« Pulse Connect Secure Integration QNAP NAS »
Elastic Docs Elastic integrations

Qualys Vulnerability Management, Detection and Response (VMDR)

edit

Qualys Vulnerability Management, Detection and Response (VMDR)

edit

Version

5.8.0 (View all)

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Elastic

This Qualys VMDR integration is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.

The Qualys VMDR integration uses REST API mode to collect data. Elastic Agent fetches data via API endpoints.

Compatibility

edit

This module has been tested against the latest Qualys VMDR version v2.

Data streams

edit

The Qualys VMDR integration collects data for the following two events:

Event Type

Asset Host Detection

Knowledge Base

User Activity Log

Reference for Rest APIs of Qualys VMDR.

Requirements

edit
  • Elastic Agent must be installed.
  • You can install only one Elastic Agent per host.
  • Elastic Agent is required to stream data through the REST API and ship the data to Elastic, where the events will then be processed via the integration’s ingest pipelines.

Installing and managing an Elastic Agent:

edit

You have a few options for installing and managing an Elastic Agent:

Install a Fleet-managed Elastic Agent (recommended):

edit

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

edit

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

edit

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

Permissions

edit
Asset Host Detection
edit
Role Permission

Managers

All VM scanned hosts in subscription

Unit Managers

VM scanned hosts in user’s business unit

Scanners

VM scanned hosts in user’s account

Readers

VM scanned hosts in user’s account
Knowledge Base
edit

Managers, Unit Managers, Scanners, Readers have permission to download vulnerability data from the KnowledgeBase.

User Activity Log
edit
Role Permission

Managers

All actions taken by all users

Unit Managers

Actions taken by users in their business unit

Scanners

Own actions only

Readers

Own actions only

Setup

edit

To collect data through REST API, follow the below steps:

edit
  • Considering you already have a Qualys user account, to identify your Qualys platform and get the API URL, refer this link.
  • Alternative way to get the API URL is to log in to your Qualys account and go to Help > About. You’ll find your URL under Security Operations Center (SOC).

Enabling the integration in Elastic:

edit
  1. In Kibana go to Management > Integrations
  2. In "Search for integrations" search bar, type Qualys VMDR
  3. Click on the "Qualys VMDR" integration from the search results.
  4. Click on the Add Qualys VMDR Integration button to add the integration.

  5. While adding the integration, if you want to collect Asset Host Detection data via REST API, then you have to put the following details:

    • username
    • password
    • url
    • interval
    • input parameters

    • batch size

      or if you want to collect Knowledge Base data via REST API, then you have to put the following details:

    • username
    • password
    • url
    • initial interval
    • interval

    • input parameters

      or if you want to collect User Activity log data via REST API, then you have to put the following details:

    • username
    • password
    • url
    • initial interval
    • interval

By default, the input parameter is set to "action=list".

Data reference

edit

Asset Host Detection

edit

This is the Asset Host Detection dataset.

Example

An example event for asset_host_detection looks as following:

