diff --git a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
index 8c86f8fc71f..2f4386aa94d 100644
--- a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
+++ b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
@@ -391,7 +391,7 @@ rules:
body: "" # handling empty XML response
# Request knowledge_base with QID from Asset Host QID.
# QID: 101,102,103 (3 unique QIDs for host ID: 1,2)
- - path: /api/3.0/fo/knowledge_base/vuln/
+ - path: /api/4.0/fo/knowledge_base/vuln/
methods: ['GET']
query_params:
ids: 101,102,103
@@ -407,7 +407,7 @@ rules:
x-ratelimit-remaining: ["299"]
body: |-
-
+
2023-07-06T15:02:16Z
@@ -578,7 +578,7 @@ rules:
# Request knowledge_base with QID from Asset Host QID.
# QID: 102,103 (2 unique QIDs for host ID: 3)
- - path: /api/3.0/fo/knowledge_base/vuln/
+ - path: /api/4.0/fo/knowledge_base/vuln/
methods: ['GET']
query_params:
ids: 102,103
@@ -594,7 +594,7 @@ rules:
x-ratelimit-remaining: ["299"]
body: |-
-
+
2024-12-04T13:51:49Z
@@ -720,7 +720,7 @@ rules:
- - path: /api/3.0/fo/knowledge_base/vuln/
+ - path: /api/4.0/fo/knowledge_base/vuln/
methods: ['GET']
query_params:
ids: 123
@@ -736,7 +736,7 @@ rules:
x-ratelimit-remaining: ["299"]
body: |-
-
+
2023-07-06T15:02:16Z
@@ -797,7 +797,7 @@ rules:
# Two objects with:
# 1. Containing BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST containing multiple elements.
# 2. Containing BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST containing single elements.
- - path: /api/3.0/fo/knowledge_base/vuln/
+ - path: /api/4.0/fo/knowledge_base/vuln/
methods: ['GET']
query_params:
ids: 1,2
@@ -813,7 +813,7 @@ rules:
x-ratelimit-remaining: ["299"]
body: |-
-
+
2024-11-26T08:40:21Z
@@ -1001,7 +1001,7 @@ rules:
- - path: /api/3.0/fo/knowledge_base/vuln/
+ - path: /api/4.0/fo/knowledge_base/vuln/
methods: ['GET']
query_params:
last_modified_after: '{last_modified_after:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z'
@@ -1016,7 +1016,7 @@ rules:
x-ratelimit-remaining: ["299"]
body: |-
-
+
2023-10-26T09:47:22Z
diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml
index 3051c6a4d08..bf3c1fb397c 100644
--- a/packages/qualys_vmdr/changelog.yml
+++ b/packages/qualys_vmdr/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "6.15.0"
+ changes:
+ - description: Update knowledge base API to v4 for asset_host_detection and knowledge_base data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16727
- version: "6.14.1"
changes:
- description: Update XSD schema name to match Host Detection API v5.0 response.
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs b/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs
index bbf2fe5a767..d03f5d876d3 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs
+++ b/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs
@@ -178,7 +178,7 @@ program: |
).as(state, state.with(
!has(state.worklist) ? state :
has(state.worklist.HOST_QID_LIST) && size(state.worklist.HOST_QID_LIST) > 0 ?
- request("GET", state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/?" +
+ request("GET", state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/?" +
{
"ids": [front(state.worklist.HOST_QID_LIST, int(state.query_limit)).join(",")],
"action": ["list"],
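Review bot: The v4 path on the changed line is now spelled out a second time in the error text of the `@@ -280` hunk (`"message": "GET "+state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/: "`), so every future version bump has to touch both or the reported URL stops matching the one actually requested. Binding the path once where the request is built (mito's `.as()` is already used in this program, e.g. `"/api/4.0/fo/knowledge_base/vuln/".as(kb_path, …)`) and reusing `kb_path` in both the `request(...)` and the error message removes that drift; a one-line comment on the request, `# Knowledge base lookups use the v4 endpoint; host detection stays on v5 (see changelog 6.14.1)`, would also save the next reader from wondering why the two API versions differ. The enclosing `state.with(...)` expression starts and ends outside this hunk.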
@@ -189,7 +189,7 @@ program: |
"Authorization": ["Basic "+(state.user+":"+state.password).base64()],
}
}).do_request().as(resp, (resp.StatusCode == 200 ?
- resp.Body.as(xml, try(xml.decode_xml('qualys_api_3_0_kb'), "decode_xml_error_kb").as(kb_body,
+ resp.Body.as(xml, try(xml.decode_xml('qualys_api_4_0_kb'), "decode_xml_error_kb").as(kb_body,
!has(kb_body.decode_xml_error_kb)
?
(
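Review bot: The schema named on the changed decode line, `qualys_api_4_0_kb`, appears in this diff to be the v3 XSD under a new key: the `@@ -879` hunk changes only the key line and no hunk touches the XSD body. As I understand `decode_xml`'s use of the schema, it is what decides which elements repeat and how scalar values are typed, so if the v4 knowledge base response added or renamed elements, they would decode with the v3 shape (for example a single-occurrence list as an object) and the later `kb_body` handling would silently miss them. If the v4 and v3 schemas were compared and found element-compatible, say so next to the xsd key, e.g. `# Schema unchanged from the v3 endpoint; v4 response verified element-compatible`; otherwise the XSD should be regenerated from a v4 response. The enclosing expression starts and ends outside this hunk.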
@@ -280,7 +280,7 @@ program: |
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
- "message": "GET "+state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/: "+(
+ "message": "GET "+state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/: "+(
size(resp.Body) != 0 ?
string(resp.Body)
:
@@ -879,7 +879,7 @@ xsd:
- qualys_api_3_0_kb: |
+ qualys_api_4_0_kb: |
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
index f055bced64d..947cb49fba8 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
+++ b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json
@@ -1,11 +1,11 @@
{
- "@timestamp": "2025-12-09T13:06:00.619Z",
+ "@timestamp": "2025-12-30T06:25:12.497Z",
"agent": {
- "ephemeral_id": "5eb4618e-1fb2-4db3-a80a-a1c9d60ddf79",
- "id": "c25772f1-99b1-43d4-9ac3-8941538fa406",
- "name": "elastic-agent-11567",
+ "ephemeral_id": "83655e80-2729-4332-8ace-457dd3a0bcef",
+ "id": "12042b44-811d-4c3e-b827-11cfb8074c86",
+ "name": "elastic-agent-48916",
"type": "filebeat",
- "version": "8.19.4"
+ "version": "8.19.0"
},
"cloud": {
"instance": {
@@ -14,16 +14,16 @@
},
"data_stream": {
"dataset": "qualys_vmdr.asset_host_detection",
- "namespace": "88746",
+ "namespace": "83470",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "c25772f1-99b1-43d4-9ac3-8941538fa406",
+ "id": "12042b44-811d-4c3e-b827-11cfb8074c86",
"snapshot": false,
- "version": "8.19.4"
+ "version": "8.19.0"
},
"event": {
"agent_id_status": "verified",
@@ -32,9 +32,9 @@
],
"dataset": "qualys_vmdr.asset_host_detection",
"id": "11111111",
- "ingested": "2025-12-09T13:06:03Z",
+ "ingested": "2025-12-30T06:25:15Z",
"kind": "alert",
- "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker 
could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"040d4ccd-718d-43bb-8f0e-92a685dcd3e0\",\"interval_start\":\"2025-12-09T13:06:00.615439086Z\"}",
+ "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker 
could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8\",\"interval_start\":\"2025-12-30T06:25:12.491602751Z\"}",
"type": [
"info"
]
@@ -91,8 +91,8 @@
"hostname": "adfssrvr"
},
"id": "1",
- "interval_id": "040d4ccd-718d-43bb-8f0e-92a685dcd3e0",
- "interval_start": "2025-12-09T13:06:00.615Z",
+ "interval_id": "47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8",
+ "interval_start": "2025-12-30T06:25:12.491Z",
"ip": "10.50.2.111",
"knowledge_base": {
"category": "CGI",
diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs b/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs
index cf619f6b279..7f14bd2aa58 100644
--- a/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs
+++ b/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs
@@ -26,7 +26,7 @@ redact:
- password
program: |
state.with(
- request("GET", state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/?" +
+ request("GET", state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/?" +
state.?params.orValue("").parse_query().with({
"action": ["list"],
"last_modified_after": [state.?cursor.last_modified.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339))],
@@ -38,7 +38,7 @@ program: |
}
}).do_request().as(resp, (
resp.StatusCode == 200 ?
- resp.Body.as(xml, bytes(xml).decode_xml('qualys_api_3_0').as(body, {
+ resp.Body.as(xml, bytes(xml).decode_xml('qualys_api_4_0').as(body, {
"events": (
has(body.doc.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST)
?
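Review bot: The decode on the changed line, `bytes(xml).decode_xml('qualys_api_4_0')`, is not wrapped in `try()` the way the sibling asset_host_detection stream wraps its knowledge base decode (`try(xml.decode_xml('qualys_api_4_0_kb'), "decode_xml_error_kb")`), so a 200 response whose body is not well-formed XML would abort the whole program evaluation rather than surface as an error event. An endpoint version change is exactly when an unexpected body is most likely, so matching the sibling, `resp.Body.as(xml, try(bytes(xml).decode_xml('qualys_api_4_0'), "decode_xml_error").as(body, …` with a branch on `has(body.decode_xml_error)` that emits an error event, would keep such failures visible. Note also that, as far as this diff shows, `qualys_api_4_0` is the v3 XSD renamed (the `@@ -138` hunk changes only the key line), which deserves a comment confirming the v4 response was checked against it. The enclosing `state.with(...)` starts and ends outside this hunk.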
@@ -138,7 +138,7 @@ processors:
{{processors}}
{{/if}}
xsd:
- qualys_api_3_0: |
+ qualys_api_4_0: |
diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json b/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json
index 5eed5c6351b..ed0d0c2cccb 100644
--- a/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json
+++ b/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2023-06-29T12:20:46.000Z",
"agent": {
- "ephemeral_id": "4e6d92f6-8a28-471c-a03f-8c2685171b7b",
- "id": "dc86e78e-6670-441f-acdd-99309474050f",
- "name": "elastic-agent-65730",
+ "ephemeral_id": "98b85997-99e2-41ee-bb02-6532fae2b357",
+ "id": "706ea693-7cbe-44f8-902f-ee169e228005",
+ "name": "elastic-agent-80703",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.19.0"
},
"data_stream": {
"dataset": "qualys_vmdr.knowledge_base",
- "namespace": "47901",
+ "namespace": "60071",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "dc86e78e-6670-441f-acdd-99309474050f",
+ "id": "706ea693-7cbe-44f8-902f-ee169e228005",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.19.0"
},
"event": {
"agent_id_status": "verified",
@@ -26,10 +26,10 @@
"vulnerability"
],
"dataset": "qualys_vmdr.knowledge_base",
- "id": "11830",
- "ingested": "2024-09-25T21:49:31Z",
+ "id": "2",
+ "ingested": "2025-12-29T10:51:56Z",
"kind": "alert",
- "original": "{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"11830\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"\",\"VENDOR\":\"\"}]},\"SOLUTION\":\"\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"\",\"VULN_TYPE\":\"Vulnerability\"}",
+ "original": "{\"BUGTRAQ_LIST\":{\"BUGTRAQ\":[{\"ID\":\"9821\",\"URL\":\"https://url.com/bid/9821\"}]},\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"2\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"fusion\",\"VENDOR\":\"vmware\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"#text\":\"No_Patch\",\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VENDOR_REFERENCE_LIST\":{\"VENDOR_REFERENCE\":[{\"ID\":\"VMSA-2024-0010\",\"URL\":\"https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280\"}]},\"VULN_TYPE\":\"Vulnerability\"}",
"type": [
"info"
]
@@ -39,11 +39,23 @@
},
"qualys_vmdr": {
"knowledge_base": {
+ "bugtraq_list": [
+ {
+ "id": "9821",
+ "url": "https://url.com/bid/9821"
+ }
+ ],
"category": "CGI",
+ "consequence": {
+ "value": "Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks."
+ },
"cve_list": [
"CVE-2022-31629",
"CVE-2022-31628"
],
+ "diagnosis": {
+ "value": "This QID reports the absence of the following"
+ },
"discovery": {
"remote": 1
},
@@ -53,15 +65,32 @@
"patchable": false,
"pci_flag": true,
"published_datetime": "2017-06-05T21:34:49.000Z",
- "qid": "11830",
+ "qid": "2",
"severity_level": "2",
+ "software_list": [
+ {
+ "product": "fusion",
+ "vendor": "vmware"
+ }
+ ],
+ "solution": {
+ "value": "Note: To better debug the results of this QID"
+ },
"threat_intelligence": {
"intel": [
{
- "id": "8"
+ "id": "8",
+ "text": "No_Patch"
}
]
},
+ "title": "HTTP Security Header Not Detected",
+ "vendor_reference_list": [
+ {
+ "id": "VMSA-2024-0010",
+ "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280"
+ }
+ ],
"vuln_type": "Vulnerability"
}
},
@@ -81,4 +110,4 @@
],
"severity": "Medium"
}
-}
\ No newline at end of file
+}
diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md
index c6680e51a3b..ec6e2f5a3e0 100644
--- a/packages/qualys_vmdr/docs/README.md
+++ b/packages/qualys_vmdr/docs/README.md
@@ -107,13 +107,13 @@ An example event for `asset_host_detection` looks as following:
```json
{
- "@timestamp": "2025-12-09T13:06:00.619Z",
+ "@timestamp": "2025-12-30T06:25:12.497Z",
"agent": {
- "ephemeral_id": "5eb4618e-1fb2-4db3-a80a-a1c9d60ddf79",
- "id": "c25772f1-99b1-43d4-9ac3-8941538fa406",
- "name": "elastic-agent-11567",
+ "ephemeral_id": "83655e80-2729-4332-8ace-457dd3a0bcef",
+ "id": "12042b44-811d-4c3e-b827-11cfb8074c86",
+ "name": "elastic-agent-48916",
"type": "filebeat",
- "version": "8.19.4"
+ "version": "8.19.0"
},
"cloud": {
"instance": {
@@ -122,16 +122,16 @@ An example event for `asset_host_detection` looks as following:
},
"data_stream": {
"dataset": "qualys_vmdr.asset_host_detection",
- "namespace": "88746",
+ "namespace": "83470",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "c25772f1-99b1-43d4-9ac3-8941538fa406",
+ "id": "12042b44-811d-4c3e-b827-11cfb8074c86",
"snapshot": false,
- "version": "8.19.4"
+ "version": "8.19.0"
},
"event": {
"agent_id_status": "verified",
@@ -140,9 +140,9 @@ An example event for `asset_host_detection` looks as following:
],
"dataset": "qualys_vmdr.asset_host_detection",
"id": "11111111",
- "ingested": "2025-12-09T13:06:03Z",
+ "ingested": "2025-12-30T06:25:15Z",
"kind": "alert",
- "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker 
could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"040d4ccd-718d-43bb-8f0e-92a685dcd3e0\",\"interval_start\":\"2025-12-09T13:06:00.615439086Z\"}",
+ "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker 
could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8\",\"interval_start\":\"2025-12-30T06:25:12.491602751Z\"}",
"type": [
"info"
]
@@ -199,8 +199,8 @@ An example event for `asset_host_detection` looks as following:
"hostname": "adfssrvr"
},
"id": "1",
- "interval_id": "040d4ccd-718d-43bb-8f0e-92a685dcd3e0",
- "interval_start": "2025-12-09T13:06:00.615Z",
+ "interval_id": "47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8",
+ "interval_start": "2025-12-30T06:25:12.491Z",
"ip": "10.50.2.111",
"knowledge_base": {
"category": "CGI",
@@ -649,24 +649,24 @@ An example event for `knowledge_base` looks as following:
{
"@timestamp": "2023-06-29T12:20:46.000Z",
"agent": {
- "ephemeral_id": "4e6d92f6-8a28-471c-a03f-8c2685171b7b",
- "id": "dc86e78e-6670-441f-acdd-99309474050f",
- "name": "elastic-agent-65730",
+ "ephemeral_id": "98b85997-99e2-41ee-bb02-6532fae2b357",
+ "id": "706ea693-7cbe-44f8-902f-ee169e228005",
+ "name": "elastic-agent-80703",
"type": "filebeat",
- "version": "8.13.0"
+ "version": "8.19.0"
},
"data_stream": {
"dataset": "qualys_vmdr.knowledge_base",
- "namespace": "47901",
+ "namespace": "60071",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "dc86e78e-6670-441f-acdd-99309474050f",
+ "id": "706ea693-7cbe-44f8-902f-ee169e228005",
"snapshot": false,
- "version": "8.13.0"
+ "version": "8.19.0"
},
"event": {
"agent_id_status": "verified",
@@ -674,10 +674,10 @@ An example event for `knowledge_base` looks as following:
"vulnerability"
],
"dataset": "qualys_vmdr.knowledge_base",
- "id": "11830",
- "ingested": "2024-09-25T21:49:31Z",
+ "id": "2",
+ "ingested": "2025-12-29T10:51:56Z",
"kind": "alert",
- "original": "{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"11830\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"\",\"VENDOR\":\"\"}]},\"SOLUTION\":\"\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"\",\"VULN_TYPE\":\"Vulnerability\"}",
+ "original": "{\"BUGTRAQ_LIST\":{\"BUGTRAQ\":[{\"ID\":\"9821\",\"URL\":\"https://url.com/bid/9821\"}]},\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"2\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"fusion\",\"VENDOR\":\"vmware\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"#text\":\"No_Patch\",\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VENDOR_REFERENCE_LIST\":{\"VENDOR_REFERENCE\":[{\"ID\":\"VMSA-2024-0010\",\"URL\":\"https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280\"}]},\"VULN_TYPE\":\"Vulnerability\"}",
"type": [
"info"
]
@@ -687,11 +687,23 @@ An example event for `knowledge_base` looks as following:
},
"qualys_vmdr": {
"knowledge_base": {
+ "bugtraq_list": [
+ {
+ "id": "9821",
+ "url": "https://url.com/bid/9821"
+ }
+ ],
"category": "CGI",
+ "consequence": {
+ "value": "Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks."
+ },
"cve_list": [
"CVE-2022-31629",
"CVE-2022-31628"
],
+ "diagnosis": {
+ "value": "This QID reports the absence of the following"
+ },
"discovery": {
"remote": 1
},
@@ -701,15 +713,32 @@ An example event for `knowledge_base` looks as following:
"patchable": false,
"pci_flag": true,
"published_datetime": "2017-06-05T21:34:49.000Z",
- "qid": "11830",
+ "qid": "2",
"severity_level": "2",
+ "software_list": [
+ {
+ "product": "fusion",
+ "vendor": "vmware"
+ }
+ ],
+ "solution": {
+ "value": "Note: To better debug the results of this QID"
+ },
"threat_intelligence": {
"intel": [
{
- "id": "8"
+ "id": "8",
+ "text": "No_Patch"
}
]
},
+ "title": "HTTP Security Header Not Detected",
+ "vendor_reference_list": [
+ {
+ "id": "VMSA-2024-0010",
+ "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280"
+ }
+ ],
"vuln_type": "Vulnerability"
}
},
diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
index 541a3d588bf..f2ec54bf13f 100644
--- a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
+++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
@@ -78,6 +78,16 @@
external: ecs
- name: tags
external: ecs
+- name: threat.framework
+ external: ecs
+- name: threat.tactic.id
+ external: ecs
+- name: threat.tactic.name
+ external: ecs
+- name: threat.technique.id
+ external: ecs
+- name: threat.technique.name
+ external: ecs
- name: vulnerability.category
external: ecs
- name: vulnerability.classification
diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
index 8621c972fcb..d5224ca99ed 100644
--- a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
+++ b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
@@ -139,6 +139,8 @@
type: keyword
- name: severity
type: long
+ - name: source
+ type: keyword
- name: ssl
type: keyword
- name: status
@@ -147,6 +149,8 @@
type: long
- name: times_reopened
type: long
+ - name: trurisk_elimination_status
+ type: keyword
- name: type
type: keyword
- name: trurisk_elimination_status
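Review bot: The added `trurisk_elimination_status` definition duplicates an entry that already exists three lines below in the same nested field list (`- name: trurisk_elimination_status` is visible as trailing context of this hunk, with the same `type: keyword`), so the transform's field file now declares one field twice. Whether the package tooling rejects the duplicate or silently keeps one copy, it should not be committed this way: drop the two added lines and keep the pre-existing entry, or move it instead of copying it if alphabetical ordering was the goal. The new `source` field from the previous hunk has no such conflict, as far as the visible context shows.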
diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml
index 900d6c2ab05..b23d1125b79 100644
--- a/packages/qualys_vmdr/manifest.yml
+++ b/packages/qualys_vmdr/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.4.0"
name: qualys_vmdr
title: Qualys VMDR
-version: "6.14.1"
+version: "6.15.0"
description: Collect data from Qualys VMDR platform with Elastic Agent.
type: integration
categories: