Skip to main content

Qualys Vulnerability Management

Qualys Vulnerability Management (VM) is a vulnerability scanning tool that scans hosts and generates vulnerabilities against those hosts. You can bring these findings into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Qualys Vulnerability Management and how to obtain that information from Qualys. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Qualys Vulnerability Management from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Qualys Vulnerability Management with Brinqa:

  • API Server URL: The Qualys API Server URL. For information on how to determine your Qualys API URL, see Qualys documentation.

  • Username and Password: The username and password associated with the Qualys user, which must have permissions to log in to the API server and return data.

Create a Qualys user

To ensure the user account that the Qualys VM connector uses to access the Qualys server has the appropriate permissions, follow these steps.

  1. Log in to your organization's Qualys server.

  2. Navigate to Users, and then select the Users tab.

  3. Click New and select User. The New User dialog displays.

    Qualys VM New User

  4. Fill out the general information for the new user.

  5. Click User Role on the left menu.

    • From the User Role drop-down, select Reader.

    • Select GUI and API to enable API access, and leave Business Unit Unassigned.

      note

      GUI access allows the user to log in to the Qualys GUI (graphical user interface). After you create the new Qualys user, log in to the Qualys GUI using the new credentials. The system prompts the user to reset their password. The Qualys connector will not function until you complete the password reset.

      Qualys VM User Role settings

  6. Click Asset Groups.

    • From the Add asset groups drop-down, select All or only the asset groups the Qualys user needs access to.

  7. Click Permissions and select all of the available permissions.

  8. Click Options to modify the notification options as needed.

  9. Click Save.

The new Qualys user with appropriate permissions to retrieve data displays on the Qualys Users page.

If you do not wish to create a new Qualys user, you can leverage an existing user with the appropriate permissions.

note

If you do not have permissions to create a new Qualys user, contact your Qualys administrator. For additional information, see Qualys documentation.

Enable CVSS scoring in Qualys

To ensure that the Qualys VM connector accurately retrieves CVSS scoring information, including Temporal Scores, from your Qualys environment, you must enable a specific setting in Qualys. This setting is not enabled by default. To enable this setting, follow these steps:

  1. Log in to your organization's Qualys server.

  2. Navigate to Vulnerability Management > Reports.

  3. Click the Setup tab and then click CVSS.

    Qualys VM CVSS

    The CVSS Setup window displays.

  4. Click Enable CVSS Scoring and then click Save.

    Qualys VM enable CVSS scoring

Additional settings

The Qualys Vulnerability Management connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 2.

  • Maximum retries: The maximum number of times that the integration attempts to connect to the Qualys API before giving up and reporting a failure. The default setting is 5.

  • Request timeout (secs): The maximum time allotted, in seconds, before a request times out. The default setting is 120 seconds. Although it is not recommended, you can also enter zero (0) to disable timeouts.

Types of data to retrieve

The Qualys Vulnerability Management connector can retrieve the following types of data from the Qualys API:

Table 1: Data retrieved from Qualys

Connector ObjectRequiredMaps to Data Model
HostYesHost
VulnerabilityYesVulnerability
Vulnerability DefinitionYesVulnerability Definition
info

For detailed steps on how to view the data retrieved from Qualys VM in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Host

