Add Azure Sentinel Integration
The first step of the integration is to create the Azure Sentinel integration itself. To add it, provide the workspace ID and primary key of your Azure workspace in the API request body; both values are obtained from the Log Analytics workspace you created in Azure. You can also specify the optional parameters (base category, minimum severity, and so on) as required. The primary key authorizes writes to the workspace, so handle it as a secret: keep it out of shell history, source control, and logs.
Once the Azure Sentinel integration is created, the response returns a unique integration identifier (integrationId) that you use in subsequent calls for this integration.
Input Parameters

| Parameter | Optional/Mandatory | Data Type | Description |
|---|---|---|---|
| workspaceId={value} | Mandatory | Text | The unique ID (GUID) assigned to the Log Analytics workspace that Azure Sentinel uses. |
| primaryKey={value} | Mandatory | Text | The primary key of that workspace. Treat it as a secret; it grants write access to the workspace. |
| name={value} | Mandatory | Text | A unique name for the integration. The maximum length is 50 characters. |
| baseCategory={IG\|Potential\|Confirmed} | Optional | Text | Category of the vulnerabilities fetched from Qualys (VM/VMDR app) that are posted to Azure Sentinel. Valid values are IG, Potential, and Confirmed. The default is Confirmed, which includes only confirmed vulnerabilities. Potential includes both Potential and Confirmed vulnerabilities. IG includes all three categories: IG, Potential, and Confirmed. |
| customLogName={value} | Optional | Text | A unique name for the custom log written through the Data Collector API; the log details are identified by this name. If omitted, QUALYS_SECURITY_VM_FINDINGS is used. The name may contain only letters, digits, and underscores (_) and must not exceed 100 characters. |
| minSeverity={value} | Optional | Integer | The minimum severity level (1 to 5) of the vulnerabilities fetched from Qualys (VM/VMDR app) that are posted to Azure Sentinel. The default is 3, so severity 3 and above is posted. For example, setting the value to 1 posts all findings of severity 1 to 5. |
| resultSectionNeeded={true\|false} | Optional | Boolean | Set to true to include the result section of each finding in the data posted to Azure Sentinel; set to false to exclude it. The default is false. |
| apiVersion={value} | Optional | String | Azure Sentinel Data Collector API version. The default is 2016-04-01. For the supported versions, see the Data Collector API page on Microsoft Learn. |
Add Azure Sentinel Integration
API Request
```bash
curl --location --request POST "<qualys_gateway_url>/partner-integration/azure/sentinel" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  --data "@integration.json"
```
Note: "integration.json" contains the request POST data.
Request POST Data (integration.json)
```json
{
  "workspaceId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "primaryKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "minSeverity": 4,
  "baseCategory": "Potential",
  "customLogName": "QUALYS_FINDINGS",
  "name": "Sample Integration",
  "resultSectionNeeded": false,
  "apiVersion": "2016-04-01"
}
```
JSON Output
```json
{
  "integrationId": 68
}
```
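The following Python script is an added example, not Qualys's own code or part of the original page. It builds the request body described in the parameter table, checks it against the documented limits before anything is sent (name length, baseCategory values, customLogName character set, severity range), posts it with the bearer token, and reads integrationId from the response. The GUID check on workspaceId is an assumption drawn from the shape of the sample body; the environment variable names (QUALYS_GATEWAY_URL, QUALYS_TOKEN, SENTINEL_WORKSPACE_ID, SENTINEL_PRIMARY_KEY) are hypothetical and are used so the primary key never appears on the command line.

```python
import json
import os
import re
import urllib.request

ENDPOINT = "/partner-integration/azure/sentinel"
VALID_CATEGORIES = ("IG", "Potential", "Confirmed")
# Assumption: workspace IDs are GUIDs, matching the XXXXXXXX-XXXX-... pattern in the sample body.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# customLogName: letters, digits and underscore only, at most 100 characters (from the table).
LOG_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def build_integration_body(workspace_id, primary_key, name, *, base_category="Confirmed",
                           custom_log_name=None, min_severity=3,
                           result_section_needed=False, api_version="2016-04-01"):
    """Assemble the POST body; keyword defaults mirror the defaults in the parameter table."""
    body = {
        "workspaceId": workspace_id,
        "primaryKey": primary_key,
        "name": name,
        "baseCategory": base_category,
        "minSeverity": min_severity,
        "resultSectionNeeded": result_section_needed,
        "apiVersion": api_version,
    }
    if custom_log_name is not None:  # omitted -> service default QUALYS_SECURITY_VM_FINDINGS
        body["customLogName"] = custom_log_name
    return body


def validate_integration_body(body):
    """Return a list of problems; an empty list means the body satisfies the documented limits."""
    problems = []
    if not GUID_RE.match(str(body.get("workspaceId", ""))):
        problems.append("workspaceId must be a GUID")
    if not body.get("primaryKey"):
        problems.append("primaryKey is mandatory")
    name = body.get("name") or ""
    if not name or len(name) > 50:
        problems.append("name is mandatory and limited to 50 characters")
    if body.get("baseCategory") not in VALID_CATEGORIES:
        problems.append("baseCategory must be one of IG, Potential, Confirmed")
    sev = body.get("minSeverity")
    if isinstance(sev, bool) or not isinstance(sev, int) or not 1 <= sev <= 5:
        problems.append("minSeverity must be an integer from 1 to 5")
    log_name = body.get("customLogName")
    if log_name is not None and not LOG_NAME_RE.match(log_name):
        problems.append("customLogName: letters, digits, underscore only, max 100 characters")
    if not isinstance(body.get("resultSectionNeeded"), bool):
        problems.append("resultSectionNeeded must be a boolean")
    return problems


def parse_integration_response(raw):
    """Extract the integration identifier from the JSON response body."""
    return int(json.loads(raw)["integrationId"])


def redact(body):
    """Copy of the body that is safe to log: the primary key is a workspace-wide secret."""
    safe = dict(body)
    safe["primaryKey"] = "***"
    return safe


def create_integration(gateway_url, token, body, opener=urllib.request.urlopen):
    """POST the body and return the new integrationId; rejects a bad body before any network I/O."""
    problems = validate_integration_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        gateway_url.rstrip("/") + ENDPOINT,
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return parse_integration_response(resp.read())


if __name__ == "__main__":
    # Secrets are read from the environment (hypothetical variable names) so they stay out of
    # shell history; with no credentials set, the script only validates and prints the body.
    body = build_integration_body(
        os.environ.get("SENTINEL_WORKSPACE_ID", "12345678-1234-1234-1234-123456789abc"),
        os.environ.get("SENTINEL_PRIMARY_KEY", "placeholder-key"),
        "Sample Integration", base_category="Potential", min_severity=4,
        custom_log_name="QUALYS_FINDINGS")
    print("problems:", validate_integration_body(body) or "none")
    print("request body:", redact(body))
    if "QUALYS_GATEWAY_URL" in os.environ and "QUALYS_TOKEN" in os.environ:
        print("integrationId:", create_integration(
            os.environ["QUALYS_GATEWAY_URL"], os.environ["QUALYS_TOKEN"], body))
```

Validation runs locally before the call, so a name over 50 characters or a customLogName with a hyphen is caught without spending an API request, and the redact helper is what should reach any log line, never the raw body.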