Qualys Asset Discovery - SaaS

Qualys is a cloud-based solution for IT, security, and compliance. The Qualys Cloud Platform provides complete, real-time inventory of IT assets, continuous assessment of security and compliance posture, vulnerability identification and compromised assets. Qualys helps to automatically patch and quarantine assets while consolidating security and compliance stacks to reduce spend.

The Qualys Asset Discovery integration with Archer enables organizations to catalog network devices on a corporate network. Organizations can document the devices discovered on the network and track them in the Devices application using specific Archer use cases. Qualys Asset Discovery enables organizations to leverage the discovered devices and catalog those network devices within Archer.

Archer Exchange: With the Archer Exchange, the Archer team has created a broad selection of supplemental, value-added offerings to help you get your unique risk management program on the right path, right from the start. You can leverage the Archer Exchange offerings to expand the use of Archer solutions into new business processes and address specific industry, geographic, regulatory, or technical requirements.

To learn more, see Qualys Asset Discovery Integration on the Archer Exchange.

On this page

Release notes

Release Version	Published Date	Notes
Archer 2025.08	February 2026	The JavaScript Transporter in Data Feed Manager has been updated to use Fetch instead of Request. Fetch is a modern JavaScript API for making HTTP requests, offering a simpler and more powerful alternative to the older Request library. For more information, see the following blog post: Data Feed Manager JavaScript Transporter Scripts Require Update.

Previous releases

Release Version	Published Date	Notes
Archer 2025.04	July 2025	Added TruRisk Score and removed mappings to EC2 attributes in the Devices application.
Archer 6.14	June 2024	Re-Signed JavaScript file.
Archer 6.14	January 2024	Pagination logic has been implemented for Qualys VM Knowledge Base data feed and data will be retrieved incrementally based on the “last modified before” and “last modified after” parameters.
Archer 6.14	October 2023	Data Field Mapping has been added for all the data feeds.
Archer 6.13	August 2023	Offering updates to accommodate the CPE input decoding logic for escaped characters. The XSLT has been updated for the following data feeds: Archer 6.13 Qualys VM Hosts Extracted from Detections.dfx Archer 6.13 Qualys VM Detections.dfx
Archer 6.12	February 2023	Archer 6.12 Qualys VM Knowledge Base Data Mapping update
Archer 6.7	December 2021	Re-signed JavaScript file
Archer 6.4 P1	November 2019	Initial Release

Requirements

Components	Requirement
Archer Solution	Audit Management IT & Security Risk Management Regulatory & Corporate Compliance Management Third Party Management
Archer Use Case(s)	The following use cases can take advantage of the information provided by the Qualys integration: Archer Audit Engagements & Workpapers Archer Third Party Governance Archer Business Continuity & Disaster Recovery Planning Archer IT Controls Assurance Archer IT Security Vulnerability Program Archer IT Risk Management Archer Cyber Incident & Breach Response Archer PCI Management Archer Information Security Management System (ISMS) Archer Data Governance
Archer Applications	Leverages the Devices application
Uses Custom Objects	No
Requires Archer On-Demand License	No
Archer requirements	Archer Platform Release 2025.08 and later
Supported Archer Environments	Archer SaaS Archer On-Premises
Qualys Requirements	Valid Qualys license is required.

Integration diagram

The following diagram provides an overview of the interaction between Qualys and the Archer Qualys integration offering.

Configure the Archer Qualys VM Hosts data feed

The Qualys Hosts data feed is a JavaScript transporter data feed that retrieves device related data from the Qualys URL and creates and updates the records in the Archer Devices application.

The data feed must be configured. After setting up the data feed, you can schedule it to run as needed per your organization’s requirements. For more information on scheduling the data feed, see the Scheduling Data Feed section.

Configure the JavaScript Transporter settings

Before you upload a JavaScript file, you must configure the JavaScript Transporter settings in the Archer Control Panel.

Configure JavaScript Transporter settings

Open the Archer Control Panel.
Go to Instance Management > All Instances.
Select an instance.
On the General tab, go to the JavaScript Transporter section.
In the Max Memory Limit field, set the value to 2048 MB (2 GB).
In the Script Timeout field, set the value to 120 minutes (2 hours).
Require Signature is active by default on install. Signed Certificate Thumbprints are required for all Hosted clients.
1. In the Signing Certificate Thumbprints section, add a thumbprint for each digitally signed JavaScript file.
  1. In the Signing Certificate Thumbprints section, double-click an empty cell.
  2. Enter the digital thumbprint of the trusted certificate used to sign the JavaScript file.
    
