Update Integration
Updates the integration details such as bucket name, bucket region, Severity, Category, name, resultSectionNeeded, sendVulnInfo, compressData, and roleArn of the AWS S3 bucket with Qualys.
You can also regenerate the externalID using this API if needed. If you regenerate the externalID using this API, you must re edit the trust relationship. For more information, see Appendix : Editing Trust Relationship after Regenerating External ID.
Input ParametersInput Parameters
|
Parameter |
Optional /Mandatory |
Data Type |
Description |
|---|---|---|---|
|
id |
Optional | Integer |
It is IntegrationID provided by Qualys. |
|
bucketName={value} |
Mandatory | Integer |
Provide the name of the AWS S3 bucket being used for integration. Set to " " if the parameter does not apply. |
|
bucketRegion={value} |
Optional | Text |
Provide the region where the AWS S3 bucket is located. |
|
roleArn={value} |
Mandatory | Text |
Specify the ARN of the cross-account role that you created in your AWS account. |
| accessPointArn | Mandatory | string |
Provide the Access Point ARN. Steps to obtain this value are documented in step 4 of the AWS S3 Configuration. Set to "null" if the parameter does not apply. When both bucketName and accessPointArn are set, the bucketName value is prioritized. |
|
name={value} |
Mandatory | Text |
Provide a unique name for the integration in the API request. The maximum length allowed for the name is 50 characters. |
|
minSeverity={value} |
Optional | Text |
The minimum severity level of the vulnerabilities fetched from Qualys (VM/VMDR app) to be posted on the AWS S3 bucket. |
|
filterQuery |
Optional |
string |
Filter vulnerabilities and assets using the supported tokens listed below. The default values for severity is 3 category is "Confirmed". |
|
sendVulnInfo={true|false} |
Optional | Boolean |
Set this to true if you need the vulnerability information. Set this parameter to false if you want to exclude the vulnerability information. By default, the sendVulnInfo parameter isconfigured to false. |
|
compressData={true|false} |
Optional | Boolean |
Set this to true to compress the data in the response. It saves on disk and network IO. If you want to exclude the compression, set this parameter to false. By default, the compressData parameter is configured to be true. |
|
regenerateExternalId |
Optional | Boolean |
Set this to true if you want to regenerate the external ID. The default value is set to false. |
|
sendAlerts |
Optional | Boolean |
Set to true to receive ProActive alert notifications. |
|
errorEmails |
Optional | text |
When sendAlerts is set to true, provide the email list for ProActive Alert notifications. Add up to list of maximum of 5 email addresses as comma-separated values. |
Filter Query Tokens
The Qualys Query Language is used to build search queries and fetch information from the Qualys database. You can pick the tokens from our repository and build your own query to find the relevant information.
For example, the below query fetches assessments of a specified qid, discovers ignored vulnerabilities and searches from the specified range of dates.
"vuln" : "qId: 11547 ignored: true AND lastUpdate: [2023-07-06 .. 2023-07-07]"
The below query fetches information of a specified asset id within the provided IP range.
"asset" : "assetUuid: `151334c4-xxxx-xxxx-xxxx-cfd0064eb9f4` AND ip: (1.1.1.1 .. 5.5.5.5)"
Learn more about building search queries using the Qualys Query Language (QQL) here.
The “Now” keyword is not supported for QQL currently. Building search queries with it will not produce any results.
The tokens listed below can be used to create the filterQuery for vulnerabilities and assets.
Vulnerbility Filter Tokens:
| Token | Data Type | Description |
|---|---|---|
| qid | LONG |
Filters by Qualys ID (QID). Represents Confirmed, Potential, or Information Gathered QIDs. Example: qid: 45017 |
| port | LONG |
Filters by port on which the QID is detected. Supports single port or range. Applies to TCP or UDP. Example: port: 22 or port: (10001 .. 10005) |
| ignored | BOOLEAN |
Indicates whether the reported QID is ignored. 1 = true, 0 = false. Example: ignored: 1 |
| Disabled | BOOLEAN |
Indicates whether the reported QID is disabled. 1 = true, 0 = false. |
| ssl | BOOLEAN |
Indicates whether the vulnerability instance is associated with an SSL/TLS-enabled service. 1 = SSL enabled, 0 = not SSL, Null = not applicable. Example: ssl: 1 |
| protocol | STRING |
Indicates the transport protocol of the service/port where the vulnerability was detected. Example: protocol: TCP |
| timesFound | LONG |
Represents how many times the QID is reported on the scanned asset. Example: timesFound > 3 |
| status | STRING |
Represents vulnerability lifecycle status: 1 = NEW, 2 = ACTIVE, 3 = FIXED, 4 = REOPENED. Example: status: 2 |
| firstFound | STRING |
Date when the QID was first detected on the asset. Supports range queries. Example: firstFound: [01-07-23 .. 07-07-23] |
| lastUpdate | STRING |
Date when the QID record was last updated. Supports range queries. |
| lastProcessed | STRING |
Date when the QID was last processed internally. |
| lastReopened | STRING |
Date when the QID was reopened after being fixed. |
| lastFixed | STRING |
Date when the QID was marked as fixed. |
| lastFound | STRING |
Most recent date the QID was detected on the scanned asset. |
| lastTest | STRING |
Date when the QID was last tested during a scan. |
|
category Supported values are
|
STRING |
Filters by vulnerability classification category. Supported values:IG – Information GatheredPotentialConfirmed |
| severity Supported values are {1|2|3|4|5} |
LONG |
Filters by Qualys severity level:1 = Minimal2 = Low3 = Medium4 = High5 = CriticalExample: severity: 5 |
| removeVulnFilter | BOOLEAN | Controls whether the vulnerability filter is applied. When set to 1 (true), the defined vulnerability filter criteria are ignored and vulnerabilities are returned without applying the filterQuery. When set to 0 (false), the specified vulnerability filters are enforced. Example: removeVulnFilter: true |
The category token lets you specify the vulnerabilities fetched from Qualys (VM/VMDR app) to be posted on the AWS S3. The valid values are IG, Confirmed, and Potential.
