Collect Qualys Vulnerability Management logs
Supported in:
This parser handles Qualys Vulnerability Management logs in either key-value (KV) or JSON format. It extracts vulnerability details, host information, and scan metadata, mapping them to the UDM. The parser also handles different log structures, prioritizing KV parsing and falling back to JSON if necessary, and splits the DetectionList array into individual vulnerability events.
Before you begin
- Ensure that you have a Google Security Operations instance.
- Ensure that you have privileged access to Qualys VMDR console.
Optional: Create a dedicated API User in Qualys
- Sign in to the Qualys console.
- Go to Users.
- Click New > User.
- Enter the General Information required for the user.
- Select User Role tab.
- Make sure the role has the API Access checkbox selected.
- Click Save.
Identify your specific Qualys API URL
Option 1
Identify your URLs as mentioned in the platform identification.
Option 2
- Sign in to the Qualys console.
- Go to Help > About.
- Scroll to see this information under Security Operations Center (SOC).
- Copy the Qualys API URL.
Configure a feed in Google SecOps to ingest Qulays VM logs
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed (for example, Qualys VM Logs).
- Select Third Party API as the Source type.
- Select the Qualys VM as the log type.
- Click Next.
- Specify values for the following input parameters:
- Username: enter the username.
- Secret: enter the password.
- API Full Path: provide the Qualys API server URL (for example,
https://<qualys_base_url>/api/2.0/fo/asset/host/?action=list) where<qualys_base_url>is the base URL to the Qualys API server where your account is located. - Asset namespace: the asset namespace.
- Ingestion labels: the label applied to the events from this feed.
- Click Next.
- Review the feed configuration in the Finalize screen, and then click Submit.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
DETECTION.FIRST_FOUND_DATETIME |
extensions.vulns.vulnerabilities.first_found |
Parsed from DETECTION.FIRST_FOUND_DATETIME field, converting the string value to a timestamp. |
DETECTION.LAST_FOUND_DATETIME |
extensions.vulns.vulnerabilities.last_found |
Parsed from DETECTION.LAST_FOUND_DATETIME field, converting the string value to a timestamp. |
DETECTION.QID |
extensions.vulns.vulnerabilities.name |
Concatenates "QID: " with the value of DETECTION.QID. |
DETECTION.RESULTS |
extensions.vulns.vulnerabilities.description |
Directly maps to the description field. Also used to extract network.ip_protocol and principal.port using grok. |
DETECTION.SEVERITY |
extensions.vulns.vulnerabilities.severity |
Mapped from DETECTION.SEVERITY. Values 0, 1, 2 become "LOW"; 3, 4 become "MEDIUM"; 5, 6, 7 become "HIGH". |
DETECTION.STATUS |
extensions.vulns.vulnerabilities.about.labels |
Added as a label with key "Detection status". |
DETECTION.TYPE |
extensions.vulns.vulnerabilities.about.labels |
Added as a label with key "Detection type". |
DNS |
principal.hostname |
Directly maps to principal.hostname. |
DNSData.DOMAIN |
principal.domain.name |
Directly maps to principal.domain.name. |
HOST.ASSET_ID |
principal.asset_id |
Concatenates "QUALYS:" with the value of HOST.ASSET_ID. |
HOST.DNS |
principal.hostname |
Directly maps to principal.hostname if DNS is empty. |
HOST.DNS_DATA.DOMAIN |
principal.domain.name |
Directly maps to principal.domain.name if DNSData.DOMAIN is empty. |
HOST.ID |
metadata.product_log_id |
Directly maps to metadata.product_log_id. |
HOST.IP |
principal.ip |
Directly maps to principal.ip if IP is empty. |
HOST.LAST_SCAN_DATETIME |
extensions.vulns.vulnerabilities.scan_start_time |
Parsed from HOST.LAST_SCAN_DATETIME field, converting the string value to a timestamp. |
HOST.LAST_VM_SCANNED_DATE |
extensions.vulns.vulnerabilities.scan_end_time |
Parsed from HOST.LAST_VM_SCANNED_DATE field, converting the string value to a timestamp. |
HOST.NETBIOS |
additional.fields |
Added as a label with key "HOST NETBIOS". |
HOST.OS |
principal.platform_version |
Directly maps to principal.platform_version if OS is empty. |
HOST.QG_HOSTID |
additional.fields |
Added as a label with key "HOST QG_HOSTID". |
