Qualys Vulnerability Management, Detection and Response (VMDR)
| Version | 6.8.0 (View all) |
| Compatible Kibana version(s) | 8.19.0 or higher 9.1.0 or higher |
| Supported Serverless project types What's this? |
Security Observability |
| Subscription level What's this? |
Basic |
| Level of support What's this? |
Elastic |
This Qualys VMDR integration is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.
The Qualys VMDR integration uses REST API mode to collect data. Elastic Agent fetches data via API endpoints.
This module has been tested against the latest Qualys VMDR version v2.
The Qualys VMDR integration collects data for the following three events:
| Event Type |
|---|
| Asset Host Detection |
| Knowledge Base |
| User Activity Log |
Reference for Rest APIs of Qualys VMDR.
Starting from Qualys VMDR integration version 6.0, the Asset Host Detection data stream includes enriched vulnerabilities data from Qualys Knowledge Base API.
Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ. Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.
| Role | Permission |
|---|---|
| Managers | All VM scanned hosts in subscription |
| Unit Managers | VM scanned hosts in user’s business unit |
| Scanners | VM scanned hosts in user’s account |
| Readers | VM scanned hosts in user’s account |
Managers, Unit Managers, Scanners, Readers have permission to download vulnerability data from the KnowledgeBase.
| Role | Permission |
|---|---|
| Managers | All actions taken by all users |
| Unit Managers | Actions taken by users in their business unit |
| Scanners | Own actions only |
| Readers | Own actions only |
Assuming that you already have a Qualys user account, to identify your Qualys platform and get the API URL, check the Qualys documentation. Alternatively, to get the API URL log in to your Qualys account and go to Help > About. You’ll find your URL under Security Operations Center (SOC).
In Kibana navigate to Management > Integrations.
In the search top bar, type Qualys VMDR.
Select the Qualys VMDR integration and add it.
While adding the integration, if you want to collect Asset Host Detection data via REST API, then you have to put the following details:
- username
- password
- url
- interval
- input parameters
- batch size
or if you want to collect Knowledge Base data via REST API, then you have to put the following details:
- username
- password
- url
- initial interval
- interval
- input parameters
or if you want to collect User Activity log data via REST API, then you have to put the following details:
- username
- password
- url
- initial interval
- interval
Save the integration.
Note
By default, the input parameter is set to action=list.
This is the Asset Host Detection dataset.
Example
{
"@timestamp": "2025-06-06T07:05:24.052Z",
"agent": {
"ephemeral_id": "cfed7d76-3f24-45b8-8ebe-2975c2ce33f5",
"id": "7a08760a-c972-4143-a43c-960e301c294e",
"name": "elastic-agent-89453",
"type": "filebeat",
"version": "8.19.0"
},
"cloud": {
"instance": {
"name": "adfssrvr"
}
},
"data_stream": {
"dataset": "qualys_vmdr.asset_host_detection",
"namespace": "98699",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "7a08760a-c972-4143-a43c-960e301c294e",
"snapshot": true,
"version": "8.19.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"vulnerability"
],
"dataset": "qualys_vmdr.asset_host_detection",
"id": "11111111",
"ingested": "2025-06-06T07:05:26Z",
"kind": "alert",
"original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"79023675-8d15-45e7-b97a-7674599ac2ff\",\"interval_start\":\"2025-06-06T07:05:24.044972383Z\"}",
"type": [
"info"
]
},
"host": {
"domain": "ADFSSRVR",
"hostname": "adfssrvr",
"id": "1",
"ip": [
"10.50.2.111"
],
"name": "adfssrvr.adfs.local",
"os": {
"full": "Windows 2016/2019/10",
"platform": "windows",
"type": "windows"
}
},
"input": {
"type": "cel"
},
"observer": {
"vendor": "Qualys VMDR"
},
"package": {
"fixed_version": [
"1092",
"1092",
"1092",
"1092",
"1092"
],
"name": [
"linux-cloud-tools-4.4.0",
"linux-aws-tools-4.4.0",
"linux-aws-headers-4.4.0",
"linux-tools-4.4.0",
"linux-aws-cloud-tools-4.4.0"
],
"version": [
"1074-aws_4.4.0-1074.84",
"1074_4.4.0-1074.84",
"1074_4.15.0-1126.135",
"1074-aws_4.4.0-1074.84",
"1074_4.4.0-1074.84"
]
},
"qualys_vmdr": {
"asset_host_detection": {
"dns": "adfssrvr.adfs.local",
"dns_data": {
"domain": "adfs.local",
"fqdn": "adfssrvr.adfs.local",
"hostname": "adfssrvr"
},
"id": "1",
"interval_id": "79023675-8d15-45e7-b97a-7674599ac2ff",
"interval_start": "2025-06-06T07:05:24.044Z",
"ip": "10.50.2.111",
"knowledge_base": {
"category": "CGI",
"consequence": {
"value": "Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks."
