Qualys

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

📘 Note

  • This source is not currently mapped to an alert, schema, or IOC Search.

  • Qualys Host Detections is used for enrichment purposes only.

TL;DR

Supported data types   | 3rd party detection | Hunters detection | IOC search | Search | Table name             | Log format | Collection method
-----------------------|---------------------|-------------------|------------|--------|------------------------|------------|------------------
Qualys Knowledgebase   |                     |                   |            |        | qualys_knowledgebase   | XML        | API
Qualys Host Detections |                     |                   |            |        | qualys_host_detections | XML        | API
Qualys Hosts           |                     |                   |            |        | qualys_hosts           | XML        | API


Overview

Qualys is a cloud-based security and compliance platform that provides a range of solutions for vulnerability management, continuous monitoring, and policy compliance. The platform helps organizations identify, track, and mitigate security risks across their IT environments, including on-premises, cloud, and hybrid infrastructures. Qualys scans systems for vulnerabilities, misconfigurations, and compliance gaps, offering detailed insights into the state of security across networks, applications, and endpoints.

Supported data types

Qualys Knowledgebase

Table name: qualys_knowledgebase

Qualys Knowledgebase logs are detailed records generated by the Qualys platform related to vulnerability scanning, assessment, and management. These logs provide information about security vulnerabilities, patches, and configurations detected across an organization’s infrastructure. They include data about specific vulnerabilities found, including CVE identifiers, severity levels, and affected systems. The Knowledgebase logs also track the progress of vulnerability remediation efforts and any changes in the security posture over time. By reviewing these logs, security teams can gain insights into potential risks, compliance status, and the effectiveness of their patching or mitigation strategies.

Qualys Host Detections

Table name: qualys_host_detections

Qualys Host Detections are records generated by the Qualys platform that identify and track vulnerabilities, misconfigurations, or threats found on specific hosts (servers, workstations, or other devices) within an organization's network. These detections are part of vulnerability management and help security teams prioritize remediation based on the severity and impact of the issues detected on each host. The logs contain details about the host's IP address, operating system, the specific vulnerabilities identified (such as CVEs), and whether the issue has been mitigated or requires further action. By analyzing Host Detections, organizations can strengthen security and ensure compliance across their infrastructure.

Qualys Hosts

Table name: qualys_hosts

Qualys Hosts logs are records generated by the Qualys platform that provide detailed information about the devices (hosts) within an organization's network. These logs track various aspects of the hosts, including their configuration, vulnerability status, IP addresses, operating systems, and security posture. The logs capture any changes or actions taken on the hosts, such as detected vulnerabilities, system updates, or compliance checks. By analyzing Qualys Hosts logs, security teams can monitor the health of their infrastructure, prioritize remediation efforts, and ensure that all devices remain secure and compliant with industry standards.

Send data to Hunters

Hunters supports the collection of logs from Qualys using the Qualys API.

To connect Qualys logs:

  1. Retrieve the following information from Qualys:

    • Host (the Qualys API host for your platform; see the Qualys documentation to find the host that matches your subscription).

    • User ID

    • Password

  2. Complete the process on the Hunters platform, following this guide.

Expected format

Qualys API credentials sample

{
  "host": "http://host.com",
  "user_id": "user",
  "password": "password"
}

Qualys Knowledgebase Sample

<VULN_LIST>
  <VULN>
    <QID>1</QID>
    <VULN_TYPE>Vulnerability</VULN_TYPE>
    <SEVERITY_LEVEL>3</SEVERITY_LEVEL>
    <TITLE><![CDATA[Title]]></TITLE>
    <CATEGORY>Database</CATEGORY>
    <LAST_SERVICE_MODIFICATION_DATETIME>2022-08-03T00:00:00Z</LAST_SERVICE_MODIFICATION_DATETIME>
    <PUBLISHED_DATETIME>2022-08-03T00:00:00Z</PUBLISHED_DATETIME>
    <PATCHABLE>1</PATCHABLE>
    <SOFTWARE_LIST>
      <SOFTWARE>
        <PRODUCT><![CDATA[product]]></PRODUCT>
        <VENDOR><![CDATA[vendor]]></VENDOR>
      </SOFTWARE>
    </SOFTWARE_LIST>
    <VENDOR_REFERENCE_LIST>
      <VENDOR_REFERENCE>
        <ID><![CDATA[id]]></ID>
        <URL><![CDATA[url]]></URL>
      </VENDOR_REFERENCE>
    </VENDOR_REFERENCE_LIST>
    <CVE_LIST>
      <CVE>
        <ID><![CDATA[CVE-id]]></ID>
        <URL><![CDATA[url]]></URL>
      </CVE>
    </CVE_LIST>
    <DIAGNOSIS><![CDATA[diagnosis]]></DIAGNOSIS>
    <CONSEQUENCE><![CDATA[consequence]]></CONSEQUENCE>
    <SOLUTION><![CDATA[possible solution]]></SOLUTION>
    <CVSS>
      <BASE>5.0</BASE>
      <TEMPORAL>3.0</TEMPORAL>
      <VECTOR_STRING>vector</VECTOR_STRING>
    </CVSS>
    <CVSS_V3>
      <BASE>7.0</BASE>
      <TEMPORAL>6.0</TEMPORAL>
      <VECTOR_STRING>vector</VECTOR_STRING>
      <CVSS3_VERSION>3.0</CVSS3_VERSION>
    </CVSS_V3>
    <PCI_FLAG>1</PCI_FLAG>
    <THREAT_INTELLIGENCE>
      <THREAT_INTEL id="5"><![CDATA[Easy_Exploit]]></THREAT_INTEL>
    </THREAT_INTELLIGENCE>
    <DISCOVERY>
      <REMOTE>0</REMOTE>
      <AUTH_TYPE_LIST>
        <AUTH_TYPE>Unix</AUTH_TYPE>
      </AUTH_TYPE_LIST>
      <ADDITIONAL_INFO>Patch Available</ADDITIONAL_INFO>
    </DISCOVERY>
  </VULN>
</VULN_LIST>

Qualys Host Detections Sample

<HOST_LIST>
  <HOST>
    <ID>1</ID>
    <ASSET_ID>1</ASSET_ID>
    <IP>1.1.1.1</IP>
    <TRACKING_METHOD>IP</TRACKING_METHOD>
    <NETWORK_ID>0</NETWORK_ID>
    <OS><![CDATA[os]]></OS>
    <OS_CPE><![CDATA[cpe]]></OS_CPE>
    <DNS><![CDATA[dns]]></DNS>
    <DNS_DATA>
      <HOSTNAME><![CDATA[dub-citwi-01]]></HOSTNAME>
      <DOMAIN><![CDATA[iconcr.com]]></DOMAIN>
      <FQDN><![CDATA[dub-citwi-01.iconcr.com]]></FQDN>
    </DNS_DATA>
    <NETBIOS><![CDATA[netbios]]></NETBIOS>
    <LAST_SCAN_DATETIME>2022-08-03T11:10:19Z</LAST_SCAN_DATETIME>
    <LAST_VM_SCANNED_DATE>2022-08-03T11:10:19Z</LAST_VM_SCANNED_DATE>
    <LAST_VM_SCANNED_DURATION>1</LAST_VM_SCANNED_DURATION>
    <LAST_VM_AUTH_SCANNED_DATE>2022-08-03T11:10:19Z</LAST_VM_AUTH_SCANNED_DATE>
    <LAST_VM_AUTH_SCANNED_DURATION>1</LAST_VM_AUTH_SCANNED_DURATION>
    <DETECTION_LIST>
      <DETECTION>
        <QID>1</QID>
        <TYPE>Confirmed</TYPE>
        <SEVERITY>2</SEVERITY>
        <PORT>80</PORT>
        <PROTOCOL>tcp</PROTOCOL>
        <SSL>0</SSL>
        <RESULTS><![CDATA[result]]></RESULTS>
        <STATUS>Active</STATUS>
        <FIRST_FOUND_DATETIME>2017-06-11T04:55:13Z</FIRST_FOUND_DATETIME>
        <LAST_FOUND_DATETIME>2022-08-03T07:38:33Z</LAST_FOUND_DATETIME>
        <QDS severity="LOW">15</QDS>
        <QDS_FACTORS>
          <QDS_FACTOR name="name"><![CDATA[No_Patch]]></QDS_FACTOR>
        </QDS_FACTORS>
        <TIMES_FOUND>1</TIMES_FOUND>
        <LAST_TEST_DATETIME>2022-08-03T07:38:33Z</LAST_TEST_DATETIME>
        <LAST_UPDATE_DATETIME>2022-08-03T11:43:41Z</LAST_UPDATE_DATETIME>
        <IS_IGNORED>0</IS_IGNORED>
        <IS_DISABLED>0</IS_DISABLED>
        <LAST_PROCESSED_DATETIME>2022-08-03T11:43:41Z</LAST_PROCESSED_DATETIME>
      </DETECTION>
    </DETECTION_LIST>
  </HOST>
</HOST_LIST>
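Because Host Detections carry only a QID per finding, the enrichment described above is a join against the Knowledgebase on that QID. The following is an added example (not Hunters or Qualys code) that parses trimmed, constructed documents in the two formats shown on this page, indexes the Knowledgebase by QID, and emits one enriched row per Active detection; a detection whose QID is missing from the Knowledgebase (the feed can lag) is kept and flagged rather than dropped.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the page's formats (not real Qualys output).
KNOWLEDGEBASE_XML = """<VULN_LIST><VULN>
  <QID>1</QID><SEVERITY_LEVEL>3</SEVERITY_LEVEL><TITLE><![CDATA[Sample title]]></TITLE>
  <PATCHABLE>1</PATCHABLE><CVSS_V3><BASE>7.0</BASE></CVSS_V3>
  <CVE_LIST><CVE><ID><![CDATA[CVE-0000-0001]]></ID></CVE></CVE_LIST>
</VULN></VULN_LIST>"""

HOST_DETECTIONS_XML = """<HOST_LIST><HOST>
  <ID>1</ID><IP>1.1.1.1</IP>
  <DNS_DATA><FQDN><![CDATA[dub-citwi-01.iconcr.com]]></FQDN></DNS_DATA>
  <DETECTION_LIST>
    <DETECTION><QID>1</QID><TYPE>Confirmed</TYPE><PORT>80</PORT><STATUS>Active</STATUS></DETECTION>
    <DETECTION><QID>2</QID><TYPE>Potential</TYPE><PORT>443</PORT><STATUS>Active</STATUS></DETECTION>
    <DETECTION><QID>1</QID><TYPE>Confirmed</TYPE><PORT>22</PORT><STATUS>Fixed</STATUS></DETECTION>
  </DETECTION_LIST>
</HOST></HOST_LIST>"""

def text(el, path, default=""):  # text of the first child at `path`, or `default` if absent/empty
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default

def load_knowledgebase(xml_text):
    """Index Knowledgebase VULN entries by QID, the join key that detections carry."""
    kb = {}
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        kb[text(vuln, "QID")] = {
            "title": text(vuln, "TITLE"),
            "severity": int(text(vuln, "SEVERITY_LEVEL", "0")),
            "patchable": text(vuln, "PATCHABLE") == "1",
            "cves": [text(c, "ID") for c in vuln.findall("CVE_LIST/CVE")],
            "cvss3_base": float(text(vuln, "CVSS_V3/BASE", "0")),
        }
    return kb

def enrich_detections(host_xml, kb):
    """Join each Active DETECTION to its Knowledgebase entry; unknown QIDs are kept and flagged."""
    unknown = {"title": "", "severity": 0, "patchable": False, "cves": [], "cvss3_base": 0.0}
    rows = []
    for host in ET.fromstring(host_xml).iter("HOST"):
        asset = {"host_id": text(host, "ID"), "ip": text(host, "IP"), "fqdn": text(host, "DNS_DATA/FQDN")}
        for det in host.findall("DETECTION_LIST/DETECTION"):
            if text(det, "STATUS") != "Active":
                continue  # Fixed/New/Re-Opened handling is left to the caller
            qid = text(det, "QID")
            rows.append({**asset, "qid": qid, "type": text(det, "TYPE"), "port": text(det, "PORT"),
                         "in_knowledgebase": qid in kb, **kb.get(qid, unknown)})
    return rows
```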

Qualys Hosts Sample

<HOST_LIST>
    <HOST>
        <ID>111</ID>
        <ASSET_ID/>
        <IP>10.10.10.10</IP>
        <TRURISK_SCORE_FACTORS>
            <TRURISK_SCORE_FORMULA/>
            <VULN_COUNT qds_severity="1">0</VULN_COUNT>
            <VULN_COUNT qds_severity="2">0</VULN_COUNT>
            <VULN_COUNT qds_severity="3">0</VULN_COUNT>
            <VULN_COUNT qds_severity="4">0</VULN_COUNT>
            <VULN_COUNT qds_severity="5">0</VULN_COUNT>
        </TRURISK_SCORE_FACTORS>
        <TRACKING_METHOD>Cloud Agent</TRACKING_METHOD>
        <DNS>ip-10-10-10-10.ec2.internal</DNS>
        <DNS_DATA>
            <HOSTNAME>ip-10-10-10-10</HOSTNAME>
            <DOMAIN>ec2.internal</DOMAIN>
            <FQDN>ip-10-10-10-10.ec2.internal</FQDN>
        </DNS_DATA>
        <CLOUD_PROVIDER>AWS</CLOUD_PROVIDER>
        <CLOUD_SERVICE>EC2</CLOUD_SERVICE>
        <CLOUD_RESOURCE_ID>i-000</CLOUD_RESOURCE_ID>
        <OS>Amazon Linux 2</OS>
        <QG_HOSTID>asdf</QG_HOSTID>
    </HOST>
    <HOST>
        <ID>222</ID>
        <ASSET_ID/>
        <IP>20.20.20.20</IP>
        <TRURISK_SCORE_FACTORS>
            <TRURISK_SCORE_FORMULA/>
            <VULN_COUNT qds_severity="1">0</VULN_COUNT>
            <VULN_COUNT qds_severity="2">0</VULN_COUNT>
            <VULN_COUNT qds_severity="3">0</VULN_COUNT>
            <VULN_COUNT qds_severity="4">0</VULN_COUNT>
            <VULN_COUNT qds_severity="5">0</VULN_COUNT>
        </TRURISK_SCORE_FACTORS>
        <TRACKING_METHOD>Cloud Agent</TRACKING_METHOD>
        <DNS>ip-20-20-20-20.us-west-2.compute.internal</DNS>
        <DNS_DATA>
            <HOSTNAME>ip-20-20-20-20</HOSTNAME>
            <DOMAIN>us-west-2.compute.internal</DOMAIN>
            <FQDN>ip-20-20-20-20.us-west-2.compute.internal</FQDN>
        </DNS_DATA>
        <CLOUD_PROVIDER>AWS</CLOUD_PROVIDER>
        <CLOUD_SERVICE>EC2</CLOUD_SERVICE>
        <CLOUD_RESOURCE_ID>i-111</CLOUD_RESOURCE_ID>
        <OS>Amazon Linux 2</OS>
        <QG_HOSTID>zxcv</QG_HOSTID>
    </HOST>
</HOST_LIST>