Qualys Cloud Platform
  • 26 Apr 2022

Qualys Cloud Platform monitors customers' global security and compliance posture using sensors. This adapter connects to the Qualys Cloud Platform service to import information about devices and vulnerabilities.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users

Parameters

  1. Qualys Cloud Platform Domain (required) - The hostname of the Qualys API (for example, qualysapi.apps.qualys.com). For more details on how to determine your Qualys API URL, see Identify your Qualys platform.

  2. User Name and Password (required) - The credentials for a user account that has the Required Permissions to fetch assets.

  3. Qualys Tags Include list (optional, default: empty) - Specify a comma-separated list of Qualys tags.

    • If supplied, the connection for this adapter will only fetch devices tagged in Qualys with the tags provided in this list.
    • If not supplied, the connection for this adapter will fetch all devices from Qualys Cloud Platform.
  4. API Rate Limit (Requests per Hour) (optional, default: empty) - Specify a rate limit for the number of requests per hour to be sent to Qualys.

    • If supplied, the number of requests initiated per hour by the connection for this adapter will be limited to the specified value. During data fetch from this connection, if the API rate limit is reached, the connection will be paused for an hour, and then will resume the data fetch.
    • If not supplied, the number of requests initiated by the connection for this adapter will not be limited.
    Note:

    This setting is applicable only for the Global IT Asset Inventory API.

  5. Verify SSL (required, default: false) - Select whether to verify the SSL certificate offered by the value supplied in Hostname or IP Address. For more details, see SSL Trust & CA Settings.

  6. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the value supplied in Qualys Cloud Platform Domain.

    • If supplied, Axonius will utilize the proxy when connecting to the value supplied in Qualys Cloud Platform Domain.
    • If not supplied, Axonius will connect directly to the value supplied in Qualys Cloud Platform Domain.
  7. HTTPS Proxy User Name (optional, default: empty) - The user name to use when connecting to the value supplied in Qualys Cloud Platform Domain via the value supplied in HTTPS Proxy.

    • If supplied, Axonius will authenticate with this value when connecting to the value supplied in HTTPS Proxy.
    • If not supplied, Axonius will not perform authentication when connecting to the value supplied in HTTPS Proxy.
  8. HTTPS Proxy Password (optional, default: empty) - The password to use when connecting to the value supplied in Qualys Cloud Platform Domain via the value supplied in HTTPS Proxy.

    • If supplied, Axonius will authenticate with this value when connecting to the value supplied in HTTPS Proxy.
    • If not supplied, Axonius will not perform authentication when connecting to the value supplied in HTTPS Proxy.
  9. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.



Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

  1. Use Qualys API (required, default: true) - Select whether to use the Qualys API to fetch data.

  2. Use Global IT Asset Inventory API (required, default: false) - Select whether to use Global IT Asset Inventory API.

    • If enabled, all connections for this adapter will use the Global IT Asset Inventory API to fetch data.
      Note:
      • If enabled, Axonius will not fetch vulnerabilities from Qualys Cloud Platform, even if the Fetch vulnerabilities data option is enabled. For more information, see Fetch Vulnerabilities.
      • If enabled, it is highly recommended to clear the Use Qualys API option in Advanced Settings in order to prevent fetching multiple Qualys entities for a single device.
    • If disabled, all connections for this adapter will not use the Global IT Asset Inventory API to fetch data.
  3. Request timeout (required, default: 200) - Specify how many seconds all connections for this adapter will wait for a response before considering the request as timed out.

  4. Chunk size (required, default: 50) - Specify the number of parallel requests all connections for this adapter will send to Qualys.

  5. Devices per page (optional, default: 1) - Specify the number of results per page received for a given query to Qualys API to gain better control on the performance of all connections for this adapter.

  6. Intervals between retries (seconds) (optional, default: 3) - Specify how many seconds all connections for this adapter will wait in between each retry when the Qualys API returns a response with an error.

    • If supplied, Axonius will wait for the specified number of seconds before resending the request to the Qualys API.
    • If not supplied, Axonius will immediately resend the request to the Qualys API.
      The default value for this parameter is '3'.
  7. Number of retries (optional, default: 3) - Specify how many times all connections for this adapter will retry a request when the Qualys API returns a response with an error.

    • If supplied, upon an error response from Qualys API, up to the specified number, Axonius will resend the request to the Qualys API.
    • If not supplied, upon an error response from Qualys API, Axonius will not resend the request to the Qualys API.
  8. Fetch vulnerabilities data (required, default: true) - Select to fetch vulnerabilities from the Qualys Cloud Platform. For more information, see Fetch Vulnerabilities.

  9. Fetch authentication report (required, default: false) - Select whether to fetch authentication report information from Qualys Cloud Platform. The authentication report includes the authentication status for the scanned hosts: Passed, Failed, Passed with insufficient privileges, or Not Attempted.

    • If enabled, all connections for this adapter will also fetch authentication report information from Qualys Cloud Platform.
    • If disabled, all connections for this adapter will not fetch authentication report information from Qualys Cloud Platform.
  10. Fetch tickets (required, default: false) - Select whether to fetch tickets associated with devices from Qualys Cloud Platform.

    • If enabled, all connections for this adapter will also fetch ticket information for tickets associated with devices from Qualys Cloud Platform.
    • If disabled, all connections for this adapter will not fetch tickets associated with devices from Qualys Cloud Platform.
  11. Use DNS name as hostname even if NetBIOS name exists (required, default: false) - Select whether to use the DNS name or the NetBIOS name as the device hostname if both exist.

    • If enabled, all connections for this adapter use the DNS name as the device hostname even if a NetBIOS name also exists.
    • If disabled, all connections for this adapter use the NetBIOS name as the device hostname, when it exists.
  12. Fetch unscanned IP addresses (required, default: false) - Select whether to fetch yet-to-be-scanned hosts. Such devices' data will contain only an IP address (also as ID).

    • If enabled, all connections for this adapter will also fetch unscanned IP addresses from Qualys Cloud Platform.
    • If disabled, all connections for this adapter will not fetch unscanned IP addresses from Qualys Cloud Platform.
  13. Fetch Asset Groups (required, default: false) - Select whether to fetch Asset Groups.

    • If enabled, all connections for this adapter will also fetch Asset Groups.
    • If disabled, all connections for this adapter will not fetch Asset Groups.
  14. Do not fetch devices with no MAC address and hostname (required, default: false) - Select whether to exclude fetching devices without MAC addresses and hostnames.

    • If enabled, all connections for this adapter will only fetch devices that have MAC addresses or hostnames.
    • If disabled, all connections for this adapter will fetch devices even if they do not have MAC addresses and hostnames.
  15. Fetch PCI and Patchable Flags (required, default: false) - Select whether to add PCI and Patchable flags to fetched vulnerabilities. When you fetch the Patchable flag you can create queries based on patch availability.

    • If enabled, all connections for this adapter will add a PCI Flag and a Patchable flag to fetched vulnerabilities.
    • If disabled, all connections for this adapter will not add a PCI Flag and a Patchable flag to fetched vulnerabilities.
    Note:

    To use this functionality, the value supplied in User Name must have one of the following roles: Manager, Unit Manager, Scanner, Reader.

  16. Fetch scanner appliances (required, default: false) - Select whether to fetch scanner appliances as devices.

    • If enabled, all connections for this adapter will fetch scanner appliances as devices.
    • If disabled, all connections for this adapter will not fetch scanner appliances data.
  17. Fetch policy posture information (required, default: false) - Select whether to fetch the posture information of every policy compliance.

    • If enabled, all connections for this adapter will also fetch policy posture information associated with policy compliance.
    • If disabled, all connections for this adapter will not fetch policy posture information.
  18. Fetch policy compliance (required, default: false) - Select whether to fetch policy compliance associated with devices.

    • If enabled, all connections for this adapter will also fetch policy compliance associated with each device.
    Note:

    Policy compliance is only fetched if Fetch policy posture information is enabled.

    • If disabled, all connections for this adapter will not fetch policy compliance associated with each device.
  19. Add STIG rules to policy posture (required, default: false) - Select whether to fetch STIG rule IDs and add that information to the fetched posture information.

    • If enabled, all connections for this adapter will also fetch STIG rule IDs associated with policy compliance.
    Note:

    STIG rules are fetched only if Fetch policy posture information is enabled.

    • If disabled, all connections for this adapter will not fetch STIG rule IDs associated with policy compliance.
  20. Fetch vm detection (required, default: false) - Select whether to fetch additional vulnerability management information for AWS, Azure and GCP cloud appliances.

    • If enabled, all connections for this adapter will also fetch additional vulnerability management information for cloud appliances.
    • If disabled, all connections for this adapter will not fetch additional vulnerability management information for cloud appliances.
  21. Fetch QID CVE IDs (required, default: false) - Select whether to fetch additional CVEs for each QID in the vulnerability list from the next URL API.

    • If enabled, all connections for this adapter will fetch additional CVEs.
    • If disabled, all connections for this adapter will not fetch additional CVEs.
  22. Fetch users (required, default: false) - Select whether to fetch user account data from Qualys.

    • If enabled, all connections for this adapter will fetch user account data from Qualys.
    • If disabled, all connections for this adapter will not fetch user account data from Qualys.
  23. Use ‘lastCheckedIn’ field as ‘last_seen’ (required, default: false) - Define how to compute the 'last_seen' attribute in Qualys, depending on the API used to integrate with Axonius.

    • If you are using the Qualys API:
      • If selected, the last_seen attribute is calculated from lastCheckedIn. If the lastCheckedIn value isn't present, the last_seen attribute is calculated from lastVulnScan.
      • If cleared, the last_seen attribute is calculated from the most recent date fetched from any of the following fields: lastVulnScan, lastCheckedIn, lastComplianceScan, lastSystemBoot, or modified.
    • If you are using the Global IT Asset Inventory API:
      • If selected, the last_seen attribute is calculated from lastCheckedIn. If the lastCheckedIn value isn't present, the last_seen attribute is calculated from lastVulnScan.
      • If cleared, the last_seen attribute is calculated from the most recent date fetched from any of the following fields: createdDate, lastCheckedIn, sensorLastUpdatedDate, lastModifiedDate, lastUpdated, lastActivity, lastInventory, lastVMScan, lastComplianceScan, lastFullScan.
  24. Do not fetch devices without Last Seen (required, default: false) - Define whether to fetch devices without the last_seen attribute.

    • If enabled, all connections for this adapter will not fetch devices without the last_seen attribute.
    • If disabled, all connections for this adapter will fetch devices without the last_seen attribute.
  25. Do not populate hostname when tracking method is IP (required, default: false) - Set whether to populate the device hostname field when the tracking method is IP.

    • If enabled, all connections for this adapter will not populate the device hostname field when the tracking method is IP.
    • If disabled, all connections for this adapter will populate the device hostname field.
  26. Parse Software from VM detections (required, default: false) - Select whether to parse installed software using the Vulnerability Management detection. When you select this option, the system parses the software from the following detection QIDs: 45453, 90235, 90295, 91228, 372899, 105310, 45141. To implement this feature you must also select Fetch VM detection.

  27. Enrich vulnerabilities from detections (required, default: false) - Select whether to enrich the vulnerabilities information using results from the VM detection information for all connections for this adapter. This means it will add data from the VM detection to vulnerabilities by QID. To implement this feature you must also select Fetch vulnerabilities data and Fetch VM detection.

  28. Enrich vulnerabilities from vulnerability base (required, default: false) - Select whether to enrich the vulnerabilities information from the vulnerability base API by pulling all details of the vulnerabilities. To implement this feature you must also select Fetch vulnerabilities data.

  29. Fetch affect running kernel from vm detection (required, default: false) - Select whether to fetch the AFFECT_RUNNING_KERNEL field from the VM detection API. To implement this feature you must also select Fetch VM detection.

  30. Fetch affect running service from vm detection (required, default: false) - Select whether to fetch the AFFECT_RUNNING_SERVICE field from the VM detection API. To implement this feature you must also select Fetch VM detection.

  31. Fetch affect exploitable config from vm detection (required, default: false) - Select whether to fetch the AFFECT_EXPLOITABLE_CONFIG field from the VM detection API. To implement this feature you must also select Fetch VM detection.

  32. Fetch certificates as devices (required, default: false) - Select whether to fetch certificates as devices. Use Inventory API to fetch certificate information. Super User or CERTVIEW.API.ACCESS permissions are required for this.

  33. Fetch only fixed VM detections from last X days (optional, default: 0) - Specify the maximum number of days to fetch from VM detection only assets that have a Fixed vulnerability status. If a number is specified, VM detections will be fetched even if the Fetch VM detections option is unchecked.
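
The last_seen rule from setting 23, as an added Python example (not Axonius code): the same record yields different last_seen values depending on the option and on the API in use, which matters when queries for stale devices rely on that attribute. The function names, the keys `qualys_api` and `global_it_asset_inventory`, the ISO 8601 timestamp format and the sample record are assumptions.

```python
from datetime import datetime, timezone

# Fields considered when the option is cleared, as listed on this page.
CANDIDATES = {
    "qualys_api": ["lastVulnScan", "lastCheckedIn", "lastComplianceScan",
                   "lastSystemBoot", "modified"],
    "global_it_asset_inventory": [
        "createdDate", "lastCheckedIn", "sensorLastUpdatedDate",
        "lastModifiedDate", "lastUpdated", "lastActivity", "lastInventory",
        "lastVMScan", "lastComplianceScan", "lastFullScan"],
}

def _parse(value):
    """Parse an ISO 8601 timestamp (format assumed); None if absent or invalid."""
    if not value:
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def compute_last_seen(record, api="qualys_api", use_last_checked_in=False):
    """Return last_seen for one device record, or None if no usable date exists."""
    if use_last_checked_in:
        # Selected: lastCheckedIn, falling back to lastVulnScan when absent.
        return _parse(record.get("lastCheckedIn")) or _parse(record.get("lastVulnScan"))
    # Cleared: the most recent date among the candidate fields for this API.
    dates = [d for d in (_parse(record.get(f)) for f in CANDIDATES[api]) if d]
    return max(dates) if dates else None

# Constructed sample: the agent last checked in in January, but the record
# itself was modified in April.
SAMPLE = {
    "lastCheckedIn": "2022-01-10T08:00:00Z",
    "lastVulnScan": "2022-01-05T02:00:00Z",
    "modified": "2022-04-20T12:00:00Z",
}

if __name__ == "__main__":
    print("selected:", compute_last_seen(SAMPLE, use_last_checked_in=True))
    print("cleared, Qualys API:", compute_last_seen(SAMPLE))
    print("cleared, Global IT Asset Inventory API:",
          compute_last_seen(SAMPLE, api="global_it_asset_inventory"))
```

A record with none of these fields returns None, which is the case setting 24 (Do not fetch devices without Last Seen) filters on.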

Note:

The Global IT Asset Inventory API is supported. When using the Global IT Asset Inventory API, the following advanced settings also fetch devices:

  • Fetch VM detections
  • Fetch policy compliance
  • Fetch policy posture information
  • Fetch policy posture actual settings
  • Add STIG rules to policy posture
  • Fetch affect exploitable config from VM detection
  • Fetch affect running service from VM detection
  • Fetch affect running kernel from VM detection


Note:

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
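
Several advanced settings above only take effect when another option is also selected. The following added Python example (not Axonius code) checks a set of option values for those dependencies; representing the settings as a dict keyed by the labels on this page is an assumption, as are the function names.

```python
# Defaults taken from this page; every other option referenced here defaults to false.
DEFAULTS = {"Use Qualys API": True, "Fetch vulnerabilities data": True}

# option -> options this page says must also be selected
REQUIRES = {
    "Parse Software from VM detections": ["Fetch vm detection"],
    "Enrich vulnerabilities from detections": ["Fetch vulnerabilities data",
                                               "Fetch vm detection"],
    "Enrich vulnerabilities from vulnerability base": ["Fetch vulnerabilities data"],
    "Fetch affect running kernel from vm detection": ["Fetch vm detection"],
    "Fetch affect running service from vm detection": ["Fetch vm detection"],
    "Fetch affect exploitable config from vm detection": ["Fetch vm detection"],
    "Fetch policy compliance": ["Fetch policy posture information"],
    "Add STIG rules to policy posture": ["Fetch policy posture information"],
}

def enabled(settings, name):
    """True if the option is on, using the page's default when it is not set."""
    return bool(settings.get(name, DEFAULTS.get(name, False)))

def lint_settings(settings):
    """Return a list of findings; an empty list means no dependency is unmet."""
    findings = []
    for option, needed in REQUIRES.items():
        if not enabled(settings, option):
            continue
        for dep in needed:
            if not enabled(settings, dep):
                findings.append(f"'{option}' requires '{dep}'")
    # Recommendation from setting 2: do not run both APIs at once.
    if (enabled(settings, "Use Global IT Asset Inventory API")
            and enabled(settings, "Use Qualys API")):
        findings.append("'Use Global IT Asset Inventory API' is enabled: clear "
                        "'Use Qualys API' to avoid multiple Qualys entities "
                        "for a single device")
    return findings

if __name__ == "__main__":
    # Constructed sample configuration.
    sample = {"Use Global IT Asset Inventory API": True,
              "Parse Software from VM detections": True,
              "Add STIG rules to policy posture": True}
    for finding in lint_settings(sample):
        print(finding)
```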

Fetch Vulnerabilities

You can fetch vulnerabilities via the Qualys API, which automatically fetches vulnerabilities by default.
Alternatively, you can fetch vulnerabilities via the Global IT Asset Inventory API.

To fetch vulnerabilities via the Global IT Asset Inventory API, select the following Advanced Settings options:

  • Use Global IT Asset Inventory API
  • Fetch vulnerabilities data or Enrich vulnerabilities from vulnerability base
  • Fetch VM detection


APIs

Axonius uses the following APIs for integration from Qualys:

Required Permissions

The value supplied in User Name must be associated with one of the following user roles and with the following permissions:

  • Manager role with full scope.

  • Reader role with full scope.

  • Non-manager role with the following permissions:

    • Access Permission "API Access".
    • Asset Management Permission "Read Asset".
    • Requested asset in their scope.
    Note:

    It is highly recommended to provide the user permissions and access to all objects in the subscription.

To provide permissions and access to all objects in the subscription:

  1. From the Qualys Administration utility, select Users > User Management.
  2. Click the user account and select Actions > Edit.
  3. Navigate to Roles and Scopes and select the Allow user full permissions and scope option.



To enable user access to the API:

  1. From the Qualys Administration utility, click User next to the Logout -> User Profile. The Edit User page is displayed.

  2. From the left sidebar, click User Role. Then select the API option to enable API Access.

  3. Click Save.

