
I'm finding the Qualys Cloud Platform an invaluable vulnerability management tool, a mass of near real-time data that shows the security posture/risk of the estate. The reporting system is "ok" (not stunning), but what is lacklustre is the automated reporting feature: you can schedule things to run, but the data ends up either in your inbox or a link away (i.e. something to click). I also find the dashboard system in the AssetView module to be equally half-baked and of limited use.

Fortunately the good guys at Qualys must know their weaknesses and have developed a rather comprehensive API, allowing you to trigger reports and download them at will.

Before reading on, I'm going to assume you know how to run a Python script and the basics of Qualys, such as how to create a report template and set the scope (i.e. which tag or asset group you want to report against), and that you have the privileges to create users.

Template ID

To trigger a report remotely you need a template; each template has an ID and we'll need it for the Python script. In Vulnerability Management -> Templates, get the info as shown...

[Screenshot: Template Info]

In the pop-up, at the very top of the page you will see the ID, write it down...

[Screenshot: Template ID]

API User

If you've followed best practice, your normal human user accounts have either SSO enabled or a token, but automation bots can't do that, so you'll need to create a dedicated API account with a nice strong password. The screenshot below has the all-important tick box highlighted:

[Screenshot: API User]

A quick note on roles: as in the screenshot, Manager permissions might need to be assigned to work around a bug where the Scanner role can't view all the vuln data from Cloud Agent; that should be fixed now and you should be able to get away with Scanner, so test your setup.

The Script

The script I've written is hosted here: qualys_report_download.txt (rename to qualys_report_download.py). The script has been tested with Python 3 and requires the requests module - maybe you want to run it in Docker?

At the top, set your credentials...

# Qualys
apiuser = 'nick'
apipass = 'linickx'
apiurl = 'https://qualysguard.qg3.apps.qualys.com/api/2.0/fo/report/'

The API URL will depend on what Qualys has issued you. The URLs are documented in the API User Guide, but I'll save you a click...

  • Qualys US Platform 1 - https://qualysapi.qualys.com
  • Qualys US Platform 2 - https://qualysapi.qg2.apps.qualys.com
  • Qualys US Platform 3 - https://qualysapi.qg3.apps.qualys.com
  • Qualys EU Platform 1 - https://qualysapi.qualys.eu
  • Qualys EU Platform 2 - https://qualysapi.qg2.apps.qualys.eu
  • Qualys India Platform 1 - https://qualysapi.qg1.apps.qualys.in
  • Qualys Private Cloud Platform - https://qualysapi.

Next set the all important Template ID...

# Template ID, this is an array so you can have many!
apitemplateid = ["1712399"]

There are a few other settings you can play with, such as changing the download path or setting a proxy, but just the ID and credentials should be enough to get you going.

The script has only been battle-tested with Host Vulnerability Data exported in CSV format. If you're doing the same thing and are also immensely irritated by the garbage at the top of every CSV export, then take a look at lines 280 to 306: there's a little bodge in there that you can un-comment to clean the top of the files.
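An added example, not the author's qualys_report_download.py: the same launch, poll and fetch flow with the API account's credentials read from the environment instead of being written into the script, and the CSV saved readable by its owner only. The environment variable names, output file name and sample XML are assumptions made for this example; the request parameters and element names follow the Qualys API v2 report endpoint and should be checked against the API User Guide.

```python
import base64, os, time, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

# Placeholder host: set QUALYS_API_URL to the platform URL Qualys issued you.
API_URL = os.environ.get("QUALYS_API_URL", "https://qualysapi.example.invalid/api/2.0/fo/report/")
# Constructed sample responses (not real output), trimmed to the elements parsed below.
SAMPLE_LAUNCH = b"<SIMPLE_RETURN><RESPONSE><TEXT>New report launched</TEXT><ITEM_LIST><ITEM><KEY>ID</KEY><VALUE>1665</VALUE></ITEM></ITEM_LIST></RESPONSE></SIMPLE_RETURN>"
SAMPLE_LIST = b"<REPORT_LIST_OUTPUT><RESPONSE><REPORT_LIST><REPORT><ID>1665</ID><STATUS><STATE>Running</STATE></STATUS></REPORT></REPORT_LIST></RESPONSE></REPORT_LIST_OUTPUT>"

def auth_headers(env=os.environ):
    """Basic-auth headers from QUALYS_API_USER / QUALYS_API_PASS (assumed variable names)."""
    user, password = env.get("QUALYS_API_USER"), env.get("QUALYS_API_PASS")
    if not user or not password:
        raise RuntimeError("set QUALYS_API_USER and QUALYS_API_PASS in the environment")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    # The v2 API rejects requests that lack an X-Requested-With header.
    return {"Authorization": "Basic " + token, "X-Requested-With": "report-download-example"}

def call(params, headers):
    # POST form parameters to the report endpoint (certificate-verified HTTPS), return the body.
    req = urllib.request.Request(API_URL, data=urllib.parse.urlencode(params).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.read()

def launched_id(xml_bytes):
    """Report ID from a launch response: the VALUE of the ITEM whose KEY is ID."""
    for item in ET.fromstring(xml_bytes).iter("ITEM"):
        if item.findtext("KEY") == "ID":
            return item.findtext("VALUE")
    raise ValueError("launch response carried no report ID")

def report_state(xml_bytes):
    """STATE of the listed report (e.g. Running, Finished), or None if it is not listed."""
    return ET.fromstring(xml_bytes).findtext(".//REPORT/STATUS/STATE")

def download(template_id, dest_dir=".", poll_seconds=30, max_polls=60):
    """Launch a CSV report from a template, wait for it, save it readable by the owner only."""
    headers = auth_headers()
    report_id = launched_id(call({"action": "launch", "template_id": template_id, "output_format": "csv"}, headers))
    for _ in range(max_polls):
        if report_state(call({"action": "list", "id": report_id}, headers)) == "Finished":
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"report {report_id} did not finish")
    path = os.path.join(dest_dir, f"qualys_report_{report_id}.csv")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # vuln data: no group/world read
    with os.fdopen(fd, "wb") as out:
        out.write(call({"action": "fetch", "id": report_id}, headers))
    return path
```

When this runs from cron, supply the two variables from a file that only the job's user can read, rather than on the command line where other local users can see them in the process list.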

What Next

Test the script manually; once you know it's working, the real power is in scheduled tasks (or cron). I then use this fresh data to create Power BI reports; this approach really does help make the Qualys data useful!

I've cross-posted the script on GitHub if you want to comment or make changes :-)

 

 
Nick Bettison ©