Azure API Connector

What is the Azure API Connector?

The Azure API Connector enables automated integration between your Microsoft Azure environment and the Qualys TotalAppSec (TAS). The connector discovers APIs managed in Azure API Management and imports their metadata and Swagger specifications into Qualys for inventory and scan readiness.

Category	Supported Asset Type	Supported Finding Type
API Connector	APIs	N/A (Discovery only)

Prerequisites

Active TotalAppSec module subscription must be available.

Permissions

In Microsoft Azure, navigate to API Permissions. Ensure that the User.Read permissions is granted.

Authentication Details

Field	Description
Tenant ID	Azure Active Directory > Overview
Client ID	Azure AD > App registrations > Application ID
Client Secret	Generated in Azure > Certificates & secrets

How to Obtain Tenant ID, Client ID and Client Secret

Follow the steps to obtain the required authentication values.

Tenant ID

Navigate to your azure portal (https://portal.azure.com)

Go to Azure Active Directory
Click Overview
Copy Tenant ID

Client ID

Navigate to:
Azure Active Directory > App registrations > All applications
Search for the App name (you may need to ask for it if unknown)
Click the app
Under the App's Overview
Copy Application (client) ID — this is your client_id

Client Secret

You need to have this value stored at your local in secured storage.

Go to Certificates & secrets tab
Under "Client secrets", check if any are listed.

If a client secret exists, you can’t view its value again after it was created. You can only see:

Description
Expiry date

If you cannot see the value, you must create a new one (if you have permission).

Connector Configuration

To Enable the feature you should have TAS module.

TAS > Discovery > Sources > Azure API Connectors.

Azure API Connectors.

Basic Details

Provide a Name and Description
Select the Qualys Data Model (API Discovery) and Data Model Type (API)
Provide required Authentication Details.

Basic details.

Data Model

The Azure API Discovery Default Data Model offers an out-of-the-box data model mapping with Qualys TAS schema. You can view the schema to understand the attributes in the data model.

WAS Azure API Discovery Default Data Model

Here's the default data model mapping.

WAS Azure API Discovery Default Data Model backup.

Transform Maps

Map the fields from the CSV file to the corresponding fields in your target system. Transform Maps ensure the data is transformed correctly during the import or export process.

The TAS Azure API Connector offers an out-of-box transform map for you to proceed without further configuration. View the map to understand the data transformation.

Transform maps.

Profile Configuration

Create a profile for your connector. A profile decides the connector status, execution schedule, and transform map to choose. The connector follows the configurations of this profile for all future executions.

Create a profile for connector.

Click the to create a new profile.
In the Add Profile screen, provide the necessary inputs for your new profile.
Provide a Name and Description.
Select the required Transform Map for the data mapping.

The Resource Types determine which resources to select for the profile. The Resource Type determines the required resource whose findings should be ingested by Qualys TAS.

The Status field determines whether the connector should be in Active or Inactive state after creation.

Lastly, the Schedule section lets you either create a Single Occurrence schedule or a Recurring schedule. Provide the exact date and time for the Single Occurrence execution and provide the Start and End date/time for the Recurring schedule.

Connector States

A successfully configured connector goes through 4 states:

Registered: The connector is successfully created and registered to fetch data from the vendor.
Scheduled: The connector is scheduled to execute a connection with the vendor.
Processing: A connection is executed and the connector is fetching the asset and findings data.
Processed: The connector has successfully fetched the assets, it may still be under process of fetching the findings. Wait for some more time for the connector to fetch the findings completely.

The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets. This process may take some time.

Logs

End-to-end logging provides enhanced visibility into connector activities from the TotalAppSec, enabling more effective analysis and troubleshooting. You can access these logs from the Logs tab.

Logs tab.

View Assets in the TAS Application

Follow the steps to view your assets in the TAS application.

Discovered APIs

Here, you can view all the API assets discovered by the Azure connector with additional details like Status, URL, Endpoints, etc.

Discovered APIs

Additional Resources

Additional Information related to Azure Connector.

API Reference

Here are the APIs executed for the Azure connection.

Operation	API Endpoint
Login	`https://login.microsoftonline.com/{{tenantId}}/oauth2/token`
Get Subscriptions	`https://management.azure.com/subscriptions?api-version=2024-11-01`
List Resources	`https://management.azure.com/subscriptions/:subscriptionId/ resources?api-version=2024-06-01-preview`
Get Resource Groups & APIs	`https://management.azure.com/subscriptions/:subscriptionId/ resourceGroups/:resourceGroupName/providers/Microsoft.ApiManagement/ service/:serviceName/apis?api-version=2024-06-01-preview`
Get API Details	`https://management.azure.com/.../apis/ :apiId?format=swagger-link&export=true&api-version=2024-06-01-preview`
Download Swagger	`https://<<id>>.blob.core.windows.net/api-export/<<apiName>>.json?...`

Data Model Map

This section explains the attribute mappings of the values from Azure and Qualys TotalAppSec.

Source Attribute Label	Target Attribute Label
subscriptionId	subscriptionId
resourceGroups	resourceGroups (Required)
service	service (Required)
api	api
masifLocation	masifLocation