Adding an IBM AppScan Enterprise vulnerability scanner

You can add a scanner to define which scan reports in the Security AppScan® are collected by QRadar.

Before you begin

If your AppScan installation is set up to use HTTPS, a server certificate is required. IBM QRadar supports certificates with the following file extensions: .crt, .cert, or .der. To copy a certificate to the /opt/qradar/conf/trusted_certificates directory, choose one of the following options:
  • Manually copy the certificate to the /opt/qradar/conf/trusted_certificates directory by using SCP or SFTP.
  • SSH into the Console or managed host and retrieve the certificate by using the following command: /opt/qradar/bin/getcert.sh <IP or Hostname> <optional port - 443 default>. A certificate is then downloaded from the specified host name or IP and placed into /opt/qradar/conf/trusted_certificates directory in the appropriate format.

About this task

You can add multiple IBM AppScan scanners to QRadar, each with a different configuration. Multiple configurations provide QRadar the ability to import AppScan data for specific results. The scan schedule determines the frequency with which scan results are imported from the REST web service in IBM AppScan Enterprise.

Procedure

  1. Click the Admin tab.
  2. Click the VA Scanners icon.
  3. Click Add.
  4. In the Scanner Name field, type a name to identify your IBM AppScan Enterprise scanner.
  5. From the Managed Host list, select an option that is based on one of the following platforms:
    • On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
    • On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar® Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
  6. From the Type list, select HCL AppScan Scanner.
  7. In the ASE Instance Base URL field, type the full base URL of the AppScan Enterprise instance. HTTP and HTTPS are supported in the URL address.
    Example: XML API - http://myasehostname/ase
    Example: JSON API - http://myasehostname/ase/api
  8. From the API Type list, select one of the following options:
    • XML (Before v9.02) - If your version of AppScan Enterprise is earlier than v9.02, select this option. This API type uses the AppScan XML REST web service.
    • JSON (v9.0.2 and later) - If your version of AppScan Enterprise is version 9.02 or later, select this option. This API type uses the AppScan JSON REST web service.
  9. If you selected XML (Before v9.02) as the API Type, select one of the following options from the Authentication Type list:
    • Windows Authentication (AppScan Enterprise 9.0 and previous) - Select this option to use Windows Authentication with the REST web service.
    • AppScan Enterprise Authentication - Select this option to use AppScan Enterprise Authentication with the REST web service.
  10. In the Username field, type the user name to retrieve scan results from AppScan Enterprise.
  11. In the Password field, type the password to retrieve scan results from AppScan Enterprise.
  12. In the Report Name Pattern field, type a regular expression (regex) to filter the list of vulnerability reports available from AppScan Enterprise.
    By default, the Report Name Pattern field contains .* as the regex pattern. The .* pattern imports all scan reports that are published to QRadar. All matching files from the file pattern are processed by QRadar. You can specify a group of vulnerability reports or an individual report by using a regex pattern.
  13. Configure a CIDR range for your scanner:
    1. Type the CIDR range for the scanner or click Browse to select a CIDR range from the network list.
    2. Click Add.
  14. Click Save.
  15. On the Admin tab, click Deploy Changes.

What to do next

You are now ready to create a scan schedule for IBM AppScan Enterprise. See Scheduling a vulnerability scan