Enable Azure Storage Blob Integration
The first step is to enable the Azure Storage Blob integration. To do so, provide a name and a connection string in the API request body. The connection string can be obtained from the Azure Blob storage container that you have created. You can specify other optional parameters (base category, minimum severity, and so on) as per your requirement.
Once you create the integration, the response provides a unique integration identifier (id) for the Azure Storage Blob integration.
Input Parameters
| Parameter | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| connectionString={value} | Mandatory | String | Provide the connection string assigned to the container in Azure Storage Blob. |
| minSeverity={value} | Optional | Text | The minimum severity level of the vulnerabilities fetched from Qualys (VM/VMDR app) to be posted on Azure Storage Blob. By default, it is configured to severity level 3 and above. For example, if you set the value to 1, all findings with severity levels 1 to 5 are fetched and available on Azure Storage Blob. |
| baseCategory={IG\|Potential\|Confirmed} | Optional | Text | The category of the vulnerabilities fetched from Qualys (VM/VMDR app) to be posted on Azure Storage Blob. The valid values are IG, Confirmed, and Potential. |
| name={value} | Mandatory | Text | Provide a unique name for the integration in the API request. The maximum length allowed for a name is 50 characters. |
| resultSectionNeeded={true\|false} | Optional | Boolean | Set this to true to include the result section in the findings. By default, the resultSectionNeeded parameter is set to false. |
| sendVulnInfo={true\|false} | Optional | Boolean | Set this to true if you need the vulnerability information. By default, the sendVulnInfo parameter is set to false. |
| compressData={true\|false} | Optional | Boolean | Set this to true to compress the data in the response. Batching and compressing the data saves disk and network I/O. The compressData parameter is set to true by default. |
| containerName={value} | Optional | Text | Provide the name of the container that was created under the Azure Storage Blob account for this integration. You can find the vulnerability findings and vulnerability information in this container. If you do not provide a container name, ‘qualys-vm-findings’ is used by default. In that case, ensure that a container named ‘qualys-vm-findings’ is created under Azure Storage Blob. |
| filterQuery | Optional | Query | Filter vulnerabilities and assets using the supported tokens. |
Filter Query Tokens
The Qualys Query Language is used to build search queries and fetch information from the Qualys database. You can pick the tokens from our repository and build your own query to find the relevant information.
For example, the below query fetches assessments of a specified qid, discovers ignored vulnerabilities, and searches from the specified range of dates.
"vuln" : "qId: 11547 ignored: true AND lastUpdate: [2023-07-06 .. 2023-07-07]"
The below query fetches information of a specified asset id within the provided IP range.
"asset" : "assetUuid: `151334c4-3811-40b5-ba92-cfd0064eb9f4` AND ip: (1.1.1.1 .. 5.5.5.5)"
To learn more about building search queries, refer to Qualys Query Language (QQL).
The 'Now' keyword is not currently supported for QQL. Search queries built with it do not produce any results.
The tokens listed below can be used to create the filterQuery for vulnerabilities and assets.
Vulnerability Filter Tokens
Vulnerability filter tokens and their data types are given in the following table:
| Token | Data Type |
|---|---|
| qid | LONG |
| port | LONG |
| ignored | BOOLEAN |
| Disabled | BOOLEAN |
| ssl | BOOLEAN |
| protocol | STRING |
| timesFound | LONG |
| status | STRING |
| firstFound | STRING |
| lastUpdate | STRING |
| lastProcessed | STRING |
| lastReopened | STRING |
| lastFixed | STRING |
| lastFound | STRING |
| lastTest | STRING |
Asset Filter Tokens
Asset filter tokens and their data types are given in the following table:
| Token | Data Type |
|---|---|
| assetId | LONG |
| assetUuid | STRING |
| hostId | LONG |
| netBios | STRING |
| dns | STRING |
| ip | STRING |
| os | STRING |
| trackingMethod | STRING |
API Request
"curl""Content-Type:application/json""<qualys_gateway_url>/partner-integration/azure/storage-blob/vm""--data""@integration.json""-H""Authorization: Bearer <token>"
“integration.json” contains the request POST data.
Request POST Data (integration.json)
{
"connectionString":"BlobEndpoint=https://user_john.blob.core.windows.net/;SharedAccessSignature=sv=2019-12-12&ss=b&srt=co&sp=rwx&se=2020-09-04T22:36:36Z&st=2020-09-04T14:36:36Z&spr=https&sig=key%ckd%3D",
"minSeverity":4,
"baseCategory":"Potential",
"name":"Integration name",
"resultSectionNeeded":true,
"sendVulnInfo":true,
"compressData":true,
"containerName":"qualys-vm-findings"
}
Output
{
"integrationId":526
}
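The connection string carries a shared access signature, so it is worth checking integration.json before posting it and masking the secret wherever the body is logged. The following pre-flight check is an added example, not Qualys code: the function names, the HTTPS and expiry checks, and the sample body are assumptions made here, while the field rules come from the parameter table above.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

VALID_CATEGORIES = {"IG", "Potential", "Confirmed"}  # from the parameter table
BOOL_KEYS = ("resultSectionNeeded", "sendVulnInfo", "compressData")

def redact(cs):
    """Mask the signature or account key so the string can be logged."""
    return re.sub(r"\b(sig|AccountKey)=[^&;]+", r"\1=<redacted>", cs)

def validate(body, now):
    """Return a list of problems in an integration.json request body."""
    problems = []
    name = body.get("name")
    if not isinstance(name, str) or not 0 < len(name) <= 50:
        problems.append("name is mandatory, at most 50 characters")
    sev = body.get("minSeverity", 3)
    if isinstance(sev, bool) or sev not in range(1, 6):
        problems.append("minSeverity must be an integer from 1 to 5")
    if "baseCategory" in body and body["baseCategory"] not in VALID_CATEGORIES:
        problems.append("baseCategory must be IG, Potential or Confirmed")
    problems += [f"{k} must be true or false" for k in BOOL_KEYS
                 if k in body and not isinstance(body[k], bool)]
    cs = body.get("connectionString")
    if not isinstance(cs, str) or not cs:
        return problems + ["connectionString is mandatory"]
    # The connection string is 'Key=value;Key=value'; the SAS is a query string.
    parts = dict(p.split("=", 1) for p in cs.split(";") if "=" in p)
    if not parts.get("BlobEndpoint", "https://").startswith("https://"):
        problems.append("BlobEndpoint is not an https:// URL")
    if "SharedAccessSignature" in parts:
        sas = {k: v[0] for k, v in parse_qs(parts["SharedAccessSignature"]).items()}
        if sas.get("spr") != "https":
            problems.append("SAS does not restrict access to HTTPS (spr=https)")
        try:  # assumption: expiry uses the timestamp format shown on this page
            se = datetime.strptime(sas.get("se", ""), "%Y-%m-%dT%H:%M:%SZ")
            if se.replace(tzinfo=timezone.utc) <= now:
                problems.append(f"SAS expired at {sas['se']}")
        except ValueError:
            problems.append("SAS expiry (se) is missing or not in the expected format")
    return problems

# Constructed sample body, modelled on the request shown on this page.
SAMPLE = {
    "name": "Integration name", "minSeverity": 4, "baseCategory": "Potential",
    "connectionString": "BlobEndpoint=https://example.blob.core.windows.net/;"
    "SharedAccessSignature=sv=2019-12-12&ss=b&srt=co&sp=rwx&se=2020-09-04T22:36:36Z&spr=https&sig=CONSTRUCTED-PLACEHOLDER",
}
```

Call `validate(SAMPLE, datetime.now(timezone.utc))` before sending the request, and pass the connection string through `redact()` before it reaches any log or ticket.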