{
    "@timestamp": "2024-12-05T11:02:04.225Z",
    "agent": {
        "ephemeral_id": "9c04104d-1da0-4c98-b133-0aedefdc2680",
        "id": "dccf1148-df50-4c35-a3d7-633418e936ff",
        "name": "elastic-agent-88337",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "qualys_vmdr.asset_host_detection",
        "namespace": "85068",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "dccf1148-df50-4c35-a3d7-633418e936ff",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "host"
        ],
        "dataset": "qualys_vmdr.asset_host_detection",
        "ingested": "2024-12-05T11:02:07Z",
        "kind": "alert",
        "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"197595\",\"RESULTS\":\"Package Installed Version Required Version\\nlinux-cloud-tools-4.4.0 1074-aws_4.4.0-1074.84  1092\\nlinux-aws-tools-4.4.0 1074_4.4.0-1074.84  1092\\nlinux-aws-headers-4.4.0 1074_4.15.0-1126.135  1092\\nlinux-tools-4.4.0 1074-aws_4.4.0-1074.84  1092\\nlinux-aws-cloud-tools-4.4.0 1074_4.4.0-1074.84  1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"5555555555\"},\"DNS\":\"\",\"DNS_DATA\":{\"DOMAIN\":\"\",\"FQDN\":\"\",\"HOSTNAME\":\"\"},\"ID\":\"12048633\",\"IP\":\"10.50.2.111\",\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"\",\"OS\":\"\",\"TRACKING_METHOD\":\"IP\"}",
        "type": [
            "info"
        ]
    },
    "host": {
        "id": "12048633",
        "ip": [
            "10.50.2.111"
        ]
    },
    "input": {
        "type": "cel"
    },
    "qualys_vmdr": {
        "asset_host_detection": {
            "id": "12048633",
            "ip": "10.50.2.111",
            "last_pc_scanned_date": "2023-06-28T09:58:12.000Z",
            "last_scan_datetime": "2023-07-03T06:25:17.000Z",
            "last_vm_scanned_date": "2023-07-03T06:23:47.000Z",
            "last_vm_scanned_duration": 1113,
            "tracking_method": "IP",
            "vulnerability": {
                "affect_running_kernel": "0",
                "first_found_datetime": "2021-02-05T04:50:45.000Z",
                "is_disabled": false,
                "is_ignored": false,
                "last_fixed_datetime": "2022-12-14T06:52:57.000Z",
                "last_found_datetime": "2024-03-08T20:15:41.000Z",
                "last_processed_datetime": "2024-03-08T20:15:41.000Z",
                "last_test_datetime": "2024-03-08T20:15:41.000Z",
                "last_update_datetime": "2024-03-08T20:15:41.000Z",
                "qds": {
                    "score": 35,
                    "severity": "LOW"
                },
                "qds_factors": [
                    {
                        "name": "CVSS",
                        "text": "7.7"
                    },
                    {
                        "name": "CVSS_version",
                        "text": "v3.x"
                    },
                    {
                        "name": "epss",
                        "text": "0.00232"
                    },
                    {
                        "name": "CVSS_vector",
                        "text": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
                    }
                ],
                "qid": 197595,
                "results": "Package Installed Version Required Version\nlinux-cloud-tools-4.4.0 1074-aws_4.4.0-1074.84  1092\nlinux-aws-tools-4.4.0 1074_4.4.0-1074.84  1092\nlinux-aws-headers-4.4.0 1074_4.15.0-1126.135  1092\nlinux-tools-4.4.0 1074-aws_4.4.0-1074.84  1092\nlinux-aws-cloud-tools-4.4.0 1074_4.4.0-1074.84  1092",
                "severity": 3,
                "ssl": "0",
                "status": "Active",
                "times_found": 5393,
                "type": "Confirmed",
                "unique_vuln_id": "5555555555"
            }
        }
    },
    "related": {
        "hosts": [
            "12048633"
        ],
        "ip": [
            "10.50.2.111"
        ]
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "qualys_vmdr-asset_host_detection",
        "provider_cloud_data"
    ],
    "vulnerability": {
        "classification": "CVSS",
        "scanner": {
            "vendor": "Qualys"
        },
        "score": {
            "base": 7.7
        },
        "severity": "high"
    }
}
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset.

constant_keyword

event.module

Event module.

constant_keyword

input.type

Type of filebeat input.

keyword

log.offset

Log offset.

