Log in to create and rate content, and to follow, bookmark, and share content with other members. Not a member? Join Now!

AnsweredAssumed Answered

Qualys API - List Assets by Vulnerability Title

Question asked by Robert Williams on Jun 24, 2018
Latest reply on Aug 12, 2019 by DMFezzaReed

Like • Show 2 Likes2
Comment • 16

Howdy all,

I've trawled through the API documentation and the community and can't seem to find an answer to what I thought would be something simple.

Currently when I want to see how many assets contain a vulnerability I can simply use the AssetView->Assets Search functionality. It's awesome, works very fast, helps build widgets that I can chuck onto my teams' boards to aid in those exceptional circumstances such as zero days. Classic example:

I'm currently building some services that have use-cases to do this programatically.

Some important pieces to note:

- Aside from some adhoc sysadmin work, do not use the VM->Reporting function at all. So we have no report IDs to reference. We entirely live in live-dashboard land with continuous scanning provided by host-based agents on every asset.

- Our continuous scanning means I won't have a reference to any scan IDs; scans do exist but they are limited to infrastructure not pertaining servers/workstations.

So my question/s are:

- Is there an API I can hit with the exact same syntax as the AssetView search functionality in the above image?

- Is there any API I can hit with vulnerability ID's, names, or is there any way to replicate the list in the image programatically?

Here's hoping I missed something obvious!

Kind Regards,

Robbie

Robert Williams Sep 16, 2018 8:07 AM

Correct Answer

GitHub - teknorob/qualys-elastic-search-POC: A proof of concept for using qualys elastic search API

As promised, here it is:

It's nothing amazing to look at but hopefully it helps someone out there.

See the reply in context

No one else had this question

Outcomes

16 Replies

Sam Friday Jun 25, 2018 6:04 AM

Have you tried "api/2.0/fo/report/asset" ?

Here is some Powershell

$vulnTitle = "TITLEOFVULN"
$url = 'https://'+$v2_server+"api/2.0/fo/report/asset/?action=search&echo_request=0&qid_with_text=$vulnTitle"

[xml]$status=Invoke-RestMethod -Uri $url -Method get -Headers $header -WebSession $websession

Logout of API

Here are some other API reference guides Documentation | Qualys, Inc.

I like the https://www.qualys.com/docs/qualys-api-quick-reference.pdf

1 person found this helpful

Actions

Robert Williams @ Sam Friday on Jun 25, 2018 9:27 PM

Hey Sam, thanks for the response.

Unfortunately this doesn't quite work well enough:

Request
https://{{base_url}}/api/2.0/fo/report/asset?action=search&echo_request=0&qid_with_text=flash&output_format=xml&use_tags=1&tag_set_by=name&tag_set_include=Cloud Agent

Response
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qg1.apps.qualys.in/api/2.0/simple_return.dtd"> <SIMPLE_RETURN> <RESPONSE> <DATETIME>2018-06-26T04:13:19Z</DATETIME> <CODE>1901</CODE> <TEXT>Unrecognized parameter(s): qid_with_text</TEXT> </RESPONSE> </SIMPLE_RETURN>

As per the API documentation qid_with_text won't work without supplying the qids parameter. This means I'd need to enumerate all the QIDs related to a particular vulnerability, by name (if possible). And even then I can only use 20 at a time in the /report/asset API resource.

This particular API resource is close to what I'm after but unfortunately not flexible enough to use in my case.

1 person found this helpful

Actions

Sam Friday @ Robert Williams on Jun 26, 2018 7:01 AM
Mark Correct
Correct Answer
You are correct.
Its a bit crazy (and I may be wrong but it worked for me) but you would have to pull down the whole 'knowledge base' (NOTE: this takes like 5 to 10 min) then find the QIDs based on the search text in the title ('flash') and compile the list (I am doing CSV format do to the ease of handling it with powershell ). Hope this helps some.

#If you need to specify the TLS version
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$header = @{"X-Requested-With"="powershell"}
#Base URLs
$v1_server = "qualysapi.qualys.com/msp/"
$v2_server = "qualysapi.qualys.com"
$url = 'https://'+$v2_server+"/api/2.0/fo/session/?action=login&username=$username&password=$password"
$method = 'POST'
$return =''

#SignIn
[xml]$return = Invoke-RestMethod -Uri $url -Method $method -Headers $header -SessionVariable session
$websession = $session
$return.SIMPLE_RETURN.RESPONSE.TEXT | Out-String
$url = 'https://'+$v2_server+"/api/2.0/fo/knowledge_base/vuln/?action=list&echo_request=0"
$methodGET='GET'