Table 2: Host attribute mappings

Source Field NameMaps to Attribute
accountIdLocal variable
availability zoneLocal variable
categories/asset categorycategories
first discoveredfirstSeen
getNamename
host.getAGENTACTIVATIONKEYLocal variable
host.getAGENTACTIVATIONTITLELocal variable
host.getAGENTSTATUSLocal variable
host.getARSFACTORS.getARSFORMULALocal variable
host.getASSETCRITICALITYSCORELocal variable
host.getASSETRISKSCORELocal variable
host.getASSETIDLocal variable
host.getCLOUDAGENTRUNNINGONLocal variable
host.getCLOUDPROVIDERLocal variable
host.getCLOUDPROVIDERTAGSLocal variable
host.getCLOUDRESOURCEIDinstanceId
host.getCLOUDSERVICELocal variable
host.getDNSDATA.getDOMAINLocal variable
host.getDNSDATA.getFQDNpublicDnsNames, privateDnsNames
host.getHARDWAREUUIDLocal variable
host.getIDuid
host.getIPpublicIpAddresses
host.getLASTVMAUTHSCANNEDDATELocal variable
host.getLASTVULNSCANDATETIMElastScanned, lastSeen
host.getNETBIOShostnames
host.getOSdescription
host.getOWNERLocal variable
host.getQGHOSTIDLocal variable
host.getTRACKINGMETHODLocal variable
host.getTRURISKSCORELocal variable
host.getTRURISKSCOREFACTORS().getTRURISKSCOREFORMULALocal variable
host.getASSETCRITICALITYSCORELocal variable
host.getARSFACTORS.getARSFORMULALocal variable
hostnameshostnames
host.getCLOUDPROVIDERTAGSLocal variable
host.getOSdescription
host.getNETBIOShostname
host.getDNSDATA.getDOMAINdomain
host.getLASTVMAUTHSCANNEDDATElastAuthScanned
host.getARSFACTORS.getARSFORMULAarsFormula
host.getDNSDATA.getDOMAINdomain
host.getOSoperatingSystem
host.getDNSDATA.getDOMAINdomain
instance idinstanceId
instance statestatus
instance typeLocal variable
ipv6Local variable
locationLocal variable
local hostnameprivateDnsNames
macLocal variable
nameLocal variable
networkLocal variable
os typeLocal variable
portLocal variable
private ipLocal variable
private ipv4Local variable
project idLocal variable
protocolLocal variable
public hostnamepublicDnsNames
public ipLocal variable
public ipv4publicIpAddresses
regionLocal variable
resource group nameLocal variable
scan typeLocal variable
security groupLocal variable
statestatus
subnetLocal variable
subscription idLocal variable
targetLocal variable
typeLocal variable
uuiduid
vm idinstanceId
zoneLocal variable
Vulnerability

Table 3: Vulnerability attribute mappings

Source Field NameMaps to Attribute
detection.getAFFECTEXPLOITABLECONFIGLocal variable
detection.getAFFECTRUNNINGKERNELLocal variable
detection.getAFFECTRUNNINGSERVICELocal variable
detection.getFIRSTFOUNDDATETIMEfirstFound
detection.getFIRSTREOPENEDDATETIMELocal variable
detection.getLASTFIXEDDATETIMElastFixed
detection.getLASTFOUNDDATETIMElastFound
detection.getLASTREOPENEDDATETIMELocal variable
detection.getLASTTESTDATETIMElastScanned
detection.getLASTUPDATEDATETIMEsourceLastModified
detection.getLATESTVULNERABILITYDETECTIONSOURCELocal variable
detection.getRESULTSresults
detection.getSTATUSstatus
detection.getTIMESFOUNDtimesFound
detection.getTIMESREOPENEDLocal variable
detection.getTYPELocal variable
detection.getVULNERABILITYDETECTIONSOURCESLocal variable
host.getDNSpublicDnsNames
host.getIDtargets
host.getIPipAddresses
host.getNETBIOShostnames
host.getQGHOSTIDLocal variable
is disabledLocal variable
is ignoredLocal variable
mac addressmacAddresses
portport
protocolprotocol
severityseverity
serviceservice
sslLocal variable
status categorystatusCategory
typetype
uiduid
Vulnerability Definition

