Qualys Asset Discovery - SaaS

Qualys is a cloud-based solution for IT, security, and compliance. The Qualys Cloud Platform provides complete, real-time inventory of IT assets, continuous assessment of security and compliance posture, vulnerability identification and compromised assets. Qualys helps to automatically patch and quarantine assets while consolidating security and compliance stacks to reduce spend.

The Qualys Asset Discovery integration with Archer enables organizations to catalog network devices on a corporate network. Organizations can document the devices discovered on the network and track them in the Devices application using specific Archer use cases. Qualys Asset Discovery enables organizations to leverage the discovered devices and catalog those network devices within Archer.

Archer Exchange: With the Archer Exchange, the Archer team and our trusted partners have created a broad selection of supplemental, value-added offerings to help you get your unique risk management program on the right path, right from the start. You can leverage the Archer Exchange offerings to expand the use of Archer solutions into new business processes and address specific industry, geographic, regulatory, or technical requirements. The Archer Exchange features a fast and agile development cycle, enabling quick delivery of new and updated offerings for trending issues and connections to innovative technologies.

To learn more, see Qualys Asset Discovery Integration on the Archer Exchange.

On this page

Release notes

Release Version

Published Date

Notes

Archer 2025.08 February 2026 The JavaScript Transporter in Data Feed Manager has been updated to use Fetch instead of Request. Fetch is a modern JavaScript API for making HTTP requests, offering a simpler and more powerful alternative to the older Request library.

For more information, see the following blog post: Data Feed Manager JavaScript Transporter Scripts Require Update.

Release Version

Published Date

Notes

Archer 2025.04

July 2025

 Added TruRisk Score and removed mappings to EC2 attributes in the Devices application.

Archer 6.14

June 2024

Re-Signed JavaScript file.

Archer 6.14

January 2024

Pagination logic has been implemented for Qualys VM Knowledge Base data feed and data will be retrieved incrementally based on the “last modified before” and “last modified after” parameters.

Archer 6.14

October 2023

Data Field Mapping has been added for all the data feeds.

Archer 6.13

August 2023

Offering updates to accommodate the CPE input decoding logic for escaped characters. The XSLT has been updated for the following data feeds:

  • Archer 6.13 Qualys VM Hosts Extracted from Detections.dfx

  • Archer 6.13 Qualys VM Detections.dfx

Archer 6.12

February 2023

Archer 6.12 Qualys VM Knowledge Base Data Mapping update

Archer 6.7

December 2021

Re-signed JavaScript file

Archer 6.4 P1

November 2019

Initial Release

Requirements

Components

Requirement

Archer Solution

  • Audit Management

  • IT & Security Risk Management

  • Regulatory & Corporate Compliance Management

  • Third Party Management

Archer Use Case(s)

The following use cases can take advantage of the information provided by the Qualys integration:

  • Archer Audit Engagements & Workpapers

  • Archer Third Party Governance

  • Archer Business Continuity & Disaster Recovery Planning

  • Archer IT Controls Assurance

  • Archer IT Security Vulnerability Program

  • Archer IT Risk Management

  • Archer Cyber Incident & Breach Response

  • Archer PCI Management

  • Archer Information Security Management System (ISMS)

  • Archer Data Governance

Archer Applications

Leverages the Devices application

Uses Custom Objects

No

Requires Archer On-Demand License

No

Archer Requirements

Archer Platform Release 2025.08 and later

Supported Archer Environments

  • Archer SaaS

  • Archer On-Premises

Qualys Requirements

Valid Qualys license is required.

Integration diagram

The following diagram provides an overview of the interaction between Qualys and the Archer Qualys integration offering.

Configure the Archer Qualys VM Hosts data feed

The Qualys Hosts data feed is a JavaScript transporter data feed that retrieves device related data from the Qualys URL and creates and updates the records in the Archer Devices application.

The data feed must be configured. After setting up the data feed, you can schedule it to run as needed per your organization’s requirements. For more information on scheduling the data feed, see the Scheduling Data Feed section.

Configure the JavaScript Transporter settings

Before you upload a JavaScript file, you must configure the JavaScript Transporter settings in the Archer Control Panel.

Configure JavaScript Transporter settings

  1. Open the Archer Control Panel.

  2. Go to Instance Management > All Instances.

  3. Select an instance.

  4. On the General tab, go to the JavaScript Transporter section.

  5. In the Max Memory Limit field, set the value to 2048 MB (2 GB).

  6. In the Script Timeout field, set the value to 120 minutes (2 hours).

  7. Require Signature is active by default on install. Signed Certificate Thumbprints are required for all Hosted clients.

