Qualys Vulnerability Management
Qualys Vulnerability Management (VM) is a vulnerability scanning tool that scans hosts and generates vulnerabilities against those hosts. You can bring these findings into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Qualys Vulnerability Management and how to obtain that information from Qualys. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Qualys Vulnerability Management from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Qualys Vulnerability Management with Brinqa:
-
API Server URL: The Qualys API Server URL. For information on how to determine your Qualys API URL, see Qualys documentation.
-
Username and Password: The username and password associated with the Qualys user, which must have permissions to log in to the API server and return data.
Create a Qualys user
To ensure the user account that the Qualys VM connector uses to access the Qualys server has the appropriate permissions, follow these steps.
-
Log in to your organization's Qualys server.
-
Navigate to Users, and then select the Users tab.
-
Click New and select User. The New User dialog displays.
-
Fill out the general information for the new user.
-
Click User Role on the left menu.
-
From the User Role drop-down, select Reader.
-
Select GUI and API to enable API access, and leave Business Unit Unassigned.
-
-
Click Asset Groups.
- From the Add asset groups drop-down, select All or only the asset groups the Qualys user needs access to.
-
Click Permissions and select all of the available permissions.
-
Click Options to modify the notification options as needed.
-
Click Save.
The new Qualys user with appropriate permissions to retrieve data displays on the Qualys Users page.
If you do not wish to create a new Qualys user, you can leverage an existing user with the appropriate permissions.
note
If you do not have permissions to create a new Qualys user, contact your Qualys administrator. For additional information, see Qualys documentation.
Enable CVSS scoring in Qualys
To ensure that the Qualys VM connector accurately retrieves CVSS scoring information, including Temporal Scores, from your Qualys environment, you must enable a specific setting in Qualys. This setting is not enabled by default. To enable this setting, follow these steps:
-
Log in to your organization's Qualys server.
-
Navigate to Vulnerability Management > Reports.
-
Click the Setup tab and then click CVSS.
The CVSS Setup window displays.
-
Click Enable CVSS Scoring and then click Save.
Additional settings
The Qualys Vulnerability Management connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 2.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Qualys API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Qualys Vulnerability Management connector can retrieve the following types of data from the Qualys API:
Table 1: Data retrieved from Qualys
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Host | Yes | Host |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
info
For detailed steps on how to view the data retrieved from Qualys VM in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Host
Table 2: Host attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| accountId | Local variable |
| availability zone | Local variable |
| categories/asset category | categories |
| first discovered | firstSeen |
| getName | name |
| host.getAGENTSTATUS | Local variable |
| host.getARSFACTORS.getARSFORMULA | Local variable |
| host.getASSETCRITICALITYSCORE | Local variable |
| host.getASSETRISKSCORE | Local variable |
| host.getASSETID | Local variable |
| host.getCLOUDAGENTRUNNINGON | Local variable |
| host.getCLOUDPROVIDER | Local variable |
| host.getCLOUDPROVIDERTAGS | Local variable |
| host.getCLOUDRESOURCEID | instanceId |
| host.getCLOUDSERVICE | Local variable |
| host.getDNSDATA.getDOMAIN | Local variable |
| host.getDNSDATA.getFQDN | publicDnsNames, privateDnsNames |
| host.getHARDWAREUUID | Local variable |
| host.getID | uid |
| host.getIP | publicIpAddresses |
| host.getLASTVMAUTHSCANNEDDATE | Local variable |
