Nmap scanner overview
QRadar uses SSH to communicate with the Nmap server to either start remote Nmap scans or download the completed Nmap scan results.
Restriction: Although there is an Nmap binary on each QRadar host, it is reserved for internal QRadar use only. Configuring an Nmap vulnerability scanner to use a QRadar Console or QRadar managed host as the remote Nmap scanner is not supported and can cause instabilities.
When administrators configure an Nmap scan, a specific Nmap user account can be created for the QRadar system. A unique user account ensures that QRadar possesses the credentials that are required to log in and communicate with the Nmap server. After the user account creation is complete, administrators can test the connection from QRadar to the Nmap client with SSH to verify the user credentials. This test ensures that each system can communicate before the system attempts to download vulnerability scan data or start a live scan.
The following options are available for data collection of vulnerability information from Nmap scanners:
- Remote live scan. Live scans use the Nmap binary file to remotely start scans. After the live scan completes, the data is imported over SSH. See Adding a Nmap remote live scan.
- Remote results import. The result data from a previously completed scan is imported over SSH. See Adding a NMap remote result import.