Policy Audit Release 1.7 API
January 5, 2026
Before reviewing the API release highlights, find the API server URL to use in your API requests by referring to the Know Your Qualys API Server URL section. In these release notes, <qualys_base_url> stands for that URL in the sample API requests.
We have implemented versioning for APIs. For more information on API versioning, refer to the Updates on API Versioning Standards & Deprecation Timelines blog.
Get Posture Info API
| New or Updated API | Updated |
| API Endpoint (New Version) | /pcrs/5.0/posture/postureInfo/ |
| Method | POST |
| DTD or XSD changes | No |
With this release we have implemented two new enhancements in the Get Posture Info API. They are:
View QDS Score in API Response
With this enhancement, you can view the Qualys Detection Score (QDS) in the API responses.
Previously, the QDS could be viewed only in the Posture tab.
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| qdScoreRequired={0|1} | Optional | Integer | Set to 1 to retrieve the QDS in the API response; otherwise set to 0. The default value is 0. |
Sample - Display QDS in API response
API Request
curl -X POST "https://<qualys_base_url>/pcrs/5.0/posture/postureInfo?evidenceRequired=1&compressionRequired=0&qdScoreRequired=1" \
-H "accept: */*" \
-H "Authorization: Bearer Token" \
-H "Content-Type: application/json" \
-d "[{\"policyId\":\"POLICY ID\",\"subscriptionId\":\"SUBSCRIPTION ID\",\"hostIds\":[\"HOST ID1\",\"HOST ID2\"]}]"
API Response
{
"id": 33529705,
"instance": "os",
"policyId": 5772988,
"policyTitle": "Centos policy",
"netBios": null,
"controlId": 2641,
"controlStatement": "Current list of 'inactive user accounts' and their 'last login Information' value(s)",
"rationale": "Periodic account reviews showing the 'inactive user accounts and their last login information' can be performed to support security and compliance policies. This check can be run against all accounts or only those you specify to quickly determine if unused accounts need to be disabled. This check can also be used in support of incident response activities and act as evidence to show timeliness associated with when specific accounts were last used to support legal investigations. As inactive accounts can provide access for unauthorized activities, this check should be run regularly according to the security and compliance policies of the business.",
"remediation": "Review and Verify Periodically the user accounts and their last login information to determine if inactive accounts need to be disabled as per business needs and the organization's security policy.",
"category": "Access Control Requirements",
"subCategory": "Account Creation/User Management",
"controlReference": null,
"technologyId": 80,
"status": "Failed",
"previousStatus": "Failed",
"firstFailDate": "2025-10-20T19:25:43Z",
"lastFailDate": "2025-12-08T20:37:38Z",
"firstPassDate": "",
"lastPassDate": "",
"postureModifiedDate": "2025-10-20T19:25:34Z",
"lastEvaluatedDate": "2025-12-08T20:37:38Z",
"created": "2025-12-11T10:48:01Z",
"hostId": 13440667,
"ip": "10.11.70.161",
"trackingMethod": "IP",
"os": null,
"osCpe": null,
"domainName": null,
"dns": null,
"qgHostid": null,
"networkId": 0,
"networkName": "Global Default Network",
"complianceLastScanDate": "2025-09-25T08:44:47Z",
"customerUuid": "8db3e9cd-8e85-494b-817b-098c0cd67934",
"customerId": "2591847",
"assetId": 54537016,
"technology": {
"id": 80,
"name": "CentOS 7.x"
},
"criticality": {
"label": "CRITICAL",
"value": 4
},
"evidence": {
"expectedValues": "\nLast login info not found\n------------ OR ------------\n/var/log/lastlog not found\n------------ OR ------------\nmatch all regular expression match\n.*:([0-9]$|[0-9][0-9]$|100$)",
"currentValues": [
"root:0",
"rdlab:1758",
"qtestos:1758"
],
"actualValues": null,
"directoryFimUdc": null,
"lastUpdated": "2025-09-25T08:44:47Z",
"extendedEvidence": null,
"description": "This List String value of X returns the information of the Inactive User's last login on the host. NOTE : It returns list of all active user name and the inactive days."
},
"causeOfFailure": {
"missing": {
"logic": null,
"value": [
"------------ OR ------------",
"Last login info not found",
"------------ OR ------------",
"/var/log/lastlog not found"
]
},
"unexpected": {
"value": [
"rdlab:1758",
"qtestos:1758"
]
}
},
"userDefinedAttributesList": null,
"currentDataSizeKB": "2.79",
"totalDataSizeKB": "233.56",
"currentBatch": 1,
"totalBatches": 1,
"qds": 56,
"CLOUD_RESOURCE_ID": null
}
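One way to use the returned score for remediation ordering, as an added example that is not part of the Qualys release notes: it ranks failed controls by the qds field and keeps the unexpected values from causeOfFailure for the ticket. The function name and all sample records except the first are constructed, and a missing qds is assumed to mean the score was not requested.

```python
import json

def triage_failed(response_text):
    """Return failed posture records, highest QDS first, unscored last."""
    data = json.loads(response_text)
    # The samples on this page show both a bare object and an array.
    records = data if isinstance(data, list) else [data]
    findings = []
    for rec in records:
        # Status casing differs between samples ("Failed" vs "passed").
        if str(rec.get("status", "")).lower() != "failed":
            continue
        cause = rec.get("causeOfFailure") or {}       # may be null
        crit = rec.get("criticality") or {}
        findings.append({
            "hostId": rec.get("hostId"),
            "controlId": rec.get("controlId"),
            "qds": rec.get("qds"),                    # None if not returned
            "criticality": crit.get("value", 0),
            "unexpected": (cause.get("unexpected") or {}).get("value") or [],
        })
    # Scored findings first (descending QDS, then criticality); a failed
    # control without a score is kept, not dropped, and sorts last.
    findings.sort(key=lambda f: (f["qds"] is None, -(f["qds"] or 0),
                                 -f["criticality"]))
    return findings

# Constructed sample: the first record is trimmed from the response above,
# the other three are invented for illustration.
SAMPLE = json.dumps([
    {"hostId": 13440667, "controlId": 2641, "status": "Failed", "qds": 56,
     "criticality": {"label": "CRITICAL", "value": 4},
     "causeOfFailure": {"unexpected": {"value": ["rdlab:1758", "qtestos:1758"]}}},
    {"hostId": 1001, "controlId": 1071, "status": "passed", "qds": 10},
    {"hostId": 1002, "controlId": 1072, "status": "Failed", "qds": 90,
     "criticality": {"value": 3}, "causeOfFailure": None},
    {"hostId": 1003, "controlId": 1091, "status": "failed"},
])

if __name__ == "__main__":
    for f in triage_failed(SAMPLE):
        print(f["qds"], f["hostId"], f["controlId"], f["unexpected"])
```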
Retrieve Posture Information with Posture ID
With this enhancement, we have introduced another way to retrieve posture information: by postureId. When postureId or postureIds are provided, specifying the policyId and hostId is no longer required. Each postureId is already associated with an IP address, a control ID, and the corresponding policy, making the separate policyId parameter unnecessary.
- You can also retrieve posture information using policyId and hostId.
- If you are entering multiple comma-separated posture IDs, you can enter a maximum of 400 thousand posture IDs at one time. Otherwise, the size of the entire JSON body (in the curl request) must not exceed 4 megabytes (MB).
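A client-side way to stay inside the limits above, as an added example that is not Qualys code: it validates posture IDs locally and splits them into request bodies in the comma-separated shape used by the samples on this page. The function names are hypothetical, both limits are applied to every body as a conservative assumption, and 4 MB is read as 4,000,000 bytes.

```python
import json

MAX_IDS = 400_000        # per-request ID limit stated on this page
MAX_BYTES = 4_000_000    # 4 MB body limit, read as decimal MB (assumption)

def build_body(subscription_id, posture_ids):
    """Serialize one body in the shape used by the posture ID samples."""
    payload = [{"subscriptionId": str(subscription_id),
                "postureId": ",".join(str(i) for i in posture_ids)}]
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")

def batch_posture_ids(subscription_id, posture_ids,
                      max_ids=MAX_IDS, max_bytes=MAX_BYTES):
    """Split posture IDs into request bodies that respect both limits."""
    ids, seen = [], set()
    for raw in posture_ids:
        pid = int(raw)               # non-numeric input fails here, locally
        if pid <= 0:
            raise ValueError(f"invalid posture ID: {raw!r}")
        if pid not in seen:          # drop duplicates, keep caller's order
            seen.add(pid)
            ids.append(pid)
    overhead = len(build_body(subscription_id, []))
    bodies, current, size = [], [], overhead
    for pid in ids:
        cost = len(str(pid)) + (1 if current else 0)   # digits + comma
        if current and (len(current) >= max_ids or size + cost > max_bytes):
            bodies.append(build_body(subscription_id, current))
            current, size, cost = [], overhead, len(str(pid))
        current.append(pid)
        size += cost
    if current:
        bodies.append(build_body(subscription_id, current))
    return bodies

if __name__ == "__main__":
    # Constructed input: 400,000 ten-digit IDs stay within the ID limit but
    # would exceed 4 MB in one body, so the byte limit forces a split.
    sample = range(1_000_000_000, 1_000_400_000)
    for body in batch_posture_ids("583816", sample):
        print(len(body), "bytes")
```

Each returned body is sent as its own POST to the postureInfo endpoint.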
Input Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| Request Body | Optional | String | Enter the policy ID, subscription ID, host ID, and the JWT token. OR Enter the Posture ID, subscription ID, and the JWT token. |
Sample - Single Posture ID
API Request
curl -X POST "https://<qualys_base_url>/pcrs/5.0/posture/postureInfo?evidenceRequired=1" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '[
{
"subscriptionId": "583816",
"postureId": "256743"
}
]'
API Response
[
{
"postureId": 256743,
"hostId": 56433,
"policyId": 1614425,
"controlId": "CID-001",
"status": "passed",
"currentBatch": 1,
"totalBatches": 1,
"evidence": "...",
...
}
]
Sample - Multiple Posture IDs
API Request
curl -X POST "https://<qualys_base_url>/pcrs/5.0/posture/postureInfo?evidenceRequired=0" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '[
{
"subscriptionId": "583816",
"postureId": "25678328,25678329,25678330"
}
]'
API Response
[
{
"id": 25678328,
"instance": "os",
"policyId": 734560,
"policyTitle": "AllTech_policy- Exception",
"netBios": null,
"controlId": 1091,
"controlStatement": "Status of the number of days before a [Prompt user] password expiration warning prompt is displayed at login",
"rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting the 'expiration warning date' requirement. This establishes the number of days before the host will begin to display 'password expiration warning' messages upon login. Without having a pre-expiration warning message, it is more likely that users will not prepare for this event, which may contribute to the selection of hard-to-remember or easily broken password sequences, which circumvents the intent of having rules for password complexity enforced. This may cause some users to forget or write down their new password, which can lead either to a system compromise or increased calls to Help Desk resources.",
},
{
"id": 25678329,
"instance": "os",
"policyId": 725886,
"policyTitle": "AllTech_policy",
"netBios": null,
"controlId": 1071,
"controlStatement": "Status of the 'Minimum Password Length' setting",
"rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting a 'minimum password length' requirement. Each character that is added to the password length squares the difficulty of breaking the password via 'brute force,' which attempts using every combination possible within the password symbol set-space, in order to discover a user's password. While no 'minimum length' can be guaranteed secure, eight (8) is commonly considered to be the minimum for most application access, along with requiring other password security factors, such as increasing the size of the symbol set-space by requiring mixed-cases, along with other forms of password variability creation, increases the difficulty of breaking any password by brute-force attack.",
},
{
"id": 25678330,
"instance": "os",
"policyId": 725886,
"policyTitle": "AllTech_policy",
"netBios": null,
"controlId": 1072,
"controlStatement": "Status of the 'Minimum Password Age' setting",
"rationale": "Among the characteristics that make 'user identification' via password a workable security solution is setting a 'minimum password age.' Without this minimum age requirement, any user(s) who wish to re-use the same password can merely cycle through a number of previously used passwords until returning to the preferred one (this is determined by the 'Password History' setting). While no specific 'minimum password age' can guarantee password security, one (1) day is generally considered to be the shortest length of time permissible, along with requiring other password security factors, such as increasing the variability of the symbol set-space by requiring mixed-cases, special characters, further increases the difficulty of breaking any password using brute-force methods. Consider implementing this control for all account passwords in conjunction with CID 1318 (Password History) and CID 1071 (Minimum Password Length) and CID 1073 (Maximum Password Age).",
}
]
Sample - Posture ID Range
API Request
curl -X POST "https://<qualys_base_url>/pcrs/5.0/posture/postureInfo?evidenceRequired=1&extendedEvidenceRequired=1" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '[
{
"subscriptionId": "583816",
"postureId": "25678328-25678330"
}
]'
API Response
[
{
"id": 25678328,
"instance": "os",
"policyId": 734560,
"policyTitle": "AllTech_policy- Exception",
"netBios": null,
"controlId": 1091,
"controlStatement": "Status of the number of days before a [Prompt user] password expiration warning prompt is displayed at login",
"rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting the 'expiration warning date' requirement. This establishes the number of days before the host will begin to display 'password expiration warning' messages upon login. Without having a pre-expiration warning message, it is more likely that users will not prepare for this event, which may contribute to the selection of hard-to-remember or easily broken password sequences, which circumvents the intent of having rules for password complexity enforced. This may cause some users to forget or write down their new password, which can lead either to a system compromise or increased calls to Help Desk resources.",
},
{
"id": 25678329,
"instance": "os",
"policyId": 725886,
"policyTitle": "AllTech_policy",
"netBios": null,
"controlId": 1071,
"controlStatement": "Status of the 'Minimum Password Length' setting",
"rationale": "Among the several characteristics that make 'user identification' via password a secure and workable solution is setting a 'minimum password length' requirement. Each character that is added to the password length squares the difficulty of breaking the password via 'brute force,' which attempts using every combination possible within the password symbol set-space, in order to discover a user's password. While no 'minimum length' can be guaranteed secure, eight (8) is commonly considered to be the minimum for most application access, along with requiring other password security factors, such as increasing the size of the symbol set-space by requiring mixed-cases, along with other forms of password variability creation, increases the difficulty of breaking any password by brute-force attack.",
},
{
"id": 25678330,
"instance": "os",
"policyId": 725886,
"policyTitle": "AllTech_policy",
"netBios": null,
"controlId": 1072,
"controlStatement": "Status of the 'Minimum Password Age' setting",
"rationale": "Among the characteristics that make 'user identification' via password a workable security solution is setting a 'minimum password age.' Without this minimum age requirement, any user(s) who wish to re-use the same password can merely cycle through a number of previously used passwords until returning to the preferred one (this is determined by the 'Password History' setting). While no specific 'minimum password age' can guarantee password security, one (1) day is generally considered to be the shortest length of time permissible, along with requiring other password security factors, such as increasing the variability of the symbol set-space by requiring mixed-cases, special characters, further increases the difficulty of breaking any password using brute-force methods. Consider implementing this control for all account passwords in conjunction with CID 1318 (Password History) and CID 1071 (Minimum Password Length) and CID 1073 (Maximum Password Age).",
}
]