By default, it is configured to Confirmed. In this case, only confirmed vulnerabilities are included.
The severity token lets you specify the minimum severity level of the vulnerabilities fetched from Qualys (VM/VMDR app) to be posted on the AWS S3 bucket.
Asset Filter Tokens:
| Token | Data Type | Description |
|---|---|---|
| assetId | LONG |
Unique identifier for the processed asset in the portal. Use to target a specific asset record. Example: assetId: 120045 |
| assetUuid | STRING |
Unique identifier in UUID format for the processed asset in the portal. Example: assetUuid: \151334c4-3811-40b5-ba92-cfd0064eb9f4`` |
| hostId | LONG |
Unique identifier for the processed asset in QWEB. Example: hostId: 987654 |
| netBios | STRING |
NetBIOS name of the asset. Example: NetBIOS: WIN-SRV-01 |
| dns | STRING |
DNS hostname of the asset. Example: dns: server01.company.com |
| ip | STRING |
IPv4 or IPv6 address of the asset. Supports single IP or range queries. Example: ip: 192.168.1.10 or ip: (1.1.1.1 .. 5.5.5.5) |
| os | STRING |
Operating system detected on the asset. Example: os: "Windows Server 2019" |
| trackingMethod | STRING |
Asset categorization method:1 = IP Tracked2 = DNS Tracked3 = NETBIOS Tracked4 = Cloud Agent5 = OT Devices101 = EC2 Tracked103 = Azure Tracked104 = GCP TrackedExample: trackingMethod: 4 |
| removeAssetFilter | BOOLEAN | Controls whether the asset filter is applied. When set to 1 (true), the defined asset filter criteria are ignored and assets are returned without applying the filterQuery. When set to 0 (false), the specified asset filters are enforced. Example: removeAssetFilter: true |
When updating filterQuery values, previously used tokens will not be retained automatically. To keep any of them, you must reinclude them in the updated vulnerability or asset queries. Filter updates replace the entire query—they do not append to it. For example, to retain your Category and Severity values specified in the S3 registration, you have to give the following -
category: [`Confirmed`] AND severity >= 3 and superseded: true and runningKernel: true and runningService: true and isPatchable: true
This example is for updating the configuration details of the AWS S3 bucket integration by providing the integration ID in the request.
API Request
"curl -X PUT
--header""Content-Type:application/json""<qualys_gateway_url>/partner-integration/aws/s3/{id}/vm""--data""@integration.json""-H""Authorization: Bearer <token>"
'integration.json' contains the request PUT data.
Request PUT Data (integration.json)
{
"name": "string",
"bucketName": "string",
"bucketRegion": "string",
"roleArn": "string",
“accessPointArn”: “string”
"resultSectionNeeded": true,
"sendVulnInfo": true,
"compressData": true,
"sendAlerts": true,
"errorEmails": [
"string"
],
"filterQuery": {
"vuln": "category: [`Potential`] AND severity >= 4 and superseded: true and runningKernel: true and runningService: true and isPatchable: true",
"asset": "string",
"removeVulnFilter": false,
"removeAssetFilter": true
}
}
Output
{
"messsage":"AWS S3 VM integration successfully updated."
}
This sample is for updating the configuration details of the AWS S3 bucket integration by setting regenerateExternalId to true.
API Request
"curl -X PUT
--header""Content-Type:application/json""<qualys_gateway_url>/partner-integration/aws/s3/{id}/vm""--data""@integration.json""-H""Authorization: Bearer <token>"
Note: “integration.json” contains the request PUT data.
Request PUT Data (integration.json)
{
"name": "string",
"bucketName": "string",
"bucketRegion": "string",
"roleArn": "string",
"resultSectionNeeded": true,
"sendVulnInfo": true,
"compressData": true,
"regenerateExternalId": true,
"sendAlerts": true,
"errorEmails": [
"string"
],
"filterQuery": {
"vuln": "string",
"asset": "string"
}
}
Output
{
"message":"AWS S3 VM Integration successfully updated.",
"externalId":"US_POD_1-1- xxxxxxxx-xxxx-xxxx-xxxxxx-xxxxxxxxxxxxx"
}