Table 4: Vulnerability Definition attribute mappings

Source Field NameMaps to Attribute
cvssv2.getAttackComplexitycvssV2AccessComplexity
cvssv2.getAvailabilitycvssV2AvailabilityImpact
cvssv2.getAuthenticationcvssV2Authentication
cvssv2.getAttackVectorcvssV2AttackVector
cvssv2.getConfidentialitycvssV2ConfidentialityImpact
cvssv2.getExploitabilitycvssV2Exploitability
cvssv2.getIntegritycvssV2IntegrityImpact
cvssv2.getReportConfidencecvssV2ReportConfidence
cvssv2.getRemediationLevelcvssV2RemediationLevel
cvssv2.getSeveritycvssV2Severity
cvssv3.getAttackComplexitycvssV3AccessComplexity
cvssv3.getAvailabilitycvssV3AvailabilityImpact
cvssv3.getAttackVectorcvssV3AttackVector
cvssv3.getConfidentialitycvssV3ConfidentialityImpact
cvssv3.getExploitabilitycvssV3ExploitCodeMaturity
cvssv3.getIntegritycvssV3IntegrityImpact
cvssv3.getPrivilegesRequiredcvssV3PrivilegesRequired
cvssv3.getReportConfidencecvssV3ReportConfidence
cvssv3.getRemediationLevelcvssV3RemediationLevel
cvssv3.getUserInteractioncvssV3UserInteraction
discovery.getREMOTELocal variable
getAffectedSoftware.vuln.getSOFTWARELISTaffected
getBugTracIds.vuln.getBUGTRAQLISTLocal variable
getComplianceTypes.vuln.getCOMPLIANCELISTLocal variable
getDiscoveryAuthTypes(discovery.getAUTHTYPELISTLocal variable
getExploits.vuln.getCORRELATIONexploits
getMalwares.vuln.getCORRELATIONmalware
getPCIReasons.vuln.getPCIREASONSLocal variable
getThreatIndicators.vuln.getTHREATINTELLIGENCELocal variable
getVendorReferences.vuln.getVENDORREFERENCELISTreferences
uiduid
vuln.getCATEGORYcategories
vuln.getCVSS.getBASEcvssV2BaseScore, cvssV3BaseScore
vuln.getCVSS.getTEMPORALcvssV2TemporalScore, cvssV3TemporalScore
vuln.getCVSS.getVECTORSTRINGcvssV2Vector, cvssV3Vector
vuln.getCONSEQUENCEsummary
vuln.getDIAGNOSISdescription
vuln.getLASTSERVICEMODIFICATIONDATETIMEsourceLastModified
vuln.getPATCHABLEpatchAvailable
vuln.getPUBLISHEDDATETIMEpublishedDate
vuln.getSEVERITYLEVELseverity, severityScore, sourceSeverity
vuln.getSOLUTIONrecommendation
vuln.getTITLEname
vuln.getVULNTYPELocal variable
note

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Data lifecycle management (DLM) strategy

The following table details the DLM strategy for the Qualys VM connector:

Table 5: Qualys VM DLM strategy

Connector ObjectInactivity ConditionPurge PolicySummary
HostLAST_SCANNED NOT IN LAST 30 Days30 days after inactivityUses the LAST_SCANNED attribute to identify hosts that are inactive within the last 30 days, and then purges the records after 30 days of inactivity.
VulnerabilityInactivity is delegated to the Host object30 days after inactivityInactivity is determined by the lifecycle status of the associated host, and then purges the records after 30 days of inactivity.

Operation options

The Qualys VM connector supports the following operation options. See connector operation options for information about how to apply them.

Expand the sections below to view the supported operation options for each connector object:

Host

Table 6: Host operation options

Connector ObjectOptionAll Possible ValuesDescriptionExample
Hosthost_metadataall, azure, ec2, googleRetrieve host metadata for all cloud providers (Azure, EC2, Google) or only the specified cloud providers.Key: host_metadata Value: all. This key and value combination retrieves metadata for hosts from all your cloud providers.
ipsAny IP addresses or rangesYou can use this option to retrieve specific hosts from Qualys by the specified IP addresses. You can use either a comma-separated list or specify a range with a dash.Key: ips Value: 10.10.10.1-10.10.10.100. This key and value combination only retrieves hosts associated with the specified range of IP addresses.
Vulnerability

