elastic · moxarth-rathod · Jan 7, 2026 · Dec 30, 2025 · Dec 30, 2025
@@ -391,7 +391,7 @@ rules:
         body: "" # handling empty XML response
   # Request knowledge_base with QID from Asset Host QID.
   # QID: 101,102,103 (3 unique QIDs for host ID: 1,2)
-  - path: /api/3.0/fo/knowledge_base/vuln/
+  - path: /api/4.0/fo/knowledge_base/vuln/
     methods: ['GET']
     query_params:
       ids: 101,102,103
@@ -407,7 +407,7 @@ rules:
           x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
-          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
+          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/4.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
           <KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
               <RESPONSE>
                   <DATETIME>2023-07-06T15:02:16Z</DATETIME>
@@ -578,7 +578,7 @@ rules:
           </KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
   # Request knowledge_base with QID from Asset Host QID.
   # QID: 102,103 (2 unique QIDs for host ID: 3)
-  - path: /api/3.0/fo/knowledge_base/vuln/
+  - path: /api/4.0/fo/knowledge_base/vuln/
     methods: ['GET']
     query_params:
       ids: 102,103
@@ -594,7 +594,7 @@ rules:
           x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
-          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg2.apps.qualys.com/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
+          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg2.apps.qualys.com/api/4.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
           <KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
             <RESPONSE>
               <DATETIME>2024-12-04T13:51:49Z</DATETIME>
@@ -720,7 +720,7 @@ rules:
               </VULN_LIST>
             </RESPONSE>
           </KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
-  - path: /api/3.0/fo/knowledge_base/vuln/
+  - path: /api/4.0/fo/knowledge_base/vuln/
     methods: ['GET']
     query_params:
       ids: 123
@@ -736,7 +736,7 @@ rules:
           x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
-          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
+          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/4.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
           <KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
               <RESPONSE>
                   <DATETIME>2023-07-06T15:02:16Z</DATETIME>
@@ -797,7 +797,7 @@ rules:
   # Two objects with:
   #  1. Containing BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST containing multiple elements.
   #  2. Containing BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST containing single elements.
-  - path: /api/3.0/fo/knowledge_base/vuln/
+  - path: /api/4.0/fo/knowledge_base/vuln/
     methods: ['GET']
     query_params:
       ids: 1,2
@@ -813,7 +813,7 @@ rules:
           x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
-          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg2.apps.qualys.com/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
+          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg2.apps.qualys.com/api/4.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
           <KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
             <RESPONSE>
               <DATETIME>2024-11-26T08:40:21Z</DATETIME>
@@ -1001,7 +1001,7 @@ rules:
               </VULN_LIST>
             </RESPONSE>
           </KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
-  - path: /api/3.0/fo/knowledge_base/vuln/
+  - path: /api/4.0/fo/knowledge_base/vuln/
     methods: ['GET']
     query_params:
       last_modified_after: '{last_modified_after:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z'
@@ -1016,7 +1016,7 @@ rules:
           x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
-          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg1.apps.qualys.in/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
+          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg1.apps.qualys.in/api/4.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
           <KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
             <RESPONSE>
               <DATETIME>2023-10-26T09:47:22Z</DATETIME>

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "6.15.0"
+  changes:
+    - description: Update knowledge base API to v4 for asset_host_detection and knowledge_base data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16727
 - version: "6.14.1"
   changes:
     - description: Update XSD schema name to match Host Detection API v5.0 response. 

@@ -178,7 +178,7 @@ program: |
     ).as(state, state.with(
       !has(state.worklist) ? state :
         has(state.worklist.HOST_QID_LIST) && size(state.worklist.HOST_QID_LIST) > 0 ?
-          request("GET", state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/?" +
+          request("GET", state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/?" +
             {
               "ids": [front(state.worklist.HOST_QID_LIST, int(state.query_limit)).join(",")],
               "action": ["list"],
@@ -189,7 +189,7 @@ program: |
               "Authorization": ["Basic "+(state.user+":"+state.password).base64()],
             }
           }).do_request().as(resp, (resp.StatusCode == 200 ?
-            resp.Body.as(xml, try(xml.decode_xml('qualys_api_3_0_kb'), "decode_xml_error_kb").as(kb_body,
+            resp.Body.as(xml, try(xml.decode_xml('qualys_api_4_0_kb'), "decode_xml_error_kb").as(kb_body,
               !has(kb_body.decode_xml_error_kb)
               ?
                 (
@@ -280,7 +280,7 @@ program: |
                 "error": {
                   "code": string(resp.StatusCode),
                   "id": string(resp.Status),
-                  "message": "GET "+state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/: "+(
+                  "message": "GET "+state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/: "+(
                     size(resp.Body) != 0 ?
                       string(resp.Body)
                     :
@@ -879,7 +879,7 @@ xsd:
       </xsd:element>
       </xsd:schema>
 