#Get Knowlagebase and sort by Titles that contain 'flash'
[xml]$knowBase = Invoke-RestMethod -Uri $url -Method $methodGET -Headers $header -WebSession $websession
$flashvulns = $knowBase.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN | where {$_.TITLE.'#cdata-section' -match 'flash'}
$totalCount = $flashvulns.QID.count
$count = 20
$totalList=@()

#Loop through found QIDs to complile full list
do {
   if ($totalCount -ge $count) {
      $totalCount = $totalCount - $count
   } else {$totalCount = $totalCount - $totalCount}

   try {
      $QID = ($flashvulns.QID | select -Last $totalCount | select -First $count) -join ','
   } Catch {$QID = ($flashvulns.QID | select -Last $totalCount | select -First $totalCount) -join ','}
   #write-host "Qids are: "$QID
   #write-host "Qids Left: "$totalCount
   $url = 'https://'+$v2_server+"/api/2.0/fo/report/asset/?action=search&echo_request=0&output_format=csv&asset_groups=All&qids=$QID"
   $methodGET='GET'
   $assetList = Invoke-RestMethod -Uri $url -Method $methodGET -Headers $header -WebSession $websession
   $totalList = $totalList + $assetList
} Until ($totalCount -lt 20)
$totalList | Export-Csv -Path "file/path/to.csv" -NoTypeInformation
#View as array in powershell
$arraylist = $totalList | ConvertFrom-Csv
#Signout
$url = 'https://'+$v2_server+"/api/2.0/fo/session/?action=logout"
[xml]$return2=Invoke-RestMethod -Uri $url -Method $method -Headers $header -WebSession $websession
2 people found this helpful
Like • Show 1 Like1
Actions
- Robert Williams @ Sam Friday on Jun 26, 2018 11:07 PM
  Mark Correct
  Correct Answer
  Holy guacamole,
  I very much appreciate your help; That's definitely going to achieve the outcome however won't quite work in a Function as a Service (AWS Lambdas) based application without building a script that persists the data your script is extracting. Essentially I'd be building my own little Qualys, without the scanner component.
  I'm looking for a way to just pull the list based on a search; like is there a method of applying the same syntax query string from the asset view search to the API.
  Although your method will work, the difference is between that script taking 5-10 minutes versus the search box taking about 2-5 seconds.
  
  Robbie.
  1 person found this helpful
  Like • Show 2 Likes2
  Actions
  - DMFezzaReed @ Robert Williams on Jun 27, 2018 5:42 PM
    Mark Correct
    Correct Answer
    There is no API access for Elastic Search, the engine behind AssetView. But you should be able to query based on title [I believe] through the host detection API. As I have noted in previous posts, I use cURL to test my queries, and I think this query has just about everything you might need to accomplish your task. I keep this command stored, as-is, color-coded (and all) by logical segment, and am happy to share. This command should help you visualize what you are asking for in the query. Please see prabhasgupte note below for additional reference materials on the parameters.
    
    BLACK - PRIMARY CMD STRING
    RED - ASSETS
    BLUE - TIMEFRAME
    YELLOW - OUTPUT FORMAT
    GREY - DETECTION SELECTION
    
    curl -u “USERID:PASSWORD" -H "X-Requested-With: Curl” -X "POST" "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/?
    action=list&
    use_tags=1&
    tag_set_include=ASSETTAG&
    tag_set_exclude= ASSETTAG, ASSETTAG, ASSETTAG&
    show_tags=1&
    max_days_since_last_vm_scan=45&
    show_results=1&
    show_reopened_info=1&
    output_format=CSV&
    suppress_duplicated_data_from_csv=0&
    truncation_limit=0&
    status=New,Active,Re-Opened,Fixed&
    include_search_list_titles=SEARCH_LIST&
    exclude_search_list_titles=SEARCH_LIST&
    active_kernels_only=0”
    Like • Show 1 Like1
    Actions
    - Robert Williams @ DMFezzaReed on Jun 27, 2018 9:03 PM
      Mark Correct
      Correct Answer
      This presents an interesting idea; programatically building a search list and applying it to the host vm detection endpoint.
      I'll look into it and get back to you, thanks for the suggestion.
      1 person found this helpful
      Like • Show 1 Like1
      Actions
      - DMFezzaReed @ Robert Williams on Jun 28, 2018 9:55 AM
        Mark Correct
        Correct Answer
        Robert,
        
        Please do keep me posted. I want to make sure you can be successful. Let me know how I can help.
        