},
"cve_list": [
"CVE-2022-31629",
"CVE-2022-31628"
],
"diagnosis": {
"value": "This QID reports the absence of the following"
},
"discovery": {
"remote": 1
},
"last": {
"service_modification_datetime": "2023-06-29T12:20:46.000Z"
},
"patchable": false,
"pci_flag": true,
"published_datetime": "2017-06-05T21:34:49.000Z",
"qid": "101",
"severity_level": "Medium",
"software_list": [
{
"product": "None",
"vendor": "multi-vendor"
}
],
"solution": {
"value": "<B>Note:</B> To better debug the results of this QID"
},
"threat_intelligence": {
"intel": [
{
"id": "8"
}
]
},
"title": "HTTP Security Header Not Detected",
"vuln_type": "Vulnerability"
},
"last_pc_scanned_date": "2023-06-28T09:58:12.000Z",
"last_scan_datetime": "2023-07-03T06:25:17.000Z",
"last_vm_scanned_date": "2023-07-03T06:23:47.000Z",
"last_vm_scanned_duration": 1113,
"netbios": "ADFSSRVR",
"os": "Windows 2016/2019/10",
"package_nested": [
{
"fixed_version": "1092",
"name": "linux-cloud-tools-4.4.0",
"version": "1074-aws_4.4.0-1074.84"
},
{
"fixed_version": "1092",
"name": "linux-aws-tools-4.4.0",
"version": "1074_4.4.0-1074.84"
},
{
"fixed_version": "1092",
"name": "linux-aws-headers-4.4.0",
"version": "1074_4.15.0-1126.135"
},
{
"fixed_version": "1092",
"name": "linux-tools-4.4.0",
"version": "1074-aws_4.4.0-1074.84"
},
{
"fixed_version": "1092",
"name": "linux-aws-cloud-tools-4.4.0",
"version": "1074_4.4.0-1074.84"
}
],
"tracking_method": "IP",
"vulnerability": {
"affect_running_kernel": "0",
"first_found_datetime": "2021-02-05T04:50:45.000Z",
"is_disabled": false,
"is_ignored": false,
"last_fixed_datetime": "2022-12-14T06:52:57.000Z",
"last_found_datetime": "2024-03-08T20:15:41.000Z",
"last_processed_datetime": "2024-03-08T20:15:41.000Z",
"last_test_datetime": "2024-03-08T20:15:41.000Z",
"last_update_datetime": "2024-03-08T20:15:41.000Z",
"qds": {
"score": 35,
"severity": "LOW"
},
"qds_factors": [
{
"name": "CVSS",
"text": "7.7"
},
{
"name": "CVSS_version",
"text": "v3.x"
},
{
"name": "epss",
"text": "0.00232"
},
{
"name": "CVSS_vector",
"text": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
}
],
"qid": 101,
"results": "Package||Installed Version||Required Version;;linux-cloud-tools-4.4.0||1074-aws_4.4.0-1074.84||1092;;linux-aws-tools-4.4.0||1074_4.4.0-1074.84||1092;;linux-aws-headers-4.4.0||1074_4.15.0-1126.135||1092;;linux-tools-4.4.0||1074-aws_4.4.0-1074.84||1092;;linux-aws-cloud-tools-4.4.0||1074_4.4.0-1074.84||1092",
"severity": 3,
"ssl": "0",
"status": "Active",
"times_found": 5393,
"type": "Confirmed",
"unique_vuln_id": "11111111"
}
}
},
"related": {
"hosts": [
"adfssrvr",
"adfssrvr.adfs.local",
"1",
"ADFSSRVR"
],
"ip": [
"10.50.2.111"
]
},
"resource": {
"id": "1",
"name": "adfssrvr.adfs.local"
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"qualys_vmdr-asset_host_detection",
"provider_cloud_data"
],
"vulnerability": {
"category": [
"CGI"
],
"classification": "CVSS",
"description": "This QID reports the absence of the following",
"enumeration": "CVE",
"id": [
"CVE-2022-31629",
"CVE-2022-31628"
],
"package": {
"fixed_version": [
"1092",
"1092",
"1092",
"1092",
"1092"
],
"name": [
"linux-cloud-tools-4.4.0",
"linux-aws-tools-4.4.0",
"linux-aws-headers-4.4.0",
"linux-tools-4.4.0",
"linux-aws-cloud-tools-4.4.0"
],
"version": [
"1074-aws_4.4.0-1074.84",
"1074_4.4.0-1074.84",
"1074_4.15.0-1126.135",
"1074-aws_4.4.0-1074.84",
"1074_4.4.0-1074.84"
]
},
"reference": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31629",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31628"
],
"scanner": {
"vendor": "Qualys"
},
"score": {
"base": 7.7
},
"severity": "high",
"title": "HTTP Security Header Not Detected"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters |
constant_keyword |
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters |
constant_keyword |
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. |
constant_keyword |
| input.type | Type of filebeat input. | keyword |
| log.offset | Log offset. | long |
| observer.vendor | Vendor name of the observer. | constant_keyword |
| package.fixed_version | keyword | |
| qualys_vmdr.asset_host_detection.asset_id | long | |
| qualys_vmdr.asset_host_detection.cloud_provider | keyword | |
| qualys_vmdr.asset_host_detection.cloud_provider_tags.cloud_tag.last_success_date | date | |
| qualys_vmdr.asset_host_detection.cloud_provider_tags.cloud_tag.name | keyword | |
| qualys_vmdr.asset_host_detection.cloud_provider_tags.cloud_tag.value | keyword | |
| qualys_vmdr.asset_host_detection.cloud_resource_id | keyword | |
| qualys_vmdr.asset_host_detection.cloud_service | keyword | |
| qualys_vmdr.asset_host_detection.dns | keyword | |
| qualys_vmdr.asset_host_detection.dns_data.domain | keyword | |
| qualys_vmdr.asset_host_detection.dns_data.fqdn | keyword | |
| qualys_vmdr.asset_host_detection.dns_data.hostname | keyword | |
| qualys_vmdr.asset_host_detection.ec2_instance_id | keyword | |
| qualys_vmdr.asset_host_detection.id | keyword | |
| qualys_vmdr.asset_host_detection.interval_id | The universally unique identifier (UUID) values will change with each interval of ingestion. | keyword |
| qualys_vmdr.asset_host_detection.interval_start | The start time of the interval of ingestion. | date |
| qualys_vmdr.asset_host_detection.ip | ip | |
| qualys_vmdr.asset_host_detection.ipv6 | ip | |
| qualys_vmdr.asset_host_detection.knowledge_base.automatic_pci_fail | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.bugtraq_list.id | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.bugtraq_list.url | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.category | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.changelog_list.info.change_date | date | |