Table 7: Vulnerability operation options

Connector ObjectOptionAll Possible ValuesDescriptionExample
Vulnerabilityarf_filter_keysnon-running-kernel, non-running-service, config-not-exploitableYou can use this option to filter vulnerabilities based on advanced runtime conditions. This option is only applied if arf_key is set to true.Key: arf_filter_keys Value: non-running-kernel,non-running-service. This key and value combination retrieves vulnerabilities for the specified ARF conditions.
arf_kernel_filter0, 1, 2, 3, 4You can use this option to filter vulnerabilities on Linux kernels.
0 = vulnerabilities are not filtered based on kernel activity
1 = excludes kernel related vulnerabilities that are not exploitable
2 = only include kernel related vulnerabilities that are not exploitable
3 = only include kernel related vulnerabilities that are exploitable and found on running kernels
4 = only include kernel related vulnerabilities.		Key: arf_kernel_filter Value: 3. This key and value combination only retrieves exploitable kernel related vulnerabilities.
arf_keytrue, falseYou can use this option to enable advanced ARF filtering. When set to true, you can apply the arf_filter_keys and show_arf_data filters.Key: arf_key Value: true. This key and value combination enables advanced ARF filtering options.
idsAny valid host ID or rangeYou can use this option to filter vulnerabilities by specific host IDs or ranges. Multiple host IDs or ranges can be specified as a comma-separated list. Specify a host ID range using a hyphen (for example: 190-400). For additional information, see Qualys documentation.Key: ids Value: 123,200-250. This key and value combination retrieves vulnerabilities for the specified host IDs or ranges.
ipsAny valid IP address or rangeYou can use this option to filter vulnerabilities by specific IP addresses or ranges. Multiple IP addresses or ranges can be specified as a comma-separated list. Specify an IP range using a hyphen (for example: 10.10.10.1-10.10.10.100). For additional information, see Qualys documentation.Key: ips Value: 10.10.10.1,10.10.10.5-10.10.10.10. This key and value combination retrieves vulnerabilities for the specified IP addresses or ranges.
qds_maxAny Qualys Detection Score (QDS) value from 1–100You can use this option to filter vulnerabilities with a QDS value less than or equal to the specified value. For additional information on QDS scores, see Qualys documentation.Key: qds_max Value: 10. This key and value combination only retrieves vulnerabilities with a QDS value less than or equal to 10.
qds_minAny QDS value from 1–100You can use this option to filter vulnerabilities with a QDS value greater than or equal to the specified value. For additional information on QDS scores, see Qualys documentation.Key: qds_min Value: 90. This key and value combination only retrieves vulnerabilities with a QDS value greater than or equal to 90.
severities1, 2, 3, 4, 5You can use this option to filter vulnerabilities by their severity level. You can use a comma-separated list to retrieve multiple severity levels or a dash to retrieve a range of severity levels. For additional information on severity levels, see Qualys documentation.Key: severities Value: 4,5. This key and value combination only retrieves vulnerabilities with a severity level of 4 or 5.
show_arf_data0, 1You can use this option to show or hide tags for vulnerabilities affected by ARF conditions. This option is only applied if arf_key is set to true.Key: show_arf_data Value: 1. This key and value combination displays ARF tags in vulnerability records.
show_qds0, 1You can use this option to determine whether the QDS is displayed in the output for each vulnerability record. Specify 1 to show the QDS value for each detection record. Specify 0 if you do not want to show the QDS value.Key: show_qds Value: 1. This key and value combination displays the QDS value for each vulnerability record.
statusActive, Fixed, New, Re-OpenedYou can use this option to filter vulnerabilities by their status. You can use a comma-separated list of statuses. For additional information, see Qualys documentation.Key: status Value: Active,Re-Opened. This key and value combination only retrieves active and re-opened vulnerabilities.
vuln_detection_source0, 1You can use this option to include detection source metadata in the retrieved vulnerabilities.

Set to 1 to include detection source and latest detection source metadata. Set to 0 to omit them.