        Deb
        Like • Show 0 Likes0
        Actions
        Robert Williams @ DMFezzaReed on Jul 1, 2018 6:28 AM
        Mark Correct
        Correct Answer
        Hey Deb just an update,
        
        I've played around with the API semi successfully creating and deleting the search lists and applying them to the vm detection api. Unfortunately there's only one caveat that is a serious killer; time. Creating a search list takes about a second, deleting takes a bit less than that, but the host/vm/detection API with a search list takes between 49 seconds and 90 seconds to run. Far too slow and there's no means of further optimising.
        I have one last ace up my sleeve before I start to get desperate;
        
        /portal-front/dwr/call/plaincall/_svc_asset_AssetQueryService.downloadXMLReport.dwr
        
        params:
        c0-scriptName=_svc_asset_AssetQueryService
        c0-methodName=downloadXMLReport
        c0-id=0
        c0-param0=string:XML
        c0-param1=string:{"filters":[{"field":"query","type":"string","value":"vulnerabilities.vulnerability.title: flash"}],"sortInfo":{"field":"updated","dir":"DESC"}}
        
        fyi c0-param1 needs to be URL encoded.
        
        I assume this is very unsupported but it appears to be the only way I can leverage the elastic search that Qualys is not providing in the API. In the meantime I've put a feature request in through my TAM.
        
        Will keep you posted.
        1 person found this helpful
        Like • Show 1 Like1
        Actions

Prabhas Gupte Jun 26, 2018 1:36 AM
Mark Correct
Correct Answer
If you have list of QIDs, you can use Host List Detection API.
Param tag_set_include will allow you to set Asset Tags of your interest, and param qids will allow you to filter for specific QIDs.

Please refer to https://www.qualys.com/docs/qualys-api-v2-user-guide.pdf page 164 for more params.

Sample curl call could be:
```
curl -X GET \
 'https://{your API server}/api/2.0/fo/asset/host/vm/detection/?action=list&status=New,Active,Re-Opened&output_format=XML&use_tags=1&tag_set_by=name&tag_set_include={Tags of your interest}&show_results=0&qids={QIDs of your interest}' \
 -H 'Authorization: Basic {your Auth token}'
```
This won't give you fields like last logged-in user, but it can tell you when the host was last scanned, when each of those QIDs was found on each of those hosts, and how many time etc.
2 people found this helpful
Like • Show 1 Like1
Actions
DMFezzaReed Jun 28, 2018 2:39 PM
Mark Correct
Correct Answer
If you are participating in the Dashboard Toolbox - Vulnerability Management (PVM) Dashboard BETA in your subscription, I have attached a zip file containing a dashboard focusing on Adobe Product Vulnerabilities, Type: Confirmed, Status: New, Active, Reopened, and detected within the last 6 months (today - 6M). Based on the results in the chart, I customized each widget to focus on a specific Adobe Product.

For example, to grab Shockwave detections, I used:
vulnerabilities.vulnerability.vendors.productName: shock and vulnerabilities.vulnerability.vendors.vendorName: adobe and vulnerabilities.status:[NEW,ACTIVE,REOPENED] and vulnerabilities.typeDetected:Confirmed

If you import this dashboard and find a different set of Top 10 Adobe Product Results, you will need to edit the tables (as shown above) and the widget title, to match your findings.

dashboard_toolbox
Attachments
- Adobe_-_OPEN_-_Confirmed_-_Within_6_Months_BETA_dashboard.zip3.5 KB
1 person found this helpful
Like • Show 0 Likes0
Actions
- Robert Williams @ DMFezzaReed on Jun 27, 2018 5:27 PM
  Mark Correct
  Correct Answer
  Thanks for sharing, Debra. I had no idea that the VM was undergoing a new 'skinning', looks much nicer than the existing theme.
  Unfortunately this doesn't solve my problem as it needs to be an API based solution for programmatic access.
  1 person found this helpful
  Like • Show 1 Like1
  Actions
  - DMFezzaReed @ Robert Williams on Jul 13, 2018 11:02 PM
    Mark Correct
    Correct Answer
    I added an API command string in line with the other API related responses. Let me know if it works for you.
    
    dashboard_ideation
    vmdb_beta
    1 person found this helpful
    Like • Show 0 Likes0
    Actions
- DMFezzaReed @ DMFezzaReed on Aug 12, 2019 8:42 PM
  Mark Correct
  Correct Answer
  dashboard_vm, vmdashboard_json
  Like • Show 0 Likes0
  Actions
Busby Jul 2, 2018 5:05 AM
Mark Correct
Correct Answer
Robert,

It may be faster to break some of this up. I have some criteria done in Powershell similar to what you may be doing and I download one or more scan results then run the scan data through this routine and it identifys the assets meeting my criteria including QID, PORTS etc.. and what ever else I want at the moment.

