Setup Integration from Qualys

Qualys Vulnerability Management, Detection and Response (VMDR)

This Qualys VMDR (external, opens in a new tab or window) integration is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.

The Qualys VMDR integration uses REST API mode to collect data. Elastic Agent fetches data via API endpoints.

Compatibility

This module has been tested against the latest Qualys VMDR version v2.

Data streams

The Qualys VMDR integration collects data for the following three events:

Event Type
Asset Host Detection
Knowledge Base
User Activity Log

Starting from Qualys VMDR integration version 6.0, the Asset Host Detection data stream includes enriched vulnerabilities data from Qualys Knowledge Base API.

• https://docs.qualys.com/en/vm/latest/

Requirements

• Elastic Agent must be installed.
• You can install only one Elastic Agent per host.
• Elastic Agent is required to stream data through the REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.

Agentless Enabled Integration

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations (external, opens in a new tab or window) and the Agentless integrations FAQ (external, opens in a new tab or window). Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

• https://www.elastic.co/docs/solutions/security/get-started/agentless-integrations
• https://www.elastic.co/docs/troubleshoot/security/agentless-integrations

Installing and managing an Elastic Agent:

You have a few options for installing and managing an Elastic Agent:

Install a Fleet-managed Elastic Agent (recommended):

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

• https://www.elastic.co/docs/reference/fleet/install-elastic-agents

Description:

Integrate Qualys Vulnerability Management, Detection and Response (VMDR) with the Elastic Stack using REST API-based methods. This allows you to ingest vulnerability, asset, and detection data directly into Elasticsearch for centralized security monitoring, visualization, and analysis.

What It Does:

• Connects to Qualys VMDR using the REST API
• Fetches vulnerability data, asset inventory, and host-level detections
• Enables structured indexing, Kibana dashboards, and Elastic SIEM correlation
• Supports both manual script-based integration and automated Elastic Agent setup

Option 1: API-Based Script Integration

Description:

Use Qualys' REST API with a custom script (e.g., Python) to pull data and send it to Elasticsearch.

What It Does:

• Fetches Qualys scan results, vulnerabilities, and asset data on demand
• Allows you to customize scheduling, parsing, and indexing behavior
• Works with any self-managed Elastic cluster or Elastic Cloud deployment

Steps:

Prepare API Access:

• Log in to Qualys Admin Portal → User Management

• Create a dedicated API user with:

  • API Access permission

  • Access to VMDR, Host, and Detection modules

• Save the username and password for authentication

Call the API:

GET https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/

Use Basic Authentication with your API user credentials.

Python Example Script:

import requests, json from requests.auth import HTTPBasicAuth response = requests.get(     "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/",     auth=HTTPBasicAuth("QUALYS_USER", "PASSWORD"),     headers={"X-Requested-With": "curl"} ) data = {"raw_data": response.text} requests.post(     "http://<elasticsearch>:9200/qualys-vulns/_doc",     headers={"Content-Type": "application/json"},     data=json.dumps(data) )

Option 2: Elastic Agent – Qualys VMDR Integration (REST API)

Description:

Use Elastic Agent’s built-in Qualys VMDR integration to automatically fetch vulnerability and asset data via the REST API and ingest it directly into Elasticsearch.

What It Does:

• Connects to Qualys VMDR using a dedicated API user
• Fetches data streams like detections, vulnerabilities, and host asset inventory
• Provides ready-made Kibana dashboards and works with Elastic Security rules
• Fully managed through Fleet UI in Elastic Cloud or self-managed Elastic Stack

Steps:

Enable API Access in Qualys:

• Ensure a Qualys API user exists

• Grant the following:

  • API Access

  • Access to VMDR, Host, Detection, and Inventory modules as needed

Install Elastic Agent:

• Install Elastic Agent on your server, endpoint, or VM

• Enroll it into Fleet via Kibana or Elastic Cloud

Add the Qualys VMDR Integration:

• Go to Kibana → Fleet → Integrations

• Search for “Qualys VMDR” and click Add Integration

• Enter:

  • API Server URL (e.g., https://qualysapi.qualys.com)

  • API Username

  • API Password

  • Optional: page size or polling interval

Choose Data Streams to Collect:

• vulnerability

• detection

• host

• asset_inventory (if supported)

Save the Integration Policy:

• Attach the policy to an Elastic Agent

• Agent will start fetching and shipping data automatically

References:

• https://www.elastic.co/docs/reference/integrations/qualys_vmdr
• https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf

 

What Happens Next

When you run your custom script (Option 1):
→ Data is pulled from Qualys via REST API and posted to a target Elasticsearch index
→ You control the fetch frequency, field mappings, and transformation logic
→ Dashboards must be manually built or customized in Kibana

When you enable Elastic Agent integration (Option 2):
→ Agent continuously pulls vulnerability and detection data from Qualys
→ Prebuilt dashboards populate in Kibana
→ Vulnerabilities can be used in SIEM detection rules or custom queries

Integration Requirements Overview

Component	Required for Option 1 (Script)	Required for Option 2 (Elastic Agent)	Purpose
Qualys API User	Yes	Yes	Authenticates to Qualys for REST API access
VMDR Module Access	Yes	Yes	Needed to access host, detection, and vulnerability data
Role-Based Access Control (RBAC)	Yes	Yes	Ensures the API user only accesses required modules
Custom Script	Yes	No	Required only for manual API integration
Elastic Agent	No	Yes	Required for Fleet-managed automatic integration
Kibana Access	Yes	Yes	Used to view dashboards and run security queries

Permissions

Asset Host Detection

Role	Permission
Managers	All VM scanned hosts in subscription
Unit Managers	VM scanned hosts in user’s business unit
Scanners	VM scanned hosts in user’s account
Readers	VM scanned hosts in user’s account

Knowledge Base

Managers, Unit Managers, Scanners, Readers have permission to download vulnerability data from the KnowledgeBase.

User Activity Log

Role	Permission
Managers	All actions taken by all users
Unit Managers	Actions taken by users in their business unit
Scanners	Own actions only
Readers	Own actions only

Setup

To collect data through REST API, follow the below steps:

• Considering you already have a Qualys user account, to identify your Qualys platform and get the API URL, refer this link.
  • https://www.qualys.com/platform-identification/
• Alternative way to get the API URL is to log in to your Qualys account and go to Help > About. You’ll find your URL under Security Operations Center (SOC).

Enabling the integration in Elastic:

1. In Kibana go to Management > Integrations

2. In "Search for integrations" search bar, type Qualys VMDR

3. Click on the "Qualys VMDR" integration from the search results.

4. Click on the Add Qualys VMDR Integration button to add the integration.

5. While adding the integration, if you want to collect Asset Host Detection data via REST API, then you have to put the following details:

   • username
   • password
   • url
   • interval
   • input parameters
   • batch size

   or if you want to collect Knowledge Base data via REST API, then you have to put the following details:

   • username
   • password
   • url
   • initial interval
   • interval
   • input parameters

   or if you want to collect User Activity log data via REST API, then you have to put the following details:

   • username
   • password
   • url
   • initial interval
   • interval

Screenshot