Qualys Vulnerability Management module as IPs. An asset group (ag_title) is required for managers.
    Currently supports the Host and Website asset types, using each asset's resolving IP.

  2. Scan Assets: Selected RiskIQ assets via tags are created as a custom asset group under the Vulnerability Management module (e.g. [2018-08-22 15:38:08] RiskIQ inventory scan.) A scan is then kicked off based on the scan profile passed in.

  3. Create Web App: Selected RiskIQ websites via tags are created under the Web Application Scanning module. (Qualys tag id optional)

  4. Get Scan Results: Automatically retrieves scan results by the “scan reference ID” and outputs them in JSON format.

RiskIQ API and Qualys API Configuration

Both RiskIQ and Qualys API credentials are set up in the home directory under ~/.config/riskiq

RiskIQ: create a file named “api_config.json” with:

{
   "api_token": "api token",
   "api_private_key": "private key"
}

Qualys: create a file named “qualys-settings.txt” with:

[info]
hostname = qualysapi.qg3.apps.qualys.com
username = username
password = password

# Set the maximum number of retries each connection should attempt. Note, this applies only to failed connections and timeouts, never to requests where the server returns a response.
max_retries = 10
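
Both files above hold secrets in clear text, so it is worth checking them before the tool is run. The following is an added example, not part of the tool or its repository: it checks that the two documented files exist, are readable only by their owner, and contain the documented keys. The function name audit_credentials and the owner-only permission policy are assumptions of this example.

```python
import configparser
import json
import stat
from pathlib import Path

# File names and keys are the ones documented on this page.
RISKIQ_FILE = "api_config.json"
QUALYS_FILE = "qualys-settings.txt"
RISKIQ_KEYS = ("api_token", "api_private_key")
QUALYS_KEYS = ("hostname", "username", "password")


def audit_credentials(config_dir):
    """Return a list of findings for the two credential files (empty list = OK)."""
    findings = []
    for name in (RISKIQ_FILE, QUALYS_FILE):
        path = Path(config_dir) / name
        if not path.is_file():
            findings.append(f"{name}: missing")
            continue
        # Assumed policy: clear-text secrets should be owner-only (e.g. 0600).
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {mode:04o} is accessible to group/other")
        text = path.read_text()
        if name == RISKIQ_FILE:
            try:
                data = json.loads(text)
            except json.JSONDecodeError:
                findings.append(f"{name}: not valid JSON")
                continue
            data = data if isinstance(data, dict) else {}
            missing = [k for k in RISKIQ_KEYS if not data.get(k)]
        else:
            # interpolation=None so a '%' in the password is read literally.
            parser = configparser.ConfigParser(interpolation=None)
            try:
                parser.read_string(text)
            except configparser.Error:
                findings.append(f"{name}: not valid INI")
                continue
            section = parser["info"] if parser.has_section("info") else {}
            missing = [k for k in QUALYS_KEYS if not section.get(k)]
        findings.extend(f"{name}: '{k}' missing or empty" for k in missing)
    return findings


if __name__ == "__main__":
    for finding in audit_credentials(Path.home() / ".config" / "riskiq"):
        print(finding)
```

Running "chmod 600" on each file that is reported as accessible to group/other clears that finding.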


Sync Assets

Based on the RiskIQ tag(s) provided, this pulls all assets of type “host” and “website”, takes each one's resolving IP address, and creates it as a host asset. If an asset group (ag_title) is provided, the host assets are assigned to that asset group inside Qualys.

In order to create host assets under a specific asset group, the Qualys user must have the asset group under its business unit. (group_1, group_2 and group_3 are available in this example)



From the image above, the logged in Qualys user’s business unit has multiple asset groups under it. This gives the user proper scope to create host assets under these asset groups.


To run it:

Navigate to the root directory and run the command in command line:

Without an Asset Group

  • python riskiq-qualys.py syncAssets "tag in riskiq"

With an Asset Group

  • python riskiq-qualys.py syncAssets -a "group_1" "tag in riskiq"


Scan Assets

This action performs on-demand vulnerability management scanning of RiskIQ assets with a specified scan profile. Host assets will be created under an asset group with today’s date and time.


The image above shows the Qualys VM module. In a successful asset scan creation we can see one of the asset groups was created with the title “[2018-8-22 15:38:08] RiskIQ inventory scan” along with multiple IPs within it.

When the asset group is created, a scan will be triggered by the tool automatically and the user can receive email notification on the status.

Navigate to the root directory and run the command in command line:

  • python riskiq-qualys.py scanAssets "my scan profile" "riskiq tag1" "riskiq tag2"



Create Web App

Selected RiskIQ web apps (websites) via tags will be created as web applications in the Web Application Scanning module in Qualys. (If tag id is provided it will automatically tag the assets with the proper tags, see below)


In the RiskIQ portal, we can see 2 websites are assigned with the “For Qualys” tag.


To run it:

Navigate to the root directory and run the command in command line:

With the tag id:

  • python riskiq-qualys.py createWebApp -i "12345" "For Qualys"

Without the tag id:

  • python riskiq-qualys.py createWebApp "For Qualys"

By default the web apps are created with a name (the website URL), a URL, and an optional Qualys tag id.


From the image above we can see 2 web applications were created in Qualys with the RiskIQ tag (in this case the tag id is “12345”).


Get Scan Results

This fetches the result of a completed scan. The result can only be fetched once the scan is finished.


Above is a sample of the response output

To run it:

Navigate to the root directory and run the command in command line:

  • python riskiq-qualys.py getScanResults "scan/id"