Let me know if I can help but thanks for filing the FR I fully support that the Elastic Search needs to have an API drive as well.

David
Like • Show 2 Likes2
Actions

Robert Williams Sep 15, 2018 1:34 AM

So I took a break from all this, apologies to anyone anxiously awaiting an answer but here it is;

I've successfully built a package in node to manage authentication, session, and to query the undocumented API that the Qualys GUI utilizes. It's important I note that the API I'm hitting is one that we all already use in the GUI, but isn't documented at all for programmatic use (i.e. it's pretty much tailored for the Qualys GUI)

The search button on the Asset View search page hits an endpoint called _svc_asset_AssetQueryService.findAs.dwr which returns a callback for the javascript to refresh the page without.. refreshing the page. The response also contains a JSON object for use by the callback.

It's typescript model look a little something like:

Header 1
declare module namespace { export interface MetaData { limit: number; root: string; start: number; totalProperty: string; } export interface Attributes { platform.entityClass: string; groupByFields: any[]; onlyFoundQid: boolean; tags: number[]; } export interface NicAddress { address: string; hostname: string; id: number; interfaceId?: any; interfaceName: string; macAddress: string; type: string; } export interface EC2 { agentVersion?: any; chirpStatus?: any; errorStatus: boolean; firstDiscovered: string; id: number; lastCheckedIn?: any; lastFullScan?: any; lastUpdated: string; platform?: any; source?: any; status?: any; type: string; } export interface QAGENT { agentVersion: string; chirpStatus: string; errorStatus: boolean; firstDiscovered?: any; id: number; lastCheckedIn: string; lastFullScan?: any; lastUpdated?: any; platform: string; source?: any; status: string; type: string; } export interface SourceInfo { EC2: EC2; QAGENT: QAGENT; } export interface List { hostName: string; nicAddresses: NicAddress[]; created: string; activationModulesNoProfileFound: any[]; lastVmScanDate: string; lastUserLoggedIn: string; operatingSystem: string; activationModulesPending: any[]; assetType: string; taglist?: any; activationModulesQueuedManifestGen: any[]; trackingMethod: string; sourceInfo: SourceInfo; name: string; showAllTags?: any; id: number; activationModules: string[]; updated: string; } export interface RootObject { metaData: MetaData; total: number; attributes: Attributes; list: List[]; } }

Header 1

declare module namespace {

export interface MetaData {
limit: number;
root: string;
start: number;
totalProperty: string;
}

export interface Attributes {
platform.entityClass: string;
groupByFields: any[];
onlyFoundQid: boolean;
tags: number[];
}

export interface NicAddress {
address: string;
hostname: string;
id: number;
interfaceId?: any;
interfaceName: string;
macAddress: string;
type: string;
}

export interface EC2 {
agentVersion?: any;
chirpStatus?: any;
errorStatus: boolean;
firstDiscovered: string;
id: number;
lastCheckedIn?: any;
lastFullScan?: any;
lastUpdated: string;
platform?: any;
source?: any;
status?: any;
type: string;
}

export interface QAGENT {
agentVersion: string;
chirpStatus: string;
errorStatus: boolean;
firstDiscovered?: any;
id: number;
lastCheckedIn: string;
lastFullScan?: any;
lastUpdated?: any;
platform: string;
source?: any;
status: string;
type: string;
}

export interface SourceInfo {
EC2: EC2;
QAGENT: QAGENT;
}

export interface List {
hostName: string;
nicAddresses: NicAddress[];
created: string;
activationModulesNoProfileFound: any[];
lastVmScanDate: string;
lastUserLoggedIn: string;
operatingSystem: string;
activationModulesPending: any[];
assetType: string;
taglist?: any;
activationModulesQueuedManifestGen: any[];
trackingMethod: string;
sourceInfo: SourceInfo;
name: string;
showAllTags?: any;
id: number;
activationModules: string[];
updated: string;
}

export interface RootObject {
metaData: MetaData;
total: number;
attributes: Attributes;
list: List[];
}

}

It has everything you could need to know about the assets.