| host.getLASTVULNSCANDATETIME | lastScanned, lastSeen |
| host.getNETBIOS | hostnames |
| host.getOS | description |
| host.getOWNER | Local variable |
| host.getQGHOSTID | Local variable |
| host.getTRACKINGMETHOD | Local variable |
| host.getTRURISKSCORE | Local variable |
| host.getTRURISKSCOREFACTORS().getTRURISKSCOREFORMULA | Local variable |
| host.getASSETCRITICALITYSCORE | Local variable |
| host.getARSFACTORS.getARSFORMULA | Local variable |
| hostnames | hostnames |
| host.getCLOUDPROVIDERTAGS | Local variable |
| host.getOS | description |
| host.getNETBIOS | hostname |
| host.getDNSDATA.getDOMAIN | domain |
| host.getLASTVMAUTHSCANNEDDATE | lastAuthScanned |
| host.getARSFACTORS.getARSFORMULA | arsFormula |
| host.getDNSDATA.getDOMAIN | domain |
| host.getOS | operatingSystem |
| host.getDNSDATA.getDOMAIN | domain |
| instance id | instanceId |
| instance state | status |
| instance type | Local variable |
| ipv6 | Local variable |
| location | Local variable |
| local hostname | privateDnsNames |
| mac | Local variable |
| name | Local variable |
| network | Local variable |
| os type | Local variable |
| port | Local variable |
| private ip | Local variable |
| private ipv4 | Local variable |
| project id | Local variable |
| protocol | Local variable |
| public hostname | publicDnsNames |
| public ip | Local variable |
| public ipv4 | publicIpAddresses |
| region | Local variable |
| resource group name | Local variable |
| scan type | Local variable |
| security group | Local variable |
| state | status |
| subnet | Local variable |
| subscription id | Local variable |
| target | Local variable |
| type | Local variable |
| uuid | uid |
| vm id | instanceId |
| zone | Local variable |
Vulnerability
Table 3: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| detection.getAFFECTEXPLOITABLECONFIG | Local variable |
| detection.getAFFECTRUNNINGKERNEL | Local variable |
| detection.getAFFECTRUNNINGSERVICE | Local variable |
| detection.getFIRSTFOUNDDATETIME | firstFound |
| detection.getFIRSTREOPENEDDATETIME | Local variable |
| detection.getLASTFIXEDDATETIME | lastFixed |
| detection.getLASTFOUNDDATETIME | lastFound |
| detection.getLASTREOPENEDDATETIME | Local variable |
| detection.getLASTTESTDATETIME | lastScanned |
| detection.getLASTUPDATEDATETIME | sourceLastModified |
| detection.getRESULTS | results |
| detection.getSTATUS | status |
| detection.getTIMESFOUND | timesFound |
| detection.getTIMESREOPENED | Local variable |
| detection.getTYPE | Local variable |
| host.getDNS | publicDnsNames |
| host.getID | targets |
| host.getIP | ipAddresses |
| host.getNETBIOS | hostnames |
| host.getQGHOSTID | Local variable |
| is disabled | Local variable |
| is ignored | Local variable |
| mac address | macAddresses |
| port | port |
| protocol | protocol |
| severity | severity |
| service | service |
| ssl | Local variable |
| status category | statusCategory |
| type | type |
| uid | uid |
Vulnerability Definition
Table 4: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| cvssv2.getAttackComplexity | cvssV2AccessComplexity |
| cvssv2.getAvailability | cvssV2AvailabilityImpact |
| cvssv2.getAuthentication | cvssV2Authentication |
| cvssv2.getAttackVector | cvssV2AttackVector |
| cvssv2.getConfidentiality | cvssV2ConfidentialityImpact |
| cvssv2.getExploitability | cvssV2Exploitability |
| cvssv2.getIntegrity | cvssV2IntegrityImpact |
| cvssv2.getReportConfidence | cvssV2ReportConfidence |
| cvssv2.getRemediationLevel | cvssV2RemediationLevel |
| cvssv2.getSeverity | cvssV2Severity |
| cvssv3.getAttackComplexity | cvssV3AccessComplexity |
| cvssv3.getAvailability | cvssV3AvailabilityImpact |
| cvssv3.getAttackVector | cvssV3AttackVector |
| cvssv3.getConfidentiality | cvssV3ConfidentialityImpact |
| cvssv3.getExploitability | cvssV3ExploitCodeMaturity |
| cvssv3.getIntegrity | cvssV3IntegrityImpact |
| cvssv3.getPrivilegesRequired | cvssV3PrivilegesRequired |
| cvssv3.getReportConfidence | cvssV3ReportConfidence |
| cvssv3.getRemediationLevel | cvssV3RemediationLevel |
| cvssv3.getUserInteraction | cvssV3UserInteraction |