    1. In the Signing Certificate Thumbprints section, add a thumbprint for each digitally signed JavaScript file.

      1. In the Signing Certificate Thumbprints section, double-click an empty cell.

      2. Enter the digital thumbprint of the trusted certificate used to sign the JavaScript file.

        Note: For more information on how to obtain digital thumbprints, see "Digital Thumbprints" below.

        Important: If you enable Require Signature and do not specify thumbprints, JavaScript files will not be accepted by the system.

  8. On the toolbar, click Save.

Digital thumbprints

When running JavaScript data feeds, you can set the system to only allow digitally signed JavaScript files from trusted sources for security considerations.

For a certificate to be trusted, all certificates in the chain, including the Root CA Certificate and Intermediate CA certificates, must be trusted on both the Web Server and Services Server machines.

Archer Technologies LLC certificate in the Trusted Root CA Store 

By default, the Archer Technology LLC certificate is not present on every machine’s root.

  1. On the JavaScript file, right-click and select Properties.

    1. Click the Digital Signatures tab.

    2. From the Signature List window, select Archer Technologies LLC.

    3. Click the Details button.

    4. Click View Certificate.

    5. Click Install Certificate.

    6. Select Local Machine.

    7. Click Next.

    8. Select Place all certificates in the following store, and click Browse.

      1. Select Trusted Root Certification Authorities, and click OK.

      2. Click Next.

      3. Click Finish.

  2. Click OK.

Obtain a certificate thumbprint 

  1. On the Web Server and Services Server machines, open the Manage User Certificates program.

    1. From the Windows Start menu, launch certmgr. (Manage User Certificates).

    2. Navigate to Certificates – Local Computer > Trusted Root Certification Authorities > Certificates.

    3. Ensure the following certificates are in the Certificates sub-folder of the Trust Root Certification Authorities folder:

      • Archer Technologies LLC.

      • Archer Security 2048 V3 (Standard certificate).

  2. Verify that the certificate is trusted.

    1. Double-click the Archer Technologies LLC certificate.

    2. In the Certificate window, click the Certification Path tab.

    3. Ensure that the Certificate Status window displays the following message: “This certificate is OK.”

      Note: If the Certificate Status window displays a different message, follow the onscreen instructions.

  3. Obtain the trusted certificate thumbprint.

    1. In the Certificate window, click the Details tab.

    2. Scroll to and select the Thumbprint field.

      The certificate's digital thumbprint appears in the window.

    3. Copy the thumbprint.

      Note: For information on adding digital thumbprints, see Step 7a of "Configuring the JavaScript Transporter Settings".

Download the Qualys VM Hosts data feed

The Qualys Hosts data feed can be downloaded from the Qualys Asset Discovery Integration Exchange page.

  1. Extract the zip file and copy the Archer Qualys VM Hosts.dfx5 file.

  2. Copy the signed-QualysAPI_1.1.js JavaScript file.

  3. Paste the file into the location from which they will be used in this integration.

Set up the Qualys VM Hosts data feed

The integration leverages the API (/api/2.0/fo/asset/host/?action=list) to obtain a list of scanned hosts in the user’s account. The feed initiates the request to download the hosts by targeting the Qualys platform where your account is located, along with the availability to pass additional API parameters.

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Except for the parameters specified in this procedure, changes to the JavaScript file can only be achieved with a Professional Services engagement. For more information, contact your account representative.

Important: Archer implements with a unique key on DNS identification. However, we understand that environment configurations are unique across an organization’s infrastructure, therefore the unique key to identify if a Device already exists inside Archer, is configurable to each client. And where clients have multiple scanners scanning the same set of devices or IP ranges, the unique key should be altered to a matching algorithm that identifies the device, regardless of the source.

  1. Go to the Manage Data Feeds page with the following steps:

    1. From the menu bar, click the icon.

    2. Under Integration, click Data Feeds.

  2. In the Manage Data Feeds section, click Import.

  3. Locate and select the Archer Qualys VM Hosts.dfx5 file for the data feed.

  4. Click Open.

  5. In the General Information section, in the Status field, select Active.

  6. In the Additional Properties section, enable Optimize Calculations.

  7. Click the Transport tab.

  8. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the Signed-QualysAPI_1.1.js file, and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  9. In the Custom Parameters section, enter key values.

  10. The following table describes the value to enter for each key in Custom Parameters.    

    Key

    Value

    Description

    dataSource 

    hosts

    Must be "hosts".

    hostsUrl

    {URL}/api/2.0/fo/asset/host/?action=list&details=All&show_tags=1&show_trurisk=1

    Note: For a complete list of supported parameters for this URL call and their explanations, see the Qualys API 2.0 Reference Guide (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf).

    username 

    Requires valid value

    Default = [empty] 

    Qualys username

    password 

    Requires valid value

    Default = [empty] 

    Qualys password

    Important: The keys and values are case-sensitive, and cannot include extra spaces at the end of the strings.