HOST.TRACKING_METHOD |
additional.fields |
Added as a label with key "HOST TRACKING_METHOD". |
HOST_ID |
principal.asset_id |
Concatenates "QUALYS:" with the value of HOST_ID. |
ID |
metadata.product_log_id |
Directly maps to metadata.product_log_id. |
IP |
principal.ip |
Directly maps to principal.ip. |
LastScanDateTime |
extensions.vulns.vulnerabilities.scan_start_time |
Parsed from LastScanDateTime field, converting the string value to a timestamp. |
LastVMAuthScanDuration |
additional.fields |
Added as a label with key "LastVMAuthScanDuration". |
LastVMScanDate |
extensions.vulns.vulnerabilities.scan_end_time |
Parsed from LastVMScanDate field, converting the string value to a timestamp. |
LastVMScanDuration |
additional.fields |
Added as a label with key "LastVMScanDuration". |
LAST_FOUND_DATETIME |
extensions.vulns.vulnerabilities.last_found |
Parsed from LAST_FOUND_DATETIME field, converting the string value to a timestamp. |
LAST_SCAN_DATETIME |
extensions.vulns.vulnerabilities.scan_start_time |
Parsed from LAST_SCAN_DATETIME field, converting the string value to a timestamp. |
LAST_VM_SCANNED_DATE |
extensions.vulns.vulnerabilities.scan_end_time |
Parsed from LAST_VM_SCANNED_DATE field, converting the string value to a timestamp. |
NETBIOS |
additional.fields |
Added as a label with key "NETBIOS". |
NetworkID |
additional.fields |
Added as a label with key "NetworkID". |
NETWORK_ID |
additional.fields |
Added as a label with key "NetworkID". |
OS |
principal.platform_version |
Directly maps to principal.platform_version. |
Os |
principal.platform_version |
Directly maps to principal.platform_version if OS is empty. |
QID |
extensions.vulns.vulnerabilities.name |
Concatenates "QID: " with the value of QID. |
QgHostID |
principal.asset_id |
Sets principal.asset_id to "Host Id:%{QgHostID}". |
SEVERITY |
extensions.vulns.vulnerabilities.severity |
Mapped from SEVERITY. Values 0, 1, 2 become "LOW"; 3, 4 become "MEDIUM"; 5, 6, 7 become "HIGH". |
TRACKING_METHOD |
additional.fields |
Added as a label with key "TRACKING_METHOD". |
TrackingMethod |
additional.fields |
Added as a label with key "TRACKING_METHOD". |
| N/A | metadata.vendor_name |
Hardcoded to "Qualys". |
| N/A | metadata.product_name |
Hardcoded to "Vulnerability Management". |
| N/A | metadata.event_type |
Set to "SCAN_VULN_HOST" if _vulns is not empty, "STATUS_UPDATE" if either prin_host or IP are not empty, and "GENERIC_EVENT" otherwise. |
| N/A | metadata.log_type |
Taken from the raw log's log_type field. |
| N/A | principal.platform |
Determined from OS, Os, or HOST.OS. If any of these contain "Linux", the platform is set to "LINUX". If any contain "Windows", the platform is set to "WINDOWS". If any contain "mac" or "IOS", the platform is set to "MAC". |
detection.DType |
extensions.vulns.vulnerabilities.about.resource.attribute.labels |
Added as a label with key "Detection Type" within the vulnerabilities array for events parsed from the DetectionList field. |
detection.FirstFoundTime |
extensions.vulns.vulnerabilities.first_found |
Parsed from detection.FirstFoundTime field, converting the string value to a timestamp within the vulnerabilities array for events parsed from the DetectionList field. |
detection.LastFoundTime |
extensions.vulns.vulnerabilities.last_found |
Parsed from detection.LastFoundTime field, converting the string value to a timestamp within the vulnerabilities array for events parsed from the DetectionList field. |
detection.LastProcessedDatetime |
extensions.vulns.vulnerabilities.about.resource.attribute.labels |
Added as a label with key "LastProcessedDatetime" within the vulnerabilities array for events parsed from the DetectionList field. |
detection.LastTestDateTime |
extensions.vulns.vulnerabilities.about.resource.attribute.labels |
Added as a label with key "LastTestDateTime" within the vulnerabilities array for events parsed from the DetectionList field. |
detection.LastUpdateDateTime |
extensions.vulns.vulnerabilities.about.resource.attribute.labels |
Added as a label with key "LastUpdateDateTime" within the vulnerabilities array for events parsed from the DetectionList field. |
detection.Qid |
extensions.vulns.vulnerabilities.name |
