Qualys Dataflow for VMDR Connector

Qualys VMDR is a cloud-based platform that expands the capabilities of the Qualys Cloud Platform. It allows organizations to discover, assess, prioritize, and patch critical vulnerabilities in real time across their global hybrid-IT landscape. The solution quantifies cyber risk, provides insights into risk posture, and offers actionable steps to reduce risk. Additionally, Qualys VMDR identifies malware and threat indicators globally. 

What is the Dataflow for VMDR Connector?

Qualys Dataflow for VMDR connector enables you to import VMDR findings and host assets data from another Qualys subscription, helping you to aggregate data from multiple Qualys subscriptions for better risk visibility. Qualys ETM then processes this data by:

  • Deduplicating redundant entries
  • Normalizing data formats
  • Enriching findings with additional context
  • Calculating risk scores using TruRisk

| Category | Supported Asset Type | Supported Finding Type |
| --- | --- | --- |
| API Connector | Host Asset | Vulnerability |

Prerequisites

The Qualys Dataflow for VMDR Connector is available on demand. To activate it for your subscription, contact your Technical Account Manager (TAM) or Qualys Support.

You need an active VMDR subscription to create this connector.

You will require your Base URL, Qualys username and password to authenticate yourself.

The Base URL for your platform is available at Qualys Platform Identification

Connector Configuration

Follow the steps below to get started.

Create a New API Connector

Basic Details

  1. Provide the Connector's Name and Description.
  2. Select the type of findings you want to import or export - currently, we support Vulnerability.
  3. Select the Asset Type - currently, we support Host Asset.
  4. Next, provide the API authentication details of the VMDR environment. You need to provide the following.

    1. Base URL
    2. Qualys Username 
    3. Qualys Password

Data Model

The VMDR API Connector offers an out-of-box data model mapping for you to map with Qualys ETM schema. You can view the schema to understand the attributes in the data model.

Transform Maps

Map the fields from VMDR to the corresponding fields in your target system. Transform Maps ensure the data is transformed correctly during the import or export process.

The VMDR Connector offers an out-of-box transform map for you to proceed without further configuration. View the map to understand the data transformation.

To learn more about the data mapping from VMDR to Qualys ETM, refer to Data Model Mapping.

Profile

Create a profile for your connector. A profile determines the connector status, the execution schedule, and the transform map to use. The connector follows the configuration of this profile for all future executions.

Click the "+" to create a new profile.

In the Add Profile screen, provide the necessary inputs for your new profile.

Provide a Name and Description.

You can filter findings by specifying the type of vulnerabilities and the severity score to discover.

You can also provide a Tag Filter, a list of tags separated by commas, to filter asset ingestion based on active Qualys tags.
For example, "eval-214027-test, exec-220563"

Select the required Transform Map for the data mapping.

The Status field determines whether the connector should be in Active or Inactive state after creation. 

Lastly, the Schedule section lets you create either a Single Occurrence schedule or a Recurring schedule. Provide the exact date and time for the Single Occurrence execution, or the Start and End date/time for the Recurring schedule.

Select Identification Rules

The Identification Rules are a set of out-of-the-box precedence rules set by Qualys CSAM. The connector discovers findings based on the order set by the selected Identification Rules.

You can proceed to the next step without making any changes to this screen.

If you don't want to use a specific rule, turn off the toggle next to it. However, ensure that at least one rule is selected.

To learn more about the different rules and options present in this screen, refer to the CSAM Online Help.

Once you are done with all the configuration, review the configurations provided in the previous steps. Ensure all details are correct and complete. Confirm the setup to finalize the configuration of the API connector.

Save and run the connector to process the data accordingly, transforming and importing it as per the configurations set.

How Does a Connection Work?

The VMDR connector functions through configured profiles that determine what data gets synchronized and when.

A connection usually involves creating a profile that defines which assets to import based on detection data types and asset types. The connector then executes automatically according to the schedule (or on demand), pulling asset data from VMDR into ETM, where it can be viewed alongside other security findings.

With the VMDR API Connector successfully configured, you are almost ready to view all the assets and findings from VMDR.

In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.

Connector States

A successfully configured connector goes through 4 states.

  1. Registered - The connector is successfully created and registered to fetch data from the vendor.
  2. Scheduled - The connector is scheduled to execute a connection with the vendor.
  3. Processing - A connection is executed and the connector is fetching the asset and findings data.
  4. Processed - The connector has successfully fetched the assets, but it may still be fetching the findings. Allow some more time for the connector to fetch the findings completely.

The Processed state indicates that the connector is successfully configured but is still importing all your assets and findings. This process (specifically for findings) may take some time.

This entire process may take some time to complete. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).

View Assets in ETM

Navigate to Enterprise TruRisk Management to get started with analyzing your Connector's vulnerability findings.

You can view the assets imported from the VMDR connection by navigating to the Inventory tab of ETM.

Go to Assets > Host to find all of your imported assets.

Use the token, inventory: (source: `VMDR`) to view all the imported VMDR assets.

Here, you can learn about the criticality of your assets and their Risk Scores. Click any asset to find more details about it.

Next, you can navigate to the Risk Management tab to view your vulnerability findings.

Go to Findings > Vulnerability to view all the discovered vulnerabilities.

Use the token, finding.vendorProductName: `VMDR` to view all the discovered VMDR vulnerabilities.

The imported vulnerability findings from VMDR provide rich context. Use these findings in the Qualys ETM to enhance your Risk Prioritization workflows and make informed business decisions.

To know more about how the VMDR API Connector leverages the findings, refer to the Qualys ETM Documentation.

Additional Resources

Additional Information related to VMDR Connector.

API Reference

Here are the APIs executed for the VMDR connection.

| Operation | Endpoint | Notes |
| --- | --- | --- |
| Auth API | https://<qualys_base_url>/api/4.0/fo/asset/host/ | Generates token (valid for 4 hrs) |
| Fetch Host Asset | https://<qualys_base_url>/api/4.0/fo/asset/host/ | truncation_limit = 200 |
| Fetch host list detection | https://<qualys_base_url>/api/4.0/fo/asset/host/vm/detection/ | truncation_limit = 500 |
| Fetch QID | http://qids.<qualys_platform>.qualys.com:50261/qid/1.0/ | URL/API will vary with respect to Qualys PODS |
| Fetch QVS | http://connector-metadata-service.connector-config.svc.cluster.local:8080/connector-metadata-service/connector-metadata/qvs-score | |

Data Model Map

This section explains the attribute mappings of the values from Qualys VMDR and Qualys ETM.

VMDR Asset Transformation Mapping

| Source Attribute Label | Target Attribute Label |
| --- | --- |
| ID | externalAssetId |
| VULNERABILITIES[].QID_INFO.qid.title | findingName |
| VULNERABILITIES[].UNIQUE_VULN_ID | externalFindingId |
| VULNERABILITIES[].SEVERITY | findingSeverity |
| DNS_DATA.HOSTNAME | assetName |
| CLOUD_RESOURCE_ID | cloudInstanceId |
| CLOUD_PROVIDER (AWS, Azure, GCP, OCI, Alibaba) | cloudProvider (EC2, AZURE, GCP, OCI, ALIBABA) |
| VULNERABILITIES[].QID_INFO.qid.cvssTemporal | cvss2Temporal |
| VULNERABILITIES[].QID_INFO.qid.cvssBase | cvssV2Base |
| VULNERABILITIES[].QID_INFO.qid.cvss3Base | cvss3Base |
| VULNERABILITIES[].QID_INFO.qid.cvss3Temporal | cvss3Temporal |
| VULNERABILITIES[].QDS.value | detectionScore |
| VULNERABILITIES[].QID_INFO.corExploit[].vendorName | exploitedByList |
| VULNERABILITIES[].QID_INFO.qid.description | findingDescription |
| VULNERABILITIES[].FIRST_FOUND_DATETIME | findingFirstFoundOn |
| VULNERABILITIES[].LAST_FOUND_DATETIME | findingLastFoundOn |
| VULNERABILITIES[].PORT | findingPort |
| VULNERABILITIES[].PROTOCOL | findingProtocol |
| VULNERABILITIES[].FIRST_REOPENED_DATETIME | findingReopenedOn |
| VULNERABILITIES[].STATUS | findingStatus |
| VULNERABILITIES[].TYPE | findingSubType |
| DNS_DATA.FQDN | fqdn |
| VULNERABILITIES[].IS_IGNORED | ignoreFinding |
| VULNERABILITIES[].QID_INFO.qid.consequence | impact |
| IP | ipAddress |
| VULNERABILITIES[].QID_INFO.qid.patchExist | isPatchAvailable |
| NETBIOS | netBiosName |
| OS | operatingSystemName |
| VULNERABILITIES[].QID_INFO.qid.solution | recommendation |
| VULNERABILITIES[].QID | sourceVulnerabilityId |
| VULNERABILITIES[].QID_INFO.qid.cvssAccessVector | vector |
| VULNERABILITIES[].MITRE_TACTIC_ID | id |
| VULNERABILITIES[].MITRE_TACTIC_NAME | name |
| VULNERABILITIES[].MITRE_TECHNIQUE_ID | id |
| VULNERABILITIES[].MITRE_TECHNIQUE_NAME | name |
| VULNERABILITIES[].QID_INFO.qid.cveId | cveId |
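
To make the path notation in the mapping concrete, the following added example (not Qualys code) applies a subset of the mappings to one host record, producing one finding per `VULNERABILITIES[]` entry and reporting source attributes the record lacks. The nested-dictionary record shape, the reading of `[]` as "each list element", the `externalAssetId` link on each finding, and the names `resolve`, `transform` and `SAMPLE_HOST` are assumptions made for illustration.

```python
# Added example: a subset of the page's transform map applied to a constructed record.
ASSET_MAP = {"ID": "externalAssetId", "IP": "ipAddress", "DNS_DATA.HOSTNAME": "assetName",
             "DNS_DATA.FQDN": "fqdn", "CLOUD_PROVIDER": "cloudProvider"}
# Paths here are relative to one VULNERABILITIES[] entry.
FINDING_MAP = {"QID": "sourceVulnerabilityId", "UNIQUE_VULN_ID": "externalFindingId",
               "SEVERITY": "findingSeverity", "QID_INFO.qid.cveId": "cveId",
               "QID_INFO.corExploit[].vendorName": "exploitedByList"}
# Source -> target cloud provider values as the mapping table lists them.
CLOUD_PROVIDER = {"AWS": "EC2", "Azure": "AZURE", "GCP": "GCP", "OCI": "OCI", "Alibaba": "ALIBABA"}

SAMPLE_HOST = {  # constructed input, not real scan data; HOSTNAME left out on purpose
    "ID": "1001", "IP": "10.0.0.5", "CLOUD_PROVIDER": "AWS",
    "DNS_DATA": {"FQDN": "web01.example.com"}, "VULNERABILITIES": [
        {"QID": "90001", "UNIQUE_VULN_ID": "5001", "SEVERITY": "4",
         "QID_INFO": {"qid": {"cveId": "CVE-PLACEHOLDER-1"},
                      "corExploit": [{"vendorName": "vendor-a"}, {"vendorName": "vendor-b"}]}},
        {"QID": "90002", "UNIQUE_VULN_ID": "5002", "SEVERITY": "2", "QID_INFO": {"qid": {}}},
    ]}

def resolve(node, path):
    """Walk a dotted path; a 'KEY[]' segment fans out over a list of objects."""
    segs = path.split(".")
    for i, seg in enumerate(segs):
        if not isinstance(node, dict):
            return None
        if seg.endswith("[]"):
            rest = ".".join(segs[i + 1:])
            return [resolve(it, rest) if rest else it for it in node.get(seg[:-2]) or []]
        node = node.get(seg)
    return node

def transform(host):
    """Return (asset, findings, missing); one finding per VULNERABILITIES[] entry."""
    asset, findings, missing = {}, [], []
    for src, dst in ASSET_MAP.items():
        val = resolve(host, src)
        if val is None:
            missing.append(src)  # source attribute absent: target field stays unset
        else:
            asset[dst] = CLOUD_PROVIDER.get(val, val) if dst == "cloudProvider" else val
    for n, vuln in enumerate(host.get("VULNERABILITIES", [])):
        finding = {"externalAssetId": asset.get("externalAssetId")}  # assumed asset link
        for src, dst in FINDING_MAP.items():
            val = resolve(vuln, src)
            if val is None:
                missing.append(f"VULNERABILITIES[{n}].{src}")
            else:
                finding[dst] = val
        findings.append(finding)
    return asset, findings, missing
```

Calling `transform(SAMPLE_HOST)` returns the mapped asset, two findings, and the list of source attributes that were absent, which is a quick way to spot records that will arrive in ETM with empty target fields.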