    Note: For more information on how to obtain digital thumbprints, see "Digital Thumbprints" below.
    
    Important: If you enable Require Signature and do not specify thumbprints, JavaScript files will not be accepted by the system.
On the toolbar, click Save.

Digital thumbprints

When running JavaScript data feeds, you can set the system to only allow digitally signed JavaScript files from trusted sources for security considerations.

For a certificate to be trusted, all certificates in the chain, including the Root CA Certificate and Intermediate CA certificates, must be trusted on both the Web Server and Services Server machines.

Archer Technologies LLC certificate in the Trusted Root CA Store

By default, the Archer Technology LLC certificate is not present on every machine’s root.

On the JavaScript file, right-click and select Properties.
1. Click the Digital Signatures tab.
2. From the Signature List window, select Archer Technologies LLC.
3. Click the Details button.
4. Click View Certificate.
5. Click Install Certificate.
6. Select Local Machine.
7. Click Next.
8. Select Place all certificates in the following store, and click Browse.
  1. Select Trusted Root Certification Authorities, and click OK.
  2. Click Next.
  3. Click Finish.
Click OK.

Obtain a certificate thumbprint

On the Web Server and Services Server machines, open the Manage User Certificates program.
1. From the Windows Start menu, launch certmgr. (Manage User Certificates).
2. Navigate to Certificates – Local Computer > Trusted Root Certification Authorities > Certificates.
3. Ensure the following certificates are in the Certificates sub-folder of the Trust Root Certification Authorities folder:
  - Archer Technologies LLC.
  - Archer Security 2048 V3 (Standard certificate).
Verify that the certificate is trusted.
1. Double-click the Archer Technologies LLC certificate.
2. In the Certificate window, click the Certification Path tab.
3. Ensure that the Certificate Status window displays the following message: “This certificate is OK.”
  
  Note: If the Certificate Status window displays a different message, follow the onscreen instructions.
Obtain the trusted certificate thumbprint.
1. In the Certificate window, click the Details tab.
2. Scroll to and select the Thumbprint field.
  
  The certificate's digital thumbprint appears in the window.
3. Copy the thumbprint.
  
  Note: For information on adding digital thumbprints, see Step 7a of "Configuring the JavaScript Transporter Settings".

Download the Qualys VM Hosts data feed

The Qualys Hosts data feed can be downloaded from the Qualys Asset Discovery Integration Exchange page.

Extract the zip file and copy the Archer Qualys VM Hosts.dfx5 file.
Copy the signed-QualysAPI_1.1.js JavaScript file.
Paste the file into the location from which they will be used in this integration.

Set up the Qualys VM Hosts data feed

The integration leverages the API (/api/2.0/fo/asset/host/?action=list) to obtain a list of scanned hosts in the user’s account. The feed initiates the request to download the hosts by targeting the Qualys platform where your account is located, along with the availability to pass additional API parameters.

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Except for the parameters specified in this procedure, changes to the JavaScript file can only be achieved with a Professional Services engagement. For more information, contact your account representative.

Important: Archer implements with a unique key on DNS identification. However, we understand that environment configurations are unique across an organization’s infrastructure, therefore the unique key to identify if a Device already exists inside Archer, is configurable to each client. And where clients have multiple scanners scanning the same set of devices or IP ranges, the unique key should be altered to a matching algorithm that identifies the device, regardless of the source.

Go to the Manage Data Feeds page with the following steps:
1. From the menu bar, click the icon.
2. Under Integration, click Data Feeds.
In the Manage Data Feeds section, click Import.
Locate and select the Archer Qualys VM Hosts.dfx5 file for the data feed.
Click Open.
In the General Information section, in the Status field, select Active.
In the Additional Properties section, enable Optimize Calculations.
Click the Transport tab.
In the Transport Configuration section, complete the following:
1. Click Upload.
2. From the Upload JavaScript File dialog, click Add New.
3. Locate and select the Signed-QualysAPI_1.1.js file, and click Open.
4. From the Upload JavaScript File dialog, click OK.
In the Custom Parameters section, enter key values.

The following table describes the value to enter for each key in Custom Parameters.

