Customize the filtering parameters for your scheduled queries with the Qualys Vulnerability Integration to help you further refine the vulnerability data you import with the supported Qualys integrations.
Before you begin
Use cases: As a vulnerability manager or analyst, you might want to filter out data from your queries so that you can review only specific vulnerability details. For example, say you want to view imported vulnerabilities that are filtered by specific IPs or IP ranges. Or, you want to import only machines that are under your scope, for example, only machines within your corporate network that are not external devices.
To help you gather this data, you might add Qualys parameters to help you import the specific vulnerability details you need.
Without adding additional API calls or coding, this feature permits you to customize your HTTP Request information with Qualys parameters in your ServiceNow AI Platform. You modify or add these values on your HTTP Method record under the REST method for the supported Qualys integrations of the Qualys Vulnerability Integration.
Role required: sn_vul.vulnerability_admin
Procedure
- Locate the parameters supported by the Qualys product on the developer site that you want to use for your filtering.
  Parameters and values you enter from the Qualys product are supported only at the integration instance level in your ServiceNow AI Platform. All Qualys Integrations support filtering using query parameters.
- Navigate to .
- On the Qualys Integrations list page, click the record for the integration that you want to open.
- With the Qualys REST Details tab selected, locate and click the information icon (I) for REST method followed by Open Record to open the HTTP Method record.
- Select the HTTP Request tab.
- In the HTTP Query Parameters for the request body, add the values you got from the Qualys developer site.
  For example, to ingest only certain IP addresses or ranges, add the parameter ips={value}, where value is one or more IPs/ranges that you specify. Multiple entries are comma separated (172.10.2.71, 172.10.3.159), and a range is specified with a hyphen (10.10.10.1-10.10.10.100). Refer to the Qualys developer site for more information.
  If you want to enter more than one parameter, refer to the Qualys documentation for more information about how to separate each value.
  Note: You should be aware of your API requirements. You might have to add these API properties to the Query Parameters, or to the body content.
  Some other parameters you might find useful from the Qualys developer site:
  - ag_ids - Asset Group list IDs to retrieve. This parameter ensures only machines under your scope are brought in.
  - qids - This parameter limits results to only certain vulnerabilities (QID in Third-Party Entry table). This setting prevents flooding your system with informational records.
  - arf_filter_keys - Filters and returns host detections based on the specified values. Acceptable values: non-running-kernel, non-running-service, and config-not-exploitable. You can use any single value or comma-separated values. When you use this parameter in the REST parameters, set the following instance parameters to false because they are mutually exclusive: include_kernel_metadata, include_service_metadata, include_exploitable_config_metadata.
  - show_arf_data - Displays ARF-affected data for host detections along with the arf_filter_keys parameter. Acceptable values: 0 or 1. If you set the value to 0, the output does not include the ARF filter output data. When you use this parameter in the REST parameters, set the following instance parameters to false because they are mutually exclusive: include_kernel_metadata, include_service_metadata, include_exploitable_config_metadata.
  - code_modified_after - Returns QIDs modified after the specified date in the Knowledge Base integrations.
  - code_modified_before - Returns QIDs modified before the specified date in the Knowledge Base integrations.
  - assetDeploymentType - Returns host IDs of the specified deployment type for PCRS Policy Host integrations. Acceptable values: ON-PREM, CLOUD, or ALL. This parameter is available when the posture_api_version integration instance parameter is set to 5.0.
  - assetState - Returns host IDs of the specified state for PCRS Policy Host integrations. Acceptable values: TERMINATED, ACTIVE, or ALL. This parameter is available when the posture_api_version integration instance parameter is set to 5.0.
  - cloudMetaDataRequired - Fetches cloud metadata in the PCRS Test Results Integration response. Acceptable values: 0 or 1. This parameter is available when the posture_api_version integration instance parameter is set to 5.0.
  - status - Filters results based on result status. Acceptable values: Passed, Failed, and Error. You can provide multiple comma-separated values. This parameter is available when the posture_api_version integration instance parameter is set to 5.0.
  - previousStatus - Filters results based on the previous result status. Acceptable values: Passed, Failed, and Error. You can provide multiple comma-separated values. This parameter is available when the posture_api_version integration instance parameter is set to 5.0.
  - criticalityLabels - Filters results based on criticality level. Acceptable values: UNDEFINED, MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT. You can provide multiple comma-separated values. This parameter is available when the posture_api_version integration instance parameter is set to 5.0.
  - criticalityValues - Filters results based on criticality level. Acceptable values: 0–5. This parameter is available when the posture_api_version integration instance parameter is set to 5.0.
  - extendedEvidenceRequired - Fetches extended evidence data. Acceptable values: 0 or 1. This parameter is available when the posture_api_version integration instance parameter is set to 5.0.
- Click Update.
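A pre-flight check for the values entered in this procedure, as an added example (not ServiceNow or Qualys code): it validates the ips syntax, the acceptable values, the posture_api_version 5.0 requirement, and the ARF mutual-exclusion rule described above. The function names `check_ips` and `validate`, the dictionary form of the instance parameters, and the single-valued treatment of parameters the page does not describe as comma-separated are assumptions of this example.

```python
import ipaddress

# Acceptable values exactly as listed on this page.
ALLOWED = {
    "arf_filter_keys": {"non-running-kernel", "non-running-service", "config-not-exploitable"},
    "show_arf_data": {"0", "1"},
    "assetDeploymentType": {"ON-PREM", "CLOUD", "ALL"},
    "assetState": {"TERMINATED", "ACTIVE", "ALL"},
    "cloudMetaDataRequired": {"0", "1"},
    "status": {"Passed", "Failed", "Error"},
    "previousStatus": {"Passed", "Failed", "Error"},
    "criticalityLabels": {"UNDEFINED", "MINIMAL", "MEDIUM", "SERIOUS", "CRITICAL", "URGENT"},
    "criticalityValues": {"0", "1", "2", "3", "4", "5"},
    "extendedEvidenceRequired": {"0", "1"},
}
# Parameters the page describes as comma-separated; the rest are treated as single-valued (assumption).
MULTI = {"arf_filter_keys", "status", "previousStatus", "criticalityLabels"}
NEEDS_POSTURE_5 = set(ALLOWED) - {"arf_filter_keys", "show_arf_data"}  # per the page
ARF_EXCLUSIVE = ("include_kernel_metadata", "include_service_metadata", "include_exploitable_config_metadata")

def check_ips(value):
    """Accept comma-separated IPs and start-end ranges, as the page describes."""
    problems = []
    for item in (part.strip() for part in value.split(",")):
        try:
            ends = [ipaddress.ip_address(e.strip()) for e in item.split("-")]
            ok = len(ends) == 1 or (len(ends) == 2 and ends[0] <= ends[1])
        except (ValueError, TypeError):  # bad address, or mixed IPv4/IPv6 range
            ok = False
        if not ok:
            problems.append(f"ips: {item!r} is not a valid IP or start-end range")
    return problems

def validate(query, instance):
    """query: HTTP Query Parameters; instance: integration instance parameters."""
    problems = check_ips(query["ips"]) if "ips" in query else []
    for name, value in query.items():
        if name in ALLOWED:
            items = value.split(",") if name in MULTI else [value]
            problems += [f"{name}: unsupported value {v.strip()!r}"
                         for v in items if v.strip() not in ALLOWED[name]]
        if name in NEEDS_POSTURE_5 and str(instance.get("posture_api_version")) != "5.0":
            problems.append(f"{name}: requires posture_api_version 5.0")
        if name in ("arf_filter_keys", "show_arf_data"):
            problems += [f"{name}: set {p} to false" for p in ARF_EXCLUSIVE
                         if str(instance.get(p)).lower() == "true"]
    return problems

# Constructed sample: the ips values from this page, with one instance flag left on.
SAMPLE = validate({"ips": "172.10.2.71, 172.10.3.159,10.10.10.1-10.10.10.100", "show_arf_data": "1"}, {"include_kernel_metadata": True})
```

An empty list means the parameters are consistent with the rules on this page; it does not replace the Qualys documentation for parameters not covered here, such as ag_ids and qids.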