Custom Qualys-Jira Integration Whitepaper

Document created by Laura Seletos (Qualys Employee) on Sep 19, 2019. Last modified by Laura Seletos on Dec 5, 2019.


Version 3 | Updated on 12/05/2019

Qualys Modules Covered in Scope: VM, PC, FIM, CS, WAS

 

Getting Started

Due to the high community demand for custom Jira integrations, this write-up guides you through a best-practice architecture for scripting your own custom integration between Qualys and Jira.

 

Note: Qualys is currently exploring the development of an out-of-box integration with Jira for the second half of 2020.

 

When creating integrations, first determine how your company wants to consume the data sent from Qualys to your third-party tool. If the point of your integration is to drive remediation efforts, format the data to fit your team's remediation workflow.

Here are some examples:

  • Vulnerability Management (VM) Example: Instead of creating a ticket for every vulnerability per host, structure your tickets so that 1 ticket is created per patch and all applicable hosts are listed within that 1 ticket. That way, when a remediation analyst receives the ticket, they know which patch to deploy to which group of hosts.
  • Policy Compliance (PC) Example: Instead of creating a ticket for every configuration failure per host, structure your tickets so that 1 ticket is created per global control failure and all applicable hosts are listed within that 1 ticket. That way, when a remediation analyst receives the ticket, they focus on making the configuration change globally for all hosts listed.
  • File Integrity Monitoring (FIM) Example: Only create tickets for FIM incidents that require escalation, rather than a ticket for every FIM event.
  • Container Security (CS) Example: Only create tickets for container image vulnerabilities, rather than a ticket for every container vulnerability.
    • Note: If you collected vulnerabilities from all containers, you would spam your Jira instance with stale data. Images are the recommended unit for tracking and remediating vulnerabilities.
  • Web Application Scanning (WAS) Example: Only create 1 ticket per web app, with the relevant vulnerabilities detailed in the body of the ticket, rather than a ticket for every vulnerability detected.

 

Technical Requirements

  1. Create a new Qualys user specifically for this integration (after activation, make this an API-only account by removing GUI access in the Qualys admin page).
  2. Identify your Qualys Platform.
  3. Set up a Jira account with API access.
    • Note: It will be helpful to work with an internal Jira contact to determine how Jira is configured within your environment (cloud vs on-prem, whether it is set up to open tickets from emails, etc.) and to assist with Jira API calls.
  4. A scripting server to run your integration script (a Linux host that runs Python is most popular).
  5. Network access from your scripting server to your Qualys Platform and your Jira instance.

 

High-level Integration Logic Overview

  1. From your scripting server, run the Qualys API query against your Qualys subscription to collect relevant data.
  2. Have your script parse and reformat the response data from Qualys into your preferred Jira format.
  3. Send reformatted Qualys data to Jira API to create a new ticket.
    • Note: This can be done via an email-to-ticket or API-to-ticket workflow.
  4. [Optional] Use Qualys metadata to determine who to assign the Jira ticket to for remediation.
  5. [Optional] Close the Jira ticket based on status changes within Qualys.

 

Vulnerability Management (VM) Detailed Workflow


(Optional) Using Qualys Continuous Monitoring (CM) Module to Open Jira Tickets via Emails


Integration Setup Steps

Note: These steps only need to be set up once, whereas the next section needs to run continuously.

  1. Define your criteria for creating a ticket

    • Ex: Create tickets for Confirmed, Severity 4-5 Vulnerabilities where a patch is available.
  2. Once your ticket criteria are defined, you will create a dynamic search list

    • API Call Example: 
      • curl -u "username:password" -H "X-Requested-With: Curl" -X "POST" -d "action=create&title=JIRA+Integration+Dynamic+Ticket+Criteria&global=1&comments=JIRA+Integration&confirmed_severities=4,5&patch_available=1" "https://qualysapi.qualys.com/api/2.0/fo/qid/search_list/dynamic/"
      • Notes:
        • You can also create your dynamic Jira ticket criteria search list within the Qualys UI. Navigate there by going to Vulnerability Management -> KnowledgeBase -> Search Lists -> New Button -> Dynamic List and title your new search list "JIRA Integration Dynamic Ticket Criteria".
          • This supports ThreatDetection RTIs if you have that module enabled in your subscription.
        • You can find additional details by going to the API User Guide under the "Create dynamic search list" section in the table of contents (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf ).

Integration Script to be run on a Schedule

  1. Pull all Relevant Host List Detection (HLD) Data

  2. Parse Host List Detection Data and Create Ticket with Jira API

  3. (Optional) Database tracking of ticket status

    • For more advanced use cases, you can have a local database track the ticket IDs that are open to maintain ticket-state awareness.
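As an added example (not code from the whitepaper), the following Python groups a Host List Detection response by QID so that one Jira ticket covers one patch and every affected host, as the VM example above recommends. The XML is a constructed sample shaped like the HLD API output, and the project key "SEC" and issue type "Task" are assumed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like a Host List Detection (HLD) response; not real scan output.
SAMPLE_HLD = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
<HOST><ID>101</ID><IP>10.0.0.5</IP><DNS>web01</DNS><DETECTION_LIST>
<DETECTION><QID>91500</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
<DETECTION><QID>38170</QID><TYPE>Potential</TYPE><SEVERITY>4</SEVERITY><STATUS>Active</STATUS></DETECTION>
</DETECTION_LIST></HOST>
<HOST><ID>102</ID><IP>10.0.0.6</IP><DNS>db01</DNS><DETECTION_LIST>
<DETECTION><QID>91500</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
</DETECTION_LIST></HOST>
<HOST><ID>103</ID><IP>10.0.0.7</IP><DNS>app01</DNS><DETECTION_LIST>
<DETECTION><QID>91500</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Fixed</STATUS></DETECTION>
</DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""


def group_hld_by_qid(xml_text, min_severity=4):
    """Map QID -> affected host labels for Confirmed, not-yet-Fixed detections
    at or above min_severity (the page's 'Confirmed, Severity 4-5' criteria)."""
    hosts_by_qid = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("HOST"):
        label = f"{host.findtext('DNS') or 'unknown'} ({host.findtext('IP')})"
        for det in host.iter("DETECTION"):
            if det.findtext("TYPE") != "Confirmed" or det.findtext("STATUS") == "Fixed":
                continue
            if int(det.findtext("SEVERITY") or 0) < min_severity:
                continue
            hosts_by_qid[det.findtext("QID")].append(label)
    return dict(hosts_by_qid)


def build_jira_issues(hosts_by_qid, project_key="SEC", issue_type="Task"):
    """One Jira REST 'create issue' payload per QID; every host goes in the description.
    project_key and issue_type are assumed values for this example."""
    issues = []
    for qid, hosts in sorted(hosts_by_qid.items()):
        uniq = sorted(set(hosts))
        issues.append({"fields": {
            "project": {"key": project_key},
            "issuetype": {"name": issue_type},
            "summary": f"Deploy patch for QID {qid} on {len(uniq)} host(s)",
            "description": "Hosts requiring this patch:\n" + "\n".join(f"* {h}" for h in uniq),
        }})
    return issues
```

Each payload in the returned list is what you would POST as JSON to Jira's issue-creation endpoint.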

 

Policy Compliance (PC) Detailed Workflow

  1. Pull all Relevant Compliance Posture Information (Posture) Data

  2. Parse Compliance Posture Information Data and Create Ticket with Jira API

  3. (Optional) Database tracking of ticket status

    • For more advanced use cases, you can have a local database track the ticket IDs that are open to maintain ticket-state awareness.
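The optional database-tracking step appears in every module workflow in this document, so here is one added example (not the whitepaper's code) that serves all of them: a small SQLite table of open Jira tickets keyed by the Qualys item they track, reconciled against whatever the latest Qualys pull still reports as active, which also yields the tickets that can be closed. The table layout and the key format (for instance "VM:91500" or "PC:CID-1234") are assumptions for this example.

```python
import sqlite3


def open_db(path=":memory:"):
    """Open (or create) the tracking database; use a file path in production."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS tickets (
        qualys_key TEXT PRIMARY KEY,            -- assumed format, e.g. 'VM:91500' or 'PC:CID-1234'
        jira_key   TEXT NOT NULL,               -- e.g. 'SEC-42'
        status     TEXT NOT NULL DEFAULT 'open')""")
    return db


def record_ticket(db, qualys_key, jira_key):
    """Remember a ticket the script just created (or re-opened) for a Qualys item."""
    db.execute("INSERT OR REPLACE INTO tickets VALUES (?, ?, 'open')", (qualys_key, jira_key))
    db.commit()


def mark_closed(db, jira_key):
    """Record that the Jira ticket was closed so it is no longer considered open."""
    db.execute("UPDATE tickets SET status = 'closed' WHERE jira_key = ?", (jira_key,))
    db.commit()


def reconcile(db, active_keys):
    """Compare the Qualys items still active in the latest pull with the open tickets.
    Returns (qualys keys that need a new ticket, jira keys whose item is no longer active)."""
    active = set(active_keys)
    rows = db.execute("SELECT qualys_key, jira_key FROM tickets WHERE status = 'open'").fetchall()
    tracked = dict(rows)
    to_create = sorted(active - tracked.keys())
    to_close = sorted(jk for qk, jk in tracked.items() if qk not in active)
    return to_create, to_close
```

On each scheduled run, call reconcile() with the keys from the current Qualys pull, create tickets for to_create and record them, and close (and mark_closed) the ones in to_close.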

 

File Integrity Monitoring (FIM) Detailed Workflow

  1. Pull all Relevant File Integrity Monitoring Incident Data

  2. Parse File Integrity Monitoring Incident Data and Create Ticket with Jira API

    1. Jira REST API examples: https://developer.atlassian.com/server/jira/platform/jira-rest-api-examples/

    2. You can use their developer community for additional examples: Getting started 

  3. (Optional) Database tracking of ticket status

    • For more advanced use cases, you can have a local database track the ticket IDs that are open to maintain ticket-state awareness.

 

Container Security (CS) Detailed Workflow

  1. Pull all Relevant Container Image Vulnerability Data

  2. Parse the Container Image Vulnerability Data and Create Ticket with Jira API

    1. Jira REST API examples: https://developer.atlassian.com/server/jira/platform/jira-rest-api-examples/

    2. You can use their developer community for additional examples: Getting started 

  3. (Optional) Database tracking of ticket status

    • For more advanced use cases, you can have a local database track the ticket IDs that are open to maintain ticket-state awareness.
  4. (Optional) Advanced integration option

    • Create a Jira ticket for images found by a general sensor where they weren't found in CI or Registry.

 

Web Application Scanning (WAS) Detailed Workflow

  1. Pull all Relevant Web App Vulnerability (Findings) Data

    • API Call Example:
      curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/search/was/finding/" < file.xml
    • Sample “file.xml”:
      <ServiceRequest>
      <preferences>
      <verbose>false</verbose>
      </preferences>
      <filters>
      <Criteria field="type" operator="EQUALS">VULNERABILITY</Criteria>
      <Criteria field="severity" operator="IN">5</Criteria>
      <Criteria field="status" operator="IN">NEW,ACTIVE,REOPENED</Criteria>
      <Criteria field="findingType" operator="IN">QUALYS</Criteria>
      </filters>
      </ServiceRequest>
  2. Parse WAS Findings Data and Create Ticket with Jira API

      1. Jira REST API examples: https://developer.atlassian.com/server/jira/platform/jira-rest-api-examples/

      2. You can use their developer community for additional examples: Getting started 

    • (Optional) Database tracking of ticket status

      • For more advanced use cases, you can have a local database track the ticket IDs that are open to maintain ticket-state awareness.
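The curl call above returns only the first page of findings; the WAS API reports hasMoreRecords and lastId in each response, and the documented way to continue is to resend the request with an additional id GREATER criterion. This added Python example (not the whitepaper's code) builds the page's ServiceRequest filter, pages through the results, and groups findings per web app so one ticket can be opened per app. The canned responses and fake_post are constructed stand-ins for the real HTTPS POST so the block runs offline.

```python
import xml.etree.ElementTree as ET


def build_request(last_id=None, severities="5"):
    """ServiceRequest XML with the page's filters, plus an id GREATER criterion when paging."""
    crit = [("type", "EQUALS", "VULNERABILITY"), ("severity", "IN", severities),
            ("status", "IN", "NEW,ACTIVE,REOPENED"), ("findingType", "IN", "QUALYS")]
    if last_id is not None:
        crit.append(("id", "GREATER", str(last_id)))
    body = "".join(f'<Criteria field="{f}" operator="{o}">{v}</Criteria>' for f, o, v in crit)
    return ("<ServiceRequest><preferences><verbose>false</verbose></preferences>"
            f"<filters>{body}</filters></ServiceRequest>")


def fetch_findings_by_webapp(post):
    """Follow hasMoreRecords/lastId until exhausted; group (qid, name) per web app
    so the script can open one ticket per app, as the WAS example recommends."""
    by_app, last_id = {}, None
    while True:
        root = ET.fromstring(post(build_request(last_id)))
        if root.findtext("responseCode") != "SUCCESS":
            raise RuntimeError(root.findtext("responseErrorDetails/errorMessage") or "WAS API error")
        for fnd in root.iter("Finding"):
            by_app.setdefault(fnd.findtext("webApp/name"), []).append(
                (fnd.findtext("qid"), fnd.findtext("name")))
        if root.findtext("hasMoreRecords") != "true":
            return by_app
        last_id = int(root.findtext("lastId"))


# Constructed two-page response for running offline; real values come from the API.
PAGES = {
    None: "<ServiceResponse><responseCode>SUCCESS</responseCode><count>2</count>"
          "<hasMoreRecords>true</hasMoreRecords><lastId>12</lastId><data>"
          "<Finding><id>11</id><qid>150001</qid><name>Reflected XSS</name><webApp><name>shop</name></webApp></Finding>"
          "<Finding><id>12</id><qid>150012</qid><name>Blind SQL Injection</name><webApp><name>shop</name></webApp></Finding>"
          "</data></ServiceResponse>",
    12: "<ServiceResponse><responseCode>SUCCESS</responseCode><count>1</count>"
        "<hasMoreRecords>false</hasMoreRecords><data>"
        "<Finding><id>13</id><qid>150004</qid><name>Path Disclosure</name><webApp><name>intranet</name></webApp></Finding>"
        "</data></ServiceResponse>",
}


def fake_post(request_xml):
    """Stand-in for the HTTPS POST: serves the canned page selected by the id criterion."""
    ids = [c.text for c in ET.fromstring(request_xml).iter("Criteria") if c.get("field") == "id"]
    return PAGES[int(ids[0]) if ids else None]
```

In production, replace fake_post with a function that POSTs the XML to the search/was/finding endpoint with the same credentials and content-type header as the curl call above.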

     

Helpful API Resources
