Conversation

@kcreddy kcreddy commented Dec 9, 2025

Proposed commit message

qualys_vmdr: Add support for Host Detection API v5.0

With v3.0 being deprecated, this PR adds support for the
v5.0 version of the Host Detection API. Other Qualys APIs
are still at their latest versions.

The v5.0 Host Detection API adds the following elements under
the DETECTION list:
- CVE
- VULNERABILITY_DETECTION_SOURCES
- LATEST_VULNERABILITY_DETECTION_SOURCE
- MITRE_TACTIC_NAME
- MITRE_TECHNIQUE_NAME
- MITRE_TACTIC_ID
- MITRE_TECHNIQUE_ID
- TRURISK_ELIMINATION_STATUS

v5.0 Host Detection API also adds ALICLOUD element 
under METADATA similar to GOOGLE and AZURE.

The values of these fields inside the new test data are taken
from the live Qualys API data and the documentation here [1]
and here [2].

Diff between current v3.0 API and new v5.0 API is here [3].

[1] https://blog.qualys.com/product-tech/2025/05/27/eliminate-risk-with-precision-introducing-vulnerability-detection-sources-in-vmdr 
[2] https://cdn2.qualys.com/docs/qualys-enterprise-trurisk-platform-10.36-lcr-support-kernel-live-patch-linux.pdf
[3] https://github.com/elastic/integrations/issues/15968#issuecomment-3597587300

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Pipeline and system tests pass

Pipeline Tests:

--- Test results for package: qualys_vmdr - START ---
╭─────────────┬──────────────────────┬───────────┬──────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE     │ DATA STREAM          │ TEST TYPE │ TEST NAME                                                        │ RESULT │ TIME ELAPSED │
├─────────────┼──────────────────────┼───────────┼──────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ qualys_vmdr │ asset_host_detection │ pipeline  │ (ingest pipeline warnings test-asset-host-detection-events.json) │ PASS   │ 582.362042ms │
│ qualys_vmdr │ asset_host_detection │ pipeline  │ (ingest pipeline warnings test-asset-host-detection.log)         │ PASS   │ 578.550125ms │
│ qualys_vmdr │ asset_host_detection │ pipeline  │ test-asset-host-detection-events.json                            │ PASS   │  62.849833ms │
│ qualys_vmdr │ asset_host_detection │ pipeline  │ test-asset-host-detection.log                                    │ PASS   │ 256.747667ms │
╰─────────────┴──────────────────────┴───────────┴──────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: qualys_vmdr - END   ---
Done

System Tests:

--- Test results for package: qualys_vmdr - START ---
╭─────────────┬──────────────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE     │ DATA STREAM          │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├─────────────┼──────────────────────┼───────────┼───────────┼────────┼───────────────┤
│ qualys_vmdr │ asset_host_detection │ system    │ ahd-kb    │ PASS   │ 40.058051167s │
╰─────────────┴──────────────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: qualys_vmdr - END   ---
Done

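As an added example (not code from this PR or the integration, whose pipeline is built from Elasticsearch ingest processors): a Python parser for the v5.0 DETECTION elements listed above that splits the comma-separated values, tolerating the whitespace differences seen in the samples, and pairs the positionally aligned MITRE tactic and technique IDs. The sample XML is constructed; QID and CVE ids are placeholders, and the tactic names are assumed from the ATT&CK IDs.

```python
import xml.etree.ElementTree as ET

# v5.0 DETECTION elements that Qualys delivers as one comma-separated text node.
MULTI_VALUE = {
    "CVE",
    "VULNERABILITY_DETECTION_SOURCES",
    "MITRE_TACTIC_NAME",
    "MITRE_TECHNIQUE_NAME",
    "MITRE_TACTIC_ID",
    "MITRE_TECHNIQUE_ID",
}

def split_list(text):
    """Split 'TA0008, TA0004' or 'Cloud Agent,Internal Scanner' into a clean list.
    The samples differ in whitespace after the comma, so every item is stripped."""
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_detection(xml_text):
    """Return the DETECTION child elements as a dict keyed by lower-cased tag name,
    list-valued for the multi-value elements, plus an explicit tactic/technique pairing."""
    out = {}
    for child in ET.fromstring(xml_text):
        text = (child.text or "").strip()
        key = child.tag.lower()
        out[key] = split_list(text) if child.tag in MULTI_VALUE else text
    tactics = out.get("mitre_tactic_id", [])
    techniques = out.get("mitre_technique_id", [])
    # The ID lists are positionally aligned; refuse to pair them if the lengths
    # disagree rather than silently attributing a technique to the wrong tactic.
    out["mitre_pairs"] = list(zip(tactics, techniques)) if len(tactics) == len(techniques) else None
    return out

# Constructed sample: element names and the MITRE/source values follow the PR test
# data; QID and CVE ids are placeholders, tactic names are assumed from the IDs.
SAMPLE = """<DETECTION>
<QID>0</QID>
<CVE>CVE-0000-0001, CVE-0000-0002</CVE>
<VULNERABILITY_DETECTION_SOURCES>Cloud Agent,Internal Scanner</VULNERABILITY_DETECTION_SOURCES>
<LATEST_VULNERABILITY_DETECTION_SOURCE>Cloud Agent</LATEST_VULNERABILITY_DETECTION_SOURCE>
<MITRE_TACTIC_NAME>Lateral Movement, Privilege Escalation</MITRE_TACTIC_NAME>
<MITRE_TECHNIQUE_NAME>Exploitation of Remote Services, Exploitation for Privilege Escalation</MITRE_TECHNIQUE_NAME>
<MITRE_TACTIC_ID>TA0008, TA0004</MITRE_TACTIC_ID>
<MITRE_TECHNIQUE_ID>T1210, T1068</MITRE_TECHNIQUE_ID>
<TRURISK_ELIMINATION_STATUS>FIXED</TRURISK_ELIMINATION_STATUS>
</DETECTION>"""
```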

Comment on lines +854 to +858
- rename:
field: json.METADATA.ALICLOUD.ATTRIBUTE
tag: rename_METADATA_ALICLOUD_ATTRIBUTE
target_field: qualys_vmdr.asset_host_detection.metadata.alicloud.attribute
ignore_missing: true
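Review bot: nothing in the pipeline tests exercises this rename, since by the author's own note there is no live or documented ALICLOUD sample and the mapping is copied from GOOGLE and AZURE; please add a detection record that carries a METADATA.ALICLOUD.ATTRIBUTE block to test-asset-host-detection.log or test-asset-host-detection-events.json so the rename to qualys_vmdr.asset_host_detection.metadata.alicloud.attribute and its field definition are verified, and record in the changelog that the ALICLOUD mapping is modelled on the other providers rather than confirmed against live data.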
Contributor Author

There was no live data or documentation available for the ALICLOUD element. I applied the mapping according to the corresponding GOOGLE and AZURE elements of METADATA (they are exactly alike).

<MITRE_TECHNIQUE_NAME>Exploitation of Remote Services, Exploitation for Privilege Escalation</MITRE_TECHNIQUE_NAME>
<MITRE_TACTIC_ID>TA0008, TA0004</MITRE_TACTIC_ID>
<MITRE_TECHNIQUE_ID>T1210, T1068</MITRE_TECHNIQUE_ID>
<TRURISK_ELIMINATION_STATUS>FIXED</TRURISK_ELIMINATION_STATUS>
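Review bot: the MITRE_TACTIC_ID, MITRE_TECHNIQUE_ID and the two *_NAME elements are comma-separated lists whose positions correspond (TA0008 with T1210, Lateral Movement with Exploitation of Remote Services; TA0004 with T1068, Privilege Escalation with Exploitation for Privilege Escalation), so if the pipeline splits them into separate arrays the expected test output should confirm that order is preserved and the README should state that the arrays are positionally aligned. The FIXED value for TRURISK_ELIMINATION_STATUS has no documented source yet, so keep it marked as unconfirmed in the sample until a real value is verified.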
Contributor Author

I couldn't find possible values for TRURISK_ELIMINATION_STATUS in live data or documentation.
@clement-fouque, can you confirm if this value makes sense?

Comment on lines +63 to +64
<VULNERABILITY_DETECTION_SOURCES>Cloud Agent,Internal Scanner</VULNERABILITY_DETECTION_SOURCES>
<LATEST_VULNERABILITY_DETECTION_SOURCE>Cloud Agent</LATEST_VULNERABILITY_DETECTION_SOURCE>
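Review bot: the separator in this sample is a bare comma ("Cloud Agent,Internal Scanner") while the MITRE sample uses a comma followed by a space ("TA0008, TA0004"); a split processor on "," alone would leave a leading space in one of the two cases, so split on a comma with optional surrounding whitespace (or trim each element afterwards) and include both spellings in the test sample so the expected output catches the difference.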
Contributor Author

@kcreddy kcreddy Dec 9, 2025

Sample values taken from the documentation here, as I couldn't get them from live data.
cc: @clement-fouque

@kcreddy kcreddy marked this pull request as ready for review December 9, 2025 13:38
@kcreddy kcreddy requested a review from a team as a code owner December 9, 2025 13:38
@kcreddy kcreddy self-assigned this Dec 9, 2025
@kcreddy kcreddy added enhancement New feature or request Integration:qualys_vmdr Qualys VMDR Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Dec 9, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elasticmachine

💚 Build Succeeded

cc @kcreddy

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Dec 9, 2025
@efd6 efd6 requested a review from clement-fouque December 9, 2025 22:36

@efd6 efd6 left a comment

LGTM, but please wait for @clement-fouque.

Development

Successfully merging this pull request may close these issues.

[qualys_vmdr] Deprecation of API 2.0/3.0/4.0 for Asset Host Detection