long

qualys_vmdr.asset_host_detection.asset_id

long

qualys_vmdr.asset_host_detection.cloud_provider

keyword

qualys_vmdr.asset_host_detection.cloud_provider_tags.cloud_tag.last_success_date

date

qualys_vmdr.asset_host_detection.cloud_provider_tags.cloud_tag.name

keyword

qualys_vmdr.asset_host_detection.cloud_provider_tags.cloud_tag.value

keyword

qualys_vmdr.asset_host_detection.cloud_resource_id

keyword

qualys_vmdr.asset_host_detection.cloud_service

keyword

qualys_vmdr.asset_host_detection.dns

keyword

qualys_vmdr.asset_host_detection.dns_data.domain

keyword

qualys_vmdr.asset_host_detection.dns_data.fqdn

keyword

qualys_vmdr.asset_host_detection.dns_data.hostname

keyword

qualys_vmdr.asset_host_detection.ec2_instance_id

keyword

qualys_vmdr.asset_host_detection.id

keyword

qualys_vmdr.asset_host_detection.ip

ip

qualys_vmdr.asset_host_detection.ipv6

ip

qualys_vmdr.asset_host_detection.last_pc_scanned_date

date

qualys_vmdr.asset_host_detection.last_scan_datetime

date

qualys_vmdr.asset_host_detection.last_vm_auth_scanned_date

date

qualys_vmdr.asset_host_detection.last_vm_auth_scanned_duration

long

qualys_vmdr.asset_host_detection.last_vm_scanned_date

date

qualys_vmdr.asset_host_detection.last_vm_scanned_duration

long

qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.error.date

date

qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.error.value

keyword

qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.status

keyword

qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.success_date

date

qualys_vmdr.asset_host_detection.metadata.azure.attribute.name

keyword

qualys_vmdr.asset_host_detection.metadata.azure.attribute.value

keyword

qualys_vmdr.asset_host_detection.metadata.ec2.attribute.last.error.date

date

qualys_vmdr.asset_host_detection.metadata.ec2.attribute.last.error.value

keyword

qualys_vmdr.asset_host_detection.metadata.ec2.attribute.last.status

keyword

qualys_vmdr.asset_host_detection.metadata.ec2.attribute.last.success_date

date

qualys_vmdr.asset_host_detection.metadata.ec2.attribute.name

keyword

qualys_vmdr.asset_host_detection.metadata.ec2.attribute.value

keyword

qualys_vmdr.asset_host_detection.metadata.google.attribute.last.error.date

date

qualys_vmdr.asset_host_detection.metadata.google.attribute.last.error.value

keyword

qualys_vmdr.asset_host_detection.metadata.google.attribute.last.status

keyword

qualys_vmdr.asset_host_detection.metadata.google.attribute.last.success_date

date

qualys_vmdr.asset_host_detection.metadata.google.attribute.name

keyword

qualys_vmdr.asset_host_detection.metadata.google.attribute.value

keyword

qualys_vmdr.asset_host_detection.netbios

keyword

qualys_vmdr.asset_host_detection.network_id

keyword

qualys_vmdr.asset_host_detection.os

keyword

qualys_vmdr.asset_host_detection.os_cpe

keyword

qualys_vmdr.asset_host_detection.qg_hostid

keyword

qualys_vmdr.asset_host_detection.tags.background_color

keyword

qualys_vmdr.asset_host_detection.tags.color

keyword

qualys_vmdr.asset_host_detection.tags.id

keyword

qualys_vmdr.asset_host_detection.tags.name

keyword

qualys_vmdr.asset_host_detection.tracking_method

keyword

qualys_vmdr.asset_host_detection.vulnerability.affect_exploitable_config

keyword

qualys_vmdr.asset_host_detection.vulnerability.affect_running_kernel

keyword

qualys_vmdr.asset_host_detection.vulnerability.affect_running_service

keyword

qualys_vmdr.asset_host_detection.vulnerability.asset_cve

keyword

qualys_vmdr.asset_host_detection.vulnerability.first_found_datetime

date

qualys_vmdr.asset_host_detection.vulnerability.first_reopened_datetime

date

qualys_vmdr.asset_host_detection.vulnerability.fqdn

keyword

qualys_vmdr.asset_host_detection.vulnerability.instance

keyword

qualys_vmdr.asset_host_detection.vulnerability.is_disabled

boolean

qualys_vmdr.asset_host_detection.vulnerability.is_ignored

