Azure API Connector

What is the Azure API Connector?

The Azure API Connector enables automated integration between your Microsoft Azure environment and the Qualys TotalAppSec (TAS). The connector discovers APIs managed in Azure API Management and imports their metadata and Swagger specifications into Qualys for inventory and scan readiness.

Category Supported Asset Type Supported Finding Type
API Connector APIs N/A (Discovery only)

Prerequisites

  • An active subscription to the Qualys TAS module
  • Access to your Microsoft Azure tenant with permissions to:
    • Register apps in Azure AD
    • Access Azure API Management
    • Grant required API permissions (minimum: User.Read)

Authentication Details

Field Description
Token URL https://login.microsoftonline.com
API Endpoint URL https://management.azure.com
Grant Type client_credentials
Tenant ID Azure Active Directory > Overview
Client ID Azure AD > App registrations > Application ID
Client Secret Generated in Azure > Certificates & secrets

How to Obtain Tenant ID, Client ID and Client Secret

Follow the steps to obtain the required authentication values.

Tenant ID

Navigate to your azure portal (https://portal.azure.com)

  1. Go to Azure Active Directory 
  2. Click Overview
  3. Copy Tenant ID

Client ID

  • Navigate to:
    Azure Active Directory > App registrations > All applications
  • Search for the App name (you may need to ask for it if unknown)
  • Click the app
  • Under the App's Overview
  • Copy Application (client) ID — this is your client_id

Client Secret

You need to have this value stored at your local in secured storage.

  • Go to Certificates & secrets tab

  • Under "Client secrets", check if any are listed.

If a client secret exists, you can’t view its value again after it was created. You can only see:

  • Description
  • Expiry date

If you cannot see the value, you must create a new one (if you have permission).

Permissions

  1. Go to API permissions
  2. Look at the list of APIs and scopes granted
  3. It should have atleast User.Read permission.

Connector Configuration

To Enable the feature you should have TAS module.

TAS > Discovery > Sources > Azure API Connectors.

Azure API Connectors.

Basic Details

  1. Provide a Name and Description
  2. Select the Qualys Data Model (API Discovery) and Data Model Type (API)
  3. Provide required Authentication Details. 
    Basic details.

Data Model

The Azure API Discovery Default Data Model offers an out-of-the-box data model mapping with Qualys TAS schema. You can view the schema to understand the attributes in the data model.

WAS Azure API Discovery Default Data Model

Here's the default data model mapping.

WAS Azure API Discovery Default Data Model backup.

Transform Maps

Map the fields from the CSV file to the corresponding fields in your target system. Transform Maps ensure the data is transformed correctly during the import or export process.

The TAS Azure API Connector offers an out-of-box transform map for you to proceed without further configuration. View the map to understand the data transformation.

Transform maps.

Click Create New for a new Transform Map.

Perform the following steps to configure a Transform Model:

  1. Transform Map Name: Enter a unique name for the Transform Map. This name helps identify the specific transformation configuration within this connector.
  2. Source Data Model: Select the data model that serves as the input for the transformation. This is the model from which data will be extracted.
  3. Target Data Model: Choose the data model that receives the transformed data. This model defines how the data will be structured after the transformation.

Refer the following Transform Map screenshot:

Create transform map.

Profile Configuration

Create a profile for your connector. A profile decides the connector status, execution schedule and transform map to choose. The connector follows the configurations of this profile for all future executions.

Create a profile for connector.

  1. Click the + to create a new profile.
  2. In the Add Profile screen, provide the necessary inputs for your new profile.
  3. Provide a Name and Description.
  4. Select the required Transform Map for the data mapping.

The Resource Types determine which resources to select for the profile. The Resource Type determine the required resource whose findings should be ingested by Qualys TAS.

The Status field determines whether the connector should be in Active or Inactive state after creation.

Lastly, the Schedule section lets you either create a Single Occurrence schedule or a Recurring schedule. Provide the exact date and time for the Single Occurrence execution and provide the Start and End date/time for the Recurring schedule.

Connector States

A successfully configured connector goes through 4 states:

  • Registered: The connector is successfully created and registered to fetch data from the vendor.
  • Scheduled: The connector is scheduled to execute a connection with the vendor.
  • Processing: A connection is executed and the connector is fetching the asset and findings data.
  • Processed: The connector has successfully fetched the assets, it may still be under process of fetching the findings. Wait for some more time for the connector to fetch the findings completely.

The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets. This process may take some time.

Logs

You can check the logs for the connector configured under the Logs tab.

Logs tab.

View Assets in the TAS Application

Follow the steps to view your assets in the TAS application.

Discovered APIs

Here, you can view all the API assets discovered by the Azure connector with additional details like Status, URL, Endpoints, etc.

Discovered APIs

Additional Resources

Additional Information related to Azure Connector.

API Reference

Here are the APIs executed for the Azure connection.

Operation API Endpoint
Login https://login.microsoftonline.com/{{tenantId}}/oauth2/token
Get Subscriptions https://management.azure.com/subscriptions?api-version=2024-11-01
List Resources https://management.azure.com/subscriptions/:subscriptionId/
resources?api-version=2024-06-01-preview
Get Resource Groups & APIs https://management.azure.com/subscriptions/:subscriptionId/
resourceGroups/:resourceGroupName/providers/Microsoft.ApiManagement/
service/:serviceName/apis?api-version=2024-06-01-preview
Get API Details https://management.azure.com/.../apis/
:apiId?format=swagger-link&export=true&api-version=2024-06-01-preview
Download Swagger https://<<id>>.blob.core.windows.net/api-export/<<apiName>>.json?...

Data Model Map

This section explains the attribute mappings of the values from Azure and Qualys ETM.

Source Attribute Label

Target Attribute Label

subscriptionId

subscriptionId

resourceGroups

resourceGroups (Required)

service

service (Required)

api

api

masifLocation

masifLocation

© Qualys , Inc. All rights reserved. Privacy Policy.