Skip navigation
1 2 3 Previous Next

API Notifications

116 posts

A new release of Qualys Cloud Suite, Version 8.15.2, includes an updated API which is targeted for release in October 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.

 

What's new

Apache Authentication - Multiple Improvements - Instance Discovery, Auto Record Creation and More
Instance discovery and auto record creation is now supported using Apache authentication records (UI and API). As before a single Apache record may be used when the same record configuration (Apache configuration file, Apache control command) is replicated across hosts in the record.

 

List Apache Authentication Records API - new filter options, DTD updated /api/2.0/fo/auth/apache/?action=list
New input parameters allow you to filter the Apache authentication record list by status (active or inactive) and creation type (user created or system created). Elements for these properties were added to the Apache auth record list output DTD.

 

Create/Update Apache Authentication Record API - set record to Active or Inactive
/api/2.0/fo/auth/apache/?action=create
/api/2.0/fo/auth/apache/?action=update
We added a new input parameter to support creation of Apache auth records with a certain status (active or inactive). This parameter can also be set when updating user-created Apache records. Note that system-created records cannot be updated.

 

Scan Option Profile Import/Export API - enable Apache instance discovery and auto record creation /api/2.0/fo/subscription/option_profile/
We’ve added new tags and definitions to the DTD and XSD used by the Scan Option Profile Import/Export API to support new capabilities. There were no changes to input parameters.

 

Compliance Scan Results - updated XML/DTD /api/2.0/fo/scan/compliance/?action=fetch
You’ll now see instances discovered under <AUTH_DISCOVERY_INSTANCE_LIST> in the XML output when instance discovery and system record creation is enabled in the option profile used for the scan.

A new release of Qualys Cloud Suite, Version 2.34, includes an updated API which is targeted for release in September 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.  Release notes are attached to this post.

 

What’s New
Fetch Docker information through Asset Management API
/qps/rest/2.0/get/am/hostasset
/qps/rest/2.0/search/am/hostasset
The Asset Management API now returns docker (container) information for host assets
matching the provided criteria.

 

Continuous Monitoring (CM) Licensing
/qps/rest/1.0/search/cm/alert/
/qps/rest/1.0/get/cm/alert/<id>
/qps/rest/1.0/download/cm/alert/?format=<format>
/qps/rest/1.0/search/cm/profile/
/qps/rest/1.0/get/cm/profile/<id>
With this release asset licensing is implemented in the Continuous Monitoring (CM) app,
for internal and external assets. This applies to non trial CM customers only. After login to
the CM UI, the customer can add asset tags to be used for licensing under the
Configuration tab called Licensing Details. This allows the customer to select the asset
tags to enforce the licensing.

 

New XSS Power Mode Option Profile in WAS
/qps/rest/3.0/get/was/optionprofile/<id>
/qps/rest/3.0/create/was/optionprofile
/qps/rest/3.0/update/was/optionprofile/<id>
You can now execute specialized scan that performs comprehensive tests for cross-site
scripting vulnerabilities using the new option profile with XSS Power Mode detection scope
that we have introduced. The detection scope performs tests using the standard XSS
payloads, which detect the most common instances of XSS, but also with additional
payloads that can identify XSS in certain, less-common situations. Running a scan with
option profile that has XSS Power Mode detection scope will provide the best assurance
that your web application is free from XSS vulnerabilities.

 

New Security Filters in WAF for Cipher Selection in Web Applications
/qps/rest/2.0/get/waf/webapp/<id>
/qps/rest/2.0/search/waf/webapp/
/qps/rest/2.0/create/waf/webapp
/qps/rest/2.0/update/waf/webapp/<id>
We have made cipher selection for your web applications simple with new security filters.
You can choose one or more one security filters based on your security requirements.
Available security filters are Strong, Good, Weak and Unsafe.

 

Separate VULNSIGS information in Asset Management API for split manifest
/qps/rest/2.0/get/am/hostasset
/qps/rest/2.0/search/am/hostasset
The Asset Management API now returns separate VULNSIGS information for host asset
when using a split manifest for VM, PC, or SCA.

 

WAF APIs for version 1.0 deprecated
WAF APIs for version 1.0 are now deprecated and no longer available. You can use
equivalent version 2.0 APIs to perform WAF operations.

