Skip to main content

Qualys Vulnerability Management

Qualys Vulnerability Management (VM) is a vulnerability scanning tool that scans hosts and generates vulnerabilities against those hosts. You can bring these findings into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Qualys Vulnerability Management and how to obtain that information from Qualys. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Qualys Vulnerability Management from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Qualys Vulnerability Management with Brinqa:

  • API Server URL: The Qualys API Server URL. For information on how to determine your Qualys API URL, see Qualys documentation.

  • Username and Password: The username and password associated with the Qualys user, which must have permissions to log in to the API server and return data.

Create a Qualys user

To ensure the user account that the Qualys VM connector uses to access the Qualys server has the appropriate permissions, follow these steps.

  1. Log in to your organization's Qualys server.

  2. Navigate to Users, and then select the Users tab.

  3. Click New and select User. The New User dialog displays.

    Qualys VM New User

  4. Fill out the general information.

  5. Click User Role on the left menu.

    • From the User Role drop-down, select Reader.

    • Select GUI and API to enable API access, and leave Business Unit Unassigned.

      Qualys VM User Role settings

  6. Click Asset Groups.

    • From the Add asset groups drop-down, select All.
  7. Click Permissions and select all of the available permissions.

  8. Click Options to modify the notification options as needed.

  9. Click Save.

The new Qualys user with appropriate permissions to retrieve data displays on the Qualys Users page.

If you do not wish to create a new Qualys user, you can leverage an existing user with the appropriate permissions.

note

If you do not have permissions to create a new Qualys user, contact your Qualys administrator. For additional information, see Qualys documentation.

Enable CVSS scoring in Qualys

To ensure that the Qualys VM connector accurately retrieves CVSS scoring information, including Temporal Scores, from your Qualys environment, you must enable a specific setting in Qualys. This setting is not enabled by default. To enable this setting, follow these steps:

  1. Log in to your organization's Qualys server.

  2. Navigate to Vulnerability Management > Reports.

  3. Click the Setup tab and then click CVSS.

    Qualys VM CVSS

    The CVSS Setup window displays.

  4. Click Enable CVSS Scoring and then click Save.

    Qualys VM enable CVSS scoring

Additional settings

The Qualys Vulnerability Management connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 2.

  • Maximum retries: The maximum number of times that the integration attempts to connect to the Qualys API before giving up and reporting a failure. The default setting is 5.

Types of data to retrieve

The Qualys Vulnerability Management connector can retrieve the following types of data from the Qualys API:

Table 1: Data retrieved from Qualys

Connector ObjectRequiredMaps to Data Model
HostYesHost
VulnerabilityYesVulnerability
Vulnerability DefinitionYesVulnerability Definition
info

For detailed steps on how to view the data retrieved from Qualys VM in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Host

Table 2: Host attribute mappings

Source Field NameMaps to Attribute
ACCOUNT_IDLocal variable
AVAILABILITY_ZONELocal variable
CATEGORIES/ASSET_CATEGORYcategories
FIRST_DISCOVEREDfirstSeen
host.getASSETCRITICALITYSCORELocal variable
host.getASSETRISKSCORELocal variable
host.getASSETIDLocal variable
host.getCLOUDPROVIDERLocal variable
host.getCLOUDPROVIDERTAGSLocal variable
host.getCLOUDRESOURCEIDcloudInstanceId
host.getCLOUDSERVICELocal variable
host.getDNSDATA.getDOMAINLocal variable
host.getDNSDATA.getFQDNpublicDnsName, privateDnsName
host.getIPpublicIpAddresses
host.getLASTVMAUTHSCANNEDDATELocal variable
host.getLASTVULNSCANDATETIMElastSeen
host.getNETBIOShostnames
host.getOSdescription
host.getOWNERLocal variable
host.getQGHOSTIDLocal variable
host.getTAGS.getTAGtags
host.getTRACKINGMETHODLocal variable
host.getIDuid
IMAGE_IDLocal variable
INSTANCE_IDcloudInstanceId
INSTANCE_STATEstatus
INSTANCE_TYPELocal variable
IPV6Local variable
LOCAL_HOSTNAMEprivateDnsName
LOCATIONLocal variable
MACLocal variable
MAC_ADDRESSmacAddresses
MACHINE_TYPELocal variable
NAMEname
NETWORKLocal variable
OS_TYPELocal variable
PRIVATE_IPLocal variable
PRIVATE_IPV4Local variable
PROJECT_IDLocal variable
PUBLIC_HOSTNAMEpublicDnsName
PUBLIC_IPV4publicIpAddresses
REGIONLocal variable
RESOURCE_GROUP_NAMELocal variable
SECURITY_GROUPLocal variable
STATEstatus
SUBNETLocal variable
SUBSCRIPTION_IDLocal variable
VM_IDLocal variable
ZONELocal variable
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Vulnerability

