Qualys Integration Guide

Overview

The Qualys integration connects NINA workflows to the Qualys Vulnerability Management, Detection and Response (VMDR) platform across 35 resources and 110 operations. Operations are organized by licensed module — the operation name prefix in the dropdown (e.g., [VMDR], [PC]) indicates which module is required.

VMDR Module (80 operations):

• Activity Log — Export the subscription audit trail
• Asset Group — Create, update, delete, and list logical groupings of IPs used for scan targeting
• Domain — List and manage DNS domains used for map scans
• Dynamic Search List — Manage QID search lists that auto-update based on KB filters
• Excluded IP — Manage the exclusion list for IPs that should never be scanned
• Host — List host inventory, retrieve vulnerability detections, update and purge host records
• Ignore Vulnerability — Ignore or restore specific vulnerabilities per host
• IP — Manage IP ranges in the subscription's scan scope
• IPv6 Mapping — List, add, and remove IPv6-to-IPv4 mapping records
• Knowledge Base — Query and manage the Qualys vulnerability knowledge base (QIDs)
• Network — Manage virtual networks for multi-network subscriptions
• Option Profile — Import option profile configurations
• Option Profile (VM) — Create, update, delete, and list VMDR scan option profiles
• Report — Launch, fetch, cancel, and delete VMDR vulnerability reports
• Report Template (Map) — Delete map report templates
• Report Template (Scan) — List and delete scan report templates
• Restricted IP — Manage IPs that require explicit permission before scanning
• Scan — Launch, pause, resume, cancel, fetch, and delete vulnerability scans
• Scanner Appliance — Manage scanner appliance records and network assignments
• Scheduled Report — Create, manage, and run scheduled report tasks
• Scheduled Scan — Create and manage recurring scan schedules
• Static Search List — Manage static QID lists
• Virtual Host — Manage virtual host records

Policy Compliance Module (17 operations):

• Option Profile (PC) — Manage PC scan option profiles
• PC Control — List compliance controls
• PC Exception — Create and manage compliance exceptions
• PC Policy — Export, import, merge, and manage asset group / tag assignments for policies
• PC Posture — List host compliance posture results
• PC Scan — List and fetch compliance scan results

PCI Module (5 operations):

• Option Profile (PCI) — Manage PCI scan option profiles
• Report Template (PCI Scan) — Delete PCI scan report templates

SCAP Module (4 operations):

• SCAP ARF — Fetch SCAP ARF (Asset Reporting Format) results
• SCAP Cyberscope — Fetch CyberScope-format SCAP results (scan, policy, global)

Patch Module (1 operation):

• Report Template (Patch) — Delete patch report templates

Remediation Module (3 operations):

• Remediation Ticket — List, edit, and list deleted remediation tickets

Authentication uses HTTP Basic auth (username + password + regional pod URL). All modules share the same credential.

---

Credential Configuration

Authentication

Field	Description	Default
Username	Qualys API username	—
Password	Qualys API password	—
Base URL	Full URL of your regional Qualys pod	https://qualysapi.qg2.apps.qualys.com

Regional Pod URLs

Your Qualys subscription is hosted on a specific regional pod. Use the URL that matches your subscription:

Region	Base URL
US (Platform 2)	https://qualysapi.qg2.apps.qualys.com
US (Platform 3)	https://qualysapi.qg3.apps.qualys.com
EU (Platform 1)	https://qualysapi.qg1.apps.qualys.eu
EU (Platform 2)	https://qualysapi.qg2.apps.qualys.eu
India	https://qualysapi.qg1.apps.qualys.in
UAE	https://qualysapi.qg1.apps.qualys.ae

You can find your pod URL in the Qualys UI under Help → About.

Required Account Permissions

• The API user must have API Access enabled in Qualys user settings
• Scan operations require Scanner or Manager role
• Report operations require appropriate report subscription
• PC/PCI operations require the corresponding module license

Creating a Credential in NINA

1. Navigate to Credentials → Add New Credential
2. Select integration service: Qualys
3. Auth type: Basic Authentication
4. Enter Username, Password, and Base URL for your regional pod
5. Click Test Connection then Save

---

Supported Resources and Operations

Activity Log

Export the user activity audit trail for the subscription.

Operation	Name	HTTP Path	Description
export	[VMDR] Export Activity Log	/api/2.0/fo/activity_log/?action=list	Export activity log to CSV with optional filters

Key parameters for export:

• user_action — filter by action type (e.g., login, launch, finished)
• username — filter by specific user (Managers see all users)
• since_datetime / until_datetime — date range in YYYY-MM-DD HH:ii:ss format
• truncation_limit — max records to return
• output_format — CSV (default)

---

Asset Group

Logical groupings of IP addresses used to target and organize vulnerability scans.

