Qualys Continuous Monitoring API Update
Last updated on: September 6, 2020
As part of the CM 1.4 release, we have exposed the following APIs. They enable seamless integration of Qualys Continuous Monitoring with existing SIEM solutions such as ArcSight, QRadar, etc. A detailed user guide will be published in the Developer community.
What’s New
Get Alert
GET SINGLE
Request URL: http://<server>/qps/rest/1.0/get/cm/alert/246213
Sample Output
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/alert.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Alert>
      <id>246213</id>
      <source>REMEDIATION</source>
      <eventType>HOST_UPDATED</eventType>
      <triggerUuid>3d41baf9-7caa-4269-9889-d7377aeaace5</triggerUuid>
      <ipAddress>10.10.30.240</ipAddress>
      <hostname>qbcwin12-30-240</hostname>
      <eventDate>2014-06-04T18:11:54Z</eventDate>
      <alertDate>2014-06-04T18:11:59Z</alertDate>
      <isHidden>false</isHidden>
      <profile>
        <id>7401</id>
        <title>All Tomato</title>
        <dateCreated>2013-09-16T19:54:48Z</dateCreated>
        <dateUpdated>2013-09-16T19:54:48Z</dateUpdated>
        <frequency>FREQ_NEVER</frequency>
        <isActive>true</isActive>
        <includedIps>10.10.10.1-10.10.31.255</includedIps>
        <targetList>10.10.10.1-10.10.31.255</targetList>
      </profile>
      <alertInfo>
        <operatingSystem>Windows Server 2012 Standard 64 bit Edition</operatingSystem>
        <port>0</port>
      </alertInfo>
    </Alert>
  </data>
</ServiceResponse>
Get Profile
GET SINGLE
Request URL: http://qualysapi.qualys.com/qps/rest/1.0/get/cm/profile/7401
Sample Output
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/profile.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Profile>
      <id>7401</id>
      <title>All Tomato</title>
      <uuid>d7af450c-828c-4101-a653-737f10d596c6</uuid>
      <dateCreated>2013-09-16T19:54:48Z</dateCreated>
      <dateUpdated>2013-09-16T19:54:48Z</dateUpdated>
      <frequency>FREQ_NEVER</frequency>
      <isActive>true</isActive>
      <includedIps>10.10.10.1-10.10.31.255</includedIps>
      <targetList>10.10.10.1-10.10.31.255</targetList>
      <ruleset>
        <id>4001</id>
        <title>All Tomato</title>
        <description>You give me the whole tomato, or else.</description>
        <dateCreated>2013-09-16T19:36:10Z</dateCreated>
        <dateUpdated>2013-09-16T19:36:10Z</dateUpdated>
        <isTemplate>false</isTemplate>
      </ruleset>
    </Profile>
  </data>
</ServiceResponse>
Get RuleSet
GET SINGLE
Request URL: http://qualysapi.qualys.com/qps/rest/1.0/get/cm/ruleset/4001
Sample Output
<?xml version="1.0" encoding="UTF-8"?>
Get Rule
GET SINGLE
Request URL: http://qualysapi.qualys.com/qps/rest/1.0/get/cm/rule/6002
Sample Output
<?xml version="1.0" encoding="UTF-8"?>
Search Alerts
POST SINGLE BULK
Request URL: http://qualysapi.qualys.com/qps/rest/1.0/search/cm/alert/
Sample Request Payload
<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
  <filters>
    <Criteria field="ipAddress" operator="EQUALS">10.10.30.70</Criteria>
  </filters>
</ServiceRequest>
Sample Output
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/alert.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <Alert>
      <id>244402</id>
      <source>REMEDIATION</source>
      <eventType>SSL_NEW</eventType>
      <triggerUuid>3d41baf9-7caa-4269-9889-d7377aeaace5</triggerUuid>
      <ipAddress>10.10.25.69</ipAddress>
      <hostname>josh.com-25-69.qualys.com</hostname>
      <eventDate>2014-06-04T10:57:43Z</eventDate>
      <alertDate>2014-06-04T10:57:48Z</alertDate>
      <isHidden>true</isHidden>
      <profile>
        <id>7401</id>
        <title>All Tomato</title>
        <dateCreated>2013-09-16T19:54:48Z</dateCreated>
        <dateUpdated>2013-09-16T19:54:48Z</dateUpdated>
        <frequency>FREQ_NEVER</frequency>
        <isActive>true</isActive>
        <includedIps>10.10.10.1-10.10.31.255</includedIps>
        <targetList>10.10.10.1-10.10.31.255</targetList>
      </profile>
      <alertInfo>
        <port>0</port>
        <sslName>josh.com-25-69.qualys.com</sslName>
        <sslIssuer>josh.com-25-69.qualys.com</sslIssuer>
      </alertInfo>
    </Alert>
  </data>
</ServiceResponse>
Supported Filters
The following fields are exposed for filtering or searching alerts:
- id
- eventType
- ipAddress
- hostname
- isHidden
- eventDate (Format expected: yyyy-MM-ddTHH:mm:ssZ OR yyyy-MM-ddTHHZ OR yyyy-MM-ddTHH:mmZ OR yyyy-MM-dd)
- alertDate (Format expected: yyyy-MM-ddTHH:mm:ssZ OR yyyy-MM-ddTHHZ OR yyyy-MM-ddTHH:mmZ OR yyyy-MM-dd)
- profileTitle
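An added example, not Qualys code: building the Search Alerts request payload from the supported filter fields and date formats listed above, and parsing a ServiceResponse into records that a SIEM forwarder could consume. The function names and the trimmed sample response are assumptions for illustration; operators are passed through unchecked because the page does not list them, and no network call is made.

```python
import re
import xml.etree.ElementTree as ET

# Filter fields and date formats as listed on this page for Search Alerts.
ALERT_FILTERS = {"id", "eventType", "ipAddress", "hostname", "isHidden",
                 "eventDate", "alertDate", "profileTitle"}
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}(T\d{2}(:\d{2}(:\d{2})?)?Z)?")

def build_search_payload(criteria):
    """Build a ServiceRequest body (bytes) from (field, operator, value) tuples."""
    root = ET.Element("ServiceRequest")
    filters = ET.SubElement(root, "filters")
    for field, operator, value in criteria:
        if field not in ALERT_FILTERS:
            raise ValueError(f"unsupported alert filter: {field}")
        if field in ("eventDate", "alertDate") and not DATE_RE.fullmatch(value):
            raise ValueError(f"unsupported date format for {field}: {value}")
        crit = ET.SubElement(filters, "Criteria", field=field, operator=operator)
        crit.text = value  # serializer escapes &, <, > so values cannot inject markup
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def parse_alerts(xml_bytes):
    """Return (alerts, has_more) from response bytes; raise if not SUCCESS."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("unexpected DTD in API response")  # refuse entity tricks
    root = ET.fromstring(xml_bytes)
    if root.findtext("responseCode") != "SUCCESS":
        raise RuntimeError(f"API error: {root.findtext('responseCode')}")
    alerts = []
    for node in root.iterfind("data/Alert"):
        rec = {k: node.findtext(k) for k in
               ("id", "eventType", "ipAddress", "hostname", "eventDate", "alertDate")}
        rec["isHidden"] = node.findtext("isHidden") == "true"
        rec["profileTitle"] = node.findtext("profile/title")
        rec["alertInfo"] = {e.tag: e.text for e in node.iterfind("alertInfo/*")}
        alerts.append(rec)
    return alerts, root.findtext("hasMoreRecords") == "true"

# Constructed sample: the page's Search Alerts output, trimmed to the fields used here.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse><responseCode>SUCCESS</responseCode><count>1</count>
<hasMoreRecords>false</hasMoreRecords><data><Alert><id>244402</id>
<eventType>SSL_NEW</eventType><ipAddress>10.10.25.69</ipAddress>
<hostname>josh.com-25-69.qualys.com</hostname><isHidden>true</isHidden>
<eventDate>2014-06-04T10:57:43Z</eventDate><alertDate>2014-06-04T10:57:48Z</alertDate>
<profile><title>All Tomato</title></profile><alertInfo><port>0</port>
<sslName>josh.com-25-69.qualys.com</sslName></alertInfo></Alert></data></ServiceResponse>"""
if __name__ == "__main__":
    print(build_search_payload([("ipAddress", "EQUALS", "10.10.30.70")]).decode(), parse_alerts(SAMPLE))
```

When `has_more` is true the result set is incomplete, so a forwarder should keep querying rather than treat the batch as final.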
Search Profiles
POST SINGLE BULK
Request URL: http://qualysapi.qualys.com/qps/rest/1.0/search/cm/profile/
Sample Request Payload
<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleSetTitle" operator="CONTAINS">tomato</Criteria>
  </filters>
</ServiceRequest>
Sample Output
<?xml version="1.0" encoding="UTF-8"?>
Supported Filters
The following fields are exposed for filtering or searching profiles:
- id
- title
- uuid
- frequency
- isActive
- ruleSetTitle
Search RuleSets
POST SINGLE BULK
Request URL: http://qualysapi.qualys.com/qps/rest/1.0/search/cm/ruleset/
Sample Request Payload
<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
  <filters>
    <Criteria field="title" operator="CONTAINS">tomato</Criteria>
  </filters>
</ServiceRequest>
Sample Output
<?xml version="1.0" encoding="UTF-8"?>
Supported Filters
The following fields are exposed for filtering or searching rulesets:
- id
- title
- description
- dateCreated
- dateUpdated
Search Rule
POST SINGLE BULK
Request URL:
Sample Request Payload
<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleType" operator="EQUALS">HOST</Criteria>
  </filters>
</ServiceRequest>
Sample Output
<?xml version="1.0" encoding="UTF-8"?>
Supported Filters
The following fields are exposed for filtering or searching rulesets:
- id
- ruleType
Download Alerts
POST SINGLE BULK
Request URL: http://qualysapi.qualys.com/qps/rest/1.0/download/cm/alert/?format=<format>
Supported formats: csv and cef
<?xml version="1.0" encoding="UTF-8"?>
"AlertId","Event Type","ProfileId","Profile Name","IP Address","Hostname","Operating System","Event Date","Alert Date"
Jun 06 2014 15:43:9 83306MM.local 10.40.2.210
Supported Filters
Download Alerts accepts all the filters that Search Alerts accepts.
Supported Filter Operators
In a POST request that filters search or download data, the following operators can be used in the filter criteria.
Headers
The following headers are required when making any API request:
Name | Value | Method |
---|---|---|
user | username of the portal-front user | GET POST |
password | password | GET POST |
Content-Type | All the input params for POST calls are in XML so the value should be "text/xml" | POST |
This is awesome. However, we implemented ours using the qualysapi python libraries and it can’t resolve the CM version.
File “build\bdist.win-amd64\egg\qualysapi\connector.py”, line 255, in request
File “build\bdist.win-amd64\egg\qualysapi\connector.py”, line 129, in url_api_version
Exception: Unknown QualysGuard API Version Number (False)
I don’t suppose you’ve got an updated connector.py file or qualysapi python library?