We are seeing some strange browsing activity attached to our Qualys service account that we use for scanning. It's going to places like facebook, twitter, pandora, etc. This activity is being picked up by our Palo Alto device on hundreds, if not thousands, of systems. Some of the activity seems to be during scans of the source or destination of the traffic, but some of it is from sources that we haven't scanned for almost 2 years. We're very confused about what could be causing this type of activity from our Qualys service account on these systems. Any ideas would be much appreciated. Thanks.
Robert's right. Connect with support immediately.
Some quick steps and questions:
- Would it be possible to change the password for that service account? Ensure you update the new password on the auth record so that jobs aren't impacted.
- Are you sure the service account wasn't shared with others?
- If you assigned a static IP to your scanner appliance and someone knows the IP, then there is a chance they know the appliance has special rules to ALLOW a few things (whitelisted) on the firewall. You should investigate, and a log management setup or SIEM can help you here.
- Using a Qualys supported Vault integration is recommended.
- I assumed you were using our VM module and not WAS module.
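The "investigate with a log management setup or SIEM" step above is the one that can be automated. The script below is an added example, not code from this thread or from Qualys or Palo Alto Networks: it triages constructed firewall log lines attributed to a scanner service account and flags the two patterns the original post describes, traffic that does not originate from the scanner appliance (with a check of when that source host was last scanned) and traffic to destination categories a vulnerability scanner would never visit. The account name, appliance IP, scan history, category names and log format are all assumptions made for the example; a real Palo Alto traffic log has more fields, but the same logic applies once the source IP, URL category and user columns are extracted.

```python
"""Triage of firewall traffic attributed to a scanner service account.

Added example with constructed data: the account name, appliance IP,
scan history and log lines below are invented for illustration and are
not real Qualys or Palo Alto values.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumptions (not from the original thread).
SERVICE_ACCOUNT = "corp\\svc_qualys"          # account as the firewall's User-ID sees it
SCANNER_APPLIANCE_IPS = {"10.20.0.15"}        # static IP(s) of the scanner appliance
UNEXPECTED_CATEGORIES = {"social-networking", "streaming-media"}
STALE_SCAN_DAYS = 90                          # older than this counts as "not recently scanned"

# Constructed scan history: host IP -> date of its last authenticated scan.
LAST_SCANNED = {
    "10.20.0.15": datetime(2024, 5, 1),
    "10.30.1.7": datetime(2024, 4, 28),
    "10.40.2.9": datetime(2022, 6, 12),       # not scanned for about two years
}

# Constructed, simplified traffic log (columns chosen for the example).
TRAFFIC_LOG = """\
time,src_ip,dst,category,user
2024-05-01T09:00:00,10.20.0.15,10.30.1.7,internal,corp\\svc_qualys
2024-05-01T09:05:00,10.30.1.7,www.facebook.com,social-networking,corp\\svc_qualys
2024-05-01T09:07:00,10.40.2.9,www.pandora.com,streaming-media,corp\\svc_qualys
2024-05-01T09:09:00,10.30.1.7,www.twitter.com,social-networking,corp\\alice
"""


def parse_log(text):
    """Parse the CSV log into dicts, converting the timestamp to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows


def triage(rows, now):
    """Return findings for service-account traffic that a scanner should not produce."""
    findings = []
    for row in rows:
        if row["user"] != SERVICE_ACCOUNT:
            continue                          # only the scanner account is in scope
        reasons = []
        if row["src_ip"] not in SCANNER_APPLIANCE_IPS:
            reasons.append("source is not a scanner appliance")
            last = LAST_SCANNED.get(row["src_ip"])
            if last is None or now - last > timedelta(days=STALE_SCAN_DAYS):
                reasons.append(f"source host not scanned within {STALE_SCAN_DAYS} days")
        if row["category"] in UNEXPECTED_CATEGORIES:
            reasons.append(f"destination category '{row['category']}' is not scanner traffic")
        if reasons:
            findings.append({"time": row["time"], "src_ip": row["src_ip"],
                             "dst": row["dst"], "reasons": reasons})
    return findings


def suspicious_sources(findings):
    """Distinct source hosts to hand to the incident responder."""
    return sorted({f["src_ip"] for f in findings})


def run(text=TRAFFIC_LOG, now_iso="2024-05-02"):
    """Convenience wrapper: parse, triage and return the findings."""
    return triage(parse_log(text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for f in run():
        print(f["time"].isoformat(), f["src_ip"], "->", f["dst"])
        for r in f["reasons"]:
            print("   ", r)
    print("hosts to investigate:", suspicious_sources(run()))
```

The distinct host list is the useful output: every host that sends service-account traffic from outside the appliance is somewhere the credential has been used, so it is also the list to revisit after the password is rotated and the auth record updated.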