Qualys Vulnerability Management Integration - 2025.04

Qualys Vulnerability Management is a cloud-based service that provides immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.

With the Archer Exchange, the Archer team and our trusted partners have created a broad selection of supplemental, value-added offerings to help you get your unique risk management program on the right path, right from the start. You can leverage the Archer Exchange offerings to expand the use of Archer solutions into new business processes and address specific industry, geographic, regulatory, or technical requirements. The Archer Exchange features a fast and agile development cycle, enabling quick delivery of new and updated offerings for trending issues and connections to innovative technologies.

To learn more, see Qualys Vulnerability Management Integration on the Archer Exchange.

 

Release notes

| Release Version | Published Date | Notes |
|---|---|---|
| 2025.04 | July 2025 | Added Real-time threat indicators, True Risk Scores, Qualys Asset IDs, Qualys Detection Scoring. Optimized performance by making various mapping changes. |
| Archer 6.14 | June 2024 | Re-Signed JavaScript file. |
| Archer 6.14 | January 2024 | Pagination logic has been implemented for the Qualys VM Knowledge Base data feed, and data will be retrieved incrementally based on the "last modified before" and "last modified after" parameters. |
| Archer 6.14 | October 2023 | Data Field Mapping has been added for all the data feeds. |
| Archer 6.13 | August 2023 | Offering updates to accommodate the CPE input decoding logic for escaped characters. The XSLT has been updated for the following data feeds: (1) Archer 6.13 Qualys VM Hosts Extracted From Detections.dfx; (2) Archer 6.13 Qualys VM Detections.dfx |
| Archer 6.12 | February 2023 | Archer 6.12 Qualys VM Knowledge Base Data Mapping update |
| Archer 6.7 | December 2021 | Re-Signed JavaScript file. |
| Archer 6.7 | May 2020 | Offering updated to leverage the Application Managed Output Writer for JavaScript Transporter and notes to update required Archer version 6.7 use cases. Added note regarding network connectivity issues when extracting large amounts of data. |
| Archer 6.4 SP1 | August 2018 | Initial Release |

Overview

Key features and benefits

The Qualys VM integration with the Archer IT & Security Vulnerabilities Program use case enables organizations to:

  • Catalog network devices on a corporate network

  • Discover network device vulnerabilities using scanning technology.

  • Supplement the Vulnerability Library with Qualys’ knowledge base.

Important: If your integration is attempting to extract large amounts of data, the execution of the JavaScript code could take multiple hours. To avoid a timeout of the session token, the Archer Services Parameter must be extended. Currently the Archer Services account timeout parameter is set by default to 30 minutes. If the JavaScript code has not completed in the allotted time frame, the data feed will fail.

Prerequisites

| Components | Requirement |
|---|---|
| Archer Solution | IT Security Risk Management |
| Archer Use Case | IT & Security Vulnerabilities Program |
| Archer Applications | Devices; Vulnerability Library; Vulnerability Scan Results |
| Requires Archer On-Demand Application (ODA) License | No |
| Archer Requirements | Archer Platform Release 2025.04 and later |
| Supported Archer Environments | Archer SaaS; Archer On-Premises (see documentation for Qualys Vulnerability Management for Archer On-Premise) |
| Partner/Vendor Requirements | Valid Qualys license required. |

Integration diagram

[Figure: integration diagram]

Installation and configuration

This section provides instructions for configuring the Qualys VM data feeds in the Archer Platform. This document is not intended to suggest optimum installations or configurations. 

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.

The Archer IT Security Vulnerability Program use case must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. 

The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes.  It may or may not meet the needs and use cases for your organization.  If additional customizations or enhancements are needed, it is recommended that customers contact Archer Professional Services for assistance.

Data feed configuration

Included data feeds

The following data feeds are provided with this integration.

| Data Feed | Description |
|---|---|
| Archer 2025.04 Qualys VM Knowledge Base | This JavaScript Transporter feed utilizes API calls to extract all exploitable vulnerabilities from a Qualys vulnerability database. Qualys data is imported and leveraged in the Vulnerability Library application. |
| Archer 2025.04 Qualys VM Hosts | This JavaScript Transporter feed utilizes API calls to extract all the asset inventory discovered based on a client's scanner configuration and implementation. Qualys VM data is imported and leveraged in the Devices application. For data ingestion, Archer offers configurable settings that allow individual clients to define how to uniquely identify devices in their organization. |
| Archer 2025.04 Qualys VM Hosts Extracted From Detections | This JavaScript Transporter feed utilizes API calls to extract all the asset inventory from the hosts vulnerability detection data. Qualys VM data is imported and leveraged in the Devices application. For data ingestion, Archer offers configurable settings that allow individual clients to define how to uniquely identify devices in their organization. |
| Archer 2025.04 Qualys VM Hosts Extracted From Detections - Fixed Detections Only | This feed works the same as the Qualys VM Hosts Extracted From Detections feed, but it only queries hosts that have a fixed vulnerability for the time frame requested. |
| Archer 2025.04 Qualys VM Detections | This JavaScript Transporter feed utilizes API calls to extract a list of hosts with each host's latest vulnerability data. For data ingestion, Archer offers configurable settings that allow individual clients to define how to uniquely identify vulnerability detections in their organization. |
| Archer 2025.04 Qualys VM Detections - Fixed Detections Only | This feed works the same as the Qualys VM Detections feed, but it only pulls detections in the "fixed" status. This is useful to optimize data feed performance. |

Important: You must install all package files before importing data feeds. Package files include the IT Security Vulnerabilities Program use case package, the Enterprise Catalog package, and the Issues Management prerequisite use case package. For more information, see the “Installing the Packages” section of the IT Security Vulnerabilities Program use case in the Archer Online Documentation.

