10-27-2021 02:10 PM
Hi -
The built-in Qualys commands from an instance don't quite do what I want to do, so I have a Python script that uses the API to grab the last report from a map scan, filter it for systems that have specific ports open, and then upload the IP addresses of those systems to an asset group. Runs fine from my PC but I need it to kick off on its own once a week.
I'm trying to put it in as an automation in XSOAR and I have one stupid beginner problem. How do I get the credentials from a Qualys instance to use in the script? My current version is run manually so I just do a prompt for them. I can see how you'd do it with the using : my_instance parameters with already defined commands but I can't figure it out with this. Is this a BYOI situation?
10-27-2021 02:45 PM
Yes, BYOI is one way.
BTW there is a good tutorial here if you like: https://xsoar.pan.dev/docs/tutorials/tut-integration-ui/
It does sound, however, like the integration has what you need to fetch the report and update the group. So your ‘report parsing’ code could be converted to an automation, and you could do this in the playbook. E.g. fetch the report, taking the report data from context when you run your script/automation, which creates a list of IPs in context. Then, in the next playbook task, use the standard ‘update group’ with $ctx.key[] using existing integration commands.
You could also take the approach of cloning the OOTB integration. Modify the code with your function to run/get the API response result and additional API actions, all in the customer integration code. Just add the new command to the code and YAML config.
Hope that helps!
10-27-2021 02:56 PM
The way the Qualys run map report works, I'd still have the same problem with the credentials. I'd have to use custom code to find the latest run of the map scan to get the report number. Not worth the trouble when I already have a working program. I'll check out the tutorial and see if it helps.
11-08-2021 09:14 AM
How did you go? You could simply clone the integration, duplicate one of the API (Get/Post) functions, and add a new command name. This way you're simply adding the additional API end-point you're looking for (re-using instance credentials).
If this has now answered your question, please kindly accept one of the solution answers.
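The approach suggested in the replies above, a custom command in a cloned integration that re-uses the instance's credentials, sketched as an added example that is not part of the original thread or of the Qualys integration's own code. Assumptions: the instance has a credentials-type parameter named `credentials` and a `url` parameter, the command arguments `hosts`, `ports` and `group_id` and the host record shape are hypothetical, and the asset group endpoint and its `action`/`id`/`set_ips` fields should be checked against the Qualys API documentation.

```python
import base64
import ipaddress
import json
import urllib.parse
import urllib.request

try:
    import demistomock as demisto  # resolves only on an XSOAR server or engine
except ImportError:
    demisto = None  # offline: main() falls back to constructed values

def instance_auth(params):
    """Headers built from the instance's credentials parameter (no prompt, no hard-coded secret)."""
    creds = params.get("credentials") or {}
    user, password = creds.get("identifier"), creds.get("password")
    if not user or not password:
        raise ValueError("integration instance has no credentials configured")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "X-Requested-With": "xsoar-custom-command"}

def ips_with_open_ports(hosts, wanted_ports):
    """IPs of hosts exposing any wanted port; the host record shape is an assumption."""
    wanted = {int(p) for p in wanted_ports}
    hits = {h["ip"] for h in hosts if wanted & {int(p) for p in h.get("ports", [])}}
    return sorted(hits, key=ipaddress.ip_address)  # also rejects malformed addresses

def build_group_update(params, group_id, ips):
    """Prepare (without sending) the asset group edit request; endpoint and fields are assumptions."""
    body = urllib.parse.urlencode({"action": "edit", "id": group_id, "set_ips": ",".join(ips)})
    url = params["url"].rstrip("/") + "/api/2.0/fo/asset/group/"
    return urllib.request.Request(url, data=body.encode(), headers=instance_auth(params), method="POST")

def main():
    if demisto is None:  # constructed instance settings and report rows for an offline run
        params = {"url": "https://qualysapi.example.invalid",
                  "credentials": {"identifier": "svc_xsoar", "password": "constructed-secret"}}
        args = {"group_id": "12345", "ports": "443,3389",
                "hosts": '[{"ip": "10.0.0.9", "ports": [22, 3389]}, {"ip": "10.0.0.5", "ports": [25]}]'}
    else:  # on XSOAR the platform injects the instance settings and command arguments
        params, args = demisto.params(), demisto.args()
    ips = ips_with_open_ports(json.loads(args["hosts"]), args["ports"].split(","))
    req = build_group_update(params, args["group_id"], ips)
    if demisto is None:
        print(req.get_method(), req.full_url, req.data.decode())  # never log the auth header
    else:
        with urllib.request.urlopen(req, timeout=30) as resp:
            demisto.results(resp.read().decode())

if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Because the secret is read from the instance configuration at run time, the weekly job needs no prompt and the script itself never contains the password.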