Qualys Blog

Qualys Continuous Monitoring API Update

As part of the CM 1.4 release, we have exposed the following APIs. They enable seamless integration of Qualys Continuous Monitoring with existing SIEM solutions such as ArcSight, QRadar, etc. A detailed user guide will be published in the Developer community.

What’s New

Get Alert

GET SINGLE

Request URL: http://<server>/qps/rest/1.0/get/cm/alert/246213

Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/alert.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Alert>
      <id>246213</id>
      <source>REMEDIATION</source>
      <eventType>HOST_UPDATED</eventType>
      <triggerUuid>3d41baf9-7caa-4269-9889-d7377aeaace5</triggerUuid>
      <ipAddress>10.10.30.240</ipAddress>
      <hostname>qbcwin12-30-240</hostname>
      <eventDate>2014-06-04T18:11:54Z</eventDate>
      <alertDate>2014-06-04T18:11:59Z</alertDate>
      <isHidden>false</isHidden>
      <profile>
        <id>7401</id>
        <title>All Tomato</title>
        <dateCreated>2013-09-16T19:54:48Z</dateCreated>
        <dateUpdated>2013-09-16T19:54:48Z</dateUpdated>
        <frequency>FREQ_NEVER</frequency>
        <isActive>true</isActive>
        <includedIps>10.10.10.1-10.10.31.255</includedIps>
        <targetList>10.10.10.1-10.10.31.255</targetList>
      </profile>
      <alertInfo>
        <operatingSystem>Windows Server 2012 Standard 64 bit Edition</operatingSystem>
        <port>0</port>
      </alertInfo>
    </Alert>
  </data>
</ServiceResponse>

Get Profile

GET SINGLE

Request URL: http://qualysapi.qualys.com/qps/rest/1.0/get/cm/profile/7401

Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/profile.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Profile>
      <id>7401</id>
      <title>All Tomato</title>
      <uuid>d7af450c-828c-4101-a653-737f10d596c6</uuid>
      <dateCreated>2013-09-16T19:54:48Z</dateCreated>
      <dateUpdated>2013-09-16T19:54:48Z</dateUpdated>
      <frequency>FREQ_NEVER</frequency>
      <isActive>true</isActive>
      <includedIps>10.10.10.1-10.10.31.255</includedIps>
      <targetList>10.10.10.1-10.10.31.255</targetList>
      <ruleset>
        <id>4001</id>
        <title>All Tomato</title>
        <description>You give me the whole tomato, or else.</description>
        <dateCreated>2013-09-16T19:36:10Z</dateCreated>
        <dateUpdated>2013-09-16T19:36:10Z</dateUpdated>
        <isTemplate>false</isTemplate>
      </ruleset>
    </Profile>
  </data>
</ServiceResponse>

Get RuleSet

GET SINGLE

Request URL: http://qualysapi.qualys.com/qps/rest/1.0/get/cm/ruleset/4001

Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/ruleset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <RuleSet>
      <id>4001</id>
      <title>All Tomato</title>
      <description>You give me the whole tomato, or else.</description>
      <dateCreated>2013-09-16T19:36:10Z</dateCreated>
      <dateUpdated>2013-09-16T19:36:10Z</dateUpdated>
      <isTemplate>false</isTemplate>
      <rule>
        <list>
          <Rule>
            <id>6001</id>
            <ruleType>HOST</ruleType>
            <eventTypes>HOST_FOUND, HOST_UPDATED, HOST_PURGED</eventTypes>
            <jsonData>{"ruleType":"HOST","eventTypes":["HOST_FOUND","HOST_UPDATED","HOST_PURGED"],"criteria":[],"uiState":{"eventType.HOST_FOUND":"on","eventType.HOST_UPDATED":"on","eventType.HOST_PURGED":"on","operatingSystemType":"","operatingSystemValue":"","hostnameType":"","hostnameValue":"","netbiosNameType":"","netbiosNameValue":""}}</jsonData>
            <dateCreated>2013-09-17T15:32:10Z</dateCreated>
          </Rule>
          <Rule>
            <id>6002</id>
            <ruleType>VULN</ruleType>
            <eventTypes>VULN_OPEN, VULN_CLOSED, VULN_ACTIVE, VULN_REOPENED</eventTypes>
            <jsonData>{"ruleType":"VULN","eventTypes":["VULN_OPEN","VULN_CLOSED","VULN_ACTIVE","VULN_REOPENED"],"criteria":[],"uiState":{"eventType.VULN_OPEN":"on","eventType.VULN_CLOSED":"on","eventType.VULN_ACTIVE":"on","eventType.VULN_REOPENED":"on","titleType":"","titleValue":"","qidType":"","qidValue":"","cveType":"","cveValue":""}}</jsonData>
            <dateCreated>2013-09-17T15:32:11Z</dateCreated>
          </Rule>
        </list>
      </rule>
    </RuleSet>
  </data>
</ServiceResponse>

Get Rule

GET SINGLE

Request URL: http://qualysapi.qualys.com/qps/rest/1.0/get/cm/rule/6002

Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/rule.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Rule>
      <id>6002</id>
      <ruleType>VULN</ruleType>
      <eventTypes>VULN_OPEN, VULN_CLOSED, VULN_ACTIVE, VULN_REOPENED</eventTypes>
      <jsonData>{"ruleType":"VULN","eventTypes":["VULN_OPEN","VULN_CLOSED","VULN_ACTIVE","VULN_REOPENED"],"criteria":[],"uiState":{"eventType.VULN_OPEN":"on","eventType.VULN_CLOSED":"on","eventType.VULN_ACTIVE":"on","eventType.VULN_REOPENED":"on","titleType":"","titleValue":"","qidType":"","qidValue":"","cveType":"","cveValue":""}}</jsonData>
      <dateCreated>2013-09-17T15:32:11Z</dateCreated>
      <criteria>
        <list />
      </criteria>
    </Rule>
  </data>
</ServiceResponse>

Search Alerts

POST SINGLE BULK

Request URL: http://qualysapi.qualys.com/qps/rest/1.0/search/cm/alert/

Sample Request Payload

<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
  <filters>
    <Criteria field="ipAddress" operator="EQUALS">10.10.30.70</Criteria>
  </filters>
</ServiceRequest>

Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/alert.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <Alert>
      <id>244402</id>
      <source>REMEDIATION</source>
      <eventType>SSL_NEW</eventType>
      <triggerUuid>3d41baf9-7caa-4269-9889-d7377aeaace5</triggerUuid>
      <ipAddress>10.10.25.69</ipAddress>
      <hostname>josh.com-25-69.qualys.com</hostname>
      <eventDate>2014-06-04T10:57:43Z</eventDate>
      <alertDate>2014-06-04T10:57:48Z</alertDate>
      <isHidden>true</isHidden>
      <profile>
        <id>7401</id>
        <title>All Tomato</title>
        <dateCreated>2013-09-16T19:54:48Z</dateCreated>
        <dateUpdated>2013-09-16T19:54:48Z</dateUpdated>
        <frequency>FREQ_NEVER</frequency>
        <isActive>true</isActive>
        <includedIps>10.10.10.1-10.10.31.255</includedIps>
        <targetList>10.10.10.1-10.10.31.255</targetList>
      </profile>
      <alertInfo>
        <port>0</port>
        <sslName>josh.com-25-69.qualys.com</sslName>
        <sslIssuer>josh.com-25-69.qualys.com</sslIssuer>
      </alertInfo>
    </Alert>
  </data>
</ServiceResponse>

Supported Filters

The following fields are exposed for filtering or searching alerts

Search Profiles

POST SINGLE BULK

Request URL: http://qualysapi.qualys.com/qps/rest/1.0/search/cm/profile/

Sample Request Payload

<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleSetTitle" operator="CONTAINS">tomato</Criteria>
  </filters>
</ServiceRequest>

Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/profile.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <Profile>
      <id>7401</id>
      <title>All Tomato</title>
      <uuid>d7af450c-828c-4101-a653-737f10d596c6</uuid>
      <dateCreated>2013-09-16T19:54:48Z</dateCreated>
      <dateUpdated>2013-09-16T19:54:48Z</dateUpdated>
      <frequency>FREQ_NEVER</frequency>
      <isActive>true</isActive>
      <includedIps>10.10.10.1-10.10.31.255</includedIps>
      <targetList>10.10.10.1-10.10.31.255</targetList>
      <ruleset>
        <id>4001</id>
        <title>All Tomato</title>
        <description>You give me the whole tomato, or else.</description>
        <dateCreated>2013-09-16T19:36:10Z</dateCreated>
        <dateUpdated>2013-09-16T19:36:10Z</dateUpdated>
        <isTemplate>false</isTemplate>
      </ruleset>
    </Profile>
  </data>
</ServiceResponse>

Supported Filters

The following fields are exposed for filtering or searching profiles:

  • id
  • title
  • uuid
  • frequency
  • isActive
  • ruleSetTitle

Search RuleSets

POST SINGLE BULK

Request URL: http://qualysapi.qualys.com/qps/rest/1.0/search/cm/ruleset/

Sample Request Payload

<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
  <filters>
    <Criteria field="title" operator="CONTAINS">tomato</Criteria>
  </filters>
</ServiceRequest>

Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/ruleset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <RuleSet>
      <id>4001</id>
      <title>All Tomato</title>
      <description>You give me the whole tomato, or else.</description>
      <dateCreated>2013-09-16T19:36:10Z</dateCreated>
      <dateUpdated>2013-09-16T19:36:10Z</dateUpdated>
      <isTemplate>false</isTemplate>
      <rule>
        <list>
          <Rule>
            <id>6001</id>
            <ruleType>HOST</ruleType>
            <eventTypes>HOST_FOUND, HOST_UPDATED, HOST_PURGED</eventTypes>
            <jsonData>{"ruleType":"HOST","eventTypes":["HOST_FOUND","HOST_UPDATED","HOST_PURGED"],"criteria":[],"uiState":{"eventType.HOST_FOUND":"on","eventType.HOST_UPDATED":"on","eventType.HOST_PURGED":"on","operatingSystemType":"","operatingSystemValue":"","hostnameType":"","hostnameValue":"","netbiosNameType":"","netbiosNameValue":""}}</jsonData>
            <dateCreated>2013-09-17T15:32:10Z</dateCreated>
          </Rule>
          <Rule>
            <id>6002</id>
            <ruleType>VULN</ruleType>
            <eventTypes>VULN_OPEN, VULN_CLOSED, VULN_ACTIVE, VULN_REOPENED</eventTypes>
            <jsonData>{"ruleType":"VULN","eventTypes":["VULN_OPEN","VULN_CLOSED","VULN_ACTIVE","VULN_REOPENED"],"criteria":[],"uiState":{"eventType.VULN_OPEN":"on","eventType.VULN_CLOSED":"on","eventType.VULN_ACTIVE":"on","eventType.VULN_REOPENED":"on","titleType":"","titleValue":"","qidType":"","qidValue":"","cveType":"","cveValue":""}}</jsonData>
            <dateCreated>2013-09-17T15:32:11Z</dateCreated>
          </Rule>
        </list>
      </rule>
    </RuleSet>
  </data>
</ServiceResponse>

Supported Filters

The following fields are exposed for filtering or searching rulesets:

  • id
  • title
  • description
  • dateCreated
  • dateUpdated

Search Rule

POST SINGLE BULK

Request URL:

Sample Request Payload

<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleType" operator="EQUALS">HOST</Criteria>
  </filters>
</ServiceRequest>

Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/1.0/cm/rule.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>19</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <Rule>
      <id>1413</id>
      <ruleType>HOST</ruleType>
      <eventTypes>HOST_FOUND, HOST_UPDATED</eventTypes>
      <jsonData>{"ruleType":"HOST","eventTypes":["HOST_FOUND","HOST_UPDATED"],"criteria":[{"propertyName":"name","propertyValue":"blah","expressionType":"EQUALS"},{"propertyName":"operatingSystem","propertyValue":"blah","expressionType":"EQUALS"},{"propertyName":"hostname","propertyValue":"blah","expressionType":"EQUALS"}]}</jsonData>
      <dateCreated>2013-09-05T16:21:00Z</dateCreated>
      <criteria>
        <list>
          <RuleCriteria>
            <id>1437</id>
            <propertyName>name</propertyName>
            <propertyValue>blah</propertyValue>
            <expressionType>EQUALS</expressionType>
          </RuleCriteria>
          <RuleCriteria>
            <id>1439</id>
            <propertyName>operatingSystem</propertyName>
            <propertyValue>blah</propertyValue>
            <expressionType>EQUALS</expressionType>
          </RuleCriteria>
        </list>
      </criteria>
    </Rule>
  </data>
</ServiceResponse>

Supported Filters

The following fields are exposed for filtering or searching rules:

  • id
  • ruleType

Download Alerts

POST SINGLE BULK

Request URL: http://qualysapi.qualys.com/qps/rest/1.0/download/cm/alert/?format=<format>

Supported formats: csv and cef

Sample Request Payload

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <Criteria field="eventType" operator="EQUALS">PORT_OPEN</Criteria>
  </filters>
</ServiceRequest>

Sample CSV Output

"AlertId","Event Type","ProfileId","Profile Name","IP Address","Hostname","Operating System","Event Date","Alert Date"
"237124","PORT_OPEN","7401","All Tomato","10.10.30.21","2k8core.qualys.com","-","2013-12-31 15:57:21","2013-12-31 15:57:22"
"237172","PORT_OPEN","5601","Matt’s Profile","10.10.30.21","2k8core.qualys.com","-","2013-12-31 15:57:21","2013-12-31 15:57:23"
"238503","PORT_OPEN","7401","All Tomato","10.10.30.32","client-xp.qualys.com","-","2014-01-16 19:42:56","2014-01-16 19:42:58"

Sample CEF Output
Jun 06 2014 15:43:9 83306MM.local 10.40.2.210

CEF:0|QUALYS|QualysGuard|CM-1.4|PORT|PORT_OPEN|0|cat=PORT dhost=2k8core.qualys.com dst=10.10.30.21 dmac=NA dntdom=2K8CORE-30-21 rt=Nov 05 2013 15:57:21 cs1operatingSystem=Windows 2008 Enterprise Server Service Pack 2 dpt=61466 cs2protocol=udp cs3defaultService=NA

CEF:0|QUALYS|QualysGuard|CM-1.4|PORT|PORT_OPEN|0|cat=PORT dhost=2k8core.qualys.com dst=10.10.30.21 dmac=NA dntdom=2K8CORE-30-21 rt=Nov 05 2013 15:57:21 cs1operatingSystem=Windows 2008 Enterprise Server Service Pack 2 dpt=61466 cs2protocol=udp cs3defaultService=NA

CEF:0|QUALYS|QualysGuard|CM-1.4|PORT|PORT_OPEN|0|cat=PORT dhost=client-xp.qualys.com dst=10.10.30.32 dmac=NA dntdom=CLIENT-XP-30-32 rt=Nov 21 2013 19:42:56 cs1operatingSystem=Windows XP dpt=445 cs2protocol=tcp cs3defaultService=microsoft-ds
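
Parsing these CEF records on the SIEM side, as an added example that is not Qualys code: extension values such as cs1operatingSystem contain spaces, so the parser splits on key= boundaries instead of whitespace. The two sample records are copied from the output above; the names parse_cef and open_ports are this example's own.

```python
import re

# Two records copied from the sample CEF output above.
SAMPLE_CEF = [
    "CEF:0|QUALYS|QualysGuard|CM-1.4|PORT|PORT_OPEN|0|cat=PORT "
    "dhost=2k8core.qualys.com dst=10.10.30.21 dmac=NA dntdom=2K8CORE-30-21 "
    "rt=Nov 05 2013 15:57:21 cs1operatingSystem=Windows 2008 Enterprise "
    "Server Service Pack 2 dpt=61466 cs2protocol=udp cs3defaultService=NA",
    "CEF:0|QUALYS|QualysGuard|CM-1.4|PORT|PORT_OPEN|0|cat=PORT "
    "dhost=client-xp.qualys.com dst=10.10.30.32 dmac=NA dntdom=CLIENT-XP-30-32 "
    "rt=Nov 21 2013 19:42:56 cs1operatingSystem=Windows XP dpt=445 "
    "cs2protocol=tcp cs3defaultService=microsoft-ds",
]

HEADER = ("version", "vendor", "product", "product_version",
          "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")      # header delimiter, unless escaped
_KEY = re.compile(r"(?:^|\s)(\w+)=")  # extension key at a token boundary
_UNESC = re.compile(r"\\([=|\\])")    # CEF escapes: \= \| \\

def parse_cef(line):
    """Parse one CEF record; a syslog prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 header fields and an extension")
    record = {k: _UNESC.sub(r"\1", v) for k, v in zip(HEADER, parts)}
    ext, keys = parts[7], list(_KEY.finditer(parts[7]))
    record["extension"] = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        # A value runs up to the next key, so it may contain spaces.
        end = nxt.start() if nxt else len(ext)
        value = ext[cur.end():end].strip()
        record["extension"][cur.group(1)] = _UNESC.sub(r"\1", value)
    return record

def open_ports(lines):
    """Summarise PORT_OPEN records as (dst, port, protocol) tuples."""
    found = []
    for line in lines:
        rec = parse_cef(line)
        if rec["name"] == "PORT_OPEN":
            ext = rec["extension"]
            found.append((ext["dst"], int(ext["dpt"]), ext["cs2protocol"]))
    return found
```
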

Supported Filters

Download Alerts supports all the filters that Search Alerts supports.

Supported Filter Operators

In POST requests that search or download data, the following operators can be used in the filter criteria:

  • CONTAINS
  • IN
  • EQUALS
  • NOT EQUALS
  • GREATER
  • LESSER

Headers

The following headers are required when making any API request:

Name | Value | Method
user | Username of the portal-front user | GET, POST
password | Password | GET, POST
Content-Type | All the input params for POST calls are in XML, so the value should be "text/xml" | POST
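
A client-side sketch that combines the operators and headers above with the Search Alerts request and response formats; it is an added example, not Qualys code. The function names, base_url and credentials are assumptions of this example, the request is built but not sent, and the response is abridged from the Search Alerts sample output.

```python
import urllib.request
import xml.etree.ElementTree as ET

OPERATORS = {"CONTAINS", "IN", "EQUALS", "NOT EQUALS", "GREATER", "LESSER"}

# Abridged from the Search Alerts sample output on this page.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse><responseCode>SUCCESS</responseCode><count>1</count>
<hasMoreRecords>false</hasMoreRecords><data><Alert><id>244402</id>
<eventType>SSL_NEW</eventType><ipAddress>10.10.25.69</ipAddress>
<hostname>josh.com-25-69.qualys.com</hostname>
<eventDate>2014-06-04T10:57:43Z</eventDate><profile><id>7401</id>
<title>All Tomato</title></profile><alertInfo><port>0</port>
<sslName>josh.com-25-69.qualys.com</sslName></alertInfo></Alert></data>
</ServiceResponse>"""

def build_search(base_url, resource, user, password, criteria):
    """Return an unsent POST request; criteria is [(field, operator, value)]."""
    root = ET.Element("ServiceRequest")
    filters = ET.SubElement(root, "filters")
    for field, operator, value in criteria:
        if operator not in OPERATORS:
            raise ValueError(f"unsupported operator: {operator!r}")
        # ElementTree escapes &, < and >, so a value cannot alter the XML.
        node = ET.SubElement(filters, "Criteria", field=field, operator=operator)
        node.text = str(value)
    body = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    url = f"{base_url.rstrip('/')}/qps/rest/1.0/search/cm/{resource}/"
    headers = {"user": user, "password": password, "Content-Type": "text/xml"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def parse_alerts(xml_bytes):
    """Return (alerts, has_more) from a search/cm/alert ServiceResponse."""
    root = ET.fromstring(xml_bytes)
    if root.findtext("responseCode") != "SUCCESS":
        raise RuntimeError(f"API error: {root.findtext('responseCode')}")
    alerts = []
    for alert in root.iterfind("data/Alert"):
        info = alert.find("alertInfo")
        alerts.append({
            "id": alert.findtext("id"),
            "eventType": alert.findtext("eventType"),
            "ipAddress": alert.findtext("ipAddress"),
            "hostname": alert.findtext("hostname"),
            "eventDate": alert.findtext("eventDate"),
            "profile": alert.findtext("profile/title"),
            "alertInfo": {c.tag: c.text for c in info} if info is not None else {},
        })
    return alerts, root.findtext("hasMoreRecords") == "true"
```
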

One response to “Qualys Continuous Monitoring API Update”

  1. This is awesome. However, we implemented ours using the qualysapi python libraries and it can’t resolve the CM version.

    File “build\bdist.win-amd64\egg\qualysapi\connector.py”, line 255, in request
    File “build\bdist.win-amd64\egg\qualysapi\connector.py”, line 129, in url_api_version
    Exception: Unknown QualysGuard API Version Number (False)

    I don’t suppose you’ve got an updated connector.py file or qualysapi python library?
