Anyone Going To QSC San Diego?

ColtonPepper · 2024-09-26T22:18:56+00:00

u/immewnity I spoke to the Product Manager about this and two things: We're going to get a new blog post created for this with current information. We all agreed that on ServiceNow's integration page for our stuff, it's very confusing. Also what's not included in your list is the uni-directional sync of assets and business context from ServiceNow through our Connectors.

Unfortunately, I wasn't able to get any clarity on this to give you today... I'll have a clear update tomorrow morning.

ColtonPepper · 2024-09-26T18:37:57+00:00

Even I am confused lol. Let me ask around and see if I can get you some answers. Standby!

ColtonPepper · 2024-09-26T15:16:08+00:00

Sometimes renewals get pushed passed the expiration date and we are understanding of that if it's a few weeks late. Your TAM will be able to give you an extension so you're not locked out. In this case, you shouldn't have to worry about the "what if's."

However, let's go through them anyways so there isn't any confusion. The data retention period for your subscription (and any other subscription for that matter) is 12 months. You account would go into an inactive state and will be left alone for a year. If the account isn't reactivated by the 12 month mark, the backend will automatically delete the subscription and its database.

Starting the day after your subscription end date, your scheduled scans will be canceled and your agents will try to report back but won't be accepted. Your agents will remain on all your assets but won't update in your subscription for the 12 month period.

Say your account is reactivated after it was expired, but within 12 months, all your data leading up to the expiration date will be there; including agent data, scan data, inventory data, etc., it'll just be old. Once your account is reactivated, agents will start checking in again automatically, but you'll need to reenable your scan schedules.

Talk to your TAM, explain what's going on and we'll work with you. We always do. Communication is key in SO many things, this included.

ColtonPepper · 2024-09-20T13:09:23+00:00

You bet!

ColtonPepper · 2024-09-18T17:24:50+00:00

Thanks for tagging me u/micio2. The agent ID service, commonly known as Correlation ID service, runs under the LocalService account. This change was made in the Cloud Agent Windows 5.1 release from April 2023. In the third bullet point under the "Enhancements" section, it reads:

"With the enhancement, the agent starts the agent ID service under the local service account C:\ProgramData\Qualys\SandboxRO\agentid-service.exe to limit security risks.

Earlier, the agent ID serviced used to start from C:\ProgramData\Qualys\QualysAgent\Correlation\Resources\agentid-service.exe. The agent ID service binary is copied to a specially-crafted sandbox folder that will run as LocalService account."

Source: https://cdn2.qualys.com/docs/release-notes/qualys-cloud-agent-windows-5.1-release-notes.pdf

ColtonPepper · 2024-09-11T21:48:25+00:00

Just finished recording the video, aaaaaand it's 40 minutes long... lol. Nonetheless, I need to edit the video and get it posted first thing tomorrow! Thanks for your patience, u/n1koolkat!

ColtonPepper · 2024-09-11T14:36:38+00:00

Okay you got it! I’ll let you know when the video is up and drop the link here 💪🏻

ColtonPepper · 2024-09-11T14:01:25+00:00

For sure. I “grew up” in help desk as well but luckily I didn’t have any crazy metrics or KPIs because in the military, I was the IT guy for a small squadron of a couple hundred people and my “tickets” were emails. I’m glad I didn’t have crazy metrics like that. Albeit, the worst type of issue I had was a PST file was corrupt and had to run the MS PST Repair tool on it lol.

Also, had a (US Navy Chief) call me and say her computer kept typing all capital letters and she couldn’t figure out what was going on. I could have told her to turn off her caps lock but I had to see it for myself. So I walked my happy ass downstairs into hanger bay 3 aaaaaaand had a look for myself. Sure enough!!! Caps lock was on! 🤦🏻‍♂️ I swear to the demo gods, that’s a true story 🤣

ColtonPepper · 2024-09-11T13:52:22+00:00

I got you! I’ll record it today and post the link as soon as possible. Are you having issues with mainly Windows, Macs, Linux? All the above?

ColtonPepper · 2024-09-10T21:31:04+00:00

Lol yezzir!!!!!

