
API Notifications


This update to QualysGuard 8.0 includes improvements to the QualysGuard API, allowing you to integrate your programs and API calls with QualysGuard Vulnerability Management (VM) and QualysGuard Policy Compliance (PC).

 

What’s New

 

 

 

QualysGuard API Server URL.

The QualysGuard API documentation and sample code use the API server URL for QualysGuard US Platform 1. If your account is located on another platform, please replace this URL with the appropriate server URL for your account.

 

 

Account Location: API Server URL for login
QualysGuard US Platform 1: https://qualysapi.qualys.com
QualysGuard US Platform 2: https://qualysapi.qg2.apps.qualys.com
QualysGuard EU Platform: https://qualysapi.qualys.eu
QualysGuard Private Cloud Platform: https://qualysapi.<customer_base_url>


 

QualysGuard API Documentation. API user guides and other documentation are available in your account’s Resources section (Help > Resources > API). Note: The service enforces limits on the API calls users can make within a subscription. See “QualysGuard API Limits” for details.

 

 


Vulnerability Management (VM)

“Security Risk Score” summary added to XML and CSV reports

With this release, vulnerability scan reports include a security risk score summary for the report and per host in all report formats; previously the summary was not included in XML or CSV reports. As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The asset_data_report.dtd was updated - we’ll show you the changes.

 

Tell me about the Security Risk Score. The score for the overall report is the average security risk for all hosts in the report. The score for each host is the average severity level detected (the default) or the highest severity level detected. Managers can configure the calculation method for the subscription by going to Reports > Setup > Security Risk. Are you an Express Lite user? If yes the average severity level is always used.

 

Sample reports. These reports were created using a scan report template configured with host based findings and Text Summary is selected (under Display > Detailed Results).

 

CSV report

New rows show you the security risk score summary for the report and per host.


 

XML report

New XML elements show you the security risk summary for the report (see <RISK_SCORE_SUMMARY>) and per host (see <RISK_SCORE_PER_HOST>).

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ASSET_DATA_REPORT SYSTEM "https://qualysguard.qualys.com/asset_data_report.dtd">
<ASSET_DATA_REPORT>
  <HEADER>
    <COMPANY><![CDATA[Qualys, Inc.]]></COMPANY>
    <USERNAME>USERNAME</USERNAME>
    <GENERATION_DATETIME>2014-03-11T23:56:22Z</GENERATION_DATETIME>
    ...
    <RISK_SCORE_SUMMARY>
      <TOTAL_VULNERABILITIES>14</TOTAL_VULNERABILITIES>
      <AVG_SECURITY_RISK>2.6</AVG_SECURITY_RISK>
      <BUSINESS_RISK>13/100</BUSINESS_RISK>
    </RISK_SCORE_SUMMARY>
  </HEADER>
<RISK_SCORE_PER_HOST>
  <HOSTS>
    <IP_ADDRESS>10.10.24.104</IP_ADDRESS>
    <TOTAL_VULNERABILITIES>4</TOTAL_VULNERABILITIES>
    <SECURITY_RISK>2.5</SECURITY_RISK>
  </HOSTS>
  <HOSTS>
    <IP_ADDRESS>10.10.24.106</IP_ADDRESS>
    <TOTAL_VULNERABILITIES>10</TOTAL_VULNERABILITIES>
    <SECURITY_RISK>2.6</SECURITY_RISK>
  </HOSTS>
</RISK_SCORE_PER_HOST>
  <HOST_LIST>
    <HOST>
      <IP>10.10.24.104</IP>
      <TRACKING_METHOD>IP</TRACKING_METHOD>
...

 

 

DTD updates

You’ll see the updated asset_data_report.dtd below.  There are new elements RISK_SCORE_PER_HOST and RISK_SCORE_SUMMARY.

 

<!-- QUALYS ASSET DATA REPORT DTD -->

<!ELEMENT ASSET_DATA_REPORT (ERROR | (HEADER, RISK_SCORE_PER_HOST?, HOST_LIST?, GLOSSARY?, APPENDICES?))>

<!ELEMENT ERROR (#PCDATA)*>
<!ATTLIST ERROR number CDATA #IMPLIED>


<!-- HEADER -->


<!ELEMENT HEADER (COMPANY, USERNAME, GENERATION_DATETIME, TEMPLATE,
                  TARGET, RISK_SCORE_SUMMARY?)>

<!ELEMENT COMPANY (#PCDATA)>
<!ELEMENT USERNAME (#PCDATA)>
<!ELEMENT GENERATION_DATETIME (#PCDATA)>
<!ELEMENT TEMPLATE (#PCDATA)>
<!ELEMENT TARGET (USER_ASSET_GROUPS?, USER_IP_LIST?, COMBINED_IP_LIST?, 
                  ASSET_TAG_LIST?)>

<!ELEMENT USER_ASSET_GROUPS (ASSET_GROUP_TITLE+)>
<!ELEMENT ASSET_GROUP_TITLE (#PCDATA)>

<!ELEMENT USER_IP_LIST (RANGE*)>
<!ELEMENT RANGE (START, END)>
<!ELEMENT START (#PCDATA)>
<!ELEMENT END (#PCDATA)>

<!ELEMENT COMBINED_IP_LIST (RANGE*)>

<!ELEMENT ASSET_TAG_LIST (INCLUDED_TAGS, EXCLUDED_TAGS?)>

<!ELEMENT INCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST INCLUDED_TAGS scope CDATA #IMPLIED>

<!ELEMENT EXCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST EXCLUDED_TAGS scope CDATA #IMPLIED>

<!-- AVERAGE RISK_SCORE_SUMMARY -->
<!ELEMENT RISK_SCORE_SUMMARY (TOTAL_VULNERABILITIES, AVG_SECURITY_RISK,
                              BUSINESS_RISK)>
<!ELEMENT TOTAL_VULNERABILITIES (#PCDATA)>
<!ELEMENT AVG_SECURITY_RISK (#PCDATA)>
<!ELEMENT BUSINESS_RISK (#PCDATA)>

<!-- RISK_SCORE_PER_HOST -->
<!ELEMENT RISK_SCORE_PER_HOST (HOSTS+)>
<!ELEMENT HOSTS (IP_ADDRESS, TOTAL_VULNERABILITIES, SECURITY_RISK)>
<!ELEMENT IP_ADDRESS (#PCDATA)>
<!ELEMENT SECURITY_RISK (#PCDATA)>

<!-- HOST_LIST -->

<!ELEMENT HOST_LIST (HOST+)>
...

 

 

Manage the EC2 Scan Workflow using the API

You can now manage the special Amazon EC2 Scan workflow in Vulnerability Management using the QualysGuard API. You’ll use the VM Scan API v2 (/api/2.0/fo/scan/) to launch EC2 scans and manage them within your account just like other vulnerability scans.

 

The Amazon EC2 Scan workflow using QualysGuard is pre-authorized by AWS. This workflow integrates with EC2 APIs, targets EC2 assets by their Instance ID, and allows scanning in Amazon EC2 Classic and EC2-VPC without the need to request pre-approval from AWS through their scan authorization request form. Want to learn more? Check out our Help Center for Amazon Web Services at the Qualys Community.

 

A few things to consider...

  • EC2 Scanning and EC2 Connector features must be enabled for your QualysGuard account.
  • Only a Manager user can launch EC2 scans.
  • You must have deployed an instance of the virtual scanner appliance using a QualysGuard appliance AMI published in AWS Marketplace.  Don’t have this? Log in to the user interface and go to VM > Scans > Appliances and select New > Virtual Scanner Appliance. When using the EC2 Scan workflow be certain to deploy the “Pre-Authorized Scanning” appliance and not the standard appliance.  Please see Choosing The Correct Scanner AMI (Amazon Machine Image) for more.
  • You need an EC2 Connector that you’ve configured using the user interface in QualysGuard Asset Management. Want to do this? Go to AM (Asset Management) > Connectors and select Actions > Create EC2 Connector. Our wizard will help you do this quickly. You’ll select EC2 hosts to scan and assign them asset tags. (Tip - When you launch an EC2 scan you’ll select EC2 host tags for the scan target.)

 

Ready to launch an EC2 scan? Here are the settings you’ll use. Many of the input parameters are also available for all vulnerability scans.

 

Setting

Parameters

Request

action=launch (Required)

echo_request (Optional)

Scan Title

scan_title (Optional)
EC2 environment

connector_name={value}

(Required) The name of the EC2 connector for the AWS integration you want to run the scan on.

ec2_endpoint={value}

(Required) The EC2 region code or the ID of the Virtual Private Cloud (VPC) zone. Need to find the region code? See: AWS Documentation-Region and Availability Zone Concepts

Option Profile

option_title={value} -or-

option_id={value}

(Required) The scan settings to be used for the scan, saved as an option profile.

Scanner Appliance

iscanner_name={value} -or-

iscanner_id={value}

(Required) The scanner appliance to be used for the scan.

Target Hosts

target_from={tags}

(Required) Use tags to select the EC2 hosts you want to scan.

use_ip_nt_range_tags={0}

The default setting is “0”.  Important - This cannot be set to “1” for EC2 scanning.

These tag parameters are used to select tags:

tag_set_include={tag1,tag2,...} (Required)

tag_set_exclude={tag1,tag2,...} (Optional)

tag_include_selector={any|all} (Default in bold)

tag_exclude_selector={any|all} (Default in bold)

tag_set_by={id|name} (Default in bold)

 

 

Show me a sample API request

This request will launch an EC2 vulnerability scan using the connector “EC2_Connector” on assets that match tags with IDs 1558997 and 1559222. You’ll notice the XML output uses the simple return DTD (simple_return.dtd).

 

API request

curl -H "X-Requested-With: Curl" -u "USERNAME:PASSWORD" -X "POST" -d "action=launch&scan_title=My+EC2+Scan&connector_name=EC2_Connector&ec2_endpoint=us-east-1&target_from=tags&use_ip_nt_range_tags=0&tag_include_selector=any&tag_set_by=id&tag_set_include=1558997,1559222&option_id=43165&iscanner_name=EC2-1" "https://qualysapi.qualys.com/api/2.0/fo/scan/" > outputfile.txt

 

XML output

cat outputfile.txt

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2014-02-25T21:32:40Z</DATETIME>
    <TEXT>New vm scan launched</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>136992</VALUE>
      </ITEM>
      <ITEM>
        <KEY>REFERENCE</KEY>
        <VALUE>scan/1358285558.36992</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>
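
The parameter rules listed above can be enforced before any request leaves your automation. This is an added example, not Qualys code: the function name build_ec2_launch_body is hypothetical, and the numeric check on tag IDs when tag_set_by=id is an assumption. It reproduces the POST body of the sample request and rejects combinations the settings rule out.

```python
"""Validate EC2 scan launch parameters for /api/2.0/fo/scan/ (added example)."""
from urllib.parse import urlencode

SELECTORS = {"any", "all"}
TAG_SET_BY = {"id", "name"}


def _exactly_one(errors, **named):
    """Record an error unless exactly one of the named parameters is set."""
    given = [k for k, v in named.items() if v is not None]
    if len(given) != 1:
        errors.append("specify exactly one of " + " / ".join(named))


def _csv(items):
    """Join a tag list into the comma-separated form the API expects."""
    return ",".join(str(i) for i in items) if items else None


def build_ec2_launch_body(*, connector_name, ec2_endpoint, tag_set_include,
                          option_id=None, option_title=None,
                          iscanner_id=None, iscanner_name=None,
                          scan_title=None, tag_set_exclude=None,
                          tag_include_selector=None, tag_exclude_selector=None,
                          tag_set_by=None, use_ip_nt_range_tags=0):
    """Return the urlencoded POST body, or raise ValueError listing every problem."""
    errors = []
    if not connector_name:
        errors.append("connector_name is required")
    if not ec2_endpoint:
        errors.append("ec2_endpoint is required")
    if not tag_set_include:
        errors.append("tag_set_include is required")
    # Option profile and scanner appliance: one form of each, never both.
    _exactly_one(errors, option_id=option_id, option_title=option_title)
    _exactly_one(errors, iscanner_id=iscanner_id, iscanner_name=iscanner_name)
    if str(use_ip_nt_range_tags) != "0":
        errors.append("use_ip_nt_range_tags cannot be 1 for EC2 scanning")
    for name, value in (("tag_include_selector", tag_include_selector),
                        ("tag_exclude_selector", tag_exclude_selector)):
        if value is not None and value not in SELECTORS:
            errors.append(f"{name} must be any or all")
    if tag_set_by is not None and tag_set_by not in TAG_SET_BY:
        errors.append("tag_set_by must be id or name")
    if tag_set_by == "id":
        # Assumption: tag IDs are plain integers, as in the sample request.
        for tag in list(tag_set_include or []) + list(tag_set_exclude or []):
            if not str(tag).isdigit():
                errors.append(f"tag {tag!r} is not a numeric ID")
    if errors:
        raise ValueError("; ".join(errors))

    fields = [
        ("action", "launch"),
        ("scan_title", scan_title),
        ("connector_name", connector_name),
        ("ec2_endpoint", ec2_endpoint),
        ("target_from", "tags"),          # EC2 targets are always selected by tag
        ("use_ip_nt_range_tags", 0),
        ("tag_include_selector", tag_include_selector),
        ("tag_exclude_selector", tag_exclude_selector),
        ("tag_set_by", tag_set_by),
        ("tag_set_include", _csv(tag_set_include)),
        ("tag_set_exclude", _csv(tag_set_exclude)),
        ("option_id", option_id),
        ("option_title", option_title),
        ("iscanner_name", iscanner_name),
        ("iscanner_id", iscanner_id),
    ]
    # Unset optional parameters are omitted; commas stay literal as in the sample.
    return urlencode([(k, v) for k, v in fields if v is not None], safe=",")


if __name__ == "__main__":
    print(build_ec2_launch_body(
        scan_title="My EC2 Scan", connector_name="EC2_Connector",
        ec2_endpoint="us-east-1", tag_set_include=[1558997, 1559222],
        tag_include_selector="any", tag_set_by="id",
        option_id=43165, iscanner_name="EC2-1"))
```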

 

 

 


Policy Compliance (PC)

 

Limit Policy Reports to Selected IPs

Want your policy reports to show certain IPs only? Now you can select the IP addresses to report on each time you create a policy report. This way your report will show you compliance data for selected IPs only, instead of all IPs associated with your policy.

 

Ready to create your report? You’ll use the Report Share API (/api/2.0/fo/report/ with the parameter action=launch) to launch your policy report. Just add the “ips” input parameter and enter the IPs/ranges you want to include in your report - these IPs/ranges must be assigned to the policy you’re reporting on.

 

API request

This request launches a policy report on these IP addresses: 10.10.10.21,10.10.10.40-10.10.10.46. These IPs are assigned to policy ID 12345 and will be included in the report.

 

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=launch&report_title=My+Policy+Report&policy_id=12345&output_format=xml&ips=10.10.10.21,10.10.10.40-10.10.10.46" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

Compliance Scorecard Report XML - added NetBIOS name and DNS name

The Compliance Scorecard Report now lists the NetBIOS name and/or DNS name for each host listed under top hosts with changes, when this is available in your account. Be sure you’ve selected the layout option “Hosts with changes” in your report template.

 

We’ve updated the report DTD (compliance_scorecard_report.dtd) to include the new subelements NETBIOS and DNS (under HOST).

 

XML output

...
    <TOP_HOST_WITH_CHANGES>
      <TOP><![CDATA[10]]></TOP>
      <CHANGED_TO_PASS>
        <HOST>
          <IP_ADDRESS><![CDATA[10.10.10.29]]></IP_ADDRESS>
          <NETBIOS><![CDATA[XPSP3-10-29-1]]></NETBIOS>
          <DNS><![CDATA[xpsp3-10-29-1.corp10.com]]></DNS>
          <ASSET_GROUP_NAME><![CDATA[ComplianceHosts]]></ASSET_GROUP_NAME>
          <TECHNOLOGY>Windows XP desktop</TECHNOLOGY>
          <NUMBER_OF_POLICIES>1</NUMBER_OF_POLICIES>
          <PASSED_TOTAL>12</PASSED_TOTAL>
          <PASSED_CHANGED>12</PASSED_CHANGED>
          <COMPLIANCE>100%</COMPLIANCE>
        </HOST>
      </CHANGED_TO_PASS>
      <CHANGED_TO_FAIL>
        <HOST>
          <IP_ADDRESS><![CDATA[10.10.10.29]]></IP_ADDRESS>
          <NETBIOS><![CDATA[XPSP3-10-29-1]]></NETBIOS>
          <DNS><![CDATA[xpsp3-10-29-1.corp123.com]]></DNS>
          ...
        </HOST>
      </CHANGED_TO_FAIL>
...

 

DTD update

...
<!ELEMENT HOST (IP_ADDRESS, NETBIOS, DNS, NETWORK?, ASSET_GROUP_NAME?, ASSET_TAG_NAME?, TECHNOLOGY, NUMBER_OF_POLICIES, PASSED_TOTAL?, PASSED_CHANGED?, FAILED_TOTAL?, FAILED_CHANGED?, ERROR_TOTAL?, ERROR_CHANGED?, COMPLIANCE)>
...
<!ELEMENT NETBIOS (#PCDATA)>
<!ELEMENT DNS (#PCDATA)>

 

 

Policy XML updated to remove control checksum requirement

Now it’s possible to manually import policies without the requirement to have a checksum for control configurations. We’ve updated the XML output of the EVALUATE element. We’ll use the new XML output without the checksum when you export policies. No changes were made to the policy export output DTD (https://<baseurl>/api/2.0/fo/compliance/policy/policy_export_output.dtd).


Tell me about the changes

In previous releases the EVALUATE element included the checksum attribute and the content was text, like this:

<EVALUATE checksum="3982342715fb297713b21d2baee13649e36f8f42cde75a2dbaf521b2ce584674">&lt;CTRL&gt;&lt;DP&gt;&lt;K&gt;ap00.system.cgi.scriptalias&lt;/K&gt;&lt;CD&gt;matches&lt;/CD&gt;&lt;OP&gt;xre&lt;/OP&gt;&lt;V&gt;&lt;![CDATA[.*]]&gt;&lt;/V&gt;&lt;FV set=&quot;1&quot;&gt;161803399999999&lt;/FV&gt;&lt;FV set=&quot;1&quot;&gt;314159265358979&lt;/FV&gt;&lt;/DP&gt;&lt;/CTRL&gt;</EVALUATE>

 

With this release the EVALUATE element does not include the checksum and the content is XML (not text), like this:

<EVALUATE>
    <CTRL><DP><K>ap00.system.cgi.scriptalias</K><CD>matches</CD><OP>xre</OP><V><![CDATA[.*]]></V><FV set="1">161803399999999</FV><FV set="1">314159265358979</FV></DP></CTRL>
</EVALUATE>

 

Can I still import policy XML with the checksum?

Yes, you can still do this - no problem.  Remember if you export your policy we’ll use the new XML output and the checksum attribute will be removed.

 

 

Posture Info API improvements

We’ve made improvements to the XML output of the Compliance Posture Info API v2 (resource /api/2.0/fo/compliance/posture/info/ with action=list). This gives you more details about the controls evaluated on your hosts and their posture. A new summary section tells you more about the control instances (posture info records) like the number of assets, controls and control instances evaluated. We also report the percentage of controls that passed for each host.

 

Want to see the new details?  Be sure to specify the parameter details=All.  We’ve added more content to the XML output and the posture_info_list_output.dtd has been updated.

 

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -d "action=list&policy_ids=10649&details=All&asset_group_ids=423117,423147" "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/"

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE POSTURE_INFO_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/posture_info_list_output.dtd">
<POSTURE_INFO_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-04-09T05:00:46Z</DATETIME>
    <POLICY>
      <ID>10649</ID>
      <DATETIME>2014-04-09T05:00:46Z</DATETIME>
      <INFO_LIST>
        <INFO>
          <ID>1794005</ID>
          <HOST_ID>2154769</HOST_ID>
          <CONTROL_ID>1061</CONTROL_ID>
          <TECHNOLOGY_ID>6</TECHNOLOGY_ID>
          <INSTANCE></INSTANCE>
          <STATUS>Passed</STATUS>
          <EVIDENCE>
            <BOOLEAN_EXPR><![CDATA[:dp_1 match_all $tp_1]]></BOOLEAN_EXPR>
            <DPV_LIST>
              <DPV lastUpdated="2014-02-09T23:30:35Z">
                <LABEL>:dp_1</LABEL>
                <V><![CDATA[161803399999999]]></V>
                <TM_REF>@tm_1</TM_REF>
              </DPV>
            </DPV_LIST>
          </EVIDENCE>
        </INFO>
        <INFO>
          <ID>1794006</ID>
          <HOST_ID>2154769</HOST_ID>
          <CONTROL_ID>1071</CONTROL_ID>
          <TECHNOLOGY_ID>6</TECHNOLOGY_ID>
          <INSTANCE></INSTANCE>
          <STATUS>Passed</STATUS>
          <EVIDENCE>
            <BOOLEAN_EXPR><![CDATA[(:dp_2 in #fv_1 or :dp_2 >= $tp_2)]]></BOOLEAN_EXPR>
            <DPV_LIST>
              <DPV lastUpdated="2014-02-09T23:30:35Z">
                <LABEL>:dp_2</LABEL>
                <V><![CDATA[0]]></V>
              </DPV>
            </DPV_LIST>
          </EVIDENCE>
        </INFO>
...
      </INFO_LIST>
      <SUMMARY>
        <TOTAL_ASSETS>1</TOTAL_ASSETS>
        <TOTAL_CONTROLS>199</TOTAL_CONTROLS>
        <CONTROL_INSTANCES>
          <TOTAL>98</TOTAL>
          <TOTAL_PASSED>84</TOTAL_PASSED>
          <TOTAL_FAILED>14</TOTAL_FAILED>
          <TOTAL_ERROR>0</TOTAL_ERROR>
          <TOTAL_EXCEPTIONS>0</TOTAL_EXCEPTIONS>
        </CONTROL_INSTANCES>
      </SUMMARY>
      <GLOSSARY>
        <HOST_LIST>
          <HOST>
            <ID>2154769</ID>
            <IP>10.10.10.34</IP>
            <TRACKING_METHOD>IP</TRACKING_METHOD>
            <DNS><![CDATA[aix-53-10-34.vuln.qa.qualys.com]]></DNS>
            <OS><![CDATA[AIX 5.3]]></OS>
            <LAST_VULN_SCAN_DATETIME>2014-01-19T17:49:27Z</LAST_VULN_SCAN_DATETIME>
            <LAST_COMPLIANCE_SCAN_DATETIME>2014-02-09T23:30:35Z</LAST_COMPLIANCE_SCAN_DATETIME>
            <PERCENTAGE><![CDATA[85.71% (84 of 98)]]></PERCENTAGE>
          </HOST>
        </HOST_LIST>
        <CONTROL_LIST>
          <CONTROL>
            <ID>1061</ID>
            <STATEMENT><![CDATA[Status of the existence of plus sign or '+' entries in the host's password-related files]]></STATEMENT>
...
      </GLOSSARY>
    </POLICY>
  </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>

 

DTD updates

1) The new SUMMARY subelement gives details for the request (in RESPONSE) and per policy (in POLICY). The summary tells you statistics about the control instances (posture info records) returned in the XML output including the total number of: assets, controls and control instances. For control instances you’ll find the total number of: instances, instances having the status passed, failed and error, plus the instances defined as exceptions.

2) The new PERCENTAGE subelement (in HOST) tells you the percentage of controls having the status passed. For example “85.71% (84 of 98)” means 85.71% of the controls passed, 84 controls passed and 98 controls were evaluated.

 

...
<!ELEMENT RESPONSE (DATETIME, ((INFO_LIST?, SUMMARY?, WARNING_LIST?, GLOSSARY?) | POLICY+))>

<!ELEMENT POLICY (ID, DATETIME, INFO_LIST?, SUMMARY?, WARNING_LIST?, GLOSSARY?)>
...
<!ELEMENT HOST_LIST (HOST+)>
<!ELEMENT HOST (ID, IP, TRACKING_METHOD, DNS?, NETBIOS?, OS?, OS_CPE?,
                LAST_VULN_SCAN_DATETIME?, LAST_COMPLIANCE_SCAN_DATETIME?,
                PERCENTAGE?)>
...
<!ELEMENT PERCENTAGE (#PCDATA)>
...
<!ELEMENT SUMMARY (TOTAL_ASSETS, TOTAL_CONTROLS, CONTROL_INSTANCES)>
<!ELEMENT TOTAL_ASSETS (#PCDATA)>
<!ELEMENT TOTAL_CONTROLS (#PCDATA)>
<!ELEMENT CONTROL_INSTANCES (TOTAL, TOTAL_PASSED, TOTAL_FAILED,
                             TOTAL_ERROR, TOTAL_EXCEPTIONS)>
<!ELEMENT TOTAL (#PCDATA)>
<!ELEMENT TOTAL_PASSED (#PCDATA)>
<!ELEMENT TOTAL_FAILED (#PCDATA)>
<!ELEMENT TOTAL_ERROR (#PCDATA)>
<!ELEMENT TOTAL_EXCEPTIONS (#PCDATA)>
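
A consumer of the new SUMMARY and PERCENTAGE elements can check that the figures agree with each other before trusting them in a dashboard. This is an added example, not Qualys code: the function names and the 90% threshold are hypothetical, the sample is the page's output trimmed to the new elements, and the rule that passed + failed + error equals TOTAL is an assumption taken from the sample (84 + 14 + 0 = 98).

```python
"""Cross-check SUMMARY and PERCENTAGE in posture info output (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's XML output reduced to the new elements.
# xml.etree does not fetch the external DTD named in the DOCTYPE.
SAMPLE = """\
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE POSTURE_INFO_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/posture_info_list_output.dtd">
<POSTURE_INFO_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-04-09T05:00:46Z</DATETIME>
    <POLICY>
      <ID>10649</ID>
      <DATETIME>2014-04-09T05:00:46Z</DATETIME>
      <SUMMARY>
        <TOTAL_ASSETS>1</TOTAL_ASSETS>
        <TOTAL_CONTROLS>199</TOTAL_CONTROLS>
        <CONTROL_INSTANCES>
          <TOTAL>98</TOTAL>
          <TOTAL_PASSED>84</TOTAL_PASSED>
          <TOTAL_FAILED>14</TOTAL_FAILED>
          <TOTAL_ERROR>0</TOTAL_ERROR>
          <TOTAL_EXCEPTIONS>0</TOTAL_EXCEPTIONS>
        </CONTROL_INSTANCES>
      </SUMMARY>
      <GLOSSARY>
        <HOST_LIST>
          <HOST>
            <ID>2154769</ID>
            <IP>10.10.10.34</IP>
            <TRACKING_METHOD>IP</TRACKING_METHOD>
            <PERCENTAGE><![CDATA[85.71% (84 of 98)]]></PERCENTAGE>
          </HOST>
        </HOST_LIST>
      </GLOSSARY>
    </POLICY>
  </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>
"""

# Matches the documented form "85.71% (84 of 98)".
_PCT = re.compile(r"^\s*(\d+(?:\.\d+)?)%\s*\((\d+)\s+of\s+(\d+)\)\s*$")


def parse_percentage(text):
    """Return (percent, passed, evaluated) from a PERCENTAGE value."""
    match = _PCT.match(text or "")
    if not match:
        raise ValueError(f"unrecognised PERCENTAGE value: {text!r}")
    return float(match.group(1)), int(match.group(2)), int(match.group(3))


def check_posture(xml_text, min_pass_pct=90.0):
    """Return one record per policy: inconsistencies and hosts under the threshold."""
    response = ET.fromstring(xml_text).find("RESPONSE")
    # The DTD allows SUMMARY directly in RESPONSE or once per POLICY.
    scopes = response.findall("POLICY") or [response]
    report = []
    for scope in scopes:
        problems, below = [], []
        counts = scope.find("SUMMARY/CONTROL_INSTANCES")
        if counts is not None:
            n = {child.tag: int(child.text) for child in counts}
            if n["TOTAL_PASSED"] + n["TOTAL_FAILED"] + n["TOTAL_ERROR"] != n["TOTAL"]:
                problems.append("CONTROL_INSTANCES counts do not add up to TOTAL")
        for host in scope.iterfind("GLOSSARY/HOST_LIST/HOST"):
            ip, raw = host.findtext("IP"), host.findtext("PERCENTAGE")
            if raw is None:          # PERCENTAGE is optional in the DTD
                continue
            try:
                pct, passed, total = parse_percentage(raw)
            except ValueError as exc:
                problems.append(f"{ip}: {exc}")
                continue
            if total == 0 or passed > total or abs(pct - 100.0 * passed / total) > 0.01:
                problems.append(f"{ip}: {pct}% does not match {passed} of {total}")
            elif pct < min_pass_pct:
                below.append(ip)
        report.append({"policy_id": scope.findtext("ID"),
                       "problems": problems, "below_threshold": below})
    return report


if __name__ == "__main__":
    for record in check_posture(SAMPLE):
        print(record)
```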

 

 

 


Vulnerability Management (VM) and Policy Compliance (PC)

 

Select Multiple Scanner Appliances for Scans

With this release you can select multiple scanner appliances for your internal vulnerability and compliance scans. This is especially useful when scanning a large number of hosts because it allows you to distribute the scan task across scanner appliances.

 

How do I launch a scan? For a vulnerability scan, use the VM Scan API v2 (resource /api/2.0/fo/scan/ with action=launch). For a compliance scan use PC Scan API v2 (resource /api/2.0/fo/scan/compliance/ with action=launch).

 

Want to select multiple appliances? Simply tell us the appliance IDs or friendly names when making your launch scan request.

 

Parameter

Description

iscanner_id={value}

 

(Optional)  The IDs of the scanner appliances to be used. Multiple entries are comma  separated.


These  parameters are mutually exclusive and cannot be specified in the same  request: iscanner_id and iscanner_name.

iscanner_name={value}

 

(Optional)  The friendly names of the scanner appliances to be used. Multiple entries are  comma separated.

These  parameters are mutually exclusive and cannot be specified in the same  request: iscanner_id and iscanner_name.

 

 

A few notes...

  • One of these parameters must be specified in a request for an internal scan: iscanner_name, iscanner_id, default_scanner, scanners_in_ag. (Note: The parameters default_scanner and scanners_in_ag have not changed. Refer to the API v2 User Guide for details on these parameters.)
  • For an Express Lite user, Internal Scanning must be enabled in the user’s account.

 

Show me a sample API request

This request will launch a vulnerability scan on the IP address range 10.10.10.2-10.10.10.255 using these scanner appliances: scanner1, scanner2 and scanner3. You’ll notice the XML output uses the simple return DTD (simple_return.dtd).

 

API request

curl -H "X-Requested-With: Curl" -u "USERNAME:PASSWORD" -X "POST" -d "action=launch&scan_title=My+Vulnerability+Scan&ip=10.10.10.2-10.10.10.255&option_id=43165&iscanner_name=scanner1,scanner2,scanner3" "https://qualysapi.qualys.com/api/2.0/fo/scan/"

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2014-02-26T21:32:40Z</DATETIME>
    <TEXT>New vm scan launched</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>136992</VALUE>
      </ITEM>
      <ITEM>
        <KEY>REFERENCE</KEY>
        <VALUE>scan/1358285558.36992</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

 

 

Launch Reports using Asset Tags

We’ve made it easier for you to launch reports by selecting asset tags for the hosts you want to report on using the Report Share API (/api/2.0/fo/report/ with action=launch). It’s possible to select asset tags for both vulnerability and compliance reports. Use the following tag parameters:

 

Parameter

Description

use_tags={0|1}

 

(Optional) Specify “1” when your report target will include asset tags. Specify “0” (the default) when your report target will include IP addresses/ranges and/or asset groups. When not specified, use_tags=0 is used.

 

tag_include_selector=

{all|any}

 

(Optional)  Specify “any” (the default) to include hosts that match at least one of the  selected tags. Specify “all” to include hosts that match all of the selected  tags.

 

tag_include_selector  is valid only when use_tags=1 is specified.

 

tag_exclude_selector=

{all|any}

 

(Optional)  Specify “any” (the default) to exclude hosts that match at least one of the  selected tags. Specify “all” to exclude hosts that match all of the selected  tags.

 

tag_exclude_selector  is valid only when use_tags=1 is specified.

 

tag_set_by={id|name}

 

(Optional)  Specify “id” (the default) to select a tag set by providing tag IDs. Specify  “name” to select a tag set by providing tag names.

 

tag_set_by  is valid only when use_tags=1 is specified.

 

tag_set_include={value}

 

(Optional)  Specify a tag set to include. Hosts that match these tags will be included.  You identify the tag set by providing tag name or IDs. Multiple entries are  comma separated.

 

tag_set_include  is valid only when use_tags=1 is specified.

 

tag_set_exclude={value}

 

(Optional)  Specify a tag set to exclude. Hosts that match these tags will be excluded.  You identify the tag set by providing tag name or IDs. Multiple entries are  comma separated.

 

tag_set_exclude  is valid only when use_tags=1 is specified.

 

 

API request

This request launches a report on hosts with the asset tag Windows. The XML output uses the simple return DTD (simple_return.dtd).

 

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=launch&template_id=55469&report_title=My+Windows+Report&output_format=pdf&use_tags=1&tag_set_by=name&tag_set_include=Windows" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE GENERIC SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2014-02-20T21:45:23Z</DATETIME>
    <TEXT>New report launched</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>1665</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

 

 


QualysGuard Cloud Platform

 

Manage your Virtual Scanners using the API

The Scanner Appliance API v2 (/api/2.0/fo/appliance) includes multiple updates to help you manage all your scanner appliances - both physical and virtual. We’ve updated the list action to return all appliances in your account and you can filter the list by friendly name and appliance IDs. New actions allow Managers and Unit Managers to create, update and delete virtual scanners.

 

Tell me about Permissions. Managers can perform all actions on all virtual scanners (list, create, update, delete). Unit Managers can perform all actions on virtual scanners in their business unit. Scanners and Readers can list virtual scanners assigned to their accounts.

 

List all your Scanner Appliances - physical and virtual

Use the parameter action=list to return a list of scanner appliances in your account, as in previous releases. Now your virtual scanner appliances will be included. We’ve added these new parameters:

 

Parameter

 

Description

 

name={string}

 

(Optional) List only scanner appliances (physical and virtual) that have names matching the string provided. Tip - Substring match is supported. For example, if you have 2 appliances named “myscanner” and “anotherscanner” and you supply the string “name=scan” both appliances will be returned in the XML output.

 

ids={id1,id2,..}

 

(Optional)  List only scanner appliances (physical and virtual) that have certain IDs.  Multiple IDs are comma separated.

 

include_license_info={0|1}

 

(Optional)  Set to 1 to return virtual scanner license information in the XML output.  This tells you the number of licenses you have and the number used. This  information is not returned by default. When specified the XML output will  include the LICENSE_INFO element.

 

 

API request

curl -u"USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X"POST" -d "action=list&echo_request=1&ids=777,1127,1131&include_license_info=1" "https://qualysapi.qualys.com/api/2.0/fo/appliance/"


 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE APPLIANCE_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/appliance/appliance_list_output.dtd">
<APPLIANCE_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2014-01-02T09:26:01Z</DATETIME>
        <APPLIANCE_LIST>
            <APPLIANCE>
                <ID>777</ID>
                <NAME>scanner1</NAME>
                <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
                <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT>
                <STATUS>Online</STATUS>
            </APPLIANCE>
            <APPLIANCE>
                <ID>1127</ID>
                <NAME>scanner2</NAME>
                <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
                <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT>
                <STATUS>Online</STATUS>
            </APPLIANCE>
            <APPLIANCE>
                <ID>1131</ID>
                <NAME>scanner3</NAME>
                <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
                <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT>
                <STATUS>Offline</STATUS>
            </APPLIANCE>
        </APPLIANCE_LIST>
        <LICENSE_INFO>
            <QVSA_LICENSES_COUNT>10</QVSA_LICENSES_COUNT>
            <QVSA_LICENSES_USED>3</QVSA_LICENSES_USED>
        </LICENSE_INFO>
    </RESPONSE>
</APPLIANCE_LIST_OUTPUT>

 

DTD update:

<!-- QUALYS APPLIANCE_LIST_OUTPUT DTD -->
<!ELEMENT APPLIANCE_LIST_OUTPUT (REQUEST?, RESPONSE)>

<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?,
                   POST_DATA?)>
...
<!ELEMENT RESPONSE (DATETIME, APPLIANCE_LIST?, LICENSE_INFO?)>
...
<!ELEMENT LICENSE_INFO (QVSA_LICENSES_COUNT, QVSA_LICENSES_USED)>
<!ELEMENT QVSA_LICENSES_COUNT (#PCDATA)>
<!ELEMENT QVSA_LICENSES_USED (#PCDATA)>

 

 

Add New Virtual Scanner

Use these parameters:

 

Parameter

Description

action=create

 

(Required)  The POST method must be used.

 

name={string}

 

(Required)  The friendly name. This name can’t already be assigned to an appliance in  your account. It can be a maximum of 15 characters, spaces are not allowed.

 

polling_interval={value}

 

(Optional)  The polling interval, in seconds. A valid value is 60 to 3600 (we recommend  180 which is the default). This is the frequency that the virtual scanner  will attempt to connect to our Cloud Security Platform. The appliance calls  home to provide health updates/heartbeats to the platform, to get software  updates from the platform, to learn if new scan jobs have been requested by  users, and to upload scan results data to the platform, if applicable.

 

 

API request

curl -u"USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X"POST" -d "action=create&echo_request=1&name=scanner1" "https://qualysapi.qualys.com/api/2.0/fo/appliance/"

 

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE APPLIANCE_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/appliance/appliance_create_output.dtd">
<APPLIANCE_CREATE_OUTPUT>
    <RESPONSE>
        <DATETIME>2014-01-02T09:26:01Z</DATETIME>
        <ID>777</ID>
        <NAME>scanner1</NAME>
        <ACTIVATION_CODE>ACTIVATION-CODE</ACTIVATION_CODE>
        <REMAINING_QVSA_LICENSES>4</REMAINING_QVSA_LICENSES>
    </RESPONSE>
</APPLIANCE_CREATE_OUTPUT>

 

New DTD:

<!-- QUALYS APPLIANCE_CREATE_OUTPUT DTD -->
<!ELEMENT APPLIANCE_CREATE_OUTPUT (REQUEST?, RESPONSE)>

<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?,
                   POST_DATA?)>
<!ELEMENT DATETIME (#PCDATA)>
<!ELEMENT USER_LOGIN (#PCDATA)>
<!ELEMENT RESOURCE (#PCDATA)>
<!ELEMENT PARAM_LIST (PARAM+)>
<!ELEMENT PARAM (KEY, VALUE)>
<!ELEMENT KEY (#PCDATA)>
<!ELEMENT VALUE (#PCDATA)>
<!-- if returned, POST_DATA will be urlencoded -->
<!ELEMENT POST_DATA (#PCDATA)>

<!ELEMENT RESPONSE (DATETIME, APPLIANCE)>

<!ELEMENT APPLIANCE (ID, FRIENDLY_NAME, ACTIVATION_CODE,
                     REMAINING_QVSA_LICENSES)>
<!ELEMENT ID (#PCDATA)>
<!ELEMENT FRIENDLY_NAME (#PCDATA)>
<!ELEMENT ACTIVATION_CODE (#PCDATA)>
<!ELEMENT REMAINING_QVSA_LICENSES (#PCDATA)>

 

 

Update a Virtual Scanner

Use these parameters:

 

Parameter

Description

action=update

 

(Required)  The POST method must be used.

 

id={id}

 

(Required)  A valid ID of a virtual scanner.

 

name={string}

 

(Optional)  The friendly name. This name can’t already be assigned to an appliance in  your account.  It can be a maximum of  15 characters, spaces are not allowed.

 

polling_interval={value}

 

(Optional)  The polling interval, in seconds. A valid value is 60 to 3600 (we recommend  180 which is the default). This is the frequency that the virtual scanner  will attempt to connect to our Cloud Security Platform. The appliance calls  home to provide health updates/heartbeats to the platform, to get software  updates from the platform, to learn if new scan jobs have been requested by  users, and to upload scan results data to the platform, if applicable.

 

comment={value}

 

(Optional)  User-defined comments.

 

 

API request

 

curl -u"USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X"POST" -d "action=update&echo_request=1&id=12345&name=scanner15" "https://qualysapi.qualys.com/api/2.0/fo/appliance/"

 

 

XML output

The XML output uses the simple return (/api/2.0/simple_return.dtd).

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
    <RESPONSE>
        <DATETIME>2014-04-03T12:12:45Z</DATETIME>
        <TEXT>Virtual scanner updated successfully</TEXT>
        <ITEM_LIST>
            <ITEM>
                <KEY>ID</KEY>
                <VALUE>17110</VALUE>
            </ITEM>
        </ITEM_LIST>
    </RESPONSE>
</SIMPLE_RETURN>

 

 

Delete a Virtual Scanner

Deleting a virtual scanner appliance results in these actions: 1) The virtual scanner will be removed from associated Asset Groups, and 2) Scheduled Scans using this virtual scanner will be deactivated.

 

Is your virtual scanner running scans? If yes it’s not possible to delete it. We recommend you check to be sure the virtual scanner you want to delete is not running scans.

 

Use these parameters:

 

Parameter | Description
action=delete | (Required) The POST method must be used.
id={id} | (Required) A valid ID of a virtual scanner.

 

 

 

API request

 

curl -u"USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X"POST" -d "action=delete&echo_request=1&id=12345" "https://qualysapi.qualys.com/api/2.0/fo/appliance/"

 

 

XML output

The XML output uses the simple return (/api/2.0/simple_return.dtd). If schedules and/or asset groups were impacted we’ll list them so you can update them as needed.

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM
https://qualysapi.qualys.com/api/2.0/fo/simple_return.dtd>
<SIMPLE_RETURN>
    <RESPONSE>
        <DATETIME>2014-01-02T09:26:01Z</DATETIME>
        <TEXT>Virtual scanner deleted successfully</TEXT>
        <ITEM_LIST>
            <ITEM>
                <KEY>ID</KEY>
                <VALUE>115</VALUE>
            </ITEM>
            <ITEM>
                <KEY>DEACTIVATED_SCHEDULED_SCANS</KEY>
                <VALUE>None</VALUE>
            </ITEM>
            <ITEM>
                <KEY>AFFECTED_ASSET_GROUPS</KEY>
                <VALUE>None</VALUE>
            </ITEM>
        </ITEM_LIST>
    </RESPONSE>
</SIMPLE_RETURN>
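
The update limits and the pre-delete check described above can be enforced on the client before any POST is sent. The following is an added example, not Qualys code: the function names are hypothetical, the sample XML is constructed from the outputs shown on this page, and it assumes RUNNING_SCAN_COUNT is read from an action=list response on the same resource.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample responses, modelled on the XML outputs shown on this page.
APPLIANCE_LIST_XML = """<APPLIANCE_LIST_OUTPUT><RESPONSE>
  <DATETIME>2014-04-01T05:42:29Z</DATETIME>
  <APPLIANCE_LIST>
    <APPLIANCE>
      <ID>15242</ID><NAME>vscanner1</NAME>
      <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT><STATUS>Offline</STATUS>
    </APPLIANCE>
    <APPLIANCE>
      <ID>15235</ID><NAME>vscanner2</NAME>
      <RUNNING_SCAN_COUNT>1</RUNNING_SCAN_COUNT><STATUS>Online</STATUS>
    </APPLIANCE>
  </APPLIANCE_LIST>
</RESPONSE></APPLIANCE_LIST_OUTPUT>"""

DELETE_RETURN_XML = """<SIMPLE_RETURN><RESPONSE>
  <DATETIME>2014-01-02T09:26:01Z</DATETIME>
  <TEXT>Virtual scanner deleted successfully</TEXT>
  <ITEM_LIST>
    <ITEM><KEY>ID</KEY><VALUE>15242</VALUE></ITEM>
    <ITEM><KEY>DEACTIVATED_SCHEDULED_SCANS</KEY><VALUE>None</VALUE></ITEM>
    <ITEM><KEY>AFFECTED_ASSET_GROUPS</KEY><VALUE>None</VALUE></ITEM>
  </ITEM_LIST>
</RESPONSE></SIMPLE_RETURN>"""


def build_update_body(appliance_id, name=None, polling_interval=None, comment=None):
    """Check the documented parameter limits, then return the POST body."""
    params = {"action": "update", "id": str(int(appliance_id))}
    if name is not None:
        # Documented limit: maximum of 15 characters, spaces not allowed.
        if len(name) > 15 or any(ch.isspace() for ch in name):
            raise ValueError("name: at most 15 characters, no spaces")
        params["name"] = name
    if polling_interval is not None:
        seconds = int(polling_interval)
        # Documented valid range: 60 to 3600 seconds.
        if not 60 <= seconds <= 3600:
            raise ValueError("polling_interval: 60 to 3600 seconds")
        params["polling_interval"] = str(seconds)
    if comment is not None:
        params["comment"] = comment
    return urlencode(params)


def can_delete(appliance_list_xml, appliance_id):
    """Return (ok, reason) from an action=list response; unknown state is a 'no'."""
    root = ET.fromstring(appliance_list_xml)
    for appliance in root.iter("APPLIANCE"):
        if appliance.findtext("ID") != str(appliance_id):
            continue
        count = appliance.findtext("RUNNING_SCAN_COUNT")
        if count is None or not count.strip().isdigit():
            return False, "running scan count not reported"
        if int(count) > 0:
            return False, f"{int(count)} scan(s) still running"
        return True, "no running scans"
    return False, "appliance not in list"


def delete_followups(simple_return_xml):
    """Return the schedule / asset group items of a delete response that are not 'None'."""
    root = ET.fromstring(simple_return_xml)
    items = {i.findtext("KEY"): (i.findtext("VALUE") or "").strip()
             for i in root.iter("ITEM")}
    keys = ("DEACTIVATED_SCHEDULED_SCANS", "AFFECTED_ASSET_GROUPS")
    # The page only shows the value "None"; other values are returned as received.
    return {k: items[k] for k in keys if items.get(k, "None") != "None"}


if __name__ == "__main__":
    print(build_update_body(12345, name="scanner15", polling_interval=180))
    for appliance_id in (15242, 15235):
        print(appliance_id, can_delete(APPLIANCE_LIST_XML, appliance_id))
    print(delete_followups(DELETE_RETURN_XML))
```
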

 

Network (Overlapping IP) Support

We’ve made several improvements and updates to the Network Support API for customers who have this feature turned on in their accounts. For users who do not have this feature, these changes have no impact - new input parameters are not available, and changes to DTDs and XML output are not visible.

 

Set Up Networks

 

Scanner Appliance List API v2 - filter by network ID

The Scanner Appliance List API v2 (resource /api/2.0/fo/appliance/ with action=list) returns scanner appliances in your account. Now you can use the new input parameter “network_id” (optional) to return a list of scanner appliances for a certain network. Specify 0 for the Global Default Network or a custom network ID.

 

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" "https://qualysapi.qualys.com/api/2.0/fo/appliance/?action=list&network_id=1002"

 


 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE APPLIANCE_LIST_OUTPUT SYSTEM
https://qualysapi.qualys.com/api/2.0/fo/appliance/appliance_list_output.dtd>
<APPLIANCE_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-04-01T05:42:29Z</DATETIME>
    <APPLIANCE_LIST>
      <APPLIANCE>
        <ID>15242</ID>
        <NAME>vscanner1</NAME>
        <NETWORK_ID>1002</NETWORK_ID>
        <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
        <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT>
        <STATUS>Offline</STATUS>
      </APPLIANCE>
      <APPLIANCE>
        <ID>15235</ID>
        <NAME>vscanner2</NAME>
        <NETWORK_ID>1002</NETWORK_ID>
        <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
        <RUNNING_SCAN_COUNT>1</RUNNING_SCAN_COUNT>
        <STATUS>Online</STATUS>
      </APPLIANCE>
    </APPLIANCE_LIST>
  </RESPONSE>
</APPLIANCE_LIST_OUTPUT>

 

 

Organize Assets by Network

 

Asset Group List API v1 - network ID added to group’s IPs / domains

The Asset Group List API v1 (/msp/asset_group_list.php) is used to retrieve a list of asset groups in your account. We added a new attribute “network_id” to the subelements /SCANIPS/IP and MAPDOMAINS/DOMAIN in the XML output (asset_group_list.dtd). This appears for an All asset group that is not the same as the subscription’s All asset group.

 

Have multiple All asset groups? Yes you might. There is always 1 All asset group for the subscription - this includes all assets, visible to Managers. If you have business units, there is 1 unique All asset group for each business unit. If you have Scanners and/or Readers, there is 1 unique All asset group for each Scanner/Reader account. (There is no All asset group for a network.)

 

XML output

Sample XML output showing an All asset group that is not the subscription’s All asset group:

 

...
<ASSET_GROUP>
  <ID>5010</ID>
  <TITLE><![CDATA[All]]></TITLE>
  <SCANIPS>
    <IP network_id="0"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="0"> 10.10.10.13-10.10.10.247</IP>
    <IP network_id="1193"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="1193"> 10.10.10.13-10.10.10.247</IP>
...
  <MAPDOMAINS>
    <DOMAIN network_id="0">qualys-test.com</DOMAIN>
    <DOMAIN network_id="0" netblock="10.10.10.10, 10.10.10.17">mydomain1.com</DOMAIN>
    <DOMAIN network_id="1193">qualys-test.com</DOMAIN>
  </MAPDOMAINS>
...

 

DTD update

New “network_id” attribute added to the subelements /IP and /DOMAIN.

 

...
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP network_id CDATA 0>
...
<!ATTLIST DOMAIN
          netblock CDATA #IMPLIED
          network_id CDATA 0
...

 

 

Asset Inventory

 

Support for IP List API v2

The IP List API v2 (resource /api/2.0/fo/asset/ip/ with action=list) is used to retrieve a list of IP addresses in your account. Use the new input parameter “network_id” (optional) to return a list of IPs for a certain network.

 

The XML output now lists the network ID for each IP address/range when the request is made by a sub-user with access to multiple networks. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

Good to know:

 

  • Managers will not see the “network_id” attribute for any IP or IP_RANGE elements in the output since Managers can see all IPs for all networks.
  • Any sub-user with access to only a single network (the Global Default Network or a custom network) will not see the “network_id” attribute either. This is for consistency with the UI, where these users do not see the network workflows.

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM https://qualysapi.qualys.com/api/2.0/fo/asset/ip/ip_list_output.dtd>
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-02-14T22:47:32Z</DATETIME>
    <IP_SET>
      <IP_RANGE network_id="0">1.0.0.0-10.10.10.14</IP_RANGE>
      <IP_RANGE network_id="0">10.10.10.17-10.10.10.29</IP_RANGE>
      <IP network_id="0">10.10.10.32</IP>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

 

DTD updates

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

 

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  0
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  0
>
...

 

 

Support for Excluded IP List API v2

The Excluded IP List API v2 (/api/2.0/fo/asset/excluded_ip/ with action=list) returns a list of excluded hosts.

Use the new input parameter “network_id” (optional) to return a list of excluded IPs for a certain network.

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM https://qualysapi.qualys.com/api/2.0/fo/asset/excluded_ip/ip_list_output.dtd>
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-20T20:49:19Z</DATETIME>
    <IP_SET>
      <IP network_id="0">10.10.10.19</IP>
      <IP_RANGE network_id="1275">10.10.50.6-10.10.50.10</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

 

DTD updates

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

 

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  0
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  0
>
...
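
With overlapping networks the same address range can be listed once per network, so a consumer of the IP List and Excluded IP List outputs above has to key entries by network ID and address together. The following is an added example, not Qualys code: the function names are hypothetical, the sample XML is constructed from the outputs on this page, and it assumes a missing “network_id” attribute is recorded as "not reported" (None) rather than defaulted to 0, since Managers and single-network sub-users never receive it.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the IP_SET shapes shown on this page, combined so that
# one range exists in two networks (the overlapping-IP case).
SAMPLE = """<IP_LIST_OUTPUT><RESPONSE>
  <DATETIME>2014-03-20T20:49:19Z</DATETIME>
  <IP_SET>
    <IP network_id="0">10.10.10.19</IP>
    <IP_RANGE network_id="0">10.10.50.6-10.10.50.10</IP_RANGE>
    <IP_RANGE network_id="1275"> 10.10.50.6-10.10.50.10</IP_RANGE>
  </IP_SET>
</RESPONSE></IP_LIST_OUTPUT>"""

# Constructed sample: same shape without the attribute, as returned to a
# Manager or to a sub-user with access to a single network.
SAMPLE_NO_ATTR = """<IP_LIST_OUTPUT><RESPONSE>
  <IP_SET>
    <IP>10.10.10.32</IP>
    <IP_RANGE>10.10.10.17-10.10.10.29</IP_RANGE>
  </IP_SET>
</RESPONSE></IP_LIST_OUTPUT>"""


def parse_ip_set(xml_text):
    """Return {network_id (int) or None: [(first, last), ...]} for every IP_SET."""
    root = ET.fromstring(xml_text)
    by_network = defaultdict(list)
    for ip_set in root.iter("IP_SET"):
        for element in ip_set:
            if element.tag not in ("IP", "IP_RANGE"):
                continue
            # Values may carry leading whitespace, as in the asset group output.
            first, _, last = (element.text or "").strip().partition("-")
            low = ipaddress.ip_address(first.strip())
            high = ipaddress.ip_address(last.strip()) if last else low
            if high < low:
                raise ValueError(f"range end before start: {element.text!r}")
            raw_id = element.get("network_id")
            # A non-validating parser does not apply DTD defaults, so an absent
            # attribute is kept as None instead of being read as network 0.
            network_id = int(raw_id) if raw_id is not None else None
            by_network[network_id].append((low, high))
    return dict(by_network)


def networks_containing(by_network, address):
    """Return the network IDs whose ranges include the address (None sorts last)."""
    target = ipaddress.ip_address(address)
    hits = [network_id for network_id, ranges in by_network.items()
            if any(low <= target <= high for low, high in ranges)]
    return sorted(hits, key=lambda n: (n is None, n or 0))


def is_ambiguous(by_network, address):
    """True when the address alone does not identify a single network."""
    hits = networks_containing(by_network, address)
    return len(hits) > 1 or hits == [None]


if __name__ == "__main__":
    entries = parse_ip_set(SAMPLE)
    for probe in ("10.10.10.19", "10.10.50.8", "10.10.10.20"):
        print(probe, networks_containing(entries, probe), is_ambiguous(entries, probe))
    print(parse_ip_set(SAMPLE_NO_ATTR))
```
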

 

Support for Excluded IP Change History API v2

The excluded IP change history V2 API (/api/2.0/fo/asset/excluded_ip/history/ with action=list) returns a change history for excluded hosts.

Use the new input parameter “network_id” (optional) to return a list of change history for excluded hosts for a certain network.

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (history_list_output.dtd).

 

XML output

...
<HISTORY_LIST>
      <HISTORY>
        <ID>1441</ID>
        <IP_SET>
          <IP_RANGE network_id="0">10.10.10.234-10.10.10.235</IP_RANGE>
        </IP_SET>
        <ACTION>Added</ACTION>
...

 

DTD updates

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

 

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
    network_id  CDATA  0
...
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
    network_id  CDATA  0
...

 

 

Scan Configuration

 

Support for IPv6 List API v2

The IPv6 List API v2 (resource /api/2.0/fo/asset/ip/v4_v6/ with action=list) is used to view a list of IPv6 mapping records in your account. The XML output now identifies the network ID for each IPv6 mapping when the user’s account has more than 1 network. We added a new NETWORK_ID element to the XML output (ip_map_list_output.dtd).

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_MAP_LIST_OUTPUT SYSTEM
https://qualysapi.qualys.com/api/2.0/fo/asset/ip/v4_v6/ip_map_list_output.dtd>
<IP_MAP_LIST_OUTPUT>
<RESPONSE>
   <DATETIME>2014-03-27T19:42:10Z</DATETIME>
   <IP_MAP_LIST>
     <IP_MAP>
       <ID>46947</ID>
       <V4>0.0.0.7</V4>
       <V6>2001:db8:85a3::8a2e:370:84</V6>
       <NETWORK_ID>1234</NETWORK_ID>
     </IP_MAP>
     <IP_MAP>
       <ID>47036</ID>
       <V4>0.0.0.1</V4>
       <V6>2001:db8:85a3::8a2e:370:77</V6>
       <NETWORK_ID>0</NETWORK_ID>
     </IP_MAP>
   </IP_MAP_LIST>
</RESPONSE>
</IP_MAP_LIST_OUTPUT>

 

 

 

DTD update

 

New NETWORK_ID subelement added for the subelement /IP_MAP.

 

...
<!ELEMENT RESPONSE (DATETIME, IP_MAP_LIST?, WARNING?)>


<!ELEMENT IP_MAP_LIST (IP_MAP+)>
<!ELEMENT IP_MAP (ID, V4, V6, NETWORK_ID?)>
<!ELEMENT ID (#PCDATA)>
<!ELEMENT V4 (#PCDATA)>
<!ELEMENT V6 (#PCDATA)>
<!ELEMENT NETWORK (#PCDATA)>
<!ELEMENT NETWORK_ID (#PCDATA)>

 

 

Support for Authentication Record List by Type

The Authentication Record List by Type API v2 (resource /api/2.0/fo/auth/<type>/ with action=list) is used to view a list of authentication records visible to the user for a specific authentication type (Unix, VMware, Windows etc).

 

The XML output now identifies the network ID for each record when the user’s account has more than 1 network. We added a new NETWORK_ID subelement for AUTH_<type> subelements (like AUTH_UNIX, AUTH_WINDOWS, AUTH_VMWARE, etc). 12 DTDs were updated.

 

 

XML output (Unix Record List)

 

<AUTH_UNIX_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-27T13:32:17Z</DATETIME>
    <AUTH_UNIX_LIST>
      <AUTH_UNIX>
        <ID>678</ID>
        <TITLE><![CDATA[My Unix Record]]></TITLE>
        <USERNAME><![CDATA[username]]></USERNAME>
        <ROOT_TOOL>Sudo</ROOT_TOOL>
        <CLEARTEXT_PASSWORD>0</CLEARTEXT_PASSWORD>
        <IP_SET>
          <IP_RANGE>10.10.10.168-10.10.10.195</IP_RANGE>
        </IP_SET>
        <NETWORK_ID>0</NETWORK_ID>
        <CREATED>
            <DATETIME>2014-02-20T01:01:01</DATETIME>
            <BY>username</BY>
        </CREATED>
...

 

DTD update - Unix Record List

<baseurl>/api/2.0/fo/auth/unix/auth_unix_list_output.dtd
...
<!ELEMENT AUTH_UNIX (ID, TITLE, USERNAME, CLEARTEXT_PASSWORD, ROOT_TOOL, RSA_PRIVATE_KEY?, DSA_PRIVATE_KEY?, PORT?, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?, USE_AGENTLESS_TRACKING?, AGENTLESS_TRACKING_PATH?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - Windows Record List

<baseurl>/api/2.0/fo/auth/windows/auth_windows_list_output.dtd
...
<!ELEMENT AUTH_WINDOWS (ID, TITLE, USERNAME, NTLM?, WINDOWS_DOMAIN?, WINDOWS_AD_DOMAIN?, WINDOWS_AD_TRUST?, IP_SET?, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?, USE_AGENTLESS_TRACKING?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - VMware Record List

<baseurl>/api/2.0/fo/auth/vmware/auth_vmware_list_output.dtd
<!ELEMENT AUTH_VMWARE (ID, TITLE, USERNAME, PORT, SSL_VERIFY, HOSTS?, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - SNMP Record List

<baseurl>/api/2.0/fo/auth/snmp/auth_snmp_list_output.dtd
...
<!ELEMENT AUTH_SNMP (ID, TITLE, USERNAME?, AUTH_ALG?, PRIV_ALG?, SEC_ENG?, CONTEXT_ENG?, CONTEXT?, COMMUNITY_STRINGS?, VERSION, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - Oracle Record List

<baseurl>/api/2.0/fo/auth/oracle/auth_oracle_list_output.dtd
...
<!ELEMENT AUTH_ORACLE (ID, TITLE, USERNAME, (SID|SERVICENAME), PORT, IP_SET, PC_ONLY?, WINDOWS_OS_CHECKS, WINDOWS_OS_OPTIONS?, UNIX_OPATCH_CHECKS, UNIX_OS_CHECKS, UNIX_OS_OPTIONS?, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

Oracle Listener Record List

<baseurl>/api/2.0/fo/auth/oracle_listener/auth_oracle_listener_list_output.dtd
...
<!ELEMENT AUTH_ORACLE_LISTENER (ID, TITLE, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

MS SQL Record List

<baseurl>/api/2.0/fo/auth/ms_sql/auth_ms_sql_list_output.dtd
...
<!ELEMENT AUTH_MS_SQL (ID, TITLE, USERNAME, (INSTANCE | AUTO_DISCOVER_INSTANCES), (DATABASE | AUTO_DISCOVER_DATABASES), (PORT|AUTO_DISCOVER_PORTS), DB_LOCAL, WINDOWS_DOMAIN?, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

MS IIS Server Record List

<baseurl>/api/2.0/fo/auth/ms_iis/auth_ms_iis_list_output.dtd
...
<!ELEMENT AUTH_MS_IIS (ID, TITLE, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

IBM WebSphere Record List

<baseurl>/api/2.0/fo/auth/ibm_websphere/auth_ibm_websphere_list_output.dtd 
...
<!ELEMENT AUTH_IBM_WEBSPHERE (ID, TITLE, IP_SET, UNIX_INSTLLATION_DIRECTORY, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

IBM DB2 Record List

<baseurl>/api/2.0/fo/auth/ibm_db2/auth_ibm_db2_list_output.dtd 
...
<!ELEMENT AUTH_IBM_DB2 (ID, TITLE, USERNAME, DATABASE, PORT, IP_SET, PC_ONLY?, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

HTTP Record List

<baseurl>/api/2.0/fo/auth/http/auth_http_list_output.dtd 
...
<!ELEMENT AUTH_HTTP (ID, TITLE, USERNAME, SSL, (REALM|VHOST), IP_SET?, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

Apache Web Server Record List

<baseurl>/api/2.0/fo/auth/apache/auth_apache_list_output.dtd 
...
<!ELEMENT AUTH_APACHE (ID, TITLE, IP_SET, UNIX_CONFIGURATION_FILE, UNIX_CONTROL_COMMAND, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

 

 


This update to QualysGuard 8.0 includes improvements to the QualysGuard API, allowing you to integrate your programs and API calls with QualysGuard Vulnerability Management (VM) and QualysGuard Policy Compliance (PC).

 

What’s New

VM - “Security Risk Score” summary added to XML and CSV reports

VM & PC - "Network Support API” Updates

 

QualysGuard API Server URL. The QualysGuard API documentation and sample code use the API server URL for QualysGuard US Platform 1. If your account is located on another platform, please replace this URL with the appropriate server URL for your account.

 

Account Location | API Server URL for login
QualysGuard US Platform | https://qualysapi.qualys.com
QualysGuard US Platform 2 | https://qualysapi.qg2.apps.qualys.com
QualysGuard EU Platform | https://qualysapi.qualys.eu
QualysGuard @Customer | https://qualysapi.<customer_base_url>

 

QualysGuard API Documentation. API user guides and other documentation are available in your account’s Resources section (Help > Resources > API). Note: The service enforces limits on the API calls users can make within a subscription. See “QualysGuard API Limits” for details.

 

VM - “Security Risk Score” summary added to  XML and CSV reports

With this release vulnerability scan reports include a security risk score summary for the report and per host, in all report formats - earlier this was not in XML or  CSV. As before the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The asset_data_report.dtd was updated - we’ll show you the changes.

 

Tell me about the Security Risk Score. The score for the overall report is the average security risk for all hosts in the report. The score for each host is the average severity level detected (the default) or the highest severity level detected. Managers can configure the calculation method for the subscription by going to Reports > Setup > Security Risk. Are you an Express Lite user? If yes the average severity level is always used.

 

Sample reports. These reports were created using a scan report template configured with host based findings and Text Summary is selected (under Display > Detailed Results).

 

CSV report:

New rows show you the security risk score summary for the report and per host.


 

XML report:

New XML elements show you the security risk summary for the report (see <RISK_SCORE_SUMMARY>) and per host (see <RISK_SCORE_PER_HOST>).

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ASSET_DATA_REPORT SYSTEM https://qualysguard.qualys.com/asset_data_report.dtd>
<ASSET_DATA_REPORT>
  <HEADER>
    <COMPANY><![CDATA[Qualys, Inc.]]></COMPANY>
    <USERNAME>USERNAME</USERNAME>
    <GENERATION_DATETIME>2014-03-11T23:56:22Z</GENERATION_DATETIME>
    ...
    <RISK_SCORE_SUMMARY>
      <TOTAL_VULNERABILITIES>14</TOTAL_VULNERABILITIES>
      <AVG_SECURITY_RISK>2.6</AVG_SECURITY_RISK>
      <BUSINESS_RISK>13/100</BUSINESS_RISK>
    </RISK_SCORE_SUMMARY>
  </HEADER>
<RISK_SCORE_PER_HOST>
  <HOSTS>
    <IP_ADDRESS>10.10.24.104</IP_ADDRESS>
    <TOTAL_VULNERABILITIES>4</TOTAL_VULNERABILITIES>
    <SECURITY_RISK>2.5</SECURITY_RISK>
  </HOSTS>
  <HOSTS>
    <IP_ADDRESS>10.10.24.106</IP_ADDRESS>
    <TOTAL_VULNERABILITIES>10</TOTAL_VULNERABILITIES>
    <SECURITY_RISK>2.6</SECURITY_RISK>
  </HOSTS>
</RISK_SCORE_PER_HOST>
  <HOST_LIST>
    <HOST>
      <IP>10.10.24.104</IP>
      <TRACKING_METHOD>IP</TRACKING_METHOD>
...

 

DTD updates:

You’ll see the updated asset_data_report.dtd below. There are new elements RISK_SCORE_PER_HOST and RISK_SCORE_SUMMARY.

<!-- QUALYS ASSET DATA REPORT DTD -->

<!ELEMENT ASSET_DATA_REPORT (ERROR | (HEADER, RISK_SCORE_PER_HOST?, HOST_LIST?, GLOSSARY?, APPENDICES?))>


<!ELEMENT ERROR (#PCDATA)*>
<!ATTLIST ERROR number CDATA #IMPLIED>




<!-- HEADER -->


<!ELEMENT HEADER (COMPANY, USERNAME, GENERATION_DATETIME, TEMPLATE,
                  TARGET, RISK_SCORE_SUMMARY?)>


<!ELEMENT COMPANY (#PCDATA)>
<!ELEMENT USERNAME (#PCDATA)>
<!ELEMENT GENERATION_DATETIME (#PCDATA)>
<!ELEMENT TEMPLATE (#PCDATA)>
<!ELEMENT TARGET (USER_ASSET_GROUPS?, USER_IP_LIST?, COMBINED_IP_LIST?, 
                  ASSET_TAG_LIST?)>


<!ELEMENT USER_ASSET_GROUPS (ASSET_GROUP_TITLE+)>
<!ELEMENT ASSET_GROUP_TITLE (#PCDATA)>


<!ELEMENT USER_IP_LIST (RANGE*)>
<!ELEMENT RANGE (START, END)>
<!ELEMENT START (#PCDATA)>
<!ELEMENT END (#PCDATA)>


<!ELEMENT COMBINED_IP_LIST (RANGE*)>


<!ELEMENT ASSET_TAG_LIST (INCLUDED_TAGS, EXCLUDED_TAGS?)>


<!ELEMENT INCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST INCLUDED_TAGS scope CDATA #IMPLIED>


<!ELEMENT EXCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST EXCLUDED_TAGS scope CDATA #IMPLIED>


<!-- AVERAGE RISK_SCORE_SUMMARY -->
<!ELEMENT RISK_SCORE_SUMMARY (TOTAL_VULNERABILITIES, AVG_SECURITY_RISK,
                              BUSINESS_RISK)>
<!ELEMENT TOTAL_VULNERABILITIES (#PCDATA)>
<!ELEMENT AVG_SECURITY_RISK (#PCDATA)>
<!ELEMENT BUSINESS_RISK (#PCDATA)>


<!-- RISK_SCORE_PER_HOST -->
<!ELEMENT RISK_SCORE_PER_HOST (HOSTS+)>
<!ELEMENT HOSTS (IP_ADDRESS, TOTAL_VULNERABILITIES, SECURITY_RISK)>
<!ELEMENT IP_ADDRESS (#PCDATA)>
<!ELEMENT SECURITY_RISK (#PCDATA)>


<!-- HOST_LIST -->


<!ELEMENT HOST_LIST (HOST+)>
...

 

VM & PC - Network Support API Updates

 

We made some updates to the Network Support API for QualysGuard 8.0. You’ll find the latest information integrated into this user guide. You might like to review the latest changes below.

 

Set Up Networks

 

Scanner Appliance List API v2 - filter by network ID

The Scanner Appliance List API v2 (resource /api/2.0/fo/appliance/ with action=list) returns scanner appliances in your account. Now you can use the new input parameter “network_id” (optional) to return a list of scanner appliances for a certain network. Specify 0 for the Global Default Network or a custom network ID.

 

For example:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" "https://qualysapi.qualys.com/api/2.0/fo/appliance/?action=list&network_id=1002"

 

Organize Assets by Network

 

Asset Group List API v1 - network ID added to group’s IPs

The Asset Group List API v1 (/msp/asset_group_list.php) is used to retrieve a list of asset groups in your account. We added a new attribute “network_id” to the subelement /SCANIPS/IP in the XML output (asset_group_list.dtd). This appears for an All asset group that is not the same as the subscription’s All asset group.

 

Have multiple All asset groups? Yes you might. There is always 1 All asset group for the subscription - this includes all assets, visible to Managers. If you have business units, there is 1 unique All asset group for each business unit. If you have Scanners and/or Readers, there is 1 unique All asset group for each Scanner/Reader account. (There is no All asset group for a network.)

 

Sample XML output:

Sample XML output showing an All asset group that is not the subscription’s All asset group:

...
<ASSET_GROUP>
  <ID>5010</ID>
  <TITLE><![CDATA[All]]></TITLE>
  <SCANIPS>
    <IP network_id="0"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="0"> 10.10.10.13-10.10.10.247</IP>
    <IP network_id="1193"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="1193"> 10.10.10.13-10.10.10.247</IP>
...

 

DTD update:

New “network_id” attribute added to the subelement /IP.

...
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP network_id CDATA 0>
...

 

Asset Management

Support for IP List API v2

The IP List API v2 (resource /api/2.0/fo/asset/ip/ with action=list) is used to retrieve a list of IP addresses in your account. The XML output now lists the network ID for each IP address/range when the request is made by a sub-user with access to multiple networks. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

Good to know:

 

  • Managers will not see the “network_id” attribute for any IP or IP_RANGE elements in the output since Managers can see all IPs for all networks.
  • Any sub-user with access to only a single network (the Global Default Network or a custom network) will not see the “network_id” attribute either. This is for consistency with the UI, where these users do not see the network workflows.

 

Sample XML output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM https://qualysapi.qualys.com/api/2.0/fo/asset/ip/ip_list_output.dtd>
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-02-14T22:47:32Z</DATETIME>
    <IP_SET>
      <IP_RANGE network_id="0">1.0.0.0-10.10.10.14</IP_RANGE>
      <IP_RANGE network_id="0">10.10.10.17-10.10.10.29</IP_RANGE>
      <IP network_id="0">10.10.10.32</IP>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  0
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  0
>
...

 

Support for Excluded IP List API v2

The Excluded IP List API v2 (/api/2.0/fo/asset/excluded_ip/ with action=list) returns a list of excluded hosts.

 

Use the new input parameter “network_id” (optional) to return a list of excluded IPs for a certain network.

 

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

Sample XML output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM https://qualysapi.qualys.com/api/2.0/fo/asset/excluded_ip/ip_list_output.dtd>
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-20T20:49:19Z</DATETIME>
    <IP_SET>
      <IP network_id="0">10.10.10.19</IP>
      <IP_RANGE network_id="1275">10.10.50.6-10.10.50.10</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  0
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  0
>
...

 

Support for Excluded IP Change History API v2

The excluded IP change history V2 API (/api/2.0/fo/asset/excluded_ip/history/ with action=list) returns a change history for excluded hosts.

 

Use the new input parameter “network_id” (optional) to return a list of excluded IPs for a certain network.

 

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (history_list_output.dtd).

 

Sample XML output:

...
 <HISTORY_LIST>
      <HISTORY>
        <ID>1441</ID>
        <IP_SET>
          <IP_RANGE network_id="0">10.10.10.234-10.10.10.235</IP_RANGE>
        </IP_SET>
        <ACTION>Added</ACTION>
...

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
    network_id  CDATA  0
>           
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
    network_id  CDATA  0
>
...

This API notification provides an early preview into the coming API changes in QualysGuard, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There is one primary API change in this release:

 

New API: Asset Management and Tagging API v2

 

This release will apply to the following platforms:

 

 

Full release notes will be available to customers on the day of the release.

 

API Enhancements

 

Tag API

          The Tags API provides a suite of API functions for managing tags. The supported Tag operations are get, create, update, search, count, delete and evaluate.

 

          Tag operations

                    Get Tag

                    Create Tag

                    Update Tag

                    Search Tags

                    Count Tags

                    Delete Tag

                    Evaluate Tag

 

 

Example:

          Fetch tag ID 12345.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/tag/12345"

 

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/tag.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Tag>
      <id>12345</id>
      <name>Test Tag</name>
      <created>2014-02-06T19:14:50Z</created>
      <modified>2014-02-06T19:14:50Z</modified>
      <color>#FFFFFF</color>
      <ruleText>asset.installedSoftwares.contains { it.name == Windows }</ruleText>
      <ruleType>GROOVY</ruleType>
      <children>
        <list/>
      </children>
    </Tag>
  </data>
</ServiceResponse>

 

Host Asset API

          The Host Asset API provides a suite of API functions for managing host assets. In many cases these are hosts detected by our cloud scanners. Host assets can also be added manually by the QualysGuard API or user interface. The HostAsset members identify operating system, NetBIOS, tags, open ports, NICs, installed software, EC2 source information and current vulnerabilities (all instances).

 

          Host Asset operations

                    Get Host Asset

                    Create Host Asset

                    Update Host Asset

                    Search Hosts Assets

                    Count Host Assets

                    Delete Host Asset

                    Activate Host Asset

 

Example:

          Fetch the host asset ID 12345 and list host asset details.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/hostasset/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/hostasset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <HostAsset>
      <id>2020094</id>
      <name>My Windows Asset</name>
      <created>2014-02-06T19:16:35Z</created>
      <modified>2014-02-06T19:16:35Z</modified>
      <type>HOST</type>
      <tags>
        <list>
            <TagSimple>
                <id>12345</id>
                <name>Tag 1</name>
            </TagSimple>
            <TagSimple>
                <id>54321</id>
                <name>Tag 2</name>
            </TagSimple>
        </list>
      </tags>
      <sourceInfo>
        <list/>
      </sourceInfo>
      <os>Windows 7</os>
      <dnsHostName>localhost</dnsHostName>
      <netbiosName>TEST</netbiosName>
      <netbiosNetworkId>10</netbiosNetworkId>
      <networkGuid>66bf43c8-7392-4257-b856-a320fde231eb</networkGuid>
      <address>127.0.0.1</address>
      <trackingMethod>IP</trackingMethod>
      <openPort>
        <list/>
      </openPort>
      <software>
        <list/>
      </software>
      <vuln>
        <list/>
      </vuln>
    </HostAsset>
  </data>
</ServiceResponse>

 

Asset API

          The Asset API is a subset of the Host Asset API. The Asset members identify name, tags, and EC2 source information.

 

          Asset operations

                    Get Asset

                    Update Asset

                    Search Assets

                    Count Assets

                    Delete Asset

                    Activate Asset

 

Example:

          This example fetches the asset ID 12345 and lists asset details.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/asset/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/asset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Asset>
      <id>12345</id>
      <name>My Windows Asset</name>
      <created>2014-02-06T19:16:35Z</created>
      <modified>2014-02-06T19:16:35Z</modified>
      <type>HOST</type>
      <tags>
        <list>
            <TagSimple>
                <id>12345</id>
                <name>Tag 1</name>
            </TagSimple>
            <TagSimple>
                <id>54321</id>
                <name>Tag 2</name>
            </TagSimple>
        </list>
      </tags>
    </Asset>
  </data>
</ServiceResponse>

 

Host Instance Vulnerability API

          The Host Instance Vulnerability API provides a suite of API functions for managing vulnerability instances found on host assets. The supported Host Instance Vulnerability operations are get, count and search.

 

    Host Instance Vulnerability operations

                    Get Host Instance Vulnerability

                    Search Host Instance Vulnerabilities

                    Count Host Instance Vulnerabilities

 

Example:

          Fetch the host instance vulnerability with the ID 12345.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/hostinstancevuln/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/hostinstancevuln.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <HostInstanceVuln>
      <id>9534081</id>
      <hostAssetId>1543621</hostAssetId>
      <qid>38167</qid>
      <port>25</port>
      <ssl>true</ssl>
      <found>true</found>
      <ignored>false</ignored>
      <disabled>false</disabled>
      <updated>2012-10-19T21:56:23Z</updated>
      <protocol>TCP</protocol>
      <source>HOST</source>
    </HostInstanceVuln>
  </data>
</ServiceResponse>

A new release of QualysGuard WAS, Version 3.3, is targeted for release in late March and early April 2014.

 

More information on specific release dates that correspond to the QualysGuard platforms can be found on the platform release blog pages which will be updated no less than 15 days prior to the release of WAS 3.3.

 

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.3, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There are 3 primary API changes in this release:

 

  • Web Application Report XML – Ignored Sensitive Content
  • Report Create API – Storage Limit Response
  • Scan Cancel API – Update

 

Full release notes will be available to customers on the day of the release. 

 

API Enhancements

 

Web Application Report XML – Ignored Sensitive Content

The “Ignored” tag appears for a sensitive content detection when the detection has been marked as ignored. 

 

...

<SENSITIVE_CONTENT_LIST>

  <SENSITIVE_CONTENT>

    ...

    <IGNORED>true</IGNORED>

    <IGNORE_INFORMATION>

        <REASON>RISK_ACCEPTED</REASON>

        <DATE>2014-02-21T20:42:48Z</DATE>

        <USER><![CDATA[John Smith (acme_js)]]></USER>

        <COMMENT><![CDATA[Not an issue]]></COMMENT>

    </IGNORE_INFORMATION>

...
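One way to use the new tags for a periodic review of ignored detections, as an added example that is not part of the original notification or Qualys code. The wrapper element `REPORT_FRAGMENT`, the second and third detections, and the 180-day review window are constructed for illustration; only the element names shown above are taken from the page.

```python
# Added example: list sensitive-content detections marked as ignored in a WAS
# report and flag the ones whose risk acceptance should be looked at again.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample. The first detection repeats the values shown on the page;
# the other two and the REPORT_FRAGMENT wrapper are made up for the example.
SAMPLE_REPORT_XML = """
<REPORT_FRAGMENT>
  <SENSITIVE_CONTENT_LIST>
    <SENSITIVE_CONTENT>
      <IGNORED>true</IGNORED>
      <IGNORE_INFORMATION>
        <REASON>RISK_ACCEPTED</REASON>
        <DATE>2014-02-21T20:42:48Z</DATE>
        <USER><![CDATA[John Smith (acme_js)]]></USER>
        <COMMENT><![CDATA[Not an issue]]></COMMENT>
      </IGNORE_INFORMATION>
    </SENSITIVE_CONTENT>
    <SENSITIVE_CONTENT>
      <IGNORED>true</IGNORED>
      <IGNORE_INFORMATION>
        <REASON>RISK_ACCEPTED</REASON>
        <DATE>2013-06-01T09:00:00Z</DATE>
        <USER><![CDATA[Jane Doe (acme_jd)]]></USER>
        <COMMENT><![CDATA[]]></COMMENT>
      </IGNORE_INFORMATION>
    </SENSITIVE_CONTENT>
    <SENSITIVE_CONTENT>
    </SENSITIVE_CONTENT>
  </SENSITIVE_CONTENT_LIST>
</REPORT_FRAGMENT>
"""


def _text(parent, tag):
    """Text of a child element, or '' when the parent or child is missing."""
    if parent is None:
        return ""
    return (parent.findtext(tag) or "").strip()


def ignored_sensitive_content(report_xml):
    """Return one dict per detection that carries <IGNORED>true</IGNORED>."""
    root = ET.fromstring(report_xml.strip())
    entries = []
    # iter() finds the detections wherever the list sits in the full report.
    for index, detection in enumerate(root.iter("SENSITIVE_CONTENT"), start=1):
        if _text(detection, "IGNORED").lower() != "true":
            continue  # the tag only appears when the detection was ignored
        info = detection.find("IGNORE_INFORMATION")
        date_text = _text(info, "DATE")
        when = None
        if date_text:
            when = datetime.strptime(date_text, "%Y-%m-%dT%H:%M:%SZ")
            when = when.replace(tzinfo=timezone.utc)
        entries.append({
            "index": index,  # position in the report, 1-based
            "reason": _text(info, "REASON"),
            "date": when,
            "user": _text(info, "USER"),
            "comment": _text(info, "COMMENT"),
        })
    return entries


def needs_review(entries, now, max_age_days=180):
    """Flag ignored detections that are old or were ignored without a comment."""
    flagged = []
    for entry in entries:
        reasons = []
        if entry["date"] is None:
            reasons.append("no ignore date")
        elif now - entry["date"] > timedelta(days=max_age_days):
            reasons.append(f"ignored more than {max_age_days} days ago")
        if not entry["comment"]:
            reasons.append("no comment")
        if reasons:
            flagged.append((entry["index"], entry["user"], reasons))
    return flagged


if __name__ == "__main__":
    found = ignored_sensitive_content(SAMPLE_REPORT_XML)
    review_date = datetime(2014, 3, 1, tzinfo=timezone.utc)
    for item in needs_review(found, review_date):
        print(item)
```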

 

 

Report Create API – Storage Limit Response

A new error message appears in the response XML if the report storage limit has been reached when you make an API request using the report creation API (https://<baseurl>/3.0/create/was/report).

 

 

...

<ServiceResponse>

  <responseCode>OTHER_ERROR</responseCode>

  <responseErrorDetails>

    <errorMessage>Your [subscription|user] storage limit of 200.0 Mb has been reached.</errorMessage>

    <errorResolution>Delete existing reports and try again.</errorResolution>

  </responseErrorDetails>

</ServiceResponse>

...
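A client-side handler for the ServiceResponse envelope, as an added example that is not part of the original notification or Qualys code. It goes beyond the storage-limit case to also read the `data` records of a successful response such as the Asset example earlier on this page; the class and function names are hypothetical, and both samples are constructed from the XML shown on the page.

```python
# Added example: turn a ServiceResponse into records, or into an exception that
# carries the server's errorMessage and errorResolution.
import re
import xml.etree.ElementTree as ET

# Constructed from the storage-limit response shown above, with the user variant.
SAMPLE_STORAGE_ERROR = """
<ServiceResponse>
  <responseCode>OTHER_ERROR</responseCode>
  <responseErrorDetails>
    <errorMessage>Your user storage limit of 200.0 Mb has been reached.</errorMessage>
    <errorResolution>Delete existing reports and try again.</errorResolution>
  </responseErrorDetails>
</ServiceResponse>
"""

# Constructed from the Asset API response shown earlier on this page.
SAMPLE_ASSET = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/asset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Asset>
      <id>12345</id>
      <name>My Windows Asset</name>
      <type>HOST</type>
      <tags>
        <list>
          <TagSimple><id>12345</id><name>Tag 1</name></TagSimple>
          <TagSimple><id>54321</id><name>Tag 2</name></TagSimple>
        </list>
      </tags>
    </Asset>
  </data>
</ServiceResponse>
"""

STORAGE_LIMIT_RE = re.compile(r"storage limit of ([0-9.]+) Mb has been reached")


class ServiceResponseError(Exception):
    """Raised for any responseCode other than SUCCESS."""

    def __init__(self, code, message, resolution):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message
        self.resolution = resolution

    @property
    def storage_limit_mb(self):
        """Limit in Mb when this is the storage-limit error, else None.

        responseCode is the generic OTHER_ERROR, so the message text is the only
        field that identifies this condition.
        """
        match = STORAGE_LIMIT_RE.search(self.message)
        return float(match.group(1)) if match else None


def _to_value(elem):
    """Leaf element -> text, <list> wrapper -> Python list, anything else -> dict."""
    children = list(elem)
    if not children:
        return (elem.text or "").strip()
    if len(children) == 1 and children[0].tag == "list":
        return [_to_value(child) for child in children[0]]
    return {child.tag: _to_value(child) for child in children}


def parse_service_response(xml_text):
    """Return [(record_type, fields), ...] or raise ServiceResponseError."""
    # The samples on this page declare no entities; refuse input that does.
    if "<!ENTITY" in xml_text:
        raise ValueError("unexpected entity declaration in API response")
    root = ET.fromstring(xml_text.strip())
    if root.tag != "ServiceResponse":
        raise ValueError(f"unexpected root element {root.tag!r}")
    code = (root.findtext("responseCode") or "").strip()
    if code != "SUCCESS":
        details = root.find("responseErrorDetails")
        message = resolution = ""
        if details is not None:
            message = (details.findtext("errorMessage") or "").strip()
            resolution = (details.findtext("errorResolution") or "").strip()
        raise ServiceResponseError(code or "MISSING_RESPONSE_CODE", message, resolution)
    data = root.find("data")
    if data is None:
        return []
    return [(record.tag, _to_value(record)) for record in data]
```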

 

 

Scan Cancel API – Update

Using the Scan Cancel API (https://<baseurl>/3.0/cancel/was/scan/<id>) now you can cancel any unfinished scan regardless of status.

 

What is the <baseurl>?

 

This is the API server URL where your QualysGuard account is located. For an account on US Platform 1 this is <qualysapi.qualys.com>, on US Platform 2 this is <qualysapi.qg2.apps.qualys.com>, on EU Platform this is <qualysapi.qualys.eu>.


A new release of QualysGuard Portal, Version 2.3.0, is targeted for release in US production in March 2014. The exact release date has not yet been set. This release contains changes to the APIs that require a 30-day notification. Only the API changes that impact existing APIs are included in the 30-day notification. The notification will be updated to include any new API functionality at least 15 days prior to release.

 

AM v1 API Changes

 

In the Portal 2.3.0 release the VM v1 API will remove the <SITE> and <NETWORK> objects in preparation for the new multiple network support feature. These objects were not used in the VM v1 API and there should be no impact to customers.

 

Full release notes will be available to customers on the day of the release.


This update to QualysGuard 7.13 includes improvements to the QualysGuard API, allowing you to integrate your programs and API calls with QualysGuard Vulnerability Management (VM) and QualysGuard Policy Compliance (PC).

 

Highlights Include:

 

  • VM and PC - “Report Share” API v2 download CSV reports without headers
  • VM - New “HTTP Authentication” API v2
  • PC - New “Policy Merge” API v2
  • PC - Policy Report XML now includes custom control references
  • PC - “Apache Authentication” API v2 - Support for multiple instances per host
  • PC - “MS SQL Authentication” API v2 - Auto discover database instances

 

VM and PC - “Report Share” API v2 download CSV reports without headers

 

The “Report Share” API v2 (/api/2.0/fo/report/) allows you to launch and download reports. With this release you can choose to download reports in CSV format without the header information for all VM reports and PC reports that can be downloaded in CSV format. Basically we’ll include just the central CSV tables containing your security and compliance data, not the header metadata.

 

Want to omit the header from your CSV report? Using the “Report Share” API v2 first launch this report with the input parameter “hide_header=1” and then download the report in the usual way.

 

Step 1 - Launch your report in CSV format

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=launch&template_id=123&output_format=csv&hide_header=1" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

XML output:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE GENERIC SYSTEM https://qualysapi.qualys.com/api/2.0/simple_return.dtd>
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2012-12-11T21:45:23Z</DATETIME>
    <TEXT>New report launched</TEXT>
    <ITEM_LIST>
      <ITEM>
      <KEY>ID</KEY>
      <VALUE>6622</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

 

Step 2 - Download your CSV report

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=fetch&id=6622" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

CSV output:

You’ll notice there’s no header information (report title, date, user who launched the report, etc).
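The two steps above as a small client, an added example that is not part of the original notification or Qualys code. The function names are hypothetical; the request builder refuses non-HTTPS base URLs and relies on urllib's default certificate verification rather than the equivalent of curl's -k, and the sample response is constructed from the Step 1 output with the DOCTYPE system identifier quoted so that it is well-formed.

```python
# Added example: launch a header-less CSV report, read the report ID from the
# SIMPLE_RETURN reply, and build the fetch request for it.
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_BASE = "https://qualysapi.qualys.com"  # US Platform 1, as used on this page
REPORT_PATH = "/api/2.0/fo/report/"

# Constructed sample based on the Step 1 XML output above.
SAMPLE_LAUNCH_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE GENERIC SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2012-12-11T21:45:23Z</DATETIME>
    <TEXT>New report launched</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>6622</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>
"""


def launch_params(template_id, hide_header=True):
    """Form fields for Step 1; hide_header=1 drops the CSV header block."""
    params = {"action": "launch", "template_id": int(template_id), "output_format": "csv"}
    if hide_header:
        params["hide_header"] = 1
    return params


def fetch_params(report_id):
    """Form fields for Step 2."""
    return {"action": "fetch", "id": int(report_id)}


def build_report_request(username, password, params, base=API_BASE):
    """Build (but do not send) an authenticated POST to the report resource."""
    if not base.lower().startswith("https://"):
        raise ValueError("refusing to send credentials to a non-HTTPS URL")
    body = urllib.parse.urlencode(params).encode("ascii")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(base.rstrip("/") + REPORT_PATH, data=body, method="POST")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("X-Requested-With", "python-example")
    return req


def send(req, timeout=60):
    """Send the request; certificate verification stays on (urllib default)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def parse_simple_return(xml_text):
    """Return (TEXT, {KEY: VALUE}) from a SIMPLE_RETURN document."""
    # The samples on this page declare no entities; refuse input that does.
    if "<!ENTITY" in xml_text:
        raise ValueError("unexpected entity declaration in API response")
    root = ET.fromstring(xml_text.strip())
    if root.tag != "SIMPLE_RETURN":
        raise ValueError(f"unexpected root element {root.tag!r}")
    response = root.find("RESPONSE")
    if response is None:
        raise ValueError("SIMPLE_RETURN without RESPONSE")
    text = (response.findtext("TEXT") or "").strip()
    items = {}
    for item in response.iterfind("ITEM_LIST/ITEM"):
        key = (item.findtext("KEY") or "").strip()
        items[key] = (item.findtext("VALUE") or "").strip()
    return text, items


def launched_report_id(xml_text):
    """Report ID to pass to action=fetch; raises if the reply carries none."""
    text, items = parse_simple_return(xml_text)
    report_id = items.get("ID") or ""
    if not report_id.isdigit():
        raise ValueError(f"no report ID in response: {text!r}")
    return int(report_id)


if __name__ == "__main__":
    # Offline walk-through using the constructed sample instead of a live call.
    report_id = launched_report_id(SAMPLE_LAUNCH_XML)
    fetch = build_report_request("USERNAME", "PASSWORD", fetch_params(report_id))
    print(fetch.get_method(), fetch.full_url, fetch.data.decode("ascii"))
```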

 


 

VM – New "HTTP Authentication” API v2

 

You now have the option to choose HTTP authentication for vulnerability scans using QualysGuard Vulnerability Management (VM). Use the “HTTP Authentication” API v2 (/api/2.0/fo/auth/http/) for scanning protected portions of web sites and devices like printers and routers that require HTTP protocol level authentication. (Note this is not Form-based authentication). By authenticating we can perform additional vulnerability tests that we couldn’t do otherwise.

 

How it works – During a vulnerability scan, if we come across a web page that requires HTTP authentication then we’ll check to see if an HTTP record exists in your account with applicable credentials. If yes, we’ll use the credentials in the record to perform HTTP authentication.

 

List HTTP records

 


API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" -d "action=list&ids=55111" "https://qualysapi.qualys.com/api/2.0/fo/auth/http/"

 

XML output:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE AUTH_HTTP_LIST_OUTPUT SYSTEM https://qualysapi.qualys.com/api/2.0/fo/auth/http/auth_http_list_output.dtd>
<AUTH_HTTP_LIST_OUTPUT>
 <RESPONSE>
   <DATETIME>2014-01-03T08:08:19Z</DATETIME>
   <AUTH_HTTP_LIST>
     <AUTH_HTTP>
       <ID>55111</ID>
       <TITLE><![CDATA[My HTTPRecord]]></TITLE>
       <USERNAME><![CDATA[jsmith]]></USERNAME>
       <SSL>0</SSL>
       <REALM><![CDATA[MyHomepage]]></REALM>
       <CREATED>
         <DATETIME>2014-01-03T07:51:48Z</DATETIME>
         <BY>acme_ab1</BY>
       </CREATED>
       <LAST_MODIFIED>
       <DATETIME>2014-01-03T07:51:48Z</DATETIME>
       </LAST_MODIFIED>
     </AUTH_HTTP>
   </AUTH_HTTP_LIST>
 </RESPONSE>
</AUTH_HTTP_LIST_OUTPUT>

 

HTTP record list output DTD:

 

<!-- QUALYS AUTH_HTTP_LIST_OUTPUT DTD -->
<!ELEMENT AUTH_HTTP_LIST_OUTPUT (REQUEST?, RESPONSE)>
<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?)>
<!ELEMENT DATETIME (#PCDATA)>
<!ELEMENT USER_LOGIN (#PCDATA)>
<!ELEMENT RESOURCE (#PCDATA)>
<!ELEMENT PARAM_LIST (PARAM+)>
<!ELEMENT PARAM (KEY, VALUE)>
<!ELEMENT KEY (#PCDATA)>
<!ELEMENT VALUE (#PCDATA)>
<!-- if returned, POST_DATA will be urlencoded -->
<!ELEMENT POST_DATA (#PCDATA)>
<!ELEMENT RESPONSE (DATETIME, (AUTH_HTTP_LIST|ID_SET)?, WARNING_LIST?, GLOSSARY?)>
<!ELEMENT AUTH_HTTP_LIST (AUTH_HTTP+)>
<!ELEMENT AUTH_HTTP (ID, TITLE, USERNAME, SSL, (REALM|VHOST), IP_SET?, CREATED, LAST_MODIFIED, COMMENTS?)>
<!ELEMENT ID (#PCDATA)>
<!ELEMENT TITLE (#PCDATA)>
<!ELEMENT USERNAME (#PCDATA)>
<!ELEMENT SSL (#PCDATA)>
<!ELEMENT REALM (#PCDATA)>
<!ELEMENT VHOST (#PCDATA)>
<!ELEMENT IP_SET (IP|IP_RANGE)+>
<!ELEMENT IP (#PCDATA)>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ELEMENT CREATED (DATETIME, BY)>
<!ELEMENT BY (#PCDATA)>
<!ELEMENT LAST_MODIFIED (DATETIME)>
<!ELEMENT COMMENTS (#PCDATA)>
<!ELEMENT WARNING_LIST (WARNING+)>
<!ELEMENT WARNING (CODE?, TEXT, URL?, ID_SET?)>
<!ELEMENT CODE (#PCDATA)>
<!ELEMENT TEXT (#PCDATA)>
<!ELEMENT URL (#PCDATA)>
<!ELEMENT ID_SET (ID|ID_RANGE)+>
<!ELEMENT ID_RANGE (#PCDATA)>
<!ELEMENT GLOSSARY (USER_LIST?)>
<!ELEMENT USER_LIST (USER+)>
<!ELEMENT USER (USER_LOGIN, FIRST_NAME, LAST_NAME)>
<!ELEMENT FIRST_NAME (#PCDATA)>
<!ELEMENT LAST_NAME (#PCDATA)>
<!-- EOF -->

 

Create a new HTTP record - realm

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" -d "action=create&username=jsmith&password=abc123&title=MyHTTPRecord1&realm=MyHomepage" "https://qualysapi.qualys.com/api/2.0/fo/auth/http/"

 

XML output:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE BATCH_RETURN SYSTEM https://qualysapi.qualys.com/api/2.0/batch_return.dtd>
<BATCH_RETURN>
  <RESPONSE>
    <DATETIME>2014-01-03T07:51:48Z</DATETIME>
    <BATCH_LIST>
      <BATCH>
        <TEXT>Successfully Created</TEXT>
        <ID_SET>
          <ID>55111</ID>
        </ID_SET>
      </BATCH>
    </BATCH_LIST>
  </RESPONSE>
</BATCH_RETURN>

 

 

Create a new HTTP record - virtual host

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" -d "action=create&username=jsmith&password=abc123&title=MyHTTPRecord+2&vhost=bank.us.corp1.com" "https://qualysapi.qualys.com/api/2.0/fo/auth/http/"

 

 

 

Update an HTTP record

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" -d "action=update&ids=55114&realm=11" "https://qualysapi.qualys.com/api/2.0/fo/auth/http/"

 

 

 

Delete an HTTP record

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" -d "action=delete&ids=55114" "https://qualysapi.qualys.com/api/2.0/fo/auth/http/"

 

 

 

List authentication records - now includes HTTP records

 

API request:
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -d "action=list&id_min=54190&id_max=54436" "https://qualysapi.qualys.com/api/2.0/fo/auth/"

 

 

PC - New "Policy Merge” API v2

 

We’re pleased to introduce the new “Policy Merge” API v2 (resource /api/2.0/fo/compliance/policy/ with the parameter action=merge). This new API allows you to merge (combine) 2 or more compliance policies using QualysGuard Policy Compliance (PC). You can choose to merge some or all parts of a new policy into an existing one. Also you can preview merge changes before saving them. This API is available to Managers and Auditors.

 

For example, say you imported a policy from our library (Policy A) and configured it to add asset groups, controls and sections. Later we might release an updated version of this policy (Policy B) with new controls and technologies. In this scenario you can use the Policy Merge API to add the new controls and technologies from Policy B into Policy A (your existing policy) without losing the asset groups, controls and sections you added.

 

Policy Merge Request 1 - preview merged policy

 

Policy ID 15993 (Policy A) will be updated with content merged from policy ID 15994 (Policy B) and the XML output will show the merged policy in preview mode. Policy changes will not be saved in Policy 15993 since the request includes “preview_merge=1”.

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: curl" "https://qualysapi.qualys.com/api/2.0/fo/compliance/policy/?action=merge&id=15993&merge_policy_id=15994&replace_cover_page=1&add_new_asset_groups=1&add_new_technologies=1&update_section_heading=1&add_new_controls=1&update_existing_controls=1&preview_merge=1"

 

 

PC - Policy Report XML now includes custom control references

 

With this release you can choose to create policy reports with your custom control references in XML and CSV format - just follow the steps below.

 

The policy report XML output now lists the control references defined for each control. We’ve updated the policy report DTD (compliance_policy_report.dtd) to add the new element <CONTROL_REFERENCES>.

 

Step 1 - Configure the template settings

 

Configure your policy report template using the user interface (under PC > Reports > Templates). Be sure to choose the Group by Controls option and under Sections choose Control References.

 

 

Step 2 - Launch a PC policy report

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d"action=launch&template_id=55469&output_format=xml" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

 

XML output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE GENERIC SYSTEM https://qualysapi.qualys.com/api/2.0/simple_return.dtd>
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2013-12-11T21:45:23Z</DATETIME>
    <TEXT>New report launched</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>1665</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

 

Step 3 - Download report XML

 

API request:
curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d"action=fetch&id=1665" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

 

XML output:

...          
         <CONTROL_LIST>           
           <CONTROL>             
             <CID>1376</CID>             
             <STATEMENT><![CDATA[Status of the 'Interactive Logon: Do not require CTRL+ALT+DEL'
                         setting]]></STATEMENT>
             <CONTROL_REFERENCES>ABC123,4.6.88</CONTROL_REFERENCES>
             <RATIONALE><![CDATA[The Windows OS behaves differently when the 'CTRL+ALT+Delete' is invoked
                         before login--this guarantees that the authentication process for the system
                         is engaged. Otherwise, when only the two-line login screen is presented, it
                         is possible that a Trojan program is displaying a phony userid/password login
                         screen, which will collect the credentials and exit, leaving the user believing
                         that he/she simply mistyped one or both of the required values. NOTE: As this
                         is one of the reverse-logic controls, it is important to remember that this
                         should be DISABLED to actually be enabled.]]>
             </RATIONALE>
             <STATUS><![CDATA[Passed]]></STATUS>
             <EVIDENCE><![CDATA[CHECK1]]></EVIDENCE>
           </CONTROL>  
... 

 

 

PC - “Apache Authentication” API v2 – Support for multiple instances per host

Apache Server authentication is available for compliance scans using QualysGuard Policy Compliance (PC). With this release the “Apache Authentication” API v2 (/api/2.0/fo/auth/apache/) now supports authentication to multiple Apache server instances on the same host.

 

Want to set it up? Just create multiple Apache server authentication records - 1 record for each host instance. In each record, a host instance is defined by a unique IP address and configuration file pair. You can create 2 records for the same IP address, but the config file can’t be the same in the 2 records.

 

Create multiple Apache records

 

To scan 2 Apache instances on the same IP, you’ll create 2 Apache authentication records. This is how you create 2 records for IP 10.10.25.25 - note the 2 different configuration files.

 

 

API request (record 1):

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=create&title=ApacheRecord1&unix_apache_config_file=/opt/IBM/HTTPServer/conf/httpd.conf1&unix_apache_control_command=/opt/IBM/HTTPServer/bin1&ips=10.10.25.25" "https://qualysapi.qualys.com/api/2.0/fo/auth/apache/"

 

 

API request (record 2):

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=create&title=ApacheRecord2&unix_apache_config_file=/opt/IBM/HTTPServer/conf/httpd.conf2&unix_apache_control_command=/opt/IBM/HTTPServer/bin1&ips=10.10.25.25" "https://qualysapi.qualys.com/api/2.0/fo/auth/apache/"

 

 

List Apache records

 

This is a way you can review the authentication record settings before you scan. The Apache records list XML (auth_apache_list_output.dtd) did not change.

 

 

Reporting of Apache Server instances

 

Your PC reports identify compliance evaluation findings for Apache instances. With this release each instance identifies the configuration file path.

 

PC - “MS SQL Authentication” API v2 - Autodiscover database instances

 

MS SQL Server authentication is available for compliance scans using QualysGuard Policy Compliance (PC). With this release the “MS SQL authentication” API v2 (/api/2.0/fo/auth/ms_sql/) supports the automatic discovery of MS SQL Server instances. Just specify the auto discovery option(s) in your records and we’ll find all matching instances on target hosts and attempt authentication.

 

Create MS SQL records

 

API request (record 1):

For IP 10.10.25.25 auto discover instance names, database names and ports.

curl -u "USERNAME:PASSWORD" -H "X-Requested-With:Curl" -X "POST" -d "action=create&title=MSSQLRecord+1&username=myname&password=mypassword&ips=10.10.25.25&auto_discover_instances=1&auto_discover_databases=1&auto_discover_ports=1" "https://qualysapi.qualys.com/api/2.0/fo/auth/ms_sql/"

 

 

API request (record 2):

For IP 10.10.25.100 we’ll auto discover ports and instances but the database name will be set to “mydbname”.

curl -u "USERNAME:PASSWORD" -H "X-Requested-With:Curl" -X "POST" -d "action=create&title=MSSQLRecord+2&username=myname&password=mypassword&ips=10.10.25.100&auto_discover_ports=1&auto_discover_instances=1&database=mydbname" "https://qualysapi.qualys.com/api/2.0/fo/auth/ms_sql/"

 

 

List MS SQL records

 

This is a way you can review the authentication record settings before you scan. The MS SQL records list XML (auth_ms_sql_list_output.dtd) has been updated.

 

API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list" "https://qualysapi.qualys.com/api/2.0/fo/auth/ms_sql/"


A new release of QualysGuard WAS, Version 3.2, is targeted for release in US production in February 2014. The exact release date has not yet been set. This release contains changes to the APIs that require a 30-day notification. Only the API changes that impact existing APIs are included in the 30-day notification. The notification will be updated to include any new API functionality at least 15 days prior to release.

 

More information on specific release dates that correspond to the platforms can be found on the platform release blog pages which will be updated no less than 15 days prior to the release of WAS 3.2.

 

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.2, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There are 3 primary API changes in this release:

 

  • Ignore Binary Files Tag Added to XML Reports
  • New cancelScanTime Element
  • Scan Status Data Reported

 

Full release notes will be available to customers on the day of the release. 

 

WAS WebApp and Schedule API now available to Express Lite Customers

Are you a QualysGuard Express Lite User? Now you can use the capabilities of the WAS Scan and Schedule APIs as described in the QualysGuard WAS API User Guide if you have the WAS API option enabled.

 

Ignore Binary Files Tag Added to XML Reports

A new XML tag appears in XML reports to tell you whether the new Ignore Binary Files option profile setting was turned on for the scan being reported on. If yes, the scan ignored files with these extensions: .pdf, .zip and .doc.

 

Scan Results XML

“Ignore Binary Files” is included in the XML output when a user downloads scan results in XML format.

 

Scan Results v3 XML - “Ignore Binary Files” appears in the scan results v3 XML format under the new WasScanOption tag. The v3 XML format is returned when you make an API request using the download scan API (…/3.0/download/was/wasscan/<id>).

 

...

<WasScanOption>

    <name>Ignore Binary Files</name>

    <value>true</value>

</WasScanOption>

...

 

 

Scan Results v2 XML - “Ignore Binary Files” appears in the scan results v2 XML format (for version 2 and earlier) under the new SCAN_INFO tag. The v2 XML format is returned:

- when you make an API request using the download scan API (…/2.0/download/was/wasscan/<id>)

- when you select the Download action for a scan using the user interface

 

 

 

 

...

<SUMMARY>

   <SCAN_SUMMARY>

      <SCAN_INFO>

          <KEY>Title</KEY>

          <VALUE><![CDATA[Vulnerability Scan - Ignore Binary On]]></VALUE>

      </SCAN_INFO>

...

 

 

Scan Details v3 XML - “Ignore Binary Files” appears in the scan results v3 XML format under the new WasScanOption tag. The v3 XML format is returned when you make an API request using the get scan API (…/3.0/get/was/wasscan/<id>).

 

<WasScanOption>

   <name>Ignore Binary Files</name>

   <value><![CDATA[true]]></value>

</WasScanOption>

 

 

Report XML

“Ignore Binary Files” appears in the report XML in the appendix section when you make an API request using the download report API (…/3.0/download/was/report/<id>).

 

...

<APPENDIX_LIST>

    <APPENDIX>

        <VALUE_LIST>

            <VALUE name="Ignore Binary Types">true</VALUE>

 

 

New cancelScanTime Element

The new cancelScanTime element defines the precise hour to cancel a scan.

 

Launch Scan API

Using the launch scan API (…/3.0/launch/was/wasscan) you can include cancelScanTime as a name/value pair in your request POST data.

 

...

<options>

   <WasScanOption>

      <name>cancelScanTime</name>

      <value><![CDATA[1]]></value>

   </WasScanOption>

</options>

...

 

 

Create a Scan Schedule API

Using the create a scan schedule API (…/3.0/create/was/wasscanschedule) you can include cancelScanTime in your request POST data using the cancelTime element.

 

 

<scheduling>

        <occurrenceType>WEEKLY</occurrenceType>

        <occurrence>

         <weeklyOccurrence>

                <everyNWeeks>5</everyNWeeks>

                <onDays>

                        <WeekDay>MONDAY</WeekDay>

                        <WeekDay>SATURDAY</WeekDay>

                        <WeekDay>SUNDAY</WeekDay>

                </onDays>

         </weeklyOccurrence>

        </occurrence>

        <timeZone>

          <code>Africa/Ceuta</code>

        </timeZone>

        <startDate>2012-08-01T10:00:00Z</startDate>

        <cancelTime>11:00</cancelTime>

</scheduling>

 

 

 

 

Get Scan Schedule XML

Using the get a scan schedule API (…/3.0/get/was/wasscanschedule/<id>) the XML output includes the cancelScanTime element if the scan cancel time setting is defined for the schedule.

 

 

      <scheduling>

        <startDate>2014-01-13T17:00:00Z</startDate>

        <timeZone>

          <code>Etc/GMT-3</code>

          <offset>+03:00</offset>

        </timeZone>

        <occurrenceType>ONCE</occurrenceType>

        <cancelTime>11:00</cancelTime>

      </scheduling>

 

 

 

New Scan Status Data Reported

Scan Results XML

Using the retrieve scan results API (.../3.0/download/was/wasscan/<id>) the XML output will show the number of links collected, and the average response time.

 

<summary>

    <crawlDuration>16</crawlDuration>

    <testDuration>138</testDuration>

    <linksCollected>10</linksCollected>

    <linksCrawled>1</linksCrawled>

    <nbRequests>503</nbRequests>

    <averageResponseTime>0.001554</averageResponseTime>

    <resultsStatus>SUCCESSFUL</resultsStatus>

    <authStatus>NONE</authStatus>

    <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>

</summary>

 

 

 

Get Scan Status XML

Using the get a scan schedule API (…/3.0/get/was/wasscanschedule/<id>) the XML output includes the cancelScanTime element if the scan cancel time setting is defined for the schedule.

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">

  <responseCode>SUCCESS</responseCode>

  <count>1</count>

  <data>

    <WasScan>

      <id>21993</id>

      <status>FINISHED</status>

      <summary>

            <linksCollected>12</linksCollected>

            <linksCrawled>5</linksCrawled>

            <nbRequests>89</nbRequests>

            <averageResponseTime>0.01234</averageResponseTime>

      </summary>

    </WasScan>

  </data>

</ServiceResponse>

 

 

 

Scan Details XML

Using the get scan details API (…/3.0/get/was/wasscan/<id>) the XML output will show links collected, links crawled, the number of requests performed and the average response time.

<summary>

   <crawlDuration>16</crawlDuration>

   <testDuration>138</testDuration>

   <linksCollected>10</linksCollected>

   <linksCrawled>1</linksCrawled>

   <nbRequests>503</nbRequests>

   <averageResponseTime>0.001554</averageResponseTime>

   <resultsStatus>SUCCESSFUL</resultsStatus>

   <authStatus>NONE</authStatus>

   <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>

</summary>

 

 

 


A new release of QualysGuard, Version 7.13, will be available in production in February, 2014. The final date has not been determined, but this release contains changes to the APIs and DTDs that require 30-day notification. More information specific to this release, including the date of global availability, will be communicated 2 weeks before the release date via the Release Notification pages here:

 

 

This API notification provides an early preview into the coming API changes in QualysGuard 7.13, allowing you to proactively figure out any changes that might be required for your automated scripts or programs that make calls to the API functions described below.

 

 

PC Policy Report XML - Control References Added

 

The QualysGuard Policy Compliance (PC) application allows you to add references to each control by using the new policy editor or by editing control details. With this release you can choose to create policy reports with your custom control references in XML format - just follow the steps below. The policy report XML output now lists the control references defined for each control. We’ve updated the policy report DTD (compliance_policy_report.dtd) to add a new element <CONTROL_REFERENCES>.

 

Step 1 - Configure the template settings

Configure your policy report template using the user interface (under PC > Reports > Templates). Be sure to choose the Group by Controls option and under Sections choose Control References.

 

Step 2 - Launch a PC policy report

API request:

 

       curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=launch&template_id=55469&output_format=xml" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

 

XML output:

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE GENERIC SYSTEM https://qualysapi.qualys.com/api/2.0/simple_return.dtd>
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2013-12-11T21:45:23Z</DATETIME>
    <TEXT>New report launched</TEXT>
      <ITEM_LIST>
        <ITEM>
          <KEY>ID</KEY>
          <VALUE>1665</VALUE>
        </ITEM>
      </ITEM_LIST>
     </RESPONSE>
</SIMPLE_RETURN>

 

 

Step 3 - Download report XML

 

API request:

 

curl -k -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=fetch&id=1665" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

XML output:

 

...<CONTROL_LIST>
  <CONTROL>
    <CID>1376</CID>
    <STATEMENT><![CDATA[Status of the 'Interactive Logon: Do not require CTRL+ALT+DEL' setting]]></STATEMENT>
    <CONTROL_REFERENCES>ABC123,4.6.88</CONTROL_REFERENCES> 
    <RATIONALE><![CDATA[The Windows OS behaves differently when the 'CTRL+ALT+Delete' is invoked before login--this guarantees that the authentication process for the system is engaged. Otherwise, when only the two-line login screen is presented, it is possible that a Trojan program is displaying a phony userid/password login screen, which will collect the credentials and exit, leaving the user believing that he/she simply mistyped one or both of the required values. NOTE: As this is one of the reverse-logic controls, it is important to remember that this should be DISABLED to actually be enabled.]]></RATIONALE>
  <STATUS><![CDATA[Passed]]></STATUS>
  <EVIDENCE><![CDATA[CHECK1]]></EVIDENCE>
</CONTROL>

 

 

Updated DTD (updates in bold):

 

...
<!ELEMENT CONTROL_LIST (CONTROL*)>
<!ELEMENT CONTROL (CID, STATEMENT, CONTROL_REFERENCES?, DEPRECATED?,
                   RATIONALE?, INSTANCE?, STATUS, EVIDENCE?, EXCEPTION?)>
<!ELEMENT CID (#PCDATA)>
<!ELEMENT STATEMENT (#PCDATA)>
<!ELEMENT CONTROL_REFERENCES (#PCDATA)>
<!ELEMENT RATIONALE (#PCDATA)>
<!ELEMENT STATUS (#PCDATA)>
<!ELEMENT INSTANCE (#PCDATA)>
<!ELEMENT EVIDENCE (#PCDATA)>
<!ELEMENT EXCEPTION (ASSIGNEE, STATUS, END_DATE, CREATED_BY, CREATED_DATE,
...
MODIFIED_BY, MODIFIED_DATE, COMMENT_LIST?)>

An update of QualysGuard, Version 7.12, will be available in production in the coming weeks.

 

Enhancements include a set of new API inputs to:

  • Download posture data for multiple policies
  • Filter posture data to include certain asset groups

More information specific to this release, including the date of global availability, will be communicated 2 weeks before the release date via the Release Notification pages:

 

“Compliance Posture Info” API v2 - Enhancements

With this release we've added new input parameters to the "Compliance Posture Info" API v2 (with the endpoint /api/2.0/fo/compliance/posture/info/) to give you more flexibility with downloading compliance posture data from your account. The update to the DTD should not impact current integrations.

 

Download posture data for multiple policies

With this release the new “policy_ids” input parameter allows you to request compliance posture data (info records) for up to 10 policies. You can request posture data using the new parameter “policy_ids” or “policy_id” parameter (available in previous releases).

 

New Parameter:

policy_ids={value}

 

New Parameter Description:

(Optional) A comma-separated list of policy IDs for the policies you want to download compliance posture data for. You can specify up to 10 policies. When this parameter is specified, all posture data is downloaded (and the “truncation_limit” parameter is invalid). When ”policy_ids” is specified you can’t specify these parameters in the same request: “policy_id” and/or “truncation_limit”.

 

The compliance posture info list output DTD was updated (posture_info_list_output.dtd). When “policy_ids” is specified, the XML output shows policy information under the <POLICY> tag, and the <DATETIME> tag under this tag indicates when the policy’s posture data was collected from the API user’s account.

 

API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&policy_ids=1678,1738" "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/"

 

 

XML output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE POSTURE_INFO_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/posture_info_list_output.dtd">

<POSTURE_INFO_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2013-10-17T21:03:53Z</DATETIME>
        <POLICY>
            <ID>1678</ID>
            <DATETIME>2013-10-17T21:03:53Z</DATETIME>
            <INFO_LIST>
                   <INFO>
                        <ID>5563330</ID>
                        <HOST_ID>927326</HOST_ID>
                        <CONTROL_ID>1200</CONTROL_ID>
                        <TECHNOLOGY_ID>1</TECHNOLOGY_ID>
                        <INSTANCE></INSTANCE>
                        <STATUS>Failed</STATUS>
                   </INFO>
                   <INFO>
                        <ID>5563332</ID>
                        <HOST_ID>927326</HOST_ID>
                        <CONTROL_ID>1198</CONTROL_ID>
                        <TECHNOLOGY_ID>1</TECHNOLOGY_ID>
                        <INSTANCE></INSTANCE>
                        <STATUS>Failed</STATUS>
                   </INFO>
              </INFO_LIST>
          </POLICY>
          <POLICY>
              <ID>1738</ID>
              <DATETIME>2013-10-17T21:04:09Z</DATETIME>
              <INFO_LIST>
                     <INFO>
                         <ID>5585969</ID>
                         <HOST_ID>943039</HOST_ID>
                         <CONTROL_ID>1336</CONTROL_ID>
                         <TECHNOLOGY_ID>7</TECHNOLOGY_ID>
                         <INSTANCE>oracle9:1:1527:ora9208p</INSTANCE>
                         <STATUS>Error</STATUS>
                     </INFO>
                     <INFO>
                         <ID>5586112</ID>
                         <HOST_ID>943048</HOST_ID>
                         <CONTROL_ID>1336</CONTROL_ID>
                         <TECHNOLOGY_ID>9</TECHNOLOGY_ID>
                         <INSTANCE>oracle11:1:1521:orcl</INSTANCE>
                         <STATUS>Error</STATUS>
                      </INFO>
                      <INFO>
                         <ID>5592798</ID>
                         <HOST_ID>940048</HOST_ID>
                         <CONTROL_ID>1336</CONTROL_ID>
                         <TECHNOLOGY_ID>9</TECHNOLOGY_ID>
                         <INSTANCE>oracle11:1:1521:qa11g2lu</INSTANCE>
                         <STATUS>Error</STATUS>
                       </INFO>
                </INFO_LIST>
        </POLICY>
    </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>

 

 

Updated DTD (updates in bold):

<!-- QUALYS POSTURE_INFO_LIST_OUTPUT DTD -->
<!ELEMENT POSTURE_INFO_LIST_OUTPUT (REQUEST?,RESPONSE)>
<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?,POST_DATA?)>
<!ELEMENT DATETIME (#PCDATA)>
<!ELEMENT USER_LOGIN (#PCDATA)>
<!ELEMENT RESOURCE (#PCDATA)>
<!ELEMENT PARAM_LIST (PARAM+)>
<!ELEMENT PARAM (KEY, VALUE)>
<!ELEMENT KEY (#PCDATA)>
<!ELEMENT VALUE (#PCDATA)>
<!-- if returned, POST_DATA will be urlencoded -->
<!ELEMENT POST_DATA (#PCDATA)>
<!ELEMENT RESPONSE (DATETIME, ((INFO_LIST?, WARNING_LIST?, GLOSSARY?) | POLICY+))>
<!ELEMENT POLICY (ID, DATETIME, INFO_LIST?, WARNING_LIST?, GLOSSARY?)>
<!ELEMENT INFO_LIST (INFO+)>
<!ELEMENT INFO (ID, HOST_ID, CONTROL_ID, TECHNOLOGY_ID, INSTANCE?, STATUS,
...
EXCEPTION?, EVIDENCE?)>

 

 

Filter posture data to include certain asset groups

Use the new “asset_group_ids” parameter to download compliance posture data for hosts in certain asset groups.

 

New Parameter:

asset_group_ids={value}

 

New Parameter Description:

(Optional) A comma-separated list of asset group IDs for the asset groups you want to download compliance posture data for. The asset groups specified do not need to be assigned to the one or more policies requested. Posture data will be returned as long as there are common hosts specified by “asset_group_ids” and asset groups that are assigned to the policies requested.

 

API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&echo_request=1&policy_ids=13888,15234,14028&asset_group_ids=456144,451051" "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/"

 

XML output:

Compliance posture data is filtered to include only hosts in asset group ID 56144 and/or 451051. For policy ID 15234, compliance posture data is returned for host IDs 2162141 and 2162152 - you can check out the glossary section to see details on these hosts. No posture data is returned for policy IDs 13888 and 14028 (no hosts with posture data are in asset group ID 56144 or 451051).

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE POSTURE_INFO_LIST_OUTPUT SYSTEM
"https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/posture_info_list_output.dtd">
<POSTURE_INFO_LIST_OUTPUT>
  <REQUEST>
    <DATETIME>2013-11-16T17:09:23Z</DATETIME>
    <USER_LOGIN>spt_km</USER_LOGIN>
    <RESOURCE>https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/</RESOURCE>
    <PARAM_LIST>
      <PARAM>
        <KEY>action</KEY>
        <VALUE>list</VALUE>
      </PARAM>
      <PARAM>
        <KEY>echo_request</KEY>
        <VALUE>1</VALUE>
      </PARAM>
      <PARAM>
        <KEY>policy_ids</KEY>
        <VALUE>13888,15234,14028</VALUE>
      </PARAM>
      <PARAM>
        <KEY>asset_group_ids</KEY>
        <VALUE>456144,451051</VALUE>
      </PARAM>
    </PARAM_LIST>
  </REQUEST>
  <RESPONSE>
    <DATETIME>2013-11-16T17:09:23Z</DATETIME>
    <POLICY>
      <ID>13888</ID>
      <DATETIME>2013-11-16T17:09:23Z</DATETIME>
    </POLICY>
    <POLICY>
      <ID>15234</ID>
      <DATETIME>2013-11-16T17:09:28Z</DATETIME>
      <INFO_LIST>
        <INFO>
          <ID>2104640</ID>
          <HOST_ID>2162141</HOST_ID>
          <CONTROL_ID>2016</CONTROL_ID>
          <TECHNOLOGY_ID>2</TECHNOLOGY_ID>
          <INSTANCE></INSTANCE>
          <STATUS>Passed</STATUS>
        </INFO>
        <INFO>
          <ID>2104641</ID>
          <HOST_ID>2162141</HOST_ID>
          <CONTROL_ID>3773</CONTROL_ID>
          <TECHNOLOGY_ID>2</TECHNOLOGY_ID>
          <INSTANCE></INSTANCE>
          <STATUS>Passed</STATUS>
        </INFO>
        <INFO>
          <ID>2104676</ID>
          <HOST_ID>2162152</HOST_ID>
          <CONTROL_ID>2127</CONTROL_ID>
          <TECHNOLOGY_ID>2</TECHNOLOGY_ID>
          <INSTANCE></INSTANCE>
          <STATUS>Passed</STATUS>
        </INFO>
      </INFO_LIST>
      <GLOSSARY>
        <HOST_LIST>
          <HOST>
            <ID>2162141</ID>
            <IP>10.10.25.69</IP>
            <TRACKING_METHOD>IP</TRACKING_METHOD>
            <DNS><![CDATA[2k3-sp2-josh.com-25-69.vuln.qa.qualys.com]]></DNS>
            <NETBIOS><![CDATA[2K3-SP2-JOSH]]></NETBIOS>
            <OS><![CDATA[Windows 2003 Server AD Service Pack 2]]></OS>
          </HOST>
          <HOST>
            <ID>2162152</ID>
            <IP>10.10.25.88</IP>
            <TRACKING_METHOD>IP</TRACKING_METHOD>
            <DNS><![CDATA[2k364sp1-25-88p.2k364sp1.patch.ad.vuln.qa.qualys.com]]></DNS>
            <NETBIOS><![CDATA[2K364SP1-25-88P]]></NETBIOS>
            <OS><![CDATA[Windows 2003 Server 64 bit Edition AD Service Pack 2]]></OS>
          </HOST>
        </HOST_LIST>
      ...
      </GLOSSARY>
    </POLICY>
      <POLICY>
      <ID>14028</ID>
      <DATETIME>2013-11-16T17:09:36Z</DATETIME>
    </POLICY>
  </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>
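
An added example (not Qualys code) covering both new parameters: it enforces the “policy_ids” rules from the parameter description before a request is built, then reads the per-<POLICY> output, including policies that come back with no records. The function names are hypothetical, and the sample XML is constructed and abridged from the output shown above.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlencode

MAX_POLICY_IDS = 10  # limit stated in the parameter description


def build_posture_params(policy_ids, asset_group_ids=(), **extra):
    """Return the POST body for action=list, enforcing the documented rules."""
    ids = [int(p) for p in policy_ids]  # integers only, so nothing can be smuggled in
    if not 1 <= len(ids) <= MAX_POLICY_IDS:
        raise ValueError("policy_ids takes 1 to 10 policy IDs")
    clash = {"policy_id", "truncation_limit"} & set(extra)
    if clash:
        raise ValueError(f"not allowed together with policy_ids: {sorted(clash)}")
    params = {"action": "list", "policy_ids": ",".join(map(str, ids)), **extra}
    if asset_group_ids:
        params["asset_group_ids"] = ",".join(str(int(g)) for g in asset_group_ids)
    return urlencode(params, safe=",")


def summarize(xml_text):
    """Map policy ID -> collection time, status counts and hosts (ID -> IP)."""
    root = ET.fromstring(xml_text)
    out = {}
    for policy in root.iterfind("RESPONSE/POLICY"):
        infos = policy.findall("INFO_LIST/INFO")  # empty when nothing matched the filter
        glossary = {h.findtext("ID"): h.findtext("IP")
                    for h in policy.iterfind("GLOSSARY/HOST_LIST/HOST")}
        out[policy.findtext("ID")] = {
            "collected": policy.findtext("DATETIME"),
            "status": Counter(i.findtext("STATUS") for i in infos),
            "hosts": {i.findtext("HOST_ID"): glossary.get(i.findtext("HOST_ID"))
                      for i in infos},
        }
    return out


def policies_without_data(summary):
    """Policies that returned no records: 'nothing evaluated', not 'compliant'."""
    return [pid for pid, s in summary.items() if not s["status"]]


# Constructed sample, abridged from the XML output above.
SAMPLE = """<POSTURE_INFO_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2013-11-16T17:09:23Z</DATETIME>
    <POLICY><ID>13888</ID><DATETIME>2013-11-16T17:09:23Z</DATETIME></POLICY>
    <POLICY>
      <ID>15234</ID>
      <DATETIME>2013-11-16T17:09:28Z</DATETIME>
      <INFO_LIST>
        <INFO><ID>2104640</ID><HOST_ID>2162141</HOST_ID><CONTROL_ID>2016</CONTROL_ID><STATUS>Passed</STATUS></INFO>
        <INFO><ID>2104641</ID><HOST_ID>2162141</HOST_ID><CONTROL_ID>3773</CONTROL_ID><STATUS>Passed</STATUS></INFO>
        <INFO><ID>2104676</ID><HOST_ID>2162152</HOST_ID><CONTROL_ID>2127</CONTROL_ID><STATUS>Passed</STATUS></INFO>
      </INFO_LIST>
      <GLOSSARY>
        <HOST_LIST>
          <HOST><ID>2162141</ID><IP>10.10.25.69</IP></HOST>
          <HOST><ID>2162152</ID><IP>10.10.25.88</IP></HOST>
        </HOST_LIST>
      </GLOSSARY>
    </POLICY>
    <POLICY><ID>14028</ID><DATETIME>2013-11-16T17:09:36Z</DATETIME></POLICY>
  </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>"""

if __name__ == "__main__":
    print(build_posture_params([13888, 15234, 14028], [456144, 451051], echo_request=1))
    summary = summarize(SAMPLE)
    for pid, s in summary.items():
        print(pid, s["collected"], dict(s["status"]), s["hosts"])
    print("no posture data:", policies_without_data(summary))
```

A compliance dashboard fed from this output should report the policies in the last list as not evaluated for the requested asset groups rather than counting them as passing.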

A new release of QualysGuard, Version 7.12, will be available in production in Nov 2013.

 

Enhancements include a set of new APIs and a report related change

  • API Support for QualysGuard Express Lite Users
  • “Compliance Posture Info” API v2 - Support for retrieving batches of compliance posture info records
  • “Compliance Control” API v2 - Support for retrieving batches of compliance controls
  • “Asset IP” API v2 Enhancements - Ability to add and update IP addresses (VM and PC)
  • PC Authentication Report - Host Technology Added

 

More information specific to this release, including the date of global availability, will be communicated 2 weeks before the release date via the Release Notification pages here:

 

API Support for QualysGuard Express Lite Users

The QualysGuard API now supports Express Lite users. Express Lite users can use the QualysGuard API to manage scans, assets (IP addresses and domains) and user accounts. Several APIs are available:

 

“Compliance Posture Info” API v2 - Support for retrieving batches of compliance posture info records

 

The Compliance Posture Info API v2 (with the endpoint /api/2.0/fo/compliance/posture/info/) is used to return a list of compliance posture info records for a selected policy in the user’s account.

 

The output of the Compliance Posture Info API is paginated. By default, a maximum of 5,000 posture info records are returned per request. You can customize the page size (i.e. the number of posture info records) by using the parameter:

  • “truncation_limit=10000” returns results in pages of 10,000 records.
  • “truncation_limit=0” returns all the records in a single page.

 

WARNING: “truncation_limit=0” can generate very large output and processing large XML files can consume a lot of resources on the client side. In this case it is recommended to use the pagination logic and parallel processing. The previous page can be processed while the next page is being downloaded.

 

API request:

 

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&echo_request=1&policy_id=13906&truncation_limit=1000" "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/"

 

XML output:

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE POSTURE_INFO_LIST_OUTPUT SYSTEM
"https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/posture_info_list_output.dtd">
<POSTURE_INFO_LIST_OUTPUT>
<REQUEST>
...
<RESPONSE>
  <DATETIME>2013-08-06T12:28:16Z</DATETIME>
  <INFO_LIST>
<INFO> ...
  </INFO_LIST>
  <WARNING_LIST>
    <WARNING>
      <CODE>1980</CODE>
      <TEXT>1000 record limit exceeded. Use URL to get next batch of results.</TEXT>
      <URL><![CDATA[https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/?action=list&echo_request=1&policy_id=13906&truncation_limit=1000&id_min=1958791]]></URL>
  </WARNING>
</WARNING_LIST>

 

“Compliance Control” API v2 - Support for retrieving batches of compliance controls

The Compliance Control API v2 (with the endpoint /api/2.0/fo/compliance/control/) is used to return a list of compliance controls in the user’s account.

 

Customize the Page Size using “truncation_limit” parameter

The output of the Compliance Control API is paginated. By default, a maximum of 1,000 control records are returned per request. You can customize the page size (i.e. the number of control records) by using the parameter:

  • “truncation_limit=10000” returns results in pages of 10,000 records.
  • “truncation_limit=0” returns all the records in a single page.

 

API request:


curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&echo_request=1&truncation_limit=200&details=Basic" "https://qualysapi.qualys.com/api/2.0/fo/compliance/control/"

 

XML output:

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE CONTROL_LIST_OUTPUT SYSTEM
"https://qualysapi.qualys.com/api/2.0/fo/compliance/control/control_list_output.dtd">
<CONTROL_LIST_OUTPUT>
  <REQUEST>
 ...
  <RESPONSE>
    <DATETIME>2013-09-09T05:57:25Z</DATETIME>
    <CONTROL_LIST>
      <CONTROL>
        <ID>1044</ID>
        <UPDATE_DATE>2012-06-08T00:00:00Z</UPDATE_DATE>
        <CREATED_DATE>2007-10-12T00:00:00Z</CREATED_DATE>
...
    </CONTROL_LIST>
    <WARNING>
      <CODE>1980</CODE>
      <TEXT>200 record limit exceeded. Use URL to get next batch of results.</TEXT>
      <URL><![CDATA[https://qualysapi.qualys.com/api/2.0/fo/compliance/control/?action=list&echo_request=1&truncation_limit=200&details=Basic&id_min=1046]]></URL>
    </WARNING>
  </RESPONSE>
</CONTROL_LIST_OUTPUT>
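
An added example (not Qualys code) of the pagination logic described for both the Compliance Posture Info and Compliance Control APIs: read each page, pick up the code 1980 warning, and follow its URL only after checking that it stays on the API host and endpoint the credentials were meant for. `fetch` is a hypothetical callable that performs the authenticated request; the pages are constructed and abridged.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

API_HOST = "qualysapi.qualys.com"  # US Platform 1, as in the page's examples
CONTROL_PATH = "/api/2.0/fo/compliance/control/"
TRUNCATED = "1980"  # warning code shown in the sample output


def page(ids, next_url=None):
    """Build a constructed, abridged CONTROL_LIST_OUTPUT page for the demo."""
    controls = "".join(f"<CONTROL><ID>{i}</ID></CONTROL>" for i in ids)
    warning = ""
    if next_url:
        warning = (f"<WARNING><CODE>1980</CODE><TEXT>{len(ids)} record limit "
                   f"exceeded.</TEXT><URL><![CDATA[{next_url}\n]]></URL></WARNING>")
    return (f"<CONTROL_LIST_OUTPUT><RESPONSE><CONTROL_LIST>{controls}"
            f"</CONTROL_LIST>{warning}</RESPONSE></CONTROL_LIST_OUTPUT>")


def parse_page(xml_text):
    """Return (record_ids, next_url_or_None) for one page of output."""
    root = ET.fromstring(xml_text)  # the stdlib parser does not fetch the external DTD
    ids = [el.findtext("ID") for el in root.iter() if el.tag in ("CONTROL", "INFO")]
    next_url = None
    # iter() finds WARNING directly under RESPONSE and inside WARNING_LIST alike.
    for warning in root.iter("WARNING"):
        if warning.findtext("CODE") == TRUNCATED:
            next_url = (warning.findtext("URL") or "").strip() or None
    return ids, next_url


def check_next_url(url, path, last_id_min):
    """Accept a continuation URL only if it stays on our API and moves forward."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != API_HOST or parts.port not in (None, 443):
        raise ValueError(f"continuation URL leaves the API host: {url!r}")
    if parts.path != path:
        raise ValueError(f"continuation URL changes the endpoint: {parts.path!r}")
    query = parse_qs(parts.query)
    if "id_min" not in query:
        raise ValueError("continuation URL has no id_min")
    id_min = int(query["id_min"][0])
    if id_min <= last_id_min:
        raise ValueError("id_min did not advance; refusing to loop")
    return id_min


def fetch_all(fetch, first_url, path=CONTROL_PATH, max_pages=10000):
    """Yield record IDs from every page; fetch(url) returns the XML text."""
    url, last_id_min = first_url, -1
    for _ in range(max_pages):
        ids, next_url = parse_page(fetch(url))
        yield from ids  # the caller can process this page before the next fetch
        if next_url is None:
            return
        last_id_min = check_next_url(next_url, path, last_id_min)
        url = next_url
    raise RuntimeError("page limit reached")


# Constructed three-page result set served from memory instead of the network.
BASE = f"https://{API_HOST}{CONTROL_PATH}?action=list&truncation_limit=2"
PAGES = {
    BASE: page([1044, 1045], BASE + "&id_min=1046"),
    BASE + "&id_min=1046": page([1046, 1050], BASE + "&id_min=1051"),
    BASE + "&id_min=1051": page([1051]),
}


def demo():
    return list(fetch_all(PAGES.__getitem__, BASE))


if __name__ == "__main__":
    print(demo())
```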

 

“Asset IP” API v2 Enhancements - Ability to add and update IP addresses

 

The “Asset IP” API v2 (with the endpoint /api/2.0/fo/asset/ip/) now gives you the ability to add IP addresses for scanning to the subscription, and update them. You can choose to add IP addresses to VM and/or PC, depending on your license.

 

For additional information on the parameters available and additional examples, please refer to the release notes or documentation.

 

Add IP(s) Example

 

API request (POSTED raw data in CSV format):

curl -H "X-Requested-With: Curl" -H "Content-Type:text/csv" -u "USERNAME:PASSWORD" --data-binary @ips_list.csv "https://qualysapi.qualys.com/api/2.0/fo/asset/ip/?action=add&enable_vm=1&enable_pc=1&tracking_method=IP&owner=quays_es1"

 

API request (“ips” parameter):

curl -H "X-Requested-With: demo" -u "USERNAME:PASSWORD" -X "POST" -d "action=add&enable_vm=1&enable_pc=1&ips=10.10.10.1,10.10.10.10-10.10.10.20,10.10.10.200" "https://qualysapi.qualys.com/api/2.0/fo/asset/ip/"

 

XML output:

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM
"https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
    <RESPONSE>
      <DATETIME>2013-08-07T01:21:03Z</DATETIME>
      <TEXT>IPs successfully added to Vulnerability Management/Compliance Management</TEXT>
    </RESPONSE>
</SIMPLE_RETURN>

 

PC Authentication Report - Host Technology Added

The Policy Compliance (PC) Authentication Report tells you whether hosts scanned for compliance passed authentication. If authentication failed, we give you the reason so you can look into it.

With this release, the PC Authentication Report includes the host technology associated with each host instance - this is the compliance technology the host’s operating system is mapped to. We added a new element <HOST_TECHNOLOGY> to the XML output and updated the report DTD.

 

Updated Report DTD

The report DTD can be found at the following URL (where qualysapi.qualys.com is the API server URL where your account is located):

       https://qualysapi.qualys.com/compliance_authentication_report.dtd

The new <HOST_TECHNOLOGY> appears under the <HOST> element.

 

...
<!ELEMENT TECHNOLOGY_LIST (TECHNOLOGY*)>
<!ELEMENT TECHNOLOGY (NAME, HOST_LIST)>
<!ELEMENT HOST_LIST (HOST*)>
<!ELEMENT HOST (TRACKING_METHOD, IP, DNS?, NETBIOS?, HOST_TECHNOLOGY?,
                INSTANCE?, STATUS, CAUSE?)>
<!ELEMENT TRACKING_METHOD (#PCDATA)>
<!ELEMENT IP (#PCDATA)>
<!ELEMENT DNS (#PCDATA)>
<!ELEMENT HOST_TECHNOLOGY (#PCDATA)>
<!ELEMENT NETBIOS (#PCDATA)>
<!ELEMENT INSTANCE (#PCDATA)>
...

 

Sample Report XML


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE COMPLIANCE_AUTHENTICATION_REPORT SYSTEM
"https://qualysapi.qualys.com/compliance_authentication_report.dtd">
<COMPLIANCE_AUTHENTICATION_REPORT>
...
<TECHNOLOGY_LIST>
      <TECHNOLOGY>
        <NAME><![CDATA[Unix/Cisco IOS]]></NAME>
        <HOST_LIST>
          <HOST>
            <TRACKING_METHOD><![CDATA[IP]]></TRACKING_METHOD>
            <IP><![CDATA[10.10.24.12]]></IP>
            <DNS><![CDATA[]]></DNS>
            <NETBIOS><![CDATA[]]></NETBIOS>
            <HOST_TECHNOLOGY><![CDATA[Solaris 9.x]]></HOST_TECHNOLOGY>
            <STATUS><![CDATA[Passed]]></STATUS>
          </HOST>
...


A new release of QualysGuard WAS, Version 3.1, will be available in production in mid-November 2013. The exact date depends on the platform, and this release contains changes to the APIs that require a 30-day notification. APIs will be updated for each platform on the same day version 3.1 is released.

 

 

More information on specific release dates that correspond to the platforms can be found here:

 

 

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.1, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There are 2 primary API changes in this release:

 

  • New API for Managing Authentication Records
  • WAS Reports in XML – Findings are now Base64 Encoded

 

Full release notes will be available to customers on the day of the release.

 

New API for Managing Authentication Records

With WAS 3.1 we’re introducing a new API for managing authentication records called WebAppAuthRecord. This new API allows you to:

  • Manage authentication records independently from web application settings
  • Easily create an authentication record once and associate it with multiple web applications
  • Perform all authentication record operations – create, update, delete, get details, search and count

 

The new WebAppAuthRecord resource is located at this URL:

  • https://qualysapi.qualys.com/qps/rest/3.0/<operation>/was/webappauthrecord
    (where “qualysapi.qualys.com” is the QualysGuard API server URL for your QualysGuard platform, in this case US Platform 1. )

Supported Operations

 

  • Count authentication records
    <base URL for platform>/qps/3.0/count/was/webappauthrecord
  • Search authentication records
    <base URL for platform>/qps/3.0/search/was/webappauthrecord
  • Get authentication record details
    <base URL for platform>/qps/3.0/get/was/webappauthrecord
  • Create a new authentication record
    <base URL for platform>/qps/3.0/create/was/webappauthrecord
  • Update an authentication record
    <base URL for platform>/qps/3.0/update/was/webappauthrecord
  • Delete an authentication record
    <base URL for platform>/qps/3.0/delete/was/webappauthrecord

 

New XSD - The WebAppAuthRecord object is independent from the WebApp object. There’s a new webappauthrecord.xsd (…/qps/xsd/3.0/was/webappauthrecord.xsd). WebAppAuthRecord object has these new attributes:

 


<xs:complexType name="WebAppAuthRecord">
 <xs:all>
  <xs:element name="id" type="xs:long" minOccurs="0"/>
  <xs:element name="name" type="Cdata" minOccurs="0"/>
  <xs:element name="owner" type="User" minOccurs="0"/>
  <xs:element name="formRecord" type="WebAppAuthFormRecord" minOccurs="0"/>
  <xs:element name="serverRecord" type="WebAppAuthServerRecord" minOccurs="0"/>
  <xs:element name="tags" type="TagList" minOccurs="0"/>
  <xs:element name="comments" type="CommentList" minOccurs="0"/>
  <xs:element name="createdDate" type="xs:dateTime" />
  <xs:element name="createdBy" type="User" />
  <xs:element name="updatedDate" type="xs:dateTime" />
  <xs:element name="updatedBy" type="User" />
 </xs:all>
</xs:complexType>

 

Changes to the Web Application API

The WebApp API has been updated for this release.  Supported Operations – Please note these 2 changes:

  1. You will associate an authentication record with the web application using the CREATE and UPDATE operations (you can’t create the record within the web application settings as before). Just provide the id element as input with your API request.
  2. An API request to view web applications and get details (SEARCH and GET operations) returns only the ID and name for the web application.

 

 

XSD updates - The webapp.xsd has been updated (…/qps/xsd/3.0/was/webapp.xsd). Please note these changes:

1) The WebApp object still contains a list of WebAppAuthRecord elements (no changes):

 


<xs:complexType name="WebApp"> 
  <xs:all> 
     ... 
     <xs:element name="authRecords" type="WebAppAuthRecordList" minOccurs="0"/> 
     ... 
  </xs:all> 
</xs:complexType>

 

2) The WebAppAuthRecord elements allow only the id and name attributes (other attributes are no longer supported).

 


<xs:complexType name="WebAppAuthRecord">
  <xs:all>
    <xs:element name="id" type="xs:long" minOccurs="0"/>
    <xs:element name="name" type="Cdata" minOccurs="0"/>
  </xs:all>
</xs:complexType>

 

 

Creating Authentication Records and Applying Them to Web Applications

Using the WAS API Version 3.1 you’ll first create independent authentication record(s) and link them to your web application. Then you’re ready to launch authenticated scans against your web application.

 

Step 1: Create Authentication Record(s)

Create new authentication record(s) and tell us how to authenticate to your web application. The sample request below indicates form authentication will be used. You can create multiple authentication records as needed for your various web applications. (You must have the new Create authentication record permission enabled under Web Application authentication record permissions.)

 

Request:


curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/webappauthrecord/" < file.xml

Note: “file.xml” contains the request POST data.

 

Request POST Data:


<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
 <data>
  <WebAppAuthRecord>
   <name><![CDATA[From API - Form]]></name>
   <formRecord>
    <type>STANDARD</type>
    <sslOnly>true</sslOnly>
    <fields>
     <set>
      <WebAppAuthFormRecordField>
       <name><![CDATA[password]]></name>
       <value><![CDATA[12345]]></value>
      </WebAppAuthFormRecordField>
      <WebAppAuthFormRecordField>
       <name><![CDATA[username]]></name>
       <value><![CDATA[user]]></value>
      </WebAppAuthFormRecordField>
     </set>
    </fields>
   </formRecord>
   <comments>
    <set>
     <Comment>
      <contents><![CDATA[This is a comment]]></contents>
     </Comment>
    </set>
   </comments>
   <tags>
    <set>
     <Tag>
      <id>102609</id>
     </Tag>
    </set>
   </tags>
  </WebAppAuthRecord>
 </data>
</ServiceRequest>

 

Step 2: Add Authentication Record(s) to web application settings

Add authentication record(s) to web application settings by creating or updating each web application you want to authenticate to. You just need to add the authentication record ID. Note the same authentication record can be linked to multiple web applications. (As long as you have permission to create/update web applications under WAS Asset Permissions, you can add authentication records to web app settings.)

 

Request:


curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/update/was/webapp/324539" < file.xml

Note: “file.xml” contains the request POST data.

 

Request POST Data:


<ServiceRequest>
 <data>
  <WebApp>
   <authRecords>
    <add>
      <WebAppAuthRecord><id>1688</id></WebAppAuthRecord>
      <WebAppAuthRecord><id>1689</id></WebAppAuthRecord>
      <WebAppAuthRecord><id>1690</id></WebAppAuthRecord>
      <WebAppAuthRecord><id>1691</id></WebAppAuthRecord>
    </add>
   </authRecords>
  </WebApp>
 </data>
</ServiceRequest>

 

Step 3: Check web application details

The web application details will include all web application settings and the authentication record(s) you’ve added. At scan time we’ll attempt authentication using all of the web application’s records.

 

Request:


curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/get/was/webapp/324539"

 

Step 4: Start your scan

Launch a scan using the WasScan API at this URL:  https://qualysapi.qualys.com/qps/rest/3.0/launch/was/wascan
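
An added example (not Qualys code) for Steps 1 and 2: it generates the two request bodies with an XML library instead of hand-editing file.xml, so a form password containing “]]>” or “&” cannot break the CDATA section or alter the document, and record IDs are forced to integers. The function names are hypothetical, the credential values are constructed, and it assumes the service accepts escaped text in place of CDATA, which is equivalent XML.

```python
import xml.etree.ElementTree as ET


def _set_of(parent, tag):
    """Create <tag><set/></tag> under parent and return the <set> element."""
    return ET.SubElement(ET.SubElement(parent, tag), "set")


def _serialize(root):
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def build_auth_record(name, form_fields, tag_ids=(), ssl_only=True):
    """Step 1 body: ServiceRequest for create/was/webappauthrecord (form auth)."""
    if not form_fields:
        raise ValueError("at least one form field is required")
    root = ET.Element("ServiceRequest")
    rec = ET.SubElement(ET.SubElement(root, "data"), "WebAppAuthRecord")
    ET.SubElement(rec, "name").text = name
    form = ET.SubElement(rec, "formRecord")
    ET.SubElement(form, "type").text = "STANDARD"
    ET.SubElement(form, "sslOnly").text = "true" if ssl_only else "false"
    fields = _set_of(form, "fields")
    for field_name, field_value in form_fields.items():
        field = ET.SubElement(fields, "WebAppAuthFormRecordField")
        ET.SubElement(field, "name").text = field_name
        ET.SubElement(field, "value").text = field_value  # escaped on output
    if tag_ids:
        tags = _set_of(rec, "tags")
        for tag_id in tag_ids:
            ET.SubElement(ET.SubElement(tags, "Tag"), "id").text = str(int(tag_id))
    return _serialize(root)


def build_webapp_link(auth_record_ids):
    """Step 2 body: add existing authentication records to a web app by ID."""
    ids = [int(i) for i in auth_record_ids]  # raises ValueError on anything else
    if not ids:
        raise ValueError("no authentication record IDs given")
    root = ET.Element("ServiceRequest")
    webapp = ET.SubElement(ET.SubElement(root, "data"), "WebApp")
    add = ET.SubElement(ET.SubElement(webapp, "authRecords"), "add")
    for record_id in ids:
        ET.SubElement(ET.SubElement(add, "WebAppAuthRecord"), "id").text = str(record_id)
    return _serialize(root)


def form_fields_of(body):
    """Parse a Step 1 body back into {field name: value} to verify the round trip."""
    root = ET.fromstring(body)
    return {f.findtext("name"): f.findtext("value")
            for f in root.iter("WebAppAuthFormRecordField")}


def linked_ids_of(body):
    """Parse a Step 2 body back into the list of record IDs it adds."""
    return [r.findtext("id") for r in ET.fromstring(body).iter("WebAppAuthRecord")]


def naive_cdata_is_well_formed(value):
    """Hand-templated CDATA, as in a hand-edited file.xml; False when the value breaks it."""
    doc = f"<value><![CDATA[{value}]]></value>"
    try:
        return ET.fromstring(doc).text == value
    except ET.ParseError:
        return False


if __name__ == "__main__":
    secret = "s3cr]]>et&1"  # constructed value that defeats a CDATA template
    body = build_auth_record("From API - Form",
                             {"username": "user", "password": secret},
                             tag_ids=[102609])
    print(body.decode())
    print("round trip ok:", form_fields_of(body)["password"] == secret)
    print("naive CDATA ok:", naive_cdata_is_well_formed(secret))
    print(build_webapp_link([1688, 1689, 1690, 1691]).decode())
```

Either body can be written to curl's standard input for the `--data-binary @-` requests shown above, which keeps the form credentials out of a file on disk.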


A new release of QualysGuard, Version 7.11, will be available in production in August 2013. The final date has not been determined yet, but this release contains changes to the APIs and DTDs that require a 30-day notification. More information specific to this release, including the date of global availability, will be communicated 2 weeks before the release date via the Release Notification pages here:

 

This API notification provides an early preview of the coming API changes in QualysGuard 7.11, allowing you to proactively figure out any changes that might be required for your automated scripts or programs that call the API functions described below:

  • Enhancements to “/api/2.0/fo/asset/host” API
    • support for asset tags as input parameter for host selection
    • support for asset tags in the XML output
    • support for Qualys Host ID in the XML output when Agentless Tracking is used
    • support for custom page size output
    • “host_list_output.dtd” updated
  • Enhancements to “/api/2.0/fo/asset/host/vm/detection”
    • support for asset tags as input parameter for host selection
    • support for asset tags in the XML output
    • support for Qualys Host ID in the XML output when Agentless Tracking is used
    • “host_list_vm_detection_output.dtd” updated
  • New technology available in Authentication API V2 “/api/2.0/fo/auth”
    • support for Apache 2.2 (IBM http Server 7.x running on RHEL 5.x and 6.x)
    • support for Apache 2.2 (VMWare vFabric Web Server 5.2)
    • support for Microsoft IIS 6.x and 7.x
    • support for IBM WebSphere Application Server 7.0
  • Enhancements to “/api/2.0/fo/auth” API
    • output contains new authentication records mentioned above
    • “auth_records.dtd” updated

 

Full release notes will be available to customers from within the Resources section of your QualysGuard account.


Enhancements to “/api/2.0/fo/asset/host” API

New input parameters

New input parameters allow you to list hosts using asset tags, and return the list of asset tags in the XML output. The example below is a request to list all the hosts tagged with the tag "US-HQ" but not tagged with the tag "US-HQ-FINANCE", and return the list of asset tags for each host record in the XML output:

 

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&use_tags=1&show_tags=1&tag_set_by=name&tag_include_selector=any&tag_exclude_selector=any&tag_set_include=US-HQ&tag_set_exclude=US-HQ-FINANCE" "https://qualysapi.qualys.com/api/2.0/fo/asset/host/"

 

Support for custom page size output

To optimize the processing of the XML output by the API client, the output of the Host List API is paginated. By default, a maximum of 1,000 host records are returned per page. Now with QualysGuard 7.11, you can customize the page size (i.e. the number of host records) by using, for instance, the parameter “truncation_limit=10000”. In this case the results are returned in pages of 10,000 host records.

 

When using “truncation_limit=0” it means that the output is not paginated and all the records are returned in a single output.

 

XML output includes new elements

The XML output returned from a Host List API v2 request now includes new information and the output DTD was updated. This information is returned:

  • The QG Host ID assigned to each host when Agentless Tracking is used
  • The tags associated with each host when show_tags=1 is specified

 

"host_list_output.dtd" changes

[...]
<!ELEMENT HOST_LIST (HOST+)>
<!ELEMENT HOST (ID, IP?, TRACKING_METHOD?, DNS?, EC2_INSTANCE_ID?,
                NETBIOS?, OS?, QG_HOSTID?, TAGS?, LAST_VULN_SCAN_DATETIME?,
                LAST_COMPLIANCE_SCAN_DATETIME?, OWNER?, COMMENTS?,
                USER_DEF?, ASSET_GROUP_IDS?)>
<!ELEMENT TAGS (TAG+)>
<!ELEMENT TAG (TAG_ID, NAME)>
[...]

 

Sample Output


<HOST_LIST>
  <HOST>
    <ID>2162066</ID>
    <IP>10.10.10.33</IP>
    <TRACKING_METHOD>IP</TRACKING_METHOD>
    <DNS><![CDATA[dhcp-33.qualys.com]]></DNS>
    <OS><![CDATA[AIX 5.3]]></OS>
    <QG_HOSTID><![CDATA[51da79a3-0375-0002-605b-005056a91eec]]></QG_HOSTID>
    <TAGS>
      <TAG>
        <TAG_ID><![CDATA[301370]]></TAG_ID>
        <NAME><![CDATA[US-HQ]]></NAME>
      </TAG>
      <TAG>
        <TAG_ID><![CDATA[262969]]></TAG_ID>
        <NAME><![CDATA[port-111]]></NAME>
      </TAG>
    </TAGS>
  </HOST>
</HOST_LIST>

 

Enhancements to “/api/2.0/fo/asset/host/vm/detection”

New input parameters

New input parameters allow you to list host detections using asset tags, and return the list of asset tags in the XML output. They are similar to the changes explained above for the host API.

 

XML output includes new elements

The XML output returned from a vulnerability detection API request now includes new information and the output DTD was updated. This information is returned:

  • The QG Host ID assigned to each host when Agentless Tracking is used
  • The tags associated with each host when show_tags=1 is specified
  • The fixed date/time for each vulnerability with a Fixed status (when the vulnerability was verified fixed by a scan)

 

"host_list_vm_detection_output.dtd" changes

[...]
<!ELEMENT HOST_LIST (HOST+)>
<!ELEMENT HOST (ID, IP?, IPV6?, TRACKING_METHOD?, OS?, OS_CPE?, DNS?,
                NETBIOS?, QG_HOSTID?, TAGS?, LAST_SCAN_DATETIME?,
                DETECTION_LIST?)>
<!ELEMENT TAGS (TAG+)>
<!ELEMENT TAG (TAG_ID, NAME)>
<!ELEMENT DETECTION_LIST (DETECTION+)>
<!ELEMENT DETECTION (QID, TYPE, PORT?, PROTOCOL?, FQDN?, SSL?, INSTANCE?,
                     RESULTS?, STATUS?, FIRST_FOUND_DATETIME?, LAST_FOUND_DATETIME?,
                     LAST_TEST_DATETIME?, LAST_UPDATE_DATETIME?, LAST_FIXED_DATETIME?)>
[...]

 

Sample Output

 

 

<HOST_LIST>
  <HOST>
    <ID>2167925</ID>
    <IP>10.10.30.156</IP>
    <TRACKING_METHOD>IP</TRACKING_METHOD>
    <OS><![CDATA[Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP]]></OS>
    <LAST_SCAN_DATETIME>2013-06-11T18:04:43Z</LAST_SCAN_DATETIME>
    <TAGS>
      <TAG>
        <TAG_ID><![CDATA[299373]]></TAG_ID>
        <NAME><![CDATA[US-HQ]]></NAME>
      </TAG>
    </TAGS>
    <DETECTION_LIST>
      <DETECTION>
        <QID>12476</QID>
        <TYPE>Confirmed</TYPE>
        <PORT>8080</PORT>
        <PROTOCOL>tcp</PROTOCOL>
        <SSL>0</SSL>
        <RESULTS><![CDATA[JBoss HttpAdaptor JMXInvokerServlet is accessible to Unauthenticated Remote Users]]></RESULTS>
        <STATUS>New</STATUS>
        <FIRST_FOUND_DATETIME>2013-06-11T17:40:35Z</FIRST_FOUND_DATETIME>
        <LAST_FOUND_DATETIME>2013-06-11T17:40:35Z</LAST_FOUND_DATETIME>
        <LAST_TEST_DATETIME>2013-06-11T17:40:35Z</LAST_TEST_DATETIME>
        <LAST_FIXED_DATETIME>2013-06-11T18:04:43Z</LAST_FIXED_DATETIME>
      </DETECTION>
    </DETECTION_LIST>
  </HOST>
</HOST_LIST>

 

Update to the Authentication API to support new application server technologies

QualysGuard 7.11 now provides the ability to manage authentication records for the following technologies using the Authentication API V2 “/api/2.0/fo/auth”:

  • support for Apache 2.2 (IBM http Server 7.x running on RHEL 5.x and 6.x)
  • support for Apache 2.2 (VMWare vFabric Web Server 5.2)
  • support for Microsoft IIS 6.x and 7.x
  • support for IBM WebSphere Application Server 7.0

 

The Authentication API V2 includes the ability to manage authentication records for the technologies listed above and:

  • Create new authentication records
  • Update authentication records
  • Delete authentication records
  • List Authentication records

 

Example: Create a new Apache record

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=create&title=Apache+Record&unix_apache_config_file=/opt/IBM/HTTPServer/conf/httpd.conf1&unix_apache_control_command=/opt/IBM/HTTPServer/bin2&ips=10.10.25.25" "https://qualysapi.qualys.com/api/2.0/fo/auth/apache/"

 

Example: Update an Apache record

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=update&ids=1234&unix_apache_config_file=/opt/IBM/HTTPServer/conf/httpd.conf2" "https://qualysapi.qualys.com/api/2.0/fo/auth/apache/"

 

Example: Delete an Apache record

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=delete&ids=1234" "https://qualysapi.qualys.com/api/2.0/fo/auth/apache/"

 

Example: List Apache records

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list" "https://qualysapi.qualys.com/api/2.0/fo/auth/apache/"

 

Sample Apache record output:


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE AUTH_APACHE_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/auth/apache/auth_apache_list_output.dtd">
<AUTH_APACHE_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2013-06-25T17:55:32Z</DATETIME>
    <AUTH_APACHE_LIST>
      <AUTH_APACHE>
        <ID>8795</ID>
        <TITLE><![CDATA[Apache - IBM HTS 7.0]]></TITLE>
        <IP_SET>
          <IP>10.10.26.26</IP>
          <IP>10.10.30.38</IP>
          <IP>10.10.30.71</IP>
        </IP_SET>
        <UNIX_CONFIGURATION_FILE><![CDATA[/opt/IBM/HTTPServer/conf/httpd.conf2]]></UNIX_CONFIGURATION_FILE>
        <UNIX_CONTROL_COMMAND><![CDATA[/opt/IBM/HTTPServer/bin2]]></UNIX_CONTROL_COMMAND>
        <CREATED>
          <DATETIME>2013-05-07T20:38:06Z</DATETIME>
          <BY>quays_cd3</BY>
        </CREATED>
        <LAST_MODIFIED>
          <DATETIME>2013-06-20T18:12:37Z</DATETIME>
        </LAST_MODIFIED>
        <COMMENTS><![CDATA[some comment text]]></COMMENTS>
      </AUTH_APACHE>
    </AUTH_APACHE_LIST>
  </RESPONSE>
</AUTH_APACHE_LIST_OUTPUT>
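
The list output above can be checked against the hosts you plan to scan with authentication. The following Python is an added example, not Qualys code: it reads an AUTH_APACHE_LIST_OUTPUT document and reports which record IDs cover each target IP. The embedded response is constructed from the sample above, and the IP_RANGE element in "first-last" form is an assumption, since the sample shows only IP entries.

```python
import ipaddress
import xml.etree.ElementTree as ET


def apache_records(xml_text):
    """Return one dict per <AUTH_APACHE> record in a list response."""
    records = []
    for rec in ET.fromstring(xml_text).iter("AUTH_APACHE"):
        ip_set = rec.find("IP_SET")
        spans = []  # inclusive (first, last) address pairs
        for node in (ip_set if ip_set is not None else []):
            text = (node.text or "").strip()
            if node.tag == "IP":
                addr = ipaddress.ip_address(text)
                spans.append((addr, addr))
            elif node.tag == "IP_RANGE":  # assumed "first-last" form, not in the sample
                first, last = (part.strip() for part in text.split("-"))
                spans.append((ipaddress.ip_address(first), ipaddress.ip_address(last)))
        records.append({
            "id": rec.findtext("ID"),
            "title": rec.findtext("TITLE"),
            "config_file": rec.findtext("UNIX_CONFIGURATION_FILE"),
            "spans": spans,
        })
    return records


def coverage(records, targets):
    """Map each target IP to the IDs of the records whose IP set contains it."""
    result = {}
    for target in targets:
        addr = ipaddress.ip_address(target)
        result[target] = [r["id"] for r in records
                          if any(lo <= addr <= hi for lo, hi in r["spans"])]
    return result


# Constructed response, modelled on the sample output above.
SAMPLE = """<AUTH_APACHE_LIST_OUTPUT><RESPONSE>
  <DATETIME>2013-06-25T17:55:32Z</DATETIME>
  <AUTH_APACHE_LIST>
    <AUTH_APACHE>
      <ID>8795</ID>
      <TITLE><![CDATA[Apache - IBM HTS 7.0]]></TITLE>
      <IP_SET>
        <IP>10.10.26.26</IP>
        <IP_RANGE>10.10.30.38-10.10.30.71</IP_RANGE>
      </IP_SET>
      <UNIX_CONFIGURATION_FILE><![CDATA[/opt/IBM/HTTPServer/conf/httpd.conf2]]></UNIX_CONFIGURATION_FILE>
    </AUTH_APACHE>
  </AUTH_APACHE_LIST>
</RESPONSE></AUTH_APACHE_LIST_OUTPUT>"""

if __name__ == "__main__":
    targets = ["10.10.26.26", "10.10.30.50", "10.10.25.25"]
    for ip, ids in coverage(apache_records(SAMPLE), targets).items():
        print(ip, "covered by", ids if ids else "no Apache record")
```

A target that maps to an empty list has no Apache authentication record in this output.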

 

Enhancements to “/api/2.0/fo/auth” API

The “Authentication List” API v2 lists all authentication records in the user’s account.

 

Example:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" \
     -d "action=list" "https://qualysapi.qualys.com/api/2.0/fo/auth/"

 

XML output modified and “/api/2.0/fo/auth/auth_records.dtd” updated:

 

[...]
<!ELEMENT RESPONSE (DATETIME, AUTH_RECORDS?, WARNING_LIST?)>
<!ELEMENT AUTH_RECORDS (AUTH_UNIX_IDS?, AUTH_WINDOWS_IDS?, AUTH_ORACLE_IDS?,
                        AUTH_ORACLE_LISTENER_IDS?, AUTH_SNMP_IDS?, AUTH_MS_SQL_IDS?,
                        AUTH_IBM_DB2_IDS?, AUTH_VMWARE_IDS?, AUTH_MS_IIS_IDS?, AUTH_APACHE_IDS?,
                        AUTH_IBM_WEBSPHERE_IDS?)>
<!ELEMENT AUTH_MS_IIS_IDS (ID_SET)>
<!ELEMENT AUTH_APACHE_IDS (ID_SET)>
<!ELEMENT AUTH_IBM_WEBSPHERE_IDS (ID_SET)>
[...]


A new API to manage assets and asset tags, including dynamic tags, in the Asset Management module is now available in production. Details are in the QualysGuard Asset Management and Tagging API User Guide.

 

With this new API, users can perform "Create", "Update", "Get", "Count", "Search" and "Delete" operations for the following objects:

  • Static Tags
  • Dynamic Tags
  • Host Assets
  • Amazon EC2 Assets

 

Example:  Create a dynamic asset tag

This example creates a dynamic asset tag that will be applied to any asset whose hostname starts with "hostname-corp".

 

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- \
     "https://qualysapi.qualys.com/qps/rest/1.0/create/am/tag" < file.xml

 

 

<ServiceRequest>
  <data>
    <Tag>
      <scope>USER</scope>
      <name><![CDATA[create dynamic tag - test]]></name>
      <description><![CDATA[sample dynamic tag for asset name - test]]></description>
      <dynamicTagEngine>NAME_CONTAINS</dynamicTagEngine>
      <dynamicTagRule><![CDATA[hostname-corp.*]]></dynamicTagRule>
      <reindex>false</reindex>
      <display>
        <foregroundColor>-7197</foregroundColor>
        <backgroundColor>-3407872</backgroundColor>
      </display>
      <parent>
        <id>737931</id>
      </parent>
    </Tag>
  </data>
</ServiceRequest>

A major release of QualysGuard WAS, Version 3.0, will be available as follows:

  • US Production 2 - May 7, 2013
  • US Production 1 - May 14, 2013
  • EU Production - May 21, 2013

 

This update includes enhancements to the web application API to add the new Malware Monitoring capability introduced in WAS 3.0. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 12 PM PDT (19:00 GMT) and 8 PM PDT (03:00 AM GMT next day).

 

This API notification provides an early preview into the coming API changes, allowing you to proactively identify any changes that might be required for your automated scripts or programs that use the following functions or XML outputs. The changes for WAS 3.0 are additive, so they should not impact existing API implementations.

 

 

Platform            API Location
US Production 1     qualysapi.qualys.com
US Production 2     qualysapi.qg2.apps.qualys.com
EU Production 1     qualysapi.qualys.eu

 

Introducing Malware Monitoring for Web Applications

We're pleased to announce that we've integrated malware detection capability into WAS to make it easy for you to perform scans that detect not only web application vulnerabilities, but also malware that may infect the same web properties. Now there's an easy way to combine web application scanning and malware detection to ensure that your Internet-facing web sites are free from web application vulnerabilities and malware. Web site malware is typically found only on Internet-facing web applications. To learn more about these scan types, refer to the WAS 3.0 feature announcement on Qualys Community.

 

 

WebApp Create and Update API

The new “malwareMonitoring” element is used to enable Malware Monitoring when creating or updating a web application using the WebApplication API. You can choose to start it sometime in the future using the “malwareScheduleTime” and “malwareScheduleTimeZone” elements. The site owner will receive an email notification if any malware is detected when “malwareNotification=true” is used.

 

Example - Create a web application and enable Malware Monitoring

 

Request:
 
curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- \
     "https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp/" < file.xml

Note: “file.xml” contains the request POST data.

Request POST Data:

<ServiceRequest>
 <data>
   <WebApp>
     <name>My Web Application</name>
     <url>http://mywebapp.com</url>
     <malwareMonitoring>true</malwareMonitoring>
     <malwareNotification>true</malwareNotification>
     <malwareScheduleTime>23:59</malwareScheduleTime>
     <malwareScheduleTimeZone>
       <code>America/Vancouver</code>
     </malwareScheduleTimeZone>
   </WebApp>
 </data>
</ServiceRequest>

 


Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/webapp.xsd">
 <responseCode>SUCCESS</responseCode>
 <count>1</count>
 <data>
   <WebApp>
     <id>119</id>
     <name><![CDATA[My Web Application]]></name>
     <url><![CDATA[http://mywebapp.com]]></url>
     <owner>
       <id>123</id>
       <username>username</username>
       <firstName><![CDATA[John]]></firstName>
       <lastName><![CDATA[Smith]]></lastName>
     </owner>
     <scope>ALL</scope>
     <attributes>
       <count>0</count>
       <list/>
     </attributes>
     <defaultScanner>
       <type>EXTERNAL</type>
     </defaultScanner>
     <urlBlacklist>
       <count>0</count>
       <list/>
     </urlBlacklist>
     <urlWhitelist>
       <count>0</count>
       <list/>
     </urlWhitelist>
     <postDataBlacklist>
       <count>0</count>
       <list/>
     </postDataBlacklist>
     <authRecords>
       <count>0</count>
     </authRecords>
     <useRobots>IGNORE</useRobots>
     <useSitemap>false</useSitemap>
     <malwareMonitoring>true</malwareMonitoring>
     <malwareNotification>true</malwareNotification>
     <malwareScheduleTime>23:59</malwareScheduleTime>
     <malwareScheduleTimeZone>
       <code>America/Vancouver</code>
       <offset>-07:00</offset>
     </malwareScheduleTimeZone>
     <tags>
       <count>0</count>
     </tags>
     <comments>
       <count>0</count>
     </comments>
     <isScheduled>false</isScheduled>
     <createdBy>
       <id>123</id>
       <username>username</username>
       <firstName><![CDATA[John]]></firstName>
       <lastName><![CDATA[Smith]]></lastName>
     </createdBy>
     <createdDate>2013-03-21T20:16:06Z</createdDate>
     <updatedBy>
       <id>123</id>
       <username>username</username>
       <firstName><![CDATA[John]]></firstName>
       <lastName><![CDATA[Smith]]></lastName>
     </updatedBy>
     <updatedDate>2013-03-21T20:16:07Z</updatedDate>
   </WebApp>
 </data>
</ServiceResponse>

 

WebApp Get API

A new XML “malwareMonitoring” element will be added to the WebApp element to let users know whether malware monitoring is enabled. The value for this new element is a boolean, so it will be true or false. If true, you’ll also see the “malwareScheduleTime”, “malwareScheduleTimeZone” and “malwareNotification” elements.

 

Example - Get Web Application Details

Get web application details for web application ID 16833.

 

Request:

curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/webapp/16833"
 
Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScan>
      <id>16833</id>
…
      <malwareMonitoring>true</malwareMonitoring>
      <malwareNotification>true</malwareNotification>
      <malwareScheduleTime>23:59</malwareScheduleTime>
      <malwareScheduleTimeZone>
        <code>America/Vancouver</code>
      </malwareScheduleTimeZone>

 

WebApp Delete API

When a web application monitored for malware is deleted, the corresponding domain for malware scanning (in the MDS module) will be deleted.

 

Release Notes

Full release notes will be available to customers from within the Resources section of your QualysGuard account with the WAS 3.0 release.


A new release of QualysGuard, Version 7.9, will be available in production by the end of April 2013. The final date has not been determined yet, but this release contains changes to the APIs and DTDs that require a 30-day notification. More information specific to this release, including the date of global availability, will be communicated 2 weeks before the release date via the Release Notification pages here:

 

This API notification provides an early preview into the coming API changes in QualysGuard 7.9, allowing you to proactively figure out any changes that might be required for your automated scripts or programs.

 

With this release users can view the Oracle DB instance a vulnerability was detected on. This information appears in scan reports when an Oracle authentication record was used for scanning. Multiple scan report DTDs have been updated to show vulnerability instance information:

 

  • scan results DTD "scan-1.dtd" used by:
    • Output of API "/msp/scan.php"
    • Output of API "/msp/scan_report.php"
    • XML scan results downloaded using the User Interface


  • scan report DTD "asset_data_report.dtd" used by:
    • Output of API "/msp/asset_data_report.php"
    • XML vulnerability reports downloaded using the User Interface


  • vulnerability detection DTD "host_list_vm_detection_output.dtd" used by:
    • Output of API "/api/2.0/fo/asset/host/vm/detection/?action=list"


  • host information DTD "get_host_info.dtd" used by:
    • Output of API "/msp/get_host_info.php"

 

  • ticket list output DTD "ticket_list_output.dtd" used by:
    • Output of API "/msp/ticket_list.php"

 

The Oracle DB instance includes the technology name, SID and port number like this: "Oracle9:ora9206p:1521"

 

Full release notes will be available to customers from within the Resources section of your QualysGuard account.


Changes to scan-1.dtd

A new optional XML child element <INSTANCE> has been added to the following XML parent elements: <INFO>, <SERVICE>, <VULN> and <PRACTICE>, as shown below in this DTD update:

 

<!ELEMENT INFO (TITLE, LAST_UPDATE?, PCI_FLAG, INSTANCE?,
                VENDOR_REFERENCE_LIST?, CVE_ID_LIST?, BUGTRAQ_ID_LIST?,
                DIAGNOSIS?, DIAGNOSIS_COMMENT?, CONSEQUENCE?,
                CONSEQUENCE_COMMENT?, SOLUTION?, SOLUTION_COMMENT?,
                COMPLIANCE?, CORRELATION?, RESULT?)>

<!ELEMENT SERVICE (TITLE, LAST_UPDATE?, PCI_FLAG, INSTANCE?,
                   VENDOR_REFERENCE_LIST?, CVE_ID_LIST?,
                   BUGTRAQ_ID_LIST?, DIAGNOSIS?, DIAGNOSIS_COMMENT?,
                   CONSEQUENCE?, CONSEQUENCE_COMMENT?, SOLUTION?,
                   SOLUTION_COMMENT?, COMPLIANCE?, CORRELATION?, RESULT?)>

<!ELEMENT VULN (TITLE, LAST_UPDATE?, CVSS_BASE?, CVSS_TEMPORAL?, PCI_FLAG, INSTANCE?,
                VENDOR_REFERENCE_LIST?, CVE_ID_LIST?, BUGTRAQ_ID_LIST?, DIAGNOSIS?,
                DIAGNOSIS_COMMENT?, CONSEQUENCE?, CONSEQUENCE_COMMENT?, SOLUTION?,
                SOLUTION_COMMENT?, COMPLIANCE?, CORRELATION?, RESULT?)>

<!ELEMENT PRACTICE (TITLE, LAST_UPDATE?, CVSS_BASE?, CVSS_TEMPORAL?,
                    PCI_FLAG, INSTANCE?, VENDOR_REFERENCE_LIST?,
                    CVE_ID_LIST?, BUGTRAQ_ID_LIST?, DIAGNOSIS?,
                    DIAGNOSIS_COMMENT?, CONSEQUENCE?,
                    CONSEQUENCE_COMMENT?, SOLUTION?, SOLUTION_COMMENT?,
                    COMPLIANCE?, CORRELATION?, RESULT?)>

<!ELEMENT INSTANCE (#PCDATA)>

 

Example:

 

<INFO number="19129" severity="1">
     <TITLE><![CDATA[Oracle Authentication Method]]></TITLE>
     <LAST_UPDATE><![CDATA[2008-05-13T00:11:25Z]]></LAST_UPDATE>
     <PCI_FLAG>0</PCI_FLAG>
     <INSTANCE><![CDATA[Oracle9:ora9206p:1527]]></INSTANCE>
     <DIAGNOSIS><![CDATA[...]]></DIAGNOSIS>
     <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
     <SOLUTION><![CDATA[N/A]]></SOLUTION>
     <RESULT><![CDATA[...]]></RESULT>
</INFO>

 

Changes to asset_data_report.dtd

A new optional XML child element <INSTANCE> has been added to the XML parent element <VULN_INFO>, as shown below in this DTD update:

 

<!ELEMENT VULN_INFO (QID, TYPE, PORT?, SERVICE?, FQDN?, PROTOCOL?, SSL?,
                     INSTANCE?, RESULT?, FIRST_FOUND?, LAST_FOUND?,
                     TIMES_FOUND?, VULN_STATUS?, CVSS_FINAL?,
                     TICKET_NUMBER?, TICKET_STATE?)>
<!ELEMENT INSTANCE (#PCDATA)>

 

Example:

 

<VULN_INFO>
     <QID id="qid_19134">19134</QID>
     <TYPE>Vuln</TYPE>
     <PORT>1521</PORT>
     <SERVICE>oracle</SERVICE>
     <PROTOCOL>tcp</PROTOCOL>
     <SSL>false</SSL>
     <INSTANCE><![CDATA[Oracle9:ora9206p:1521]]></INSTANCE>
     <RESULT><![CDATA[...]]></RESULT>
     <FIRST_FOUND>2013-03-13T04:00:49Z</FIRST_FOUND>
     <LAST_FOUND>2013-03-18T21:46:33Z</LAST_FOUND>
     <TIMES_FOUND>5</TIMES_FOUND>
     <VULN_STATUS>Active</VULN_STATUS>
</VULN_INFO>

 

Changes to host_list_vm_detection_output.dtd

A new optional XML child element <INSTANCE> has been added to the XML parent element <DETECTION>, as shown below in this DTD update:

 

<!ELEMENT DETECTION (QID, TYPE, PORT?, PROTOCOL?, FQDN?, SSL?, INSTANCE?,
                     RESULTS?, STATUS?, FIRST_FOUND_DATETIME?,
                     LAST_FOUND_DATETIME?, LAST_TEST_DATETIME?,
                     LAST_UPDATE_DATETIME?)>
<!ELEMENT INSTANCE (#PCDATA)>

 

Example:

 

<DETECTION>
          <QID>19134</QID>
          <TYPE>Confirmed</TYPE>
          <PORT>1521</PORT>
          <PROTOCOL>tcp</PROTOCOL>
          <SSL>0</SSL>
          <INSTANCE><![CDATA[Oracle9:ora9206p:1521]]></INSTANCE>
          <RESULTS><![CDATA[...]]></RESULTS>
          <STATUS>Active</STATUS>
          <FIRST_FOUND_DATETIME>2013-03-13T04:00:49Z</FIRST_FOUND_DATETIME>
          <LAST_FOUND_DATETIME>2013-03-15T20:00:35Z</LAST_FOUND_DATETIME>
          <LAST_TEST_DATETIME>2013-03-15T20:00:35Z</LAST_TEST_DATETIME>
          <LAST_UPDATE_DATETIME>2013-03-15T21:13:15Z</LAST_UPDATE_DATETIME>
</DETECTION>

Changes to get_host_info.dtd

A new optional XML child element <INSTANCE> has been added to the XML parent element <VULNINFO>, as shown below in this DTD update:

 

<!ELEMENT VULNINFO (QID, SEVERITY_LEVEL, TITLE, VULN_STATUS?, CATEGORY?,
                    PORT?, SERVICE?, PROTOCOL?, INSTANCE?,
                    CVSS_SCORE?, FIRST_FOUND?, LAST_FOUND?,
                    TIMES_FOUND?, VENDOR_REFERENCE_LIST?, CVE_ID_LIST?,
                    BUGTRAQ_ID_LIST?, LAST_UPDATE?, DIAGNOSIS?,
                    DIAGNOSIS_COMMENT?, CONSEQUENCE?,
                    CONSEQUENCE_COMMENT?, SOLUTION?, SOLUTION_COMMENT?,
                    COMPLIANCE?, CORRELATION?, RESULT?)>
<!ELEMENT INSTANCE (#PCDATA)>

 

Example:

 

<VULNINFO>
          <QID><![CDATA[19134]]></QID>
          <SEVERITY_LEVEL><![CDATA[2]]></SEVERITY_LEVEL>
          <TITLE><![CDATA[Oracle Server Accounts With Passwords That Do Not Expire]]></TITLE>
          <VULN_STATUS><![CDATA[Active]]></VULN_STATUS>
          <CATEGORY><![CDATA[Database]]></CATEGORY>
          <PORT><![CDATA[1521]]></PORT>
          <SERVICE><![CDATA[oracle]]></SERVICE>
          <INSTANCE><![CDATA[Oracle9:ora9206p:1521]]></INSTANCE>
          <CVSS_SCORE>
                    <CVSS_BASE source="service"><![CDATA[6.8]]></CVSS_BASE>
                    <CVSS_TEMPORAL><![CDATA[5.8]]></CVSS_TEMPORAL>
          </CVSS_SCORE>
          <FIRST_FOUND><![CDATA[2013-03-13T04:00:49Z]]></FIRST_FOUND>
          <LAST_FOUND><![CDATA[2013-03-14T22:25:51Z]]></LAST_FOUND>
          <TIMES_FOUND><![CDATA[2]]></TIMES_FOUND>
          <LAST_UPDATE><![CDATA[2005-06-21T01:22:01Z]]></LAST_UPDATE>
          <DIAGNOSIS><![CDATA[...]]></DIAGNOSIS>
</VULNINFO>

Changes to ticket_list_output.dtd

A new optional XML child element <INSTANCE> has been added to the XML parent element <DETECTION>, as shown below in this DTD update:

 

<!ELEMENT DETECTION (IP, DNSNAME?, NBHNAME?, PORT?, SERVICE?, PROTOCOL?,
                     FQDN?, SSL?, INSTANCE?)>
<!ELEMENT INSTANCE (#PCDATA)>

 

Example:

 

<DETECTION>
        <IP>10.10.25.232</IP>
        <DNSNAME><![CDATA[ora9206-25-232]]></DNSNAME>
        <NBHNAME><![CDATA[ORA9206-25-232]]></NBHNAME>
        <PORT>1527</PORT>
        <SERVICE>Database</SERVICE>
        <PROTOCOL>tcp</PROTOCOL>
        <INSTANCE><![CDATA[Oracle9:ora9206p:1527]]></INSTANCE>
</DETECTION>
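
A script that consumes any of the outputs above has to treat INSTANCE as optional and should not assume its value is well formed. The following Python is an added example, not Qualys code: it reads INSTANCE from each of the updated parent elements and splits it into technology, SID and port as described for "Oracle9:ora9206p:1521". The embedded XML is constructed, QID 90001 is a made-up value, and taking the finding id from the number attribute or the QID child follows the examples shown above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import NamedTuple, Optional


class OracleInstance(NamedTuple):
    technology: str
    sid: str
    port: int


def parse_instance(text: Optional[str]) -> Optional[OracleInstance]:
    """Split 'technology:SID:port'; None if absent or not in that shape."""
    if not text:
        return None
    parts = [p.strip() for p in text.split(":")]
    if len(parts) != 3 or not all(parts):
        return None
    if not (parts[2].isascii() and parts[2].isdigit()):
        return None
    port = int(parts[2])
    if not 0 < port < 65536:
        return None
    return OracleInstance(parts[0], parts[1], port)


# Parent elements that gained the optional <INSTANCE> child in the DTD updates.
PARENTS = {"INFO", "SERVICE", "VULN", "PRACTICE", "VULN_INFO", "VULNINFO", "DETECTION"}


def findings(xml_text: str):
    """Return (parent tag, finding id, OracleInstance or None) per finding."""
    rows = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag in PARENTS:
            # id: "number" attribute (INFO example) or <QID> child; "" if neither
            qid = elem.get("number") or (elem.findtext("QID") or "").strip()
            rows.append((elem.tag, qid, parse_instance(elem.findtext("INSTANCE"))))
    return rows


def group_by_instance(rows):
    """Group finding ids per instance; None holds findings with no usable instance."""
    groups = defaultdict(list)
    for _tag, qid, inst in rows:
        groups[inst].append(qid)
    return dict(groups)


# Constructed sample: Oracle finding, finding without INSTANCE, malformed INSTANCE.
SAMPLE = """<DETECTION_LIST>
  <DETECTION><QID>19134</QID><TYPE>Confirmed</TYPE><PORT>1521</PORT>
    <INSTANCE><![CDATA[Oracle9:ora9206p:1521]]></INSTANCE></DETECTION>
  <DETECTION><QID>90001</QID><TYPE>Confirmed</TYPE><PORT>443</PORT></DETECTION>
  <DETECTION><QID>19129</QID><TYPE>Info</TYPE>
    <INSTANCE><![CDATA[Oracle9:ora9206p]]></INSTANCE></DETECTION>
</DETECTION_LIST>"""

if __name__ == "__main__":
    for inst, qids in group_by_instance(findings(SAMPLE)).items():
        print(inst, qids)
```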