Key	Value	Description
dataSource	hosts	Must be "hosts".
hostsUrl	{URL}/api/2.0/fo/asset/host/?action=list&details=All&show_tags=1&show_trurisk=1	Note: For a complete list of supported parameters for this URL call and their explanations, see the Qualys API 2.0 Reference Guide (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf).
username	Requires valid value Default = [empty]	Qualys username
password	Requires valid value Default = [empty]	Qualys password

Important: The keys and values are case-sensitive, and cannot include extra spaces at the end of the strings.

Note: The listed values are in place by default. They can be configured to suit your environment.

(Optional) The following additional parameters are valid options for the Custom Parameters section for the current JavaScript file.

Key	Value	Description
batchSize	Default = 500 (records at a time) [Configurable]	Truncation_limit is a supported parameter to specify a maximum number of hosts records to process in a single call. JavaScript makes incremental calls to pull the next batch of data. If the requested list identifies more host records than the truncation limit, then the XML output includes the element and the URL for making another request for the next batch of host records.
requestsPerMin	Default = 60 [Configurable value]	A parameter to allow clients to govern the number of API requests made by Archer to the external integration. Qualys Cloud Platform enforces limits on the API calls subscription users can make. The limits apply to the use of all APIs, except “session” API (session login/logout).
socketLimit	Default = 10 [Configurable value of 1-25]	Indicates the maximum number of open socket channels to an endpoint to be used for TCP connections.
maxRetry	Default = 1 [Configurable value of 0-2]	Indicates the amount of times a retry will occur where an "ECONNRESET" error is encountered. If a retry is unsuccessful and the maxRetry is exceeded, the data feed will fail.
proxy	Optional Default = [empty]
verifyCerts	Default = False [Configurable value of True / False]	Validates the website address matches the address on the certificate, similar to browser level validation.

For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.
Click the Source Definition tab.
1. Click the Tokens sub-tab.
2. Verify token values.
The following table describes token values to verify.

Token	Value
LastRunTime	(Populated by feed)

Note: For more information about tokens, see "Data Feed Tokens" in the Archer Online Documentation.

Verify that key field values are not missing from the data feed setup window.
Click Save.

Schedule data feeds

When you schedule a data feed, the Data Feed Manager validates the information. If any information is invalid, an error message will display. You can save the data feed and correct the errors later, but that data feed is not processed until the errors are rectified.

Important: A data feed must be active and valid to successfully run.

Go to the Schedule tab of the data feed that you want to modify.
1. From the menu bar, click .
2. Under Integration, click Data Feeds.
3. Select the data feed that you want to modify.
4. Click the Schedule tab.
In the Recurrences section, enter the frequency, start and stop times, and time zone for the data feed.

The following table describes the fields in the Recurrences section.
Field	Description
Frequency	Specifies the interval in which the data feed runs, for example, Minutely, Hourly, Daily, Weekly, Monthly, or Reference. Minutely. Runs the data feed by the interval set. For example, if you specify 45 in the Every list, the data feed executes every 45 minutes. Hourly. Runs the data feed by the interval set, for example, every hour (1), every other hour (2) and so forth. Daily. Runs the data feed by the interval set, for example, every day (1), every other day (2) and, so forth. Weekly. Runs the data feed based on a specified day of the week, for example, every Monday of the first week (1), every other Monday (2), and so forth. Monthly. Runs the data feed based on a specified week of the month, for example, 1st, 2nd, 3rd, 4th, or Last. Recurrence. Runs a specified data feed as runs before the current one. This option indicates to the Data Feed Service that this data feed starts as soon as the referenced data feed completes successfully. For example, you can select to have a Threats data feed run immediately after your Assets data feed finishes. From the Reference Feed list, select after which existing data feed the current data feed starts. A reference data feed will not run when immediately running a data feed. The Run Data Feed Now option only runs the current data feed.
Every	Specifies the interval of the frequency in which the data feed runs.
Start Time	Specifies the time the data feed starts running.
Start Date	Specifies the date on which the data feed schedule begins.
Time Zone	Specifies the time zone in of the server that runs the data feed.

(Optional) In the Run Data Feed Now section, click Start to override the data feed schedule and run the data feed immediately.
Click Save.
Test the data feed to ensure that all device details from Qualys were imported into the Devices application. If testing fails, try verifying the data feed and re-run the data feed. If you experience multiple failures, contact your Archer Partner.

Certification environment

Date Tested: February 2026

Product Name	Version Information	Operating System
Archer Suite	2025.08	Virtual Appliance
Qualys	NA	NA