This option requires the Enable Detection Source for Host-Based Scan Report setting to be enabled in your Qualys subscription. If you use this option and the setting is not enabled, the Vulnerability object sync fails to retrieve vulnerabilities. For additional information, please contact Qualys Support.		Key: vuln_detection_source
Value: 1
This key and value combination includes detection source metadata in the retrieved vulnerabilities.
note

The option keys and values are case-sensitive as they are shown in this documentation

APIs

The Qualys VM connector uses the Qualys VM API v3 and v4. Specifically, it uses the following endpoints:

Table 8: Qualys VM API Endpoints

Connector ObjectAPI Endpoint
HostGET /api/4.0/fo/asset/host/
VulnerabilityGET /api/4.0/fo/asset/host/
GET /api/4.0/fo/asset/host/vm/detection
Vulnerability DefinitionPOST /api/3.0/fo/knowledge_base/vuln/

Changelog

The Qualys VM connector has undergone the following changes:

Table 9: Qualys VM connector changelog

note

This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.

VersionDescriptionDate Published
5.3.23Fixed an issue where the vuln_detection_source parameter was sent in all Vulnerability API calls, even when the operation option was not configured. The parameter is now only sent if the vuln_detection_source option is explicitly set. As a result, the Enable Detection Source for Host-Based Scan Report setting in Qualys is only required if this option is used.August 15th, 2025
5.3.22No change.August 5th, 2025
5.3.21No change.August 5th, 2025
5.3.20No change.July 11th, 2025
5.3.19No change.July 2nd, 2025
5.3.18- The /vm/detection Vulnerability API endpoint has been updated to v4.0.
- Added the DETECTION_GET_VULNERABILITY_DETECTION_SOURCES and DETECTION_GET_LATEST_VULNERABILITY_DETECTION_SOURCES attributes to the Vulnerability object.
- Added a new operation option on the Vulnerability object to include detection source metadata in the retrieved vulnerabilities: vuln_detection_source. This option enables you to include detection source metadata in the retrieved vulnerabilities. This option requires the Enable Detection Source for Host-Based Scan Report setting to be enabled in your Qualys subscription. If you use this option and the setting is not enabled, the Vulnerability object sync fails to retrieve vulnerabilities. For additional information, please Qualys Support.		June 30th, 2025
5.3.17Added the AGENT_ACTIVATION_KEY and AGENT_ACTIVATION_TITLE attributes to the Host object to support status configurations and data lifecycle management (DLM) policies.May 7th, 2025
5.3.16No change.April 23rd, 2025
5.3.15No change.April 8th, 2025
5.3.14
  • Updated the API endpoints used to retrieve data from Qualys. The connector now uses the following updated endpoints:
    • Host: /api/4.0/fo/asset/host/
    • Vulnerability: /api/3.0/fo/asset/host/vm/detection/
    • Vulnerability Definition: /api/3.0/fo/knowledge_base/vuln/
  • Added new operation options to the Vulnerability object to enhance vulnerability filtering: arf_key, arf_filter_keys, and show_arf_data. These options enable you to include or exclude vulnerabilities based on advanced runtime filtering (ARF) conditions.
March 26th, 2025
5.3.13No change.March 12th, 2025
5.3.12No change.March 3rd, 2025
5.3.11No change.February 28th, 2025
5.3.10No change.January 29th, 2025
5.3.9Fixed the following data type mismatches:
  • Changed the ASSET_ID attribute type on the Host object from string to long.
  • Changed the QDS_SCORE attributes on the Vulnerability object from string to long.
December 30th, 2024
5.3.8No change.November 14th, 2024
5.3.7No change.November 12th, 2024
