TotalCloud Release 2.17 API
June 11, 2025
Before reading the API release highlights, refer to the Know Your Qualys API Server URL section to find the API server URL to use in your API requests. In these release notes, <qualys_base_url> stands for that URL in the sample API requests.
Get Azure AI Service Resources
New or Updated API | Updated |
API Endpoint | /cloudview-api/rest/v1/resource/<resourceid> |
Method | GET |
DTD or XSD changes | Not Applicable |
With this release, we are introducing a new resource ID for the Get Azure Resources API that retrieves the list of Azure AI services in your cloud account.
The new resource ID is COGNITIVE_SERVICE.
The request URL then appears as follows: https://<QualysBaseURL>/cloudview-api/rest/v1/resource/COGNITIVE_SERVICE/Azure
You can use this API to find details about the running AI workloads in your account, or you can try out Qualys TotalAI to learn more about AI security.
Sample
API Request
curl --location '<Qualys_Base_URL>/cloudview-api/rest/v1/resource/COGNITIVE_SERVICE/Azure?pageNo=0&pageSize=20'
API Response
{
  "content": [
    {
      "customerUuid": "exxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx63e",
      "cloudType": "AWS",
      "collectorType": "cspSignal",
      "resourceType": "IAM_USER",
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxfa6",
      "resourceId": "OktaSSO_Compute",
      "threatClass": "api_activity",
      "threatType": null,
      "threatCategory": "Recon_MaliciousIPCaller.Custom",
      "cspAccount": "9xxxxxxxxxx5",
      "cspRegion": "us-west-2",
      "deploymentName": null,
      "triggeredResource": "7x.xxx.xxx.xx6",
      "affectedResource": "OktaSSO_Compute",
      "severity": 3,
      "eventMessage": "The reconnaissance API DescribeInstances was invoked from an IP address on a custom threat list.",
      "timestamp": "2025-05-09T20:00:42.000+00:00",
      "triggeredResourceGeoLocation": "37.7558,-121.9527",
      "triggeredResourceCity": "San Ramon",
      "triggeredResourceCountry": "United States",
      "hash": null,
      "vpcId": null,
      "protocol": null,
      "affectedResourcePort": null,
      "responseTime": null,
      "remoteIpDetails": {
        "geoLocation": "3x.xxxx,-xxx.x178",
        "city": "Oakland",
        "country": "United States",
        "ipAddress": "7x.xxx.xxx.xx6"
      },
      "networkInformation": null,
      "correlationId": null,
      "qlp": null,
      "pod": null,
      "podLabels": null,
      "containerName": null,
      "processName": null
    },
    {
      "customerUuid": "exxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx63e",
      "cloudType": "AWS",
      "collectorType": "cspSignal",
      "resourceType": "IAM_USER",
      "uuid": "cxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxea",
      "resourceId": "OktaSSO_Compute",
      "threatClass": "api_activity",
      "threatType": null,
      "threatCategory": "Recon_MaliciousIPCaller.Custom",
      "cspAccount": "9xxxxxxxxxx5",
      "cspRegion": "us-west-2",
      "deploymentName": null,
      "triggeredResource": "7x.xxx.xxx.xx6",
      "affectedResource": "OktaSSO_Compute",
      "severity": 3,
      "eventMessage": "The reconnaissance API DescribeAutoScalingGroups was invoked from an IP address on a custom threat list.",
      "timestamp": "2025-05-09T20:00:42.000+00:00",
      "triggeredResourceGeoLocation": "37.7558,-121.9527",
      "triggeredResourceCity": "San Ramon",
      "triggeredResourceCountry": "United States",
      "hash": null,
      "vpcId": null,
      "protocol": null,
      "affectedResourcePort": null,
      "responseTime": null,
      "remoteIpDetails": {
        "geoLocation": "3x.xxxx,-xxx.x178",
        "city": "Oakland",
        "country": "United States",
        "ipAddress": "7x.xxx.xxx.xx6"
      },
      "networkInformation": null,
      "correlationId": null,
      "qlp": null,
      "pod": null,
      "podLabels": null,
      "containerName": null,
      "processName": null
    }
  ],
  "pageable": {
    "pageNumber": 0,
    "pageSize": 2,
    "sort": {
      "sorted": false,
      "empty": true,
      "unsorted": true
    },
    "offset": 0,
    "paged": true,
    "unpaged": false
  },
  "totalPages": 23,
  "totalElements": 45,
  "last": false,
  "number": 0,
  "size": 2,
  "numberOfElements": 2,
  "sort": {
    "sorted": false,
    "empty": true,
    "unsorted": true
  },
  "first": true,
  "empty": false
}
Cloud Detection and Response (CDR)
The following sections describe the enhancements made to the CDR APIs in this release.
View CDR Findings
New or Updated API | New |
API Endpoint | /cdr-api/rest/v1/findings |
Method | GET |
DTD or XSD changes | Not Applicable |
With this release, we are introducing a new API that lets you view threat findings from the CDR unified view. It makes the threat findings data more accessible and supports more refined, filterable results, improving the overall user experience.
Input Parameter
Parameter Name | Mandatory/Optional | Data Type | Description |
---|---|---|---|
query | Mandatory | String | Specify the QQL query token to filter the CDR findings. Example: tc.findings.cloudProvider: AWS |
startAt | Mandatory | String | Specify the starting timestamp or date for the findings you wish to retrieve. Example: 2025-01-27T08:54:41.396Z |
endAt | Mandatory | String | Specify the ending timestamp or date for the findings you wish to retrieve. Example: 2025-05-28T23:59:59.999Z |
offSet | Optional | String | Specify the number of findings to skip before starting to retrieve data. Example: 20 |
limit | Optional | String | Specify the number of findings to return in the response. Example: 100 |
cloudProvider | Optional | String | Specify the cloud provider name. Accepted values: "AWS", "AZURE", "GCP". |
cloudAccount | Optional | Integer | Specify the cloud account number. Example: 123456789012. |
severity | Optional | String | Specify the findings severity. Accepted values: "Low", "Medium", "High", "Critical". |
time | Optional | Integer | Specify either an exact time and date, or a date/time range, to retrieve the threat findings. Accepted format: [MM:DD:YYYY::HH:MM or MM:DD:YYYY::HH:MM - MM:DD:YYYY::HH:MM] Example: [05-13-2025 15:20:00] or [05-12-2025 15:20 - 05-13-2025 15:20] |
alertClass | Optional | String | Specify the alert class of the threat findings. Example: API Activity, Network Activity, etc. |
category | Optional | String | Specify the category of the threat findings. Example: Data Protection, etc. |
cloudIdentifier | Optional | String | Specify either the account, subscription, or project information to view threat findings for that identifier. Example: 123456789012. |
affectedResource | Optional | String | Specify either the IP address or cloudID to view threat findings for the affected resource. Example: my-bucket-name. |
remoteResource | Optional | String | Specify the IP address to view threat findings for a specific resource. Example: 19X.XXX.X.X00. |
resourceType | Optional | String | Specify to view threat findings related to virtual machines. Example: BUCKET. |
hash | Optional | String | Specify the specific threat finding hash. Example: a1b2c3d4e5f6. |
region | Optional | String | Specify to view threat findings based on the specified region. Example: us-east-1 |
remote.country | Optional | String | Specify the country name to filter the threat findings by location. Example: United States |
remote.city | Optional | String | Specify the city name to filter the threat findings by specific locations. Example: San Ramon |
Sample API Request
API Request
curl --location 'https://<QualysBaseURL>/cdr-api/rest/v1/findings?query=tc.findings.cloudProvider%3AAWS&startAt=2025-01-27T08%3A54%3A41.396Z&endAt=2025-05-28T23%3A59%3A59.999Z&offset=50&limit=100' \
--header 'Authorization: Bearer <Bearer Token>' \
--header 'Accept: application/json'
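The request above, built programmatically, plus a triage helper for the response format shown in the sample response below. This Python code is an added example, not Qualys code: it percent-encodes the mandatory parameters and flattens findings into one row per MITRE technique. The function names, the `offset` spelling (taken from the sample request rather than the table's `offSet`) and the constructed `SAMPLE` data are assumptions.

```python
from datetime import datetime
from urllib.parse import quote, urlencode

SEVERITIES = {"Low", "Medium", "High", "Critical"}  # accepted values from the table

def _ts(value):
    # The page's examples use ISO-8601 timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_findings_url(base_url, query, start_at, end_at, offset=0, limit=100, severity=None):
    """Return the percent-encoded GET URL for /cdr-api/rest/v1/findings."""
    if not (query and start_at and end_at):
        raise ValueError("query, startAt and endAt are mandatory")
    if _ts(start_at) >= _ts(end_at):
        raise ValueError("startAt must be earlier than endAt")
    # Assumption: 'offset' is spelled as in the sample request, not 'offSet' as in the table.
    params = {"query": query, "startAt": start_at, "endAt": end_at,
              "offset": offset, "limit": limit}
    if severity is not None:
        if severity not in SEVERITIES:
            raise ValueError(f"unsupported severity: {severity!r}")
        params["severity"] = severity
    return base_url.rstrip("/") + "/cdr-api/rest/v1/findings?" + urlencode(params, quote_via=quote)

def flatten_findings(response):
    """Return one row per (finding, MITRE technique); unmapped findings get one row."""
    rows = []
    for f in response.get("content") or []:
        base = {"uuid": f.get("uuid"), "timestamp": f.get("timestamp"),
                "severity": f.get("severity"), "category": f.get("threatCategory"),
                "resource": f.get("affectedResource")}
        mapped = [(r.get("ruleName"), d["tactic"]["tacticId"], t["techniqueId"])
                  for r in f.get("mitreRulesInfo") or []
                  for d in r.get("mitreDetails") or []
                  for t in d.get("techniques") or []]
        for rule, tactic, technique in mapped or [(None, None, None)]:
            rows.append({**base, "rule": rule, "tactic": tactic, "technique": technique})
    return rows

# Constructed sample, trimmed to the fields used above (identifiers are placeholders).
SAMPLE = {"content": [
    {"uuid": "finding-1", "timestamp": "2025-05-28T23:47:38.000+00:00", "severity": 3,
     "threatCategory": "BINARY_EXECUTION", "affectedResource": "container-placeholder",
     "mitreRulesInfo": [{"ruleName": "Process Execution From Memory", "riskScore": 4,
         "mitreDetails": [{"tactic": {"tacticId": "TA0002", "tacticName": "Execution"},
             "techniques": [{"techniqueId": "T1106", "techniqueName": "Native API"}]}]}]},
    {"uuid": "finding-2", "timestamp": "2025-05-09T20:00:42.000+00:00", "severity": 3,
     "threatCategory": "Recon_MaliciousIPCaller.Custom", "affectedResource": "user-placeholder"},
]}
```

Pass the returned URL to your HTTP client with the `Authorization: Bearer` and `Accept: application/json` headers from the curl request, and advance `offset` by `limit` to page through results.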
API Response
"content": [
  {
    "customerUuid": "edxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx663e",
    "cloudProvider": "AWS",
    "collectorType": "crs",
    "resourceType": "CONTAINER",
    "uuid": "a3xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx2fe",
    "resourceId": "37xxxxxxxxxxxxxxxxxxx76078",
    "threatClass": "crs_event",
    "threatType": null,
    "threatCategory": "BINARY_EXECUTION",
    "cspAccount": "951386378875",
    "cspRegion": null,
    "deploymentName": null,
    "triggeredResource": null,
    "affectedResource": "37f676c5ec7038c3ada06276bcb46ef0a680dfaee14cfc9c3ca2a174cbe76078",
    "severity": 3,
    "eventMessage": "Process Execution From Memory",
    "timestamp": "2025-05-28T23:47:38.000+00:00",
    "triggeredResourceGeoLocation": null,
    "triggeredResourceCity": null,
    "triggeredResourceCountry": null,
    "hash": null,
    "vpcId": null,
    "protocol": null,
    "affectedResourcePort": null,
    "responseTime": null,
    "remoteIpDetails": null,
    "networkInformation": null,
    "correlationId": "dxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxe5ff",
    "qlp": {
      "namespace": "default",
      "clusterName": "tc-qa-cdr-crs-eks",
      "nodeName": "ip-10-193-21-240.us-west-2.compute.internal"
    },
    "pod": null,
    "podLabels": "{\"app\":\"pexec-memory-t1106\",\"pod-template-hash\":\"54dc89d496\"}",
    "containerName": "pexec-memory-t1106",
    "processName": "/dev/fd/3",
    "mitreRulesInfo": [
      {
        "ruleName": "Process Execution From Memory",
        "riskScore": 4,
        "mitreDetails": [
          {
            "tactic": {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            },
            "techniques": [
              {
                "techniqueId": "T1106",
                "techniqueName": "Native API"
              }
            ]
          }
        ]
      }
    ]
  },