boolean

qualys_vmdr.asset_host_detection.vulnerability.last_fixed_datetime

date

qualys_vmdr.asset_host_detection.vulnerability.last_found_datetime

date

qualys_vmdr.asset_host_detection.vulnerability.last_processed_datetime

date

qualys_vmdr.asset_host_detection.vulnerability.last_reopened_datetime

date

qualys_vmdr.asset_host_detection.vulnerability.last_test_datetime

date

qualys_vmdr.asset_host_detection.vulnerability.last_update_datetime

date

qualys_vmdr.asset_host_detection.vulnerability.port

long

qualys_vmdr.asset_host_detection.vulnerability.protocol

keyword

qualys_vmdr.asset_host_detection.vulnerability.qds.score

integer

qualys_vmdr.asset_host_detection.vulnerability.qds.severity

keyword

qualys_vmdr.asset_host_detection.vulnerability.qds_factors.name

keyword

qualys_vmdr.asset_host_detection.vulnerability.qds_factors.text

keyword

qualys_vmdr.asset_host_detection.vulnerability.qid

integer

qualys_vmdr.asset_host_detection.vulnerability.results

keyword

qualys_vmdr.asset_host_detection.vulnerability.service

keyword

qualys_vmdr.asset_host_detection.vulnerability.severity

long

qualys_vmdr.asset_host_detection.vulnerability.ssl

keyword

qualys_vmdr.asset_host_detection.vulnerability.status

keyword

qualys_vmdr.asset_host_detection.vulnerability.times_found

long

qualys_vmdr.asset_host_detection.vulnerability.times_reopened

long

qualys_vmdr.asset_host_detection.vulnerability.type

keyword

qualys_vmdr.asset_host_detection.vulnerability.unique_vuln_id

keyword

Knowledge Base

edit

This is the Knowledge Base dataset.

Example

An example event for knowledge_base looks as following:

{
    "@timestamp": "2023-06-29T12:20:46.000Z",
    "agent": {
        "ephemeral_id": "4e6d92f6-8a28-471c-a03f-8c2685171b7b",
        "id": "dc86e78e-6670-441f-acdd-99309474050f",
        "name": "elastic-agent-65730",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "qualys_vmdr.knowledge_base",
        "namespace": "47901",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "dc86e78e-6670-441f-acdd-99309474050f",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "vulnerability"
        ],
        "dataset": "qualys_vmdr.knowledge_base",
        "id": "11830",
        "ingested": "2024-09-25T21:49:31Z",
        "kind": "alert",
        "original": "{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"11830\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"\",\"VENDOR\":\"\"}]},\"SOLUTION\":\"\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"\",\"VULN_TYPE\":\"Vulnerability\"}",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "cel"
    },
    "qualys_vmdr": {
        "knowledge_base": {
            "category": "CGI",
            "cve_list": [
                "CVE-2022-31629",
                "CVE-2022-31628"
            ],
            "discovery": {
                "remote": 1
            },
            "last": {
                "service_modification_datetime": "2023-06-29T12:20:46.000Z"
            },
            "patchable": false,
            "pci_flag": true,
            "published_datetime": "2017-06-05T21:34:49.000Z",
            "qid": "11830",
            "severity_level": "2",
            "threat_intelligence": {
                "intel": [
                    {
                        "id": "8"
                    }
                ]
            },
            "vuln_type": "Vulnerability"
        }
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "qualys_vmdr-knowledge_base"
    ],
    "vulnerability": {
        "category": [
            "CGI"
        ],
        "id": [
            "CVE-2022-31629",
            "CVE-2022-31628"
        ],
        "severity": "Medium"
    }
}
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset.

constant_keyword

event.module

Event module.

constant_keyword

input.type

Type of filebeat input.

keyword

log.offset

Log offset.

