QFlow Slideshow


Qualys Flow (QFlow)

Qualys Training Team, training@qualys.com

Play Lab Tutorials

Qualys, Inc. Corporate Presentation 2

1. When you click the link to open a lab tutorial, it will open in your default web
browser. If you would like to play the tutorial in a different browser, you can copy
this link and paste it into the address field of another browser.

2. When the lab tutorial opens, click the icon in the upper-right corner to maximize
your screen size.

3. When you're ready to play the tutorial, click the start button.

Agenda
Qualys Flow

Part One
§ Introduction to Qualys Flow (QFlow)
• QFlow UI & Editor
• Lab 1: Simple “Data Collection” QFlow
§ QFlow Nodes Overview
Part Two
§ Create Custom Security Controls for Unique Cloud Apps
• Lab 2: QFlow “CloudView Control” Node
• Lab 3: CSA Custom Control
§ EC2 Perimeter Scan
• Filter, Data Formatter, Custom, HTTP, and Report Nodes

The agenda for this course is divided into two parts:

Part One will introduce you to the QFlow Editor and the various nodes provided by
the QFlow application.

In Part Two, you’ll apply the various nodes you learned about in Part One, to a couple
of common use-cases.

The first use-case provides a solution for securing your unique or custom cloud-based
applications and services. This involves the integration of QFlow with Qualys
CloudView via the “CloudView Control” node. The workflow for this use-case
requires 3 nodes.

The second use-case highlights the way QFlow orchestrates and automates the
applications, sensors and services within the Qualys Cloud Platform. It examines the
seven QFlow nodes that work together to perform an EC2 Perimeter Scan.

Course Objectives
Qualys Flow

§ Understand the benefits of Qualys Flow and how it helps to coordinate, execute and
automate tasks between different Qualys applications.
§ Learn to create a simple “data collection” QFlow in the QFlow editor.
§ Identify and understand the different functions of the various QFlow nodes.
§ Learn to use QFlow and the “CloudView Control” node to continuously monitor your cloud
infrastructure and identify misconfiguration issues and compliance risks.
§ Build a “CloudView Control” node.
§ Create a custom control in Qualys CloudView (i.e., CSA).

§ Identify the QFlow nodes and functions that comprise an EC2 Perimeter Scan.

Security & Automation Challenges

• Lack of skilled security resources
• Time from detection to remediation is too long
• Some applications have unique security requirements
• Different tools for change mgt., incident mgt., patching, alerting, etc.

One way to understand the benefits of an application like QFlow is to examine the
problems and challenges that it addresses. Too much time from detection to
remediation is a common symptom of the automation challenges organizations face.

Organizations that attempt to shorten the time from vulnerability detection to
remediation often find it difficult to acquire the skilled personnel needed to meet
this objective, especially when different tools are used for change and incident
management, alerting, and patching & remediation.

Organizations with unique security requirements sometimes find it difficult to find a
solution that meets their specific needs.

QFlow Features & Solutions

• Quickly automate security workflows using graphical nodes. No coding required.
• Build custom “user-defined” security controls for custom cloud-based applications
(CloudView integration).
• Coordinate, execute and automate tasks between different applications and sensors
within the Qualys Cloud Platform.

In this course, you’ll learn to use QFlow nodes to automate security workflows
without having to write code. However, you will learn about the “Custom” node,
which supports JavaScript (i.e., node.js).

With the QFlow “CloudView Control” node providing integration between QFlow and
Qualys CloudView, you can provide coverage for your unique cloud apps and
services by building “custom” CloudView controls.

Although QFlow supports automation with third-party services and APIs, we’ll
examine an “EC2 Perimeter Scan” use-case that automates tasks within the Qualys
Cloud Platform. QFlow helps organizations automate security tasks throughout the
Qualys Cloud Platform, as well as third-party applications and services.

Companies are cutting “time-to-remediation” significantly with ServiceNow
(closed-loop) ITSM integration.

QFlow Requirements
• QFlow is a core component of the Qualys Platform.
• QFlow manages and orchestrates the functionality provided by other Qualys
application modules, which are managed by their own separate license
agreement.
• Need an active Qualys Platform subscription and at least one Qualys
application module.

As a core component of the Qualys Platform, there is no separate license or charge
for QFlow.

The following soft limits will be applied:

• 100 QFlows
• 50 concurrent QFlow executions
• 100,000 executions per month

QFlow User Roles

Each user has a predefined role that determines the actions they can perform. The
Manager user has full privileges and permissions to create, execute, deploy, and
delete the QFlows.

Power Developer - create, edit, execute, delete, or deploy their own QFlows; list,
read, assign tags, or remove tags for their own QFlows.

Developer - create, edit, execute, or delete their own QFlows.

Deployer - list, read, execute, or deploy all the QFlows by using tags assigned by the
Manager user.

Reader - list and read all the QFlows by using tags assigned by the Manager user.

QFlow Admin

Qualys Flow Admin - create, edit, execute, delete, or deploy all the QFlows; list,
read, assign tags, or remove tags for all the QFlows available in the account.

QFlow Editor

• All QFlow workflows begin with a “Trigger” node.
• Click the “plus” symbol or use the Node Explorer to quickly and easily add more
nodes.

Anytime a new QFlow is created, the “Trigger” node is automatically added to the
editor. Use the Node Explorer to add more nodes.

Explore QFlow Nodes

• Resource & Action Nodes
• General Nodes

Resource nodes provide QFlow with metadata from your cloud-based assets and
resources. The Qualys Cloud Connector must be configured with both read and
write privileges to support the use of “Action” nodes.

LAB 1

Please consult pages 3-4 in the QFlow Lab Tutorial Supplement.

6 min.
PLAY Simple “Data Collection” QFlow, pg. 3

1. This lab tutorial begins in the QFLOWS section of Qualys QFlow.
2. Create a new QFlow from scratch.
3. Edit the Basic Details of the QFlow and set category to Custom.
4. Edit the Trigger node and examine the different trigger options.
5. Add and Edit the “AWS Resource” node to target EC2 Instances.
6. Save the QFlow, configured with the AWS-SD-Connector and all US AWS Regions.
7. Use the “Run” button to execute the QFlow from within the editor.
8. View the output from the AWS Resource node and expand one of the EC2
Instances to display all the Key field data elements.

Trigger Node

§ Schedule QFlow runs to recur:
• Hourly
• Daily
• Weekly
§ Schedule QFlow runs via Cron.
§ Run QFlows manually (default).
§ Integrate QFlow runs with CloudView data collections.

Schedule QFlow runs hourly, daily, or weekly. You can also run QFlows manually via
the “Run” button. When enabled, the “CloudView” trigger will synchronize QFlow
runs with CloudView data collections via the Qualys Cloud Connector.

Resource & Action Nodes Review

AWS Nodes
§ AWS Resource – access AWS Resources provided by the Qualys
Connector.
§ AWS Action – perform actions against AWS resources.*

Azure Nodes
§ Azure Resource – access Azure Resources provided by the
Qualys Connector.
§ Azure Action – perform actions against Azure resources.*

* The Qualys Cloud Connector must be configured with both “read” and “write” privileges to support the use of “Action” nodes.

Resource nodes provide access to your cloud-based resources and data via the Qualys
Cloud Connector.

Action nodes leverage the services and functions provided by your cloud-based
accounts to take actions or remediation steps that target account resources. The
Qualys Cloud Connector must be configured with both “read” and “write” privileges
to support the use of “Action” nodes.

QFlows

The QUALYS APPS column indicates QFlow’s integration with other Qualys applications.

The QFlow workflows you have created can be found in the QFLOWS section of the
UI. QFlows that have been “deployed” for integration with Qualys CloudView, are
identified in the QUALYS APPS column.

QFlow Templates

QFlow templates are provided in the TEMPLATES section of QFlow.

Qualys CloudView

• Featured Sensor - Qualys Cloud Connector
• Qualys Cloud Connectors provide metadata from your cloud-based accounts (AWS,
Azure, GCP).
• Qualys Cloud Security Assessment (CSA) provides controls and policies to assess
your cloud-based resources and configurations.

[Diagram: Cloud Inventory (CI) and Cloud Security Assessment (CSA)]

Qualys CloudView consists of two separate components:

• Cloud Inventory (CI)
• Cloud Security Assessment (CSA)

By default, Qualys Cloud Connectors continuously monitor resources in your AWS,
Azure, or GCP accounts. Qualys Cloud Security Assessment evaluates cloud resources
for misconfigurations and policy lapses. When configured with “write” access, Cloud
Connectors can provide remediation and response capabilities.

Although Cloud Connectors can be configured to add instance IPs to your “scannable”
subscription automatically, our next case study will not leverage this feature.

Cloud Security Assessment (CSA)

Based on industry best practices, CSA continues to provide “out-of-box” policies
and controls for your AWS, Azure, and Google accounts and resources.

With Qualys Cloud Security Assessment (CSA) you can leverage “out-of-box”
policies to assess technical controls and identify security-related
misconfigurations, for your AWS, Azure, and Google accounts.

What About Your Unique Applications?
Use Case: You have a custom configured application that is not presently addressed
by the controls already provided by Qualys CloudView (i.e., CSA).

Step 1: Create a QFlow (with the “CloudView Control” node) to collect resource data
from the custom app/service.
Step 2: Build a custom CloudView control that uses the output provided by QFlow’s
CloudView Control node.

If you have any applications not directly addressed by the existing CSA controls, you
can submit a request to Qualys to have the control added to the platform or build a
“custom” CSA control, using resource data, filtering and assessment provided by
QFlow.

• Create custom security controls for your unique cloud-based resources (e.g., API
Gateway, Redshift, CloudTrail, KMS, etc.).
• No need to wait for the publication of new security controls to meet your
changing policies and requirements.

CloudView Integration Nodes

§ Trigger – scheduled to run periodically.
§ AWS Resource – collect EC2 instances.
§ CloudView Control – specify the Evaluation Criteria and Evidence shared with
Qualys CSA.

This use-case will leverage three QFlow nodes:

• Trigger
• AWS Resource
• CloudView Control

The “Trigger” node can be configured to synchronize QFlow runs with CloudView data
collections via the Qualys Cloud Connector. The “CloudView Control” node provides
the Evaluation Criteria and Evidence that will be consumed by Qualys CSA.

Alternatively, the Azure Resource node can also be used to meet the objectives of
this case study.

LAB 2

Please consult pages 5-6 in the QFlow Lab Tutorial Supplement.

10 min.
PLAY QFlow “CloudView Control” Node, pg. 5

QFlow Objective: List EC2 instances in AWS with Security Groups that allow SSH or
RDP access from ANY IP address.

This lab tutorial builds on the QFlow created in the previous lab tutorial by adding the
“CloudView Control” Node, which provides options to evaluate workflow data and
share evidence with the Qualys CloudView.

1. From the QFLOWS section, use the Quick Actions menu to edit the QFlow created
in the previous lab tutorial.
2. Update the Basic Details to reflect the new objective and change the category
from “Custom” to “Security.”
3. Add the “CloudView Control” node to QFlow Editor.
4. Edit the “CloudView Control” node and select ‘AWSResource.Instances’ as the
Data to evaluate.
5. Edit the Evaluation Criteria and select “Security Group” as the Filter type.
6. Configure the first condition to single-out Security Groups allowing inbound
access to SSH from any IP address.
7. Configure the second condition to single-out Security Groups allowing inbound
access to RDP from any IP address.

8. To meet the minimum evidence requirement, provide the ‘InstanceId’ and
‘PublicDnsName’ for each instance.
9. Add the “InstanceType” key as additional evidence.
10. Edit the “Trigger” node and activate CloudView synchronization.
11. Click the “triple-dot” icon in the upper-right corner of the “CloudView Control”
node and select Run Till.
12. Presently, all instances PASS the evaluation criteria.
13. Save the QFlow and return to the QFLOWS section.
14. Run the QFlow to update its status.
15. Use the Quick Actions menu to Enable the QFlow (i.e., Deploy).

Activate CloudView in Trigger Node

When activated, the “CloudView” trigger will synchronize QFlow runs with CloudView
data collections via Qualys Cloud Connector.

Connector Polling Frequency

§ By default, the connector is configured to poll every 4 hours to fetch inventory and assessment
data.
§ You can configure polling frequency from one hour (minimum) to 24 hours (maximum).
§ Qualys recommends a connector polling frequency of 4+ hours, to avoid impacting
connector performance and Cloud API throttling errors.

Connector polling frequency is configurable from every hour to every 24 hours.
Qualys recommends polling frequencies of 4+ hours.

“CloudView Control” Node

1. Select target resource (i.e., data to evaluate).
2. Add evaluation criteria for PASS/FAIL outcomes.
3. Select Keys for evidence.

The primary components of the “CloudView Control” node include:

1. Target Resource
2. Evaluation Criteria
3. Evidence Keys

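The three components of the “CloudView Control” node (target resource, evaluation criteria, evidence keys) applied to the Lab 2 objective (security groups allowing SSH or RDP from any IP address), as an added plain-JavaScript model; this is not Qualys code, and the nested instance/security-group shape and sample data are constructed for the example.

```javascript
// Added example, not Qualys code: models the "CloudView Control" node's three
// parts (target resource, evaluation criteria, evidence keys) for the Lab 2
// objective. The nested instance shape below is constructed for the example;
// the real node evaluates the AWSResource.Instances output of the AWS Resource node.

const ANY_IPV4 = "0.0.0.0/0";
const ANY_IPV6 = "::/0";

// Lab 2 conditions: SSH and RDP reachable from any IP address.
const EVALUATION_CRITERIA = [
  { name: "SSH from any IP", port: 22 },
  { name: "RDP from any IP", port: 3389 },
];

// Minimum evidence (InstanceId, PublicDnsName) plus InstanceType.
const EVIDENCE_KEYS = ["InstanceId", "PublicDnsName", "InstanceType"];

// True when one inbound rule exposes `port` to the whole Internet. A rule with
// IpProtocol "-1" (all traffic) carries no port range and matches every port.
function ruleOpensPortToWorld(rule, port) {
  const allTraffic = rule.IpProtocol === "-1";
  const protoOk = allTraffic || rule.IpProtocol === "tcp";
  const portInRange = allTraffic || (port >= rule.FromPort && port <= rule.ToPort);
  const worldV4 = (rule.IpRanges || []).some((r) => r.CidrIp === ANY_IPV4);
  const worldV6 = (rule.Ipv6Ranges || []).some((r) => r.CidrIpv6 === ANY_IPV6);
  return protoOk && portInRange && (worldV4 || worldV6);
}

// Evaluate one instance: FAIL if any attached security group matches a
// condition; the evidence carries only the selected keys, as the node would.
function evaluateInstance(instance) {
  const failedConditions = EVALUATION_CRITERIA
    .filter((c) => (instance.SecurityGroups || []).some((sg) =>
      (sg.IpPermissions || []).some((rule) => ruleOpensPortToWorld(rule, c.port))))
    .map((c) => c.name);
  const evidence = Object.fromEntries(EVIDENCE_KEYS.map((k) => [k, instance[k]]));
  return { result: failedConditions.length ? "FAIL" : "PASS", failedConditions, evidence };
}

function evaluateAll(instances) {
  return instances.map(evaluateInstance);
}

// Constructed sample data (not from a real account): one instance open on
// SSH only, one open to all traffic over IPv6, one exposing only HTTPS.
const SAMPLE_INSTANCES = [
  { InstanceId: "i-0aaa000000000001", PublicDnsName: "ec2-1.example.test", InstanceType: "t3.micro",
    SecurityGroups: [{ GroupId: "sg-ssh-open", IpPermissions: [
      { IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: ANY_IPV4 }] },
      { IpProtocol: "tcp", FromPort: 3389, ToPort: 3389, IpRanges: [{ CidrIp: "10.0.0.0/8" }] } ] }] },
  { InstanceId: "i-0aaa000000000002", PublicDnsName: "ec2-2.example.test", InstanceType: "m5.large",
    SecurityGroups: [{ GroupId: "sg-all-open", IpPermissions: [
      { IpProtocol: "-1", IpRanges: [], Ipv6Ranges: [{ CidrIpv6: ANY_IPV6 }] } ] }] },
  { InstanceId: "i-0aaa000000000003", PublicDnsName: "ec2-3.example.test", InstanceType: "t3.small",
    SecurityGroups: [{ GroupId: "sg-https", IpPermissions: [
      { IpProtocol: "tcp", FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: ANY_IPV4 }] } ] }] },
];

for (const r of evaluateAll(SAMPLE_INSTANCES)) {
  console.log(r.evidence.InstanceId, r.result, r.failedConditions.join(", "));
}
```
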
Deploy QFlow to Qualys CSA

QFlows that contain the “CloudView Control” node must first be enabled or deployed
before resource data is consumed by Qualys Cloud Security Assessment (CSA).

Custom CloudView Controls

§ From Qualys CloudView (1), navigate to the POLICY section (2), open the “Controls” tab (3), and
click the “Create Control” button.

To create a custom control in Qualys CloudView (one that uses the output generated
by a QFlow), navigate to the Controls Library in CloudView and click the “Create
Control” button.

LAB 3

Please consult pages 5-6 in the QFlow Lab Tutorial Supplement.

5 min.
PLAY CSA Custom Control, pg. 6

1. Navigate to the “Controls” tab within the POLICIES section of Qualys CloudView.
2. Click the “Create Control” button.
3. In the “Evaluation Details” step, select the QFlow created in the previous lab
tutorial.
4. Save the control.
5. The new control must be added to a CSA Policy before it will produce assessment
results.

Include QFlow

Only QFlows that have been “deployed” are eligible for selection.

Only QFlows that have been deployed will appear in the list to Select a QFlow.

EC2 Perimeter Scan Objectives

The EC2 Perimeter Scan in this use-case includes the following tasks and objectives:

1. Auto-discover EC2 instances in your account.
2. Identify public-facing instances and extract the public IP address from each host.
3. Add the extracted IPs to your “scannable” subscription.
4. Target the same IPs in a perimeter scan (i.e., using the Qualys Internet-based
Scanner Pool).

EC2 Perimeter Scan Nodes

1. Trigger – scheduled to run periodically.
2. AWS Resource – collect EC2 instances.
3. Filter – select instances with a public IP address.
4. Data Formatter – single out the public IP address as the key field.
5. Custom – add a custom script to auto-populate the IP address field in the API call.
6. HTTP – execute the API call to add targeted IPs to the subscription.
7. HTTP – launch an EC2 perimeter scan against the targeted IPs.

1. The “Trigger” node uses the “Schedule” option to run daily.
2. AWS Resources are collected as the input for this QFlow.
3. The “Filter” node is applied to single out instances that are public-facing.
4. Since the scanning objective only requires the public IP address from each
instance, the “Data Formatter” node is used to filter out all other Key fields.
5. The “Custom” node leverages JavaScript (node.js) to automatically add the public
IP addresses to the Qualys API functions that add IPs to the scannable subscription
and then launch a perimeter scan against the same IPs.
6. The first “HTTP” node executes the API function call to “add IPs” to the
“scannable” subscription.
7. The second “HTTP” node executes the API function call to launch the scan.

QFlow Editor – EC2 Perimeter Scan

We’ll begin our examination of the “perimeter scan” nodes with the “Filter” node (3).

Filter Node

Select instances with a public IP address.

The “Filter” node can filter data from previous nodes in the workflow. Since the
“AWS Resource” node is the only eligible node, it is selected as the “Node data to
filter.”

QFlow nodes have different Filter Types, including dates, Asset Tags, Security Groups,
and Network ACLs. The “Param” filter type allows for conditions that target Key
fields in the resource data.

The “Key” and “Operator” fields combine to single out EC2 instances with a public IP
address (i.e., $.PublicIpAddress exists).

Filter Node

• The “Filter” node potentially reduces the number of EC2 instances.
• Each instance is accompanied by dozens of Key fields.
• This use-case requires only one Key: PublicIpAddress.

While the “Filter” node reduces the total number of EC2 instances down to twelve,
each instance is accompanied by dozens of Key fields.

To meet the objectives of this use-case, only the public IP address is required.

Data Formatter Node

While the “Filter” node reduced the number of EC2 instances, the “Data Formatter”
node allows you to tune and filter instance Keys for the QFlow output. Since all
remaining nodes only require the public IP address from each instance, the “Data
Formatter” node filters out all other Key fields.

Custom Node

JavaScript (node.js) is used to add targeted public IPs to the “IP” and “SCAN” API functions.

The “Custom” node uses JavaScript (node.js) to add the targeted public IPs to the
“Asset” and “Scan” API functions within the “LaunchScan” and “AddIp” variables.

Display the output from the Custom Node to view the public IPs added to the Qualys
API URL.

AddIp & LaunchScan API URLs
BEFORE

AddIp
https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/ip/?action=add

LaunchScan
https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/scan/?action=launch&scan_title=Training_POC&ip=

AFTER

AddIp
https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/asset/ip/?action=add&ips=44.208.166.100,54.175.76.231,18.204.9.2,34.229.9.191,184.72.131.183,18.212.51.240,54.84.186.9,3.208.89.138,34.229.130.103,18.234.51.178,54.173.242.227,3.83.66.193,52.70.141.129,44.204.149.&tracking_method=DNS&enable_pc=1&enable_vm=1&comment=VIA+API+2022-02-03+10%3A32

LaunchScan
https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/scan/?action=launch&scan_title=Training_POC&ip=44.208.166.100,54.175.76.231,18.204.9.2,34.229.9.191,184.72.131.183,18.212.51.240,54.84.186.9,3.208.89.138,34.229.130.103,18.234.51.178,&option_id=1670451

The “Custom” node inserts the dynamic list of IPs into the API URL, along with other
necessary parameters.

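The Filter, Data Formatter and Custom node steps described above, carried through in plain JavaScript to produce the AddIp and LaunchScan URLs that the two HTTP nodes call. This is an added example, not the course's own “Custom” node script (the deck does not reproduce it); the base URLs, parameter names, scan title and option_id are taken from the BEFORE/AFTER slide, while the instance records and the comment timestamp are constructed.

```javascript
// Added example, not the course's "Custom" node script: Filter, Data Formatter
// and Custom node logic for the EC2 Perimeter Scan. Base URLs, parameter names,
// scan title and option_id come from the deck's BEFORE/AFTER slide; the
// instance data and comment timestamp are constructed.

const QUALYS_API = "https://qualysapi.qg2.apps.qualys.com/api/2.0/fo";
const SCAN_TITLE = "Training_POC";
const OPTION_ID = "1670451";

// Dotted-quad check: rejects partial entries such as the "44.204.149." that
// appears in the deck's AFTER URL, so a bad address fails here, not at the API.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// "Filter" node: keep instances where $.PublicIpAddress exists.
function filterPublicInstances(instances) {
  return instances.filter((i) => typeof i.PublicIpAddress === "string" && i.PublicIpAddress !== "");
}

// "Data Formatter" node: keep only the PublicIpAddress key.
function formatPublicIps(instances) {
  return instances.map((i) => ({ PublicIpAddress: i.PublicIpAddress }));
}

// Build the comma-separated value for ips=/ip=: validated, de-duplicated,
// and without the trailing comma seen in the deck's LaunchScan URL.
function buildIpList(rows) {
  const unique = new Set();
  const invalid = [];
  for (const row of rows) {
    const ip = String(row.PublicIpAddress || "").trim();
    if (IPV4.test(ip)) unique.add(ip); else invalid.push(ip);
  }
  if (invalid.length) throw new Error("invalid public IP(s): " + invalid.join(" "));
  if (unique.size === 0) throw new Error("no public IPs to scan");
  return [...unique].join(",");
}

// Spaces in the comment become "+", matching the deck's comment=VIA+API+... value.
function encodeComment(text) {
  return encodeURIComponent(text).replace(/%20/g, "+");
}

// "Asset" API call: add the IPs to the scannable subscription (VM and PC enabled).
function buildAddIpUrl(ipList, comment) {
  return `${QUALYS_API}/asset/ip/?action=add&ips=${ipList}&tracking_method=DNS` +
    `&enable_pc=1&enable_vm=1&comment=${encodeComment(comment)}`;
}

// "Scan" API call: launch the perimeter scan against the same IPs.
function buildLaunchScanUrl(ipList) {
  return `${QUALYS_API}/scan/?action=launch&scan_title=${SCAN_TITLE}&ip=${ipList}&option_id=${OPTION_ID}`;
}

// Whole pipeline, exposed the way the Custom node's addIp/launchScan variables are.
function buildScanUrls(instances, comment) {
  const ipList = buildIpList(formatPublicIps(filterPublicInstances(instances)));
  return { addIp: buildAddIpUrl(ipList, comment), launchScan: buildLaunchScanUrl(ipList) };
}

// Constructed sample: two public instances (addresses taken from the deck's
// slide), one private-only instance, and one duplicate public address.
const SAMPLE_EC2 = [
  { InstanceId: "i-01", PublicIpAddress: "44.208.166.100", PrivateIpAddress: "10.0.1.10" },
  { InstanceId: "i-02", PrivateIpAddress: "10.0.1.11" },
  { InstanceId: "i-03", PublicIpAddress: "54.175.76.231", PrivateIpAddress: "10.0.1.12" },
  { InstanceId: "i-04", PublicIpAddress: "44.208.166.100", PrivateIpAddress: "10.0.1.13" },
];

console.log(buildScanUrls(SAMPLE_EC2, "VIA API 2022-02-03 10:32"));
```
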
HTTP Node – Add IPs

§ In this example, the “HTTP” node does not target a workflow resource.
§ A POST method is executed.
§ The “Endpoint URI” field holds the “addIp” variable, which now provides the
“Asset” API function call URL (with public IPs included).

Once the “Custom” node constructs the appropriate URL to perform a Qualys API
function call (to add the targeted public IP addresses to your “scannable”
subscription), the “HTTP” node executes the function call via the “Endpoint URI”
field.

Report Node – Launch Scan

§ In this example, the “HTTP” node does not target a workflow resource.
§ A POST method is executed.
§ The “Endpoint URI” field holds the “launchScan” variable, which now provides the
“SCAN” API function call URL (with public IPs included).

Once the “Custom” node constructs the appropriate URL to perform a Qualys API
function call (to launch a scan against the targeted IPs), the “HTTP” node executes
the function call via the “Endpoint URI” field.

Report Node

View and download targeted resource data in CSV or JSON file formats.

The “Report” node can be placed at strategic points throughout the QFlow to
produce a report in CSV or JSON format.

General Nodes Review

§ Filter – performs filtering of resources based on your specified conditions.
§ Report – selectively download resource data into CSV or JSON files.
§ Custom – write scripts (node.js) to customize or automate tasks.
§ HTTP – execute HTTP(S) calls to “third-party” applications or services
with an HTTP API endpoint.
§ Data Formatter – select from the list of available resource keys.
§ Data Joiner – combine the output from two separate nodes into a single
node.
§ CloudView Control (dedicated node for CloudView integration) – create
custom CloudView controls.
§ RAW – access other cloud service provider API services and functions
(e.g., acquire resources or perform actions).

The HTTP node makes HTTP(S) calls from a QFlow. This allows you to integrate with
third-party applications or services with an HTTP endpoint.

By default, resources are associated with dozens of Key fields which are included in
the QFlow output. The “Data Formatter” node allows you to selectively choose the
key fields, from the list of available keys.

The RAW API node lets users call any API for any service supported by the
respective CSPs. This node can help users perform almost any action and
form almost any possible relation among their cloud resources.

Course Outcomes
Qualys Flow

§ Understand the benefits of Qualys Flow and how it helps to coordinate, execute and
automate tasks between different Qualys applications.

§ Create a simple “data collection” QFlow in the QFlow editor.

§ Identify and understand the different functions of the various QFlow nodes.

§ Use QFlow and the “CloudView Control” node to continuously monitor your cloud
infrastructure and identify misconfiguration issues and compliance risks.

§ Build a “CloudView Control” node.

§ Create a custom control in Qualys CloudView (i.e., CSA).

§ Identify the QFlow nodes and functions that comprise an EC2 Perimeter Scan.

Thank you!

Qualys Training Team, training@qualys.com