Operation	Name	HTTP Path	Description
list	[VMDR] List Asset Groups	/api/2.0/fo/asset/group/?action=list	List asset groups in the user's account
add	[VMDR] Add Asset Group	/api/2.0/fo/asset/group/?action=add	Create a new asset group
edit	[VMDR] Edit Asset Group	/api/2.0/fo/asset/group/?action=edit	Update an existing asset group
delete	[VMDR] Delete Asset Group	/api/2.0/fo/asset/group/?action=delete	Delete an asset group (deactivates associated scheduled scans)

Key parameters for list:

• ids — comma-separated asset group IDs to filter
• id_min / id_max — ID range filter
• title — exact title match filter
• network_ids — filter by network ID
• truncation_limit — records per page (default: 1000; use 0 for all)
• show_attributes — ALL or specific attribute names to include

Key parameters for add / edit:

• title (required for add) — unique asset group name
• id (required for edit/delete) — asset group ID
• network_id — assign to a specific network

---

Domain

DNS domain records associated with the subscription, used as targets for map scans.

Operation	Name	HTTP Path	Description
list	[VMDR] List Domains	/msp/asset_domain_list.php	List all asset domains in the account
manage	[VMDR] Manage Domain	/api/2.0/fo/asset/domain/	Add a domain and optional netblocks

Key parameters for manage:

• domain — domain to add
• netblock — optional netblock(s) for the domain
• network_id — assign to a specific network (default: GDN/0)

---

Dynamic Search List

QID search lists defined by KB attribute filters. Qualys automatically updates which QIDs match as the knowledge base evolves.

Operation	Name	HTTP Path	Description
list	[VMDR] List Dynamic Search Lists	/api/2.0/fo/qid/search_list/dynamic/?action=list	List all dynamic search lists
create	[VMDR] Create Dynamic Search List	/api/2.0/fo/qid/search_list/dynamic/?action=create	Create a new dynamic search list
update	[VMDR] Update Dynamic Search List	/api/2.0/fo/qid/search_list/dynamic/?action=update	Update an existing dynamic search list
delete	[VMDR] Delete Dynamic Search List	/api/2.0/fo/qid/search_list/dynamic/?action=delete	Delete a dynamic search list

Key filter parameters for create / update:

• title — search list title (max 256 chars)
• global — set to 1 to make globally visible
• confirmed_severities / potential_severities — severity levels 1–5, comma-separated
• categories — vulnerability category names
• cve_ids — filter by CVE IDs
• patch_available — 1 (yes) or 0 (no)
• exploitability — filter by exploitability vendor data
• discovery_methods — Remote, Authenticated, Remote_Authenticated

---

Excluded IP

IPs that are excluded from all scans in the subscription.

Operation	Name	HTTP Path	Description
list	[VMDR] List Excluded IPs	/api/2.0/fo/asset/excluded_ip/?action=list	List currently excluded IPs
list_history	[VMDR] List Excluded IP History	/api/2.0/fo/asset/excluded_ip/history/?action=list	List exclusion history
add	[VMDR] Add Excluded Hosts	/api/2.0/fo/asset/excluded_ip/?action=add	Add IPs to the exclusion list
remove	[VMDR] Remove Excluded Hosts	/api/2.0/fo/asset/excluded_ip/?action=remove	Remove IPs from the exclusion list

Key parameters:

• ips — IP addresses or CIDR ranges, comma-separated
• network_id — restrict to a specific network (multi-network subscriptions)

---

Host

Host asset inventory and vulnerability detection data. The list_detection operation is the primary way to retrieve vulnerability findings per host.

Operation	Name	HTTP Path	Description
list	[VMDR] List Hosts	/api/2.0/fo/asset/host/?action=list	List host assets with optional filters
list_detection	[VMDR] List Host Detections	/api/2.0/fo/asset/host/vm/detection/?action=list	List vulnerability detections per host
update	[VMDR] Update Host	/api/2.0/fo/asset/host/?action=update	Update host tracking method or owner
purge	[VMDR] Purge Hosts	/api/2.0/fo/asset/host/?action=purge	Remove hosts from the asset inventory

Key parameters for list:

• ips — specific IPs or CIDR ranges
• ag_ids / ag_titles — filter by asset group
• network_ids — filter by network
• os_pattern — regex filter on OS name
• truncation_limit — default 1000; use 0 with caution (very large outputs)

Key parameters for list_detection:

• ips / ag_ids / ag_titles — target scope
• ids (QIDs) — limit to specific vulnerability IDs
• severities — filter by severity 1–5
• filter_superseded — 0 to include superseded vulns, 1 to hide (default 1)
• status — Active, New, Fixed, Re-Opened
• include_ignored / include_disabled — 0 or 1
• qids — comma-separated QID list to fetch
• detection_updated_since / detection_updated_before — date range filters
• truncation_limit — page size (responses can be very large; consider streaming)

Note: list_detection responses can be multi-GB for large subscriptions. NINA streams the XML response through a JSON converter — avoid setting truncation_limit=0 without pagination logic.