A new release of Qualys Cloud Suite, Version 8.15, includes an updated API which is targeted for release in September 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.

 

What’s New
Posture Profile API - DTD Change for show_remediation_info /api/2.0/fo/compliance/posture/info/
In the Posture Profile Information DTD the V value in element <!ELEMENT TP (LABEL, V+)> replaced with <!ELEMENT TP (LABEL, V*)> to ensure that the validation does not fail. This is an optional value.

 

Posture Profile API - New Parameter to Show Cause of Failure /api/2.0/fo/compliance/posture/info/
We added a new parameter to the Posture Profile API to show the cause of failure for CIDs.

 

New EC2 Information in the Host Based Report /api/2.0/fo/report
You will now see three new fields: Account ID, Region Code and Subnet ID in host based reports when you create your report using the Scan or PCI Scan template with the EC2 Related Information option checked.

 

New MariaDB Authentication API /api/2.0/fo/auth/ /api/2.0/fo/auth/mariadb/
MariaDB authentication is now supported for compliance scans. The new MariaDB Authentication API (<baseurl>/api/2.0/fo/auth/mariadb/) lets you list, create, update and delete MariaDB authentication records. User permissions for this API are the same as other authentication record APIs.

 

New JBOSS Server Authentication Record /api/2.0/fo/auth/jboss
We have now added a new API to support JBoss Server Authentication. Using the JBoss Server API (.../api/2.0/fo/auth/jboss) you can perform these actions: create, update, list, delete

 

MySQL DB Authentication API - Support for Vaults /api/2.0/fo/auth/mysql/
Now API users can configure MySQL authentication records to use vaults to access credentials used for authentication. Vaults are already supported for MySQL authentication in the UI.

 

List Tomcat Records - DTD Change /api/2.0/fo/auth/tomcat/?action=list
The Auth Tomcat List Output DTD is used when you list Tomcat authentication records in your account. In this DTD, we changed the element SERVICE_NAME to SERVICE_NAME_WINDOWS.

 

Scanner Appliance: IPv6 Support for VLANs and Static Routes /api/2.0/fo/appliance/*/
We now support IPv6 addresses when defining VLANs and static routes for virtual and physical scanner appliances. Appliances can have a mix of IPv4 configurations and IPv6 configurations.

 

NOTE: We are making our formerly Limited Customer Release Subscription API Generally Available (GA) for all customers. Do note this is only of use if you have and manage multiple subscriptions on the Qualys Cloud Platform. For the majority of customers, this is of no use.


Option Profile API - Export System Profiles /api/2.0/fo/subscription/option_profile/

More Option Profile functions for VM, PCI, PC /api/2.0/fo/subscription/option_profile/*/
You can now create, update, list and delete option profiles for VM, PCI, and PC.

(UPDATE: prior release notes only included partial information on this new API)

A new release of Qualys Cloud Suite, Version 8.15, this version # applies to Qualys Vulnerability Management (VM) and Policy Compliance (PC), includes an updated API which is targeted for release in August 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API. Please refer to the detailed release notes attached to this notification for more information.


What's new

Posture Profile API - DTD Change for show_remediation_info /api/2.0/fo/compliance/posture/info/

In the Posture Profile Information DTD the V value in element <!ELEMENT TP (LABEL, V+)> replaced with <!ELEMENT TP (LABEL, V*)> to ensure that the validation does not fail. This is an optional value.


Posture Profile API - New Parameter to Show Cause of Failure  
/api/2.0/fo/compliance/posture/info/
We added a new parameter to the Posture Profile API to show the cause of failure for CIDs.

 

New EC2 Information in the Host Based Report  /api/2.0/fo/report
You will now see three new fields: Account ID, Region Code and Subnet ID in host based reports when you create your report using the Scan or PCI Scan template with the EC2 Related Information option checked.

A new release of Qualys Cloud Suite, Version 2.34, this version # applies to Asset Management and Tagging API's (PORTAL), includes an updated API which is targeted for release in August 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API. Please refer to the detailed release notes attached to this notification for more information.

 

What's new
Fetch Docker information through Asset Management API
/qps/rest/2.0/get/am/hostasset
/qps/rest/2.0/search/am/hostasset

The Asset Management API now returns docker (container) information for host assets matching the provided criteria.

