_This _API Best Practices Series is designed for Qualys customer programmers or stakeholders with a general knowledge of programming who want to implement best practices for improving the development, design, and performance of their programs that use the Qualys API. For non-customers, the Qualys API demonstrates our commitment to interoperability with the enterprise IT security stack.
Qualys Policy Compliance (PC) automates the assessment of thousands of technical security controls. It also centralizes the documentation of evidence where misconfigurations and lapses have been discovered or fixed. Policy Compliance provides proof of compliance across industry standards, regulations, benchmarks, frameworks, and mandates that help harden and secure host systems against existing threats.
In this blog post, let’s discuss how to obtain Policy Compliance Data via Posture Streaming (PCRS) API. Discover Policy List, Host IDs, and Posture Information data in compressed JavaScript Object Notation (JSON) form and into the latest timestamped, point-in-time SQLite database.
To help programmers realize this goal, we are providing a blueprint of example code called QualysETL that is open-sourced under the Apache 2 License for your organization.
Before we proceed further, here’s a list of benefits from Policy Compliance.
The Qualys application programming interface (API) allows programmers to derive maximum benefit from Policy Compliance data. Your enterprise will benefit from the step-by-step instructions provided in this post, along with live examples to help you effectively extract, transform, load, and distribute Qualys PCRS data to your database in the cloud.
The Qualys API is a key component in the API-first model. Since the founding of Qualys in 1999, a rich set of Qualys APIs has been available and continues to improve. As a result, programmers at Qualys customer organizations have been able to automate processing Qualys in new ways, increasing their return on investment (ROI) and improving overall mean-time-to-remediate (MTTR).
In the diagram below, QualysETL is depicted as a workflow from which you can use the resulting compressed JSON or SQLite database for analysis on your desktop as part of a continuous live data feed to update your corporate data store in the cloud or your local data center.
Even with all these advances, some customers continue to experience suboptimal performance in automation.
So, let’s take a look at what are the inherent automation challenges to Extract, Transform, and Load (ETL) Qualys data?
And what do we mean by ETL?
With any API, there are inherent automation challenges. Some of these are:
In the Example JSON Output image below, we have noted some key fields, including:
You should transform JSON data for transfer or prepare the data for ingestion into a database for future correlations with other corporate data sources. The QualysETL blueprint of example code can help you here.
For more information about our JSON Fields in Qualys PCRS, please refer to the Compliance Section of the VM/PC API Guide.
QualysETL is a blueprint that can be used by your organization as a starting point to develop your ETL automation. In the image below, you can see the QualysETL workflow, which includes the following processes:
In the diagram, we show the base schema for the following tables:
These tables are automatically created through QualysETL of PCRS and will grow over time as Qualys adds new capabilities to PCRS. See the Compliance Section - Posture Streaming API (PCRS) for a complete list of fields available in PCRS API.
With PCRS data prepared for use, you want to distribute it for usage by your corporation. For example, you can distribute a timestamped version of the SQLite Database into an Amazon Web Services Relational Database Service or an AWS (Amazon Web Services) S3 Bucket. Further, you can make the SQLite database available locally for analysts so they process and report on vulnerabilities in your organization using their desktop tool of choice. Data usage flexibility is achieved at this point.
Contact your Qualys Technical Account Manager and arrange a meeting with David Gregory, Principal Solutions Architect of API, if you are interested in automation to inject data directly into your downstream database from QualysETL.
The PCRS Activity Diagram below depicts QualysETL pagination to obtain Qualys PCRS data along with the simultaneous loading of PCRS data into an SQL Database. The activities include:
API Call Recommendations:****
To authorize Postman API Calls, a Bearer Token will be used. Take a look at the following infographic using your credentials to obtain the Bearer Token. It should be saved for reuse and will expire in 4 hours.
Use your bearer token in the following examples:
In the first example, we use Postman to extract policies that have been evaluated with a “lastEvaluationDate” of epoch using the “/pcrs/1.0/posture/policy/list” endpoint.
The "https://{{base_url}}/"_ _is your subscription Gateway Server URL from Platform Identification.
If you are new to Postman, see the Qualys API Fundamentals Training to learn more about Postman and how it can be developed with Qualys API.
In the second example, the “/pcrs/1.0/posture/hostids” endpoint extracts a specific policy with all hosts scanned since epoch. You will use the resulting list of hosts in your next API call to get the posture information for each policy.
In the third example, the “/pcrs/1.0/posture/postureInfo” endpoint is used to extract specific policies posture information for the group of Host IDs passed to the API Call in the payload body of the request.
You can develop your integration with the PCRS API or leverage the QualysETL Blueprint of open-source Python code to download all your PCRS Data with a single command!
To install QualysETL, we recommend you provision a secure, patched, up-to-date virtual machine instance of Ubuntu 22.04 that has connectivity to the internet. When that step is completed, you can log into your Ubuntu instance and follow along with the accompanying video to install the application and run your first ETL.
The instructions are located on pypi.org at: <https://pypi.org/project/qualysetl/>
Next, you can run your own SQL queries to analyze the data and tune the application to meet your needs.
At this point, you should be able to query your PCRS SQLite database. Below is an example SQL query to find all the policies with a keyword in the title “DISA” and retrieve all corresponding records.
Leverage QualysETL as a blueprint of example code to produce a current PCRS SQLite Database, ready for analysis or distribution.
For questions, existing Qualys customers can schedule time through their Technical Account Manager to meet with our solutions architects for help. Non-customers can request access to the Qualys API or QualysETL as a free trial of Qualys Policy Compliance to learn more about their full capabilities.
The Qualys Security Blog’s API Best Practices series helps programmers at Qualys customer organizations create a unified view of Qualys data across our cloud services, including Qualys VMDR (Vulnerability Management, Detection, and Response), CSAM (Cyber Security Asset Management), WAS (Web Application Scanning) and PCRS (Policy Compliance – Posture Streaming API).
The API Best Practices Series will continue to expand over the coming months to cover other key aspects of the Qualys API, with each presentation building on the previous one and, in the aggregate, providing an overall best practice view of the Qualys API.