| qualys_vmdr.asset_host_detection.knowledge_base.changelog_list.info.comments | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.compliance_list.description | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.compliance_list.section | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.compliance_list.type | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.consequence.comment | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.consequence.value | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.exploits.explt_src.list.explt.desc | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.exploits.explt_src.list.explt.link | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.exploits.explt_src.list.explt.ref | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.exploits.explt_src.name | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.malware.src.list.info.alias | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.malware.src.list.info.id | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.malware.src.list.info.link | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.malware.src.list.info.platform | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.malware.src.list.info.rating | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.malware.src.list.info.type | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.correlation.malware.src.name | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cve_list | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.access.complexity | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.access.vector | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.authentication | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.base | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.base_obj | flattened | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.exploitability | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.impact.availability | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.impact.confidentiality | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.impact.integrity | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.remediation_level | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.report_confidence | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.temporal | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss.vector_string | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.attack.complexity | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.attack.vector | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.base | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.exploit_code_maturity | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.impact.availability | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.impact.confidentiality | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.impact.integrity | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.privileges_required | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.remediation_level | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.report_confidence | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.scope | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.temporal | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.user_interaction | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.vector_string | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.cvss_v3.version | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.detection_info | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.diagnosis.comment | match_only_text | |
| qualys_vmdr.asset_host_detection.knowledge_base.diagnosis.value | match_only_text | |
| qualys_vmdr.asset_host_detection.knowledge_base.discovery.additional_info | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.discovery.auth_type_list.value | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.discovery.remote | long | |
| qualys_vmdr.asset_host_detection.knowledge_base.error | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.id_range | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.ids | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.is_disabled | boolean | |
| qualys_vmdr.asset_host_detection.knowledge_base.last.customization.datetime | date | |
| qualys_vmdr.asset_host_detection.knowledge_base.last.customization.user_login | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.last.service_modification_datetime | date | |
| qualys_vmdr.asset_host_detection.knowledge_base.patch_published_date | date | |
| qualys_vmdr.asset_host_detection.knowledge_base.patchable | boolean | |
| qualys_vmdr.asset_host_detection.knowledge_base.pci_flag | boolean | |
| qualys_vmdr.asset_host_detection.knowledge_base.pci_reasons.value | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.published_datetime | date | |
| qualys_vmdr.asset_host_detection.knowledge_base.qid | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.severity_level | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.software_list.product | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.software_list.vendor | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.solution.comment | match_only_text | |
| qualys_vmdr.asset_host_detection.knowledge_base.solution.value | match_only_text | |
| qualys_vmdr.asset_host_detection.knowledge_base.supported_modules | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.threat_intelligence.intel.id | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.threat_intelligence.intel.text | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.title | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.vendor_reference_list.id | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.vendor_reference_list.url | keyword | |