 

Continuous Monitoring (CM) Licensing
/qps/rest/1.0/search/cm/alert/
/qps/rest/1.0/get/cm/alert/<id>
/qps/rest/1.0/download/cm/alert/?format=<format>
/qps/rest/1.0/search/cm/profile/
/qps/rest/1.0/get/cm/profile/<id>

A new release of Qualys Cloud Suite, Version 8.14.1, this version # applies to Qualys Policy Compliance (PC), includes an updated API which is targeted for release in July 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API. Please refer to the detailed release notes attached to this notification for more information.

 

What's new

Qualys Host ID Added to Posture Info and Policy Report /api/2.0/fo/compliance/posture/info/

When a Qualys Host ID (QG_HOSTID) is assigned to a host, you’ll now see the ID in the Posture Info API output and in Compliance Policy Reports. You can fetch reports from the API or download them from the UI.

 

A new release of Qualys Cloud Suite, Version 2.33, includes an updated API which is targeted for release in May 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.

 

What’s New
Easily identify ignored WAS findings /qps/rest/3.0/search/was/finding
We have introduced a new element <isIgnored> to easily identify whether a WAS finding (detection) in the user’s scope is ignored or not.

 

HostAsset and Asset APIs show new Cloud Provider metadata for AWS, Azure and GCP

With this release Qualys Cloud Platform shows additional Cloud Provider metadata to users for Amazon AWS, Azure, and Google Cloud Platform. This asset metadata is collected from Vulnerability Scans (using VM), Compliance Scans (using PC or SCA), Cloud Agents and Data Connectors.

 

Schedule auto-update for appliances registered to a cluster
/qps/rest/2.0/create/waf/cluster
/qps/rest/2.0/update/waf/cluster
You can now use the cluster API to specify when the appliances registered with a cluster
get auto-updated. Specify days of the week and the start time. By default, auto-update is
enabled for all days of the week.

 

Validate XML/JSON payload
/qps/rest/2.0/create/waf/httpprofile
/qps/rest/2.0/update/waf/httpprofile
You can now use the HTTP Profiles API to enable XML/JSON parsing to validate that
transmitted payload is XML/JSON compliant. Parsing is not enabled by default.

 

Uninstall Cloud Agent using UUID
/qps/rest/2.0/uninstall/am/asset
/qps/rest/2.0/uninstall/am/hostasset
Cloud Agent uninstall API now allows you to specify the agent UUID to identify an agent
during uninstallation. Agent UUID can be specified in the request XML.

A new release of Qualys Cloud Suite, Version 8.14, this version # applies to Qualys Vulnerability Management (VM) and Policy Compliance (PC), includes an updated API which is targeted for release in June 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API. Please refer to the detailed release notes attached to this notification for more information.

 

What's new
Vault Support API - Cyber-Ark changed to CyberArk
/api/2.0/fo/vault
/api/2.0/fo/auth
We have changed Cyber-Ark to CyberArk for improved integration of CyberArk vaults. The change affects vault-type input parameter during vault creation (CyberArk AIM and CyberArk PIM Suite). The response also reflects the change.

 

Support for Client Id and Name in Multiple APIs
APIs affected:
/api/2.0/fo/scan/?action=list
/api/2.0/fo/scan/?action=launch
/api/2.0/fo/scan/compliance/?action=list
/api/2.0/fo/scan/compliance/?action=launch
/api/2.0/fo/schedule/scan/?action=list
/api/2.0/fo/schedule/scan/?action=create
/api/2.0/fo/schedule/scan/?action=update
/api/2.0/fo/report/?action=list
We now support for client element (id and name) for Consultant type subscriptions in Scan API, Scheduled Scan API, Compliance Scan API, and Report API.

 

New Scan Summary API for Hosts Not Scanned /api/2.0/fo/scan/summary
This new Summary API lets you identify hosts that were not scanned and why.

 

New Support for Wallix AdminBastion (WAB) Vaults

/api/2.0/fo/vault/ /api/2.0/fo/auth/windows/ /api/2.0/fo/auth/unix/
This new vault type can be used to retrieve authentication credentials from a Wallix AdminBastion (WAB) vault. We updated the authentication vault API (create, update, list, view) and the authentication record API (create, update, list) to support the new vault type. We updated the DTDs for listing Windows and Unix records.