| discovery.getREMOTE | Local variable |
| getAffectedSoftware.vuln.getSOFTWARELIST | affected |
| getBugTracIds.vuln.getBUGTRAQLIST | Local variable |
| getComplianceTypes.vuln.getCOMPLIANCELIST | Local variable |
| getDiscoveryAuthTypes(discovery.getAUTHTYPELIST | Local variable |
| getExploits.vuln.getCORRELATION | exploits |
| getMalwares.vuln.getCORRELATION | malware |
| getPCIReasons.vuln.getPCIREASONS | Local variable |
| getThreatIndicators.vuln.getTHREATINTELLIGENCE | Local variable |
| getVendorReferences.vuln.getVENDORREFERENCELIST | references |
| uid | uid |
| vuln.getCATEGORY | categories |
| vuln.getCVSS.getBASE | cvssV2BaseScore, cvssV3BaseScore |
| vuln.getCVSS.getTEMPORAL | cvssV2TemporalScore, cvssV3TemporalScore |
| vuln.getCVSS.getVECTORSTRING | cvssV2Vector, cvssV3Vector |
| vuln.getCONSEQUENCE | summary |
| vuln.getDIAGNOSIS | description |
| vuln.getLASTSERVICEMODIFICATIONDATETIME | sourceLastModified |
| vuln.getPATCHABLE | patchAvailable |
| vuln.getPUBLISHEDDATETIME | publishedDate |
| vuln.getSEVERITYLEVEL | severity, severityScore, sourceSeverity |
| vuln.getSOLUTION | recommendation |
| vuln.getTITLE | name |
| vuln.getVULNTYPE | Local variable |
note
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Qualys VM connector supports the following operation options. See connector operation options for information about how to apply them.
Expand the sections below to view the supported operation options for each connector object:
Host operation options
Table 5: Host operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Host | ag_ids | Any Qualys asset group ID | You can use this option to retrieve hosts with the specified Qualys asset group IDs. You can use either a comma-separated list or specify a range with a dash. | Key: ag_ids Value: 386941-386945. This key and value combination only retrieves hosts associated with the specified asset group IDs. |
| ag_titles | Any Qualys asset group title | A comma-separated list of asset group titles. You can use this option to retrieve hosts with the specified Qualys asset group title. | Key: ag_titles Value: AssetGroup1,AssetGroup2. This key and value combination only retrieves hosts associated with the specified asset group titles. | |
| ars_max | Any asset risk score (ARS) value | You can use this option to only retrieve hosts with an ARS value less than or equal to the specified ARS max value. | Key: ars_max Value: 100. This key and value combination only retrieves host records with an ARS value of 100 or less. | |
| ars_min | Any ARS value | You can use this option to only retrieve hosts with an ARS value greater than or equal to the specified ARS min value. | Key: ars_min Value: 50. This key and value combination only retrieves hosts with an ARS value of 50 or more. | |
| host_metadata | all, azure, ec2, google | Retrieve host metadata for all cloud providers (Azure, EC2, Google) or only the specified cloud providers. | Key: host_metadata Value: all. This key and value combination retrieves metadata for hosts from all your cloud providers. | |
| host_metadata_fields | Any host metadata field attribute | A comma-separated list of host metadata field attributes. The connector retrieves only the specified host metadata field attributes. | Key: host_metadata_fields Value: instance_id,region. This key and value combination only retrieves the instance_id and region host metadata attributes. | |
| id_max | Any Qualys host ID | You can use this option to retrieve hosts up to and including the specified host ID value. | Key: id_max Value: H500. This key and value combination retrieves hosts with ID values up to and including H500. | |
| id_min | Any Qualys host ID | You can use this option to retrieve hosts starting from and including the specified host ID value. | Key: id_min Value: H100. This key and value combination retrieves hosts with ID values starting from and including H100. | |
