Qualys FIM
QualysFIM Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
#Qualys FIM: File Integrity Monitoring
Log and track file changes across global IT systems. This integration was integrated and tested with version 2.6.0.0-23 of qualys_fim
#
Configure qualys_fim in CortexParameter | Description | Required |
---|---|---|
Username | Username for authentication | True |
Password | Password for authentication | True |
Qualys API Platform URL | The Qualys API server URL that you should use for API requests depends on the platform where your account is located. Platforms and URLS: Qualys US Platform 1: https://gateway.qg1.apps.qualys.com Qualys US Platform 2: https://gateway.qg2.apps.qualys.com Qualys US Platform 3: https://gateway.qg3.apps.qualys.com Qualys EU Platform 1: https://gateway.qg1.apps.qualys.eu Qualys EU Platform 2: https://gateway.qg2.apps.qualys.eu Qualys India Platform 1: https://gateway.qg1.apps.qualys.in Qualys Private Cloud Platform(Custom Platform): https://gateway.\<customer_base_url> | True |
Fetch incidents | Fetch incidents | False |
Fetch time | First fetch timestamp (\<number> \<time unit>) e.g., 12 hours, 7 days | False |
Incident Type | Incident type | False |
Max Fetch | Max Fetch is limited to 200 incidents per fetch. Choose a value lower than 200. | False |
Fetch Filter | Filter the incidents fetching by providing a query using Qualys syntax i.e., "id:ebe6c64a-8b0d-3401-858d-d57fb25860c7". Refer to the "How to Search" Qualys FIM guide for more information about Qualys syntax: https://qualysguard.qg2.apps.qualys.com/fim/help/search/language.htm | False |
Insecure | Trust any certificate (not secure) | False |
Proxy | Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
qualys-fim-events-listRetrieve a list of all FIM events from the current user account.
#
Base Commandqualys-fim-events-list
#
InputArgument Name | Description | Required |
---|---|---|
filter | Filter the events list by providing a query using Qualys syntax. i.e., "id:ebe6c64a-8b0d-3401-858d-d57fb25860c7". Refer to the "How to Search" Qualys FIM guide for more information about Qualys syntax: https://qualysguard.qg2.apps.qualys.com/fim/help/search/language.htm. | Optional |
page_number | Page number (index) to list items from. The "limit" argument defines the page size (the number of items in a page). | Optional |
limit | The number of records to include. | Optional |
incident_ids | Comma-separated list of incident IDs to be included while searching for events in incidents. | Optional |
sort | The method by which to sort the requested events. Possible values: "most_recent" and "least_recent". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QualysFIM.Events.id | str | Event ID. |
QualysFIM.Events.fullPath | str | Full path of the event. |
QualysFIM.Events.dateTime | str | Date/time the event occurred. |
QualysFIM.Events.severity | int | Event severity. |
QualysFIM.Events.agentId | str | Agent ID. |
#
Command Example!qualys-fim-events-list limit=12 sort=least_recent filter=severity:4
#
Context Example#
Human Readable Output#
Listed 12 Events:
id severity dateTime agentId fullPath de361739-a082-3240-8459-786b8ed5fa3b 4 2021-01-17 16:16:57 12345678 \Device\HarddiskVolume2\Windows\System32\LogFiles\Sum\Svc.log a123456 4 2021-01-17 16:17:02 12345678 \Device\HarddiskVolume2\Windows\System32\config\SOFTWARE.LOG2 366b1576-57f2-335f-9929-3026f5111767 4 2021-01-17 16:17:52 12345678 \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx ea119f31-162a-3d0c-b2f7-01b32b6bc015 4 2021-01-17 16:18:20 12345678 \Device\HarddiskVolume2\Windows\System32\config\COMPONENTS{b30b23f5-4b70-11e6-80e6-e41d2d18dfd0}.TxR.blf 16aff3b1-6198-3996-bfb7-ee99cd3bbe2d 4 2021-01-17 16:18:20 12345678 \Device\HarddiskVolume2\Windows\System32\config\COMPONENTS{b30b23f5-4b70-11e6-80e6-e41d2d18dfd0}.TxR.0.regtrans-ms 8c96931f-db80-3e47-a79a-a0585ec77037 4 2021-01-17 16:18:20 12345678 \Device\HarddiskVolume2\Windows\System32\config\COMPONENTS{b30b23f5-4b70-11e6-80e6-e41d2d18dfd0}.TxR.blf 421c080f-ebae-35ca-8ad4-19ac62554a0c 4 2021-01-17 16:18:20 12345678 \Device\HarddiskVolume2\Windows\System32\config\COMPONENTS{b30b23f5-4b70-11e6-80e6-e41d2d18dfd0}.TxR.0.regtrans-ms 0cf60a82-b006-385a-ba14-f666733a063b 4 2021-01-17 16:18:20 12345678 \Device\HarddiskVolume2\Windows\System32\config\COMPONENTS{b30b23f5-4b70-11e6-80e6-e41d2d18dfd0}.TxR.1.regtrans-ms 0e5d5385-8dac-31a8-846c-29755c73cf88 4 2021-01-17 16:18:20 12345678 \Device\HarddiskVolume2\Windows\System32\config\COMPONENTS{b30b23f5-4b70-11e6-80e6-e41d2d18dfd0}.TxR.1.regtrans-ms 68047fa3-8f25-3063-bce8-0b988b87190c 4 2021-01-17 16:18:20 12345678 \Device\HarddiskVolume2\Windows\System32\config\COMPONENTS{b30b23f5-4b70-11e6-80e6-e41d2d18dfd0}.TxR.2.regtrans-ms 5d6084f2-3a47-3c71-8131-ebd2f1d7c684 4 2021-01-17 16:18:20 12345678 \Device\HarddiskVolume2\Windows\System32\config\COMPONENTS{b30b23f5-4b70-11e6-80e6-e41d2d18dfd0}.TxR.2.regtrans-ms 2e84bdd4-5395-3549-a29f-548e3aca0e83 4 2021-01-17 16:18:46 12345678 \Device\HarddiskVolume2\Windows\System32\config\SOFTWARE.LOG2
#
qualys-fim-event-getRetrieve information about a given event, by event ID.
#
Base Commandqualys-fim-event-get
#
InputArgument Name | Description | Required |
---|---|---|
event_id | ID of the event to retrieve information about. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
QualysFIM.Event.id | str | Event ID. |
QualysFIM.Event.fullPath | str | Full path of the event. |
QualysFIM.Event.dateTime | str | Date/time the event occurred. |
QualysFIM.Event.name | str | Event name. |
QualysFIM.Event.severity | int | Event severity. |
QualysFIM.Event.action | str | Event action. |
QualysFIM.Event.incidentId | str | Event ID. |
QualysFIM.Event.profiles | str | List of all monitoring profiles name. |
#
Command Example!qualys-fim-event-get event_id=de361739-a082-3240-8459-786b8ed5fa3b
#
Context Example#
Human Readable Output#
Found Event:
name action id severity action incidentId profiles type dateTime fullPath Svc.log Content de361739-a082-3240-8459-786b8ed5fa3b 4 Content 4710aa44-8d69-4c00-8013-737768cb54be test_01 File 2021-01-17 16:16:57 \Device\HarddiskVolume2\Windows\System32\LogFiles\Sum\Svc.log
#
qualys-fim-incidents-listRetrieve a list of all FIM incidents from the current user account.
#
Base Commandqualys-fim-incidents-list
#
InputArgument Name | Description | Required |
---|---|---|
filter | Filter the events list by providing a query using Qualys syntax. i.e., "id:ebe6c64a-8b0d-3401-858d-d57fb25860c7". Refer to the "How to Search" Qualys FIM guide for more information about Qualys syntax: https://qualysguard.qg2.apps.qualys.com/fim/help/search/language.htm. | Optional |
page_number | Page number (index) to list items from. The "limit" argument defines the page size (the number of items in a page). | Optional |
limit | The number of records to include. | Optional |
attributes | Comma-separated list of attributes to include in the response. By default, all attributes will be returned in the result, i.e., attributes="attributes=name,id". | Optional |
sort | The method by which to sort the requested events. Possible values: "most_recent" and "least_recent". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QualysFIM.Incidents.id | str | Incident ID. |
QualysFIM.Incidents.name | str | Incident name. |
QualysFIM.Incidents.type | str | Incident type. |
QualysFIM.Incidents.occurred | str | Indicates when the incident was created. |
QualysFIM.Incidents.username | str | Name of the user who created this incident. |
QualysFIM.Incidents.status | str | Incident status. |
#
Command Example!qualys-fim-incidents-list sort=least_recent limit=15 attributes=name,status,id filter=status:closed
#
Context Example#
Human Readable Output#
Listed 15 Incidents:
id name status 4710aa44-8d69-4c00-8013-737768cb54be Deletion of Log Files CLOSED 179e5d4e-1153-4d12-9980-4807b78fee62 test700 CLOSED b53eac81-902a-4c38-aee0-11f3b62d92fb w2www CLOSED b1f8c69b-e6ff-4470-8cf1-b37bd793d90d ppp3 CLOSED b576c51b-480a-44d2-a19e-98b2c6cda4af www CLOSED 497ab672-c65b-42c1-a913-8c62a8262cce rrr CLOSED 7b182a08-413e-4777-9493-9a23eb8c7e9e testtest2 CLOSED 2ebf1510-2fa3-4e53-9475-a9377cb81673 test_incident_31 CLOSED 61c90caf-ea98-45eb-82db-469a27105e91 test 15 CLOSED 7b63aed9-b849-4c49-8b33-b6bf56bcfc79 ppp CLOSED d223968d-fa86-43c2-b7d6-4de0e2100a0d 777 CLOSED 2ad82774-d6e9-4e33-913c-d6a1729530e0 ll2 CLOSED c5815a31-508b-469e-8990-e81ce2c6f33e testtest1 CLOSED b6997b4d-8451-438b-9333-0f1ec81b870c test100 CLOSED a9be84fd-5a7f-45b1-9f69-b1507ab2b218 wwww CLOSED
#
qualys-fim-incidents-get-eventsRetrieve a list of the events logged under an incident.