---

Ignore Vulnerability

Suppress or restore specific QID detections on a per-host basis, without affecting the knowledge base entry.

Operation	Name	HTTP Path	Description
ignore_or_restore	[VMDR] Ignore/Restore Vulnerability	/api/2.0/fo/ignore_vuln/index.php	Ignore or restore a vulnerability for specific hosts

Key parameters for ignore_or_restore:

• action — ignore or restore
• host_id — host to apply the rule to
• qids — comma-separated QIDs to ignore or restore
• comments — justification text

---

IP

IP address ranges in the subscription's scan scope.

Operation	Name	HTTP Path	Description
list	[VMDR] List IPs	/api/2.0/fo/asset/ip/?action=list	List IPs tracked in the subscription
add	[VMDR] Add IPs	/api/2.0/fo/asset/ip/?action=add	Add IPs or CIDR ranges to the subscription
update	[VMDR] Update IPs	/api/2.0/fo/asset/ip/?action=update	Update IP tracking or owner assignments

Key parameters:

• ips — IP addresses or CIDR ranges, comma-separated
• ag_title / ag_id — asset group to assign IPs to
• network_id — assign to a specific network
• tracking_method — IP, DNS, or NETBIOS
• host_dns / host_netbios — tracking value if using DNS or NetBIOS tracking

---

IPv6 Mapping

IPv4-to-IPv6 address mapping records used to track dual-stack hosts.

Operation	Name	HTTP Path	Description
list	[VMDR] List IPv6 Mapping Records	/api/2.0/fo/asset/ip/v4_v6/?action=list	List IPv4-to-IPv6 mapping records in the account
add	[VMDR] Add IPv6 Mapping Records	/api/2.0/fo/asset/ip/v4_v6/?action=add	Add IPv4-to-IPv6 address mapping records
remove	[VMDR] Remove IPv6 Mapping Records	/api/2.0/fo/asset/ip/v4_v6/?action=remove	Remove IPv4-to-IPv6 address mapping records

---

Knowledge Base

The Qualys vulnerability knowledge base (KBase). Query QID metadata, CVSS scores, CVE associations, and detection logic.

Operation	Name	HTTP Path	Description
list	[VMDR] List Knowledge Base	/api/2.0/fo/knowledge_base/vuln/?action=list	Fetch vulnerability details from the KBase
edit	[VMDR] Edit Knowledge Base Entry	/api/2.0/fo/knowledge_base/vuln/?action=edit	Edit a custom (user-defined) KBase entry
reset	[VMDR] Reset Knowledge Base Entry	/api/2.0/fo/knowledge_base/vuln/?action=reset	Reset a custom KBase entry to Qualys defaults
list_edited	[VMDR] List Edited Vulnerabilities	/api/2.0/fo/knowledge_base/vuln/?action=custom	List KBase entries that have been customized
list_qvs	[VMDR] List QVS Information	/api/2.0/fo/knowledge_base/qvs/?action=list	Fetch Qualys Vulnerability Score (QVS) data

Key parameters for list:

• ids — comma-separated QIDs to fetch
• id_min / id_max — QID range
• details — All, Basic, or None
• severity_levels — 1–5 severity filter
• published_before / published_after — publish date range
• modified_before / modified_after — last-modified date range
• is_patchable — 1 to limit to patchable vulnerabilities
• cve_ids — filter by CVE ID
• discovery_method — Remote, Authenticated, Remote_Authenticated

---

Network

Virtual networks that partition assets for multi-network subscriptions.

Operation	Name	HTTP Path	Description
list	[VMDR] List Networks	/api/2.0/fo/network/?action=list	List networks in the subscription
create	[VMDR] Create Network	/api/2.0/fo/network/?action=create	Create a new virtual network
update	[VMDR] Update Network	/api/2.0/fo/network/?action=update	Update an existing network

Key parameters:

• id (required for update) — network ID
• name — network name
• scanner_appliances — comma-separated appliance IDs to assign

---

Option Profile

Generic option profile management (not module-specific).

Operation	Name	HTTP Path	Description
import	[VMDR] Import Option Profile	/api/2.0/fo/subscription/option_profile/?action=import	Import an option profile from a previously exported file

---

Option Profile (VM)

VMDR scan option profiles define which QIDs are checked and how authentication is handled.

