Qualys Dataflow for TotalAppSec (TAS) Connector
Qualys TotalAppSec (TAS) is an application security platform that provides visibility into web applications and APIs along with vulnerability and risk findings across the application layer. This connector ingests application assets and associated vulnerability findings into Qualys Enterprise TruRisk™ Platform (ETM), enabling correlation with other asset data to deliver unified exposure and risk insights across the attack surface.
Connector Details
Overview of the TAS connector capabilities.
| Vendor | Qualys |
| Product Name | TotalAppSec |
| Category | Application Security |
| Asset Types Supported | Web Applications, API Endpoints |
| Findings Supported | Yes |
| Version | 1.0.0 |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional (Qualys TAS to Qualys ETM) |
| Delta Support | Supported |
Connection Settings
User Roles and Permissions
Generate OAuth credentials (Client ID and Client Secret) from the Qualys Developer API Portal.
Authentication Details
| Name | Key | Type | Description |
|---|---|---|---|
| Base URL | baseURL | Dropdown | Base URL of TotalAppSec (e.g., https://gateway.qg1.apps.qualys.com) |
| Authentication Mechanism | - | Dropdown | OAuth |
| Client ID | clientId | String | OAuth Client ID |
| Client Secret | clientSecret | Encrypted | OAuth Client Secret |
How to Generate Client ID and Client Secret for Qualys Dataflow for TAS Connector
Subscription Level vs User Level
The Qualys platform supports two levels of client credentials:
| Subscription Level | Scoped to the entire subscription | Not Supported |
| User Level | Scoped to an individual user account | Supported |
TotalAppSec currently supports only user-level client credentials. Each user generates their own Client ID and Client Secret from their profile.
Steps to Generate Credentials
- Navigate to My Profile (click your avatar > View Profile)
- Locate the Auth ID Client Management section
- Create a new user level client
- The system generates a Client ID and Client Secret
The Client Secret is displayed only once at the time of creation. Copy and store it securely. If you lose the Client Secret, you will need to generate a new one.
Connector Configuration
Basic Details
- Log in to Qualys ETM.
- Navigate to Connectors > Integration.
- Select QoQ TAS UAI Connector and click Manage.
- Provide Name and Description.
- Enter authentication details (Client ID and Client Secret).
- Optionally enable IS IP Restricted to disable certificate validation using public IP.
Profiles
- Create a new profile.
- Select asset types that you want the connector to fetch from TAS:
  - APPLICATION
  - APICOLLECTION
- Configure schedule to determine frequency of occurrence:
  - Single occurrence or recurring
  - Define start and end date/time
- Save the profile.
Mapping Details
Data Model
The connector supports two asset models:
- Application + Findings
- API Collection + Findings
Transform Maps
Default transformation maps are provided and used during connector execution. You can clone or customize them if needed.
Application Mapping
| Source Field | Target Field |
|---|---|
| id | asset.assetHeader.externalAssetId |
| url | asset.assetDetail.applicationAssetClass.baseUrl |
| name | asset.assetDetail.name |
| createdDate | asset.assetDetail.sourceCreatedAt |
| updatedDate | asset.assetDetail.sourceUpdatedAt |
| findings[].id | findingGroup.findings[].externalFindingId |
| findings[].title | findingGroup.findings[].name |
| findings[].severity | findingGroup.findings[].severity |
API Collection Mapping
| Source Field | Target Field |
|---|---|
| id | asset.assetHeader.externalAssetId |
| openApiFile.url | asset.assetDetail.apiCollectionAssetClass.specificationUrl |
| name | asset.assetDetail.name |
| createdDate | asset.assetDetail.sourceCreatedAt |
| updatedDate | asset.assetDetail.sourceUpdatedAt |
| findings[].id | findingGroup.findings[].externalFindingId |
| findings[].severity | findingGroup.findings[].severity |
How Does a Connection Work?
The connector runs on a configured schedule or on-demand to fetch TAS application and API collection data.
Connector lifecycle states:
- Registered – Connector created
- Scheduled – Execution planned
- Processing – Data ingestion in progress
- Processed – Data successfully fetched
Processing may take up to 2 hours depending on data volume.
Viewing Assets and Findings in ETM
- Assets: Go to Inventory > Assets and select Application or API Collection.
- Findings: Navigate to Risk Management to view vulnerabilities.
API Endpoints
The APIs used to fetch assets and findings from Qualys TAS.
| Get Application + Findings | https://gateway.p01.eng.sjc01.qualys.com/tas/rest/webapp/4.0/search |
| Get API + Findings | https://gateway.p01.eng.sjc01.qualys.com/tas/rest/api/1.0/search |