| qualys_vmdr.asset_host_detection.knowledge_base.vuln_type | keyword | |
| qualys_vmdr.asset_host_detection.last_pc_scanned_date | date | |
| qualys_vmdr.asset_host_detection.last_scan_datetime | date | |
| qualys_vmdr.asset_host_detection.last_vm_auth_scanned_date | date | |
| qualys_vmdr.asset_host_detection.last_vm_auth_scanned_duration | long | |
| qualys_vmdr.asset_host_detection.last_vm_scanned_date | date | |
| qualys_vmdr.asset_host_detection.last_vm_scanned_duration | long | |
| qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.error.date | date | |
| qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.error.value | keyword | |
| qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.status | keyword | |
| qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.success_date | date | |
| qualys_vmdr.asset_host_detection.metadata.azure.attribute.name | keyword | |
| qualys_vmdr.asset_host_detection.metadata.azure.attribute.value | keyword | |
| qualys_vmdr.asset_host_detection.metadata.ec2.attribute.last.error.date | date | |
| qualys_vmdr.asset_host_detection.metadata.ec2.attribute.last.error.value | keyword | |
| qualys_vmdr.asset_host_detection.metadata.ec2.attribute.last.status | keyword | |
| qualys_vmdr.asset_host_detection.metadata.ec2.attribute.last.success_date | date | |
| qualys_vmdr.asset_host_detection.metadata.ec2.attribute.name | keyword | |
| qualys_vmdr.asset_host_detection.metadata.ec2.attribute.value | keyword | |
| qualys_vmdr.asset_host_detection.metadata.google.attribute.last.error.date | date | |
| qualys_vmdr.asset_host_detection.metadata.google.attribute.last.error.value | keyword | |
| qualys_vmdr.asset_host_detection.metadata.google.attribute.last.status | keyword | |
| qualys_vmdr.asset_host_detection.metadata.google.attribute.last.success_date | date | |
| qualys_vmdr.asset_host_detection.metadata.google.attribute.name | keyword | |
| qualys_vmdr.asset_host_detection.metadata.google.attribute.value | keyword | |
| qualys_vmdr.asset_host_detection.netbios | keyword | |
| qualys_vmdr.asset_host_detection.network_id | keyword | |
| qualys_vmdr.asset_host_detection.os | keyword | |
| qualys_vmdr.asset_host_detection.os_cpe | keyword | |
| qualys_vmdr.asset_host_detection.package_nested | nested | |
| qualys_vmdr.asset_host_detection.package_nested.fixed_version | keyword | |
| qualys_vmdr.asset_host_detection.package_nested.name | keyword | |
| qualys_vmdr.asset_host_detection.package_nested.version | keyword | |
| qualys_vmdr.asset_host_detection.qg_hostid | keyword | |
| qualys_vmdr.asset_host_detection.tags.background_color | keyword | |
| qualys_vmdr.asset_host_detection.tags.color | keyword | |
| qualys_vmdr.asset_host_detection.tags.id | keyword | |
| qualys_vmdr.asset_host_detection.tags.name | keyword | |
| qualys_vmdr.asset_host_detection.tracking_method | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.affect_exploitable_config | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.affect_running_kernel | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.affect_running_service | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.asset_cve | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.first_found_datetime | date | |
| qualys_vmdr.asset_host_detection.vulnerability.first_reopened_datetime | date | |
| qualys_vmdr.asset_host_detection.vulnerability.fqdn | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.instance | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.is_disabled | boolean | |
| qualys_vmdr.asset_host_detection.vulnerability.is_ignored | boolean | |
| qualys_vmdr.asset_host_detection.vulnerability.last_fixed_datetime | date | |
| qualys_vmdr.asset_host_detection.vulnerability.last_found_datetime | date | |
| qualys_vmdr.asset_host_detection.vulnerability.last_processed_datetime | date | |
| qualys_vmdr.asset_host_detection.vulnerability.last_reopened_datetime | date | |
| qualys_vmdr.asset_host_detection.vulnerability.last_test_datetime | date | |
| qualys_vmdr.asset_host_detection.vulnerability.last_update_datetime | date | |
| qualys_vmdr.asset_host_detection.vulnerability.port | long | |
| qualys_vmdr.asset_host_detection.vulnerability.protocol | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.qds.score | integer | |
| qualys_vmdr.asset_host_detection.vulnerability.qds.severity | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.qds_factors.name | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.qds_factors.text | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.qid | integer | |
| qualys_vmdr.asset_host_detection.vulnerability.results | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.service | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.severity | long | |
| qualys_vmdr.asset_host_detection.vulnerability.ssl | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.status | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.times_found | long | |
| qualys_vmdr.asset_host_detection.vulnerability.times_reopened | long | |
| qualys_vmdr.asset_host_detection.vulnerability.type | keyword | |
| qualys_vmdr.asset_host_detection.vulnerability.unique_vuln_id | keyword | |
| resource.id | keyword | |
| resource.name | keyword | |
| vulnerability.package.fixed_version | keyword | |
| vulnerability.package.name | keyword | |
| vulnerability.package.version | keyword | |
| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | constant_keyword |
| vulnerability.title | keyword |
This is the Knowledge Base dataset.
