Policy Audit Release 1.5 API
November 3, 2025
Before reading the release highlights, refer to the Know Your Qualys API Server URL section to identify the API server URL to use in your API requests. In these release notes, the sample API requests use <qualys_base_url> as a placeholder for that URL.
We have implemented versioning for APIs. For more information on API versioning, refer to the Updates on API Versioning Standards & Deprecation Timelines blog.
Manage Policies Using Various Policy APIs
With this release, we are introducing certain APIs that can help you manage policies better.
A policy is a collection of controls used to measure and report compliance for a set of hosts. Your compliance reports display the host compliance status (pass or fail) with the policy controls. Use the following policy APIs to manage policy details such as sections, controls, and technologies, and evaluate data. They support functionalities such as retrieval, update, addition, and removal of these policy details.
- Policy
- Lock Policy
- Policy Technology
- Policy Section
- Policy Section Control
- Policy Section Control Technology
- Policy Section Control Technology Evaluate
Policy APIs support only System Defined Controls (SDC). They do not support User Defined Controls (UDC).
Policy API: Export, Update, or Delete Compliance Policies
| New or Updated API | New |
| API Endpoint | /pcas/v3/policy/ |
| Method | GET, PUT, and DELETE |
| DTD or XSD changes | No |
Using this API, you can export, update, or delete compliance policies.
Ensure that you evaluate the policy after making any changes to it.
Export Compliance Policies
With this API, you can export compliance policies in JSON format.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy you want to export. |
| policyTitle={value} | Required | String | The title of the policy you want to export. Note: When using the GET method with the parameter policyTitle, it is essential to encode the title appropriately for URL compatibility. |
Users can enter either the policyId or the policyTitle. Providing both fields is not mandatory.
Sample - Export policy with policy ID
API Request
curl -X 'GET' \
'<qualys_base_url>/pcas/v3/policy?policyId=<PolicyID>' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>'
API Response
{
"policyId": 5656121,
"policyTitle": "Documentation_Policy",
"exported": "20-06-2024 06:05:25",
"coverPage": "CoverPage-PC-24431",
"isActive": true,
"isLocked": false,
"technologies": [
{
"technologyId": 18,
"technologyName": "Windows Vista"
}
],
"sections": [
{
"sectionNumber": 1,
"sectionHeading": "Section-1",
"controls": [
{
"controlId": 1072,
"sectionNumber": 1,
"controlNumber": 1,
"statement": "Status of the 'Minimum Password Age' setting",
"criticality": "CRITICAL",
"isControlDisable": false,
"referenceText": "Control 1072",
"technologies": [
{
"technologyId": 18,
"technologyName": "Windows Vista",
"evaluate": {
"dp": {
"k": "win.auth.passwords.minage",
"v": [
"1"
],
"description": "The following Integer value <B>X</B> indicates the current status of the <B>'Minimum Password Age' (min_pass_age)</B> within the <B>Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age</B>setting for local accounts.",
"fv": [
{
"value": "161803399999999",
"set": "0",
"description": "Attribute not found"
}
],
"op": "eq"
}
},
"remediation": "To establish the recommended configuration via GP, set the following UI path to 1 or more day(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age",
"rational": "Among the characteristics that make 'user identification' via password a workable security solution is setting a 'minimum password age.' Without this minimum age requirement, any user(s) who wish to re-use the same password can merely cycle through a number of previously used passwords until returning to the preferred one (this is determined by the 'Password History' setting). While no specific 'minimum password age' can guarantee password security, one (1) day is generally considered to be the shortest length of time permissible, along with requiring other password security factors, such as increasing the variability of the symbol set-space by requiring mixed-cases, special characters, further increases the difficulty of breaking any password using brute-force methods. Consider implementing this control for all account passwords in conjunction with CID 1318 (Password History) and CID 1071 (Minimum Password Length) and CID 1073 (Maximum Password Age)."
}
]
}
]
}
]
}
Sample - Export Policy with policy title
API Request
curl -X 'GET' \
'<qualys_base_url>/pcas/v3/policy?policyTitle=<PolicyTitle>' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>'
API Response
{
"policyId": 5656121,
"policyTitle": "Documentation_Policy",
"exported": "20-06-2024 06:07:13",
"coverPage": "CoverPage-PC-24431",
"isActive": true,
"isLocked": false,
"technologies": [
{
"technologyId": 18,
"technologyName": "Windows Vista"
}
],
"sections": [
{
"sectionNumber": 1,
"sectionHeading": "Section-1",
"controls": [
{
"controlId": 1072,
"sectionNumber": 1,
"controlNumber": 1,
"statement": "Status of the 'Minimum Password Age' setting",
"criticality": "CRITICAL",
"isControlDisable": false,
"referenceText": "Control 1072",
"technologies": [
{
"technologyId": 18,
"technologyName": "Windows Vista",
"evaluate": {
"dp": {
"k": "win.auth.passwords.minage",
"v": [
"1"
],
"description": "The following Integer value <B>X</B> indicates the current status of the <B>'Minimum Password Age' (min_pass_age)</B> within the <B>Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age</B>setting for local accounts.",
"fv": [
{
"value": "161803399999999",
"set": "0",
"description": "Attribute not found"
}
],
"op": "eq"
}
},
"remediation": "To establish the recommended configuration via GP, set the following UI path to 1 or more day(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age",
"rational": "Among the characteristics that make 'user identification' via password a workable security solution is setting a 'minimum password age.' Without this minimum age requirement, any user(s) who wish to re-use the same password can merely cycle through a number of previously used passwords until returning to the preferred one (this is determined by the 'Password History' setting). While no specific 'minimum password age' can guarantee password security, one (1) day is generally considered to be the shortest length of time permissible, along with requiring other password security factors, such as increasing the variability of the symbol set-space by requiring mixed-cases, special characters, further increases the difficulty of breaking any password using brute-force methods. Consider implementing this control for all account passwords in conjunction with CID 1318 (Password History) and CID 1071 (Minimum Password Length) and CID 1073 (Maximum Password Age)."
}
]
}
]
}
]
}
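An exported policy can be reviewed offline before it is relied on for reporting. The following Python sketch is an added example, not Qualys code: it builds the export URL with the policy title percent-encoded as the note above requires, then walks the exported `sections`, `controls` and `technologies` fields shown in the sample responses. The base URL and the sample document are constructed, and the three review rules are assumptions of this example.

```python
import json
from urllib.parse import quote, urlencode


def export_url(base_url, policy_id=None, policy_title=None):
    """Build the GET /pcas/v3/policy export URL from policyId and/or policyTitle."""
    params = {}
    if policy_id is not None:
        params["policyId"] = int(policy_id)
    if policy_title:
        params["policyTitle"] = policy_title
    if not params:
        raise ValueError("policyId or policyTitle is required")
    # quote_via=quote percent-encodes spaces, '&', '#', '/' and '=' in the title,
    # so a title cannot be cut short or split into extra query parameters.
    return base_url.rstrip("/") + "/pcas/v3/policy?" + urlencode(params, quote_via=quote)


def review_policy(policy):
    """Return review findings for one exported policy document.

    The rules are this example's assumptions, not Qualys guidance:
    an active policy that is unlocked, a disabled control, and a control
    that has no entry for a technology listed at the policy level.
    """
    findings = []
    policy_tech = {t["technologyId"] for t in policy.get("technologies", [])}
    if policy.get("isActive") and not policy.get("isLocked"):
        findings.append("policy is active but not locked")
    for section in policy.get("sections", []):
        for control in section.get("controls", []):
            where = f"section {section['sectionNumber']} control {control['controlId']}"
            if control.get("isControlDisable"):
                findings.append(f"{where}: control is disabled")
            covered = {t["technologyId"] for t in control.get("technologies", [])}
            for missing in sorted(policy_tech - covered):
                findings.append(f"{where}: no entry for policy technology {missing}")
    return findings


# Constructed sample, modelled on the fields of the export response above.
SAMPLE_EXPORT = json.loads("""
{
  "policyId": 5656121, "policyTitle": "Documentation_Policy",
  "isActive": true, "isLocked": false,
  "technologies": [
    {"technologyId": 18, "technologyName": "Windows Vista"},
    {"technologyId": 331, "technologyName": "Windows 11"}
  ],
  "sections": [{
    "sectionNumber": 1, "sectionHeading": "Section-1",
    "controls": [
      {"controlId": 1072, "controlNumber": 1, "criticality": "CRITICAL",
       "isControlDisable": false,
       "technologies": [{"technologyId": 18, "technologyName": "Windows Vista"}]},
      {"controlId": 1048, "controlNumber": 2, "criticality": "CRITICAL",
       "isControlDisable": true,
       "technologies": [{"technologyId": 18, "technologyName": "Windows Vista"},
                        {"technologyId": 331, "technologyName": "Windows 11"}]}
    ]
  }]
}
""")

if __name__ == "__main__":
    # Placeholder host; substitute your own <qualys_base_url>.
    print(export_url("https://qualys.example.invalid", policy_title="R&D Baseline #1"))
    for finding in review_policy(SAMPLE_EXPORT):
        print(finding)
```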
Update Policy Details
With this API, you can update compliance policies. The policy fields that can be updated using this API are Policy Title, Cover page, and Status (Active/Inactive).
Ensure that you evaluate the policy after making any changes.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy you want to update. |
| policyTitle={value} | Optional | String | Enter a title for the policy. |
| coverPage={value} | Optional | String | Specify the cover page text to set for the policy. It replaces the existing cover page text of the policy. |
| isActive={0 or false|1 or true} | Optional | Boolean | Specify 0 or false to change the policy status to inactive; otherwise, specify 1 or true. |
Sample - Update Policy
API Request
curl -X 'PUT' \
'<qualys_base_url>/pcas/v3/policy' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{"policyId": <policyId>, "policyTitle": "<policyTitle>", "coverPage": "<coverPage>", "isActive": <Boolean True / False>}'
API Response
204
Delete Policy Details
With this API, you can delete a compliance policy and its posture. All related details, such as its exceptions and posture, are deleted.
- The delete method can be executed by the Manager and Auditor users only.
- Only one policy can be deleted at a time.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy you want to delete. |
Sample - Delete Policy
API Request
curl --location --request DELETE \
'https://<qualys_base_url>/pcas/v3/policy?policyId=<policy_id>' \
--header 'accept: */*' \
--header 'Authorization: Bearer <Bearer Token>'
API Response
204
Lock Policy API: Lock or Unlock Compliance Policies
| New or Updated API | New |
| API Endpoint | /pcas/v3/policy/lock/ |
| Method | PUT |
| DTD or XSD changes | No |
Using this API, you can lock or unlock compliance policies.
Ensure that you evaluate the policy after making any changes to it.
Input Parameters
| Parameter Name | Required/ Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy you want to lock or unlock. |
| isLocked={0 or false|1 or true} | Required | Boolean | Use this parameter to lock the policy. Specify 1 or true to lock the policy. Specify 0 or false to unlock the policy. |
Sample - Lock Policy
API Request
curl -X 'PUT' \
'<qualys_base_url>/pcas/v3/policy/lock' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{"policyId": <policyId>, "isLocked": <Boolean True / False>}'
API Response
204
Policy Technology API: Manage Technologies within a Compliance Policy
| New or Updated API | New |
| API Endpoint | /pcas/v3/policy/technology/ |
| Method | GET, POST, and DELETE |
| DTD or XSD changes | No |
Using this API, you can list details, add, and remove technologies within a compliance policy. When you add or remove new technologies to the policy, the existing technologies within the policy remain unaffected.
Ensure that you evaluate the policy after making any changes to it.
List Details of Technologies
With this API, you can get all technologies associated with a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy for which you want to obtain all associated technologies. |
Sample - List all technologies associated with the policy ID
API Request
curl -X 'GET' \
'<qualys_base_url>/pcas/v3/policy/technology?policyId=<Policy ID>' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>'
API Response
{
"policyId": 5656121,
"technologies": [
{
"technologyId": 18,
"technologyName": "Windows Vista"
}
]
}
Add New Technologies
With this API, you can add technologies within a compliance policy. When you add new technologies to the policy, the existing technologies within the policy remain unaffected.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy where the new technology is to be added. |
| technologyIds={value} | Required | Integer List | Specify a valid technology ID in a list format to be added to the policy. |
Sample - Add a new technology to a policy
API Request
curl -X 'POST' \
'<qualys_base_url>/pcas/v3/policy/technology' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{ "policyId": 5656121, "technologyIds": [ 331 ]}'
API Response
[
{
"technologyId": 18,
"technologyName": "Windows Vista"
},
{
"technologyId": 331,
"technologyName": "Windows 11"
}
]
Delete Technology
With this API, you can delete technology from a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy from where the technology is to be deleted. |
| technologyId={value} | Required | Integer | Specify a valid technology ID to be removed from the policy. |
Sample - Remove or Delete a technology from a policy
API Request
curl -X 'DELETE' \
'<qualys_base_url>/pcas/v3/policy/technology?policyId=<PolicyID>&technologyId=<TechnologyID>' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>'
API Response
204
Policy Section API: Manage Section within a Compliance Policy
| New or Updated API | New |
| API Endpoint | /pcas/v3/policy/section/ |
| Method | GET, POST, PUT, and DELETE |
| DTD or XSD changes | No |
Using this API, you can obtain details, add, update, and remove sections within a compliance policy.
Ensure that you evaluate the policy after making any changes to it.
List Sections for a Policy
With this API, you can list the details of a particular section within a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy for which you want to list all section details. |
| sectionNumber={value} | Required | Integer | Enter the section number for which you want to list all details. |
Sample - Retrieve details about a particular section in the policy
API Request
curl -X 'GET' \
'<qualys_base_url>/pcas/v3/policy/section?policyId=5656121&sectionNumber=1' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>'
API Response
{
"sectionNumber": 1,
"sectionHeading": "Section-1",
"controls": [
{
"controlId": 1072,
"sectionNumber": 1,
"controlNumber": 1,
"statement": "Status of the 'Minimum Password Age' setting",
"criticality": "CRITICAL",
"isControlDisable": false,
"referenceText": "Control 1072",
"technologies": [
{
"technologyId": 18,
"technologyName": "Windows Vista",
"evaluate": {
"dp": {
"k": "win.auth.passwords.minage",
"v": [
"1"
],
"description": "The following Integer value <B>X</B> indicates the current status of the <B>'Minimum Password Age' (min_pass_age)</B> within the <B>Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age</B>setting for local accounts.",
"fv": [
{
"value": "161803399999999",
"set": "0",
"description": "Attribute not found"
}
],
"op": "eq"
}
},
"remediation": "Among the characteristics that make user identification via 'password' a workable security solution is setting a minimum password age. Without this minimum age requirement, any user(s) who wish to re-use the same password can merely cycle through a number of previously used passwords until returning to the preferred one (this is determined by the Password History setting)."
}
]
}
]
}
Add New Sections to a Policy
With this API, you can add sections within a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy for which you want to add a section. |
| sectionHeading={value} | Required | Integer | Specify a title for the section to be added for the policy. |
Sample - Add a new section to a policy
API Request
curl -X 'POST' \
'<qualys_base_url>/pcas/v3/policy/section' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{"policyId": 5656121, "sectionHeading": "section 6"}'
API Response
{
"sectionNumber": 2,
"sectionHeading": "section 6",
"controls": []
}
Update Existing Sections in a Policy
With this API, you can update sections within a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy for which you want to update a section. |
| sectionNumber={value} | Required | Integer | Enter the section number for which you want to update details. |
| sectionHeading={value} | Required | String | Specify the title for the section to be updated for the policy. |
Sample - Update an existing section in the policy
API Request
curl -X 'PUT' \
'<qualys_base_url>/pcas/v3/policy/section' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{"policyId": 5656121, "sectionNumber": 2, "sectionHeading": "section66"}'
API Response
204
Delete Sections in a Policy
With this API, you can delete a section within a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy for which you want to delete a section. |
| sectionNumber={value} | Required | Integer | Enter the number of the section that you want to delete. |
Sample - Delete an existing section in the policy
API Request
curl -X 'DELETE' \
'<qualys_base_url>/pcas/v3/policy/section?policyId=5656121&sectionNumber=2' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>'
API Response
204
Policy Section Control API: Manage Controls within Section in a Policy
| New or Updated API | New |
| API Endpoint | /pcas/v3/policy/section/control/ |
| Method | GET, POST, PUT, and DELETE |
| DTD or XSD changes | No |
Using this API, you can obtain details of, add, update, and remove specific controls within a specific section of a compliance policy.
Ensure that you evaluate the policy after making any changes to it.
Get Specific Control within a Section for a Policy
With this API, you can get the details of a specified control within a specified section of a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy for which you want to list all section details. |
| sectionNumber={value} | Required | Integer | Enter the section number for which you want to list all details. |
| controlId={value} | Required | Integer | Enter the ID of the control for which you want to retrieve the details. |
Sample - List the details of a specified control within a specified section of the policy
API Request
curl -X 'GET' \
'<qualys_base_url>/pcas/v3/policy/section/control?policyId=5656121&sectionNumber=1&controlId=1072' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>'
API Response
{
"controlId": 1071,
"sectionNumber": 1,
"controlNumber": 1,
"statement": "Status of the 'Minimum Password Length' setting",
"criticality": "URGENT",
"isControlDisable": false,
"technologies": [
{
"technologyId": 1,
"technologyName": "Windows XP desktop",
"evaluate": {
"dp": {
"k": "win.auth.passwords.minlen",
"v": [
"0"
],
"l": 0,
"description": "The following Integer value <B>X</B> indicates the current status of the <B>Minimum Password Length (min_pass_len)</B> setting for local accounts.",
"op": "ge",
"fv": [
{
"value": "161803399999999",
"set": "0",
"description": "Attribute not found"
}
]
}
},
"remediation": "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):\n\n\tComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password length",
"rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting a 'minimum password length' requirement. Each character that is added to the password length squares the difficulty of breaking the password via 'brute force,' which attempts using every combination possible within the password symbol set-space, in order to discover a user's password. While no 'minimum length' can be guaranteed secure, eight (8) is commonly considered to be the minimum for most application access, along with requiring other password security factors, such as increasing the size of the symbol set-space by requiring mixed-cases, along with other forms of password variability creation, increases the difficulty of breaking any password by brute-force attack."
}
]
}
Add New Controls to a Section in the Policy
With this API, you can add controls within a section of a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy for which you want to add controls within a section. |
| sectionNumber={value} | Required | Integer | Enter the section number to which you want to add controls. |
| controls={value} | Required | String | Specify the list of controls to be added to a particular section of the policy. Each control should contain the following elements: |
Sample - Add a new control to a particular section in the policy
API Request
curl -X 'POST' \
'https://<qualys_base_url>/pcas/v3/policy/section/control' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{
"policyId": 5656121,
"sectionNumber": 1,
"controls": [
{
"controlId": 1048,
"referenceText": "Reference Text",
"isControlDisable": true,
"controlNumber": 2,
"criticality": "CRITICAL"
}
]
}'
API Response
[
{
"controlId": 1048,
"sectionNumber": 1,
"controlNumber": 2,
"statement": "Status of the 'Shutdown: Clear virtual memory pagefile' setting",
"criticality": "CRITICAL",
"isControlDisable": false,
"referenceText": null,
"technologies": [
{
"technologyId": 18,
"technologyName": "Windows Vista",
"evaluate": {
"dp": {
"k": "secman.system.clearpageonshut",
"v": [
"1"
],
"description": "This Integer value <B>X</B> indicates the current status of the setting <B>Shutdown: Clear virtual memory pagefile</B> using the registry key path <B>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\ClearPageFileAtShutdown</B> if configured via <B>Group Policy Editor</B> or <B>Microsoft Intune / MDM</B>. A value of <B>0</B> indicates the setting is <B>Disabled</B>; a value of <B>1</B> indicates the setting is <B>Enabled</B>.",
"fv": [
{
"value": "0",
"set": "1",
"description": "Disabled"
},
{
"value": "1",
"set": "1",
"description": "Enabled"
},
{
"value": "314159265358979",
"set": "1",
"description": "Key not found"
}
],
"op": "eq"
}
},
"remediation": "To configure the group policy setting go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> 'Shutdown: Clear virtual memory pagefile'. Set its value as appropriate to the needs of the business or as per security policy of the organization.", "rational": "This check provides the current status of the 'Shutdown: Clear virtual memory pagefile' setting. The Windows Pagefile contains 'near-time' information stored by system and/or user processes on the hard disk in 'virtual memory,' so that space in the RAM can be freed up for real-time processing needs. Sensitive information, such as logon credentials and other company proprietary information cached from browser/database downloads may be stored in the Pagefile. As this can potentially be read by using an lternative OS when the Windows OS is shut down,this should be configured as appropriate to the needs of the business."
}
]
}
]
Update Control Within a Section in a Policy
With this API, you can update a control within a section of a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy in which you want to update a control within a section. |
| sectionNumber={value} | Required | Integer | The number of the section in which you want to update a control. |
| controlId={value} | Required | Integer | The ID of the control that needs to be updated in a particular section of the policy. |
| criticality={value} | Optional | String | Specify the control criticality value as defined in the specific control. Default Values: CRITICAL, MEDIUM, UNDEFINE, URGENT, MINIMAL, SERIOUS. |
| referenceText={value} | Optional | String | Reference text for the control to be updated within the section of the policy. |
| isControlDisable={value} | Optional | String | Specify either 'true' or 'false' to disable or enable the control. |
| controlNumber={value} | Optional | Integer | The new control number, if you want to modify the sequence of a control within the section of a policy. |
Sample - Update a control within a specified section of the policy
API Request
curl -X 'PUT' \
'https://<qualys_base_url>/pcas/v3/policy/section/control' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{
"policyId": 5656121,
"sectionNumber": 1,
"controlId": 1072,
"criticality": "CRITICAL",
"referenceText": "Control 1072",
"isControlDisable": false,
"controlNumber": 1
}'
API Response
204
Delete Control Within a Section in a Policy
With this API, you can delete a control within a section of a compliance policy.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | Enter the ID of the policy from which you want to delete a control within a section. |
| sectionNumber={value} | Required | Integer | Enter the section number for which you want to remove a control. |
| controlId={value} | Required | Integer | Enter the ID of the control that needs to be removed from a particular section of the policy. |
Sample - Delete a control within a specified section of the policy
API Request
curl -X 'DELETE' \
'<qualys_base_url>/pcas/v3/policy/section/control?policyId=<PolicyID>&sectionNumber=<SectionNumber>&controlId=<ControlID>' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>'
API Response
204
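Because the update and delete calls above can change a control's criticality, disable it, or remove it, comparing two exports of the same policy shows what changed between reviews. The following Python sketch is an added example, not Qualys code: the two snapshots are constructed from fields shown in the export response, and the choice of which changes count as reduced coverage is an assumption of this example.

```python
WATCHED = ("criticality", "isControlDisable", "controlNumber", "referenceText")


def index_controls(policy):
    """Map (sectionNumber, controlId) to the control object of an exported policy."""
    return {(s["sectionNumber"], c["controlId"]): c
            for s in policy.get("sections", []) for c in s.get("controls", [])}


def diff_policies(before, after):
    """Return (scope, field, old, new) tuples for every difference found."""
    changes = []
    for field in ("policyTitle", "isActive", "isLocked"):
        if before.get(field) != after.get(field):
            changes.append(("policy", field, before.get(field), after.get(field)))
    old, new = index_controls(before), index_controls(after)
    for sec, cid in sorted(old.keys() - new.keys()):
        changes.append((f"section {sec} control {cid}", "control", "present", "removed"))
    for sec, cid in sorted(new.keys() - old.keys()):
        changes.append((f"section {sec} control {cid}", "control", "absent", "added"))
    for key in sorted(old.keys() & new.keys()):
        scope = f"section {key[0]} control {key[1]}"
        for field in WATCHED:
            if old[key].get(field) != new[key].get(field):
                changes.append((scope, field, old[key].get(field), new[key].get(field)))
        old_t = sorted(t["technologyId"] for t in old[key].get("technologies", []))
        new_t = sorted(t["technologyId"] for t in new[key].get("technologies", []))
        if old_t != new_t:
            changes.append((scope, "technologies", old_t, new_t))
    return changes


def weakening(changes):
    """Changes that reduce what is checked (this example's own definition)."""
    flagged = []
    for scope, field, old, new in changes:
        if ((field == "isControlDisable" and new is True)
                or (field == "control" and new == "removed")
                or (field == "isActive" and new is False)
                or (field == "technologies" and set(old) - set(new))):
            flagged.append((scope, field, old, new))
    return flagged


def make_control(control_id, number, criticality, disabled, tech_ids):
    """Build a constructed control object with the exported field names."""
    return {"controlId": control_id, "controlNumber": number,
            "criticality": criticality, "isControlDisable": disabled,
            "referenceText": None,
            "technologies": [{"technologyId": t} for t in tech_ids]}


def make_policy(locked, controls):
    """Build a constructed single-section policy snapshot."""
    return {"policyId": 5656121, "policyTitle": "Documentation_Policy",
            "isActive": True, "isLocked": locked,
            "sections": [{"sectionNumber": 1, "sectionHeading": "Section-1",
                          "controls": controls}]}


# Constructed snapshots: the second one was unlocked and edited.
BEFORE = make_policy(True, [make_control(1072, 1, "CRITICAL", False, [18]),
                            make_control(1048, 2, "CRITICAL", False, [18, 54])])
AFTER = make_policy(False, [make_control(1072, 1, "MINIMAL", True, [18]),
                            make_control(1048, 2, "CRITICAL", False, [18])])

if __name__ == "__main__":
    all_changes = diff_policies(BEFORE, AFTER)
    for change in all_changes:
        print(change)
    print("needs review:", weakening(all_changes))
```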
Policy Section Control Technology API: Manage Technologies for a Control within a Policy Section
| New or Updated API | New |
| API Endpoint | /pcas/v3/policy/section/control/technology/ |
| Method | GET, POST, and DELETE |
| DTD or XSD changes | No |
Using this API, you can list details of, add, and remove technologies associated with a specific control within the policy section.
Ensure that you evaluate the policy after making any changes to it.
List Technologies for Specific Control and Sections
With this API, you can list technologies associated with a specific control within the policy section.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy from which you want to retrieve control technologies within a section. |
| sectionNumber={value} | Required | Integer | Enter the section number for which you want to retrieve control technologies. |
| controlId={value} | Required | Integer | Enter the ID of the control within a specific policy section for which you need to retrieve associated technologies. |
Sample - List technologies for specified control and section within the Policy
API Request
curl -X 'GET' \
'<qualys_base_url>/pcas/v3/policy/section/control/technology?policyId=5656121&sectionNumber=1&controlId=1048' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>'
API Response
{
"policyId": 725886,
"sectionNumber": 1,
"controlId": 1071,
"technologies": [
{
"technologyId": 1,
"technologyName": "Windows XP desktop",
"evaluate": {
"dp": {
"k": "win.auth.passwords.minlen",
"v": [
"0"
],
"l": 0,
"description": "The following Integer value <B>X</B> indicates the current status of the <B>Minimum Password Length (min_pass_len)</B> setting for local accounts.",
"op": "ge",
"fv": [
{
"value": "161803399999999",
"set": "0",
"description": "Attribute not found"
}
]
}
},
"remediation": "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):\n\n\tComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password length",
"rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting a 'minimum password length' requirement. Each character that is added to the password length squares the difficulty of breaking the password via 'brute force,' which attempts using every combination possible within the password symbol set-space, in order to discover a user's password. While no 'minimum length' can be guaranteed secure, eight (8) is commonly considered to be the minimum for most application access, along with requiring other password security factors, such as increasing the size of the symbol set-space by requiring mixed-cases, along with other forms of password variability creation, increases the difficulty of breaking any password by brute-force attack."
}
]
}
Add New Technologies to a Control and Section
With this API, you can add new technologies for a specific control within the policy section.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | Enter the ID of the policy for which you want to add technologies within a section. |
| sectionNumber={value} | Required | Integer | Enter the section number for which you want to add technologies. |
| controlId={value} | Required | Integer | Enter the ID of the control within a specific policy section where the technologies need to be added. |
| technologyIds={value} | Required | Integer List | Enter valid technology IDs in a list format to be added. |
Sample - Add technology to a control
API Request
curl -X 'POST' \
'http://<Base URL>/pcas/v3/policy/section/control/technology' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{
"policyId": 5656121,
"sectionNumber": 1,
"controlId": 1048,
"technologyIds": [
54
]
}'
API Response
[
{
"technologyId": 18,
"technologyName": "Windows Vista"
},
{
"technologyId": 54,
"technologyName": "Windows 8"
}
]
Delete Technology from a Control and Section
With this API, you can delete technology for a specific control within the policy section.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | Enter the ID of the policy from which you want to remove a technology within a section. |
| sectionNumber={value} | Required | Integer | Enter the section number for which you want to remove a technology. |
| controlId={value} | Required | Integer | Enter the ID of the control within a specific policy section where the technology needs to be removed. |
| technologyId={value} | Required | Integer | Enter a valid technology ID that is to be removed. |
Sample - Delete technology from a control and section
API Request
curl -X 'DELETE' \
'<qualys_base_url>/pcas/v3/policy/section/control/technology?policyId=5656121&sectionNumber=1&controlId=1048&technologyId=54' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>'
API Response
204
Policy Section Control Technology Evaluate API: Manage Evaluations Associated to Specific Technology under Control for Policy
| New or Updated API | New |
| API Endpoint | /pcas/v3/policy/section/control/technology/evaluation/ |
| Method | GET and PUT |
| DTD or XSD changes | No |
Using this API, you can retrieve or modify evaluation fields for technology associated with a specified control within a policy section.
List Detailed Technology Evaluate Data
With this API, you can list evaluation fields for technology associated with a specified control within a policy section.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy from which you want to retrieve evaluation fields for technology associated with a specified control within a policy section. |
| sectionNumber={value} | Required | Integer | Enter the section number for which you want to obtain technology evaluation fields. |
| controlId={value} | Required | Integer | Enter the ID of the control within policy section for which you want to retrieve technology evaluation fields. |
| technologyId={value} | Required | Integer | Enter a valid technology ID for which you want to retrieve technology evaluation fields. |
Sample - List detailed technology evaluate data for given technologyId, control and section of the policy
API Request
curl -X 'GET' \
'<qualys_base_url>/pcas/v3/policy/section/control/technology/evaluation?policyId=5656121&sectionNumber=1&controlId=1048&technologyId=54' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <Auth Token>'
API Response
{
"controlId": 1071,
"sectionNumber": 1,
"controlNumber": 1,
"statement": "Status of the 'Minimum Password Length' setting",
"criticality": "URGENT",
"isControlDisable": false,
"technologies": [
{
"technologyId": 1,
"technologyName": "Windows XP desktop",
"evaluate": {
"dp": {
"k": "win.auth.passwords.minlen",
"v": [
"0"
],
"l": 0,
"description": "The following Integer value <B>X</B> indicates the current status of the <B>Minimum Password Length (min_pass_len)</B> setting for local accounts.",
"op": "ge",
"fv": [
{
"value": "161803399999999",
"set": "0",
"description": "Attribute not found"
}
]
}
},
"remediation": "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):\n\n\tComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password length",
"rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting a 'minimum password length' requirement. Each character that is added to the password length squares the difficulty of breaking the password via 'brute force,' which attempts using every combination possible within the password symbol set-space, in order to discover a user's password. While no 'minimum length' can be guaranteed secure, eight (8) is commonly considered to be the minimum for most application access, along with requiring other password security factors, such as increasing the size of the symbol set-space by requiring mixed-cases, along with other forms of password variability creation, increases the difficulty of breaking any password by brute-force attack."
}
]
}
Update Evaluation Condition within a Section of a Policy
With this API, you can update evaluation fields for technology associated with a specified control within a policy section. The following evaluation fields can be updated:
- op (Operator)
- v (Value)
- fv (Fixed Values)
- CD (Cardinalities)
- Remediation
The supported operators and cardinalities are as follows:
- Operators (op)
  - equal (=)
  - less than (<)
  - less than equal (<=)
  - greater than (>)
  - greater than equal (>=)
  - not equal (!=)
  - regular expression
  - XEQ
  - XRE
  - RANGE
  - IN
- Cardinalities - Regular expression, XEQ, and XRE operators can have the following cardinality options:
  - match none
  - match all
  - match any
  - empty
  - not empty
  - contain
  - does not contain
  - match
  - intersect
  - is contained in
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| policyId={value} | Required | Integer | The ID of the policy for which you want to update technology evaluation fields. |
| sectionNumber={value} | Required | Integer | The section number for which you want to update technology evaluation fields. |
| controlId={value} | Required | Integer | The ID of the control within policy section for which you want to update technology evaluation fields. |
| technologyId={value} | Required | Integer | Enter a valid technology ID for which you want to update technology evaluation fields. |
| Evaluate={value} | Optional | String | Enter the evaluate data points to be updated: op (Operator), v (Value), fv (Fixed Values) can be enabled or disabled, CD (Cardinalities), and remediation. |
| remediation={value} | Optional | String | Enter the Remediation to be updated. |
Sample - Update technology evaluate data for control and policy
API Request
curl -X 'PUT' \
'<qualys_base_url>/pcas/v3/policy/section/control/technology/evaluation' \
-H 'accept: */*' \
-H 'Authorization: Bearer <Auth Token>' \
-H 'Content-Type: application/json' \
-d '{
"policyId": 5656121,
"sectionNumber": 2,
"controlId": 1114,
"technologyId": 25,
"evaluate": {
"dp": {
"k": "secman.network.www-apache",
"v": [
"3",
"5"
],
"description": "The following List Integer value <B>X</B> indicates whether or not this host'\''s <B>Apache webserver</B> service is operational. When enabled for multiuser operation (console login only) the RUNLEVEL should be <B>3</B>; when enabled for multiuser operation (console + GUI login), the RUNLEVEL should be <B>5</B>.",
"cd": "is contained in",
"op": "xeq",
"fv": [
{
"value": "161803399999999",
"set": "1",
"description": "Service disabled"
},
{
"value": "314159265358979",
"set": "1",
"description": "Service not found"
}
]
}
},
"remediation": "Remediation text to be updated"
} '
API Response
204
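An added Python example (not Qualys code) of the read-modify-write cycle the List and Update calls allow: it scans a List response for `ge` conditions whose value is 0 or lower, as in the sample above where the minimum password length check uses `op` `ge` with `v` `0` while the remediation text asks for 14 or more, and builds the matching update body. The function names and the shortened sample are constructed for illustration; only the `dp` keys that appear in the PUT sample are sent.

```python
import copy

# Keys that appear inside "dp" in this page's PUT sample; others (such as "l") are not sent.
PUT_DP_KEYS = ("k", "v", "description", "cd", "op", "fv")

def vacuous_thresholds(evaluation):
    """Return (technologyId, key, value) for 'ge' checks whose threshold is <= 0.

    A setting that can only be zero or positive always satisfies such a check.
    """
    findings = []
    for tech in evaluation.get("technologies", []):
        dp = tech.get("evaluate", {}).get("dp", {})
        if dp.get("op") != "ge":
            continue
        for raw in dp.get("v", []):
            try:
                if int(raw) <= 0:
                    findings.append((tech["technologyId"], dp.get("k"), raw))
            except ValueError:
                pass  # non-numeric value, so not a numeric threshold
    return findings

def build_update(policy_id, evaluation, technology_id, new_value, remediation=None):
    """Build the PUT body that sets one technology's expected value to new_value."""
    tech = next((t for t in evaluation.get("technologies", [])
                 if t["technologyId"] == technology_id), None)
    if tech is None:
        raise KeyError(f"technology {technology_id} is not attached to this control")
    dp = {k: copy.deepcopy(v) for k, v in tech["evaluate"]["dp"].items()
          if k in PUT_DP_KEYS}
    dp["v"] = [str(new_value)]
    return {
        "policyId": policy_id,
        "sectionNumber": evaluation["sectionNumber"],
        "controlId": evaluation["controlId"],
        "technologyId": technology_id,
        "evaluate": {"dp": dp},
        "remediation": tech.get("remediation", "") if remediation is None else remediation,
    }

# Constructed sample: the GET response shape from this page, with long text shortened.
SAMPLE = {
    "controlId": 1071, "sectionNumber": 1, "controlNumber": 1,
    "technologies": [{
        "technologyId": 1, "technologyName": "Windows XP desktop",
        "evaluate": {"dp": {
            "k": "win.auth.passwords.minlen", "v": ["0"], "l": 0,
            "description": "Minimum Password Length (shortened)", "op": "ge",
            "fv": [{"value": "161803399999999", "set": "0",
                    "description": "Attribute not found"}]}},
        "remediation": "Set Minimum password length to 14 or more character(s).",
    }],
}

if __name__ == "__main__":
    print(vacuous_thresholds(SAMPLE))
    print(build_update(5656121, SAMPLE, 1, 14))
```

Serialize the returned dictionary with `json.dumps` as the `-d` body of the PUT request, then evaluate the policy as the page instructs after any change.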
Get Posture Info API: View API Response in JSON Format
| New or Updated API | Updated |
| API Endpoint | /pcrs/3.0/posture/postureInfo/ |
| EOS Timeline | May 2026 |
| EOL Timeline | November 2026 |
| API Endpoint (New Version) | /pcrs/4.0/posture/postureInfo/ |
| Method | POST |
| DTD or XSD changes | No |
Earlier, the cloud resource metadata for assets was returned as a string in the API response, which made the information difficult to interpret. With this enhancement, the posture information for all the specified hosts for each policy ID included in the API response is returned in JSON format.
When you execute an API request for posture information with the input parameter cloudResourceMetadata=1, the cloud resource metadata for all asset types is returned in the API response in JSON format. The asset types include GCP, Azure, AWS, and so on.
Sample - Retrieve compliance posture information
API Request
curl --location '<qualys_base_url>/pcrs/4.0/posture/postureInfo?evidenceRequired=1&compressionRequired=0&cloudMetaDataRequired=1' \
--header 'accept: */*' \
--header 'Authorization: Bearer <JWT TOKEN>' \
--header 'Content-Type: application/json' \
--data '[
{
"policyId": "1438442",
"subscriptionId": "822838",
"hostIds": [
"4783735",
"4980343"
]
}
]'
API Response
[
{
"id": <id>,
"instance": "os",
"policyId": <policy_id>,
"policyTitle": "GCP policy-Neha",
"netBios": "NEW-SPIN123",
"controlId": <control_id>,
"controlStatement": "Status of the 'Minimum Password Length' setting",
"rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting a 'minimum password length' requirement. Each character that is added to the password length squares the difficulty of breaking the password via 'brute force,' which attempts using every combination possible within the password symbol set-space, in order to discover a user's password. While no 'minimum length' can be guaranteed secure, eight (8) is commonly considered to be the minimum for most application access, along with requiring other password security factors, such as increasing the size of the symbol set-space by requiring mixed cases, along with other forms of password variability creation, increases the difficulty of breaking any password by brute-force attack.",
"remediation": "To specify password length requirements for new accounts, edit the file \"/etc/login.defs\" and add or correct the following lines: \n\nPASS_MIN_LEN <required value>\n\nexample:\n\nPASS_MIN_LEN 14\n\n\nNote:\nThe DoD requirement is \"14\". If a program consults \"/etc/login.defs\" and also another PAM module (such as \"pam_cracklib\") during a password change operation, then the most restrictive must be satisfied.",
"category": "Access Control Requirements",
"subCategory": "Authentication/Passwords",
"controlReference": null,
"technologyId": 81,
"status": "Passed",
"previousStatus": "Passed",
"firstFailDate": "",
"lastFailDate": "",
"firstPassDate": "2025-03-23T07:10:02Z",
"lastPassDate": "2025-03-23T07:10:02Z",
"postureModifiedDate": "2025-03-23T07:10:02Z",
"lastEvaluatedDate": "2025-03-23T07:10:02Z",
"created": "2025-04-16T12:24:23Z",
"hostId": 4783735,
"ip": "10.xxx.x.19",
"trackingMethod": "AGENT",
"os": null,
"osCpe": null,
"domainName": "121.xxx.xxx.34.bc.googleusercontent.com",
"dns": "121.xxx.xxx.xx.bc.googleusercontent.com",
"qgHostid": "c4b0cde6-9017-4340-933e-afbbc71556b4",
"networkId": 0,
"networkName": "Global Default Network",
"complianceLastScanDate": "2024-10-04T09:39:21Z",
"customerUuid": "93f7ad53-1590-e3ac-83cd-322b91180e13",
"customerId": "1337821",
"assetId": 41157957,
"technology": {
"id": 81,
"name": "Red Hat Enterprise Linux 7.x"
},
"criticality": {
"label": "URGENT",
"value": 5
},
"evidence": {
"expectedValues": "\nSetting not found\n------------ OR ------------\nFile not found\n------------ OR ------------\ngreater than or equal to\n0",
"currentValues": [
"5"
],
"actualValues": null,
"directoryFimUdc": null,
"lastUpdated": "2025-04-20T08:52:58Z",
"extendedEvidence": "Row 1:File name,Setting,Value\nRow 2:/etc/login.defs,PASS_MIN_LEN,5\n",
"description": "The following Integer value X indicates the current value of the PASS_MIN_LEN setting as defined within the /etc/login.defs file."
},
"causeOfFailure": null,
"userDefinedAttributesList": null,
"currentDataSizeKB": "3.39",
"totalDataSizeKB": "3.39",
"currentBatch": 1,
"totalBatches": 1,
"cloudMetaData": {
"cloudProvider": "GCP",
"cloudService": "Compute Engine",
"cloudResourceId": "3654664005469669138",
"cloudResourceType": "Instance",
"cloudAccountId": "175127636344",
"cloudImageId": null,
"cloudResourceMetadata": {
"publicIpAddress": "34.136.202.121",
"privateIpAddress": "10.128.0.19",
"machineType": "custom-1-1024",
"zone": null,
"projectId": "qlys-devqa-qweb",
"state": "STOPPED",
"network": "N/A",
"macAddress": null
}
},
"CLOUD_RESOURCE_ID": "3654664005469669138"
},
.......
{
"id": 19029079,
"instance": "os",
"policyId": 1438442,
"policyTitle": "GCP policy-Neha",
"netBios": "INSTANCE-20250423-173020",
"controlId": 1131,
"controlStatement": "Status of the 'Trivial File Transfer Protocol (TFTP)' service",
"rationale": "The 'TFTP' service is both a command and TCP protocol that is normally used only for booting diskless workstations, getting or saving network component configuration files, or as a 'kickstart' type host configuration from a network-based template. The connection initiation and data transfer is all done in clear text without requiring credentials of any kind. As a malicious user with a 'sniffer' running on the network, could easily capture the data and/or reproduce the same operation, simply by knowing the name of the file(s) and the source address(es), this process should be disabled/restricted according to the needs of the business.",
"remediation": "Review \"/etc/inetd.conf\" file to check whether tftp service's configuration in line with business needs and organization's security policies.\n\nExample: To disable the tftp service,\n\nRemove or comment out any tftp lines in /etc/inetd.conf: \n# tftp stream tcp nowait root internal",
"category": "Services",
"subCategory": "Guidelines/Procedures (Services)",
"controlReference": null,
"technologyId": 346,
"status": "Passed",
"previousStatus": "Passed",
"firstFailDate": "",
"lastFailDate": "",
"firstPassDate": "2025-04-06T09:48:19Z",
"lastPassDate": "2025-04-06T09:48:19Z",
"postureModifiedDate": "2025-04-06T09:48:19Z",
"lastEvaluatedDate": "2025-04-06T09:48:19Z",
"created": "2025-04-16T12:24:26Z",
"hostId": 4980343,
"ip": "34.xxx.xxx.84",
"trackingMethod": "AGENT",
"os": "Debian Linux 11.1",
"osCpe": null,
"domainName": "179.xx.xxx.35.bc.googleusercontent.com",
"dns": "179.xx.xxx.35.bc.googleusercontent.com",
"qgHostid": "4bd9e81e-12f8-4d8f-a51d-c475131a55b8",
"networkId": 0,
"networkName": "Global Default Network",
"complianceLastScanDate": "2025-04-06T09:39:21Z",
"customerUuid": "93f7ad53-1590-e3ac-83cd-322b91180e13",
"customerId": "1337821",
"assetId": 42078290,
"technology": {
"id": 346,
"name": "Debian GNU/Linux 11.x"
},
"criticality": {
"label": "SERIOUS",
"value": 3
},
"evidence": {
"expectedValues": "\nDisabled (0)\n------------ OR ------------\nEnabled (1)\n------------ OR ------------\nSetting not found\n------------ OR ------------\nFile not found",
"currentValues": [
"File not found"
],
"actualValues": null,
"directoryFimUdc": null,
"lastUpdated": "2025-04-04T09:39:21Z",
"extendedEvidence": "Row 1:\n",
"description": "The following List String value of X indicates the status of the tftp service configured within the /etc/xinetd.conf, /etc/xinetd.d/*, /etc/inetd.conf and /etc/inetd.d/* files on the host. A value of 0 indicates the service is disabled; and a value of 1 indicates the service is enabled on the host."
},
"causeOfFailure": null,
"userDefinedAttributesList": null,
"currentDataSizeKB": "3.27",
"totalDataSizeKB": "97.52",
"currentBatch": 1,
"totalBatches": 1,
"cloudMetaData": {
"cloudProvider": "GCP",
"cloudService": "Compute Engine",
"cloudResourceId": "2182777093928348127",
"cloudResourceType": "Instance",
"cloudAccountId": "175127636344",
"cloudImageId": null,
"cloudResourceMetadata": {
"publicIpAddress": "35.xxx.xx.179",
"privateIpAddress": "10.xxx.x.27",
"machineType": "e2-medium",
"zone": null,
"projectId": "qlys-devqa-qweb",
"state": "RUNNING",
"network": "N/A",
"macAddress": null
}
},
"CLOUD_RESOURCE_ID": "2182777093928348127"
}
]
Get Host ID API: Resolve Host IDs for Compliance Policies
| New or Updated API | Updated |
| API Endpoint | /pcrs/3.0/posture/hostids/ |
| EOS Timeline | NA |
| EOL Timeline | NA |
| API Endpoint (New Version) | /pcrs/4.0/posture/hostids/ |
| Method | GET |
| DTD or XSD changes | No |
With this release, we have introduced the Get Host ID API (/pcrs/4.0/posture/hostids/) that helps you resolve host IDs for one or more compliance policies. The API also provides optional filters, such as policyId, lastScanDate, and statusChangedSince, that help in getting more accurate results for host IDs.
With the launch of the new API endpoint, /pcrs/4.0/posture/hostids/, we will not be adding End of Support (EOS) and End of Life (EOL) timelines for its previous versions, /pcrs/3.0/posture/hostids/ and /pcrs/2.0/posture/hostids/.
The V4.0 and V3.0 APIs are designed specifically to retrieve Policy Audit (PA) / Policy Compliance (PC) asset data. To fetch both PA/PC and SCA asset data, you should continue using V2.0. If you require V4.0 and V3.0 to support SCA asset data, please contact your Technical Account Manager (TAM).
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| Authorization | Required | String | Enter the Authorization Bearer token. |
| policyId | Optional | String | Enter one or more comma-separated policy IDs. If omitted, hosts are resolved for all policies in the subscription. |
| lastScanDate | Optional | String | Get the host IDs based on the date they were last scanned. |
| statusChangedSince | Optional | String | Resolve hosts whose posture/status was modified since this date. |
Sample - Resolve Host IDs
Resolve Host IDs With Single Policy ID
API Request
curl -X GET '<qualys_base_url>/pcrs/4.0/posture/hostids?policyId=<POLICY ID>' -H "accept: */*" -H "Authorization: Bearer Token"
API Response
[
{
"policyId": "<POLICY ID>",
"subscriptionId": "<SUBSCRIPTION ID>",
"hostIds": [
"<HOST ID>"
]
}
]
Resolve Host IDs With Multiple Policy IDs
API Request
curl -X GET '<qualys_base_url>/pcrs/4.0/posture/hostids?policyId=xxx,xxx' -H "accept: */*" -H "Authorization: Bearer Token"
API Response
[
{
"policyId": "<POLICY ID>",
"subscriptionId": "<SUBSCRIPTION ID>",
"hostIds": [
"<HOST ID>"
]
},
{
"policyId": "<POLICY ID>",
"subscriptionId": "<SUBSCRIPTION ID>",
"hostIds": [
"<HOST ID>"
]
}
]
Resolve Host IDs Based on the Specified Last Scan Date
API Request
curl -X GET '<qualys_base_url>/pcrs/4.0/posture/hostids?policyId=4677689&lastScanDate=2022-05-25' -H "accept: */*" -H "Authorization: Bearer Token"
API Response
[
{
"policyId": "4677689",
"subscriptionId": "<SUBSCRIPTION ID>",
"hostIds": [
"<HOST ID 1>",
"<HOST ID 2>",
"<HOST ID 3>",
"<HOST ID 4>",
"<HOST ID 5>"
]
}
]
Sample - Resolve Host IDs based on the specific posture modification date
API Request
curl -X GET '<qualys_base_url>/pcrs/4.0/posture/hostids?policyId=<Policy_ID>&statusChangedSince=<Date>' \
-H "accept: */*" -H "Authorization: Bearer Token"
API Response
[
{
"policyId": <Policy_ID>,
"subscriptionId": <Subscription_id>,
"hostIds": [
<Host_IDs>,
<Host_IDs>,
<Host_IDs>
]
}
]
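The Get Host ID response has the same shape as the request body of the Get Posture Info sample, so one call can feed the other. The following added Python example (not Qualys code) builds the hostids URL with encoded filters, splits a hostids response into postureInfo request bodies, and lists the records that did not pass, reading the cloud resource metadata as a JSON object. The base URL, the batch size, the function names, the sample IDs and IPs, and the status value "Failed" are assumptions made for illustration.

```python
from urllib.parse import urlencode

BASE_URL = "https://qualys.example.invalid"  # stand-in for <qualys_base_url>

def hostids_url(policy_ids=(), last_scan_date=None, status_changed_since=None):
    """Build the GET hostids URL; every filter is optional and URL-encoded."""
    params = {}
    if policy_ids:
        params["policyId"] = ",".join(str(p) for p in policy_ids)
    if last_scan_date:
        params["lastScanDate"] = last_scan_date
    if status_changed_since:
        params["statusChangedSince"] = status_changed_since
    query = urlencode(params, safe=",")
    return f"{BASE_URL}/pcrs/4.0/posture/hostids" + (f"?{query}" if query else "")

def posture_info_bodies(hostids_response, batch_size=2):
    """Turn a hostids response into postureInfo POST bodies of <= batch_size hosts."""
    bodies = []
    for entry in hostids_response:
        hosts = entry.get("hostIds") or []
        for i in range(0, len(hosts), batch_size):
            bodies.append([{"policyId": entry["policyId"],
                            "subscriptionId": entry["subscriptionId"],
                            "hostIds": hosts[i:i + batch_size]}])
    return bodies

def not_passed(records):
    """Return records whose status is not 'Passed', highest criticality first."""
    rows = []
    for rec in records:
        if rec.get("status") == "Passed":
            continue
        # cloudResourceMetadata is a JSON object in v4.0; null or absent is assumed possible.
        meta = (rec.get("cloudMetaData") or {}).get("cloudResourceMetadata") or {}
        rows.append({
            "hostId": rec.get("hostId"),
            "controlId": rec.get("controlId"),
            "criticality": (rec.get("criticality") or {}).get("value", 0),
            "current": (rec.get("evidence") or {}).get("currentValues"),
            "state": meta.get("state"),
            "publicIp": meta.get("publicIpAddress"),
        })
    return sorted(rows, key=lambda r: r["criticality"], reverse=True)

# Constructed samples in the shapes shown on this page; IDs, IPs and "Failed" are made up.
HOSTIDS = [{"policyId": "1438442", "subscriptionId": "822838",
            "hostIds": ["101", "102", "103"]}]
RECORDS = [
    {"hostId": 101, "controlId": 1071, "status": "Passed",
     "criticality": {"label": "URGENT", "value": 5}, "cloudMetaData": None},
    {"hostId": 102, "controlId": 1131, "status": "Failed",
     "criticality": {"label": "SERIOUS", "value": 3},
     "evidence": {"currentValues": ["1"]}, "cloudMetaData": None},
    {"hostId": 103, "controlId": 1071, "status": "Failed",
     "criticality": {"label": "URGENT", "value": 5},
     "evidence": {"currentValues": ["5"]},
     "cloudMetaData": {"cloudProvider": "GCP", "cloudResourceMetadata": {
         "publicIpAddress": "203.0.113.10", "state": "RUNNING"}}},
]
```

Each element of `posture_info_bodies(...)` is a complete `--data` payload for one POST to /pcrs/4.0/posture/postureInfo.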