 

Fix to Vault View API Output /api/2.0/fo/vault/
We fixed the XML output of the authentication vault view API to fix a DTD validation error. When echo_request=1 is specified as part of the API call, the REQUEST section now correctly appears before the RESPONSE section in the output.

 

Support for EC2 Scanning using only Instance ID /api/2.0/fo/scan/ /api/2.0/fo/scan/compliance/
We now support launch of on demand internal ec2 scans using only ec2 instance ids. You can use tags if needed. Using tags is now optional.

 

Update to CertView Scan Results to include FQDN /api/2.0/fo/scan/?action=fetch
We added FQDN to the header section of CertView scan results where we’ll now list the FQDNs in the scan target, if any. Previously we listed the target FQDNs with the target IPs. You can download scan results from the UI or fetch results from the API. These changes apply to CertView Scans only.

 

Patch Report is now available in XML format /api/2.0/fo/report
You can now launch and download patch reports in XML format using the API and UI.

 

Option Profile - Import/Export Map Authentication /api/2.0/fo/subscription/option_profile/
We have added 2 new values for the tag <MAP_AUTHENTICATION> to support future capabilities: vCenter, none. Also, the value VMware, available in previous release, is now renamed to VMware-ESXi.

A new release of Qualys Cloud Suite, Version 2.33, includes an updated API which is targeted for release in May 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.

 

What’s New

Easily identify ignored WAS findings /qps/rest/3.0/search/was/finding
We have introduced a new element <isIgnored> to easily identify whether a WAS finding (detection) in the user’s scope is ignored or not.

 

HostAsset and Asset APIs show new Cloud Provider metadata for AWS, Azure and GCP

With this release Qualys Cloud Platform shows additional Cloud Provider metadata to users for Amazon AWS, Azure, and Google Cloud Platform. This asset metadata is collected from Vulnerability Scans (using VM), Compliance Scans (using PC or SCA), Cloud Agents and Data Connectors.

A new release of Qualys Cloud Suite, Version 2.32.2, includes an updated API which is targeted for release in May 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.

 

What’s New

AWS EC2 Connector - Support for Cross-Account Role Authentication
Qualys now supports the creation of EC2 connectors using a cross-account access role. This allows you to grant Qualys access to your AWS EC2 instances without sharing your AWS security credentials. Qualys will access your AWS EC2 instances by assuming the IAM role that you create in your AWS account. With this support, we are discontinuing the creation of EC2 connectors using IAM access keys. We’ll help you migrate your existing EC2 connectors to now use cross-account access roles. Note that this migration to your existing EC2 connector to cross account role is unidirectional and cannot be reverted.

A new release of Qualys Cloud Suite, Version 8.14, this version # applies to Qualys Vulnerability Management (VM) and Policy Compliance (PC), includes an updated API which is targeted for release in June 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API. Please refer to the detailed release notes attached to this notification for more information.


What's new
Vault Support API - Cyber-Ark changed to CyberArk
/api/2.0/fo/vault
/api/2.0/fo/auth
We have changed Cyber-Ark to CyberArk for improved integration of CyberArk vaults. The change affects vault-type input parameter during vault creation (CyberArk AIM and CyberArk PIM Suite). The response also reflects the change.

 

Support for Client Id and Name in Multiple APIs
APIs affected:
/api/2.0/fo/scan/?action=list
/api/2.0/fo/scan/?action=launch
/api/2.0/fo/scan/compliance/?action=list
/api/2.0/fo/scan/compliance/?action=launch
/api/2.0/fo/schedule/scan/?action=list
/api/2.0/fo/schedule/scan/?action=create
/api/2.0/fo/schedule/scan/?action=update
/api/2.0/fo/report/?action=list
We now support for client element (id and name) for Consultant type subscriptions in Scan API, Scheduled Scan API, Compliance Scan API, and Report API.

A new release of Qualys Cloud Suite, Version 8.13.1, this version # applies to Qualys Vulnerability Management (VM) and Policy Compliance (PC), includes an updated API which is targeted for release in May 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API. Please refer to the detailed release notes attached to this notification for more information.