Example
{
"@timestamp": "2023-06-29T12:20:46.000Z",
"agent": {
"ephemeral_id": "4e6d92f6-8a28-471c-a03f-8c2685171b7b",
"id": "dc86e78e-6670-441f-acdd-99309474050f",
"name": "elastic-agent-65730",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "qualys_vmdr.knowledge_base",
"namespace": "47901",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "dc86e78e-6670-441f-acdd-99309474050f",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"vulnerability"
],
"dataset": "qualys_vmdr.knowledge_base",
"id": "11830",
"ingested": "2024-09-25T21:49:31Z",
"kind": "alert",
"original": "{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"11830\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"\",\"VENDOR\":\"\"}]},\"SOLUTION\":\"\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"\",\"VULN_TYPE\":\"Vulnerability\"}",
"type": [
"info"
]
},
"input": {
"type": "cel"
},
"qualys_vmdr": {
"knowledge_base": {
"category": "CGI",
"cve_list": [
"CVE-2022-31629",
"CVE-2022-31628"
],
"discovery": {
"remote": 1
},
"last": {
"service_modification_datetime": "2023-06-29T12:20:46.000Z"
},
"patchable": false,
"pci_flag": true,
"published_datetime": "2017-06-05T21:34:49.000Z",
"qid": "11830",
"severity_level": "2",
"threat_intelligence": {
"intel": [
{
"id": "8"
}
]
},
"vuln_type": "Vulnerability"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"qualys_vmdr-knowledge_base"
],
"vulnerability": {
"category": [
"CGI"
],
"id": [
"CVE-2022-31629",
"CVE-2022-31628"
],
"severity": "Medium"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| input.type | Type of filebeat input. | keyword |
| log.offset | Log offset. | long |
| qualys_vmdr.knowledge_base.automatic_pci_fail | keyword | |
| qualys_vmdr.knowledge_base.bugtraq_list.id | keyword | |
| qualys_vmdr.knowledge_base.bugtraq_list.url | keyword | |
| qualys_vmdr.knowledge_base.category | keyword | |
| qualys_vmdr.knowledge_base.changelog_list.info.change_date | date | |
| qualys_vmdr.knowledge_base.changelog_list.info.comments | keyword | |
| qualys_vmdr.knowledge_base.compliance_list.description | keyword | |
| qualys_vmdr.knowledge_base.compliance_list.section | keyword | |
| qualys_vmdr.knowledge_base.compliance_list.type | keyword | |
| qualys_vmdr.knowledge_base.consequence.comment | keyword | |
| qualys_vmdr.knowledge_base.consequence.value | keyword | |
| qualys_vmdr.knowledge_base.correlation.exploits.explt_src.list.explt.desc | keyword | |
| qualys_vmdr.knowledge_base.correlation.exploits.explt_src.list.explt.link | keyword | |
| qualys_vmdr.knowledge_base.correlation.exploits.explt_src.list.explt.ref | keyword | |
| qualys_vmdr.knowledge_base.correlation.exploits.explt_src.name | keyword | |
| qualys_vmdr.knowledge_base.correlation.malware.src.list.info.alias | keyword | |
| qualys_vmdr.knowledge_base.correlation.malware.src.list.info.id | keyword | |
| qualys_vmdr.knowledge_base.correlation.malware.src.list.info.link | keyword | |
| qualys_vmdr.knowledge_base.correlation.malware.src.list.info.platform | keyword | |
| qualys_vmdr.knowledge_base.correlation.malware.src.list.info.rating | keyword | |
| qualys_vmdr.knowledge_base.correlation.malware.src.list.info.type | keyword | |
| qualys_vmdr.knowledge_base.correlation.malware.src.name | keyword | |
| qualys_vmdr.knowledge_base.cve_list | keyword | |
| qualys_vmdr.knowledge_base.cvss.access.complexity | keyword | |
| qualys_vmdr.knowledge_base.cvss.access.vector | keyword | |
| qualys_vmdr.knowledge_base.cvss.authentication | keyword | |
| qualys_vmdr.knowledge_base.cvss.base | keyword | |
| qualys_vmdr.knowledge_base.cvss.base_obj | flattened | |