Operation	Name	HTTP Path	Description
list	[VMDR] List Option Profiles	/api/2.0/fo/subscription/option_profile/vm/?action=list	List VMDR option profiles
create	[VMDR] Create Option Profile	/api/2.0/fo/subscription/option_profile/vm/?action=create	Create a new VMDR option profile
update	[VMDR] Update Option Profile	/api/2.0/fo/subscription/option_profile/vm/?action=update	Update a VMDR option profile
delete	[VMDR] Delete Option Profile	/api/2.0/fo/subscription/option_profile/vm/?action=delete	Delete a VMDR option profile

Key parameters for list:

• id — fetch a specific profile by ID
• show_global — 1 to include globally visible profiles

---

Report

Generate and retrieve VMDR vulnerability reports.

Operation	Name	HTTP Path	Description
list	[VMDR] List Reports	/api/2.0/fo/report/?action=list	List reports in the user's account
launch	[VMDR] Launch Report	/api/2.0/fo/report/?action=launch	Launch a new vulnerability report
fetch	[VMDR] Fetch Report	/api/2.0/fo/report/?action=fetch	Download a completed report
cancel	[VMDR] Cancel Report	/api/2.0/fo/report/?action=cancel	Cancel a running report
delete	[VMDR] Delete Report	/api/2.0/fo/report/?action=delete	Delete a report
launch_scorecard	[VMDR] Launch Scorecard Report	/api/2.0/fo/report/scorecard/?action=launch	Launch a patch report (scorecard format)
search_asset	[VMDR] Asset Search Report	/api/2.0/fo/report/asset/?action=search	Search the Asset Management asset report

Key parameters for launch:

• template_id (required) — report template ID (use Report Template operations to find IDs)
• report_title — custom title for the report
• output_format — pdf, html, mht, xml, csv
• ips / asset_group_ids — scope the report to specific assets
• hide_header — 0 or 1

Key parameters for fetch:

• id (required) — report ID (from launch response or list)

---

Report Template (Map)

Operation	Name	HTTP Path	Description
delete	[VMDR] Delete Map Report Template	/api/2.0/fo/report/template/map/?action=delete	Delete a map report template by ID

Required parameter: id — template ID to delete.

---

Report Template (Scan)

Operation	Name	HTTP Path	Description
list	[VMDR] List Scan Report Templates (via export)	/api/2.0/fo/report/template/scan/?action=export	List all scan report templates
delete	[VMDR] Delete Scan Report Template	/api/2.0/fo/report/template/scan/?action=delete	Delete a scan report template by ID

---

Restricted IP

IPs that require explicit Manager approval before they can be added to the scan scope.

Operation	Name	HTTP Path	Description
list	[VMDR] List Restricted IPs	/api/2.0/fo/asset/ip/restricted/?action=list	List all restricted IP addresses

---

Scan

Vulnerability scan lifecycle management — launch, monitor, and retrieve results.

Operation	Name	HTTP Path	Description
list	[VMDR] List Scans	/api/2.0/fo/scan/?action=list	List scans with optional filters
launch	[VMDR] Launch Scan	/api/2.0/fo/scan/?action=launch	Launch a new vulnerability scan
pause	[VMDR] Pause Scan	/api/2.0/fo/scan/?action=pause	Pause a running scan
resume	[VMDR] Resume Scan	/api/2.0/fo/scan/?action=resume	Resume a paused scan
cancel	[VMDR] Cancel Scan	/api/2.0/fo/scan/?action=cancel	Cancel a running or paused scan
delete	[VMDR] Delete Scan	/api/2.0/fo/scan/?action=delete	Delete a scan record
fetch	[VMDR] Fetch Scan Results	/api/2.0/fo/scan/?action=fetch	Fetch raw scan results
list_overall_summary	[VMDR] Scan Summary (Aggregated)	/api/2.0/fo/scan/summary/?action=list	Aggregated summary across all scans
list_summary	[VMDR] VM Scan Summary	/api/2.0/fo/scan/vm/summary/?action=list	Per-scan VM summary statistics
list_stats	[VMDR] Scan Stats	/api/2.0/fo/scan/stats/?action=list	Detailed scan statistics
list_scanner_details	[VMDR] List Scanner Details for Scans	/api/2.0/fo/scan/scanner/?action=list	Scanner appliance details for each scan
list_pci_share_status	[VMDR] PCI Scan Share Status	/api/2.0/fo/scan/pci/?action=status	Check PCI scan share status
share_pci	[VMDR] Share PCI Scan	/api/2.0/fo/scan/pci/?action=share	Share a PCI scan with the ASV

