Spelunking Your Qualys Data with Splunk
For the uninitiated, “spelunking” is the exploration of underground caves and caverns, and it’s not for the faint of heart. This increasingly popular sport involves walking, climbing, crawling, or zip-lining blindly into the dark abyss with only a headlamp… and spiders and bats for company.
Luckily for Qualys enterprise customers, the act of plunging into the contextual security data stored in the Qualys Cloud Platform is not nearly so intimidating. What’s more, it’s just as rewarding an experience.
Splunk is one of the oldest integrations we have at Qualys and includes a whopping eight apps now in Splunk’s Splunkbase! Splunk allows the input of data in many different formats to then be indexed and searched at will, and dashboards and reports to be built correlating many disparate data sources.
The primary app that our customers begin with is Qualys Technology Add-on for Splunk, which acts as the connector for all Qualys data into Splunk. This app is required, but all the others are optional. That said, they each uniquely apply Qualys data using the appropriate App’s technology. These apps use Splunk’s SPL language to build dashboards and reports as a starting point for a customer organization’s cybersecurity metrics.
Currently, the connector supports the following Qualys cloud services:
- Qualys VMDR
- Qualys Policy Compliance & PC Reporting Service
- Qualys Web Application Scanning
- Qualys Multi-Vector EDR
- Qualys Container Security
- Qualys File Integrity Monitoring
- Qualys Security Enterprise Mobility
Note: The older Qualys Indicator of Compromise app has been deprecated and is replaced by our EDR solution. Qualys VMDR and Qualys WAS are formatted into Splunk’s CIM (Common Information Model) for standardized uses.
The setup of Qualys TA for Splunk is an easy process. For enabling all of the above is done as with any Splunk app, with initial configuration completed on the App setup screen, as shown below.
The final step is to set up the data inputs.
The Qualys TA for Splunk Setup Guide goes into a lot more detail, including default event types, app management and troubleshooting, and what’s new. Once you have completed these additional setup steps, all of the pre-made apps will auto-populate!
As a Qualys and Splunk joint customer, you can use this data in our cloud services, your own dashboards and reports, Splunk Enterprise, Splunk Enterprise Security, or Splunk Cloud. The flexibility and scalability of the Splunk platform are hard to beat, which is why so many of the world’s leading enterprises use us both in concert.
Hopefully as a successful Qualys/Splunk “spelunker”, you will emerge from the darkness with a better understanding of the power of Qualys data in Splunk’s ecosystem!
We are Using the Qualys Add-on for splunk bu we noticed Splunk TA Qualys: many vulnerability informations are missing in Splunk.
Documentation linked from apps.splunk.com is broken: https://community.qualys.com/docs/DOC-4876
The other apps you list here, don’t show the same dates available over at Splunkbase?
EDR app for example shows December 15, 2021 over there, but your screenshot shows Sept 15, 2022