Concatenates "QID: " with the value of detection.Qid within the vulnerabilities array for events parsed from the DetectionList field. |
detection.Results |
extensions.vulns.vulnerabilities.description |
Directly maps to the description field within the vulnerabilities array for events parsed from the DetectionList field. Tabs and newlines are replaced with spaces. |
detection.Severity |
extensions.vulns.vulnerabilities.severity |
Mapped from detection.Severity. Values 0, 1, 2 become "LOW"; 3, 4 become "MEDIUM"; 5, 6, 7 become "HIGH" within the vulnerabilities array for events parsed from the DetectionList field. |
detection.Status |
extensions.vulns.vulnerabilities.about.resource.attribute.labels |
Added as a label with key "Detection status" within the vulnerabilities array for events parsed from the DetectionList field. |
detection.TimesFound |
extensions.vulns.vulnerabilities.about.resource.attribute.labels |
Added as a label with key "TimesFound" within the vulnerabilities array for events parsed from the DetectionList field. |
timestamp |
metadata.event_timestamp, timestamp |
The raw log's timestamp field is used for both the event timestamp and the top-level timestamp. |
Changes
2023-10-27
- Added a "for" loop to split the events when there are multiple "QIDs".
2023-04-25
- Mapped "DetectionList.FirstFoundTime" to "extensions.vulns.vulnerabilities.first_found".
- Mapped "DetectionList.LastFoundTime" to "extensions.vulns.vulnerabilities.last_found".
- Mapped "DetectionList.TimesFound" to "extensions.vulns.vulnerabilities.about.resource.attribute.labels".
- Mapped "DetectionList.LastTestDateTime" to "extensions.vulns.vulnerabilities.about.resource.attribute.labels".
- Mapped "DetectionList.LastUpdateDateTime" to "extensions.vulns.vulnerabilities.about.resource.attribute.labels".
- Mapped "DetectionList.LastProcessedDatetime" to "extensions.vulns.vulnerabilities.about.resource.attribute.labels".
2023-01-23
- Mapped "DetectionList" array details to "extensions.vulns.vulnerabilities".
- Mapped "DetectionList.Qid" to "extensions.vulns.vulnerabilities.name".
- Mapped "DetectionList.Severity" to "extensions.vulns.vulnerabilities.severity".
- Mapped "DetectionList.Results" to "extensions.vulns.vulnerabilities.description".
- Mapped "DetectionList.Status", "DetectionList.DType" to "extensions.vulns.vulnerabilities.about.resource.attribute.labels".
2022-09-29
- Mapped "ID" to "metadata.product_log_id".
- Mapped "Netbios","TrackingMethod","NetworkID" to "additional.fields".
- Mapped "QgHostID" to "principal.asset_id".
- Mapped "Os" to "principal.platform_version".
- Added conditional check for "vulns".
2022-07-20
- added mapping for following fields:
- "DETECTION.FIRST_FOUND_DATETIME" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.first_found".
- "DETECTION.LAST_FOUND_DATETIME" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.last_found".
- "HOST.LAST_VM_SCANNED_DATE" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.scan_end_time".
- "HOST.LAST_SCAN_DATETIME" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.scan_start_time".
- "DETECTION.QID" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.name".
- "DETECTION.SEVERITY" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.severity".
- "DETECTION.TYPE" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.about.labels".
- "DETECTION.STATUS" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.labels".
- "DETECTION.RESULTS" mapped to "event.idm.read_only_udm.extensions.vulns.vulnerabilities.description".
- "HOST.DNS_DATA.DOMAIN" mapped to "event.idm.read_only_udm.principal.domain.name".
- "HOST.ASSET_ID" mapped to "event.idm.read_only_udm.principal.asset_id".
- "HOST.IP" mapped to "event.idm.read_only_udm.principal.ip".
- "HOST.OS" mapped to "event.idm.read_only_udm.principal.platform_version".
- "HOST.DNS" mapped to "event.idm.read_only_udm.principal.hostname".
- "HOST.QG_HOSTID" mapped to "event.idm.read_only_udm.additional.fields".
- "HOST.NETBIOS" mapped to "event.idm.read_only_udm.additional.fields".
- "HOST.TRACKING_METHOD" mapped to "event.idm.read_only_udm.additional.fields".
Need more help? Get answers from Community members and Google SecOps professionals.