long

qualys_vmdr.knowledge_base.automatic_pci_fail

keyword

qualys_vmdr.knowledge_base.bugtraq_list.id

keyword

qualys_vmdr.knowledge_base.bugtraq_list.url

keyword

qualys_vmdr.knowledge_base.category

keyword

qualys_vmdr.knowledge_base.changelog_list.info.change_date

date

qualys_vmdr.knowledge_base.changelog_list.info.comments

keyword

qualys_vmdr.knowledge_base.compliance_list.description

keyword

qualys_vmdr.knowledge_base.compliance_list.section

keyword

qualys_vmdr.knowledge_base.compliance_list.type

keyword

qualys_vmdr.knowledge_base.consequence.comment

keyword

qualys_vmdr.knowledge_base.consequence.value

keyword

qualys_vmdr.knowledge_base.correlation.exploits.explt_src.list.explt.desc

keyword

qualys_vmdr.knowledge_base.correlation.exploits.explt_src.list.explt.link

keyword

qualys_vmdr.knowledge_base.correlation.exploits.explt_src.list.explt.ref

keyword

qualys_vmdr.knowledge_base.correlation.exploits.explt_src.name

keyword

qualys_vmdr.knowledge_base.correlation.malware.src.list.info.alias

keyword

qualys_vmdr.knowledge_base.correlation.malware.src.list.info.id

keyword

qualys_vmdr.knowledge_base.correlation.malware.src.list.info.link

keyword

qualys_vmdr.knowledge_base.correlation.malware.src.list.info.platform

keyword

qualys_vmdr.knowledge_base.correlation.malware.src.list.info.rating

keyword

qualys_vmdr.knowledge_base.correlation.malware.src.list.info.type

keyword

qualys_vmdr.knowledge_base.correlation.malware.src.name

keyword

qualys_vmdr.knowledge_base.cve_list

keyword

qualys_vmdr.knowledge_base.cvss.access.complexity

keyword

qualys_vmdr.knowledge_base.cvss.access.vector

keyword

qualys_vmdr.knowledge_base.cvss.authentication

keyword

qualys_vmdr.knowledge_base.cvss.base

keyword

qualys_vmdr.knowledge_base.cvss.base_obj

flattened

qualys_vmdr.knowledge_base.cvss.exploitability

keyword

qualys_vmdr.knowledge_base.cvss.impact.availability

keyword

qualys_vmdr.knowledge_base.cvss.impact.confidentiality

keyword

qualys_vmdr.knowledge_base.cvss.impact.integrity

keyword

qualys_vmdr.knowledge_base.cvss.remediation_level

keyword

qualys_vmdr.knowledge_base.cvss.report_confidence

keyword

qualys_vmdr.knowledge_base.cvss.temporal

keyword

qualys_vmdr.knowledge_base.cvss.vector_string

keyword

qualys_vmdr.knowledge_base.cvss_v3.attack.complexity

keyword

qualys_vmdr.knowledge_base.cvss_v3.attack.vector

keyword

qualys_vmdr.knowledge_base.cvss_v3.base

keyword

qualys_vmdr.knowledge_base.cvss_v3.exploit_code_maturity

keyword

qualys_vmdr.knowledge_base.cvss_v3.impact.availability

keyword

qualys_vmdr.knowledge_base.cvss_v3.impact.confidentiality

keyword

qualys_vmdr.knowledge_base.cvss_v3.impact.integrity

keyword

qualys_vmdr.knowledge_base.cvss_v3.privileges_required

keyword

qualys_vmdr.knowledge_base.cvss_v3.remediation_level

keyword

qualys_vmdr.knowledge_base.cvss_v3.report_confidence

keyword

qualys_vmdr.knowledge_base.cvss_v3.scope

keyword

qualys_vmdr.knowledge_base.cvss_v3.temporal

keyword

qualys_vmdr.knowledge_base.cvss_v3.user_interaction

keyword

qualys_vmdr.knowledge_base.cvss_v3.vector_string

keyword

qualys_vmdr.knowledge_base.cvss_v3.version

keyword

qualys_vmdr.knowledge_base.detection_info

keyword

qualys_vmdr.knowledge_base.diagnosis.comment

match_only_text

qualys_vmdr.knowledge_base.diagnosis.value

match_only_text

qualys_vmdr.knowledge_base.discovery.additional_info

keyword

qualys_vmdr.knowledge_base.discovery.auth_type_list.value

keyword

qualys_vmdr.knowledge_base.discovery.remote

long

qualys_vmdr.knowledge_base.error

keyword

qualys_vmdr.knowledge_base.id_range

keyword

qualys_vmdr.knowledge_base.ids

keyword

qualys_vmdr.knowledge_base.is_disabled

boolean

qualys_vmdr.knowledge_base.last.customization.datetime

date

qualys_vmdr.knowledge_base.last.customization.user_login

keyword

qualys_vmdr.knowledge_base.last.service_modification_datetime

date

qualys_vmdr.knowledge_base.patchable

boolean

qualys_vmdr.knowledge_base.pci_flag

boolean

qualys_vmdr.knowledge_base.pci_reasons.value

keyword

qualys_vmdr.knowledge_base.published_datetime

date

qualys_vmdr.knowledge_base.qid