#
Base Commandqualys-fim-incidents-get-events
#
InputArgument Name | Description | Required |
---|---|---|
incident_id | ID of the incident to retrieve the events for. | Required |
filter | Filter the events list by providing a query using Qualys syntax. i.e., "id:ebe6c64a-8b0d-3401-858d-d57fb25860c7". Refer to the "How to Search" Qualys FIM guide for more information about Qualys syntax: https://qualysguard.qg2.apps.qualys.com/fim/help/search/language.htm. | Optional |
page_number | Page number (index) to list items from. The "limit" argument defines the page size (the number of items in a page). | Optional |
limit | The number of records to include. | Optional |
attributes | Comma-separated list of attributes to include in the response. By default, all attributes will be returned in the result, i.e., attributes="attributes=name,id". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QualysFIM.IncidentEvents.id | str | Event ID. |
QualysFIM.IncidentEvents.name | str | Event name. |
QualysFIM.IncidentEvents.severity | str | Event severity. |
QualysFIM.IncidentEvents.type | str | Event type. |
QualysFIM.IncidentEvents.occurred | str | Indicates when the event was created. |
QualysFIM.IncidentEvents.username | str | Name of the user who created this incident. |
QualysFIM.IncidentEvents.status | str | Incident status. |
QualysFIM.IncidentEvents.action | str | Action that was taken that triggered the event creation. |
#
Command Example!qualys-fim-incidents-get-events incident_id=4710aa44-8d69-4c00-8013-737768cb54be limit=7 attributes=id,name,type page_number=2 filter=action:create
#
Context Example#
Human Readable Output#
Listed 7 Events From Incident:
id name type 85873770-2c46-3c1c-94f6-a1fd117ca504 8fe303d4743fc547b447af276bb19008 File 2e3ca9c5-354f-3f3d-a16b-c390b3b139d2 6f3604d7c44b1b44b1addd026d40f547 File cb8fd91a-5f0a-374e-9ccc-a1d762273322 tw-4080-41f0-b2f98d.tmp File b267ddd7-308d-33f6-863e-fc85efaae6de SRUtmp.log File b129d76f-827f-3f1e-babb-e96fbfbdc697 oem117.cat File 87399be0-69fe-3881-85a1-b01ce1288672 EtwRTTerminal-Services-LSM-ApplicationLag-6812.etl File 0636da15-3c33-359f-9574-0bbc2d331e8a SRUtmp.log File
#
qualys-fim-incident-createCreate a manual FIM incident of type "DEFAULT".
#
Base Commandqualys-fim-incident-create
#
InputArgument Name | Description | Required |
---|---|---|
from_date | Date from which to start the event search. Example format: yyyy-mm-dd, 2021-01-01. | Optional |
to_date | Date at which to stop the event search. Example format: yyyy-mm-dd, 2021-02-30. | Optional |
filters | Filter the events list by providing a query using Qualys syntax. i.e., "dateTime : ['2021-01-01'..'2021-03-29']. When you use this argument it will overwrite the "from_date" and "to_date" arguments. If you don't use the filter, the query will include the events from the last 24 hours. Refer to the "How to Search" Qualys FIM guide for more information about Qualys syntax: https://qualysguard.qg2.apps.qualys.com/fim/help/search/language.htm. | Optional |
name | The name of the incident. Must be less than 128 characters. | Required |
reviewers | Reviewers who will approve the incident. | Optional |
comment | Comments for approval of the incident. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QualysFIM.CreatedIncident.id | str | Incident ID. |
QualysFIM.CreatedIncident.name | str | Incident name. |
QualysFIM.CreatedIncident.occurred | str | Indicates when the incident was created. |
QualysFIM.CreatedIncident.username | str | Name of the user who created the incident. |
QualysFIM.CreatedIncident.status | str | Incident status. |
QualysFIM.CreatedIncident.reviewers | str | List of reviewers who will approve the incident. |
#
Command Example!qualys-fim-incident-create name=testtest7 comment=new_incident filters="dateTime: ['2021-01-01'..'2021-02-15']"
#
Context Example#
Human Readable Output#
Created New Incident: testtest7
id name reviewers username occurred filters approvalType 5f9f5504-46eb-4a30-b022-fd0dba7758eb testtest7 useruser Qmasters 2021-02-16 09:52:48 dateTime: ['2021-01-01'..'2021-02-15'] MANUAL
#
qualys-fim-incident-approveMark an existing FIM incident as approved.
