Spelunking Your Qualys Data with Splunk

Jeff Leggett

For the uninitiated, “spelunking” is the exploration of underground caves and caverns, and it’s not for the faint of heart. This increasingly popular sport involves walking, climbing, crawling, or zip-lining blindly into the dark abyss with only a headlamp… and spiders and bats for company.

Luckily for Qualys enterprise customers, the act of plunging into the contextual security data stored in the Qualys Cloud Platform is not nearly so intimidating. What’s more, it’s just as rewarding an experience.

Splunk is one of the oldest integrations we have at Qualys and now includes a whopping eight apps in Splunk’s Splunkbase! Splunk ingests data in many different formats, indexes it so it can be searched at will, and lets you build dashboards and reports that correlate many disparate data sources.

Qualys Cloud Platform services integrate with eight Splunk apps

The primary app that our customers begin with is Qualys Technology Add-on for Splunk, which acts as the connector for all Qualys data into Splunk. This app is required, but all the others are optional. That said, they each uniquely apply Qualys data using the appropriate app’s technology. These apps use Splunk’s Search Processing Language (SPL) to build dashboards and reports as a starting point for a customer organization’s cybersecurity metrics.

Currently, the connector supports the following Qualys cloud services: 

Note: The older Qualys Indicator of Compromise app has been deprecated and is replaced by our EDR solution. Qualys VMDR and Qualys WAS are formatted into Splunk’s CIM (Common Information Model) for standardized uses.

Setting up Qualys TA for Splunk is an easy process. Enabling all of the above is done as with any Splunk app, with initial configuration completed on the app setup screen, as shown below.

Configuring Qualys TA for Splunk

The final step is to set up the data inputs. 

Setting up inputs to feed Qualys data into Splunk

The Qualys TA for Splunk Setup Guide goes into a lot more detail, including default event types, app management and troubleshooting, and what’s new. Once you have completed these additional setup steps, all of the pre-made apps will auto-populate!

As a Qualys and Splunk joint customer, you can use this data in our cloud services, your own dashboards and reports, Splunk Enterprise, Splunk Enterprise Security, or Splunk Cloud. The flexibility and scalability of the Splunk platform are hard to beat, which is why so many of the world’s leading enterprises use us both in concert.

Hopefully as a successful Qualys/Splunk “spelunker”, you will emerge from the darkness with a better understanding of the power of Qualys data in Splunk’s ecosystem!
