Register Integration

Registers an integration.

POST /partner-integration/aws/s3/vm

Input Parameters

Parameter

Optional/Mandatory

Data Type

Description

bucketName={value}

Mandatory Integer

Provide the name of the AWS S3 bucket being used for integration. Set to " " if the parameter does not apply. 

bucketRegion={value}

Mandatory Integer

Provide the region where the AWS S3 bucket is located.

roleArn={value}

Mandatory Integer

Specify the ARN of the cross-account role which you created in your AWS account.

accessPointArn Mandatory string

Provide the Access Point ARN. Steps to obtain this value are documented in step 4 of the AWS S3 Configuration. Set to " " if the parameter does not apply.

When both bucketName and accessPointArn are set, the bucketName value is prioritized.

name={value}

Mandatory Integer

Provide a unique name for the integration in the API request. The maximum length allowed for the name is 50 characters.

filterQuery

Optional

string

Filter vulnerabilities and assets using the supported tokens.

resultSectionNeeded={true|false}

 Optional Boolean

Set this to true to include the result section in the finding. If you want to exclude the result section, set this parameter to false.

By default, the resultSectionNeeded parameter is configured to false.

sendVulnInfo={true|false}

 Optional Boolean

Set this to true if you need the vulnerability information. If you want to exclude the vulnerability information, set this parameter to false.

By default, the sendVulnInfo parameter is configured to false.

compressData={true|false}

 Optional Boolean

Set this to true to compress the response data. It saves on disk and network IO. If you want to exclude the compression, set this parameter to false.

By default, the compressData parameter is configured to true.

sendAlerts

 Optional Boolean

Set to true to receive ProActive alert notifications.

errorEmails

 Optional  

When sendAlerts is set to true, provide the email list for ProActive Alert notifications. Add up to a maximum of 5 email addresses as comma-separated values.

Filter Query Tokens

The Qualys Query Language is used to build search queries and fetch information from the Qualys database. You can pick the tokens from our repository and build your own query to find the relevant information.
For example, the query below fetches assessments of a specified QID, discovers ignored vulnerabilities, and searches within the specified range of dates.

"vuln" : "qId: 11547 ignored: true AND lastUpdate: [2023-07-06 .. 2023-07-07]"

The query below fetches information about a specified asset ID within the provided IP range.

"asset" : "assetUuid: `151334c4-3811-40b5-ba92-cfd0064eb9f4` AND ip: (1.1.1.1 .. 5.5.5.5)"

Learn more about building search queries using the Qualys Query Language (QQL) here.

The “Now” keyword is not supported for QQL currently. Building search queries with it will not produce any results.

The tokens listed below can be used to create the filterQuery for vulnerabilities and assets.

Vulnerability Filter Tokens:

Token Data Type Description
qid LONG

Filters by Qualys ID (QID). Represents Confirmed, Potential, or Information Gathered QIDs. Example: qid: 45017

port LONG

Filters by port on which the QID is detected. Supports single port or range. Applies to TCP or UDP. Example: port: 22 or port: (10001 .. 10005)

ignored BOOLEAN

Indicates whether the reported QID is ignored. 1 = true, 0 = false. Example: ignored: 1

Disabled BOOLEAN

Indicates whether the reported QID is disabled. 1 = true, 0 = false.

ssl BOOLEAN

Indicates whether the vulnerability instance is associated with an SSL/TLS-enabled service. 1 = SSL enabled, 0 = not SSL, Null = not applicable. Example: ssl: 1

protocol STRING

Indicates the transport protocol of the service/port where the vulnerability was detected. Example: protocol: TCP

timesFound LONG

Represents how many times the QID is reported on the scanned asset. Example: timesFound > 3

status STRING

Represents vulnerability lifecycle status: 1 = NEW, 2 = ACTIVE, 3 = FIXED, 4 = REOPENED
Example: status: 2

firstFound STRING

Date when the QID was first detected on the asset. Supports range queries. Example: firstFound: [01-07-23 .. 07-07-23]

lastUpdate STRING

Date when the QID record was last updated. Supports range queries.

lastProcessed STRING

Date when the QID was last processed internally.

lastReopened STRING

Date when the QID was reopened after being fixed.

lastFixed STRING

Date when the QID was marked as fixed.

lastFound STRING

The most recent date the QID was detected on the scanned asset.

lastTest STRING

Date when the QID was last tested during a scan.

patchable BOOLEAN

Indicates whether a Qualys patch is available for the QID based on the detected operating system. 1 = Patch available, 0 = No patch available. Example: patchable: 1

superseded BOOLEAN

Indicates whether the QID has been superseded by another QID based on the detected operating system. 1 = Superseded, 0 = Not superseded. Example: superseded: 1

runningKernel BOOLEAN

Indicates whether the vulnerability is associated with the currently running kernel. 1 = Vulnerability detected on running kernel (potentially exploitable), 0 = Detected on non-running kernel (currently not exploitable). Example: runningKernel: 1

runningService BOOLEAN

Indicates whether the vulnerability is associated with a running service. 1 = Service is running (vulnerability currently exploitable), 0 = Service not running (not currently exploitable). Example: runningService: 1

category STRING

Supported values are {IG|Potential|Confirmed}

Filters by vulnerability classification category. Supported values: IG (Information Gathered), Potential, Confirmed.

severity LONG

Supported values are {1|2|3|4|5}

Filters by Qualys severity level: 1 = Minimal, 2 = Low, 3 = Medium, 4 = High, 5 = Critical. Example: severity: 5

The category token lets you specify which vulnerabilities fetched from Qualys (VM/VMDR app) are posted to the AWS S3 bucket. The valid values are IG, Confirmed, and Potential.

By default, it is configured to Confirmed. In this case, only confirmed vulnerabilities are included.

The severity token lets you specify the minimum severity level of the vulnerabilities fetched from Qualys (VM/VMDR app) that are posted to the AWS S3 bucket.

Asset Filter Tokens:

Token Data Type Description
assetId LONG

Unique identifier for the processed asset in the portal. Use to target a specific asset record. Example: assetId: 120045

assetUuid STRING

Unique identifier in UUID format for the processed asset in the portal. Example: assetUuid: `151334c4-3811-40b5-ba92-cfd0064eb9f4`

hostId LONG

Unique identifier for the processed asset in QWEB. Example: hostId: 987654

netBios STRING

NetBIOS name of the asset. Example: NetBIOS: WIN-SRV-01

dns STRING

DNS hostname of the asset. Example: dns: server01.company.com

ip STRING

IPv4 or IPv6 address of the asset. Supports single IP or range queries. Example: ip: 192.168.1.10 or ip: (1.1.1.1 .. 5.5.5.5)

os STRING

Operating system detected on the asset. Example: os: "Windows Server 2019"

trackingMethod STRING

Asset categorization method: 1 = IP Tracked, 2 = DNS Tracked, 3 = NETBIOS Tracked, 4 = Cloud Agent, 5 = OT Devices, 101 = EC2 Tracked, 103 = Azure Tracked, 104 = GCP Tracked. Example: trackingMethod: 4

Sample - Using S3 Bucket Name

API Request

curl -H "Authorization: Bearer <token>" -H "Content-Type: application/json" "<qualys_gateway_url>/partner-integration/aws/s3/vm" --data "@integration.json"
	  

'integration.json' contains the request POST data.

Request POST Data (integration.json)

{
  "name": "string",
  "bucketName": "string",
  "bucketRegion": "string",
  "roleArn": "string",
  "resultSectionNeeded": true,
  "sendVulnInfo": true,
  "compressData": true,
  "sendAlerts": true,
  "errorEmails": [
    "string"
  ],
  "filterQuery": {
    "vuln": "category: [`Confirmed`] AND severity >= 3 and superseded: true and runningKernel: true and runningService: true and isPatchable: true",
    "asset": "string"
  }
}  
	  

Output

{
   "integrationId":5,
   "externalId":"US_POD_1-1-xxxxxxxx-xxxx-xxxx-xxxxxx-xxxxxxxxxxxxx"
}	  
	  

Sample - Using S3 Access Point ARN

API Request

curl -H "Authorization: Bearer <token>" -H "Content-Type: application/json" "<qualys_gateway_url>/partner-integration/aws/s3/vm" --data "@integration.json"
	  

'integration.json' contains the request POST data.

Request POST Data (integration.json)

{
  "name": "string",
  "bucketName": "string",
  "accessPointArn": "string",
  "bucketRegion": "string",
  "roleArn": "string",
  "resultSectionNeeded": true,
  "sendVulnInfo": true,
  "compressData": true,
  "sendAlerts": true,
  "errorEmails": [
    "string"
  ],
  "filterQuery": {
    "vuln": "category: [`Confirmed`] AND severity >= 3 and superseded: true and runningKernel: true and runningService: true and isPatchable: true",
    "asset": "string"
  }
} 

	  

Output

{
   "integrationId":5,
   "externalId":"US_POD_1-1-xxxxxxxx-xxxx-xxxx-xxxxxx-xxxxxxxxxxxxx"
}	  
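A pre-flight check for integration.json that applies the rules from the parameter table and the note on the "Now" keyword, added here as an example and not part of the Qualys documentation. The function name, error strings, IAM role ARN pattern and sample values are assumptions of this example, as is the rule that at least one of bucketName and accessPointArn must be non-blank.

```python
import re

# Defaults stated in the parameter table; the other names are this example's own.
DEFAULTS = {"resultSectionNeeded": False, "sendVulnInfo": False, "compressData": True}
# Assumption: standard IAM role ARN shape (partition, 12-digit account ID, role name).
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def validate_integration(payload):
    """Return (errors, effective_settings) for a register-integration body."""
    errors = []
    name = payload.get("name")
    if not isinstance(name, str) or not name.strip() or len(name) > 50:
        errors.append("name: required, at most 50 characters")
    if not str(payload.get("bucketRegion") or "").strip():
        errors.append("bucketRegion: required")
    if not ROLE_ARN.match(str(payload.get("roleArn") or "")):
        errors.append("roleArn: not a cross-account IAM role ARN")
    bucket = str(payload.get("bucketName") or "").strip()
    access_point = str(payload.get("accessPointArn") or "").strip()
    if not bucket and not access_point:  # both left as " "
        errors.append("destination: set bucketName or accessPointArn")
    for flag in (*DEFAULTS, "sendAlerts"):
        if flag in payload and not isinstance(payload[flag], bool):
            errors.append(f"{flag}: must be true or false")
    emails = payload.get("errorEmails", [])
    if not isinstance(emails, list) or len(emails) > 5:
        errors.append("errorEmails: list of at most 5 addresses")
    elif payload.get("sendAlerts") is True and not emails:
        errors.append("errorEmails: required when sendAlerts is true")
    for scope, query in payload.get("filterQuery", {}).items():
        if scope not in ("vuln", "asset"):
            errors.append(f"filterQuery.{scope}: unknown key")
        elif re.search(r"\bnow\b", str(query), re.IGNORECASE):
            errors.append(f"filterQuery.{scope}: 'Now' keyword is not supported")
    effective = {k: payload.get(k, v) for k, v in DEFAULTS.items()}
    effective["destination"] = bucket or access_point  # bucketName is prioritized
    return errors, effective

# Constructed sample body; the account ID, names and addresses are placeholders.
SAMPLE = {
    "name": "vm-findings-to-s3",
    "bucketName": "example-findings-bucket",
    "accessPointArn": "arn:aws:s3:us-east-1:111122223333:accesspoint/example-ap",
    "bucketRegion": "us-east-1",
    "roleArn": "arn:aws:iam::111122223333:role/example-qualys-s3-role",
    "sendAlerts": True,
    "errorEmails": ["secops@example.com"],
    "filterQuery": {"vuln": "category: [`Confirmed`] AND severity >= 3"},
}
```

Running the check before the POST shows which destination the request resolves to when both bucketName and accessPointArn are set, and which optional flags fall back to their defaults.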

Related Topics

Validate Integration