-  qualys_api_3_0_kb: |
+  qualys_api_4_0_kb: |
     <xsd:schema xmlns:xsd='http://www.w3.org/2001/XMLSchema'>
 
       <xsd:element name='KNOWLEDGE_BASE_VULN_LIST_OUTPUT'>

@@ -1,11 +1,11 @@
 {
-    "@timestamp": "2025-12-09T13:06:00.619Z",
+    "@timestamp": "2025-12-30T06:25:12.497Z",
     "agent": {
-        "ephemeral_id": "5eb4618e-1fb2-4db3-a80a-a1c9d60ddf79",
-        "id": "c25772f1-99b1-43d4-9ac3-8941538fa406",
-        "name": "elastic-agent-11567",
+        "ephemeral_id": "83655e80-2729-4332-8ace-457dd3a0bcef",
+        "id": "12042b44-811d-4c3e-b827-11cfb8074c86",
+        "name": "elastic-agent-48916",
         "type": "filebeat",
-        "version": "8.19.4"
+        "version": "8.19.0"
     },
     "cloud": {
         "instance": {
@@ -14,16 +14,16 @@
     },
     "data_stream": {
         "dataset": "qualys_vmdr.asset_host_detection",
-        "namespace": "88746",
+        "namespace": "83470",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "c25772f1-99b1-43d4-9ac3-8941538fa406",
+        "id": "12042b44-811d-4c3e-b827-11cfb8074c86",
         "snapshot": false,
-        "version": "8.19.4"
+        "version": "8.19.0"
     },
     "event": {
         "agent_id_status": "verified",
@@ -32,9 +32,9 @@
         ],
         "dataset": "qualys_vmdr.asset_host_detection",
         "id": "11111111",
-        "ingested": "2025-12-09T13:06:03Z",
+        "ingested": "2025-12-30T06:25:15Z",
         "kind": "alert",
-        "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"040d4ccd-718d-43bb-8f0e-92a685dcd3e0\",\"interval_start\":\"2025-12-09T13:06:00.615439086Z\"}",
+        "original": "{\"DETECTION_LIST\":{\"AFFECT_RUNNING_KERNEL\":\"0\",\"CVE\":\"CVE-2023-48161,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235\",\"FIRST_FOUND_DATETIME\":\"2021-02-05T04:50:45Z\",\"IS_DISABLED\":\"0\",\"IS_IGNORED\":\"0\",\"LAST_FIXED_DATETIME\":\"2022-12-14T06:52:57Z\",\"LAST_FOUND_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_PROCESSED_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_TEST_DATETIME\":\"2024-03-08T20:15:41Z\",\"LAST_UPDATE_DATETIME\":\"2024-03-08T20:15:41Z\",\"LATEST_VULNERABILITY_DETECTION_SOURCE\":\"Cloud Agent\",\"MITRE_TACTIC_ID\":\"TA0008, TA0004\",\"MITRE_TACTIC_NAME\":\"lateral-movement, privilege-escalation\",\"MITRE_TECHNIQUE_ID\":\"T1210, T1068\",\"MITRE_TECHNIQUE_NAME\":\"Exploitation of Remote Services, Exploitation for Privilege Escalation\",\"QDS\":{\"#text\":\"35\",\"severity\":\"LOW\"},\"QDS_FACTORS\":{\"QDS_FACTOR\":[{\"#text\":\"7.7\",\"name\":\"CVSS\"},{\"#text\":\"v3.x\",\"name\":\"CVSS_version\"},{\"#text\":\"0.00232\",\"name\":\"epss\"},{\"#text\":\"AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"name\":\"CVSS_vector\"}]},\"QID\":\"101\",\"RESULTS\":\"Package\\tInstalled Version\\tRequired Version\\nlinux-cloud-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\\nlinux-aws-headers-4.4.0\\t1074_4.15.0-1126.135\\t1092\\nlinux-tools-4.4.0\\t1074-aws_4.4.0-1074.84\\t1092\\nlinux-aws-cloud-tools-4.4.0\\t1074_4.4.0-1074.84\\t1092\",\"SEVERITY\":\"3\",\"SSL\":\"0\",\"STATUS\":\"Active\",\"TIMES_FOUND\":\"5393\",\"TRURISK_ELIMINATION_STATUS\":\"FIXED\",\"TYPE\":\"Confirmed\",\"UNIQUE_VULN_ID\":\"11111111\",\"VULNERABILITY_DETECTION_SOURCES\":\"Cloud Agent,Internal Scanner\"},\"DNS\":\"adfssrvr.adfs.local\",\"DNS_DATA\":{\"DOMAIN\":\"adfs.local\",\"FQDN\":\"adfssrvr.adfs.local\",\"HOSTNAME\":\"adfssrvr\"},\"ID\":\"1\",\"IP\":\"10.50.2.111\",\"KNOWLEDGE_BASE\":{\"CATEGORY\":\"CGI\",\"CONSEQUENCE\":\"Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.