Qualys Connector (new revision)

Learn all about integrating Qualys into the Vulcan Platform

Updated over a week ago

Am I reading the right user guide?

Specific connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide relevant to your environment, click the "How to connect" button on the connector's setup page. This directs you to the user guide that matches your specific environment.


Overview

About Qualys

Qualys provides cloud-based cybersecurity solutions designed to help organizations assess vulnerabilities, manage assets, enforce compliance, secure web applications, protect cloud environments, and automate security processes, enhancing their overall cybersecurity posture and resilience against cyber threats.

Why integrate Qualys into the Vulcan platform?

The Qualys Connector by Vulcan integrates with the Qualys platform to pull and ingest host-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Qualys Details

Supported products

Category: Vulnerability Assessment

Ingested asset type(s): Hosts

Integration type: Unidirectional (data is transferred from the connector to the Vulcan Platform in one direction)

Supported version and type: SaaS (latest)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the connector, make sure you have the following:

  • Qualys user with Scanner role with the required access and asset groups.

  • API TOKEN/KEY and SECRET KEY

Qualys user role and permissions

Under Qualys Administration, create a dedicated Qualys user with the following role and permissions.

Click on User Role, and assign the role Scanner to the user. Make sure to enable access to GUI and API.

Click on "Asset Groups", and assign the relevant asset groups to the user.

Click Save to save the user. Once the user is created, click on it in the users list and make sure both API and GUI permissions are selected for the user under the Scanner role.


Configuring the Qualys Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Qualys icon.

  4. Set up the connector as follows:

    • Enter the organizational API Server URL of Qualys (See API URLs - API Server URL), and the Username and password of the user you created earlier.

    • arf_kernel_filter: Qualys offers an option to filter vulnerabilities related to the kernel. This filter is helpful because it helps us weed out vulnerabilities that may have already been fixed but are still associated with an old kernel that remains installed. However, when Vulcan imports information about fixed vulnerabilities, by default, it disregards this filter. The reason is that Vulcan tracks when a vulnerability was resolved, even if it no longer poses a threat due to being removed from the active kernel.

      You can configure the "arf_kernel_filter" setting using one of the following settings:

      • Vulnerabilities related to the kernel are not filtered based on kernel activity. This matches the default configuration in Qualys.

      • Exclude kernel-related vulnerabilities that are not exploitable (found on non-running kernels).

      • Include only kernel-related vulnerabilities that are not exploitable (found on non-running kernels).

      • Include only kernel-related vulnerabilities that are exploitable (found on running kernels).

    • For Subscription type, select the type of subscription of your Qualys account.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Qualys instance, then click Create (or Save Changes).

  6. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  7. Allow some time for the sync to complete. Then, you can review the sync status under Log on the connector's setup page.

  8. To confirm the sync is complete, navigate to the Connectors page. Once the Qualys icon shows Connected, the sync is complete.


Qualys in the Vulcan Platform

Viewing Qualys vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select Qualys from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing Qualys assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab.

  3. Use the Search or filter input box to select connector from the drop-down selection.

  4. Select Qualys from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by Qualys

To take remediation action on vulnerabilities and assets detected by Qualys:

  1. Go to the Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select connector from the drop-down selection.

  3. Locate the Qualys option to view all synced vulnerabilities/assets.

  4. Select the relevant Vulnerability out of the results list.

  5. Click Take Action.

Automating remediation actions on vulnerabilities detected by Qualys

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Qualys Connector.


From Qualys to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Qualys through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Host fields mapping

| Qualys field | Vulcan field |
|---|---|
| ID | Uniqueness criteria |
| vulcan_enrichment.host_search[0].data.name or DNS | Asset Name |
| Hosts | Asset type |
| IP | IP |
| OS or vulcan_enrichment.host_search[0].data.os | OS |
| vulcan_enrichment.host_search[0].data.created | Created date |
| LAST_VM_SCANNED_DATE or vulcan_enrichment.host_search[0].data.lastVulnScan | Last seen date |
| DNS_DATA.FQDN or vulcan_enrichment.host_search[0].data.fqdn | FQDN |
| vulcan_enrichment.host_search[0].data.networkInterface.list.HostAssetInterface.[*].mac_address | Multiple mac addresses |
| RESULTS (From detection) | Packages |
| vulcan_enrichment.host_search[0].data.openPort.list.HostAssetOpenPort | Open ports |
| METADATA.EC2.ATTRIBUTE | Asset Status |
| vulcan_enrichment.asset_groups, TAGS | Asset Tags - Vendor's tags |
| Host ID, QID, PORT, PROTOCOL | Vulnerability instance uniqueness criteria |
| First Found Datetime | Vulnerability instance first seen |
| Last Found Datetime | Vulnerability instance Last seen |
| vulcan_enrichment.vulnerability_details[0].data.CVSS_V3.BASE | Vulnerability instance score |
| QID | Unique Vulnerability uniqueness criteria |
| vulcan_enrichment.vulnerability_details[0].data.TITLE | Vulnerability title |
| vulcan_enrichment.vulnerability_details[0].data.CVSS_V3.BASE | Vulnerability score |
| vulcan_enrichment.vulnerability_details[0].data.DIAGNOSIS | Vulnerability description |
| Ignored, Disabled, Status | Vulnerability status |
| vulcan_enrichment.vulnerability_details[0].data.CVSS_V3.BASE | CVSS |
| vulcan_enrichment.vulnerability_details[0].data.CVE_LIST.CVE | CVE/S |
| Qualys fix for qid - {{ QID }} | Fix title |
| SOLUTION | Fix description |
| SOLUTION | Fix references |

Vulnerability status mapping

| Qualys Status | Vulcan Status |
|---|---|
| Any status that is not "Fixed", "Ignored", or "Disabled". | Vulnerable |
| Fixed. | Fixed |
| - | Ignored - false positive |
| Ignored, Disabled. | Ignored risk acknowledged |

Vulnerability score mapping

CVSS v3 Score from Qualys is mapped into the Vulcan score field.

| Qualys score | Vulcan score |
|---|---|
| CVSS v3 | CVSS v3 |

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones.

The table below lists how the status update mechanism works in the Qualys connector for the vulnerabilities and assets in the Vulcan Platform.

| Update type in Vulcan | Mechanism (When?) |
|---|---|
| The asset is archived | Asset not found on the connector's last sync; asset not seen for X days according to "Last Seen". |
| The vulnerability instance status changes to "Fixed" | Vulnerability status on the connector's side changes to "Fixed" |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

API Endpoints in Use

API version: 2.0

| API | Use in Vulcan | Permissions required |
|---|---|---|
| {{ server_url }}/api/2.0/fo/asset/host/ | Host IDs, Hosts | {{ server_url }}/api/2.0/fo/asset/host/ |
| {{ server_url }}/qps/rest/2.0/search/am/hostasset | Host search (Enrichment) | {{ server_url }}/qps/rest/2.0/search/am/hostasset |
| {{ server_url }}/api/2.0/fo/asset/group/ | Asset groups | {{ server_url }}/api/2.0/fo/asset/group/ |
| {{ server_url }}/api/2.0/fo/asset/host/vm/detection/ | Detections (Vulnerability instances) | {{ server_url }}/api/2.0/fo/asset/host/vm/detection/ |


Data Validation

The purpose of this "Data Validation" section is to provide a clear understanding of how data from Qualys is presented on the Vulcan Platform. By following the guidelines mentioned here, you will gain insights into matching unique vulnerabilities, assets, and vulnerability instances.

Assets Matching

To validate and compare assets between Vulcan and Qualys, we first retrieve assets from Vulcan using the API call: {{ server_url }}/api/2.0/fo/asset/host/.

However, in the Qualys UI, there isn't a direct filter to get all assets matching those from Vulcan's "hosts" endpoint.

Instead, we can validate a subset of assets from Qualys by navigating to the AssetView in Qualys. In Qualys AssetView, access "Assets" and search by the filter "activatedForModules:VM" to identify assets related to vulnerability management (VM).

In our example, Qualys reports 47 assets in this subset, while Vulcan indicates 55 assets. The gap arises from assets not included in the VM module in Qualys.

Vulnerabilities Instances Matching

We filter out supersedence vulnerabilities during the synchronization process; hence, these should not be ingested into Vulcan. In Qualys, navigate to AssetView, search for an asset name as it appears in Vulcan, and click on it. Go to the "Vulnerabilities" tab.

  • Ensure that all severities are selected.

  • The count of vulnerabilities in Qualys should match the count in Vulcan.

Unique Vulnerabilities Matching

In Qualys VMDR, navigate to "Vulnerabilities," view by "Vulnerability," group by "Vulnerability," and apply filters to exclude information, fixed, disabled, and ignored vulnerabilities. This will display only active Vulcan vulnerabilities.

In Qualys, we observe 1030 unique vulnerabilities, including supersedence vulnerabilities (which are filtered out in Vulcan).

Vulcan reports 1017 unique vulnerabilities. The discrepancy arises due to the exclusion of supersedence vulnerabilities in Vulcan.
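The matching rules behind these counts (instance uniqueness by Host ID, QID, PORT and PROTOCOL, the status mapping table, and the exclusion of superseded findings) can be applied to an export of detections to see where a count gap comes from. This is an added example, not Vulcan or Qualys code. It assumes hypothetical dict keys (host_id, qid, port, protocol, status, ignored, disabled) standing in for the Qualys fields in the mapping table, assumes the Ignored/Disabled flags take precedence over Status, and takes the set of superseded QIDs from the caller because the page does not say how they are identified.

```python
from collections import Counter


def vulcan_status(det):
    """Map a detection to a Vulcan status per the status mapping table."""
    # Assumption: Ignored/Disabled flags win over the Status value.
    if det.get("ignored") or det.get("disabled"):
        return "Ignored risk acknowledged"
    if det["status"] == "Fixed":
        return "Fixed"
    return "Vulnerable"  # any status that is not Fixed, Ignored or Disabled


def instance_key(det):
    """Vulnerability instance uniqueness criteria: Host ID, QID, PORT, PROTOCOL."""
    return (det["host_id"], det["qid"], det.get("port"), det.get("protocol"))


def summarize(detections, superseded_qids=frozenset()):
    """Deduplicate detections and produce the counts the validation steps compare."""
    instances = {}
    for det in detections:
        if det["qid"] in superseded_qids:
            continue  # superseded findings are filtered out during sync
        instances[instance_key(det)] = vulcan_status(det)  # last record wins
    open_keys = [k for k, s in instances.items() if s == "Vulnerable"]
    return {
        "instances": len(instances),
        "by_status": dict(Counter(instances.values())),
        "per_host_vulnerable": dict(Counter(k[0] for k in open_keys)),
        "unique_vulnerable_qids": len({k[1] for k in open_keys}),
    }


# Constructed sample records (not real scan data; QIDs are made up).
SAMPLE = [
    {"host_id": 101, "qid": 900001, "port": 443, "protocol": "tcp", "status": "Active"},
    {"host_id": 101, "qid": 900001, "port": 8443, "protocol": "tcp", "status": "New"},
    {"host_id": 101, "qid": 900001, "port": 443, "protocol": "tcp", "status": "Active"},
    {"host_id": 101, "qid": 900002, "status": "Fixed"},
    {"host_id": 102, "qid": 900001, "port": 443, "protocol": "tcp",
     "status": "Re-Opened", "ignored": True},
    {"host_id": 102, "qid": 900003, "status": "Active"},
    {"host_id": 102, "qid": 900004, "status": "Active"},  # treated as superseded
]

if __name__ == "__main__":
    print("with supersedence filter:", summarize(SAMPLE, {900004}))
    print("without filter:          ", summarize(SAMPLE))
```

Running it with and without the superseded set reproduces the kind of gap described above: the unfiltered count is higher by exactly the superseded findings.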