Key parameters for launch:

• scan_title — title for the scan
• option_profile (required) — option profile name or ID
• iscanner_name — scanner appliance name; use External for external scanners
• ip — target IPs or CIDR ranges
• asset_groups — comma-separated asset group titles
• target_from — tags or assets (asset tag targeting)
• tag_include_selector / tag_exclude_selector — any or all for tag-based targeting
• scanners_in_ag — 0 or 1; use scanners assigned to the asset group

Key parameters for list:

• scan_ref — filter by scan reference ID
• state — Running, Finished, Canceled, Queued, Error, Paused
• launched_after_datetime / launched_before_datetime — date range filter
• type — On-Demand, API, Scheduled

---

Scanner Appliance

Scanner appliance records in the subscription.

Operation	Name	HTTP Path	Description
list	[VMDR] List Scanner Appliances	/api/2.0/fo/appliance/?action=list	List scanner appliances
create	[VMDR] Create Virtual Scanner Appliance	/api/2.0/fo/appliance/?action=create	Add a virtual scanner appliance record
update	[VMDR] Update Scanner Appliance	/api/2.0/fo/appliance/?action=update	Update a scanner appliance
delete	[VMDR] Delete Virtual Scanner Appliance	/api/2.0/fo/appliance/?action=delete	Remove a virtual scanner appliance
assign_network	[VMDR] Assign Scanner Appliance to Network	/api/2.0/fo/network/?action=assign_network_id	Assign a scanner to a virtual network

Key parameters for list:

• ids — comma-separated scanner IDs
• show_tags — 1 to include asset tags
• platform_provider — ec2, azure, google, etc.

---

Scheduled Report

Automatically generated reports on a recurring schedule.

Operation	Name	HTTP Path	Description
list	[VMDR] List Scheduled Reports	/api/2.0/fo/schedule/report/?action=list	List scheduled report tasks
create	[VMDR] Create Scheduled Report	/api/2.0/fo/schedule/report/?action=create	Create a new scheduled report
update	[VMDR] Update Scheduled Report	/api/2.0/fo/schedule/report/?action=update	Update an existing scheduled report
delete	[VMDR] Delete Scheduled Report	/api/2.0/fo/schedule/report/?action=delete	Delete a scheduled report
launch_now	[VMDR] Launch Scheduled Report Now	/api/2.0/fo/schedule/report/?action=launch_now	Immediately run a scheduled report outside its schedule

Key parameters for create:

• template_id (required) — report template ID
• schedule_datetime (required) — start date/time
• recurrence — once, daily, weekly, monthly
• output_format — pdf, html, xml, csv
• recipients — comma-separated email addresses

---

Scheduled Scan

Recurring vulnerability scans on a defined schedule.

Operation	Name	HTTP Path	Description
list	[VMDR] List Scheduled Scans	/api/2.0/fo/schedule/scan/?action=list	List scheduled scans
create	[VMDR] Create Scheduled Scan	/api/2.0/fo/schedule/scan/?action=create	Create a new scheduled scan
update	[VMDR] Update Scheduled Scan	/api/2.0/fo/schedule/scan/?action=update	Update an existing scheduled scan
delete	[VMDR] Delete Scheduled Scan	/api/2.0/fo/schedule/scan/?action=delete	Delete a scheduled scan

Key parameters for create:

• scan_title (required) — scan title
• option_profile (required) — option profile name or ID
• iscanner_name (required) — scanner appliance name
• ip / asset_groups — target scope
• start_datetime (required) — first run date/time
• recurrence_type — Once, Daily, Weekly, Monthly
• active — 1 (active) or 0 (paused)

---

Static Search List

Fixed lists of QIDs used to target specific vulnerabilities in option profiles.

Operation	Name	HTTP Path	Description
list	[VMDR] List Static Search Lists	/api/2.0/fo/qid/search_list/static/?action=list	List all static search lists
create	[VMDR] Create Static Search List	/api/2.0/fo/qid/search_list/static/?action=create	Create a new static search list
update	[VMDR] Update Static Search List	/api/2.0/fo/qid/search_list/static/?action=update	Update an existing static search list
delete	[VMDR] Delete Static Search List	/api/2.0/fo/qid/search_list/static/?action=delete	Delete a static search list

Key parameters for create / update:

• title — list title
• qids — comma-separated QIDs
• global — 1 to make globally visible

---

Virtual Host

Virtual host DNS-to-IP mappings used to associate domain names with scan targets.