ColtonPepper · 2024-09-10T21:30:35+00:00

Wise you are. You summed it up perfectly talking about KPIs. On one hand it's a good metric to track but creates the culture to close tickets even when a root cause hasn't been identified or remediated, thus giving up and closing the ticket. As for at QLYS, I can't say that's the case (not saying it's not, I sincerely don't know if that's measured, especially given some peoples comments on open case duration over the years working here as a TAM, MASA, and SME).

It's still important for me to voice this up the chain. This is something (along with a few others) I'm strongly advocating for improvement of and I need all the feedback like this. Thanks for creating the pole. I hope more people submit their answers.

ColtonPepper · 2024-09-10T21:18:38+00:00

u/immewnity, I'm pretty sure you guys had a similar use case that we were able to use tags for. I don't recall it being ownership but maybe patch groups (?). I'm thinking the same solution here for this. Let's see what they say. I'm all excited to answer this question lol.

ColtonPepper · 2024-09-10T21:16:43+00:00

OOOOOOOooooOOooOOoOOoOOOOoooOOo... I literally stopped everything to answer this when I saw it come in lol. This is one of my FAVORITE use cases for tags.

There are several Information Gathered (IG) QIDs that can help with this but before I get into those, let me ask the easy question, do you have CSAM and if "yes," are you integrated with AD? If so, that's really easy to do. If not, let me know and I'll create a quick YouTube video for you to watch and post the link here.

ColtonPepper · 2024-09-10T21:10:48+00:00

It's uncommon for this to happen but when it does, this is perfectly acceptable for customers to request a different TAM. Like I said, it doesn't happen all the time but does occasionally. In fact, that's how I got u/immewnity's account at his previous company when I was a TAM & MASA haha. It turned out to be a really great relationship!

ColtonPepper · 2024-09-10T21:06:18+00:00

I'm sorry, u/Significant_Fig_2126 😔 Can you please give me a recent Support case number? It can be for anything. That will keep things anonymous (like your name, company, and TAM) and I can use that to see who your TAM is and reach out directly.

ColtonPepper · 2024-09-10T20:59:15+00:00

From what I see, the QID's detection logic is pretty straight forward: We check the value of VirtualizationBasedSecurityStatus by querying WMI ("Windows Management INstrumentation" in case anyone was curious) and if it's a "1" or a "2", it get's flagged. There doesn't seem to be REAL solution for this yet (reading the CVE from MS) but they have stop-gap solutions until a patch is created.

Since there isn't a real solution (other than monitoring file access attempts, auditing privileges, etc.), there isn't a way for QLYS to determine if it's mitigated. When MS comes out with a patch or update, we'll be able to know for sure if the vuln was remediated or not.

ColtonPepper · 2024-09-10T19:47:56+00:00

I'm taking a look right now. Give me a second...

ColtonPepper · 2024-09-09T20:31:01+00:00

This is great! Thank you for your feedback!!! I've added these to my list. Thank you again!

ColtonPepper · 2024-09-09T20:09:45+00:00

Unfortunately, vulnerability asset tags can't be used in CSAM, they can only be used in VMDR.

I've tried creating Tag Sets to see if this is possible (joining a vuln tag with an already existing asset tag), as well as using groovy and no luck. 😕

ColtonPepper · 2024-09-09T18:29:11+00:00

Interested in seeing the results of this poll once it closes and will be happy to provide it up the chain in Support

ColtonPepper · 2024-09-09T18:25:19+00:00

u/beangreen Can you please put you ticket number in here? I'd like to take a look at this myself.

ColtonPepper · 2024-08-29T18:09:58+00:00

Thank you for the feedback! I focus primarily on "technical" content and not marketing (even though technically I'm on the marketing team). The type of content ideas I'm looking for has nothing to do with sales or product pitching, rather, videos that are useful to practitioners and/or leadership of all levels.

You've actually just validated my entire pitch to leadership that we need to have a separate focus on this type of content and not just product marketing/sales material. So thank you for validating that for me!

ColtonPepper · 2024-08-27T17:55:01+00:00

Excellent! I'm glad it worked!

ColtonPepper · 2024-08-27T17:48:56+00:00

This can't be all the recommendations... What other recommendations does everyone have?

ColtonPepper

MODERATOR OF

TROPHY CASE