Qualys Cloud Platform 10.9 (VM/PC) API notification 2

Jeff Leggett

A new release of Qualys Cloud Platform 10.9 (VM/PC) includes an updated API which is targeted for release in March 2021. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview into the coming API, allowing you to identify use cases that can leverage this updated API.

What’s New

Control References Added to Compliance Posture Information API Output
/api/2.0/fo/compliance/posture/info/?action=list
We updated the Compliance Posture Information API output to include control references. You’ll see CIS references in CIS policies, STIG references in STIG policies, and user-defined references in custom policies. This feature allows you to easily parse data based on the reference value.

Change to DNS Data in XML Output for Compliance Posture Info API
/api/2.0/fo/compliance/posture/info/?action=list
For the Compliance Posture Info API, we changed the way DNS data is presented in the XML output. Previously, we had a single tag for where we showed either the DNS hostname (e.g. xpsp2-64-24-84) or the DNS hostname with the FQDN (e.g. xpsp2-64-24-84.sample.qualys.com). When scanning Windows hosts with both a scanner and an agent, the DNS value could switch between hostname only (from agent) and hostname with FQDN (from scanner). Note – There is no change to CSV output at this time.

Asset Tag Support in Windows and Unix Authentication Records
/api/2.0/fo/auth/windows/?action=create|update
/api/2.0/fo/auth/unix/?action=create|update
/api/2.0/fo/auth/windows/?action=list
/api/2.0/fo/auth/unix/?action=list

We’re excited to introduce asset tag support for Windows and Unix authentication records. With this support, you have the option to define target hosts in your authentication record using asset tags instead of adding IP addresses/ranges to the record. At scan time, we’ll resolve the asset tags in the record to IP addresses in your account and scan them using the login credentials defined in the record.

Configure Oracle Authentication Record for Multitenant Container Database
/api/2.0/fo/auth/oracle/?action=create|update
/api/2.0/fo/auth/oracle/?action=list

When you configure an Oracle authentication record, you can now specify that the record is for a Multitenant Container Database (CDB). Specify is_cdb=1 if the database is a CDB or is_cdb=0 if the database is not a CDB. Identifying the Oracle database as CDB ensures the right compliance checks are performed for multitenant technologies. Also, when the database is a CDB, we’ll auto discover all of the Pluggable Databases (PDBs) within the container environment, and scan them for compliance. This saves you from having to create separate, additional Oracle records for each PDB instance.

Support for Database Technology Data Collection by using Underlying OS Authentication Records
/api/2.0/fo/subscription/option_profile/pc/?action=update|create
/api/2.0/fo/subscription/option_profile/pc/?action=list
/api/2.0/fo/subscription/option_profile/?action=export
/api/2.0/fo/subscription/option_profile/?action=import

Now you have an option to enable database instance data collection by using the underlying OS authentication records without creating an authentication record for the database technology.

Support to Exclude Asset Tags from Compliance Policies
/api/2.0/fo/compliance/policy/?action=list
Users already have the option to include asset tags in their compliance policies by adding tags to the policy in the Policy Editor (in the UI). Starting with this release, users will also have the option to exclude asset tags from their policies in the Policy Editor. This gives users more control over which assets will be evaluated for the policy. When listing policies using the API, you’ll now see the excluded tags for each policy in the XML output.

Improvements in Host List, Update, and Purge APIs
/api/2.0/fo/asset/host/?action=update
/api/2.0/fo/asset/host/?action=list
/api/2.0/fo/asset/host/?action=purge

  • The Host Update API (/api/2.0/fo/asset/host/?action=update) is new in this release. This API allows you to make changes to certain host attributes. This API is similar to Update IPs (/api/2.0/fo/asset/ip/?action=update) except that you can specify the host you want to update by the host ID and this API has more host filter options. The DTD for this new API is /api/2.0/fo/asset/host/dtd/update/output.dtd.
  • The Host List API (/api/2.0/fo/asset/host/?action=list) was updated to show user defined attributes in the output. The DTD for the Host List API was updated and renamed. The DTD is now /api/2.0/fo/asset/host/dtd/list/output.dtd.
  • The DTD for the Host Purge API (/api/2.0/fo/asset/host/?action=purge) was renamed to follow the new naming convention. The DTD is now /api/2.0/fo/asset/host/dtd/purge/output.dtd.

Vault Support for Oracle Authentication Record Resumed
/api/2.0/fo/auth/oracle
We have resumed the vault support for Oracle Authentication Record which was discontinued after customers reported failure when creating Oracle authentication record using vault parameters. The issues are fixed in this release and now you can use respective vault parameters when creating Oracle Authentication records. Currently we support these ten vaults from API for retrieving passwords for Oracle database instances:
1) ARCON PAM
2) Azure Key
3) BeyondTrust PBPS
4) CA Access Control
5) CyberArk AIM
6) CyberArk PIM Suite
7) HashiCorp
8) Lieberman ERPM
9) Quest Vault
10) Thycotic Secret Server

Show Comments (1)

Comments

Your email address will not be published. Required fields are marked *

  1. Hopefully the asset tag support for authentication will eliminate the need to manually input IP address ranges into an authentication record. Does this feature currently exist in Qualys GUI? Because all I see presently is option to select asset group and not asset tag.