Operation	Name	HTTP Path	Description
list	[VMDR] List Virtual Hosts	/api/2.0/fo/asset/vhost/?action=list	List virtual host records
create	[VMDR] Create Virtual Host	/api/2.0/fo/asset/vhost/?action=create	Add a virtual host record
update	[VMDR] Update Virtual Host	/api/2.0/fo/asset/vhost/?action=update	Update a virtual host record
delete	[VMDR] Delete Virtual Host	/api/2.0/fo/asset/vhost/?action=delete	Delete a virtual host record

---

Option Profile (PC)

Policy Compliance scan option profiles.

Operation	Name	HTTP Path	Description
list	[PC] List PC Option Profiles	/api/2.0/fo/subscription/option_profile/pc/?action=list	List PC option profiles
create	[PC] Create PC Option Profile	/api/2.0/fo/subscription/option_profile/pc/?action=create	Create a PC option profile
update	[PC] Update PC Option Profile	/api/2.0/fo/subscription/option_profile/pc/?action=update	Update a PC option profile
delete	[PC] Delete PC Option Profile	/api/2.0/fo/subscription/option_profile/pc/?action=delete	Delete a PC option profile

---

PC Control

Policy Compliance control library.

Operation	Name	HTTP Path	Description
list	[PC] List Controls	/api/2.0/fo/compliance/control/?action=list	List compliance controls with optional filters

Key parameters for list:

• ids — comma-separated control IDs
• policy_id — filter by policy ID
• show_qids — 1 to include associated QIDs in output

---

PC Exception

Compliance exceptions suppress control failures for specific hosts or groups.

Operation	Name	HTTP Path	Description
list	[PC] List Compliance Exceptions	/api/2.0/fo/compliance/exception/?action=list	List compliance exceptions
request	[PC] Request Compliance Exception	/api/2.0/fo/compliance/exception/?action=request	Submit a new compliance exception request
update	[PC] Update Compliance Exception	/api/2.0/fo/compliance/exception/?action=update	Update an existing compliance exception
delete	[PC] Delete Compliance Exception	/api/2.0/fo/compliance/exception/?action=delete	Delete a compliance exception

Key parameters for request:

• policy_id (required) — policy to create exception for
• control_id (required) — control to exempt
• host_id — specific host (omit for policy-wide exception)
• expiry_date — exception expiry date
• comments — justification text

---

PC Policy

Manage compliance policies — export/import for portability, merge for consolidation, and manage targeting via asset groups and tags.

Operation	Name	HTTP Path	Description
export	[PC] Export Policy	/api/2.0/fo/compliance/policy/?action=export	Export a policy definition
import	[PC] Import Policy	/api/2.0/fo/compliance/policy/?action=import	Import a policy from a file
merge	[PC] Merge Policy	/api/2.0/fo/compliance/policy/?action=merge	Merge one policy into another
manage_asset_groups	[PC] Manage Policy Asset Groups	/api/2.0/fo/compliance/policy/?action=manage_asset_groups	Assign or remove asset groups from a policy
manage_asset_tags	[PC] Manage Policy Asset Tags	/api/2.0/fo/compliance/policy/?action=manage_asset_tags	Assign or remove asset tags from a policy

Key parameters:

• id (required) — policy ID
• source_policy_id (for merge) — policy to merge into id
• add_asset_groups / remove_asset_groups — comma-separated group IDs
• add_asset_tags / remove_asset_tags — comma-separated tag IDs

---

PC Posture

Host compliance posture results — pass/fail status per control per host.

Operation	Name	HTTP Path	Description
list	[PC] List PC Posture	/api/2.0/fo/compliance/posture/info/?action=list	List host compliance posture results

Key parameters for list:

• policy_id (required) — policy to retrieve results for
• host_id — filter to a specific host
• control_id — filter to a specific control
• status — Pass, Fail, Error, Exception
• truncation_limit — page size

---

PC Scan

Policy Compliance scan results.

Operation	Name	HTTP Path	Description
list	[PC] List PC Scans	/api/2.0/fo/compliance/scan/?action=list	List PC scans
fetch	[PC] Fetch PC Scan Results	/api/2.0/fo/compliance/scan/?action=fetch	Fetch raw results for a completed PC scan

Key parameters for list:

• scan_ref — filter by scan reference
• state — Running, Finished, Canceled, Error
• launched_after_datetime / launched_before_datetime — date range

Key parameters for fetch:

• scan_ref (required) — scan reference from list
• output_format — csv or xml

---

Option Profile (PCI)

PCI compliance scan option profiles.