What's new
Support for Cloud Perimeter Scan (coming soon)
We’ve made updates to support Cloud Perimeter Scans in a future release (keep in mind Cloud Perimeter Scans are not supported at this time).

A new release of Qualys Cloud Suite, Version 8.13, this version # applies to Qualys Vulnerability Management (VM) and Policy Compliance (PC), includes an updated API which is targeted for release in April 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API. Please refer to the detailed release notes attached to this notification for more information.


What's new
Option Profile API - New Test Authentication Option /api/2.0/fo/subscription/option_profile/

We added a new element to the option profile API. When you export/import an option profile we’ll show you whether the Test Authentication option is enabled or disabled.

 

Option Profile API - DTD Change for DO_NOT_OVERWRITE_OS /api/2.0/fo/subscription/option_profile/
In the Option Profile Information DTD the element DO_NOT_OVERWRITE_OS appeared twice - under SCAN and under CONTROL_TYPES. We removed it from CONTROL_TYPES.

 

Scanner Appliance API - New Option to Filter Asset Tags /api/2.0/fo/appliance/
You can now choose whether to include asset tag information in the scanner appliance list output. Use the new show_tags input parameter in your API request to include or exclude tag information for each scanner appliance.

 

New Replace Scanner Appliance API /api/2.0/fo/appliance/replace_iscanner
Now you can replace a scanner appliance with a new one using the API. Just tell us the name of the appliance you want to replace and the one you want to use. By default we’ll transfer configurations from the old appliance to the new appliance for you but you can choose not to transfer settings.

 

Asset Group API - New Option for User Name /api/2.0/fo/asset/group/
You can now choose whether to display owner name in the asset group list output. Use the show_attributes input parameter with new attribute OWNER_USER_NAME in your API request to include or exclude owner user name for asset group.

A new release of Qualys Cloud Suite, Version 8.13, this version # applies to Qualys Vulnerability Management (VM) and Policy Compliance (PC), includes an updated API which is targeted for release in April 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API. Please refer to the detailed release notes attached to this notification for more information.

 

What's new
Option Profile API - New Test Authentication Option /api/2.0/fo/subscription/option_profile/

We added a new element to the option profile API. When you export/import an option profile we’ll show you whether the Test Authentication option is enabled or disabled.

A new release of Qualys Cloud Suite, Version 2.32, includes an updated API which is targeted for release in March 2018. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.

 

What’s New

SAQ - New SAQ API introduced

We've introduced the first of new API's for SAQ. Full User Guide will be available in the documentation links shortly.

 

WAS - Burp API: Support for Latest Burp version /qps/rest/3.0/import/was/burp

We now support import of the latest version of Burp 1.7.24 for Burp API. You can now successfully import Burp files that belong to version 1.7.24.

 

WAS - Option Profile API: Enhancements to Detections /qps/rest/3.0/create/was/optionprofile

We have now introduced a new detection categories and enhanced the scope of detection in Option Profile API.You can now create option profile and associate pre-defined detection categories with Option Profile. 

 

CA - NOT EQUALS operator disabled during uninstall 

/qps/rest/2.0/uninstall/am/hostasset
/qps/rest/2.0/uninstall/am/asset

Use of NOT EQUALS operator is now disabled during agent uninstall. This is to avoid unintended consequences of Tags or Assets being deleted or updated. Service response now displays an error message if you use the NOT EQUALS operator while uninstalling an agent.

 

WAF - New criteria for searching assets many API's affected - see release notes

 

WAF - Add timeout for a Web Server many API's affected - see release notes

 

WAF - Deployment status and date in cluster API many API's affected - see release notes

 

WAF - Display custom page for custom rule many API's affected - see release notes

 

WAF - Add trusted IPs for a Cluster many API's affected - see release notes

 

AWS Asset Data Connector API - Support for EU (Paris) Region

Now you can easily scan EC2 instances included in the AWS EU (Paris) region for vulnerabilities and policy compliance using the Qualys Cloud Platform using the AWS region code “eu-west-3”. You can create/update EC2 connectors to pull instance info from the China region, activate discovered instances for the VM, PC or SCA module, and scan them using our EC2 scan workflow.