Qualys

LAST UPDATED: OCT 31, 2024

Overview

Qualys Vulnerability Management scans identify and remediate vulnerabilities, protecting IT assets on-premises, in the cloud, and at mobile endpoints.

D3 Security's integration with the Qualys VM REST API provides operations to run vulnerability scans and retrieve reports.

D3 SOAR provides REST operations to work with Qualys.

Qualys is available for use in:

D3 SOAR: V12.7.241+

Category: Vulnerability Management

Deployment Options: Option II, Option IV

Known Limitations

Please refer to Qualys API Limits for the API limits.

Connection

To connect to Qualys from D3 SOAR, collect the required information listed below:

| Parameter | Description | Example |
|---|---|---|
| Server URL | The Server URL of the Qualys Vulnerability Management integration. | `https://<Replace_Me>` |
| Username | The Username of the integration. | `********` |
| Password | The Password of the integration. | `********` |
| API Version | The version of API. | 2.0 |

Configuring D3 SOAR to Work with Qualys

  1. Log in to D3 SOAR.

  2. Find the Qualys integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Qualys in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Qualys.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the tick box to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input your domain level Server URL.

      2. Input your Username.

      3. Input your Password.

      4. Input your API Version. The default value is 2.0.

    10. Enable Password Vault: An optional feature that allows users to use credentials stored in their own password vault. Please refer to the password vault connection guide if needed.

    11. Connection Health Check: Updates the status of the connection you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.

      To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Qualys includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Qualys API, please refer to the Qualys API reference.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands may differ from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Add IP To Subscription

Adds IP addresses to the user's subscription.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| IP Addresses | Required | The list of host IP addresses to be added to the subscription. | `["***.***.***.***"]` |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "SIMPLE_RETURN": {
        "RESPONSE": {
            "DATETIME": "2021-10-27T23:27:58Z",
            "TEXT": "IPs successfully added to Vulnerability Management/Compliance Management"
        }
    }
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| DATETIME | TEXT |
|---|---|
| 2021-10-27T23:27:58Z | IPs successfully added to Vulnerability Management/Compliance Management |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add IP To Subscription failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid IP Addresses. |

Error Sample Data

Add IP To Subscription failed.

Status Code: 400.

Message: Invalid IP Addresses.

Fetch Report

Retrieves a saved report based on its ID(s).

READER NOTE

The parameter IDs is required to run this command.

  • Run the List Reports command to obtain IDs. IDs refers to report IDs, which can be found in the returned raw data at the path $.RESPONSE.REPORT_LIST[*].ID.

ALERT

Please note that different user roles will result in different access levels for fetching reports:

  • Managers can fetch any report.

  • Unit Managers can fetch reports within their own business unit (reports launched by users in their own business unit).

  • Scanners and Readers can fetch their own reports.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| IDs | Required | The list of saved report IDs to be retrieved. IDs can be obtained using the List Reports command. | `["*****"]` |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "fileId": "*****",
        "fileName": "Scan_Report_Executive_Report_dsecu3ps_20200814.csv",
        "md5": "*****",
        "sha1": "*****",
        "sha256": "*****"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "FileIDs": [*****]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| fileId | fileName | md5 | sha1 | sha256 |
|---|---|---|---|---|
| `****` | Scan_Report_Executive_Report_dsecu3ps_20200814.csv | `*****` | `*****` | `*****` |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Report failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: IDs not found. |

Error Sample Data

Fetch Report failed.

Status Code: 404.

Message: IDs not found.

Fetch Scan Result

Retrieves scan results based on scan references.

READER NOTE

The parameter Scan References is required to run this command.

  • Run the List Vulnerability Scan command to obtain Scan References. Scan References can be found in the returned raw data at the path $.RESPONSE.SCAN_LIST[*].REF.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Scan References | Required | The scan reference ID. Scan references can be obtained using the List Vulnerability Scan command. | `["scan/1597273353.78095"]` |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ip": "***.***.***.***",
        "dns": "win-*****",
        "netbios": "WIN-*****",
        "qid": 6,
        "instance": null,
        "result": "IP address\tHost name\n***.***.***.***\tNo registered hostname"
    },
    {
        "ip": "***.***.***.***",
        "dns": "win-*****",
        "netbios": "WIN-*****",
        "qid": 82040,
        "instance": null,
        "result": "ICMP Reply Type\tTriggered By\tAdditional Information\nEcho (type=0 code=0)\tEcho Request\tEcho Reply\nUnreachable (type=3 code=3)\tUDP Port 12345\tPort Unreachable\nTime Stamp (type=14 code=0)\tTime Stamp Request\t23:04:22 GMT\nUnreachable (type=3 code=3)\tUDP Port 1011\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 1812\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 4156\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 1032\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 31337\tPort Unreachable\nUnreachable (type=3 code=2)\tIP with High Protocol\tProtocol Unreachable\nUnreachable (type=3 code=3)\tUDP Port 1999\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 1194\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 1600\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 43714\tPort Unreachable"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ip

dns

netbios

qid

instance

result

***.***.***.***

win-*****

WIN-*****

6

None

IP address Host name
***.***.***.*** No registered hostname

***.***.***.***

win-*****

WIN-*****

82040

None

ICMP Reply Type Triggered By Additional Information
Echo (type=0 code=0) Echo Request Echo Reply
Unreachable (type=3 code=3) UDP Port 12345 Port Unreachable
Time Stamp (type=14 code=0) Time Stamp Request 23:04:22 GMT
Unreachable (type=3 code=3) UDP Port 1011 Port Unreachable
Unreachable (type=3 code=3) UDP Port 1812 Port Unreachable
Unreachable (type=3 code=3) UDP Port 4156 Port Unreachable
Unreachable (type=3 code=3) UDP Port 1032 Port Unreachable
Unreachable (type=3 code=3) UDP Port 31337 Port Unreachable
Unreachable (type=3 code=2) IP with High Protocol Protocol Unreachable
Unreachable (type=3 code=3) UDP Port 1999 Port Unreachable
Unreachable (type=3 code=3) UDP Port 1194 Port Unreachable
Unreachable (type=3 code=3) UDP Port 1600 Port Unreachable
Unreachable (type=3 code=3) UDP Port 43714 Port Unreachable
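Each `result` value in the Raw Data above is a tab-separated table with a header row, packed into a single string. The following added example (not part of the D3 or Qualys documentation) parses those strings into rows keyed by column name and decodes the ICMP type/code cells; the function names, the free-text fallback and the constructed sample records are assumptions for illustration.

```python
import json
import re

# Constructed sample in the shape of the Raw Data above (documentation-range
# IPs, shortened ICMP table, plus one free-text result with no header row
# under a placeholder QID of 0).
SAMPLE_RAW = json.dumps([
    {"ip": "192.0.2.10", "dns": "win-example", "netbios": "WIN-EXAMPLE",
     "qid": 6, "instance": None,
     "result": "IP address\tHost name\n192.0.2.10\tNo registered hostname"},
    {"ip": "192.0.2.10", "dns": "win-example", "netbios": "WIN-EXAMPLE",
     "qid": 82040, "instance": None,
     "result": ("ICMP Reply Type\tTriggered By\tAdditional Information\n"
                "Echo (type=0 code=0)\tEcho Request\tEcho Reply\n"
                "Unreachable (type=3 code=3)\tUDP Port 12345\tPort Unreachable\n"
                "Time Stamp (type=14 code=0)\tTime Stamp Request\t23:04:22 GMT\n"
                "Unreachable (type=3 code=2)\tIP with High Protocol\tProtocol Unreachable")},
    {"ip": "192.0.2.11", "dns": None, "netbios": None,
     "qid": 0, "instance": None,
     "result": "Scan duration: 120 seconds"},
])

# Matches cells such as "Unreachable (type=3 code=3)".
ICMP_RE = re.compile(r"^(?P<name>.+?) \(type=(?P<type>\d+) code=(?P<code>\d+)\)$")


def parse_result_table(result):
    """Turn one `result` string into a list of row dicts keyed by header."""
    lines = [ln for ln in (result or "").split("\n") if ln.strip()]
    if not lines:
        return []
    if "\t" not in lines[0]:
        # Assumption: a first line without tabs is free text, not a table.
        return [{"text": ln} for ln in lines]
    header = [h.strip() for h in lines[0].split("\t")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("\t")]
        if len(cells) > len(header):
            # Fold overflow cells into the last column rather than drop data.
            cells = cells[:len(header) - 1] + [" ".join(cells[len(header) - 1:])]
        cells += [""] * (len(header) - len(cells))  # pad short rows
        rows.append(dict(zip(header, cells)))
    return rows


def flatten_findings(raw_json):
    """One flat record per table row: host IP, QID, and the row cells."""
    findings = []
    for rec in json.loads(raw_json):
        for row in parse_result_table(rec.get("result")):
            findings.append({"ip": rec.get("ip"), "qid": rec.get("qid"), "row": row})
    return findings


def icmp_replies(findings):
    """Decode 'Name (type=T code=C)' cells from ICMP reply tables."""
    replies = []
    for finding in findings:
        match = ICMP_RE.match(finding["row"].get("ICMP Reply Type", ""))
        if match:
            replies.append({
                "ip": finding["ip"],
                "name": match["name"],
                "type": int(match["type"]),
                "code": int(match["code"]),
                "triggered_by": finding["row"].get("Triggered By", ""),
            })
    return replies


if __name__ == "__main__":
    for reply in icmp_replies(flatten_findings(SAMPLE_RAW)):
        print(reply)
```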

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Scan Result failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Scan References Not Found. |

Error Sample Data

Fetch Scan Result failed.

Status Code: 404.

Message: Scan References Not Found.

Get Scanned Hosts

Retrieves a list of scanned hosts in the user's account.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "HOST_LIST_OUTPUT": {
        "RESPONSE": {
            "DATETIME": "2022-04-25T23:35:50Z",
            "HOST_LIST": {
                "HOST": [
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "OS": {
                            "__cdata": "Ubuntu/Linux"
                        }
                    },
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "OS": {
                            "__cdata": "Ubuntu/Linux"
                        }
                    },
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "DNS": {
                            "__cdata": "log7_8"
                        },
                        "DNS_DATA": {
                            "HOSTNAME": {
                                "__cdata": "log7_8"
                            },
                            "DOMAIN": "",
                            "FQDN": ""
                        },
                        "NETBIOS": {
                            "__cdata": "LOG7_8"
                        },
                        "OS": {
                            "__cdata": "Windows 2016"
                        }
                    },
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP"
                    },
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "OS": {
                            "__cdata": "EulerOS / Ubuntu / Fedora / Tiny Core Linux / Linux 3.x / IBM / FortiSOAR"
                        }
                    },
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "DNS": {
                            "__cdata": "one.one.one.one"
                        },
                        "DNS_DATA": {
                            "HOSTNAME": {
                                "__cdata": "one"
                            },
                            "DOMAIN": {
                                "__cdata": "one.one.one"
                            },
                            "FQDN": {
                                "__cdata": "one.one.one.one"
                            }
                        }
                    },
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "DNS": {
                            "__cdata": "dns.google"
                        },
                        "DNS_DATA": {
                            "HOSTNAME": {
                                "__cdata": "dns"
                            },
                            "DOMAIN": {
                                "__cdata": "google"
                            },
                            "FQDN": {
                                "__cdata": "dns.google"
                            }
                        }
                    },
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "OS": {
                            "__cdata": "Ubuntu / Tiny Core Linux / Linux 2.6.x / IBM ASM / HP StoreOnce / F5 Networks Big-IP"
                        }
                    },
                    {
                        "ID": *****,
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "DNS": {
                            "__cdata": "desktop-fk2l73g"
                        },
                        "DNS_DATA": {
                            "HOSTNAME": {
                                "__cdata": "desktop-fk2l73g"
                            },
                            "DOMAIN": "",
                            "FQDN": ""
                        },
                        "NETBIOS": {
                            "__cdata": "WIN-I6N635PLHNS"
                        },
                        "OS": {
                            "__cdata": "Windows 2016/2019/10"
                        }
                    }
                ]
            }
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IPs": [
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***"
  ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| ID | IP | TRACKING_METHOD | OS | DNS | DNS_DATA | NETBIOS |
|---|---|---|---|---|---|---|
| `*****` | `***.***.***.***` | IP | `{'__cdata': 'Ubuntu/Linux'}` | | | |
| `*****` | `***.***.***.***` | IP | `{'__cdata': 'Ubuntu/Linux'}` | | | |
| `*****` | `***.***.***.***` | IP | `{'__cdata': 'Windows 2016'}` | `{'__cdata': 'log7_8'}` | `{'HOSTNAME': {'__cdata': 'log7_8'}, 'DOMAIN': '', 'FQDN': ''}` | `{'__cdata': 'LOG7_8'}` |
| `*****` | `***.***.***.***` | IP | | | | |
| `*****` | `***.***.***.***` | IP | `{'__cdata': 'EulerOS / Ubuntu / Fedora / Tiny Core Linux / Linux 3.x / IBM / FortiSOAR'}` | | | |
| `*****` | `***.***.***.***` | IP | | `{'__cdata': 'one.one.one.one'}` | `{'HOSTNAME': {'__cdata': 'one'}, 'DOMAIN': {'__cdata': 'one.one.one'}, 'FQDN': {'__cdata': 'one.one.one.one'}}` | |
| `*****` | `***.***.***.***` | IP | | `{'__cdata': 'dns.google'}` | `{'HOSTNAME': {'__cdata': 'dns'}, 'DOMAIN': {'__cdata': 'google'}, 'FQDN': {'__cdata': 'dns.google'}}` | |
| `*****` | `***.***.***.***` | IP | `{'__cdata': 'Ubuntu / Tiny Core Linux / Linux 2.6.x / IBM ASM / HP StoreOnce / F5 Networks Big-IP'}` | | | |
| `*****` | `***.***.***.***` | IP | `{'__cdata': 'Windows 2016/2019/10'}` | `{'__cdata': 'desktop-fk2l73g'}` | `{'HOSTNAME': {'__cdata': 'desktop-fk2l73g'}, 'DOMAIN': '', 'FQDN': ''}` | `{'__cdata': 'WIN-I6N635PLHNS'}` |
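The HOST entries in the Raw Data above are not uniform: OS, DNS, DNS_DATA and NETBIOS may be absent, and a value may arrive either as a `{"__cdata": ...}` wrapper or as an empty string. The following added example (not part of the D3 or Qualys documentation) flattens the list into fixed-shape records and reports hosts with no OS fingerprint or no name; the function names, output field names and constructed sample are assumptions for illustration.

```python
# Constructed sample covering the HOST shapes shown in the Raw Data above
# (documentation-range IPs and made-up IDs).
SAMPLE_RAW = {"HOST_LIST_OUTPUT": {"RESPONSE": {
    "DATETIME": "2022-04-25T23:35:50Z",
    "HOST_LIST": {"HOST": [
        {"ID": 1001, "IP": "192.0.2.1", "TRACKING_METHOD": "IP",
         "OS": {"__cdata": "Ubuntu/Linux"}},
        {"ID": 1002, "IP": "192.0.2.2", "TRACKING_METHOD": "IP",
         "DNS": {"__cdata": "log7_8"},
         "DNS_DATA": {"HOSTNAME": {"__cdata": "log7_8"}, "DOMAIN": "", "FQDN": ""},
         "NETBIOS": {"__cdata": "LOG7_8"},
         "OS": {"__cdata": "Windows 2016"}},
        {"ID": 1003, "IP": "192.0.2.3", "TRACKING_METHOD": "IP"},
        {"ID": 1004, "IP": "192.0.2.4", "TRACKING_METHOD": "IP",
         "DNS": {"__cdata": "dns.google"},
         "DNS_DATA": {"HOSTNAME": {"__cdata": "dns"},
                      "DOMAIN": {"__cdata": "google"},
                      "FQDN": {"__cdata": "dns.google"}}},
    ]}}}}

FIELDS = ("id", "ip", "tracking_method", "os", "dns",
          "hostname", "domain", "fqdn", "netbios")


def unwrap(value):
    """Return the inner value of {"__cdata": ...}; empty or missing becomes None."""
    if isinstance(value, dict):
        value = value.get("__cdata")
    if isinstance(value, str):
        value = value.strip()
    return None if value in ("", None) else value


def normalize_hosts(raw):
    """Flatten HOST_LIST_OUTPUT into records that all carry the same keys."""
    host_list = raw.get("HOST_LIST_OUTPUT", {}).get("RESPONSE", {}).get("HOST_LIST") or {}
    hosts = host_list.get("HOST") or []
    if isinstance(hosts, dict):
        # Assumption: a single host may be delivered as an object, not a list.
        hosts = [hosts]
    records = []
    for host in hosts:
        dns_data = host.get("DNS_DATA") or {}
        records.append({
            "id": unwrap(host.get("ID")),
            "ip": unwrap(host.get("IP")),
            "tracking_method": unwrap(host.get("TRACKING_METHOD")),
            "os": unwrap(host.get("OS")),
            "dns": unwrap(host.get("DNS")),
            "hostname": unwrap(dns_data.get("HOSTNAME")),
            "domain": unwrap(dns_data.get("DOMAIN")),
            "fqdn": unwrap(dns_data.get("FQDN")),
            "netbios": unwrap(host.get("NETBIOS")),
        })
    return records


def coverage_gaps(records):
    """IPs with no OS fingerprint, and IPs with neither a DNS nor a NetBIOS name."""
    return {
        "no_os": [r["ip"] for r in records if r["os"] is None],
        "no_name": [r["ip"] for r in records
                    if r["dns"] is None and r["netbios"] is None],
    }


if __name__ == "__main__":
    hosts = normalize_hosts(SAMPLE_RAW)
    for record in hosts:
        print(record)
    print(coverage_gaps(hosts))
```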

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Scanned Hosts failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Page Not Found. |

Error Sample Data

Get Scanned Hosts failed.

Status Code: 404.

Message: Page Not Found.

Launch Scorecard Reports

Launches a vulnerability scorecard report in the user's Report Share. Please note that it is not possible to launch any compliance scorecard reports or Web Application Security (WAS) scorecard reports using this API at this time.

ALERT

Please note that different user roles will result in different access levels for launching scorecard reports:

  • Managers and Auditors can launch scorecard reports on all assets in the subscription

  • Unit Managers can launch scorecard reports on assets in their own business unit

  • Scanners and Readers can launch scorecard reports on assets in their own account.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| User Created Scorecard Name | Optional | The user-created scorecard name for the vulnerability scorecard report that you want to launch with Report Share. Note that this parameter and Service Provided Scorecard Name cannot both be empty. When both parameters have a value, the value of Service Provided Scorecard Name will be omitted. | user (for user defined) |
| Service Provided Scorecard Name | Optional | The service-provided scorecard name for the vulnerability scorecard report that the user wants to launch with Report Share. Note that this parameter and the parameter User Created Scorecard Name cannot both be empty. When both parameters have values, the input value of this parameter will be omitted. | Asset Group Vulnerability Report |
| Report Title | Optional | The title of the report. The title may have a maximum of 128 characters. When unspecified, the report title will default to the scorecard name. If the title exceeds 128 characters, the excess will be cut off. | Report 1234 |
| Output Format | Optional | The output format of the report. The default value is XML. | XML |
| Source | Optional | The source asset groups for the report. This parameter is required when the Service Provided Scorecard Name parameter has a value. If the User Created Scorecard Name has a value and this parameter is unspecified, the source selection set in the scorecard attributes (as defined in the Qualys account) will be used. Please note that the Business Unit (Manager Only) option is available only for the Manager role. | Asset Groups |
| Asset Groups | Optional | The titles of asset groups to be used as source asset groups for the scorecard report. If no input is provided for this parameter, all available asset groups in the account will be selected as the source asset groups for the scorecard report. This parameter is only valid when the Source parameter is set to "Asset Groups" and will be omitted when the Source parameter is set to "Business Unit (Manager Only)". | `["group1", "group2"]` |
| Business Unit | Optional | The business unit title or business info tag of each category associated with the asset group(s) included in the scorecard report. All asset groups within the specified business unit or tagged with the provided info tag will be included in the report source. This parameter is required when the Source parameter is set to "Business Unit (Manager Only)", and at least one field must have a value. This parameter will be omitted when the Source parameter is set to "Asset Groups". The possible value for the "business_unit" field could be the title of a business unit in the account, which was created by a Manager user, or "Unassigned" for unassigned business units. For the other fields ("division", "function", and "location"), a business info tag identifying each field could be used. The tag must be defined for an asset group in the account. The parameter schema is a JSON object with fixed keys: "business_unit" (Business Unit Title or "Unassigned"), "division" (Business Info Tag Of Division), "function" (Business Info Tag Of Function), "location" (Business Info Tag Of Location). | `{"business_unit": "BusinessUnitTitle", "division": "BusinessInfoTagOfDivision", "function": "BusinessInfoTagOfFunction", "location": "BusinessInfoTagOfLocation"}` |
| QIDs For Patch Report | Optional | The QIDs for vulnerabilities or potential vulnerabilities with available patches, and up to 2 QIDs for missing software. This parameter is required when the Service Provided Scorecard Name parameter is set to "Patch Report". At least one field must have a value. This parameter will be omitted when the Service Provided Scorecard Name is set to another scorecard report. The parameter schema is a JSON object with fixed keys: "patch_qids" (up to 10 comma-separated QIDs of vulnerabilities or potential vulnerabilities), "missing_qids" (up to 2 comma-separated QIDs of the missing software). | `{"patch_qids": "patch1,patch2,patch3", "missing_qids": "missing1,missing2"}` |
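The input rules above interact (which scorecard name wins, when Source, Business Unit and QIDs become required, the 128-character title limit and the QID count limits), so a playbook can check them before running the command. The following added example is not D3 or Qualys code: the function name, the use of the input labels as dictionary keys, and the reading that a service-provided name ignored in favour of a user-created one no longer triggers the Source and QID requirements are assumptions.

```python
MAX_TITLE = 128
SOURCE_ASSET_GROUPS = "Asset Groups"
SOURCE_BUSINESS_UNIT = "Business Unit (Manager Only)"
BU_KEYS = ("business_unit", "division", "function", "location")
QID_LIMITS = {"patch_qids": 10, "missing_qids": 2}


def _csv(value):
    """Split a comma-separated string into its non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def check_scorecard_inputs(params):
    """Return (effective, problems) for a dict keyed by the input labels above.

    `effective` holds the values that would take effect under the documented
    rules; `problems` lists every rule the inputs break.
    """
    problems = []
    user_name = (params.get("User Created Scorecard Name") or "").strip()
    service_name = (params.get("Service Provided Scorecard Name") or "").strip()
    if not user_name and not service_name:
        problems.append("User Created and Service Provided Scorecard Name are both empty")
    if user_name:
        # Documented: with both set, the service-provided value is omitted.
        service_name = ""
    name = user_name or service_name

    effective = {
        "scorecard": name,
        # Documented: title defaults to the scorecard name, cut at 128 chars.
        "title": (params.get("Report Title") or name)[:MAX_TITLE],
        "output_format": params.get("Output Format") or "XML",
        "source": params.get("Source") or None,
    }
    source = effective["source"]
    if service_name and not source:
        problems.append("Source is required for a service-provided scorecard")

    if source == SOURCE_ASSET_GROUPS:
        # An empty list means all asset groups in the account.
        effective["asset_groups"] = list(params.get("Asset Groups") or [])
    elif source == SOURCE_BUSINESS_UNIT:
        unit = params.get("Business Unit") or {}
        extra = sorted(set(unit) - set(BU_KEYS))
        if extra:
            problems.append(f"Business Unit has keys outside the fixed schema: {extra}")
        effective["business_unit"] = {k: unit[k] for k in BU_KEYS if unit.get(k)}
        if not effective["business_unit"]:
            problems.append("Business Unit needs at least one field with a value")

    if service_name == "Patch Report":
        qids = params.get("QIDs For Patch Report") or {}
        effective["qids"] = {key: _csv(qids.get(key)) for key in QID_LIMITS}
        if not any(effective["qids"].values()):
            problems.append("QIDs For Patch Report needs at least one field with a value")
        for key, limit in QID_LIMITS.items():
            count = len(effective["qids"][key])
            if count > limit:
                problems.append(f"{key} has {count} QIDs; the limit is {limit}")
    return effective, problems


if __name__ == "__main__":
    # Constructed input: placeholder QIDs, one more than patch_qids allows.
    sample = {
        "Service Provided Scorecard Name": "Patch Report",
        "Source": SOURCE_ASSET_GROUPS,
        "QIDs For Patch Report": {"patch_qids": ",".join(f"q{i}" for i in range(11))},
    }
    print(check_scorecard_inputs(sample))
```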

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "SIMPLE_RETURN": {
        "RESPONSE": {
            "DATETIME": "2017-10-30T22:32:15Z",
            "CODE": null,
            "TEXT": "Any text"
        }
    }
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| LaunchedScorecardReport |
|---|
| The scorecard report 'user (for user defined) - user (for user defined)' with format 'XML' has been launched. |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Launch Scorecard Reports failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Page Not Found. |

Error Sample Data

Launch Scorecard Reports failed.

Status Code: 404.

Message: Page Not Found.

Launch Vulnerability Scan

Initiates a vulnerability scan in the user's account.

READER NOTE

Option Profile ID and Scanner Appliance ID are required parameters to run this command.

  • Run the List Option Profiles command to obtain Option Profile ID. Option Profile IDs can be found in the returned raw data at the path $.OPTION_PROFILE.BASIC_INFO.ID.

  • Run the List Scanner Appliances command to obtain Scanner Appliance ID. Scanner Appliance IDs can be found in the returned raw data at the path $.RESPONSE.APPLIANCE_LIST[*].ID.

The parameter Asset Group IDs is optional to run this command.

  • Run the List Asset Groups command to obtain Asset Group IDs. Asset Group IDs can be found in the returned raw data at the path $.RESPONSE.ASSET_GROUP_LIST[*].ID.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Title | Optional | The title of the scan. | New Scan |
| Option Profile ID | Required | The option profile ID of the scan. Option Profile ID can be obtained using the List Option Profiles command. | `*****` |
| Scanner Appliance ID | Optional | The installed appliance ID. Scanner Appliance ID can be obtained using the List Scanner Appliances command. | `*****` |
| Asset Group IDs | Optional | The target asset group ID(s) to scan. Asset Group IDs can be obtained using the List Asset Groups command. | `["*****", "*****"]` |
| IPs/Ranges | Optional | The IP address(es) to scan. | `***.***.***.***` |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "SIMPLE_RETURN": {
        "RESPONSE": {
            "DATETIME": "2021-10-28T18:54:03Z",
            "TEXT": "New vm scan launched",
            "ITEM_LIST": {
                "ITEM": [
                    {
                        "KEY": "ID",
                        "VALUE": *****
                    },
                    {
                        "KEY": "REFERENCE",
                        "VALUE": "scan/*****.*****"
                    }
                ]
            }
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "ScanID": *****,
  "ScanReference": "scan/*****.*****"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

KEY

VALUE

ID

*****

REFERENCE

scan/*****.*****

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Launch Vulnerability Scan failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Option Profile ID Not Found.

Error Sample Data

Launch Vulnerability Scan failed.

Status Code: 404.

Message: Option Profile ID not found.

List Asset Groups

Lists asset groups in the user's account.

Input

Input Parameter

Required/Optional

Description

Example

Show Attributes

Optional

Displays attributes for each asset group along with the ID. Please specify either ALL or a comma-separated list of one or more of the following (without duplicates): ID, TITLE, OWNER_USER_ID, OWNER_UNIT_ID, LAST_UPDATE, IP_SET, APPLIANCE_LIST, DOMAIN_LIST, DNS_LIST, NETBIOS_LIST, EC2_ID_LIST, HOST_IDS, ASSIGNED_USER_IDS, ASSIGNED_UNIT_IDS, BUSINESS_IMPACT, COMMENTS, OWNER_USER_NAME.

ID, TITLE

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
No Sample Data
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
No Sample Data
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Asset Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Attributes Not Found.

Error Sample Data

List Asset Groups failed.

Status Code: 404.

Message: Attributes Not Found.

List Host Detections

Retrieves a list of hosts with the latest vulnerability data, based on the host scan data available in the user's account.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

Returns hosts with a vulnerability scan end date after this date and time, in UTC.

2022-04-01 00:00

End Time

Optional

Returns hosts with a vulnerability scan end date before this date and time, in UTC.

2022-04-02 00:00

Status

Optional

Filters the hosts by one or more of these status values: New, Active, Re-Opened, Fixed. Separate each value with commas, without duplicates.

New, Active, Re-Opened, Fixed

Select Host By Tag

Optional

Choose "ID" to select a tag set by providing tag IDs, or "Name" to select a tag set by providing tag names. This field is required when Tag Set Values has a value.

Name

Tag Set Values

Optional

The tag IDs or tag names used to select the hosts to return. This field is required when the Select Host By Tag parameter has a value.

TagName

Limit

Optional

The maximum number of host records processed per request. The default value is 20; the maximum value is 100.

2

Additional Settings

Optional

The additional settings to filter the host detections. Fields in this parameter replace request parameters with the same field name. See page 457 of the linked guide for the available field details: <https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf>

{
"vm_scan_since": "2022-03-06",
"no_vm_scan_since": "2022-04-06T23:12:00Z"
}

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "HOST_LIST_VM_DETECTION_OUTPUT": {
        "RESPONSE": {
            "DATETIME": "2022-04-08T22:57:27Z",
            "HOST_LIST": {
                "HOST": [
                    {
                        "ID": "*****",
                        "IP": "***.***.***.***",
                        "TRACKING_METHOD": "IP",
                        "OS": "Ubuntu/Linux",
                        "LAST_SCAN_DATETIME": "2022-03-17T20:52:55Z",
                        "LAST_VM_SCANNED_DATE": "2022-03-31T07:14:51Z",
                        "LAST_VM_SCANNED_DURATION": "1295",
                        "TAGS": {
                            "TAG": {
                                "TAG_ID": "9510864",
                                "NAME": "D3Test"
                            }
                        },
                        "DETECTION_LIST": {
                            "DETECTION": [
                                {
                                    "QID": "*****",
                                    "TYPE": "Confirmed",
                                    "SEVERITY": "2",
                                    "PORT": "5601",
                                    "PROTOCOL": "tcp",
                                    "SSL": "0",
                                    "RESULTS": "Strict-Transport-Security HTTP Header missing on port 5601.\n\nGET / HTTP/1.0\nHost: ***.***.***.***:5601\n\n\n\nHTTP/1.1 200 OK\ncontent-security-policy: script-src &apos;unsafe-eval&apos; &apos;self&apos;; worker-src blob: &apos;self&apos;; style-src &apos;unsafe-inline&apos; &apos;self&apos;\nx-content-type-options: nosniff\nreferrer-policy: no-referrer-when-downgrade\nkbn-name: elasticStack\nkbn-license-sig: *****\ncontent-type: text/html; charset=utf-8\ncache-control: private, no-cache, no-store, must-revalidate\ncontent-length: 144871\nvary: accept-encoding\naccept-ranges: bytes\nDate: Thu, 17 Mar 2022 20:38:22 GMT\nConnection: keep-alive\nKeep-Alive: timeout=120",
                                    "STATUS": "New",
                                    "FIRST_FOUND_DATETIME": "2022-03-17T20:52:36Z",
                                    "LAST_FOUND_DATETIME": "2022-03-17T20:52:36Z",
                                    "TIMES_FOUND": "1",
                                    "LAST_TEST_DATETIME": "2022-03-17T20:52:36Z",
                                    "LAST_UPDATE_DATETIME": "2022-03-17T20:52:55Z",
                                    "IS_IGNORED": "0",
                                    "IS_DISABLED": "0",
                                    "LAST_PROCESSED_DATETIME": "2022-03-17T20:52:55Z"
                                },
                                {
                                    "QID": "*****",
                                    "TYPE": "Confirmed",
                                    "SEVERITY": "2",
                                    "PORT": "5601",
                                    "PROTOCOL": "tcp",
                                    "SSL": "1",
                                    "RESULTS": "Certificate #1 CN=Elastic_Certificate_Tool_Autogenerated_CA  is a self signed certificate.",
                                    "STATUS": "New",
                                    "FIRST_FOUND_DATETIME": "2022-03-17T20:52:36Z",
                                    "LAST_FOUND_DATETIME": "2022-03-17T20:52:36Z",
                                    "TIMES_FOUND": "1",
                                    "LAST_TEST_DATETIME": "2022-03-17T20:52:36Z",
                                    "LAST_UPDATE_DATETIME": "2022-03-17T20:52:55Z",
                                    "IS_IGNORED": "0",
                                    "IS_DISABLED": "0",
                                    "LAST_PROCESSED_DATETIME": "2022-03-17T20:52:55Z"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}
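
Turning the Raw Data above into a triage list, as an added example (not D3's or Qualys's code): it flattens each host's DETECTION_LIST into one row per open finding, skips ignored, disabled and Fixed detections, and decodes the `&apos;` entities in RESULTS. The function names and sample values are constructed; it assumes a single HOST, TAG or DETECTION can arrive as an object instead of a list, as TAG does in the sample.

```python
import html
from datetime import datetime, timezone

# Constructed sample in the shape of the Raw Data above. IDs, IPs and QIDs are
# placeholders. Host 1002 carries a single DETECTION as an object, not a list.
SAMPLE_RAW_DATA = {
    "HOST_LIST_VM_DETECTION_OUTPUT": {"RESPONSE": {
        "DATETIME": "2022-04-08T22:57:27Z",
        "HOST_LIST": {"HOST": [
            {
                "ID": "1001", "IP": "192.0.2.10",
                "TAGS": {"TAG": {"TAG_ID": "1", "NAME": "D3Test"}},
                "DETECTION_LIST": {"DETECTION": [
                    {"QID": "90001", "SEVERITY": "2", "PORT": "5601", "STATUS": "New",
                     "RESULTS": "Strict-Transport-Security HTTP Header missing on port 5601.\n\n"
                                "content-security-policy: script-src &apos;self&apos;",
                     "FIRST_FOUND_DATETIME": "2022-03-17T20:52:36Z",
                     "IS_IGNORED": "0", "IS_DISABLED": "0"},
                    {"QID": "90002", "SEVERITY": "4", "PORT": "22", "STATUS": "Fixed",
                     "RESULTS": "Constructed finding that has been fixed.",
                     "FIRST_FOUND_DATETIME": "2022-03-01T00:00:00Z",
                     "IS_IGNORED": "0", "IS_DISABLED": "0"},
                    {"QID": "90003", "SEVERITY": "3", "PORT": "443", "STATUS": "Active",
                     "RESULTS": "Constructed finding that an analyst ignored.",
                     "FIRST_FOUND_DATETIME": "2022-03-01T00:00:00Z",
                     "IS_IGNORED": "1", "IS_DISABLED": "0"},
                ]},
            },
            {
                "ID": "1002", "IP": "192.0.2.20",
                "TAGS": {"TAG": [{"TAG_ID": "2", "NAME": "Prod"},
                                 {"TAG_ID": "3", "NAME": "Linux"}]},
                "DETECTION_LIST": {"DETECTION": {
                    "QID": "90004", "SEVERITY": "5", "PORT": "443", "STATUS": "Active",
                    "RESULTS": "Constructed critical finding.",
                    "FIRST_FOUND_DATETIME": "2022-04-01T00:00:00Z",
                    "IS_IGNORED": "0", "IS_DISABLED": "0"}},
            },
        ]},
    }}
}

OPEN_STATUSES = ("New", "Active", "Re-Opened")


def as_list(value):
    """Return value as a list: None becomes [], a single object is wrapped."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_utc(timestamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the Raw Data."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flatten_detections(raw, min_severity=1, statuses=OPEN_STATUSES):
    """Return one row per open detection, highest severity and oldest first."""
    response = (raw.get("HOST_LIST_VM_DETECTION_OUTPUT") or {}).get("RESPONSE") or {}
    as_of = parse_utc(response["DATETIME"])  # age is measured from the response time
    rows = []
    for host in as_list((response.get("HOST_LIST") or {}).get("HOST")):
        tags = [tag.get("NAME") for tag in as_list((host.get("TAGS") or {}).get("TAG"))]
        for det in as_list((host.get("DETECTION_LIST") or {}).get("DETECTION")):
            if det.get("IS_IGNORED") == "1" or det.get("IS_DISABLED") == "1":
                continue
            severity = int(det.get("SEVERITY", 0))  # numbers arrive as strings
            if det.get("STATUS") not in statuses or severity < min_severity:
                continue
            results = html.unescape(det.get("RESULTS", ""))
            rows.append({
                "host_id": host.get("ID"),
                "host_ip": host.get("IP"),
                "tags": tags,
                "qid": det.get("QID"),
                "severity": severity,
                "port": det.get("PORT"),
                "status": det.get("STATUS"),
                "age_days": (as_of - parse_utc(det["FIRST_FOUND_DATETIME"])).days,
                "summary": next(iter(results.splitlines()), ""),
                "results": results,
            })
    rows.sort(key=lambda row: (-row["severity"], -row["age_days"]))
    return rows


if __name__ == "__main__":
    for row in flatten_detections(SAMPLE_RAW_DATA):
        print(row["severity"], row["host_ip"], row["qid"], row["age_days"], row["summary"])
```
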
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "HostIDs": [*****],
  "HostIPs": ["***.***.***.***"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID

IP

TRACKING_METHOD

OS

LAST_SCAN_DATETIME

LAST_VM_SCANNED_DATE

LAST_VM_SCANNED_DURATION

TAGS

DETECTION_LIST

*****

***.***.***.***

IP

Ubuntu/Linux

2022-03-17T20:52:55Z

2022-03-31T07:14:51Z

1295

{'TAG': {'TAG_ID': '9510864', 'NAME': 'D3Test'}}

{'DETECTION': [{'QID': '*****', 'TYPE': 'Confirmed', 'SEVERITY': '2', 'PORT': '5601', 'PROTOCOL': 'tcp', 'SSL': '0', 'RESULTS': 'Strict-Transport-Security HTTP Header missing on port 5601.\n\nGET / HTTP/1.0\nHost: ***.***.***.***:5601\n\n\n\nHTTP/1.1 200 OK\ncontent-security-policy: script-src &apos;unsafe-eval&apos; &apos;self&apos;; worker-src blob: &apos;self&apos;; style-src &apos;unsafe-inline&apos; &apos;self&apos;\nx-content-type-options: nosniff\nreferrer-policy: no-referrer-when-downgrade\nkbn-name: elasticStack\nkbn-license-sig: *****\ncontent-type: text/html; charset=utf-8\ncache-control: private, no-cache, no-store, must-revalidate\ncontent-length: 144871\nvary: accept-encoding\naccept-ranges: bytes\nDate: Thu, 17 Mar 2022 20:38:22 GMT\nConnection: keep-alive\nKeep-Alive: timeout=120', 'STATUS': 'New', 'FIRST_FOUND_DATETIME': '2022-03-17T20:52:36Z', 'LAST_FOUND_DATETIME': '2022-03-17T20:52:36Z', 'TIMES_FOUND': '1', 'LAST_TEST_DATETIME': '2022-03-17T20:52:36Z', 'LAST_UPDATE_DATETIME': '2022-03-17T20:52:55Z', 'IS_IGNORED': '0', 'IS_DISABLED': '0', 'LAST_PROCESSED_DATETIME': '2022-03-17T20:52:55Z'}, {'QID': '*****', 'TYPE': 'Confirmed', 'SEVERITY': '2', 'PORT': '5601', 'PROTOCOL': 'tcp', 'SSL': '1', 'RESULTS': 'Certificate #1 CN=Elastic_Certificate_Tool_Autogenerated_CA is a self signed certificate.', 'STATUS': 'New', 'FIRST_FOUND_DATETIME': '2022-03-17T20:52:36Z', 'LAST_FOUND_DATETIME': '2022-03-17T20:52:36Z', 'TIMES_FOUND': '1', 'LAST_TEST_DATETIME': '2022-03-17T20:52:36Z', 'LAST_UPDATE_DATETIME': '2022-03-17T20:52:55Z', 'IS_IGNORED': '0', 'IS_DISABLED': '0', 'LAST_PROCESSED_DATETIME': '2022-03-17T20:52:55Z'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Host Detections failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Page Not Found.

Error Sample Data

List Host Detections failed.

Status Code: 404.

Message: Page Not Found.

List Option Profiles

Exports one option profile or all option profiles in the subscription to an XML file.

Input

Input Parameter

Required/Optional

Description

Example

Option Profile Type

Optional

The profile group type. The available options are User defined, Compliance profile, and PCI vulnerabilities profile.

User defined

Include System Option Profiles

Optional

Whether the output includes the system option profile.

0

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "OPTION_PROFILES": {
        "OPTION_PROFILE": {
            "BASIC_INFO": {
                "ID": *****,
                "GROUP_NAME": {
                    "__cdata": "D3-Porfile"
                },
                "GROUP_TYPE": "user",
                "USER_ID": {
                    "__cdata": "Tony Fu (*****)"
                },
                "UNIT_ID": 0,
                "SUBSCRIPTION_ID": *****,
                "IS_DEFAULT": 0,
                "IS_GLOBAL": 0,
                "IS_OFFLINE_SYNCABLE": 0,
                "UPDATE_DATE": "2022-04-08T16:28:12Z"
            },
            "SCAN": {
                "PORTS": {
                    "TCP_PORTS": {
                        "TCP_PORTS_TYPE": "full",
                        "THREE_WAY_HANDSHAKE": 0
                    },
                    "UDP_PORTS": {
                        "UDP_PORTS_TYPE": "standard"
                    },
                    "AUTHORITATIVE_OPTION": 0
                },
                "SCAN_DEAD_HOSTS": 0,
                "PURGE_OLD_HOST_OS_CHANGED": 0,
                "PERFORMANCE": {
                    "PARALLEL_SCALING": 0,
                    "OVERALL_PERFORMANCE": "Normal",
                    "HOSTS_TO_SCAN": {
                        "EXTERNAL_SCANNERS": 15,
                        "SCANNER_APPLIANCES": 30
                    },
                    "PROCESSES_TO_RUN": {
                        "TOTAL_PROCESSES": 10,
                        "HTTP_PROCESSES": 10
                    },
                    "PACKET_DELAY": "Medium",
                    "PORT_SCANNING_AND_HOST_DISCOVERY": "Normal"
                },
                "LOAD_BALANCER_DETECTION": 0,
                "VULNERABILITY_DETECTION": {
                    "COMPLETE": {
                        "__cdata": "complete"
                    },
                    "DETECTION_INCLUDE": {
                        "BASIC_HOST_INFO_CHECKS": 0,
                        "OVAL_CHECKS": 0
                    }
                },
                "ADDL_CERT_DETECTION": 0
            },
            "MAP": {
                "BASIC_INFO_GATHERING_ON": "all",
                "TCP_PORTS": {
                    "TCP_PORTS_STANDARD_SCAN": 1
                },
                "MAP_OPTIONS": {
                    "PERFORM_LIVE_HOST_SWEEP": 1,
                    "DISABLE_DNS_TRAFFIC": 0
                },
                "MAP_PERFORMANCE": {
                    "OVERALL_PERFORMANCE": "Normal",
                    "MAP_PARALLEL": {
                        "EXTERNAL_SCANNERS": 6,
                        "SCANNER_APPLIANCES": 8,
                        "NETBLOCK_SIZE": "16384 IPs"
                    },
                    "PACKET_DELAY": "Minimum"
                },
                "MAP_AUTHENTICATION": "none"
            },
            "ADDITIONAL": {
                "HOST_DISCOVERY": {
                    "TCP_PORTS": {
                        "STANDARD_SCAN": 1
                    },
                    "UDP_PORTS": {
                        "STANDARD_SCAN": 1
                    },
                    "ICMP": 1
                },
                "PACKET_OPTIONS": {
                    "IGNORE_FIREWALL_GENERATED_TCP_RST": 0,
                    "IGNORE_ALL_TCP_RST": 0,
                    "IGNORE_FIREWALL_GENERATED_TCP_SYN_ACK": 0,
                    "NOT_SEND_TCP_ACK_OR_SYN_ACK_DURING_HOST_DISCOVERY": 0
                }
            }
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "OptionFileIDs": [*****],
  "groupNames": ["D3-Profile"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

BASIC_INFO

{'ID': *****, 'GROUP_NAME': {'__cdata': 'D3-Porfile'}, 'GROUP_TYPE': 'user', 'USER_ID': {'__cdata': 'Tony Fu (*****)'}, 'UNIT_ID': 0, 'SUBSCRIPTION_ID': *****, 'IS_DEFAULT': 0, 'IS_GLOBAL': 0, 'IS_OFFLINE_SYNCABLE': 0, 'UPDATE_DATE': '2022-04-08T16:28:12Z'}

SCAN

{'PORTS': {'TCP_PORTS': {'TCP_PORTS_TYPE': 'full', 'THREE_WAY_HANDSHAKE': 0}, 'UDP_PORTS': {'UDP_PORTS_TYPE': 'standard'}, 'AUTHORITATIVE_OPTION': 0}, 'SCAN_DEAD_HOSTS': 0, 'PURGE_OLD_HOST_OS_CHANGED': 0, 'PERFORMANCE': {'PARALLEL_SCALING': 0, 'OVERALL_PERFORMANCE': 'Normal', 'HOSTS_TO_SCAN': {'EXTERNAL_SCANNERS': 15, 'SCANNER_APPLIANCES': 30}, 'PROCESSES_TO_RUN': {'TOTAL_PROCESSES': 10, 'HTTP_PROCESSES': 10}, 'PACKET_DELAY': 'Medium', 'PORT_SCANNING_AND_HOST_DISCOVERY': 'Normal'}, 'LOAD_BALANCER_DETECTION': 0, 'VULNERABILITY_DETECTION': {'COMPLETE': {'__cdata': 'complete'}, 'DETECTION_INCLUDE': {'BASIC_HOST_INFO_CHECKS': 0, 'OVAL_CHECKS': 0}}, 'ADDL_CERT_DETECTION': 0}

MAP

{'BASIC_INFO_GATHERING_ON': 'all', 'TCP_PORTS': {'TCP_PORTS_STANDARD_SCAN': 1}, 'MAP_OPTIONS': {'PERFORM_LIVE_HOST_SWEEP': 1, 'DISABLE_DNS_TRAFFIC': 0}, 'MAP_PERFORMANCE': {'OVERALL_PERFORMANCE': 'Normal', 'MAP_PARALLEL': {'EXTERNAL_SCANNERS': 6, 'SCANNER_APPLIANCES': 8, 'NETBLOCK_SIZE': '16384 IPs'}, 'PACKET_DELAY': 'Minimum'}, 'MAP_AUTHENTICATION': 'none'}

ADDITIONAL

{'HOST_DISCOVERY': {'TCP_PORTS': {'STANDARD_SCAN': 1}, 'UDP_PORTS': {'STANDARD_SCAN': 1}, 'ICMP': 1}, 'PACKET_OPTIONS': {'IGNORE_FIREWALL_GENERATED_TCP_RST': 0, 'IGNORE_ALL_TCP_RST': 0, 'IGNORE_FIREWALL_GENERATED_TCP_SYN_ACK': 0, 'NOT_SEND_TCP_ACK_OR_SYN_ACK_DURING_HOST_DISCOVERY': 0}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Option Profiles failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Page Not Found.

Error Sample Data

List Option Profiles failed.

Status Code: 404.

Message: Page Not Found.

List Report

Retrieves a list of reports in the user's account.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "REPORT_LIST_OUTPUT": {
        "RESPONSE": {
            "DATETIME": "2021-10-27T22:14:07Z",
            "REPORT_LIST": {
                "REPORT": {
                    "ID": *****,
                    "TITLE": {
                        "__cdata": "Vulnerability Scorecard Report"
                    },
                    "TYPE": "Scorecard",
                    "USER_LOGIN": "dsecu9en",
                    "LAUNCH_DATETIME": "2021-10-27T22:13:32Z",
                    "OUTPUT_FORMAT": "HTML",
                    "SIZE": "216.91 KB",
                    "STATUS": {
                        "STATE": "Finished"
                    },
                    "EXPIRATION_DATETIME": "2021-11-03T22:13:34Z"
                }
            }
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "ReportID":  ["*****","*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID

TITLE

TYPE

USER_LOGIN

LAUNCH_DATETIME

OUTPUT_FORMAT

SIZE

STATUS

EXPIRATION_DATETIME

*****

{'__cdata': 'Vulnerability Scorecard Report'}

Scorecard

dsecu9en

2021-10-27T22:13:32Z

HTML

216.91 KB

{'STATE': 'Finished'}

2021-11-03T22:13:34Z

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Report failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Page Not Found.

Error Sample Data

List Report failed.

Status Code: 404.

Message: Page Not Found.

List Scanner Appliances

Lists scanner appliances in your account with their configurations.

Input

Input Parameter

Required/Optional

Description

Example

Output Mode

Optional

The amount of detail provided for each scanner. The available options are Brief and Full.

brief

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "APPLIANCE_LIST_OUTPUT": {
        "RESPONSE": {
            "DATETIME": "2022-04-26T18:21:07Z",
            "APPLIANCE_LIST": {
                "APPLIANCE": {
                    "ID": *****,
                    "UUID": "*****",
                    "NAME": "D3VM",
                    "SOFTWARE_VERSION": 2.6,
                    "RUNNING_SLICES_COUNT": 0,
                    "RUNNING_SCAN_COUNT": 0,
                    "STATUS": "Online"
                }
            }
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "ApplianceIDs": ["*****"],
  "ApplianceNames": ["D3VM"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID

UUID

NAME

SOFTWARE_VERSION

RUNNING_SLICES_COUNT

RUNNING_SCAN_COUNT

STATUS

*****

*****

D3VM

2.6

0

0

Online

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Scanner Appliances failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Page Not Found.

Error Sample Data

List Scanner Appliances failed.

Status Code: 404.

Message: Page Not Found.

List Scheduled Reports

Lists the scheduled reports in the account or retrieves a specified report.

Input

Input Parameter

Required/Optional

Description

Example

Status

Optional

The active status of the scheduled reports. If no selection is made, it defaults to returning both active and inactive reports. The available options are All, Active, and Inactive.

Active

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "SCHEDULE_REPORT_LIST_OUTPUT": {
        "RESPONSE": {
            "DATETIME": "2017-10-30T22:32:15Z",
            "SCHEDULE_REPORT_LIST": {
                "REPORT": [
                    {
                        "ID": "*****",
                        "TITLE": "Test 1 daily",
                        "OUTPUT_FORMAT": "PDF",
                        "TEMPLATE_TITLE": "tmp123",
                        "ACTIVE": "1",
                        "SCHEDULE": {
                            "DAILY": null
                        }
                    },
                    {
                        "ID": "*****",
                        "TITLE": "Test 2 daily",
                        "OUTPUT_FORMAT": "XML",
                        "TEMPLATE_TITLE": "tmp234",
                        "ACTIVE": "0",
                        "SCHEDULE": {
                            "DAILY": null
                        }
                    }
                ]
            }
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "ScheduledReportIDs": ["*****","*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ScheduledReportsCount

1

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Scheduled Reports failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Page Not Found.

Error Sample Data

List Scheduled Reports failed.

Status Code: 404.

Message: Page Not Found.

List Vulnerability Scan

Lists vulnerability scans in the user's account.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "SCAN_LIST_OUTPUT": {
        "RESPONSE": {
            "DATETIME": "2022-04-26T17:47:48Z",
            "SCAN_LIST": {
                "SCAN": [
                    {
                        "REF": "scan/*****.*****",
                        "TYPE": "API",
                        "TITLE": {
                            "__cdata": "test1"
                        },
                        "USER_LOGIN": "*****",
                        "LAUNCH_DATETIME": "2022-04-26T01:31:59Z",
                        "DURATION": "01:47:47",
                        "PROCESSING_PRIORITY": "0 - No Priority",
                        "PROCESSED": 1,
                        "STATUS": {
                            "STATE": "Finished"
                        },
                        "TARGET": {
                            "__cdata": "***.***.***.***-***.***.***.***"
                        }
                    },
                    {
                        "REF": "scan/*****.*****",
                        "TYPE": "API",
                        "TITLE": {
                            "__cdata": "test"
                        },
                        "USER_LOGIN": "*****",
                        "LAUNCH_DATETIME": "2022-04-26T00:07:23Z",
                        "DURATION": "01:48:36",
                        "PROCESSING_PRIORITY": "0 - No Priority",
                        "PROCESSED": 1,
                        "STATUS": {
                            "STATE": "Finished"
                        },
                        "TARGET": {
                            "__cdata": "***.***.***.***-***.***.***.***"
                        }
                    },
                    {
                        "REF": "scan/*****.*****",
                        "TYPE": "API",
                        "TITLE": {
                            "__cdata": "test"
                        },
                        "USER_LOGIN": "*****",
                        "LAUNCH_DATETIME": "2022-04-20T18:17:29Z",
                        "DURATION": "02:00:47",
                        "PROCESSING_PRIORITY": "0 - No Priority",
                        "PROCESSED": 1,
                        "STATUS": {
                            "STATE": "Finished"
                        },
                        "TARGET": {
                            "__cdata": "***.***.***.***-***.***.***.***"
                        }
                    },
                    {
                        "REF": "scan/*****.*****",
                        "TYPE": "Scheduled",
                        "TITLE": {
                            "__cdata": "Daily Scan"
                        },
                        "USER_LOGIN": "*****",
                        "LAUNCH_DATETIME": "2022-03-31T07:00:39Z",
                        "DURATION": "00:09:10",
                        "PROCESSING_PRIORITY": "0 - No Priority",
                        "PROCESSED": 1,
                        "STATUS": {
                            "STATE": "Finished",
                            "SUB_STATE": "No_Vuln"
                        },
                        "TARGET": {
                            "__cdata": "***.***.***.***,***.***.***.***,***.***.***.***,***.***.***.***-***.***.***.***"
                        }
                    },
                    {
                        "REF": "scan/*****.*****",
                        "TYPE": "Scheduled",
                        "TITLE": {
                            "__cdata": "Daily Scan"
                        },
                        "USER_LOGIN": "*****",
                        "LAUNCH_DATETIME": "2022-03-30T07:00:41Z",
                        "DURATION": "00:09:22",
                        "PROCESSING_PRIORITY": "0 - No Priority",
                        "PROCESSED": 1,
                        "STATUS": {
                            "STATE": "Finished",
                            "SUB_STATE": "No_Vuln"
                        },
                        "TARGET": {
                            "__cdata": "***.***.***.***,***.***.***.***,***.***.***.***,***.***.***.***-***.***.***.***"
                        }
                    },
                    {
                        "REF": "scan/*****.*****",
                        "TYPE": "Scheduled",
                        "TITLE": {
                            "__cdata": "Daily Scan"
                        },
                        "USER_LOGIN": "*****",
                        "LAUNCH_DATETIME": "2022-03-29T07:00:27Z",
                        "DURATION": "00:09:42",
                        "PROCESSING_PRIORITY": "0 - No Priority",
                        "PROCESSED": 1,
                        "STATUS": {
                            "STATE": "Finished",
                            "SUB_STATE": "No_Vuln"
                        },
                        "TARGET": {
                            "__cdata": "***.***.***.***,***.***.***.***,***.***.***.***,***.***.***.***-***.***.***.***"
                        }
                    },
                    {
                        "REF": "scan/*****.*****",
                        "TYPE": "Scheduled",
                        "TITLE": {
                            "__cdata": "Daily Scan"
                        },
                        "USER_LOGIN": "*****",
                        "LAUNCH_DATETIME": "2022-03-28T07:03:21Z",
                        "DURATION": "00:09:38",
                        "PROCESSING_PRIORITY": "0 - No Priority",
                        "PROCESSED": 1,
                        "STATUS": {
                            "STATE": "Finished",
                            "SUB_STATE": "No_Vuln"
                        },
                        "TARGET": {
                            "__cdata": "***.***.***.***,***.***.***.***,***.***.***.***,***.***.***.***-***.***.***.***"
                        }
                    }
                ]
            }
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "ScanRef": ["scan/*****.*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| REF | TYPE | TITLE | USER_LOGIN | LAUNCH_DATETIME | DURATION | PROCESSING_PRIORITY | PROCESSED | STATUS | TARGET |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| scan/*****.***** | API | {'__cdata': 'test1'} | ***** | 2022-04-26T01:31:59Z | 01:47:47 | 0 - No Priority | 1 | {'STATE': 'Finished'} | {'__cdata': '***.***.***.***-***.***.***.***'} |
| scan/*****.***** | API | {'__cdata': 'test'} | ***** | 2022-04-26T00:07:23Z | 01:48:36 | 0 - No Priority | 1 | {'STATE': 'Finished'} | {'__cdata': '***.***.***.***-***.***.***.***'} |
| scan/*****.***** | API | {'__cdata': 'test'} | ***** | 2022-04-20T18:17:29Z | 02:00:47 | 0 - No Priority | 1 | {'STATE': 'Finished'} | {'__cdata': '***.***.***.***-***.***.***.***'} |
| scan/*****.***** | Scheduled | {'__cdata': 'Daily Scan'} | ***** | 2022-03-31T07:00:39Z | 00:09:10 | 0 - No Priority | 1 | {'STATE': 'Finished', 'SUB_STATE': 'No_Vuln'} | {'__cdata': '***.***.***.***,***.***.***.***,***.***.***.***,***.***.***.***-***.***.***.***'} |
| scan/*****.***** | Scheduled | {'__cdata': 'Daily Scan'} | ***** | 2022-03-30T07:00:41Z | 00:09:22 | 0 - No Priority | 1 | {'STATE': 'Finished', 'SUB_STATE': 'No_Vuln'} | {'__cdata': '***.***.***.***,***.***.***.***,***.***.***.***,***.***.***.***-***.***.***.***'} |
| scan/*****.***** | Scheduled | {'__cdata': 'Daily Scan'} | ***** | 2022-03-29T07:00:27Z | 00:09:42 | 0 - No Priority | 1 | {'STATE': 'Finished', 'SUB_STATE': 'No_Vuln'} | {'__cdata': '***.***.***.***,***.***.***.***,***.***.***.***,***.***.***.***-***.***.***.***'} |
| scan/*****.***** | Scheduled | {'__cdata': 'Daily Scan'} | ***** | 2022-03-28T07:03:21Z | 00:09:38 | 0 - No Priority | 1 | {'STATE': 'Finished', 'SUB_STATE': 'No_Vuln'} | {'__cdata': '***.***.***.***,***.***.***.***,***.***.***.***,***.***.***.***-***.***.***.***'} |
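
A downstream playbook task that consumes the List Vulnerability Scan output has to unwrap the `__cdata` wrappers and the nested STATUS object before it can use ScanRef. The following is an added example, not code from D3 or Qualys. It assumes that an empty or one-item SCAN list may arrive as null or as a single object, and it reads the No_Vuln sub-state as "nothing to fetch"; the scan references and targets are constructed placeholders.

```python
# Added example (not D3 or Qualys code): read scan references from the
# List Vulnerability Scan Raw Data shown above.
import json


def _text(node):
    """Unwrap {"__cdata": "..."} wrappers; return plain values unchanged."""
    if isinstance(node, dict) and "__cdata" in node:
        return node["__cdata"]
    return node


def _as_list(node):
    """Assumption: an empty list may arrive as null, a one-item list as an object."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def scans_from_raw(raw):
    """Flatten SCAN_LIST_OUTPUT into simple dicts, tolerating missing branches."""
    response = (raw.get("SCAN_LIST_OUTPUT") or {}).get("RESPONSE") or {}
    scans = []
    for item in _as_list((response.get("SCAN_LIST") or {}).get("SCAN")):
        status = item.get("STATUS") or {}
        scans.append({
            "ref": item.get("REF"),
            "type": item.get("TYPE"),
            "title": _text(item.get("TITLE")),
            "state": status.get("STATE"),
            "sub_state": status.get("SUB_STATE"),  # absent on most scans
            "target": _text(item.get("TARGET")),
        })
    return scans


def refs_with_findings(raw):
    """References of finished scans whose sub-state is not No_Vuln."""
    return [s["ref"] for s in scans_from_raw(raw)
            if s["state"] == "Finished" and s["sub_state"] != "No_Vuln"]


# Constructed sample in the shape of the Raw Data above; references, titles
# and targets are placeholders (192.0.2.0/24 is a documentation range).
SAMPLE = json.loads("""
{"SCAN_LIST_OUTPUT": {"RESPONSE": {"DATETIME": "2022-04-26T17:47:48Z",
  "SCAN_LIST": {"SCAN": [
    {"REF": "scan/0000000001.00001", "TYPE": "API",
     "TITLE": {"__cdata": "test1"}, "STATUS": {"STATE": "Finished"},
     "TARGET": {"__cdata": "192.0.2.10-192.0.2.20"}},
    {"REF": "scan/0000000002.00002", "TYPE": "Scheduled",
     "TITLE": {"__cdata": "Daily Scan"},
     "STATUS": {"STATE": "Finished", "SUB_STATE": "No_Vuln"},
     "TARGET": {"__cdata": "192.0.2.30,192.0.2.40-192.0.2.50"}},
    {"REF": "scan/0000000003.00003", "TYPE": "API",
     "TITLE": {"__cdata": "test"}, "STATUS": {"STATE": "Running"},
     "TARGET": {"__cdata": "192.0.2.60"}}
  ]}}}}
""")

if __name__ == "__main__":
    for scan in scans_from_raw(SAMPLE):
        print(scan["ref"], scan["type"], scan["title"], scan["state"], scan["sub_state"])
    print("fetch results for:", refs_with_findings(SAMPLE))
```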

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Vulnerability Scan failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Page Not Found. |

Error Sample Data

List Vulnerability Scan failed.

Status Code: 404.

Message: Page Not Found.

Search Asset Reports

Searches reports in the account. The Report Share feature must be enabled in the subscription.

READER NOTE

Asset Group IDs and Asset Groups are optional parameters to run this command.

  • Run the List Asset Groups command to obtain Asset Group IDs. Asset Group IDs can be found from the returned raw data at the path $.RESPONSE.ASSET_GROUP_LIST[*].ID.

  • Run the List Asset Groups command to obtain Asset Groups. Asset Groups can be found from the returned raw data at the path $.RESPONSE.ASSET_GROUP_LIST[*].TITLE.

Although every parameter of this command is optional, at least one of the following parameters must have a value: "IPs", "Asset Group IDs", "Asset Groups", or "TagSet".

ALERT

Please note that different user roles will result in different access levels for searching asset reports:

  • Managers and Auditors can search reports on all assets in the subscription

  • Unit Managers can search reports on assets in their own business unit

  • Scanners and Readers can search reports on assets in their own account.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Tracking Method | Optional | The output displays only IP addresses/ranges that have a specific tracking method. | EC2 |
| IPs | Optional | The list of IPs or IP ranges which will be included in the report. An IP range is specified with a hyphen (for example, ***.***.***.***-***.***.***.***). At least one of the parameters must have a value: "IPs", "Asset Group IDs", "Asset Groups", or "TagSet". | [ "***.***.***.***", "***.***.***.***-***.***.***.***" ] |
| Asset Group IDs | Optional | The list of IDs of asset groups containing the hosts to be included in the asset search report. At least one of the parameters must have a value: "IPs", "Asset Group IDs", "Asset Groups", or "TagSet". Asset Group IDs can be obtained using the List Asset Groups command. | [ "***", "***" ] |
| Asset Groups | Optional | The list of titles of asset groups containing the hosts to be included in the asset search report. At least one of the parameters must have a value: "IPs", "Asset Group IDs", "Asset Groups", or "TagSet". Asset Groups can be obtained using the List Asset Groups command. | [ "group1", "group2" ] |
| TagSet | Optional | The configuration for using tags to select the hosts to be included in the asset search report. At least one of the parameters must have a value: "IPs", "Asset Group IDs", "Asset Groups", or "TagSet". The parameter schema is a JSON object with fixed keys and must contain at least one of the fields "tag_set_exclude" or "tag_set_include". Field keys not matching the requirement will be omitted. The keys are: "tag_set_by": "id" (default) or "name"; "tag_include_selector": "any" (default) or "all", to include the provided tags; "tag_set_include": comma-separated IDs or names of the tags to be included; "tag_exclude_selector": "any" (default) or "all", to exclude the provided tags; "tag_set_exclude": comma-separated IDs or names of the tags to be excluded. | { "tag_set_by": "name", "tag_include_selector": "any", "tag_set_include": "1,2,3", "tag_exclude_selector": "all", "tag_set_exclude": "6,7,8" } |
| Customized Filters | Optional | The JSON object contains any valid parameters for creating a detailed filter for the asset reports. Any other parameters with the same field names as the customized filters provided will be replaced. Refer to the documentation for more details on the valid parameters: Qualys API Documentation. | { "ec2_instance_status": "PENDING", "ec2_instance_id": "ec2abcd", "ec2_instance_id_modifier": "containing", "azure_vm_state": "RUNNING", "azure_vm_id": "zurevmid123", "azure_vm_id_modifier": "ending with", "os_name": "Microsoft", "os_modifier": "beginning with" } |
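
The input rules above (at least one selector, the fixed TagSet keys with their defaults, customized filters replacing same-named parameters) can be checked before any request is sent. The following is an added example, not code from D3 or Qualys. The request parameter names `tracking_method`, `ag_ids`, `ag_titles` and `use_tags` are assumptions about how the command maps its inputs, while `action`, `output_format`, `ips` and the `tag_*` keys appear on this page; the sample inputs are constructed.

```python
# Added example (not D3 or Qualys code): check Search Asset Reports inputs
# against the rules in the parameter table before any request is sent.
import ipaddress

TAG_DEFAULTS = {"tag_set_by": "id", "tag_include_selector": "any",
                "tag_exclude_selector": "any"}
TAG_ALLOWED = {"tag_set_by": {"id", "name"},
               "tag_include_selector": {"any", "all"},
               "tag_exclude_selector": {"any", "all"}}
TAG_LISTS = ("tag_set_include", "tag_set_exclude")


def check_ip_entry(entry):
    """Accept one IP, or a hyphenated range whose start is not after its end."""
    parts = [ipaddress.ip_address(p.strip()) for p in entry.split("-")]
    if len(parts) > 2 or (len(parts) == 2 and (
            parts[0].version != parts[1].version or parts[0] > parts[1])):
        raise ValueError(f"bad IP or range: {entry!r}")
    return "-".join(str(p) for p in parts)


def normalize_tag_set(tag_set):
    """Keep only the fixed TagSet keys, apply the defaults, reject bad values."""
    known = set(TAG_DEFAULTS) | set(TAG_LISTS)
    kept = {k: str(v).strip() for k, v in tag_set.items() if k in known}
    if not any(kept.get(k) for k in TAG_LISTS):
        raise ValueError("TagSet needs tag_set_include or tag_set_exclude")
    out = {}
    for key, default in TAG_DEFAULTS.items():
        out[key] = kept.get(key) or default
        if out[key] not in TAG_ALLOWED[key]:
            raise ValueError(f"{key} must be one of {sorted(TAG_ALLOWED[key])}")
    for key in TAG_LISTS:
        items = [t.strip() for t in kept.get(key, "").split(",") if t.strip()]
        if items:
            out[key] = ",".join(items)
    return out


def build_asset_search_params(ips=None, asset_group_ids=None, asset_groups=None,
                              tag_set=None, tracking_method=None,
                              customized_filters=None):
    """Return the request parameters for one search, or raise ValueError."""
    if not (ips or asset_group_ids or asset_groups or tag_set):
        raise ValueError('one of "IPs", "Asset Group IDs", "Asset Groups" '
                         'or "TagSet" must have a value')
    params = {"action": "search", "output_format": "xml"}
    if tracking_method:
        params["tracking_method"] = tracking_method  # assumed parameter name
    if ips:
        params["ips"] = ",".join(check_ip_entry(e) for e in ips)
    if asset_group_ids:
        params["ag_ids"] = ",".join(str(i) for i in asset_group_ids)  # assumed name
    if asset_groups:
        params["ag_titles"] = ",".join(asset_groups)  # assumed name
    if tag_set:
        params["use_tags"] = "1"  # assumed switch that enables the tag_* keys
        params.update(normalize_tag_set(tag_set))
    # Customized filters go last: a filter with the same field name as a
    # parameter set above replaces it, as the table describes.
    params.update(customized_filters or {})
    return params


if __name__ == "__main__":
    # Constructed inputs; 192.0.2.0/24 is a documentation range.
    print(build_asset_search_params(
        ips=["192.0.2.10", "192.0.2.20-192.0.2.30"],
        tag_set={"tag_set_by": "name", "tag_set_include": "web, db", "color": "x"},
        customized_filters={"os_name": "Microsoft", "os_modifier": "beginning with"}))
```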

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "ASSET_SEARCH_REPORT": {
        "HEADER": {
            "REQUEST": {
                "DATETIME": "2018-06-03T20:21:13Z",
                "USER_LOGIN": "john_sm",
                "RESOURCE": "https://qualysapi.qualys.com/api/*****/",
                "PARAM_LIST": {
                    "PARAM": [
                        {
                            "KEY": "action",
                            "VALUE": "search"
                        },
                        {
                            "KEY": "output_format",
                            "VALUE": "xml"
                        },
                        {
                            "KEY": "echo_request",
                            "VALUE": "1"
                        },
                        {
                            "KEY": "ips",
                            "VALUE": "***.***.***.***-***.***.***.***"
                        }
                    ]
                }
            },
            "COMPANY": "Corsa",
            "USERNAME": "John Smith",
            "GENERATION_DATETIME": "2018-06-03T20:21:13Z",
            "TOTAL": "2",
            "FILTERS": {
                "IP_LIST": {
                    "RANGE": {
                        "START": "***.***.***.***",
                        "END": "***.***.***.***"
                    }
                }
            }
        },
        "HOST_LIST": {
            "HOST": [
                {
                    "IP": "***.***.***.***",
                    "TRACKING_METHOD": "IP address",
                    "OPERATING_SYSTEM": "Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP",
                    "LAST_SCAN_DATE": "2018-06-03T09:11:21Z",
                    "FIRST_FOUND_DATE": "2018-06-03T07:11:46Z"
                },
                {
                    "IP": "***.***.***.***",
                    "TRACKING_METHOD": "IP address",
                    "DNS": "10-10-10-11.bogus.tld",
                    "NETBIOS": "SYS_10_10_10_11",
                    "OPERATING_SYSTEM": "Windows 2000 Server Service Pack 4",
                    "LAST_SCAN_DATE": "2018-06-03T07:12:47Z",
                    "LAST_COMPLIANCE_SCAN_DATE": "2018-05-13T21:15:01Z",
                    "FIRST_FOUND_DATE": "2018-05-12T15:16:54Z"
                }
            ]
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "HostIPs": ["***.***.***.***","***.***.***.***"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

HostsCount

1

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search Asset Reports failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Page Not Found. |

Error Sample Data

Search Asset Reports failed.

Status Code: 404.

Message: Page Not Found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Qualys portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Page Not Found. |

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 404.

Message: Page Not Found.
