Automated Saving of Qualys Scan Reports to TheHive Workflow
This workflow automatically retrieves completed reports from the Qualys security scanning platform, filters out old reports, processes only the latest reports, and creates cases in TheHive. By executing on an hourly schedule, it ensures that the Security Operations Center has real-time access to vulnerability scanning data, enhancing the automation and efficiency of vulnerability management. This avoids manual operations, enabling rapid response to security incidents and centralized storage of reports for easier subsequent queries and audits.
Workflow Name
Automated Saving of Qualys Scan Reports to TheHive Workflow
Key Features and Highlights
This workflow automates the retrieval of completed scan reports from the Qualys security scanning platform, filters out previously processed reports, and creates cases in TheHive only for the latest reports. Corresponding PDF reports are downloaded and automatically uploaded as attachments to their respective cases. Triggered on an hourly schedule, it ensures the Security Operations Center (SOC) has real-time access to the latest vulnerability scan data, thereby enhancing automation and efficiency in vulnerability management.
Core Problems Addressed
- Automates the acquisition of Qualys scan reports, eliminating manual downloading and organization
- Prevents duplicate processing of archived reports by filtering new and old data based on timestamps
- Automatically creates cases in TheHive for unified report management, accelerating security incident response
- Centralizes report storage and archiving for easy future retrieval and auditing
Use Cases
- Automated vulnerability management in Security Operations Centers (SOC)
- Regular collection and archiving of enterprise vulnerability scan reports
- Unified management and tracking of scan results by security incident response teams
- Any organization requiring automatic import of Qualys reports into TheHive for analysis and management
Main Workflow Steps
- Scheduled Trigger: Runs the workflow once every hour to ensure continuous data updates.
- Set Global Variables: Initialize the Qualys API base URL and current timestamp.
- Call Qualys API to Retrieve Report List: Fetch only reports with status “Finished.”
- Convert XML to JSON: Facilitate subsequent data processing.
- Split Report List: Process each report individually.
- Filter Processed Reports: Select only new reports based on the last run timestamp.
- Create TheHive Case for Each New Report: Serve as containers and management units for reports.
- Download Report Content: Obtain the specific PDF report from Qualys.
- Upload Report as Attachment to Corresponding TheHive Case: Link reports with cases for centralized storage.
- Update Timestamp: Record the current processing time to avoid duplicate handling.
- Wait Node: Control request pacing to prevent API rate limiting.
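The "Split Report List" and "Filter Processed Reports" steps, sketched as an added JavaScript example of the kind that could run in an n8n Code node; it is not the workflow's own code. The field names (REPORT_LIST, REPORT, LAUNCH_DATETIME, STATUS.STATE), the choice of launch time as the compared timestamp, and the sample data are assumptions, since the page does not specify them.

```javascript
// Constructed sample: the shape an XML-to-JSON step might produce for a
// report list. Field names are assumptions, not taken from the page.
const sampleList = {
  REPORT_LIST: {
    REPORT: [
      { ID: '1001', TITLE: 'Weekly scan', LAUNCH_DATETIME: '2024-05-01T09:10:00Z', STATUS: { STATE: 'Finished' } },
      { ID: '1002', TITLE: 'DMZ scan', LAUNCH_DATETIME: '2024-05-01T10:20:00Z', STATUS: { STATE: 'Finished' } },
      { ID: '1003', TITLE: 'Lab scan', LAUNCH_DATETIME: '2024-05-01T10:30:00Z', STATUS: { STATE: 'Running' } },
      { ID: '1004', TITLE: 'Missing date', LAUNCH_DATETIME: '', STATUS: { STATE: 'Finished' } },
    ],
  },
};

// Normalise to an array: XML-to-JSON converters may emit a bare object
// instead of a one-element array when the list holds a single report.
function toArray(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Return finished reports launched strictly after the last run, plus the IDs
// of finished reports whose timestamp could not be parsed, so they can be
// reviewed instead of being dropped silently.
function selectNewReports(list, lastRunIso) {
  const lastRun = Date.parse(lastRunIso);
  if (Number.isNaN(lastRun)) throw new Error('invalid last-run timestamp');
  const fresh = [];
  const skipped = [];
  for (const report of toArray(list?.REPORT_LIST?.REPORT)) {
    if (report?.STATUS?.STATE !== 'Finished') continue; // only completed reports
    const launched = Date.parse(report.LAUNCH_DATETIME);
    if (Number.isNaN(launched)) { skipped.push(report.ID); continue; }
    // Compare parsed instants, not strings; equal timestamps count as already seen.
    if (launched > lastRun) fresh.push({ id: report.ID, title: report.TITLE });
  }
  return { fresh, skipped };
}
```

Each entry in `fresh` would become one TheHive case; the `skipped` IDs are worth logging so a malformed record does not silently disappear from the archive.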
Involved Systems or Services
- Qualys: Source of vulnerability scan reports, accessed via API.
- TheHive: Security incident response platform used for case creation and report management.
- n8n Automation Platform: Orchestrates the steps to enable automated workflow scheduling and execution.
Target Users and Value
- Security Operations Teams: Enhance automation in vulnerability management and reduce manual workload.
- Security Incident Responders: Quickly consolidate scan data for streamlined case tracking and handling.
- IT Operations and Compliance Teams: Achieve systematic archiving and auditing of scan reports.
- Any organization seeking automated collection and management of Qualys reports to improve efficiency and data accuracy.
This workflow example demonstrates how to leverage n8n’s powerful automation capabilities combined with Qualys and TheHive security tools to achieve end-to-end automated report collection, case management, and archiving—significantly boosting vulnerability management and security response efficiency. Deploy now to empower your security operations with intelligent automation.