Qualys REST messages
Qualys REST messages are used to make calls to the Qualys API.
Starting with version 12.9.2 of Qualys, you have the option to choose between Basic Authentication or OAuth. The instance parameter Qualys Cloud Authentication method is pre-configured for Basic Auth. If you prefer to use OAuth, you must modify integration instance parameter and then set up the rest message directly for the OAuth.
Qualys Host Detection REST message
The Qualys Host Detection REST message makes the initial call to the Host List Detection API for the Qualys Host Detection Integration.
| Parameter Name | Value | Description |
|---|---|---|
| action | list | Indicates the type of operation requested. Required parameter. Changes aren’t required. |
| output_format | XML | Sets the format of the report returned by Qualys. The various scripts and transforms assume XML, so changes to the value aren’t recommended. |
| detection_processed_after | ${lastScanDate} | Shows only detections whose detection status changed after a certain date and time. For detections that have never changed, the date is applied to the last detection date. |
| truncation_limit | 500 | The number of hosts to retrieve data from, according to request. This parameter is used for pagination purposes. The default value is 500, but larger or smaller values can be used. Don’t set at less than 100 since it significantly increases system load. Smaller values require more calls to the Qualys API and larger values result in larger result sets to process and potential data retrieval/processing timeouts. |
| status | New, Fixed, Active, Reopened | Detection statuses to retrieve from Qualys. The default is to retrieve all statuses. For large data pulls (often the initial pull of data), it can be beneficial to exclude Fixed statuses from this list. It’s important to include the Fixed status when updating vulnerabilities already in the system. |
Qualys Host Detection Integration REST message
The Qualys Host Detection – Standard REST message retrieves host detection data from Qualys.
| Parameter Name | Value | Description |
|---|---|---|
| vuln_detection_source | 1 | Returns the vulnerability detection source in the response. |
| show_tags | ${showTag} | Displays asset tags associated with each host in the XML output. |
| show_cloud_tags | 1 | Returns cloud provider tags for each scanned host asset in the output. |
| host_metadata | all | Lists all assets (cloud and non-cloud) and the metadata output applicable for cloud assets. |
| action | ${action} | Action to list host detections. |
| output_format | ${outputFormat} | Specifies the format of the host detection list output. |
| truncation_limit | ${truncationLimit} | Specifies the maximum number of host records processed per request. |
| status | ${status} | Returns only hosts with one or more of these status values. |
| severities | ${severities} | Returns only detection records that have the specified severities. |
Qualys Comprehensive Host Detection Integration REST message
The Qualys Host Detection - Standard REST message retrieves host detection data from Qualys.
| Parameter Name | Value | Description |
|---|---|---|
| vuln_detection_source | 1 | Returns the vulnerability detection source in the response. |
| show_tags | ${showTag} | Displays asset tags associated with each host in the XML output. |
| show_cloud_tags | 1 | Returns cloud provider tags for each scanned host asset in the output. |
| host_metadata | all | Lists all assets (cloud and non-cloud) and the metadata output applicable for cloud assets. |
| action | ${action} | Action to list host detections. |
| output_format | ${outputFormat} | Specifies the format of the host detection list output. |
| truncation_limit | ${truncationLimit} | Specifies the maximum number of host records processed per request. |
| status | ${status} | Returns only hosts with one or more of these status values. |
| severities | ${severities} | Returns only detection records that have the specified severities. |
Qualys Host List Integration REST message
The Qualys Host Detection - Standard REST message retrieves host detection data from Qualys.
| Parameter Name | Value | Description |
|---|---|---|
| show_tags | ${showTag} | Displays asset tags associated with each host in the XML output. |
| show_cloud_tags | 1 | Returns cloud provider tags for each scanned host asset in the output. |
| host_metadata | all | Lists all assets (cloud and non-cloud) and the metadata output applicable for cloud assets. |
| action | ${action} | Action to list host detections. |
| truncation_limit | ${truncationLimit} | Specifies the maximum number of host records processed per request. |
| details | ${status} | Specifies the requested amount of host information for each host to be returned in the response. |
Qualys Knowledge Base REST message
The Qualys Knowledge Base (Date Based) REST message retrieves vulnerability data from Qualys.