| ids | Any Qualys host IDs | You can use this option to retrieve specific hosts from Qualys by their unique identifiers. You can use either a comma-separated list or specify a range with a dash. | Key: ids Value: H101,H202. This key and value combination only retrieves controls with the specified control IDs. | |
| ips | Any IP addresses or ranges | You can use this option to retrieve specific hosts from Qualys by the specified IP addresses. You can use either a comma-separated list or specify a range with a dash. | Key: ips Value: 10.10.10.1-10.10.10.100. This key and value combination only retrieves hosts associated with the specified range of IP addresses. | |
| network_ids | Any Qualys custom network IDs | A comma-separated list of custom network IDs. You can use this option to only retrieve hosts associated with the specified network IDs. | Key: network_ids Value: N101,N202. This key and value combination only retrieves hosts associated with the specified custom network IDs. | |
| os_pattern | Any regular expression that matches an operating system. | You can use this option to retrieve hosts with operating systems that match a specific regular expression. | Key: os_pattern Value: ^Windows.*. This key and value combination only retrieves hosts with operating systems starting with Windows. | |
| show_ars | 0, 1 | You can use this option to determine whether the ARS value is retrieved. Specify 1 to display the ARS value or 0 to omit it. | Key: show_ars Value: 1. This key and value combination displays the ARS value in the output. | |
| show_ars_factors | 0, 1 | You can use this option to determine whether the ARS contributing factors associated with each host displays in the output. Specify 1 to show the factors or 0 to omit them. | Key: show_ars_factors Value: 1. This key and value combination displays the ARS contributing factors for each host record retrieved. | |
| tag_exclude_selector | any, all | You can this option to determine how hosts are excluded based on tag matching. Set to any to exclude hosts that match at least one of the selected tags, or set to all to exclude hosts that match all of the selected tags. | Key: tag_exclude_selector Value: any. This key and value combination excludes hosts that match at least one of the selected tags. | |
| tag_include_selector | any, all | You can use this option to determine how hosts are included based on tag matching. Set to any to retrieve hosts that match at least one of the selected tags, or set to all to retrieve hosts that match all of the selected tags. | Key: tag_include_selector Value: all. This key and value combination only retrieves hosts that match all of the selected tags. | |
| tag_set_by | id, name | You can use this option to determine how the tag set for hosts are retrieved. Set to id to retrieve tag sets by providing tag IDs, or set to name to retrieve tag sets by providing tag names. | Key: tag_set_by Value: name. This key and value combination only retrieves tag sets for hosts based on tag names. | |
| tag_set_exclude | Tag name or IDs | You can use this option to specify a set of tags for exclusion. Hosts matching these tags will be excluded from the results. Provide the tag names or IDs for identification, with multiple entries separated by commas. | Key: tag_set_exclude Value: TagName1,TagName2. This key and value combination excludes hosts that match the specified tag names. | |
| tag_set_include | Tag name or IDs | You can use this option to specify a set of tags for inclusion. Hosts matching these tags will be included in the results. Provide the tag names or IDs for identification, with multiple entries separated by commas. | Key: tag_set_include Value: TagName1,TagName2. This key and value combination only retrieves hosts that match the specified tag names. | |
| use_tags | 0, 1 | You can use this option to indicate how hosts are retrieved. Set to 0 to retrieve hosts based on IP addresses/ranges and/or asset groups, or set to 1 to retrieve hosts based on asset tags. | Key: use_tags Value: 1. This key and value combination only retrieves hosts based on asset tags. |
note
For additional information on on the supported operation options and parameters, see Qualys documentation.