\",\"CVE_LIST\":[\"CVE-2022-31629\",\"CVE-2022-31628\"],\"CVSS\":{\"BASE\":{\"#text\":\"7.7\",\"source\":\"service\"},\"TEMPORAL\":\"4.0\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\"},\"DIAGNOSIS\":\"This QID reports the absence of the following\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2023-06-29T12:20:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"1\",\"PUBLISHED_DATETIME\":\"2017-06-05T21:34:49Z\",\"QID\":\"101\",\"SEVERITY_LEVEL\":\"2\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"\\u003cB\\u003eNote:\\u003c/B\\u003e To better debug the results of this QID\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"id\":\"8\"}]},\"TITLE\":\"HTTP Security Header Not Detected\",\"VULN_TYPE\":\"Vulnerability\"},\"LAST_PC_SCANNED_DATE\":\"2023-06-28T09:58:12Z\",\"LAST_SCAN_DATETIME\":\"2023-07-03T06:25:17Z\",\"LAST_VM_SCANNED_DATE\":\"2023-07-03T06:23:47Z\",\"LAST_VM_SCANNED_DURATION\":\"1113\",\"NETBIOS\":\"ADFSSRVR\",\"OS\":\"Windows 2016/2019/10\",\"TRACKING_METHOD\":\"IP\",\"interval_id\":\"47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8\",\"interval_start\":\"2025-12-30T06:25:12.491602751Z\"}",
         "type": [
             "info"
         ]
@@ -91,8 +91,8 @@
                 "hostname": "adfssrvr"
             },
             "id": "1",
-            "interval_id": "040d4ccd-718d-43bb-8f0e-92a685dcd3e0",
-            "interval_start": "2025-12-09T13:06:00.615Z",
+            "interval_id": "47a80f3f-ccfb-45ac-b90e-c0a618bb5bb8",
+            "interval_start": "2025-12-30T06:25:12.491Z",
             "ip": "10.50.2.111",
             "knowledge_base": {
                 "category": "CGI",

@@ -26,7 +26,7 @@ redact:
     - password
 program: |
   state.with(
-    request("GET", state.url.trim_right("/") + "/api/3.0/fo/knowledge_base/vuln/?" +
+    request("GET", state.url.trim_right("/") + "/api/4.0/fo/knowledge_base/vuln/?" +
       state.?params.orValue("").parse_query().with({
         "action": ["list"],
         "last_modified_after": [state.?cursor.last_modified.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339))],
@@ -38,7 +38,7 @@ program: |
       }
     }).do_request().as(resp, (
       resp.StatusCode == 200 ?
-        resp.Body.as(xml, bytes(xml).decode_xml('qualys_api_3_0').as(body, {
+        resp.Body.as(xml, bytes(xml).decode_xml('qualys_api_4_0').as(body, {
           "events": (
             has(body.doc.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST)
             ?
@@ -138,7 +138,7 @@ processors:
 {{processors}}
 {{/if}}
 xsd:
-  qualys_api_3_0: |
+  qualys_api_4_0: |
     <xsd:schema xmlns:xsd='http://www.w3.org/2001/XMLSchema'>
 
       <xsd:element name='KNOWLEDGE_BASE_VULN_LIST_OUTPUT'>