The request to the API looks a little something like:

Header 1
var request = require("request"); var options = { method: 'POST', url: 'https://qualysguard.qg1.apps.qualys.in/portal-front/dwr/call/plaincall/_svc_asset_AssetQueryService.findAs.dwr', headers: { 'Postman-Token': OMITTED, 'Cache-Control': 'no-cache', Cookie: 'QualysSession=OMITTED', 'Accept-Language': 'en-US,en;q=0.9', 'Accept-Encoding': 'gzip, deflate, br', Referer: 'https://qualysguard.qg1.apps.qualys.in/portal-front/module/asset/', Accept: '/', 'Content-Type': 'text/plain', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36', Origin: 'https://qualysguard.qg1.apps.qualys.in' }, body: 'callCount=1\nwindowName=\nc0-scriptName=_svc_asset_AssetQueryService\nc0-methodName=findAs\nc0-id=0\nc0-e1=string:vulnerabilities.vulnerability.title%3A%20%22meltdown%22\nc0-e2=number:0\nc0-e3=number:50\nc0-e4=string:updated\nc0-e5=boolean:false\nc0-param0=Object_Object:{query:reference:c0-e1, offset:reference:c0-e2, limit:reference:c0-e3, sort:reference:c0-e4, sortAsc:reference:c0-e5}\nrequest-template-0={"$RT$":true,"rt":["id","name","assetType","taglist","hostName","operatingSystem","lastVmScanDate","created","updated","showAllTags","nicAddresses","lastUserLoggedIn","trackingMethod","activationModules","activationModulesPending","activationModulesNoProfileFound","activationModulesQueuedManifestGen","sourceInfo"],"ct":{}}\nbatchId=53\ninstanceId=0\npage=%2Fportal-front%2Fmodule%2Fasset%2F\nscriptSessionId=OMITTED\n' }; request(options, function (error, response, body) { if (error) throw new Error(error); console.log(body); });

Header 1

var request = require("request");

var options = { method: 'POST',
url: 'https://qualysguard.qg1.apps.qualys.in/portal-front/dwr/call/plaincall/_svc_asset_AssetQueryService.findAs.dwr',
headers:
{ 'Postman-Token': OMITTED,
'Cache-Control': 'no-cache',
Cookie: 'QualysSession=OMITTED',
'Accept-Language': 'en-US,en;q=0.9',
'Accept-Encoding': 'gzip, deflate, br',
Referer: 'https://qualysguard.qg1.apps.qualys.in/portal-front/module/asset/',
Accept: '*/*',
'Content-Type': 'text/plain',
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36',
Origin: 'https://qualysguard.qg1.apps.qualys.in' },
body: 'callCount=1\nwindowName=\nc0-scriptName=_svc_asset_AssetQueryService\nc0-methodName=findAs\nc0-id=0\nc0-e1=string:vulnerabilities.vulnerability.title%3A%20%22meltdown%22\nc0-e2=number:0\nc0-e3=number:50\nc0-e4=string:updated\nc0-e5=boolean:false\nc0-param0=Object_Object:{query:reference:c0-e1, offset:reference:c0-e2, limit:reference:c0-e3, sort:reference:c0-e4, sortAsc:reference:c0-e5}\nrequest-template-0={"$RT$":true,"rt":["id","name","assetType","taglist","hostName","operatingSystem","lastVmScanDate","created","updated","showAllTags","nicAddresses","lastUserLoggedIn","trackingMethod","activationModules","activationModulesPending","activationModulesNoProfileFound","activationModulesQueuedManifestGen","sourceInfo"],"ct":{}}\nbatchId=53\ninstanceId=0\npage=%2Fportal-front%2Fmodule%2Fasset%2F\nscriptSessionId=OMITTED\n' };

request(options, function (error, response, body) {
if (error) throw new Error(error);

console.log(body);
});

The QualysSession cookie in the above is obtainable from the /api/2.0/fo/session/ resource, so I built a helper to manage the session around that also.

The result: instead of waiting up to 80 seconds I now wait a mere 1-2 seconds. A totally user-friendly waiting period.

Once I finish integrating with my Alexa app I'll generalise this package and make it available for others to use. I'd like to put out a thanks to all who tried to help here, unfortunately we were all constrained to only recommend answers involving the documented API's, but the answer actually lay somewhere less 'supported'.

Actions

Robert Williams @ Robert Williams on Sep 16, 2018 8:07 AM
Unmark Correct
Correct Answer
GitHub - teknorob/qualys-elastic-search-POC: A proof of concept for using qualys elastic search API

As promised, here it is:

It's nothing amazing to look at but hopefully it helps someone out there.
2 people found this helpful
Like • Show 3 Likes3
Actions

Qualys API - List Assets by Vulnerability Title

Outcomes

Attachments

Related Content

Recommended Content

Incoming Links