keyword

qualys_vmdr.knowledge_base.severity_level

keyword

qualys_vmdr.knowledge_base.software_list.product

keyword

qualys_vmdr.knowledge_base.software_list.vendor

keyword

qualys_vmdr.knowledge_base.solution.comment

match_only_text

qualys_vmdr.knowledge_base.solution.value

match_only_text

qualys_vmdr.knowledge_base.supported_modules

keyword

qualys_vmdr.knowledge_base.threat_intelligence.intel.id

keyword

qualys_vmdr.knowledge_base.threat_intelligence.intel.text

keyword

qualys_vmdr.knowledge_base.title

keyword

qualys_vmdr.knowledge_base.vendor_reference_list.id

keyword

qualys_vmdr.knowledge_base.vendor_reference_list.url

keyword

qualys_vmdr.knowledge_base.vuln_type

keyword

User Activity

edit

This is the User Activity dataset. It connects to an API that exports the user activity log.

Example

An example event for user_activity looks as following:

{
    "@timestamp": "2024-01-18T12:45:24.000Z",
    "agent": {
        "ephemeral_id": "8541dd66-de0a-4e54-a66e-3f9dc02867df",
        "id": "3acf31e6-1468-482c-b38b-d3b7397270dd",
        "name": "elastic-agent-32349",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "qualys_vmdr.user_activity",
        "namespace": "28709",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "3acf31e6-1468-482c-b38b-d3b7397270dd",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "request",
        "agent_id_status": "verified",
        "category": [
            "api"
        ],
        "dataset": "qualys_vmdr.user_activity",
        "ingested": "2024-09-25T21:52:05Z",
        "kind": "event",
        "original": "{\"Action\":\"request\",\"Date\":\"2024-01-18T12:45:24Z\",\"Details\":\"API: /api/2.0/fo/activity_log/index.php\",\"Module\":\"auth\",\"User IP\":\"10.113.195.136\",\"User Name\":\"john\",\"User Role\":\"Reader\"}",
        "provider": "auth",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "cel"
    },
    "message": "API: /api/2.0/fo/activity_log/index.php",
    "qualys_vmdr": {
        "user_activity": {
            "Action": "request",
            "Date": "2024-01-18T12:45:24Z",
            "Details": "API: /api/2.0/fo/activity_log/index.php",
            "Module": "auth",
            "User_IP": "10.113.195.136",
            "User_Name": "john",
            "User_Role": "Reader"
        }
    },
    "related": {
        "ip": [
            "10.113.195.136"
        ],
        "user": [
            "john"
        ]
    },
    "source": {
        "ip": "10.113.195.136"
    },
    "tags": [
        "preserve_duplicate_custom_fields",
        "preserve_original_event",
        "forwarded",
        "qualys_vmdr-user_activity"
    ],
    "user": {
        "name": "john",
        "roles": [
            "Reader"
        ]
    }
}
Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

event.dataset

Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.

constant_keyword

event.module

Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.

constant_keyword

input.type

Type of filebeat input.

keyword

qualys_vmdr.user_activity.Action

keyword

qualys_vmdr.user_activity.Date

date

qualys_vmdr.user_activity.Details

keyword

qualys_vmdr.user_activity.Module

keyword

qualys_vmdr.user_activity.User_IP

keyword

qualys_vmdr.user_activity.User_Name

keyword

qualys_vmdr.user_activity.User_Role

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

5.8.0

Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind manually set to "pipeline_error".

8.13.0 or higher

5.7.0

Enhancement (View pull request)
Do not remove event.original in main ingest pipeline.

8.13.0 or higher

5.6.1

Bug fix (View pull request)
Handle empty XML responses in Qualys asset_host_detection.

8.13.0 or higher

5.6.0

Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error".

8.13.0 or higher

5.5.0

Enhancement (View pull request)
Capture error with decode_xml.

8.13.0 or higher

5.4.0

Enhancement (View pull request)
Truncate very long field values.

8.13.0 or higher

5.3.0

Enhancement (View pull request)
Document required user role permissions to each API.

Bug fix (View pull request)
Cleanup duplicate processors in asset host detection.

