This is a simple modification to the Qualys TA for Splunk, created to change the default functionality to take "RESULTS" field data from the Qualys API, and "flatten" whitespace into a single space. While this functionality makes sense from a Splunk data parsing and conciseness perspective, it makes certain QIDs impossible to parse important information. For example, using this data will allow for separation of new line characters and tab characters to parse and separate multi-line and column results, such as "Installed Software Enumerated from Windows Installer".

This original intention was to use the splunkbase_download script to download the Splunk TA via Github Actions, add necessary code changes, for continious integrate of the small code change to the upstream Qualys TA from Splunkbase. Looks like SplunkBase authentication process changed a bit, so I took the script from the issue on the repo, and modified it to work for Github Actions to download the latest Qualys TA release.

This explanation is sort of a stub, I intend to elaborate on the use cases in the future.

This is the simple modification made to the detectionpopulator.py script:

Qualys coded the TA to collapse on purpose, see the end of this gist describing why the new line characters caused concern for unexpected parsing on the Splunk side.