5.3.6Fixed an issue where the Vulnerability Definition object sync was failing due to a NullPointerException error.November 7th, 2024
5.3.5Added a new additional setting to help prevent sync failures due to default timeout limits: Request timeout.October 21st, 2024
5.3.4Changed the ASSET_ID attribute type on the Host object from integer to string.September 23rd, 2024
5.3.3No change.September 20th, 2024
5.3.2- Added support for Data lifecycle management to the Host and Vulnerability objects.
- Added the following attributes to the Host object:
  • HOST_NAMES
  • INSTANCE_ID
  • MAC_ADDRESSES
  • PUBLIC_DNS_NAMES
  • PUBLIC_IP_ADDRESSES
  • SERIAL_NUMBER
  • UID
- Added the PROVIDER_STATUS attribute to the Vulnerability object.		August 23rd, 2024
5.3.1No change.August 15th, 2024
5.3.0No change.August 12th, 2024
5.2.4Added the following attributes on the Host object so it can utilize the TruRisk attribute from Qualys:
  • AGENT_STATUS
  • CLOUD_AGENT_RUNNING_ON
  • FIRST_SEEN
  • HARDWARE_ID
  • LAST_ACTIVITY
  • LAST_RESTART_OR_BOOT
  • SERIAL_NUMBER
  • TRURISK_SCORE
  • TRURISK_SCORE_FORMULA
July 26th, 2024
5.2.3Added the following attributes on the Vulnerability object to retrieve the Qualys Detection Score:
  • QDS_FACTORS
  • QDS_SCORE
  • QDS_SEVERIT`
July 2nd, 2024
5.2.2Changed the SOURCE_SEVERITY attribute on the Vulnerability Definition object to SOURCE_SEVERITY_SCORE.June 26th, 2024
5.2.1Changed the SOURCE_SEVERITY attribute on the Vulnerability object to SOURCE_SEVERITY_SCORE.May 15th, 2024
5.2.0No change.May 7th, 2024
5.1.13No change.April 16th, 2024
5.1.12No change.April 5th, 2024
5.1.11Added the NETWORK_ID attribute to the Host object.March 11th, 2024
5.1.10Updated dependencies.March 8th, 2024
5.1.9No change.February 8th, 2024
5.1.8Added asset risk score (ARS) related operation options such as ars_max, ars_min, show_ars, and show_ars_factors for the Host connector object.January 25th, 2024
5.1.7No change.September 19th, 2023
5.1.6No change.September 18th, 2023
5.1.5Added checks for null Common Vulnerability Scoring System (CVSS) vectors.September 12th, 2023
5.1.4Fixed an issue where the Vulnerability Definition object sync was not finishing.September 12th, 2023
5.1.3Updated to trim trailing spaces from the CVE IDs present in certain vulnerability definitions.August 29th, 2023
5.1.2No change.July 14th, 2023
5.1.1No change.July 10th, 2023
5.1.0No change.July 10th, 2023
5.0.18Added the SEVERITY_SCORE attribute to the Vulnerability Definition object.February 14th, 2023
5.0.17Code cleanup and general maintenance.December 17th, 2022
5.0.16Code cleanup and general maintenance.December 16th, 2022
5.0.15Code cleanup and general maintenance.December 15th, 2022
5.0.14Added UID as identifier for all connector objects.December 9th, 2022
5.0.13Replaced the CATEGORY attribute with CATEGORIES on the Vulnerability Definition object.December 8th, 2022
5.0.12Replaced the CATEGORY attribute with CATEGORIES on the Host object.December 8th, 2022
5.0.11Code cleanup and general maintenance.December 5th, 2022
5.0.10The connector no longer uses IP_ADDRESS as identifier for hosts or vulnerabilities.December 4th, 2022
5.0.9Code cleanup and general maintenance.December 3rd, 2022
5.0.8Code cleanup and general maintenance.December 3rd, 2022
5.0.7Code cleanup and general maintenance.December 3rd, 2022
5.0.6Code cleanup and general maintenance.December 2nd, 2022
5.0.5Code cleanup and general maintenance.July 8th, 2022
5.0.4Replaced the Finding Definition object with Vulnerability Definition.May 12th, 2022
5.0.3Code cleanup and general maintenance.April 26th, 2022
5.0.2Code cleanup and general maintenance.April 26th, 2022
5.0.1Code cleanup and general maintenance.April 19th, 2022
5.0.0Initial Integration+ release.April 19th, 2022
Last updated on