Table 3: Vulnerability attribute mappings

Source Field NameMaps to Attribute
AFFECT_EXPLOITABLE_CONFIGLocal variable
AFFECT_RUNNING_KERNELLocal variable
AFFECT_RUNNING_SERVICELocal variable
DETECTION_TYPELocal variable
detection.getFIRSTFOUNDDATETIMEfirstFound
detection.getLASTFIXEDDATETIMELocal variable
detection.getLASTFOUNDDATETIMElastFound
detection.getLASTTESTDATETIMELocal variable
detection.getLASTUPDATEDATETIMEsourceLastModified
FIRST_REOPENEDLocal variable
host.getDNSpublicDnsName
host.getIDtargets
host.getIPipAddresses
host.getNETBIOShostnames
host.getQGHOSTIDLocal variable
HOST_IDLocal variable
IS_DISABLEDLocal variable
IS_IGNOREDLocal variable
LAST_REOPENEDLocal variable
PORTport
PROTOCOLprotocol
QG_HOST_IDLocal variable
RESULTSresults
SERVICEservice
SEVERITYseverity, sourceSeverity
SSLLocal variable
STATUSstatus, statusCategory
STATUS_CATEGORYstatusCategory
TIMES_FOUNDLocal variable
TIMES_REOPENEDLocal variable
TYPEtype
UIDuid
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Vulnerability Definition

Table 4: Vulnerability Definition attribute mappings

Source Field NameMaps to Attribute
cvssv2.getAttackComplexitycvssV2AccessComplexity
cvssv2.getAvailabilitycvssV2AvailabilityImpact
cvssv2.getAuthenticationcvssV2Authentication
cvssv2.getAttackVectorcvssV2AttackVector
cvssv2.getConfidentialitycvssV2ConfidentialityImpact
cvssv2.getExploitabilitycvssV2Exploitability
cvssv2.getIntegritycvssV2IntegrityImpact
cvssv2.getReportConfidencecvssV2ReportConfidence
cvssv2.getRemediationLevelcvssV2RemediationLevel
cvssv2.getSeveritycvssV2Severity
cvssv3.getAttackComplexitycvssV3AccessComplexity
cvssv3.getAvailabilitycvssV3AvailabilityImpact
cvssv3.getAttackVectorcvssV3AttackVector
cvssv3.getConfidentialitycvssV3ConfidentialityImpact
cvssv3.getExploitabilitycvssV3ExploitCodeMaturity
cvssv3.getIntegritycvssV3IntegrityImpact
cvssv3.getPrivilegesRequiredcvssV3PrivilegesRequired
cvssv3.getReportConfidencecvssV3ReportConfidence
cvssv3.getRemediationLevelcvssV3RemediationLevel
cvssv3.getUserInteractioncvssV3UserInteraction
discovery.getREMOTELocal variable
getAffectedSoftware.vuln.getSOFTWARELISTaffected
getBugTracIds.vuln.getBUGTRAQLISTLocal variable
getComplianceTypes.vuln.getCOMPLIANCELISTLocal variable
getDiscoveryAuthTypes(discovery.getAUTHTYPELISTLocal variable
getExploits.vuln.getCORRELATIONexploits
getMalwares.vuln.getCORRELATIONmalware
getPCIReasons.vuln.getPCIREASONSLocal variable
getThreatIndicators.vuln.getTHREATINTELLIGENCELocal variable
getVendorReferences.vuln.getVENDORREFERENCELISTreferences
uiduid
vuln.getCATEGORYcategories
vuln.getCVSS.getBASEcvssV2BaseScore, cvssV3BaseScore
vuln.getCVSS.getTEMPORALcvssV2TemporalScore, cvssV3TemporalScore
vuln.getCVSS.getVECTORSTRINGcvssV2Vector, cvssV3Vector
vuln.getCONSEQUENCEsummary
vuln.getDIAGNOSISdescription
vuln.getLASTSERVICEMODIFICATIONDATETIMEsourceLastModified
vuln.getPATCHABLEpatchAvailable
vuln.getPUBLISHEDDATETIMEpublishedDate
vuln.getSEVERITYLEVELseverity, severityScore, sourceSeverity
vuln.getSOLUTIONrecommendation
vuln.getTITLEname
vuln.getVULNTYPELocal variable
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Operation options