Operation	Name	HTTP Path	Description
list	[PCI] List PCI Option Profiles	/api/2.0/fo/subscription/option_profile/pci/?action=list	List PCI option profiles
create	[PCI] Create PCI Option Profile	/api/2.0/fo/subscription/option_profile/pci/?action=create	Create a PCI option profile
update	[PCI] Update PCI Option Profile	/api/2.0/fo/subscription/option_profile/pci/?action=update	Update a PCI option profile
delete	[PCI] Delete PCI Option Profile	/api/2.0/fo/subscription/option_profile/pci/?action=delete	Delete a PCI option profile

---

Report Template (PCI Scan)

Operation	Name	HTTP Path	Description
delete	[PCI] Delete PCI Scan Report Template	/api/2.0/fo/report/template/pciscan/?action=delete	Delete a PCI scan report template

Required parameter: id — template ID to delete.

---

SCAP ARF

SCAP Asset Reporting Format results from SCAP scans.

Operation	Name	HTTP Path	Description
fetch	[SCAP] Fetch SCAP ARF Report	/api/2.0/fo/compliance/scap/arf/	Fetch SCAP ARF results for a completed SCAP scan

Key parameters for fetch:

• scan_ref (required) — SCAP scan reference

---

SCAP Cyberscope

SCAP results in CyberScope XML format for US government compliance reporting.

Operation	Name	HTTP Path	Description
fetch_scan	[SCAP] Fetch Cyberscope SCAP Scan Report	/api/2.0/fo/asset/host/cyberscope/fdcc/scan/	Fetch CyberScope results for a specific SCAP scan
fetch_policy	[SCAP] Fetch Cyberscope SCAP Policy Report	/api/2.0/fo/asset/host/cyberscope/fdcc/policy/	Fetch CyberScope results for a specific policy
fetch_global	[SCAP] Fetch Cyberscope SCAP Global Report	/api/2.0/fo/asset/host/cyberscope/	Fetch global CyberScope report

---

Report Template (Patch)

Operation	Name	HTTP Path	Description
delete	[Patch] Delete Patch Report Template	/api/2.0/fo/report/template/patch/?action=delete	Delete a patch report template

Required parameter: id — template ID to delete.

---

Remediation Ticket

Remediation workflow tickets created when vulnerabilities are detected.

Operation	Name	HTTP Path	Description
list	[Remediation] List Remediation Tickets	/msp/ticket_list.php	List remediation tickets
edit	[Remediation] Edit Remediation Tickets	/msp/ticket_edit.php	Update ticket status or assignee
list_deleted	[Remediation] List Deleted Remediation Tickets	/msp/ticket_list_deleted.php	List deleted remediation tickets

Key parameters for list:

• id — specific ticket ID
• vuln_qids — filter by QID
• status — Open, Closed, Ignored
• assigned_to_user_id — filter by assignee
• since_ticket_number / until_ticket_number — ticket number range

Key parameters for edit:

• id (required) — ticket ID to update
• status — new status: Open, Closed, Ignored
• comments — update comment text

---

Examples

Launch a Vulnerability Scan

{
  "integration_service": "qualys",
  "resource": "scan",
  "operation": "launch",
  "parameters": {
    "scan_title": "Weekly Internal Scan",
    "option_profile": "My Option Profile",
    "iscanner_name": "Corporate Scanner",
    "ip": "10.0.0.0/24,192.168.1.0/24"
  }
}

List Host Vulnerability Detections

{
  "integration_service": "qualys",
  "resource": "host",
  "operation": "list_detection",
  "parameters": {
    "ips": "10.0.0.0/24",
    "severities": "4,5",
    "status": "Active",
    "filter_superseded": "1",
    "truncation_limit": "500"
  }
}

Query the Knowledge Base for Critical Vulnerabilities

{
  "integration_service": "qualys",
  "resource": "knowledge_base",
  "operation": "list",
  "parameters": {
    "severity_levels": "5",
    "is_patchable": "1",
    "details": "All",
    "modified_after": "2025-01-01"
  }
}

List Active Scans

{
  "integration_service": "qualys",
  "resource": "scan",
  "operation": "list",
  "parameters": {
    "state": "Running"
  }
}

Create a Scheduled Weekly Scan

{
  "integration_service": "qualys",
  "resource": "scheduled_scan",
  "operation": "create",
  "parameters": {
    "scan_title": "Weekly Web Servers",
    "option_profile": "Network Discovery Profile",
    "iscanner_name": "External",
    "asset_groups": "Web Servers",
    "start_datetime": "2026-05-05T02:00:00Z",
    "recurrence_type": "Weekly",
    "active": "1"
  }
}

Fetch Compliance Posture for a Policy

{
  "integration_service": "qualys",
  "resource": "pc_posture",
  "operation": "list",
  "parameters": {
    "policy_id": "12345",
    "status": "Fail",
    "truncation_limit": "1000"
  }
}