| qualys_vmdr.knowledge_base.cvss.exploitability | keyword | |
| qualys_vmdr.knowledge_base.cvss.impact.availability | keyword | |
| qualys_vmdr.knowledge_base.cvss.impact.confidentiality | keyword | |
| qualys_vmdr.knowledge_base.cvss.impact.integrity | keyword | |
| qualys_vmdr.knowledge_base.cvss.remediation_level | keyword | |
| qualys_vmdr.knowledge_base.cvss.report_confidence | keyword | |
| qualys_vmdr.knowledge_base.cvss.temporal | keyword | |
| qualys_vmdr.knowledge_base.cvss.vector_string | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.attack.complexity | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.attack.vector | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.base | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.exploit_code_maturity | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.impact.availability | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.impact.confidentiality | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.impact.integrity | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.privileges_required | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.remediation_level | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.report_confidence | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.scope | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.temporal | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.user_interaction | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.vector_string | keyword | |
| qualys_vmdr.knowledge_base.cvss_v3.version | keyword | |
| qualys_vmdr.knowledge_base.detection_info | keyword | |
| qualys_vmdr.knowledge_base.diagnosis.comment | match_only_text | |
| qualys_vmdr.knowledge_base.diagnosis.value | match_only_text | |
| qualys_vmdr.knowledge_base.discovery.additional_info | keyword | |
| qualys_vmdr.knowledge_base.discovery.auth_type_list.value | keyword | |
| qualys_vmdr.knowledge_base.discovery.remote | long | |
| qualys_vmdr.knowledge_base.error | keyword | |
| qualys_vmdr.knowledge_base.id_range | keyword | |
| qualys_vmdr.knowledge_base.ids | keyword | |
| qualys_vmdr.knowledge_base.is_disabled | boolean | |
| qualys_vmdr.knowledge_base.last.customization.datetime | date | |
| qualys_vmdr.knowledge_base.last.customization.user_login | keyword | |
| qualys_vmdr.knowledge_base.last.service_modification_datetime | date | |
| qualys_vmdr.knowledge_base.patch_published_date | date | |
| qualys_vmdr.knowledge_base.patchable | boolean | |
| qualys_vmdr.knowledge_base.pci_flag | boolean | |
| qualys_vmdr.knowledge_base.pci_reasons.value | keyword | |
| qualys_vmdr.knowledge_base.published_datetime | date | |
| qualys_vmdr.knowledge_base.qid | keyword | |
| qualys_vmdr.knowledge_base.severity_level | keyword | |
| qualys_vmdr.knowledge_base.software_list.product | keyword | |
| qualys_vmdr.knowledge_base.software_list.vendor | keyword | |
| qualys_vmdr.knowledge_base.solution.comment | match_only_text | |
| qualys_vmdr.knowledge_base.solution.value | match_only_text | |
| qualys_vmdr.knowledge_base.supported_modules | keyword | |
| qualys_vmdr.knowledge_base.threat_intelligence.intel.id | keyword | |
| qualys_vmdr.knowledge_base.threat_intelligence.intel.text | keyword | |
| qualys_vmdr.knowledge_base.title | keyword | |
| qualys_vmdr.knowledge_base.vendor_reference_list.id | keyword | |
| qualys_vmdr.knowledge_base.vendor_reference_list.url | keyword | |
| qualys_vmdr.knowledge_base.vuln_type | keyword |
This is the User Activity dataset. It connects to an API
that exports the user activity log.