The Qualys VM connector supports the following operation options. See connector operation options for information about how to apply them.

Table 5: Qualys VM connector operation options

Connector ObjectOptionAll Possible ValuesDescriptionExample
Hostag_idsAny Qualys asset group IDYou can use this option to retrieve hosts with the specified Qualys asset group IDs. You can use either a comma-separated list or specify a range with a dash.Key: ag_ids Value: 386941-386945. This key and value combination only retrieves hosts associated with the specified asset group IDs.
ag_titlesAny Qualys asset group titleA comma-separated list of asset group titles. You can use this option to retrieve hosts with the specified Qualys asset group title.Key: ag_titles Value: AssetGroup1,AssetGroup2. This key and value combination only retrieves hosts associated with the specified asset group titles.
ars_maxAny asset risk score (ARS) valueYou can use this option to only retrieve hosts with an ARS value less than or equal to the specified ARS max value.Key: ars_max Value: 100. This key and value combination only retrieves host records with an ARS value of 100 or less.
ars_minAny ARS valueYou can use this option to only retrieve hosts with an ARS value greater than or equal to the specified ARS min value.Key: ars_min Value: 50. This key and value combination only retrieves hosts with an ARS value of 50 or more.
host_metadataall, azure, ec2, googleRetrieve host metadata for all cloud providers (Azure, EC2, Google) or only the specified cloud providers.Key: host_metadata Value: all. This key and value combination retrieves metadata for hosts from all your cloud providers.
host_metadata_fieldsAny host metadata field attributeA comma-separated list of host metadata field attributes. The connector retrieves only the specified host metadata field attribtues.Key: host_metadata_fields Value: instance_id,region. This key and value combination only retrieves the instance_id and region host metadata attributes.
id_maxAny Qualys host IDYou can use this option to retrieve hosts up to and including the specified host ID value.Key: id_max Value: H500. This key and value combination retrieves hosts with ID values up to and including H500.
id_minAny Qualys host IDYou can use this option to retrieve hosts starting from and including the specified host ID value.Key: id_min Value: H100. This key and value combination retrieves hosts with ID values starting from and including H100.
idsAny Qualys host IDsYou can use this option to retrieve specific hosts from Qualys by their unique identifiers. You can use either a comma-separated list or specify a range with a dash.Key: ids Value: H101,H202. This key and value combination only retrieves controls with the specified control IDs.
ipsAny IP addresses or rangesYou can use this option to retrieve specific hosts from Qualys by the specified IP addresses. You can use either a comma-separated list or specify a range with a dash.Key: ips Value: 10.10.10.1-10.10.10.100. This key and value combination only retrieves hosts associated with the specified range of IP addresses.
network_idsAny Qualys custom network IDsA comma-separated list of custom network IDs. You can use this option to only retrieve hosts associated with the specified network IDs.Key: network_ids Value: N101,N202. This key and value combination only retrieves hosts associated with the specified custom network IDs.
os_patternAny regular expression that matches an operating system.You can use this option to retrieve hosts with operating systems that match a specific regular expression.Key: os_pattern Value: ^Windows.*. This key and value combination only retrieves hosts with operating systems starting with Windows.
show_ars0, 1You can use this option to determine whether the ARS value is retrieved. Specify 1 to display the ARS value or 0 to omit it.Key: show_ars Value: 1. This key and value combination displays the ARS value in the output.
show_ars_factors0, 1You can use this option to determine whether the ARS contributing factors associated with each host displays in the output. Specify 1 to show the factors or 0 to omit them.Key: show_ars_factors Value: 1. This key and value combination displays the ARS contributing factors for each host record retrieved.
tag_exclude_selectorany, allYou can this option to determine how hosts are excluded based on tag matching. Set to any to exclude hosts that match at least one of the selected tags, or set to all to exclude hosts that match all of the selected tags.Key: tag_exclude_selector Value: any. This key and value combination excludes hosts that match at least one of the selected tags.
tag_include_selectorany, allYou can use this option to determine how hosts are included based on tag matching. Set to any to retrieve hosts that match at least one of the selected tags, or set to all to retrieve hosts that match all of the selected tags.Key: tag_include_selector Value: all. This key and value combination only retrieves hosts that match all of the selected tags.
tag_set_byid, nameYou can use this option to determine how the tag set for hosts are retrieved. Set to id to retrieve tag sets by providing tag IDs, or set to name to retrieve tag sets by providing tag names.Key: tag_set_by Value: name. This key and value combination only retrieves tag sets for hosts based on tag names.
tag_set_excludeTag name or IDsYou can use this option to specify a set of tags for exclusion. Hosts matching these tags will be excluded from the results. Provide the tag names or IDs for identification, with multiple entries separated by commas.Key: tag_set_exclude Value: TagName1,TagName2. This key and value combination excludes hosts that match the specified tag names.
tag_set_includeTag name or IDsYou can use this option to specify a set of tags for inclusion. Hosts matching these tags will be included in the results. Provide the tag names or IDs for identification, with multiple entries separated by commas.Key: tag_set_include Value: TagName1,TagName2. This key and value combination only retrieves hosts that match the specified tag names.
use_tags0, 1You can use this option to indicate how hosts are retrieved. Set to 0 to retrieve hosts based on IP addresses/ranges and/or asset groups, or set to 1 to retrieve hosts based on asset tags.Key: use_tags Value: 1. This key and value combination only retrieves hosts based on asset tags.

