QFlow Slideshow
Play Lab Tutorials
1. When you click the link to open a lab tutorial, it will open in your default Web
browser. If you would like to play the tutorial in a different browser, you can copy
this link and paste it into the address field of another browser.
2. When the lab tutorial opens, click the icon in the upper-right corner to maximize
your screen size.
3. When you're ready to play the tutorial, click the start button.
Agenda
Qualys Flow
Part One
§ Introduction to Qualys Flow (QFlow)
• QFlow UI & Editor
• Lab 1: Simple “Data Collection” QFlow
§ QFlow Nodes Overview
Part Two
§ Create Custom Security Controls for Unique Cloud Apps
• Lab 2: QFlow “CloudView Control” Node
• Lab 3: CSA Custom Control
§ EC2 Perimeter Scan
• Filter, Data Formatter, Custom, HTTP, and Report Nodes
Part One will introduce you to the QFlow Editor and the various nodes provided by
the QFlow application.
In Part Two, you’ll apply the various nodes you learned about in Part One, to a couple
of common use-cases.
The first use-case provides a solution for securing your unique or custom cloud-based
applications and services. This involves the integration of QFlow with Qualys
CloudView via the “CloudView Control” node. The workflow for this use-case
requires 3 nodes.
The second use case will highlight the way QFlow orchestrates and automates the
applications, sensors and services within the Qualys Cloud Platform. This use-case
will examine the different QFlow nodes (7) that work together to perform an EC2
Perimeter Scan.
Course Objectives
Qualys Flow
By the end of this course, you will accomplish the following objectives:
• Understand the benefits of Qualys Flow and how it helps to coordinate,
execute and automate tasks between different Qualys applications.
• Learn to create a simple “data collection” QFlow in the QFlow editor.
• Identify and understand the different functions of the various QFlow nodes.
• Learn to use QFlow and the “CloudView Control” node to continuously
monitor your cloud infrastructure and identify misconfiguration issues and
compliance risks.
• Build a “CloudView Control” node.
• Create a custom control in Qualys CloudView (i.e., CSA).
• Identify the QFlow nodes and functions that comprise an EC2 Perimeter
Scan.
Security & Automation Challenges
§ Lack of Skilled Security Resources
§ Time from Detection to Remediation is too long
§ Some applications have unique security requirements
§ Different tools for change mgt., incident mgt., patching, alerting, etc.
One way to understand the benefits of an application like QFlow is to examine the
problems and challenges that it addresses. Too much time from detection to
remediation is a common symptom of the automation challenges organizations face.
QFlow Features & Solutions
In this course, you’ll learn to use QFlow Nodes to automate security workflows,
without having to write code; coding is not required. However, you will learn about
the “Custom” node which supports JavaScript (i.e., node.js).
With the QFlow “CloudView Control” node providing integration between QFlow and
Qualys CloudView, you can provide coverage for your unique cloud apps and
services, by building “custom” CloudView Controls.
Although QFlow supports automation with third-party services and APIs, we’ll
examine an “EC2 Perimeter Scan” use-case that automates tasks within the Qualys
Cloud Platform. QFlow helps organizations automate security tasks throughout the
Qualys Cloud Platform, as well as third-party applications and services.
QFlow Requirements
• QFlow is a core component of the Qualys Platform.
• QFlow manages and orchestrates the functionality provided by other Qualys
application modules, which are managed by their own separate license
agreement.
• Need an active Qualys Platform subscription and at least one Qualys
application module.
QFlow User Roles
Each user has a predefined role that determines the actions they can perform. The
Manager user has full privileges and permissions to create, execute, deploy, and
delete the QFlows.
Power Developer - create, edit, execute, delete, or deploy their own QFlows; list,
read, assign tags, or remove tags for their own QFlows.
Deployer - list, read, execute, or deploy all the QFlows by using tags assigned by the
Manager user.
Reader - list and read all the QFlows by using tags assigned by the Manager user.
QFlow Admin
Qualys Flow Admin - create, edit, execute, delete, or deploy all the
QFlows; list, read, assign tags, or remove tags for all the QFlows available in the
account.
QFlow Editor
Anytime a new QFlow is created, the “Trigger” node is automatically added to the
editor. Use the Node Explorer to add more nodes.
Explore QFlow Nodes
Resource nodes provide QFlow with metadata from your cloud-based assets and
resources. Qualys Cloud Connector must be configured with both read and
write privileges to support the use of “Action” nodes.
LAB 1
6 min.
PLAY Simple “Data Collection” QFlow, pg. 3
Trigger Node
Schedule QFlow runs hourly, daily, or weekly. You can also run QFlows manually via
the “Run” button. When enabled, the “CloudView” trigger will synchronize QFlow
runs with CloudView data collections via Qualys Cloud Connector.
Resource & Action Nodes Review
AWS Nodes
§ AWS Resource – access AWS Resources provided by the Qualys
Connector.
§ AWS Action – perform actions against AWS resources.*
Azure Nodes
§ Azure Resource – access Azure Resources provided by the
Qualys Connector.
§ Azure Action – perform actions against Azure resources.*
* Qualys Cloud Connector must be configured with both “read” and “write” privileges to support the use of “Action” nodes.
Resource nodes provide access to your cloud-based resources and data via the Qualys
Cloud Connector.
Action nodes leverage the services and functions provided by your cloud-based
accounts to take actions or remediation steps that target account resources. Qualys
Cloud Connector must be configured with both “read” and “write” privileges to
support the use of “Action” nodes.
QFlows
The QUALYS APPS column indicates QFlow’s integration with other Qualys applications.
The QFlow workflows you have created can be found in the QFLOWS section of the
UI. QFlows that have been “deployed” for integration with Qualys CloudView, are
identified in the QUALYS APPS column.
QFlow Templates
Qualys CloudView
Although Cloud Connectors can be configured to add instance IPs to your “scannable”
subscription automatically, our next case study will not leverage this feature.
Cloud Security Assessment (CSA)
With Qualys Cloud Security Assessment (CSA) you can leverage “out-of-box”
policies to assess technical controls and identify security-related
misconfigurations, for your AWS, Azure, and Google accounts.
What About Your Unique Applications?
Use Case: You have a custom
configured application that is not
presently addressed by the controls
already provided by Qualys
CloudView (i.e., CSA).
If you have any applications not directly addressed by the existing CSA controls, you
can submit a request to Qualys to have the control added to the platform or build a
“custom” CSA control, using resource data, filtering and assessment provided by
QFlow.
CloudView Integration Nodes
The “Trigger” node can be configured to synchronize QFlow runs with CloudView data
collections via the Qualys Cloud Connector. The “CloudView Control” node provides
the Evaluation Criteria and Evidence that will be consumed by Qualys CSA.
Alternatively, the Azure Resource node can also be used to meet the objectives of
this case study.
LAB 2
10 min.
PLAY QFlow “CloudView Control” Node, pg. 5
QFlow Objective: List EC2 instances in AWS with Security Groups that allow SSH or
RDP access from ANY IP address.
This lab tutorial builds on the QFlow created in the previous lab tutorial by adding the
“CloudView Control” Node, which provides options to evaluate workflow data and
share evidence with the Qualys CloudView.
1. From the QFLOWS section, use the Quick Actions menu to edit the QFlow created
in the previous lab tutorial.
2. Update the Basic Details to reflect the new objective and change the category
from “Custom” to “Security.”
3. Add the “CloudView Control” node to QFlow Editor.
4. Edit the “CloudView Control” node and select ‘AWSResource.Instances’ as the
Data to evaluate.
5. Edit the Evaluation Criteria and select “Security Group” as the Filter type.
6. Configure the first condition to single-out Security Groups allowing inbound
access to SSH from any IP address.
7. Configure the second condition to single-out Security Groups allowing inbound
access to RDP from any IP address.
8. To meet the minimum evidence requirement, provide the ‘InstanceId’ and
‘PublicDnsName’ for each instance.
9. Add the “InstanceType” key as additional evidence.
10. Edit the “Trigger” node and activate CloudView synchronization.
11. Click the “triple-dot” icon in the upper-right corner of the “CloudView Control”
node and select Run Till.
12. Presently, all instances PASS the evaluation criteria.
13. Save the QFlow and return to the QFLOWS section.
14. Run the QFlow to update its status.
15. Use the Quick Actions menu to Enable the QFlow (i.e., Deploy).
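The evaluation configured in steps 4 through 9 can be sketched in JavaScript, the language the “Custom” node supports. This is an added example, not Qualys code and not how the “CloudView Control” node is implemented: the rule fields follow the AWS EC2 API shape, while the function names, the `flagged` field, and the sample records are assumptions made for illustration.

```javascript
// Added example: rule fields follow the AWS EC2 API shape (IpPermissions,
// IpRanges, CidrIp); group IDs and instance records are constructed.
const WATCHED_PORTS = { 22: "SSH", 3389: "RDP" };

// True when an inbound rule covers `port` over TCP (or all protocols).
function ruleCoversPort(rule, port) {
  if (rule.IpProtocol === "-1") return true; // all protocols, all ports
  if (rule.IpProtocol !== "tcp") return false;
  return rule.FromPort <= port && port <= rule.ToPort;
}

// True when the rule's source includes every IPv4 or IPv6 address.
function ruleOpenToAny(rule) {
  const v4 = (rule.IpRanges || []).some((r) => r.CidrIp === "0.0.0.0/0");
  const v6 = (rule.Ipv6Ranges || []).some((r) => r.CidrIpv6 === "::/0");
  return v4 || v6;
}

// One evidence record per instance; flagged when any attached security
// group exposes SSH or RDP to any address.
function evaluateInstances(instances, groupsById) {
  return instances.map((inst) => {
    const exposed = new Set();
    for (const ref of inst.SecurityGroups || []) {
      const rules = (groupsById[ref.GroupId] || {}).IpPermissions || [];
      for (const rule of rules.filter(ruleOpenToAny)) {
        for (const [port, name] of Object.entries(WATCHED_PORTS)) {
          if (ruleCoversPort(rule, Number(port))) exposed.add(name);
        }
      }
    }
    const { InstanceId, PublicDnsName, InstanceType } = inst;
    return { InstanceId, PublicDnsName, InstanceType,
             exposed: [...exposed].sort(), flagged: exposed.size > 0 };
  });
}

// Constructed sample data.
const sampleGroups = {
  "sg-ssh-any": { IpPermissions: [{ IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "0.0.0.0/0" }] }] },
  "sg-range-v6": { IpPermissions: [{ IpProtocol: "tcp", FromPort: 3000, ToPort: 4000, Ipv6Ranges: [{ CidrIpv6: "::/0" }] }] },
  "sg-ssh-internal": { IpPermissions: [{ IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "10.0.0.0/8" }] }] },
};
const sampleInstances = [
  { InstanceId: "i-001", PublicDnsName: "a.example.com", InstanceType: "t3.micro", SecurityGroups: [{ GroupId: "sg-ssh-any" }] },
  { InstanceId: "i-002", PublicDnsName: "b.example.com", InstanceType: "t3.small", SecurityGroups: [{ GroupId: "sg-range-v6" }] },
  { InstanceId: "i-003", PublicDnsName: "c.example.com", InstanceType: "t3.micro", SecurityGroups: [{ GroupId: "sg-ssh-internal" }] },
];
```

The second sample group shows why a port-range comparison matters: a rule for ports 3000-4000 open to `::/0` exposes RDP even though 3389 is never named.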
Activate CloudView in Trigger Node
When activated, the “CloudView” trigger will synchronize QFlow runs with CloudView
data collections via Qualys Cloud Connector.
Connector Polling Frequency
§ By default, the connector is configured to poll every 4 hours to fetch inventory and assessment
data.
§ You can configure polling frequency from one hour (minimum) to 24 hours (maximum).
“CloudView Control” Node
Deploy QFlow to Qualys CSA
Custom CloudView Controls
§ From Qualys CloudView (1), navigate to the POLICY section (2), open the “Controls” tab (3), and
click the “Create Control” button.
To create a custom control in Qualys CloudView (one that uses the output generated
by a QFlow), navigate to the Controls Library in CloudView and click the “Create
Control” button.
LAB 3
5 min.
PLAY CSA Custom Control, pg. 6
1. Navigate to the “Controls” tab within the POLICIES section of Qualys CloudView.
2. Click the “Create Control” button.
3. In the “Evaluation Details” step, select the QFlow created in the previous lab
tutorial.
4. Save the control.
5. The new control must be added to a CSA Policy, before it will produce assessment
results.
Include QFlow
Only QFlows that have been “deployed” are eligible for selection.
Only QFlows that have been deployed will appear in the list to Select a QFlow.
EC2 Perimeter Scan Objectives
The EC2 Perimeter Scan in this use-case includes the following tasks and objectives:
2. Identify public-facing instances and extract the public IP address from each host.
4. Target the same IPs in a perimeter scan (i.e., using Qualys Internet-based Scanner
Pool).
EC2 Perimeter Scan Nodes
4. Data Formatter – single out the public IP address as the key field.
QFlow Editor – EC2 Perimeter Scan
We’ll begin our examination of the “perimeter scan” nodes with the “Filter” node (3).
Filter Node
The “Filter” node can filter data from previous nodes in the workflow. Since the
“AWS Resource” node is the only eligible node, it is selected as the “Node data to
filter.”
QFlow nodes have different Filter Types including dates, Asset Tags, Security Groups,
and Network ACLs. The “Param” filter type allows for conditions that target Key
fields in the resource data.
The “Key” and “Operator” fields combine to single-out EC2 instances with a public IP
address (i.e., $.PublicIpAddress exists).
Filter Node
While the “Filter” node reduces the total number of EC2 instances down to twelve,
each instance is accompanied by dozens of Key fields.
To meet the objectives of this use-case, only the public IP address is required.
Data Formatter Node
While the “Filter” node reduced the number of EC2 instances, the “Data Formatter”
node allows you to tune and filter instance Keys for the QFlow output. Since all
remaining nodes only require the public IP address from each instance, the “Data
Formatter” node filters-out all other Key fields.
Custom Node
JavaScript (node.js) is used to add targeted public IPs to the “IP” and “SCAN” API functions.
The “Custom” node uses JavaScript (node.js) to add the targeted public IPs to the
“Asset” and “Scan” API functions within the “LaunchScan” and “AddIp” variables.
Display the output from the Custom Node to view the public IPs added to the Qualys
API URL.
AddIp & LaunchScan API URLs
BEFORE
AddIp
https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/ip/?action=add
LaunchScan
https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/scan/?action=launch&scan_title=Training_POC&ip=
AFTER
AddIp
https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/ip/?action=add&ips=44.208.166.100,54.175.76.231,18.204.9.2,34.229.9.191,184.72.131.183,18.212.51.240,54.84.186.9,3.208.89.138,34.229.130.103,18.234.51.178,54.173.242.227,3.83.66.193,52.70.141.129,44.204.149.&tracking_method=DNS&enable_pc=1&enable_vm=1&comment=VIA+API+2022-02-03+10%3A32
LaunchScan
https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/scan/?action=launch&scan_title=Training_POC&ip=44.208.166.100,54.175.76.231,18.204.9.2,34.229.9.191,184.72.131.183,18.212.51.240,54.84.186.9,3.208.89.138,34.229.130.103,18.234.51.178,&option_id=1670451
The “Custom” node inserts the dynamic list of IPs into the API URL, along with other
necessary parameters.
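The “Filter”, “Data Formatter” and “Custom” steps described above can be sketched as one JavaScript routine. This is an added example, not the code used in the course's Custom node: the host, paths and query parameters are those visible in the URLs above, while the function names and instance records are assumptions. It validates each address before building the URLs, since the AFTER listing above contains a truncated entry (`44.204.149.`) and a trailing comma.

```javascript
// Added example: host, paths and parameters come from the URLs shown above;
// function names and instance records are constructed for illustration.
const API_BASE = "https://qualysapi.qg2.apps.qualys.com";

// Strict dotted-quad check: four octets, each 0-255, no empty parts.
function isIPv4(value) {
  if (typeof value !== "string") return false;
  const parts = value.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Filter + Data Formatter: keep instances where PublicIpAddress exists,
// reduce each to that key, reject malformed values, de-duplicate.
function collectPublicIps(instances) {
  const rejected = [];
  const ips = new Set();
  for (const inst of instances) {
    if (!("PublicIpAddress" in inst)) continue; // $.PublicIpAddress exists
    if (isIPv4(inst.PublicIpAddress)) ips.add(inst.PublicIpAddress);
    else rejected.push(inst.PublicIpAddress);
  }
  return { ips: [...ips], rejected };
}

// IP lists are joined with plain commas (safe: every entry passed isIPv4);
// all other values are percent-encoded.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => `${k}=${Array.isArray(v) ? v.join(",") : encodeURIComponent(v)}`)
    .join("&");
}

// Custom-node step: build the AddIp and LaunchScan URLs.
function buildScanUrls(instances, scanTitle, optionId) {
  const { ips, rejected } = collectPublicIps(instances);
  if (ips.length === 0) throw new Error("no valid public IPs to scan");
  return {
    rejected,
    AddIp: `${API_BASE}/api/2.0/fo/asset/ip/?` + buildQuery({
      action: "add", ips, tracking_method: "DNS", enable_pc: 1, enable_vm: 1 }),
    LaunchScan: `${API_BASE}/api/2.0/fo/scan/?` + buildQuery({
      action: "launch", scan_title: scanTitle, ip: ips, option_id: optionId }),
  };
}

// Constructed sample records (documentation address ranges), one truncated.
const sampleEc2 = [
  { InstanceId: "i-01", PublicIpAddress: "203.0.113.10" }, { InstanceId: "i-02" },
  { InstanceId: "i-03", PublicIpAddress: "203.0.113." },
  { InstanceId: "i-04", PublicIpAddress: "198.51.100.7" },
  { InstanceId: "i-05", PublicIpAddress: "203.0.113.10" },
];
```

Calling `buildScanUrls(sampleEc2, "Training_POC", 1670451)` returns both URLs plus a `rejected` list, so a malformed address is reported instead of being sent to the API.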
HTTP Node – Add IPs
Once the “Custom” node constructs the appropriate URL to perform a Qualys API
function call (to add the targeted public IP addresses to your “scannable”
subscription), the “HTTP” node executes the function call via the “Endpoint URL”
field.
Report Node – Launch Scan
Once the “Custom” node constructs the appropriate URL to perform a Qualys API
function call (to launch a scan against the targeted IPs), the “HTTP” node executes
the function call via the “Endpoint URI” field.
Report Node
View and download targeted resource data in CSV or JSON file formats.
The “Report” node can be placed at strategic points throughout the QFlow to
produce a report in CSV or JSON format.
General Nodes Review
The HTTP node makes HTTP(S) calls from a QFlow. This allows you to integrate with
third-party applications or services with an HTTP endpoint.
By default, resources are associated with dozens of Key fields which are included in
the QFlow output. The “Data Formatter” node allows you to selectively choose the
key fields, from the list of available keys.
The Raw API node lets users call any API for any service supported by the
respective CSPs. This node can help users perform almost any action and
form almost any possible relation among their cloud resources.
Course Outcomes
Qualys Flow
§ Understand the benefits of Qualys Flow and how it helps to coordinate, execute and
automate tasks between different Qualys applications.
§ Identify and understand the different functions of the various QFlow nodes.
§ Use QFlow and the “CloudView Control” node to continuously monitor your cloud
infrastructure and identify misconfiguration issues and compliance risks.
§ Identify the QFlow nodes and functions that comprise an EC2 Perimeter Scan.
Thank you!