Example
{
"@timestamp": "2024-01-18T12:45:24.000Z",
"agent": {
"ephemeral_id": "8541dd66-de0a-4e54-a66e-3f9dc02867df",
"id": "3acf31e6-1468-482c-b38b-d3b7397270dd",
"name": "elastic-agent-32349",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "qualys_vmdr.user_activity",
"namespace": "28709",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "3acf31e6-1468-482c-b38b-d3b7397270dd",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "request",
"agent_id_status": "verified",
"category": [
"api"
],
"dataset": "qualys_vmdr.user_activity",
"ingested": "2024-09-25T21:52:05Z",
"kind": "event",
"original": "{\"Action\":\"request\",\"Date\":\"2024-01-18T12:45:24Z\",\"Details\":\"API: /api/2.0/fo/activity_log/index.php\",\"Module\":\"auth\",\"User IP\":\"10.113.195.136\",\"User Name\":\"john\",\"User Role\":\"Reader\"}",
"provider": "auth",
"type": [
"info"
]
},
"input": {
"type": "cel"
},
"message": "API: /api/2.0/fo/activity_log/index.php",
"qualys_vmdr": {
"user_activity": {
"Action": "request",
"Date": "2024-01-18T12:45:24Z",
"Details": "API: /api/2.0/fo/activity_log/index.php",
"Module": "auth",
"User_IP": "10.113.195.136",
"User_Name": "john",
"User_Role": "Reader"
}
},
"related": {
"ip": [
"10.113.195.136"
],
"user": [
"john"
]
},
"source": {
"ip": "10.113.195.136"
},
"tags": [
"preserve_duplicate_custom_fields",
"preserve_original_event",
"forwarded",
"qualys_vmdr-user_activity"
],
"user": {
"name": "john",
"roles": [
"Reader"
]
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters |
constant_keyword |
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters |
constant_keyword |
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. |
constant_keyword |
| input.type | Type of filebeat input. | keyword |
| qualys_vmdr.user_activity.Action | keyword | |
| qualys_vmdr.user_activity.Date | date | |
| qualys_vmdr.user_activity.Details | keyword | |
| qualys_vmdr.user_activity.Module | keyword | |
| qualys_vmdr.user_activity.User_IP | keyword | |
| qualys_vmdr.user_activity.User_Name | keyword | |
| qualys_vmdr.user_activity.User_Role | keyword |
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
| 6.8.0 | Enhancement (View pull request) Use terminate processor instead of fail processor to handle agent errors. |
8.19.0 or higher 9.1.0 or higher |
| 6.7.3 | Enhancement (View pull request) Remove duplicated installation instructions from the documentation. |
8.19.0 or higher 9.1.0 or higher |
| 6.7.2 | Bug fix (View pull request) Add temporary processor to remove the fields added by the Agentless policy. |
8.19.0 or higher 9.1.0 or higher |
| 6.7.1 | Bug fix (View pull request) Prevent sending requests with an empty ids parameter to the knowledge_base API in asset_host_detection datastream. |
8.19.0 or higher 9.1.0 or higher |
| 6.7.0 | Enhancement (View pull request) Enhance the data collection of the asset_host_detection data stream to generate unique identifiers for each interval of ingestion. |
8.19.0 or higher 9.1.0 or higher |
| 6.6.1 | Bug fix (View pull request) Fix default request trace enabled behavior. |
8.19.0 or higher 9.1.0 or higher |
| 6.6.0 | Enhancement (View pull request) Add latest transform for Host Detections. |
8.19.0 or higher 9.1.0 or higher |
| 6.5.0 | Enhancement (View pull request) Update to v3 API for asset and knowledge_base data streams. |
8.18.0 or higher 9.0.0 or higher |
| 6.4.0 | Enhancement (View pull request) Add agentless deployment. |
8.18.0 or higher 9.0.0 or higher |
| 6.3.1 | Bug fix (View pull request) Fix event.category for Qualys vulnerabilities. |
8.16.0 or higher 9.0.0 or higher |
| 6.3.0 | Enhancement (View pull request) Enable request trace log removal. |
8.16.0 or higher 9.0.0 or higher |
| 6.2.2 | Bug fix (View pull request) Added description to ssl nodes in package manifest.yml file to including links to documentation. |
8.16.0 or higher 9.0.0 or higher |
| 6.2.1 | Bug fix (View pull request) Fix package_nested field in asset data stream. |
8.16.0 or higher 9.0.0 or higher |
| 6.2.0 | Enhancement (View pull request) Update Kibana constraint to support 9.0.0. |
8.16.0 or higher 9.0.0 or higher |
| 6.1.0 | Enhancement (View pull request) Tolerate missing version details in asset_host_detection vulnerability results. |
8.16.0 or higher |
| 6.0.0 | Enhancement (View pull request) Mapping changes in asset_host_detection for Cloud Detection and Response (CDR) workflows. |
8.16.0 or higher |
| 5.9.0 | Enhancement (View pull request) Add "show_igs" UI option that allows users to fetch detections records with Information Gathered.Bug fix (View pull request) Added fingerprint processor to avoid duplicate detections from same host, same QID, and scan datetime. |
8.13.0 or higher |
| 5.8.0 | Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind manually set to "pipeline_error". |
8.13.0 or higher |
| 5.7.0 | Enhancement (View pull request) Do not remove event.original in main ingest pipeline. |
8.13.0 or higher |
| 5.6.1 | Bug fix (View pull request) Handle empty XML responses in Qualys asset_host_detection. |