Bug fix (View pull request)
Remove stale kibana.version requirement from README

8.13.0 or higher

5.2.2

Bug fix (View pull request)
Handle _LIST fields as array in knowledge_base data-stream.

8.13.0 or higher

5.2.1

Bug fix (View pull request)
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.13.0 or higher

5.2.0

Enhancement (View pull request)
Retain event.original for asset_host_detection and knowledge_base as JSON.

8.13.0 or higher

5.1.0

Enhancement (View pull request)
Set vulnerability.score.base field based on the item CVSS item under field qualys_vmdr.asset_host_detection.vulnerability.qds_factors

Enhancement (View pull request)
Set vulnerability.classification field to CVSS

Enhancement (View pull request)
Set vulnerability.severity field based on vulnerability.score.base

Enhancement (View pull request)
Set vulnerability.scanner.vendor field to Qualys

Enhancement (View pull request)
Set vulnerability.score.version field based on the item CVSS_vector item under field qualys_vmdr.asset_host_detection.vulnerability.qds_factors

8.13.0 or higher

5.0.0

Enhancement (View pull request)
Rename fields to match Qualys name.

Enhancement (View pull request)
Convert numeric fields to long/integer.

Enhancement (View pull request)
Lowercase cloud.provider field.

8.13.0 or higher

4.3.0

Enhancement (View pull request)
Allow user configuration of cloud metadata collection.

8.13.0 or higher

4.2.2

Bug fix (View pull request)
Ensure last_modified_after query parameter is in the correct format.

8.13.0 or higher

4.2.1

Bug fix (View pull request)
Fix CEL access to unset state.params in knowledge_base.

8.13.0 or higher

4.2.0

Enhancement (View pull request)
Map cloud provider metadata to cloud fields.

8.13.0 or higher

4.1.1

Bug fix (View pull request)
Fix handling of the activity_log API response body.

8.13.0 or higher

4.1.0

Enhancement (View pull request)
Check the HTTP status code before processing the response.

8.13.0 or higher

4.0.1

Bug fix (View pull request)
Reduce severity of error from documents lacking response IDs in knowledge base.

8.13.0 or higher

4.0.0

Enhancement (View pull request)
Use field names matching Qualys names.

8.13.0 or higher

3.4.0

Enhancement (View pull request)
Improve error reporting for API request failures.

8.13.0 or higher

3.3.0

Enhancement (View pull request)
Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

3.2.2

Bug fix (View pull request)
Fix date format to match user activity API behaviour.

8.12.0 or higher

3.2.1

Bug fix (View pull request)
Disable the new user activity data stream by default. Add a toggle to preserve original event to the user activity data stream. Format the since_datetime query parameter.

8.12.0 or higher

3.2.0

Enhancement (View pull request)
Add new data stream for collecting user activity logs.

8.12.0 or higher

3.1.0

Enhancement (View pull request)
Allow original event preservation.

8.12.0 or higher

3.0.0

Enhancement (View pull request)
Expand documents to map each CVS per vulnerability.

8.12.0 or higher

2.1.0

Enhancement (View pull request)
Increase request timeout default and document timeout length warning.

8.12.0 or higher

2.0.0

Enhancement (View pull request)
Expand documents to map each vulnerability per host.

8.12.0 or higher

1.1.0

Enhancement (View pull request)
Set sensitive values as secret.

8.12.0 or higher

1.0.1

Enhancement (View pull request)
Changed owners

8.9.0 or higher

1.0.0

Enhancement (View pull request)
Release package as GA.

8.9.0 or higher

0.8.1

Bug fix (View pull request)
Fix mapping of vulnerability type and severity.

0.8.0

Enhancement (View pull request)
Limit request tracer log count to five.

0.7.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

0.6.0

Enhancement (View pull request)
Add request tracer logging to integration.

0.5.1

Bug fix (View pull request)
Handle invalid input parameter for Knowledge Base data stream.

0.5.0

Enhancement (View pull request)
ECS version updated to 8.10.0.

0.4.0

Enhancement (View pull request)
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.

0.3.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

0.2.0

Bug fix (View pull request)
Update data collection of knowledge base data stream to handle different log format.

0.1.0

Enhancement (View pull request)
Initial Release.

« Pulse Connect Secure Integration QNAP NAS »