Vulnerability operations options
Table 6: Vulnerability operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Vulnerability | arf_config_filter | 0, 1, 2, 3, 4 | You can use this option to filter vulnerabilities by their current host configuration, as determined by Qualys. | Key: arf_config_filter Value: 2. This key and value combination only retrieves vulnerabilities that are exploitable. |
| arf_kernel_filter | 0, 1, 2, 3, 4 | You can use this option to filter vulnerabilities on Linux kernels. | Key: arf_kernel_filter Value: 3. This key and value combination only retrieves exploitable kernel related vulnerabilities. | |
| arf_service_filter | 0, 1, 2, 3, 4 | You can use this option to filter vulnerabilities running on ports or services. | Key: arf_service_filter Value: 4. This key and value combination only retrieves service related vulnerabilities. | |
| exclude_search_list_ids | Any valid search list ID or range | You can use this option to filter vulnerabilities by excluding records based on their QID from one or more specified search list IDs. You can specify individual IDs with a comma or a range with a dash. | Key: exclude_search_list_ids Value: 40-42. This key and value combination only retrieves vulnerabilities that are not part of the search list IDs 40 to 42. | |
| exclude_search_list_titles | Any valid search list title | You can use this option to filter vulnerabilities by excluding records based on their QID from one or more specified search list titles. You can specify individual titles or multiple titles separated by commas. | Key: exclude_search_list_titles Value: Critical Vulnerabilities, High Risk Vulnerabilities. This key and value combination only retrieves vulnerabilities that are not part of the specified search list titles. | |
| filter_superseded_qids | 0, 1 | You can use this option to filter vulnerabilities by excluding those that have been superseded by another QID. Specify 1 to activate this filter. When set to 0 or unspecified, all vulnerabilities, including superseded ones, are included in the output. | Key: filter_superseded_qids Value: 1. This key and value combination only retrieves vulnerabilities that have not been superseded by another QID. | |
| include_search_list_ids | Any valid search list ID or range | You can use this option to filter vulnerabilities by including only those records whose QID is part of one or more specified search list IDs. You can specify individual IDs with a comma or a range with a dash. | Key: include_search_list_ids Value: 10-15. This key and value combination only retrieves vulnerabilities that are part of the search list IDs ranging from 10 to 15. | |
| include_search_list_titles | Any valid search list title | You can use this option to filter vulnerabilities by including only those records whose QID is part of one or more specified search list titles. Specify individual titles or multiple titles separated by commas. | Key: include_search_list_titles Value: Critical Updates, Security Updates. This key and value combination only retrieves vulnerabilities that are part of the specified search list titles. | |
| qds_max | Any Qualys Detection Score (QDS) value from 1-100 | You can use this option to filter vulnerabilities with a QDS value less than equal to the specified value. For additional information on QDS scores, see Qualys documentation. | Key: qds_max Value: 10. This key and value combination only retrieves vulnerabilities with a QDS value less than or equal to 10. | |
| qds_min | Any QDS value from 1-100 | You can use this option to filter vulnerabilities with a QDS value greater than or equal to the specified value. For additional information on QDS scores, see Qualys documentation. | Key: qds_min Value: 90. This key and value combination only retrieves vulnerabilities with a QDS value greater than or equal to 90. | |
| severities | 1, 2, 3, 4, 5 | You can use this option to filter vulnerabilities by their severity level. You can use a comma-separated list to retrieve multiple severity levels or a dash to retrieve a range of severity levels. For additional information on severity levels, see Qualys documentation. | Key: severities Value: 4,5. This key and value combination only retrieves vulnerabilities with a severity level of 4 or 5. | |
| show_igs | 0, 1 | You can use this option to filter vulnerabilities by including or excluding records with information gathered. Specify 1 to include detection records with information gathered along with confirmed and potential vulnerabilities. Specify 0 (default) to exclude these records. | Key: show_igs Value: 1. This key and value combination only retrieves vulnerabilities along with associated information gathered. | |