8.13.0 or higher |
| 5.6.0 | Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 5.5.0 | Enhancement (View pull request) Capture error with decode_xml. |
8.13.0 or higher |
| 5.4.0 | Enhancement (View pull request) Truncate very long field values. |
8.13.0 or higher |
| 5.3.0 | Enhancement (View pull request) Document required user role permissions to each API. Bug fix (View pull request) Cleanup duplicate processors in asset host detection. Bug fix (View pull request) Remove stale kibana.version requirement from README |
8.13.0 or higher |
| 5.2.2 | Bug fix (View pull request) Handle _LIST fields as array in knowledge_base data-stream. |
8.13.0 or higher |
| 5.2.1 | Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines. |
8.13.0 or higher |
| 5.2.0 | Enhancement (View pull request) Retain event.original for asset_host_detection and knowledge_base as JSON. |
8.13.0 or higher |
| 5.1.0 | Enhancement (View pull request) Set vulnerability.score.base field based on the item CVSS item under field qualys_vmdr.asset_host_detection.vulnerability.qds_factorsEnhancement (View pull request) Set vulnerability.classification field to CVSSEnhancement (View pull request) Set vulnerability.severity field based on vulnerability.score.baseEnhancement (View pull request) Set vulnerability.scanner.vendor field to QualysEnhancement (View pull request) Set vulnerability.score.version field based on the item CVSS_vector item under field qualys_vmdr.asset_host_detection.vulnerability.qds_factors |
8.13.0 or higher |
| 5.0.0 | Enhancement (View pull request) Rename fields to match Qualys name. Enhancement (View pull request) Convert numeric fields to long/integer. Enhancement (View pull request) Lowercase cloud.provider field. |
8.13.0 or higher |
| 4.3.0 | Enhancement (View pull request) Allow user configuration of cloud metadata collection. |
8.13.0 or higher |
| 4.2.2 | Bug fix (View pull request) Ensure last_modified_after query parameter is in the correct format. |
8.13.0 or higher |
| 4.2.1 | Bug fix (View pull request) Fix CEL access to unset state.params in knowledge_base. |
8.13.0 or higher |
| 4.2.0 | Enhancement (View pull request) Map cloud provider metadata to cloud fields. |
8.13.0 or higher |
| 4.1.1 | Bug fix (View pull request) Fix handling of the activity_log API response body. |
8.13.0 or higher |
| 4.1.0 | Enhancement (View pull request) Check the HTTP status code before processing the response. |
8.13.0 or higher |
| 4.0.1 | Bug fix (View pull request) Reduce severity of error from documents lacking response IDs in knowledge base. |
8.13.0 or higher |
| 4.0.0 | Enhancement (View pull request) Use field names matching Qualys names. |
8.13.0 or higher |
| 3.4.0 | Enhancement (View pull request) Improve error reporting for API request failures. |
8.13.0 or higher |
| 3.3.0 | Enhancement (View pull request) Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 3.2.2 | Bug fix (View pull request) Fix date format to match user activity API behaviour. |
8.12.0 or higher |
| 3.2.1 | Bug fix (View pull request) Disable the new user activity data stream by default. Add a toggle to preserve original event to the user activity data stream. Format the since_datetime query parameter. |
8.12.0 or higher |
| 3.2.0 | Enhancement (View pull request) Add new data stream for collecting user activity logs. |
8.12.0 or higher |
| 3.1.0 | Enhancement (View pull request) Allow original event preservation. |
8.12.0 or higher |
| 3.0.0 | Enhancement (View pull request) Expand documents to map each CVS per vulnerability. |
8.12.0 or higher |
| 2.1.0 | Enhancement (View pull request) Increase request timeout default and document timeout length warning. |
8.12.0 or higher |
| 2.0.0 | Enhancement (View pull request) Expand documents to map each vulnerability per host. |
8.12.0 or higher |
| 1.1.0 | Enhancement (View pull request) Set sensitive values as secret. |
8.12.0 or higher |
| 1.0.1 | Enhancement (View pull request) Changed owners |
8.9.0 or higher |
| 1.0.0 | Enhancement (View pull request) Release package as GA. |
8.9.0 or higher |
| 0.8.1 | Bug fix (View pull request) Fix mapping of vulnerability type and severity. |
— |
| 0.8.0 | Enhancement (View pull request) Limit request tracer log count to five. |
— |
| 0.7.0 | Enhancement (View pull request) ECS version updated to 8.11.0. |
— |
| 0.6.0 | Enhancement (View pull request) Add request tracer logging to integration. |
— |
| 0.5.1 | Bug fix (View pull request) Handle invalid input parameter for Knowledge Base data stream. |
— |
| 0.5.0 | Enhancement (View pull request) ECS version updated to 8.10.0. |
— |
| 0.4.0 | Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. |
— |
| 0.3.0 | Enhancement (View pull request) Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
— |
| 0.2.0 | Bug fix (View pull request) Update data collection of knowledge base data stream to handle different log format. |
— |
| 0.1.0 | Enhancement (View pull request) Initial Release. |
— |