Beyond Security Automated Vulnerability Detection System (AVDS) appliances create vulnerability data in Asset Export Information Source (AXIS) format. AXIS-formatted XML results files can be imported by QRadar.
About this task
To integrate Beyond Security AVDS vulnerabilities with QRadar, you must configure your Beyond Security AVDS appliance to publish vulnerability data to an AXIS-formatted XML results file. The XML vulnerability data must be published to a remote server that QRadar can reach by using Secure File Transfer Protocol (SFTP). The term remote server refers to any appliance, third-party host, or network storage location that can host the published XML scan result files.
The most recent XML results that contain Beyond Security AVDS vulnerabilities are imported into QRadar when a scan schedule starts. Scan schedules determine how often the vulnerability data that Beyond Security AVDS creates is imported. After you add your Beyond Security AVDS appliance to QRadar, create a scan schedule to import the scan result files. Vulnerabilities from the scan schedule update the Assets tab after the scan schedule completes.
Procedure
- Click the Admin tab.
- Click the VA Scanners icon.
- Click Add.
- In the Scanner Name field, type a name to identify your Beyond Security AVDS scanner.
- From the Managed Host list, select an option that is based on one of the following platforms:
  - On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
  - On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar® Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
- From the Type list, select Beyond Security AVDS.
- In the Remote Hostname field, type the IP address or host name of the system that contains the published scan results from your Beyond Security AVDS scanner.
- Choose one of the following authentication options:
  - Login Username. To authenticate with a user name and password:
    - In the Login Username field, type a user name that has access to retrieve the scan results from the remote host.
    - In the Login Password field, type the password that is associated with the user name.
  - Enable Key Authorization. To authenticate with a key-based authentication file:
    - Select the Enable Key Authentication check box.
    - In the Private Key File field, type the full path of the key file. The default path is /opt/qradar/conf/vis.ssh.key. If a key file does not exist, you must create the vis.ssh.key file.
    Important: The vis.ssh.key file must have vis qradar ownership and, because it is an SSH private key, must be readable only by its owner (mode 0600), as in the following example:
    # ls -al /opt/qradar/conf/vis.ssh.key
    -rw------- 1 vis qradar 1679 Aug 7 06:24 /opt/qradar/conf/vis.ssh.key
- In the Remote Directory field, type the directory location of the scan result files.
- In the File Name Pattern field, type a regular expression (regex) to filter the list of files in the Remote Directory. All matching files are included in the processing. The default value is .*\.xml, which imports all XML files in the remote directory.
- In the Max Reports Age (Days) field, type the maximum age, in days, of a scan results file. Files whose timestamp is older than the specified number of days when the scan schedule starts are excluded. The default value is 7 days.
- Configure the Ignore Duplicates option:
  - Select this check box to track files that a scan schedule already processed. This option prevents a scan result file from being processed a second time.
  - Clear this check box to import vulnerability scan results each time the scan schedule starts. This option can lead to multiple copies of the same vulnerability being associated with one asset.
  If a tracked result file is not scanned within 10 days, the file is removed from the tracking list and is processed again the next time the scan schedule starts.
- To configure a CIDR range for your scanner:
  - Type the CIDR range for the scan or click Browse to select a CIDR range from the network list.
  - Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
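The ownership requirement on vis.ssh.key is easy to get wrong when the file is created as root and then left with root ownership or default permissions. The following Python check is an added example written for this page; it is not QRadar code. The vis:qradar ownership requirement comes from the procedure; treating any group or world access as a failure (that is, requiring mode 0600) is an assumption taken from the ls output shown above and from the SSH client's usual refusal of loosely permissioned private keys. The demo() function builds throwaway files owned by the current user so the check can be exercised anywhere; on a Console you would call check_private_key("/opt/qradar/conf/vis.ssh.key") with the defaults.

```python
"""Verify ownership and permissions of the SFTP private key used for
vulnerability imports. Added example; not part of QRadar or its docs."""
import grp
import os
import pwd
import stat
import tempfile


def _user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:          # uid without a passwd entry (containers)
        return str(uid)


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_private_key(path, owner="vis", group="qradar"):
    """Return a list of problems with the key file; an empty list means it passes."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist; create the key file first"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("key path is a symbolic link")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("key path is not a regular file")
    actual_owner = _user_name(st.st_uid)
    actual_group = _group_name(st.st_gid)
    if actual_owner != owner:
        problems.append(f"owner is {actual_owner}, expected {owner}")
    if actual_group != group:
        problems.append(f"group is {actual_group}, expected {group}")
    mode = stat.S_IMODE(st.st_mode)
    # Assumption: an SSH private key must not be group- or world-accessible.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode is {mode:04o}, expected 0600 (no group/other access)")
    return problems


def demo():
    """Create a correctly protected key file and a loosely protected one
    (constructed placeholders, not real keys) and check both."""
    me = _user_name(os.geteuid())
    my_group = _group_name(os.getegid())
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "vis.ssh.key")
        loose = os.path.join(tmp, "vis.ssh.key.loose")
        for p in (good, loose):
            with open(p, "w") as fh:
                fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n")
        os.chmod(good, 0o600)
        os.chmod(loose, 0o644)   # the mistake this check is meant to catch
        return {
            "good": check_private_key(good, me, my_group),
            "loose": check_private_key(loose, me, my_group),
            "missing": check_private_key(os.path.join(tmp, "absent.key"), me, my_group),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

The check uses os.lstat rather than os.stat so that a symbolic link planted at the key path is reported instead of silently followed; on the Console, run it as root after creating the file and fix any finding with chown vis:qradar and chmod 600 before deploying changes.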
What to do next
You are now ready to create a scan schedule. See Scheduling a vulnerability scan.
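The File Name Pattern, Max Reports Age (Days) and Ignore Duplicates settings together decide which published files a scan schedule imports. The following Python model is an added example written for this page, not QRadar code; the product's exact behaviour (which timestamp is compared, how the regex is anchored) is not stated on this page, so the rules below are assumptions drawn from the procedure text: the regex must match the whole file name, files older than the maximum age are skipped, and a processed file is remembered until it has not been seen for 10 days. The directory listing is constructed for the example.

```python
"""Model of scan-schedule file selection. Added example; not QRadar code."""
import re
from datetime import datetime, timedelta

TRACKING_EXPIRY_DAYS = 10   # from the procedure: untracked after 10 days unseen


class ScanSchedule:
    def __init__(self, file_name_pattern=r".*\.xml", max_reports_age_days=7,
                 ignore_duplicates=True):
        # Assumption: the pattern is applied to the whole name (fullmatch).
        # With an unanchored search, ".*\.xml" would also pick up
        # "results.xml.bak", so anchoring is the safer reading.
        self.pattern = re.compile(file_name_pattern)
        self.max_age = timedelta(days=max_reports_age_days)
        self.ignore_duplicates = ignore_duplicates
        self.processed = {}   # file name -> time it was last seen in the listing

    def select(self, listing, now):
        """listing: iterable of (file_name, modified_time). Returns names to import."""
        # Forget tracked files that have not been seen for 10 days.
        expiry = timedelta(days=TRACKING_EXPIRY_DAYS)
        for name in [n for n, seen in self.processed.items() if now - seen > expiry]:
            del self.processed[name]
        chosen = []
        for name, mtime in listing:
            if not self.pattern.fullmatch(name):
                continue                      # File Name Pattern filter
            if now - mtime > self.max_age:
                continue                      # Max Reports Age (Days) filter
            if self.ignore_duplicates and name in self.processed:
                self.processed[name] = now    # still present; keep tracking it
                continue                      # Ignore Duplicates: already imported
            chosen.append(name)
            if self.ignore_duplicates:
                self.processed[name] = now
        return chosen


def demo():
    """Walk a constructed remote directory through several schedule runs."""
    t0 = datetime(2024, 8, 7, 6, 0)
    listing = [
        ("avds-2024-08-06.xml", t0 - timedelta(days=1)),      # fresh, matches
        ("avds-2024-07-20.xml", t0 - timedelta(days=18)),     # older than 7 days
        ("avds-2024-08-06.xml.bak", t0 - timedelta(days=1)),  # name does not match
        ("README.txt", t0 - timedelta(hours=2)),              # name does not match
    ]
    dedupe = ScanSchedule()
    first = dedupe.select(listing, t0)
    second = dedupe.select(listing, t0 + timedelta(days=1))   # nothing new
    # The file disappears, then is re-published 12 days later: the tracking
    # entry (last seen at day 1) has aged out, so it is imported again.
    republished = [("avds-2024-08-06.xml", t0 + timedelta(days=12))]
    after_expiry = dedupe.select(republished, t0 + timedelta(days=12))

    no_dedupe = ScanSchedule(ignore_duplicates=False)
    no_dedupe.select(listing, t0)
    no_dedupe_second = no_dedupe.select(listing, t0 + timedelta(days=1))
    return {
        "first": first,
        "second": second,
        "after_expiry": after_expiry,
        "no_dedupe_second": no_dedupe_second,
    }


if __name__ == "__main__":
    for run, names in demo().items():
        print(f"{run}: {names}")
```

The no_dedupe_second result shows why the procedure warns about clearing Ignore Duplicates: the same unchanged file is imported on every run, so its vulnerabilities are attached to the asset again each time.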