Overview

Qualys provides cloud security, compliance and related services. Its vulnerability management solutions are delivered in a software-as-a-service model, and it has added cloud-based compliance and web application security offerings.

Supported Data Types

  • Qualys Knowledgebase - this data type offers a list of vulnerabilities from Qualys’ KnowledgeBase.

  • Qualys Host Detections - this data type offers a list of hosts together with each host's latest vulnerability data, based on the host-based scan data available in the user's account.

Sending Data to Hunters

To enable Hunters to collect Qualys logs for your tenant, you will need to provide Hunters with:

  • Host - your Qualys platform host, which you can find in the Qualys documentation.

  • User

  • Password

Alternatively, you can collect the Qualys logs from your network into a shared storage service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters.

The expected log format is the XML format as exported by Qualys. It is recommended to log the full schema; however, any subset of the fields can be ingested, provided you supply your specific schema to Hunters.

Qualys API credentials sample:

{
  "host": "http://host.com",
  "user_id": "user",
  "password": "password"
}
Qualys data sample:
  • Qualys Knowledgebase:

    <VULN_LIST>
      <VULN>
        <QID>1</QID>
        <VULN_TYPE>Vulnerability</VULN_TYPE>
        <SEVERITY_LEVEL>3</SEVERITY_LEVEL>
        <TITLE><![CDATA[Title]]></TITLE>
        <CATEGORY>Database</CATEGORY>
        <LAST_SERVICE_MODIFICATION_DATETIME>2022-08-03T00:00:00Z</LAST_SERVICE_MODIFICATION_DATETIME>
        <PUBLISHED_DATETIME>2022-08-03T00:00:00Z</PUBLISHED_DATETIME>
        <PATCHABLE>1</PATCHABLE>
        <SOFTWARE_LIST>
          <SOFTWARE>
            <PRODUCT><![CDATA[product]]></PRODUCT>
            <VENDOR><![CDATA[vendor]]></VENDOR>
          </SOFTWARE>
        </SOFTWARE_LIST>
        <VENDOR_REFERENCE_LIST>
          <VENDOR_REFERENCE>
            <ID><![CDATA[id]]></ID>
            <URL><![CDATA[url]]></URL>
          </VENDOR_REFERENCE>
        </VENDOR_REFERENCE_LIST>
        <CVE_LIST>
          <CVE>
            <ID><![CDATA[CVE-id]]></ID>
            <URL><![CDATA[url]]></URL>
          </CVE>
        </CVE_LIST>
        <DIAGNOSIS><![CDATA[diagnosis]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[consequence]]></CONSEQUENCE>
        <SOLUTION><![CDATA[possible solution]]></SOLUTION>
        <CVSS>
          <BASE>5.0</BASE>
          <TEMPORAL>3.0</TEMPORAL>
          <VECTOR_STRING>vector</VECTOR_STRING>
        </CVSS>
        <CVSS_V3>
          <BASE>7.0</BASE>
          <TEMPORAL>6.0</TEMPORAL>
          <VECTOR_STRING>vector</VECTOR_STRING>
          <CVSS3_VERSION>3.0</CVSS3_VERSION>
        </CVSS_V3>
        <PCI_FLAG>1</PCI_FLAG>
        <THREAT_INTELLIGENCE>
          <THREAT_INTEL id="5"><![CDATA[Easy_Exploit]]></THREAT_INTEL>
        </THREAT_INTELLIGENCE>
        <DISCOVERY>
          <REMOTE>0</REMOTE>
          <AUTH_TYPE_LIST>
            <AUTH_TYPE>Unix</AUTH_TYPE>
          </AUTH_TYPE_LIST>
          <ADDITIONAL_INFO>Patch Available</ADDITIONAL_INFO>
        </DISCOVERY>
      </VULN>
    </VULN_LIST>
  • Qualys Host Detections:

    <HOST_LIST>
      <HOST>
        <ID>1</ID>
        <ASSET_ID>1</ASSET_ID>
        <IP>1.1.1.1</IP>
        <TRACKING_METHOD>IP</TRACKING_METHOD>
        <NETWORK_ID>0</NETWORK_ID>
        <OS><![CDATA[os]]></OS>
        <OS_CPE><![CDATA[cpe]]></OS_CPE>
        <DNS><![CDATA[dns]]></DNS>
        <DNS_DATA>
          <HOSTNAME><![CDATA[dub-citwi-01]]></HOSTNAME>
          <DOMAIN><![CDATA[iconcr.com]]></DOMAIN>
          <FQDN><![CDATA[dub-citwi-01.iconcr.com]]></FQDN>
        </DNS_DATA>
        <NETBIOS><![CDATA[netbios]]></NETBIOS>
        <LAST_SCAN_DATETIME>2022-08-03T11:10:19Z</LAST_SCAN_DATETIME>
        <LAST_VM_SCANNED_DATE>2022-08-03T11:10:19Z</LAST_VM_SCANNED_DATE>
        <LAST_VM_SCANNED_DURATION>1</LAST_VM_SCANNED_DURATION>
        <LAST_VM_AUTH_SCANNED_DATE>2022-08-03T11:10:19Z</LAST_VM_AUTH_SCANNED_DATE>
        <LAST_VM_AUTH_SCANNED_DURATION>1</LAST_VM_AUTH_SCANNED_DURATION>
        <DETECTION_LIST>
          <DETECTION>
            <QID>1</QID>
            <TYPE>Confirmed</TYPE>
            <SEVERITY>2</SEVERITY>
            <PORT>80</PORT>
            <PROTOCOL>tcp</PROTOCOL>
            <SSL>0</SSL>
            <RESULTS><![CDATA[result]]></RESULTS>
            <STATUS>Active</STATUS>
            <FIRST_FOUND_DATETIME>2017-06-11T04:55:13Z</FIRST_FOUND_DATETIME>
            <LAST_FOUND_DATETIME>2022-08-03T07:38:33Z</LAST_FOUND_DATETIME>
            <QDS severity="LOW">15</QDS>
            <QDS_FACTORS>
              <QDS_FACTOR name="name"><![CDATA[No_Patch]]></QDS_FACTOR>
            </QDS_FACTORS>
            <TIMES_FOUND>1</TIMES_FOUND>
            <LAST_TEST_DATETIME>2022-08-03T07:38:33Z</LAST_TEST_DATETIME>
            <LAST_UPDATE_DATETIME>2022-08-03T11:43:41Z</LAST_UPDATE_DATETIME>
            <IS_IGNORED>0</IS_IGNORED>
            <IS_DISABLED>0</IS_DISABLED>
            <LAST_PROCESSED_DATETIME>2022-08-03T11:43:41Z</LAST_PROCESSED_DATETIME>
          </DETECTION>
        </DETECTION_LIST>
      </HOST>
    </HOST_LIST>
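The two exports above are meant to be joined: a Host Detection record carries only a QID, and the title, CVE list, CVSS score and patchability come from the KnowledgeBase entry with that QID. The following Python is an added example, not Hunters' or Qualys' code, of that join over the XML format shown on this page. The XML strings are constructed samples in the shape of the exports above, and the set of "open" STATUS values is an assumption.

```python
import xml.etree.ElementTree as ET
# Constructed KnowledgeBase sample in the shape shown above (fields trimmed).
KB_XML = """<VULN_LIST>
<VULN><QID>1</QID><SEVERITY_LEVEL>3</SEVERITY_LEVEL><TITLE><![CDATA[Title]]></TITLE>
<PATCHABLE>1</PATCHABLE><CVE_LIST><CVE><ID><![CDATA[CVE-id]]></ID></CVE></CVE_LIST>
<CVSS_V3><BASE>7.0</BASE></CVSS_V3></VULN>
<VULN><QID>2</QID><SEVERITY_LEVEL>5</SEVERITY_LEVEL><TITLE><![CDATA[Other]]></TITLE>
<PATCHABLE>0</PATCHABLE><CVE_LIST/><CVSS_V3><BASE>9.8</BASE></CVSS_V3></VULN>
</VULN_LIST>"""

# Constructed Host Detection sample: one host, one Active and one Fixed detection.
HOST_XML = """<HOST_LIST><HOST><ID>1</ID><IP>1.1.1.1</IP>
<DNS_DATA><FQDN><![CDATA[host01.example.com]]></FQDN></DNS_DATA><DETECTION_LIST>
<DETECTION><QID>1</QID><TYPE>Confirmed</TYPE><PORT>80</PORT><STATUS>Active</STATUS>
<QDS severity="LOW">15</QDS></DETECTION>
<DETECTION><QID>2</QID><TYPE>Potential</TYPE><STATUS>Fixed</STATUS>
<QDS severity="CRITICAL">95</QDS></DETECTION>
</DETECTION_LIST></HOST></HOST_LIST>"""

def text(elem, path, default=""):
    """Stripped text of a child element, or default when it is absent or empty."""
    child = elem.find(path)
    return child.text.strip() if child is not None and child.text else default

def load_knowledgebase(xml_text):
    """Index KnowledgeBase VULN entries by QID so detections can be joined to them."""
    kb = {}
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        kb[text(vuln, "QID")] = {
            "title": text(vuln, "TITLE"),
            "severity": int(text(vuln, "SEVERITY_LEVEL", "0")),
            "patchable": text(vuln, "PATCHABLE") == "1",
            "cvss_v3": float(text(vuln, "CVSS_V3/BASE", "0")),
            "cves": [text(c, "ID") for c in vuln.iterfind("CVE_LIST/CVE")],
        }
    return kb

# open_statuses is an assumption about which Qualys STATUS values mean "still exposed".
def enrich_detections(host_xml, kb, open_statuses=("New", "Active", "Re-Opened")):
    """Flatten HOST/DETECTION pairs into findings joined to the KB by QID; drops
    detections whose STATUS is not open (e.g. Fixed) and tolerates unknown QIDs."""
    findings = []
    for host in ET.fromstring(host_xml).iter("HOST"):
        for det in host.iterfind("DETECTION_LIST/DETECTION"):
            if text(det, "STATUS") not in open_statuses:
                continue
            qid = text(det, "QID")
            findings.append({"host_ip": text(host, "IP"), "fqdn": text(host, "DNS_DATA/FQDN"),
                             "qid": qid, "type": text(det, "TYPE"), "port": text(det, "PORT"),
                             "qds": int(text(det, "QDS", "0")), **kb.get(qid, {})})
    return findings
```

If you ingest only a subset of fields, keep QID in both exports and STATUS in the detection export, or the join and the Fixed-filter above cannot be reproduced downstream.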