    Note: The listed values are in place by default. They can be configured to suit your environment.

  11. (Optional) The following additional parameters are valid options for the Custom Parameters section for the current JavaScript file.

  12. Key 

    Value 

    Description 

    batchSize

    Default = 500 (records at a time)

    [Configurable] 

    Truncation_limit is a supported parameter to specify a maximum number of hosts records to process in a single call. JavaScript makes incremental calls to pull the next batch of data. If the requested list identifies more host records than the truncation limit, then the XML output includes the element and the URL for making another request for the next batch of host records.

    requestsPerMin

    Default = 60

    [Configurable value]  

    A parameter to allow clients to govern the number of API requests made by Archer to the external integration.

    Qualys Cloud Platform enforces limits on the API calls subscription users can make. The limits apply to the use of all APIs, except “session” API (session login/logout).

    socketLimit

    Default = 10

    [Configurable value of 1-25]      

    Indicates the maximum number of open socket channels to an endpoint to be used for TCP connections.

    maxRetry

    Default = 1

    [Configurable value of 0-2] 

    Indicates the amount of times a retry will occur where an "ECONNRESET" error is encountered. If a retry is unsuccessful and the maxRetry is exceeded, the data feed will fail.

    proxy 

    Optional

    Default = [empty]  

     

    verifyCerts 

    Default = False 

    [Configurable value of True / False] 

    Validates the website address matches the address on the certificate, similar to browser level validation.

  13. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  14. Click the Source Definition tab.

    1. Click the Tokens sub-tab.

    2. Verify token values.

    The following table describes token values to verify.

  15. Token Value

    LastRunTime

    (Populated by feed)

    Note: For more information about tokens, see "Data Feed Tokens" in the Archer Online Documentation.

  16. Verify that key field values are not missing from the data feed setup window.

  17. Click Save.

Schedule data feeds

When you schedule a data feed, the Data Feed Manager validates the information. If any information is invalid, an error message will display. You can save the data feed and correct the errors later, but that data feed is not processed until the errors are rectified.

Important: A data feed must be active and valid to successfully run.

  1. Go to the Schedule tab of the data feed that you want to modify.

    1. From the menu bar, click .

    2. Under Integration, click Data Feeds.

    3. Select the data feed that you want to modify.

    4. Click the Schedule tab.

  2. In the Recurrences section, enter the frequency, start and stop times, and time zone for the data feed.

  3. The following table describes the fields in the Recurrences section.

    Field

    Description

    Frequency

    Specifies the interval in which the data feed runs, for example, Minutely, Hourly, Daily, Weekly, Monthly, or Reference.

    • Minutely. Runs the data feed by the interval set.

    For example, if you specify 45 in the Every list, the data feed executes every 45 minutes.

    • Hourly. Runs the data feed by the interval set, for example, every hour (1), every other hour (2) and so forth.

    • Daily. Runs the data feed by the interval set, for example, every day (1), every other day (2) and, so forth.

    • Weekly. Runs the data feed based on a specified day of the week, for example, every Monday of the first week (1), every other Monday (2), and so forth.

    • Monthly. Runs the data feed based on a specified week of the month, for example, 1st, 2nd, 3rd, 4th, or Last.

    • Recurrence. Runs a specified data feed as runs before the current one. This option indicates to the Data Feed Service that this data feed starts as soon as the referenced data feed completes successfully. For example, you can select to have a Threats data feed run immediately after your Assets data feed finishes. From the Reference Feed list, select after which existing data feed the current data feed starts.

    A reference data feed will not run when immediately running a data feed. The Run Data Feed Now option only runs the current data feed.

    Every

    Specifies the interval of the frequency in which the data feed runs.

    Start Time

    Specifies the time the data feed starts running.

    Start Date

    Specifies the date on which the data feed schedule begins.

    Time Zone

    Specifies the time zone in of the server that runs the data feed.

  4. (Optional) In the Run Data Feed Now section, click Start to override the data feed schedule and run the data feed immediately. 

  5. Click Save.

  6. Test the data feed to ensure that all device details from Qualys were imported into the Devices application. If testing fails, try verifying the data feed and re-run the data feed. If you experience multiple failures, contact your Archer Partner.

Certification environment

Date Tested: February 2026

Product Name Version Information Operating System

Archer Suite

2025.08

Virtual Appliance

Qualys

NA

NA