| show_qds | 0, 1 | You can use this option to determine whether the QDS is displayed in the output for each vulnerability record. Specify 1 to show the QDS value for each detection record. Specify 0 if you do not want to show the QDS value. | Key: show_qds Value: 1. This key and value combination displays the QDS value for each vulnerability record. | |
| show_qds_factors | 0, 1 | You can use this option to determine whether the contributing factors for the QDS are displayed in the output for each vulnerability record. Specify 1 to show the QDS contributing factors for each detection record. Specify 0 if you do not want to show these contributing factors. | Key: show_qds_factors Value: 1. This key and value combination displays the contributing factors for the QDS of each vulnerability record. | |
| show_reopened_info | 0, 1 | You can use this option to determine whether to include information about reopened vulnerabilities in the output. This information includes the first and last reopened dates and the number of times a vulnerability has been reopened. Specify 1 to include this information. If not specified, this information will not be included by default. | Key: show_reopened_info Value: 1. This key and value combination includes detailed information about the reopening history of vulnerabilities. | |
| show_results | 0, 1 | You can use this option to control whether results are included in the output. When not specified, results are included by default. Specify 0 to exclude the results from the output. Excluding the results will result in an empty 'Results' column in CSV outputs and the absence of the 'Results' tag in XML outputs. | Key: show_results Value: 0. This key and value combination excludes the results from the output, leaving the 'Results' column empty in CSV and omitting the 'Results' tag in XML. | |
| status | Active, Fixed, New, Re-Opened | You can use this option to filter vulnerabilities by their status. You can use a comma-separated list statuses. For additional information, see Qualys documentation. | Key: status Value: Active,Re-Opened. This key and value combination only retrieves active and re-opened vulnerabilities. |
note
For additional information on on the supported operation options and parameters, see Qualys documentation.
note
The option keys and values are case-sensitive as they are shown in this documentation
APIs
The Qualys VM connector uses the Qualys VM API v2. Specifically, it uses the following endpoints:
Table 7: Qualys VM API v2 Endpoints
| Connector Object | API Endpoint |
|---|---|
| Host | GET /api/2.0/fo/asset/host/ |
| Vulnerability | GET /api/2.0/fo/asset/host/vm/detection |
| Vulnerability Definition | POST /api/2.0/fo/knowledge_base/vuln/ |
Changelog
The Qualys VM connector has undergone the following changes:
5.3.4
- Changed the ASSET_ID attribute type on the Host object from integer to string.
5.3.3
No change.
5.3.2
- Added support for Data lifecycle management to the Host and Vulnerability objects.
5.2.4
-
Added the following attributes on the Host object so it can utilize the TruRisk attribute from Qualys:
- AGENT_STATUS
- CLOUD_AGENT_RUNNING_ON
- FIRST_SEEN
- HARDWARE_ID
- LAST_ACTIVITY
- LAST_RESTART_OR_BOOT
- SERIAL_NUMBER
- TRURISK_SCORE
- TRURISK_SCORE_FORMULA
5.2.3
-
Added the following attributes on the Vulnerability object to retrieve the Qualys Detection Score:
- QDS_FACTORS
- QDS_SCORE
- QDS_SEVERITY
5.2.2
- Changed the SOURCE_SEVERITY attribute on the Vulnerability Definition object to SOURCE_SEVERITY_SCORE.
5.2.1
- Changed the SOURCE_SEVERITY attribute on the Vulnerability object to SOURCE_SEVERITY_SCORE.
5.1.11
- Added the NETWORK_ID attribute on the Host object.
5.1.10
- Updated dependencies.
5.1.8
- Added asset risk score (ARS) related operation options such as
ars_max,ars_min,show_arsandshow_ars_factorsfor the Host connector object.
5.1.5
- Added checks for null Common Vulnerability Scoring System (CVSS) vectors.
5.1.3
- Updated to trim trailing spaces from the CVE IDs present in certain vulnerability definitions.
5.0.18
- Added a SEVERITY_SCORE attribute in the Vulnerability Definition object.
5.0.14
- Added UID as identifier for all connector objects.
5.0.13
- Replaced the CATEGORY attribute with CATEGORIES in the Vulnerability Definition object.
5.0.12
- Replaced the CATEGORY attribute with CATEGORIES in the Host object.
5.0.10
- Stopped using IP_ADDRESS as identifier for hosts or vulnerabilities.
5.0.4
- Replaced Finding Definition with the Vulnerability Definition object.
5.0.0
- Initial Integration+ release.