Qualys
Visualize Qualys scanners and findings, and monitor findings and changes through queries and alerts.
Installation
For this integration, you will need to provide credentials for a Qualys user with the MANAGER role or a custom role for best results.
This integration is unable to ingest host findings with the built-in READER role, even after adding all of the modules. This may be related to parts of the Qualys "host detection" feature being controlled by a license setting. Instead, use the built-in MANAGER role if you do not want to create a custom role. Please refer to the troubleshooting section below if you would like to issue granular permissions to JupiterOne.
The Qualys API requires usage of a username and password associated with a non-test account user. See the Qualys API docs for more information.
Configuration in JupiterOne
To install the Qualys integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Qualys. Click New Instance to begin configuring your integration.
Creating a configuration requires the following:
- The Account Name used to identify the Qualys account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.
- Description to assist in identifying the integration instance, if desired.
- Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
- Your Qualys account Username, Password, and API URL.
Click Create once all values are provided to finalize the integration.
Troubleshooting Qualys user credentials
If your integration is not running successfully due to insufficient permissions from your Qualys user, we have created a bash script that hits the various endpoints used in this integration. Using the USERNAME, PASSWORD, and HOSTNAME that are used in your JupiterOne Qualys Integration configuration, you should be able to determine which endpoints your user does not have the appropriate permissions to invoke.
Please note that while you may receive a status 200 for a particular endpoint, the response may contain a message indicating your lack of permissions.
```
< HTTP/1.1 200
< X-Powered-By: Qualys:USPOD03:b3f3a819-7884-e60e-81d0-9725801da546:cbf7331a-292e-f3ed-8231-200b1fb10047
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Fri, 14 Jan 2022 03:55:39 GMT
< Server: Apache
<
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qg3.apps.qualys.com/qps/xsd/2.0/am/hostasset.xsd">
<responseCode>UNAUTHORIZED</responseCode>
<responseErrorDetails>
<errorMessage>You are not authorized to access the application through the API.</errorMessage>
<errorResolution>If you think this is an error, please contact your account manager.</errorResolution>
</responseErrorDetails>
* Connection #0 to host qualysapi.qg3.apps.qualys.com left intact
</ServiceResponse>
```
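The status-200-with-denial case above can be caught mechanically. The following is an added example, not the JupiterOne troubleshooting script and not code from this page: a POSIX shell check that reads the `responseCode` element of a saved reply instead of trusting the HTTP status. The function names, the `<endpoint-path>` placeholder, the treatment of `SUCCESS` as the passing value, and the sample body are assumptions made for illustration.

```sh
# Added example: judge a Qualys API reply by its body, not only its HTTP status.
# Capture both with curl (the endpoint path is a placeholder, not from the page):
#   status=$(curl -s -u "$USERNAME:$PASSWORD" -o body.xml -w '%{http_code}' \
#            "https://$HOSTNAME/<endpoint-path>")

# Print the text of the <responseCode> element found in the XML on stdin.
qualys_response_code() {
  tr -d '\r\n' |
    sed -n 's:.*<responseCode>[[:space:]]*\([A-Z_]*\)[[:space:]]*</responseCode>.*:\1:p'
}

# Print the text of the <errorMessage> element found in the XML on stdin.
qualys_error_message() {
  tr -d '\r\n' | sed -n 's:.*<errorMessage>\([^<]*\)</errorMessage>.*:\1:p'
}

# check_qualys_reply HTTP_STATUS BODY_FILE
# Prints a one-line verdict; returns 0 only when the body also reports success.
check_qualys_reply() {
  cq_status=$1
  cq_code=$(qualys_response_code < "$2")
  if [ "$cq_status" != "200" ]; then
    echo "FAIL http=$cq_status"
    return 1
  fi
  case "$cq_code" in
    SUCCESS) echo "OK" ;;  # assumed passing value; the page shows only UNAUTHORIZED
    "") echo "REVIEW no responseCode element in body"; return 2 ;;
    *) echo "DENIED code=$cq_code msg=$(qualys_error_message < "$2")"; return 1 ;;
  esac
}

# Constructed sample body, modelled on the response shown above.
sample_denied_body() {
  cat <<'EOF'
<ServiceResponse>
<responseCode>UNAUTHORIZED</responseCode>
<responseErrorDetails>
<errorMessage>You are not authorized to access the application through the API.</errorMessage>
</responseErrorDetails>
</ServiceResponse>
EOF
}

# Demo: HTTP 200, yet the body denies access.
tmp=$(mktemp) && sample_denied_body > "$tmp"
check_qualys_reply 200 "$tmp" || echo "-> treat as a permissions failure"
rm -f "$tmp"
```

A `REVIEW` verdict means the reply carried no `responseCode` element at all, so it has to be inspected by hand before it is counted as a pass.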
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
Resources | Entity _type | Entity _class |
---|---|---|
Account | qualys_account | Account |
Container | qualys_container | Container |
Host | qualys_host | Host |
Host Detection | qualys_host_finding | Finding |
Image | qualys_container_image | Image |
Image Finding | qualys_image_finding | Finding |
Vulnerability Manager | qualys_vulnerability_manager | Service |
Web App Finding | qualys_web_app_finding | Finding |
Web Application Scanner | qualys_web_app_scanner | Service |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
---|---|---|
qualys_account | HAS | qualys_web_app_scanner |
qualys_account | HAS | qualys_vulnerability_manager |
qualys_container | USES | qualys_container_image |
qualys_host | HAS | qualys_host_finding |
qualys_host_finding | IS | qualys_vuln |
qualys_host_finding | IS | cve |
qualys_image_finding | IS | qualys_vuln |
qualys_web_app_finding | IS | qualys_vuln |
qualys_web_app_finding | IS | cve |
qualys_web_app_scanner | SCANS | web_app |
qualys_web_app_scanner | IDENTIFIED | qualys_web_app_finding |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
---|---|---|---|
qualys_vulnerability_manager | SCANS | qualys_host | FORWARD |
qualys_vulnerability_manager | SCANS | aws_instance | FORWARD |
qualys_vulnerability_manager | SCANS | google_compute_instance | FORWARD |
qualys_vulnerability_manager | SCANS | azure_vm | FORWARD |
Qualys Host
qualys_host
inherits from Host
Property | Type | Description | Specifications |
---|---|---|---|
agentId | string | Agent ID | |
agentLastCheckedInOn | number | Agent last checked date | |
agentStatus | string | Agent Status | |
agentVersion | string | Agent Version | |
alibabaAccountId | string | Alibaba Cloud Account ID associated with the instance | |
alibabaDnsServer | string | DNS server used by the Alibaba Cloud instance | |
alibabaFirstDiscoveredOn | number | Timestamp when the Alibaba Cloud instance was first discovered | |
alibabaImageId | string | Image ID used to launch the Alibaba Cloud instance | |
alibabaInstanceType | string | Type of Alibaba Cloud instance (e.g., ecs.g6.large) | |
alibabaLastUpdatedOn | number | Timestamp when the Alibaba Cloud instance was last updated | |
alibabaNetworkInterfaceId | string | Network Interface ID associated with the instance | |
alibabaNetworkType | string | Network type of the Alibaba Cloud instance (e.g., VPC, Classic) | |
alibabaRegion | string | Region where the Alibaba Cloud instance is deployed | |
alibabaState | string | Current state of the Alibaba Cloud instance (e.g., Running, Stopped) | |
alibabaVpcCidr | string | CIDR block of the VPC associated with the instance | |
alibabaVpcId | string | VPC ID associated with the Alibaba Cloud instance | |
alibabaVSwitchCIDR | string | CIDR block of the VSwitch associated with the instance | |
alibabaVSwitchId | string | VSwitch ID where the Alibaba Cloud instance is deployed | |
alibabaZone | string | Zone where the Alibaba Cloud instance is located | |
azureFirstDiscoveredOn | number | Timestamp when the Azure VM was first discovered | |
azureLastUpdatedOn | number | Timestamp when the Azure VM was last updated | |
azureLocation | string | Azure region where the VM is deployed | |
azureOffer | string | Azure offer associated with the VM | |
azureOsType | string | Operating system type of the Azure VM (e.g., Linux, Windows) | |
azurePublisher | string | Publisher of the VM image | |
azureResourceGroupName | string | Name of the resource group containing the Azure VM | |
azureState | | | |
azureSubnet | string | Subnet ID where the Azure VM is deployed | |
azureSubscriptionId | string | Azure Subscription ID associated with the VM | |
azureVersion | string | Version of the VM image | |
azureVmSize | string | Size of the Azure VM (e.g., Standard_D2s_v3) | |
ec2AccountId | string | AWS Account ID associated with the EC2 instance | |
ec2AvailabilityZone | string | Availability Zone where the EC2 instance is running | |
ec2FirstDiscoveredOn | number | Timestamp when the EC2 instance was first discovered | |
ec2ImageId | string | AMI ID used to launch the EC2 instance | |
ec2InstanceType | string | Type of EC2 instance (e.g., t2.micro, m5.large) | |
ec2LastUpdatedOn | number | Timestamp when the EC2 instance was last updated | |
ec2PrivateDnsName | string | Private DNS name assigned to the EC2 instance | |
ec2PublicDnsName | string | Public DNS name assigned to the EC2 instance (if applicable) | |
ec2Region | string | AWS Region where the EC2 instance is located | |
ec2ReservationId | string | Reservation ID associated with the EC2 instance | |
ec2State | string | Current state of the EC2 instance (e.g., running, stopped) | |
ec2SubnetId | string | Subnet ID where the EC2 instance is deployed | |
ec2VpcId | string | VPC ID associated with the EC2 instance | |
gcpFirstDiscoveredOn | number | Timestamp when the GCP instance was first discovered | |
gcpImageId | string | Image ID used to launch the GCP instance | |
gcpLastUpdatedOn | number | Timestamp when the GCP instance was last updated | |
gcpMachineType | string | Type of GCP machine (e.g., n1-standard-1, e2-medium) | |
gcpNetwork | string | Network configuration associated with the GCP instance | |
gcpProjectId | string | Project ID associated with the GCP instance | |
gcpProjectIdNo | number | Numerical Project ID associated with the GCP instance | |
gcpState | string | Current state of the GCP instance (e.g., RUNNING, TERMINATED) | |
gcpZone | string | GCP zone where the instance is deployed (e.g., us-central1-a) | |
ibmDatacenterId | string | Identifier for the IBM Cloud datacenter hosting the instance | |
ibmDomain | string | Domain name associated with the IBM Cloud instance | |
ibmLocation | string | Geographical location where the IBM Cloud instance is deployed | |
ibmPrivateVlan | string | Private VLAN ID associated with the IBM Cloud instance | |
ibmPublicVlan | string | Public VLAN ID associated with the IBM Cloud instance | |
lastScannedOn | number | Last scanned date | |
ociAvailabilityDomain | string | Availability domain where the OCI instance is located | |
ociCompartmentName | string | Name of the compartment containing the OCI instance | |
ociDisplayName | string | Display name of the OCI instance | |
ociFaultDomain | string | Fault domain where the OCI instance is deployed | |
ociFirstDiscoveredOn | number | Timestamp when the OCI instance was first discovered | |
ociImage | string | Image ID or name used to launch the OCI instance | |
ociLastUpdatedOn | number | Timestamp when the OCI instance was last updated | |
ociRegion | string | Region where the OCI instance is deployed | |
ociShape | string | Shape of the OCI instance (e.g., VM.Standard2.1) | |
ociState | string | Current state of the OCI instance (e.g., RUNNING, TERMINATED) | |
ociTenantId | string | Tenant ID associated with the OCI instance | |
ociTenantName | string | Tenant name associated with the OCI instance | |
qualysAssetId | number | Qualys Asset ID | |
qualysCreatedOn | number | Qualys created date | |
qualysQwebHostId | number | Qualys Qweb Host ID | |
scannedBy | string | Scanned by | |