Qualys API - Host List and Asset Management with Python

WhatDoesKmean?

Qualys Asset Management helps cybersecurity teams to find and manage cyber risks in their known and unknown IT assets. It continuously discovers and maintains a rich asset inventory of systems including desktops, servers, and other devices.

So, if you're trying to automate launching scans, generating reports and searching for assets, I've created some Python examples that work with the Qualys API to get you started.

Prerequisites

The API endpoints are different from your login URL, so first make sure to identify your platform's API endpoint.

Introduction

This is a basic collection of Python scripts for getting started with the Qualys APIs.

Getting Started

STEP 1: Your Qualys subscription needs to have the API enabled (Note: this is a paid feature)

STEP 2: Check the prerequisites above

STEP 3: Understand the API Limits

API Resources for more information:

  1. Qualys documentation.
  2. Qualys API Quick Reference for all APIs.

Examples

AUTHORIZATION (Basic Auth)

Authentication to your Qualys account with valid Qualys credentials is required for making Qualys API requests to the Qualys API servers.

Session-based authentication: using this method, the user makes a sequence of API requests. APIs whose request URL contains /2.0/ support session-based authentication.

import requests
import json

headers = {
    'X-Requested-With': 'From Python by Leo',
}

data = {
    'action': 'login',
    'username': '<USER_NAME>',
    'password': '<PASSWORD>',
}

# Use the Qualys API session resource to make a login request.
response = requests.post('https://<QUALYS_API_ENDPOINT>/api/2.0/fo/session/', data=data, headers=headers)
# Stop here on an HTTP error instead of failing later on a missing cookie.
response.raise_for_status()

# Upon success, the request returns a session ID in the Set-Cookie HTTP header.
QualysSession = response.cookies.get_dict()["QualysSession"]

Search for vulnerability detections (make resource requests)

The session cookie (QualysSession) was extracted from the response headers returned by the session login API call. Use the API resources to make API requests, and include the session ID in the Cookie header of each request.

headers = {
    "X-Requested-With": "From Python by Leo",
    "Cookie": "QualysSession=" + QualysSession + "; path=/api; secure",
}

Example search parameters. This request produces CSV output (output_format is optional).

params = {
    "action": "list",
    "output_format": "CSV_NO_METADATA",
    "max_days_since_last_vm_scan": 15,
    "severities": "4-5",  # High, Critical
}

endpoint_url = "https://<QUALYS_API_ENDPOINT>/api/2.0/fo/asset/host/vm/detection/"
resVulns = requests.get(endpoint_url, params=params, headers=headers)
repVulns = resVulns.content
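
The login and detection request above, wrapped so that credentials come from the environment and the session is always logged out. This is an added example, not code from the original post: the environment variable names, the `X-Requested-With` value and the helper names are assumptions, and `http` is expected to be a `requests.Session`, whose cookie jar carries `QualysSession` so no manual Cookie header is needed.

```python
import os
from contextlib import contextmanager

SESSION_PATH = "/api/2.0/fo/session/"
DETECTION_PATH = "/api/2.0/fo/asset/host/vm/detection/"
HEADERS = {"X-Requested-With": "python-example"}  # constructed value

def load_credentials(env=os.environ):
    """Read credentials from the environment (variable names are assumptions)."""
    try:
        return env["QUALYS_USERNAME"], env["QUALYS_PASSWORD"]
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None

@contextmanager
def qualys_session(http, base_url, username, password, timeout=30):
    """Log in, yield the client, and log out even if the body raises."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    url = base_url.rstrip("/") + SESSION_PATH
    login = {"action": "login", "username": username, "password": password}
    http.post(url, data=login, headers=HEADERS, timeout=timeout).raise_for_status()
    if not http.cookies.get("QualysSession"):
        raise RuntimeError("login response did not set a QualysSession cookie")
    try:
        yield http
    finally:
        # End the server-side session so the cookie cannot be reused.
        http.post(url, data={"action": "logout"}, headers=HEADERS, timeout=timeout)

def list_detections(http, base_url, **filters):
    """Fetch detections; the cookie jar in `http` supplies QualysSession."""
    resp = http.get(base_url.rstrip("/") + DETECTION_PATH,
                    params={"action": "list", **filters},
                    headers=HEADERS, timeout=120)
    resp.raise_for_status()
    return resp.content

if __name__ == "__main__":
    import requests  # only needed for a live run

    user, password = load_credentials()
    base = "https://" + os.environ["QUALYS_API_HOST"]  # your platform endpoint
    with qualys_session(requests.Session(), base, user, password) as http:
        csv_bytes = list_detections(http, base, output_format="CSV_NO_METADATA",
                                    severities="4-5", max_days_since_last_vm_scan=15)
        print(len(csv_bytes), "bytes of CSV received")
```
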

Obtain asset data from the ASSETS API by Host ID

headers = {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'user': '<USER_NAME>',
    'password': '<PASSWORD>',
}

# Result limits and filter criteria
data = '''
{
    "ServiceRequest": {
        "preferences": {
            "limitResults": 100
        },
        "filters": {
            "Criteria": {
                "field": "qwebHostId",
                "operator": "EQUALS",
                "value": "<HOST_ID>"
            }
        }
    }
}
'''

endpoint_url = "https://<QUALYS_API_ENDPOINT>/qps/rest/2.0/search/am/hostasset"
resAssets = requests.post(endpoint_url, headers=headers, data=data)
assets = resAssets.json()

Available Criteria fields: subnetId, ociTagNameSpace, resourceGroup, subnet, vmId, datacenterId, type, availabilityZone, netbiosNetworkId, trackingMethod, vmType, dnsHostName, instanceState, vnicId, networkGuid, cloudProviderType, id, state, image, imageId, shape, created, awsTagKey, compartmentName, activationKey, agentConfigurationId, lastVulnScan, publicDnsName, privateIpAddress, agentConfigurationName, accountId, launchTime, ociRegion, azureTagKey, lastComplianceScan, port, name, region, subscriptionId, updated, informationGatheredUpdated, awsTagValue, ociTagValue, hostName, vlanTag, tagId, subnetName, vcnName, ibmTagKey, ibmTagValue, instanceId, tenantName, ociTagKey, vpcId, imageOffer, ibmId, ociId, ociState, imageVersion, faultDomain, routerIP, subnetCidrBlock, lastCheckedIn, address, availabilityDomain, os, qwebHostId, publicIpAddress, instanceType, publicIp, tagName, installedSoftware, compartmentId, vcnId, azureTagValue, canonicalRegionName, netbiosName, vulnsUpdated, tenantId, agentVersion, privateDnsName, location, agentUuid, nicIndex.

Available Operators: CONTAINS, IN, EQUALS, NOT EQUALS, GREATER, LESSER, NONE, IS EMPTY

Hope this helps! 🐱‍👤