| Parameter Name | Value | Description |
|---|---|---|
| action | ${action} | Action to list host detections. |
| details | ${status} | Specifies the requested amount of host information for each host to be returned in the response. |
| last_modified_after | ${dateStart} | Filters the XML output to show only vulnerabilities last modified after a certain date and time. |
| last_modified_before | ${dateEnd} | Filters the XML output to show only vulnerabilities last modified before a certain date and time. |
Qualys Knowledge Base (Backfill) REST message
The Qualys Knowledge Base (Backfill) REST message retrieves vulnerability backfill data from Qualys.
| Parameter Name | Value | Description |
|---|---|---|
| action | ${action} | Action to list host detections. |
| details | ${status} | Specifies the requested amount of host information for each host to be returned in the response. |
| ids | ${qids} | Filters the XML output to include only vulnerabilities that have QID numbers matching the QID numbers specified. |
Qualys host detection pagination REST message
The Host Detection Pagination REST message handles pagination requests to the Host Detection API.
When the primary host detection runs, if the Qualys API provides a URL to fetch the next page of data, this REST message retrieves that additional data. This data is used by the Host Detection Pagination Handler.
Host detection pagination REST is a specialized REST message and isn’t intended to be modified.
Qualys knowledge base (backfill) REST message
The Qualys Knowledge Base (Backfill) REST message retrieves Qualys knowledge base data based on the last modified timestamp of the vulnerability data for the Qualys Knowledge Base integration.
Changes to the REST message method record impact the request made to Qualys to retrieve knowledge base information.
The following table shows the request parameters that are sent.
| Parameter | Value | Description |
|---|---|---|
| action | list | Indicates the type of operation being requested. Required parameter. Changes aren’t recommended. |
| details | All | Indicates the level of detail shown for vulnerabilities retrieved. Safe to modify as needed. |
| ids | ${qids} | Specifies which QIDs to retrieve from Qualys. Referenced in code. Modifications aren’t recommended. |
Qualys knowledge base (date-based) REST message
The Qualys Knowledge Base (Date-Based) REST message is used to retrieve Qualys knowledge base data based on the last modified timestamp of the vulnerability data. This message is used by the Qualys Knowledge Base integration.
Changes to the REST message method record impact the request made to Qualys to retrieve knowledge base information.
The following table shows the request parameters that are sent.
| Source Field | Target Field | Description |
|---|---|---|
| action | list | Indicates the type of operation requested. Required parameter. Changes aren’t recommended. |
| details | All | Indicates the level of detail shown for vulnerabilities retrieved. Safe to modify as needed. |
| last_modified_after | ${dateStart} | Indicates when to start retrieving historical data. Used by code to determine both the start time and to assist with pagination. Modifications or removal isn’t recommended. |
| last_modifiedbefore | ${dateEnd} | Indicates when to end retrieving historical data. Used by code to determine both the end time and to assist with pagination. Modifications or removal isn’t recommended. |
Qualys tickets REST message
The Qualys tickets REST message retrieves Qualys ticket information for the Qualys Ticket Integration. Changes to the REST message method record impact the requests made to Qualys to retrieve ticket information.
The table shows the request parameters that are sent.
| Parameter Name | Value | Description |
|---|---|---|
| modified_since_datetime | ${lastRunDatetime} | Indicates the last run date of the integration and the date after which to pull data. Used by code. Changes aren’t recommended. |
| since_ticket_number | ${lastTicketNumber} | Indicates which ticket was last retrieved from Qualys. Used for pagination. Changes aren’t recommended. |
| show_vuln_details | 1 | Indicates whether the vulnerability details are retrieved. |