#
Base Commandqualys-fim-incident-approve
#
InputArgument Name | Description | Required |
---|---|---|
approval_status | The approval status of the incident. Possible values: "APPROVED", "POLICY_VIOLATION", "UNAPPROVED". | Required |
change_type | Type of incidents. Possible values: "MANUAL", "AUTOMATED", "COMPROMISE", "OTHER". | Required |
comment | Comments for the incidents. | Required |
incident_id | incident ID to approve. | Required |
disposition_category | The category of the incident created by the rule. Possible values: "PATCHING", "PRE_APPROVED_CHANGE_CONTROL", "CONFIGURATION_CHANGE", "HUMAN_ERROR", "DATA_CORRUPTION", "EMERGENCY_CHANGE", "CHANGE_CONTROL_VIOLATION", "GENERAL_HACKING", "MALWARE". | Required |
#
Context OutputPath | Type | Description |
---|---|---|
QualysFIM.ApprovedIncident.id | str | Incident ID. |
QualysFIM.ApprovedIncident.name | str | Incident name. |
QualysFIM.ApprovedIncident.type | str | Incident type. |
QualysFIM.ApprovedIncident.filterFromDate | str | The date from which to filter the approved incident. |
QualysFIM.ApprovedIncident.filterToDate | str | The date until when to filter the approved incident. |
QualysFIM.ApprovedIncident.approvalDate | str | Approval date of the incident. |
QualysFIM.ApprovedIncident.approvalStatus | str | Approval status of the incident. |
QualysFIM.ApprovedIncident.comment | str | Comments for incidents created by the rule. |
QualysFIM.ApprovedIncident.username | str | Name of the user who created this incident. |
QualysFIM.ApprovedIncident.status | str | Incident status. |
QualysFIM.ApprovedIncident.reviewers | str | List of reviewers who will approve the incident. |
#
Command Example!qualys-fim-incident-approve incident_id=8af30349-bd07-4c0d-8469-58d9d7218ffa approval_status=APPROVED change_type=AUTOMATED comment=approved disposition_category=MALWARE
#
Context Example#
Human Readable Output#
Approved Incident: testtest
id name type filterFromDate filterToDate filters approvalDate approvalStatus approvalType comment createdByName status reviewers dispositionCategory changeType 8af30349-bd07-4c0d-8469-58d9d7218ffa testtest DEFAULT 2021-01-01 00:00:00 2021-02-15 00:00:00 dateTime: ['2021-01-01'..'2021-02-15'] 2021-02-16 09:52:49 APPROVED MANUAL approved Qmasters CLOSED useruser MALWARE AUTOMATED
#
qualys-fim-assets-listRetrieve a list of all FIM assets.
#
Base Commandqualys-fim-assets-list
#
InputArgument Name | Description | Required |
---|---|---|
attributes | The list of comma-separated attributes that you want to include in the response. By default, all attributes will be returned in the result. i.e: attributes="attributes=interfaces.hostname". | Optional |
filter | Filter the events list by providing a query using Qualys syntax. i.e., "id:ebe6c64a-8b0d-3401-858d-d57fb25860c7". Refer to the "How to Search" Qualys FIM guide for more information about Qualys syntax: https://qualysguard.qg2.apps.qualys.com/fim/help/search/language.htm. | Optional |
page_number | Page number (index) to list items from. The "limit" argument defines the page size (the number of items in a page). | Optional |
limit | The number of records to include. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QualysFIM.Assets.hostname | str | Asset hostname. |
QualysFIM.Assets.lastCheckedIn | str | Date the asset was last checked. |
QualysFIM.Assets.created | str | Date the asset was created. |
#
Command Example!qualys-fim-assets-list limit=3
#
Context Example#
Human Readable Output#
Listed 2 Assets:
Hostname Last Activity Creation Time Agent Version Driver Version Last Agent Update Asset ID Qmasters_desktop 2021-02-16 08:18:39 2021-01-10 11:58:40 1.1.1.1 4.1.0.744 2021-02-16 09:31:25 b1caea93-0d21-4343-801c-92009f036c79 DC 2021-01-17 16:16:57 2021-01-17 16:01:41 4.0.0.411 1.1.1.1 2021-01-17 16:23:58 12345678