Export Activity Log for a Date Range

{
  "integration_service": "qualys",
  "resource": "activity_log",
  "operation": "export",
  "parameters": {
    "since_datetime": "2026-05-01 00:00:00",
    "until_datetime": "2026-05-04 23:59:59",
    "user_action": "launch"
  }
}

List Open Remediation Tickets for Critical Vulns

{
  "integration_service": "qualys",
  "resource": "remediation_ticket",
  "operation": "list",
  "parameters": {
    "status": "Open",
    "vuln_qids": "90882,105169"
  }
}

---

Common Workflow Patterns

Vulnerability Detection Pipeline

1. launch (scan) — launch a targeted vulnerability scan
2. list (scan) — poll until scan state is Finished
3. list_detection (host) — retrieve findings scoped to scan targets
4. list (knowledge_base) — enrich QIDs with severity, CVE, and remediation details
5. launch (report) — generate a formal report for stakeholders

Asset Inventory Review

1. list (host) — enumerate all tracked hosts
2. list (asset_group) — review current groupings
3. edit (asset_group) — reorganize assets as needed
4. list (ip) — verify IP scope is current

Compliance Assessment

1. list (pc_scan) — check for recent PC scan results
2. list (pc_posture) — retrieve failing controls across the policy
3. list (pc_control) — look up control definitions for context
4. create (pc_exception) — create time-bound exceptions with justification

Knowledge Base Vulnerability Triage

1. list (knowledge_base) — query new/updated QIDs in a date range
2. Filter by severity_levels=5 and is_patchable=1 to focus on actionable items
3. Create or update dynamic_search_list entries to track relevant QIDs
4. Update option_profile_vm to include new search lists in future scans

---

Best Practices

1. Use pagination: Most list operations default to 1000 records. Use truncation_limit and the id_min/id_max pattern (or the id_min cursor from truncation responses) to page through large datasets rather than setting truncation_limit=0.

2. Scope scan targets carefully: Always specify ip, ag_ids, or asset_groups when launching scans. Launching without a scope may trigger a full subscription scan.

3. Poll — don't assume: Scans and reports are asynchronous. After launch, poll list with state filter until status is Finished before calling fetch.

4. Module prefixes in operation names: The [VMDR], [PC], [PCI], [SCAP], [Patch], and [Remediation] prefixes in dropdown labels indicate which Qualys module license is required. Operations from unlicensed modules will return a 403 error.

5. Large list_detection responses: Host detection data can be very large. Use truncation_limit (default 1000) with pagination, and filter by severities, status, or detection_updated_since to reduce response size.

6. Regional pod URL: Using the wrong pod URL returns a 401 or connection error. Verify the correct URL from Help → About in the Qualys UI.

7. Store credentials securely: Never pass credentials in workflow parameters. Use NINA's credential manager exclusively.

---

Troubleshooting

Issue	Resolution
401 Unauthorized	Invalid username/password, or API access not enabled for the user account
400 Bad Request on list_detection	ips parameter may be malformed; verify CIDR notation and ensure IPs are in the subscription scope
Empty results from host.list_detection	No detections match the filters, or no scans have been run against the target IPs
Scan stuck in Running state	Check the Qualys UI for scanner appliance connectivity; call cancel if needed
403 Forbidden on PC/PCI/SCAP operations	Subscription does not include that module, or user lacks the required role
Report stays in Running state	Large reports can take minutes to hours; increase polling interval
fetch returns empty body	Report or scan may be in an error state; check list response for status field
Truncation response with id_min in output	Use the returned id_min value as the next page cursor in a subsequent request
Scanner appliance offline error on launch	Verify the scanner appliance is connected and the correct name is used
Wrong regional pod URL	Find the correct URL under Help → About in the Qualys console; update the credential's Base URL field
list_detection returns superseded vulns	Set filter_superseded=1 to hide vulnerabilities superseded by newer detections

---

Security Considerations

1. Protect API credentials: Store username and password exclusively through NINA credential management — never in workflow parameters or logs
2. Least privilege API user: Create a dedicated API-only Qualys user with the minimum role required (Reader for list/fetch, Scanner for scan operations, Manager for admin operations)
3. IP exclusion lists: Maintain the excluded_ip list to prevent scanning sensitive systems
4. Scan authorization: Ensure all target IPs are owned by your organization and authorized for scanning before launching scans
5. Credential rotation: Rotate API credentials regularly; the Qualys API does not support token-based auth

---

Additional Resources

• Qualys API Documentation
• Qualys API Quick Reference
• Finding Your Regional API Server URL
• Qualys VMDR User Guide

Updated: 2026-05-05