07-19-2018 11:10 AM
Hi,
We are trying to integrate ServiceNow with Qualys.
"Qualys Host Detection Integration" when executed uses the below command,
"https://qualysapi.<qualys>.eu/api/2.0/fo/asset/host/vm/detection/?output_format=XML&detection_updated_since=2018-07-18T17:36:33Z&show_tags=1&action=list&vm_scan_since=2018-07-18T17:36:33Z&truncation_limit=500&status=New,Fixed,Active,Re-Opened"
It only returns a response as below,
Labels: Vulnerability Response
07-26-2018 09:54 AM
Sorted. The issue was actually with the permissions that were given to the Qualys user.
The Qualys user id had full access to the Knowledge base, but needed more access for Host Detection.

07-22-2018 07:58 PM
Have you performed an initial load of the Qualys Host Detection Data already, and are now working towards trimming down the amount of data brought in for delta / subsequent loads? Or, are you trying to perform the initial Qualys import for the first time to begin with?
I think there is potentially an issue with the <date> parameters being used here. The API query is specifying two different date / time filters (i.e. API Parameters) that may be conflicting with each other, depending on the scenario of initial load vs subsequent load, and your particular use-case.
https://qualysapi.<qualys>.eu/api/2.0/fo/asset/host/vm/detection/?output_format=XML&detection_updated_since=2018-07-18T17:36:33Z&show_tags=1&action=list&vm_scan_since=2018-07-18T17:36:33Z&truncation_limit=500&status=New,Fixed,Active,Re-Opened
Referring to the Qualys docs, <detection_updated_since> is used to filter on detections where a change in status has occurred since a specified date (regardless of how many times you've scanned the asset, it will only bring in data for the assets where vulnerability findings' statuses have changed between New, Fixed, Active and Re-Opened, in Qualys).
So, if the states for Qualys Host Detections / findings have not changed since Jul 18, 2018, no data will be pulled into the payload that is returned based on the API parameter being passed here.
This API parameter could be beneficial for delta / subsequent loads, after an initial load has been performed so that you limit the data periodically being brought in.
As per Qualys Docs --> detection_updated_since={date}
(Optional) Show only detections whose detection status have changed since a certain date. For detections that have never changed the date is applied to the last detection date. Valid date format is: YYYY-MM-DD format (UTC/GMT), like “2016-01-11”
One of these parameters may be specified in the same request: detection_updated_since, max_days_since_detection
vm_scan_since
This parameter works at the host level, not at the vulnerability finding level. This works to bring in findings for hosts that have been scanned & processed since a certain time. All vulnerabilities from previous scans will be included (by default) since the Host List Detection API leverages Host Based Findings.
Qualys has some good documentation that reviews <vm_scan_since> here:
- https://blog.qualys.com/technology/2014/07/23/download-your-vm-data-faster
Also, check out "Modify REST message parameters to affect data retrieval" - Step 6 from the SN Docs page, going over steps to add <detection_updated_since> and deleting <vm_scan_since>:
- https://docs.servicenow.com/bundle/kingston-security-management/page/product/secops-integration-qualys-vulnerability/concept/optional-modifications.html#modify-rest-msg-params
I do not see <severities> values specified in the API call. You may want to validate which severity values should be brought in from Qualys (i.e. 5, 4, 3, 2, 1) and ensure it is configured on the REST API call made from ServiceNow (following the instructions from the SN Docs page above).
Lastly, if you have not checked it out already - Postman is a good tool to use for ensuring your credentials work and your API call + parameters are tuned appropriately. Check out the Postman section at the bottom of the page here:
- https://community.qualys.com/docs/DOC-4523-qualys-api-client-examples#jive_content_id_Web_browser_Chrome_Postman
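The parameter checks discussed in the reply above, as an added example that is not part of the original post or of the ServiceNow/Qualys integration code. The host `qualysapi.example.invalid` is a placeholder and the function names are hypothetical; the rules encoded are only the ones stated in the reply and in the Qualys documentation it quotes.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed sample: the request quoted in the thread, with a placeholder host.
SAMPLE_URL = (
    "https://qualysapi.example.invalid/api/2.0/fo/asset/host/vm/detection/"
    "?output_format=XML&detection_updated_since=2018-07-18T17:36:33Z&show_tags=1"
    "&action=list&vm_scan_since=2018-07-18T17:36:33Z&truncation_limit=500"
    "&status=New,Fixed,Active,Re-Opened"
)

def review_detection_request(url):
    """Return (params, findings) for a Host List Detection request URL."""
    params = {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    if params.get("action") != "list":
        findings.append("action=list is missing")
    # Quoted Qualys docs: only one of these two may appear in a request.
    if "detection_updated_since" in params and "max_days_since_detection" in params:
        findings.append("detection_updated_since and max_days_since_detection "
                        "cannot be combined")
    # Reply above: a status-change filter plus a host-scan filter can leave
    # nothing to return when no detection changed status since that date.
    if "detection_updated_since" in params and "vm_scan_since" in params:
        findings.append("detection_updated_since and vm_scan_since both set; "
                        "results need a status change AND a scan since the date")
    if "severities" not in params:
        findings.append("no severities filter; confirm which severities to import")
    return params, findings

def delta_load_url(url, since):
    """Rebuild the request for a delta load: keep detection_updated_since,
    drop vm_scan_since (the change described in the ServiceNow docs step)."""
    parts = urlsplit(url)
    params, _ = review_detection_request(url)
    params.pop("vm_scan_since", None)
    params.pop("max_days_since_detection", None)
    params["detection_updated_since"] = since
    query = urlencode(sorted(params.items()), safe=",:")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

if __name__ == "__main__":
    for finding in review_detection_request(SAMPLE_URL)[1]:
        print("finding:", finding)
    print(delta_load_url(SAMPLE_URL, "2018-07-20T00:00:00Z"))
```

An empty findings list only means the parameters are consistent; an account without Host Detection permission can still get no data back.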
07-23-2018 06:12 AM
Hi,
I have tried to run
https://qualysapi.<qualys>.eu/api/2.0/fo/asset/host/vm/detection/?output_format=XML&action=list
as well. Even in curl. It still provides the same response.

07-23-2018 06:43 AM
Sorry, I think you may need to reach out to the Qualys support team again or perhaps create a post on the Qualys Community Page.
Have you confirmed the base url of the Qualys platform you are pointing to is appropriate - is this the same base url you used to successfully pull the Qualys KB?
If you are not seeing results come back from curl for a request like below - perhaps the issue could be the account being used, the Qualys platform you are pointing to or another issue.
curl -u "username:password" -H "X-Requested-With: curl" "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/?action=list&truncation_limit=10"
09-05-2024 09:03 AM
@andy_ojha
Exactly what script creates the discovered item?
Need help in understanding discovered item creation.
In my case the discovered item is wrongly fetching the CI name - I need to understand this further.
Please guide me on this.