Setup Integration from Qualys

Qualys Vulnerability Management, Detection and Response (VMDR)

This Qualys VMDR (external, opens in a new tab or window) integration is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.

The Qualys VMDR integration uses REST API mode to collect data. Elastic Agent fetches data via API endpoints.

Compatibility

This module has been tested against the latest Qualys VMDR version v2.

Data streams

The Qualys VMDR integration collects data for the following three events:

Event Type
Asset Host Detection
Knowledge Base
User Activity Log

Starting from Qualys VMDR integration version 6.0, the Asset Host Detection data stream includes enriched vulnerabilities data from Qualys Knowledge Base API.

Requirements

Agentless Enabled Integration

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations (external, opens in a new tab or window) and the Agentless integrations FAQ (external, opens in a new tab or window). Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

Installing and managing an Elastic Agent:

You have a few options for installing and managing an Elastic Agent:

Install a Fleet-managed Elastic Agent (recommended):

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

Description:

Integrate Qualys Vulnerability Management, Detection and Response (VMDR) with the Elastic Stack using REST API-based methods. This allows you to ingest vulnerability, asset, and detection data directly into Elasticsearch for centralized security monitoring, visualization, and analysis.

What It Does:

Option 1: API-Based Script Integration

Description:

Use Qualys' REST API with a custom script (e.g., Python) to pull data and send it to Elasticsearch.

What It Does:

Steps:

Prepare API Access:

Call the API:

 

GET https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/

 

Use Basic Authentication with your API user credentials.

Python Example Script:

 

import requests, json
from requests.auth import HTTPBasicAuth

response = requests.get(
    "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/",
    auth=HTTPBasicAuth("QUALYS_USER", "PASSWORD"),
    headers={"X-Requested-With": "curl"}
)

data = {"raw_data": response.text}

requests.post(
    "http://<elasticsearch>:9200/qualys-vulns/_doc",
    headers={"Content-Type": "application/json"},
    data=json.dumps(data)
)

 

Option 2: Elastic Agent – Qualys VMDR Integration (REST API)

Description:

Use Elastic Agent’s built-in Qualys VMDR integration to automatically fetch vulnerability and asset data via the REST API and ingest it directly into Elasticsearch.

What It Does:

Steps:

Enable API Access in Qualys:

Install Elastic Agent:

Add the Qualys VMDR Integration:

Choose Data Streams to Collect:

Save the Integration Policy:

References:

 

What Happens Next

When you run your custom script (Option 1):
→ Data is pulled from Qualys via REST API and posted to a target Elasticsearch index
→ You control the fetch frequency, field mappings, and transformation logic
→ Dashboards must be manually built or customized in Kibana

When you enable Elastic Agent integration (Option 2):
→ Agent continuously pulls vulnerability and detection data from Qualys
→ Prebuilt dashboards populate in Kibana
→ Vulnerabilities can be used in SIEM detection rules or custom queries

Integration Requirements Overview

Component Required for Option 1 (Script) Required for Option 2 (Elastic Agent) Purpose
Qualys API User Yes Yes Authenticates to Qualys for REST API access
VMDR Module Access Yes Yes Needed to access host, detection, and vulnerability data
Role-Based Access Control (RBAC) Yes Yes Ensures the API user only accesses required modules
Custom Script Yes No Required only for manual API integration
Elastic Agent No Yes Required for Fleet-managed automatic integration
Kibana Access Yes Yes Used to view dashboards and run security queries

Permissions
Asset Host Detection
Role
Permission
Managers
All VM scanned hosts in subscription
Unit Managers
VM scanned hosts in user’s business unit
Scanners
VM scanned hosts in user’s account
Readers
VM scanned hosts in user’s account
Knowledge Base

ManagersUnit ManagersScannersReaders have permission to download vulnerability data from the KnowledgeBase.

User Activity Log
Role
Permission
Managers
All actions taken by all users
Unit Managers
Actions taken by users in their business unit
Scanners
Own actions only
Readers
Own actions only

Setup

To collect data through REST API, follow the below steps:
Enabling the integration in Elastic:
  1. In Kibana go to Management > Integrations

  2. In "Search for integrations" search bar, type Qualys VMDR

  3. Click on the "Qualys VMDR" integration from the search results.

  4. Click on the Add Qualys VMDR Integration button to add the integration.

  5. While adding the integration, if you want to collect Asset Host Detection data via REST API, then you have to put the following details:

    • username
    • password
    • url
    • interval
    • input parameters
    • batch size

    or if you want to collect Knowledge Base data via REST API, then you have to put the following details:

    • username
    • password
    • url
    • initial interval
    • interval
    • input parameters

    or if you want to collect User Activity log data via REST API, then you have to put the following details:

    • username
    • password
    • url
    • initial interval
    • interval

Screenshot

image.png


Revision #3
Created 19 June 2025 07:26:59 by Kent Lauron
Updated 20 June 2025 01:33:21 by Kent Lauron