TotalCloud Release 2.17 API

June 11, 2025

Before reading the API release highlights, refer to the Know Your Qualys API Server URL section to find the API server URL to use in your requests. In these release notes, the sample API requests use <QualysBaseURL> as a placeholder for that server URL.

Get Azure AI Service Resources

New or Updated API: Updated
API Endpoint: /cloudview-api/rest/v1/resource/<resourceid>
Method: GET
DTD or XSD changes: Not Applicable

With this release, the Get Azure Resources API accepts a new resource ID that returns the Azure AI service resources in your cloud account.

The new resource ID is COGNITIVE_SERVICE.

The request URL then takes the form https://<QualysBaseURL>/cloudview-api/rest/v1/resource/COGNITIVE_SERVICE/Azure

Use this API to inventory the AI workloads running in your account. For broader AI security coverage, see Qualys TotalAI.

Sample

API Request

curl --location 'https://<QualysBaseURL>/cloudview-api/rest/v1/resource/COGNITIVE_SERVICE/Azure?pageNo=0&pageSize=20' \
--header 'Authorization: Bearer <Bearer Token>' \
--header 'Accept: application/json'

API Response

{
    "content": [
        {
            "customerUuid": "exxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx63e",
            "cloudType": "AWS",
            "collectorType": "cspSignal",
            "resourceType": "IAM_USER",
            "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxfa6",
            "resourceId": "OktaSSO_Compute",
            "threatClass": "api_activity",
            "threatType": null,
            "threatCategory": "Recon_MaliciousIPCaller.Custom",
            "cspAccount": "9xxxxxxxxxx5",
            "cspRegion": "us-west-2",
            "deploymentName": null,
            "triggeredResource": "7x.xxx.xxx.xx6",
            "affectedResource": "OktaSSO_Compute",
            "severity": 3,
            "eventMessage": "The reconnaissance API DescribeInstances was invoked from an IP address on a custom threat list.",
            "timestamp": "2025-05-09T20:00:42.000+00:00",
            "triggeredResourceGeoLocation": "37.7558,-121.9527",
            "triggeredResourceCity": "San Ramon",
            "triggeredResourceCountry": "United States",
            "hash": null,
            "vpcId": null,
            "protocol": null,
            "affectedResourcePort": null,
            "responseTime": null,
            "remoteIpDetails": {
                "geoLocation": "3x.xxxx,-xxx.x178",
                "city": "Oakland",
                "country": "United States",
                "ipAddress": "7x.xxx.xxx.xx6"
            },
            "networkInformation": null,
            "correlationId": null,
            "qlp": null,
            "pod": null,
            "podLabels": null,
            "containerName": null,
            "processName": null
        },
        {
            "customerUuid": "exxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx63e",
            "cloudType": "AWS",
            "collectorType": "cspSignal",
            "resourceType": "IAM_USER",
            "uuid": "cxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxea",
            "resourceId": "OktaSSO_Compute",
            "threatClass": "api_activity",
            "threatType": null,
            "threatCategory": "Recon_MaliciousIPCaller.Custom",
            "cspAccount": "9xxxxxxxxxx5",
            "cspRegion": "us-west-2",
            "deploymentName": null,
            "triggeredResource": "7x.xxx.xxx.xx6",
            "affectedResource": "OktaSSO_Compute",
            "severity": 3,
            "eventMessage": "The reconnaissance API DescribeAutoScalingGroups was invoked from an IP address on a custom threat list.",
            "timestamp": "2025-05-09T20:00:42.000+00:00",
            "triggeredResourceGeoLocation": "37.7558,-121.9527",
            "triggeredResourceCity": "San Ramon",
            "triggeredResourceCountry": "United States",
            "hash": null,
            "vpcId": null,
            "protocol": null,
            "affectedResourcePort": null,
            "responseTime": null,
            "remoteIpDetails": {
                "geoLocation": "3x.xxxx,-xxx.x178",
                "city": "Oakland",
                "country": "United States",
                "ipAddress": "7x.xxx.xxx.xx6"
            },
            "networkInformation": null,
            "correlationId": null,
            "qlp": null,
            "pod": null,
            "podLabels": null,
            "containerName": null,
            "processName": null
        }
    ],
    "pageable": {
        "pageNumber": 0,
        "pageSize": 2,
        "sort": {
            "sorted": false,
            "empty": true,
            "unsorted": true
        },
        "offset": 0,
        "paged": true,
        "unpaged": false
    },
    "totalPages": 23,
    "totalElements": 45,
    "last": false,
    "number": 0,
    "size": 2,
    "numberOfElements": 2,
    "sort": {
        "sorted": false,
        "empty": true,
        "unsorted": true
    },
    "first": true,
    "empty": false
}
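The response envelope above is Spring-style paging: the items are in content, and the server reports last, totalPages and number for the page you asked for. A client that only fetches pageNo=0 silently drops everything past the first page, so the usual need is a loop that walks pageNo until last is true. The following is an added example, not Qualys code: it assumes the bearer-token Authorization header used in the CDR sample request later on this page, uses <QualysBaseURL> as a placeholder, and exercises the loop offline against a constructed two-page response (fictitious resource IDs) rather than a live account.

```python
"""Page through a TotalCloud resource listing (added example, not Qualys code)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Placeholder only; substitute your own Qualys API server URL.
BASE_URL = "https://<QualysBaseURL>"

Fetcher = Callable[[str, Dict[str, int]], Dict]


def make_http_fetcher(base_url: str, bearer_token: str) -> Fetcher:
    """Return fetch(path, params) backed by urllib; header form assumed from the CDR sample."""
    def fetch(path: str, params: Dict[str, int]) -> Dict:
        url = f"{base_url}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {bearer_token}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


def iter_resources(fetch: Fetcher, resource_type: str, cloud_type: str,
                   page_size: int = 20, max_pages: int = 1000):
    """Yield every item in 'content' across pages, stopping when the server says 'last'.

    max_pages bounds the walk so a server that never reports last=true cannot
    turn this into an endless loop; an empty page also terminates the walk.
    """
    path = f"/cloudview-api/rest/v1/resource/{resource_type}/{cloud_type}"
    page_no = 0
    while page_no < max_pages:
        body = fetch(path, {"pageNo": page_no, "pageSize": page_size})
        content = body.get("content", [])
        yield from content
        if body.get("last", True) or not content:
            return
        page_no += 1


def list_resource_ids(fetch: Fetcher, resource_type: str = "COGNITIVE_SERVICE",
                      cloud_type: str = "Azure", page_size: int = 20) -> List[str]:
    """Collect the resourceId of every listed resource across all pages."""
    return [item["resourceId"]
            for item in iter_resources(fetch, resource_type, cloud_type, page_size)]


# Constructed two-page sample in the page's envelope shape (fictitious IDs, not real data).
SAMPLE_PAGES: List[Dict] = [
    {"content": [{"uuid": "aaaa-1", "resourceId": "ai-svc-eastus-1"},
                 {"uuid": "aaaa-2", "resourceId": "ai-svc-eastus-2"}],
     "totalPages": 2, "totalElements": 3, "last": False, "number": 0, "size": 2},
    {"content": [{"uuid": "aaaa-3", "resourceId": "ai-svc-westeu-1"}],
     "totalPages": 2, "totalElements": 3, "last": True, "number": 1, "size": 2},
]


def make_stub_fetcher(pages: List[Dict]) -> Fetcher:
    """Offline stand-in for make_http_fetcher that serves the constructed pages."""
    calls: List = []

    def fetch(path: str, params: Dict[str, int]) -> Dict:
        calls.append((path, dict(params)))
        return pages[int(params["pageNo"])]

    fetch.calls = calls  # type: ignore[attr-defined]
    return fetch


def demo():
    """Walk the constructed pages; returns (resource IDs, requests made)."""
    fetch = make_stub_fetcher(SAMPLE_PAGES)
    ids = list_resource_ids(fetch, page_size=2)
    return ids, fetch.calls  # type: ignore[attr-defined]


if __name__ == "__main__":
    ids, calls = demo()
    print(ids)    # -> ['ai-svc-eastus-1', 'ai-svc-eastus-2', 'ai-svc-westeu-1']
    print(calls)  # two requests: pageNo=0 then pageNo=1
    # Live use: list_resource_ids(make_http_fetcher(BASE_URL, "<Bearer Token>"))
```

The loop keys off the server's last flag rather than computing pages from totalElements, because the sample above shows the server can return a different pageSize from the one requested (20 requested, 2 returned); trusting the envelope avoids an off-by-one when the two disagree.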

Cloud Detection and Response (CDR)

The following sections describe the enhancements made to the CDR APIs in this release.

View CDR Findings

New or Updated API: New
API Endpoint: /cdr-api/rest/v1/findings
Method: GET
DTD or XSD changes: Not Applicable

With this release, we are introducing a new API that returns the threat findings shown in the CDR unified view, so that findings data can be retrieved programmatically and narrowed with filters.

Input Parameters

Parameter Name Mandatory/Optional Data Type Description
query Mandatory String Specify the QQL query token to filter the CDR findings.
Example: tc.findings.cloudProvider: AWS
startAt Mandatory String Specify the start of the time window (timestamp or date) for the findings to retrieve.
Example: 2025-01-27T08:54:41.396Z
endAt Mandatory String Specify the end of the time window (timestamp or date) for the findings to retrieve.
Example: 2025-05-28T23:59:59.999Z
offSet Optional String Specify the number of findings to skip before results are returned.
Example: 20
limit Optional String Specify the maximum number of findings to return in the response.
Example: 100
cloudProvider Optional String Specify the cloud provider name.
Accepted values: "AWS", "AZURE", "GCP".
cloudAccount Optional Integer Specify the cloud account number.
Example: 123456789012.
severity Optional String Specify the severity of the findings.
Accepted values: "Low", "Medium", "High", "Critical".
time Optional Integer Specify an exact date and time, or a date/time range, for which to retrieve threat findings.
Accepted format: [MM:DD:YYYY::HH:MM] or [MM:DD:YYYY::HH:MM - MM:DD:YYYY::HH:MM]
Example: [05-13-2025 15:20:00] or [05-12-2025 15:20 - 05-13-2025 15:20]
alertClass Optional String Specify the alert class of the threat findings.
Example: API Activity, Network Activity, etc.
category Optional String Specify the category of the threat findings.
Example: Data Protection, etc.
cloudIdentifier Optional String Specify the account, subscription, or project identifier whose threat findings you want to view.
Example: 123456789012.
affectedResource Optional String Specify the IP address or cloud ID of the affected resource.
Example: my-bucket-name.
remoteResource Optional String Specify the IP address of the remote resource involved in the threat finding.
Example: 19X.XXX.X.X00.
resourceType Optional String Specify the resource type to filter the threat findings by.
Example: BUCKET.
hash Optional String Specify the hash of a specific threat finding.
Example: a1b2c3d4e5f6.
region Optional String Specify the cloud region to filter the threat findings by.
Example: us-east-1
remote.country Optional String Specify the country name of the remote IP address to filter the threat findings by location.
Example: United States
remote.city Optional String Specify the city name of the remote IP address to filter the threat findings by location.
Example: San Ramon

Sample API Request

API Request

curl --location 'https://<QualysBaseURL>/cdr-api/rest/v1/findings?query=tc.findings.cloudProvider%3AAWS&startAt=2025-01-27T08%3A54%3A41.396Z&endAt=2025-05-28T23%3A59%3A59.999Z&offset=50&limit=100' \
--header 'Authorization: Bearer <Bearer Token>' \
--header 'Accept: application/json'

API Response

{
    "content": [
        {
            "customerUuid": "edxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx663e",
            "cloudProvider": "AWS",
            "collectorType": "crs",
            "resourceType": "CONTAINER",
            "uuid": "a3xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx2fe",
            "resourceId": "37xxxxxxxxxxxxxxxxxxx76078",
            "threatClass": "crs_event",
            "threatType": null,
            "threatCategory": "BINARY_EXECUTION",
            "cspAccount": "951386378875",
            "cspRegion": null,
            "deploymentName": null,
            "triggeredResource": null,
            "affectedResource": "37f676c5ec7038c3ada06276bcb46ef0a680dfaee14cfc9c3ca2a174cbe76078",
            "severity": 3,
            "eventMessage": "Process Execution From Memory",
            "timestamp": "2025-05-28T23:47:38.000+00:00",
            "triggeredResourceGeoLocation": null,
            "triggeredResourceCity": null,
            "triggeredResourceCountry": null,
            "hash": null,
            "vpcId": null,
            "protocol": null,
            "affectedResourcePort": null,
            "responseTime": null,
            "remoteIpDetails": null,
            "networkInformation": null,
            "correlationId": "dxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxe5ff",
            "qlp": {
                "namespace": "default",
                "clusterName": "tc-qa-cdr-crs-eks",
                "nodeName": "ip-10-193-21-240.us-west-2.compute.internal"
            },
            "pod": null,
            "podLabels": "{\"app\":\"pexec-memory-t1106\",\"pod-template-hash\":\"54dc89d496\"}",
            "containerName": "pexec-memory-t1106",
            "processName": "/dev/fd/3",
            "mitreRulesInfo": [
                {
                    "ruleName": "Process Execution From Memory",
                    "riskScore": 4,
                    "mitreDetails": [
                        {
                            "tactic": {
                                "tacticId": "TA0002",
                                "tacticName": "Execution"
                            },
                            "techniques": [
                                {
                                    "techniqueId": "T1106",
                                    "techniqueName": "Native API"
                                }
                            ]
                        }
                    ]
                }
            ]
        },
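Two things in this endpoint trip up a first client: the three mandatory parameters (query, startAt, endAt) must be URL-encoded, and an inverted time window gets an empty page that looks like "no findings". On the response side, the fields vary by finding type, as the two samples on this page show: a CRS container event carries mitreRulesInfo and qlp but null remoteIpDetails, while an api_activity finding carries remoteIpDetails and no MITRE block. The following is an added example, not Qualys code: it builds the request URL with the parameter names from the table above (using the lowercase offset spelling from the sample request), validates the window, and flattens findings into triage rows that tolerate either shape. The response it runs against is a constructed, shortened copy of the page's samples with masked and RFC 5737 addresses, not real findings.

```python
"""Build a CDR findings query and triage the result (added example, not Qualys code)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime
from typing import Dict, List, Optional

FINDINGS_PATH = "/cdr-api/rest/v1/findings"


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps the API documents, e.g. 2025-01-27T08:54:41.396Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_findings_url(base_url: str, query: str, start_at: str, end_at: str,
                       offset: Optional[int] = None, limit: Optional[int] = None,
                       **filters: str) -> str:
    """Assemble the GET URL: mandatory parameters first, optional filters after.

    Raises ValueError for an inverted window, which the server would otherwise
    answer with an empty page that is easy to mistake for 'no findings'.
    """
    if _parse_ts(start_at) >= _parse_ts(end_at):
        raise ValueError(f"startAt {start_at} must be earlier than endAt {end_at}")
    params: Dict[str, str] = {"query": query, "startAt": start_at, "endAt": end_at}
    if offset is not None:
        params["offset"] = str(offset)   # the parameter table spells this offSet
    if limit is not None:
        params["limit"] = str(limit)
    params.update({k: str(v) for k, v in filters.items() if v is not None})
    # quote (not quote_plus) so a space inside a QQL token becomes %20 rather than '+'
    encoded = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{base_url}{FINDINGS_PATH}?{encoded}"


def fetch_findings(url: str, bearer_token: str) -> Dict:
    """Perform the request with the bearer-token header form from the sample curl."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def triage(response: Dict, min_severity: int = 3) -> List[Dict]:
    """Flatten findings into triage rows; tolerates null mitreRulesInfo and remoteIpDetails."""
    rows = []
    for f in response.get("content", []):
        severity = f.get("severity") or 0
        if severity < min_severity:
            continue
        techniques = []
        for rule in f.get("mitreRulesInfo") or []:
            for detail in rule.get("mitreDetails") or []:
                tactic_id = (detail.get("tactic") or {}).get("tacticId")
                for tech in detail.get("techniques") or []:
                    techniques.append(f"{tech.get('techniqueId')} ({tactic_id})")
        remote = f.get("remoteIpDetails") or {}
        rows.append({
            "severity": severity,
            "threatClass": f.get("threatClass"),
            "resourceType": f.get("resourceType"),
            "affectedResource": f.get("affectedResource"),
            "eventMessage": f.get("eventMessage"),
            "remoteIp": remote.get("ipAddress"),
            "container": f.get("containerName"),
            "techniques": techniques,
        })
    rows.sort(key=lambda r: -r["severity"])  # highest severity first
    return rows


# Constructed sample shaped like the page's responses (masked/fictitious values, not real findings).
SAMPLE_RESPONSE = {
    "content": [
        {"threatClass": "crs_event", "resourceType": "CONTAINER", "severity": 3,
         "affectedResource": "37f676c5ec7038c3", "eventMessage": "Process Execution From Memory",
         "remoteIpDetails": None, "containerName": "pexec-memory-t1106", "processName": "/dev/fd/3",
         "mitreRulesInfo": [{"ruleName": "Process Execution From Memory", "riskScore": 4,
                             "mitreDetails": [{"tactic": {"tacticId": "TA0002", "tacticName": "Execution"},
                                               "techniques": [{"techniqueId": "T1106",
                                                               "techniqueName": "Native API"}]}]}]},
        {"threatClass": "api_activity", "resourceType": "IAM_USER", "severity": 2,
         "affectedResource": "OktaSSO_Compute",
         "eventMessage": "The reconnaissance API DescribeInstances was invoked from an IP address on a custom threat list.",
         "remoteIpDetails": {"ipAddress": "203.0.113.10", "city": "Oakland", "country": "United States"},
         "mitreRulesInfo": None},
    ],
}

if __name__ == "__main__":
    url = build_findings_url("https://<QualysBaseURL>", "tc.findings.cloudProvider:AWS",
                             "2025-01-27T08:54:41.396Z", "2025-05-28T23:59:59.999Z",
                             offset=50, limit=100)
    print(url)
    for row in triage(SAMPLE_RESPONSE, min_severity=1):
        print(row["severity"], row["resourceType"], row["affectedResource"], row["techniques"])
    # Live use: triage(fetch_findings(url, "<Bearer Token>"))
```

The triage rows keep the technique ID together with its tactic ID (T1106 under TA0002 in the sample) so they can be matched directly against ATT&CK coverage, and the severity filter defaults to 3, the level of both findings shown on this page.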