APIs

The Qualys VM connector uses the Qualys VM API v2. Specifically, it uses the following endpoints:

Table 6: Qualys VM API v2 Endpoints

Connector ObjectAPI Endpoint
HostGET <qualys_base_url>/api/2.0/fo/asset/host/
VulnerabilityGET <qualys_base_url>/api/2.0/fo/asset/host/vm/detection
Vulnerability DefinitionPOST https://qualysapi.qualys.com/api/2.0/fo/knowledge_base/vuln/

Changelog

The Qualys VM connector has undergone the following changes:

5.2.3

  • Added the following attributes on the Vulnerability object to retrieve the Qualys Detection Score:

    • QDS_FACTORS
    • QDS_SCORE
    • QDS_SEVERITY

5.2.2

  • Changed the SOURCE_SEVERITY attribute on the Vulnerability Definition object to SOURCE_SEVERITY_SCORE.

5.2.1

  • Changed the SOURCE_SEVERITY attribute on the Vulnerability object to SOURCE_SEVERITY_SCORE.

5.1.11

  • Added the NETWORK_ID attribute on the Host object.

5.1.10

  • Updated dependencies.

5.1.8

  • Added asset risk score (ARS) related operation options such as ars_max, ars_min, show_ars and show_ars_factors for the Host connector object.

5.1.5

  • Added checks for null Common Vulnerability Scoring System (CVSS) vectors.

5.1.3

  • Updated to trim trailing spaces from the CVE IDs present in certain vulnerability definitions.

5.0.18

  • Added a SEVERITY_SCORE attribute in the Vulnerability Definition object.

5.0.14

  • Added UID as identifier for all connector objects.

5.0.13

  • Replaced the CATEGORY attribute with CATEGORIES in the Vulnerability Definition object.

5.0.12

  • Replaced the CATEGORY attribute with CATEGORIES in the Host object.

5.0.10

  • Stopped using IP_ADDRESS as identifier for hosts or vulnerabilities.

5.0.4

  • Replaced Finding Definition with the Vulnerability Definition object.

5.0.0