At a glance

Vendor: Qualys — VMDR platform. Works on any Qualys regional platform (US1, US2, US3, EU1, EU2, IN, CA, UK, UAE).
Source type: vulnerability
Vendor ID (slug): qualys-vmdr
Base URL: Regional — default https://qualysapi.qualys.com (US1). Override for other regions (see Setup step 1).
Auth method: HTTP Basic Auth with a service-account username:password, plus a mandatory X-Requested-With header that Draxis sets automatically on every call.
Schedule default: daily — matches Qualys's natural scan-result update cadence. Hourly adds cost without new data.
Licensing: Core KRIs (QDS exposure, Patch Tuesday lag, EOL OS, agent coverage) need only a base VM subscription. TruRisk score requires VMDR (not VM-only). Container critical vulns requires Qualys Container Security (CS). Unlicensed modules return 403/404 — the connector tolerates them, records 0 + warn log.
Availability: New in 2026.04.

Required scopes & roles

Create a dedicated Qualys service-account user (not your personal admin):

  • User role: Reader. Restricts the account to read-only operations across VM, VMDR, and CS modules — exactly what the connector needs.
  • API Access: enabled on that user's permissions tab. Without this, API login returns HTTP 200 with an empty body (Qualys's idiosyncratic "silently denied" pattern).
  • 2FA exemption: if your Qualys tenant enforces MFA, the service account must be explicitly exempted (Users → Security → 2FA configuration → exempted users). API auth has no 2FA challenge path, so with MFA enforced the login fails without a clear error.
  • Allowed IP list: Qualys supports per-user source-IP restriction. Optional but recommended — add the Draxis runner's egress range after first-run verification.

Do not use a Manager or Unit Manager role. Reader is sufficient for every endpoint this connector calls; anything higher grants write capabilities that can modify scans or policies if the credential leaks.

Setup steps

  1. Identify your Qualys platform. Log into the Qualys web UI and look at the URL. The API platform follows the pattern qualysapi.<...>:
    • qualysapi.qualys.com — US Platform 1 (most common)
    • qualysapi.qg2.apps.qualys.com — US Platform 2
    • qualysapi.qg3.apps.qualys.com — US Platform 3
    • qualysapi.qualys.eu — EU Platform 1
    • qualysapi.qg2.apps.qualys.eu — EU Platform 2
    • qualysapi.qg1.apps.qualys.in — India
    • qualysapi.qg1.apps.qualys.ca — Canada
    • qualysapi.qg1.apps.qualys.co.uk — UK
    • qualysapi.qg1.apps.qualys.ae — UAE
    A wrong platform returns 200 OK with empty results — it looks like "no data" rather than an error, which is frustrating to debug.
  2. Create the service-account user in the Qualys UI: Users → Users → New → User. Name: draxis-connector. Use a role-mailbox email your security team monitors. Assign User Role Reader. Complete the required first-login acceptance of terms by logging in once as that user (Qualys blocks API access until the user has accepted the EULA).
  3. Enable API Access. On the user's permissions tab, check Allow the user to access the Qualys API. Save.
  4. Exempt from 2FA (only if your tenant enforces it). Go to Users → Setup → Security → 2FA Configuration → Exempted Users, add draxis-connector.
  5. Verify connectivity from a trusted client. Before wiring Draxis:
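    # Replace the host with your regional platform from step 1.
    # TLS certificate verification stays on (no -k): the request carries Basic Auth credentials.
    curl -s -u 'draxis-connector:<password>' \
      -H 'X-Requested-With: DraxisCurl' \
      'https://qualysapi.qualys.com/msp/about.php' \
      | grep -E '<API-VERSION|<WEB-VERSION'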
    You should see the API and web-service versions. If you get empty output or <USER_NOT_AUTHORIZED>, the user doesn't have API Access enabled or hasn't completed EULA acceptance.

Wire it into Draxis

  1. Open Settings → Integrations in your tenant.
  2. Click Add integration and pick Vulnerability Scanner as the source type.
  3. Pick Qualys VMDR from the vendor dropdown. Draxis pre-fills the US1 platform URL and Basic Auth method.
  4. In API Base URL, override to your regional platform if you're not on US1 (see step 1 of the setup).
  5. In Credentials, paste <username>:<password> as a single string (example: draxis-connector:SuperSecret123!). Draxis encrypts it server-side with encryption.key before storage.
  6. Click Test. Green means Draxis called /msp/about.php successfully — the message includes the API and web-service version numbers.
  7. Under KRIs to import, tick the KRIs you want Draxis to manage. All six qualys_* KRIs are checked by default; uncheck the TruRisk and Container KRIs if you don't have VMDR or CS subscriptions respectively (0 could be misread as a clean posture). Selected rows are created on save. Unchecking a previously-imported KRI deletes it on save.
  8. Save. The connector runs daily by default; use Run now from run history to trigger the first sync immediately.

KRIs produced

Slug | Meaning | Derivation
qualys_critical_asset_qds_exposure | QDS ≥ 90 detections on critical-tagged hosts | GET /api/2.0/fo/asset/host/vm/detection/?action=list&status=Active&qds_min=90&tags_include=Critical,business-critical. Count returned <DETECTION> elements.
qualys_trurisk_score | Average per-host TruRisk score (requires VMDR) | GET /api/2.0/fo/asset/host/vm/trurisk_score/?action=list. Sum <TRURISK_SCORE> values / count of hosts. 403 → 0 + warn (VM-only tenants).
qualys_patch_tuesday_lag_days | Average age of open Microsoft-patch-category vulns | GET /api/2.0/fo/asset/host/vm/detection/?action=list&status=Active&category=Windows. Avg of now - FIRST_FOUND_DATETIME across returned detections, in days.
qualys_container_critical_vulns | Critical vulns in production container images (requires CS) | GET /cs/api/v1/images?filter=tags.name:prod AND vulnerabilities.severity:5. Sum vulnerabilities.severity5 across returned images. 403 → 0 + warn (no-CS tenants).
qualys_eol_os_hosts | Active hosts with open EOL/EOS OS detections | GET /api/2.0/fo/asset/host/vm/detection/?action=list&status=Active&category=OS%20End%20of%20Life. Count distinct <HOST> elements.
qualys_cloud_agent_coverage_gap | Active hosts not tracked by cloud agent | GET /api/2.0/fo/asset/host/?action=list&details=Basic. Count hosts where <TRACKING_METHOD> is not AGENT.

Each row is a slug the connector writes to. Draxis creates the matching kri rows automatically when you check them in the KRIs to import section of the integration form — no manual API call or seed script needed. Thresholds shown in the table are the seeded defaults; you can edit them freely in the KRIs tab afterwards.
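The derivations in the KRI table, worked through in Python as an added example (not the connector's own code). The XML samples are constructed: their nesting and the ID and QID elements are assumptions, while DETECTION, HOST, FIRST_FOUND_DATETIME and TRACKING_METHOD are the element names the table uses.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed samples. The nesting and the ID/QID elements are assumptions;
# the other element names are the ones the KRI table refers to.
DETECTIONS_XML = """<RESPONSE><HOST_LIST>
 <HOST><ID>101</ID><DETECTION_LIST>
  <DETECTION><QID>1</QID><FIRST_FOUND_DATETIME>2026-03-01T00:00:00Z</FIRST_FOUND_DATETIME></DETECTION>
  <DETECTION><QID>2</QID><FIRST_FOUND_DATETIME>2026-03-21T00:00:00Z</FIRST_FOUND_DATETIME></DETECTION>
 </DETECTION_LIST></HOST>
 <HOST><ID>102</ID><DETECTION_LIST>
  <DETECTION><QID>1</QID><FIRST_FOUND_DATETIME>2026-03-11T00:00:00Z</FIRST_FOUND_DATETIME></DETECTION>
 </DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE>"""
HOSTS_XML = """<RESPONSE><HOST_LIST>
 <HOST><ID>101</ID><TRACKING_METHOD>AGENT</TRACKING_METHOD></HOST>
 <HOST><ID>102</ID><TRACKING_METHOD>IP</TRACKING_METHOD></HOST>
 <HOST><ID>103</ID><TRACKING_METHOD>DNS</TRACKING_METHOD></HOST>
</HOST_LIST></RESPONSE>"""


def detection_count(xml_text):
    """qualys_critical_asset_qds_exposure: count returned DETECTION elements."""
    return sum(1 for _ in ET.fromstring(xml_text).iter("DETECTION"))


def distinct_hosts(xml_text):
    """qualys_eol_os_hosts: count distinct HOST elements (keyed on ID here)."""
    return len({h.findtext("ID") for h in ET.fromstring(xml_text).iter("HOST")})


def avg_open_age_days(xml_text, now):
    """qualys_patch_tuesday_lag_days: mean of now - FIRST_FOUND_DATETIME, in days."""
    ages = []
    for det in ET.fromstring(xml_text).iter("DETECTION"):
        stamp = det.findtext("FIRST_FOUND_DATETIME")
        if stamp:
            first = datetime.strptime(stamp.strip(), "%Y-%m-%dT%H:%M:%SZ")
            ages.append((now - first.replace(tzinfo=timezone.utc)).total_seconds() / 86400)
    return sum(ages) / len(ages) if ages else 0.0  # empty payload yields 0, not an error


def agent_coverage_gap(xml_text):
    """qualys_cloud_agent_coverage_gap: hosts whose TRACKING_METHOD is not AGENT."""
    hosts = ET.fromstring(xml_text).iter("HOST")
    return sum(1 for h in hosts if (h.findtext("TRACKING_METHOD") or "").strip() != "AGENT")


NOW = datetime(2026, 3, 31, tzinfo=timezone.utc)  # fixed so the result is reproducible
```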

Vendor quirks

  • X-Requested-With header is mandatory. The Qualys API rejects requests without it (returns HTTP 403 with a cryptic "X-Requested-With must be set" in the error body). The connector sets X-Requested-With: Draxis-VMDR-Connector on every call — no configuration needed.
  • Wrong platform URL ≠ error. If you put the US2 username against the US1 platform URL, Qualys returns 200 OK with empty results. You'll see zeros across all KRIs rather than a failed Test. Match the platform URL to the one in your Qualys console URL (see Setup step 1).
  • EULA-block on first login. New Qualys users must log into the web UI once to accept the terms before API access works. If the service account has never logged in, API calls return success but with empty payloads. Log in once as that user, then retry.
  • 2FA enforcement breaks API auth without exemption. If your tenant enforces 2FA and the service account isn't exempted, Basic Auth from the API silently fails — again, empty-but-successful responses. Qualys's "silent deny" pattern is the cause of most integration frustration.
  • Response truncation warnings. Qualys caps responses at a configurable truncation_limit (default 1000 per page; we push to 10000). Very large environments will hit this cap — the connector logs response truncated warnings and the KRI value is a lower bound. Full pagination support is on the roadmap.
  • "By business unit" in Patch Tuesday KRI is averaged. The user spec asked for per-BU values; KRIs in Draxis are single numbers. The KRI averages across the org — use Qualys's own dashboards for per-BU views, or create separate Draxis integrations with tag-scoped service accounts for per-BU breakouts.
  • Tag names for "critical" vary by org. The QDS exposure KRI filters on tag names Critical or business-critical (exact match). If your organization uses a different tag convention (e.g., CriticalAsset, Tier0), the KRI reports 0. Edit tags_include= in the connector or rename tags in Qualys to match.
  • Container security tag taxonomy. The container-vulns KRI assumes you tag production images with environment=prod or an equivalent tag named prod. Different tag conventions need connector edits.
  • TruRisk vs QDS. QDS (Qualys Detection Score) is per-vulnerability; TruRisk is per-asset, blending QDS with asset criticality. The TruRisk KRI averages across hosts — a useful trend line but masks individual high-risk hosts. Pair with the QDS-exposure KRI for a clearer picture.
  • Qualys rate limits are tier-dependent. API rate limits vary by subscription tier (standard: 300/hour; enterprise: higher). The connector makes ~6 calls per run, so rate-limiting is essentially never a concern at daily schedule.
  • Credential rotation is manual. Qualys doesn't auto-expire passwords for service accounts (check your org's password policy; it might). When rotating, update the password in the Qualys UI, then update the username:password string in Draxis. A brief overlap between old and new passwords is not possible because Qualys has one password per user.
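Because of the silent-deny behaviour described in this list, a connectivity check has to inspect the body as well as the status code. The following is an added example (not Draxis code) that triages one /msp/about.php response using only the signals this page names; the function name, verdict labels and sample bodies are constructed.

```python
import re

# Checks for a 200 response with no usable payload. The first three follow the
# order given under Troubleshooting; the 2FA item comes from the quirks list.
SILENT_DENY_CHECKS = [
    "regional platform URL matches the Qualys console URL",
    "API access is enabled on the service account",
    "service account has accepted the EULA via a web login",
    "service account is exempted from 2FA if the tenant enforces it",
]
# Same markers the setup-step grep looks for.
VERSION_MARKER = re.compile(r"<(API-VERSION|WEB-VERSION)\b")


def triage_about_response(status, body):
    """Return (verdict, checks) for one /msp/about.php response."""
    text = (body or "").strip()
    if status == 401:
        # Qualys does not distinguish a wrong password from an unknown user.
        return "bad_credentials", ["log into the web UI as the service account"]
    if status == 403 and "X-Requested-With" in text:
        return "header_stripped", ["inspect proxies between the client and Qualys"]
    if status == 200 and "USER_NOT_AUTHORIZED" in text:
        return "not_authorized", SILENT_DENY_CHECKS[1:3]
    if status == 200 and VERSION_MARKER.search(text):
        return "ok", []
    if status == 200:
        # Silent deny: success status with an empty or near-empty body.
        return "silent_deny", list(SILENT_DENY_CHECKS)
    return "unexpected", [f"HTTP {status} is not covered by the troubleshooting list"]


# Constructed (status, body) pairs; the bodies are illustrative, not captured.
SAMPLES = {
    "healthy": (200, "<ABOUT><API-VERSION>constructed</API-VERSION>"
                     "<WEB-VERSION>constructed</WEB-VERSION></ABOUT>"),
    "empty": (200, ""),
    "no_api_access": (200, "<USER_NOT_AUTHORIZED>"),
    "wrong_password": (401, ""),
    "proxy": (403, "X-Requested-With must be set"),
}


def run_samples():
    """Verdict for each constructed sample."""
    return {name: triage_about_response(*resp)[0] for name, resp in SAMPLES.items()}
```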

Troubleshooting

  • Test returns "unexpected response" with an empty or near-empty body — three common causes: (1) wrong regional platform URL, (2) API access not enabled on the user, (3) service account hasn't accepted the EULA via a web login. Check in that order.
  • HTTP 401 on Test — username or password is wrong. Qualys doesn't distinguish "wrong password" from "user not found" in the API — both return 401. Verify by logging into the web UI as the service account.
  • HTTP 403 with X-Requested-With must be set — should not happen (the connector always sends it); if it does, the header got stripped by a proxy between Draxis and Qualys. Check network path.
  • qualys_trurisk_score is 0 with "tolerated non-ok" warn — you don't have a VMDR subscription, only VM. Uncheck the KRI in Draxis, or upgrade Qualys.
  • qualys_container_critical_vulns is 0 — either you don't have CS, or you don't tag production images with prod. Check your image-tagging convention.
  • qualys_critical_asset_qds_exposure is 0 but you know you have exposed critical assets — your tag taxonomy doesn't match the connector's filter. Check your asset tag names against Critical or business-critical.
  • response truncated warnings repeatedly — your environment is larger than the 10000-row page size. Current KRI values are lower bounds. Open a support request for full-pagination support.
  • rowsSkipped > 0 and rowsWritten = 0 — your tenant hasn't imported any KRIs for this integration yet. Open the integration in Settings → Integrations, tick the KRIs under KRIs to import, and save.
  • Still stuck? Open a support ticket with the run ID (from Run history) and we'll dig in.