Data feed import sequence

Import and run the data feeds in the following order:

  1. (Optional) NVD Data Feeds

    Note: For information on setting up the NVD data feeds, see the NIST National Vulnerability Database (NVD) Integration in the Archer Help Center.

    The following data feeds can be set up to run as a convoy. Schedule the Knowledge Base feed and have each subsequent feed run after the previous one. It is important to run the KB, Hosts, and Detections feeds in that order.

  2. Archer 2025.04 Qualys VM Knowledge Base.dfx5

  3. Archer 2025.04 Qualys VM Hosts.dfx5

  4. Archer 2025.04 Qualys VM Hosts Extracted From Detections.dfx5 (optional; only needed for certain OS information fields)

  5. Archer 2025.04 Qualys VM Hosts Extracted From Detections - Fixed Detections Only.dfx5 (optional; only needed for certain OS information fields)

  6. Archer 2025.04 Qualys VM Detections.dfx5

  7. Archer 2025.04 Qualys VM Detections - Fixed Detections Only.dfx5 (can be on a different schedule)

Note: After setting up the data feeds, you can schedule the feeds to run when you want to. The Archer 2025.04 Qualys VM feeds are designed so that they can easily be decoupled and run on a more frequent schedule to fit your needs. For more information, see the Scheduling Data Feeds section.

Configure the JavaScript Transporter settings

Before you upload a JavaScript file, you must configure the JavaScript Transporter settings in the Archer Control Panel.

Configure JavaScript Transporter settings

  1. Open the Archer Control Panel.

  2. Go to Instance Management > All Instances.

  3. Select an instance.

  4. On the General tab, go to the JavaScript Transporter section.

  5. In the Max Memory Limit field, set the value to 2048 MB (2 GB).

  6. In the Script Timeout field, set the value to 120 minutes (2 hours).

  7. Require Signature is active by default on install. Signed Certificate Thumbprints are required for all Hosted clients.

    1. In the Signing Certificate Thumbprints section, add a thumbprint for each digitally signed JavaScript file.

      1. In the Signing Certificate Thumbprints section, double-click an empty cell.

      2. Enter the digital thumbprint of the trusted certificate used to sign the JavaScript file.

        Note: For more information on how to obtain digital thumbprints, see "Digital Thumbprints" below.

        Important: If you enable Require Signature and do not specify thumbprints, JavaScript files will not be accepted by the system.

  8. On the toolbar, click Save.

Digital thumbprints

When running JavaScript data feeds, you can set the system to only allow digitally signed JavaScript files from trusted sources for security considerations.

For a certificate to be trusted, all certificates in the chain, including the Root CA Certificate and Intermediate CA certificates, must be trusted on both the Web Server and Services Server machines.

Archer Technologies LLC certificate in the Trusted Root CA Store 

By default, the Archer Technologies Security LLC certificate is not present in every machine's root store.

  1. On the JavaScript file, right-click and select Properties.

    1. Click the Digital Signatures tab.

    2. From the Signature List window, select Archer Technologies Security LLC.

    3. Click the Details button.

    4. Click View Certificate.

    5. Click Install Certificate.

    6. Select Local Machine.

    7. Click Next.

    8. Select Place all certificates in the following store, and click Browse.

      1. Select Trusted Root Certification Authorities, and click OK.

      2. Click Next.

      3. Click Finish.

  2. Upon successful import, click OK.

Obtain a certificate thumbprint 

  1. On the Web Server and Services Server machines, open the Manage User Certificates program.

    1. From the Windows Start menu, launch certmgr. (Manage User Certificates).

    2. Navigate to Certificates – Local Computer > Trusted Root Certification Authorities > Certificates.

    3. Ensure the following certificates are in the Certificates sub-folder of the Trusted Root Certification Authorities folder:

      • Archer Technologies Security LLC.

      • Archer Technologies Security 2048 V3 (Standard certificate).

  2. Verify that the certificate is trusted.

    1. Double-click the Archer Technologies Security LLC certificate.

    2. In the Certificate window, click the Certification Path tab.

    3. Ensure that the Certificate Status window displays the following message: “This certificate is OK.”

      Note: If the Certificate Status window displays a different message, follow the onscreen instructions.

  3. Obtain the trusted certificate thumbprint.

    1. In the Certificate window, click the Details tab.

    2. Scroll to and select the Thumbprint field.

      The certificate's digital thumbprint appears in the window.

    3. Copy the thumbprint.

      Note: For information on adding digital thumbprints, see Step 7a of "Configuring the JavaScript Transporter Settings" above.

Set up the Archer 2025.04 Qualys VM Knowledge Base data feed

The integration leverages the API (/api/2.0/fo/knowledge_base/vuln/?action=list) to obtain vulnerability data, such as the vulnerability description, threat, and impact. The feed initiates the request to download the vulnerabilities from Qualys' Knowledge Base by targeting the Qualys platform where your account is located, along with the ability to pass additional API parameters.

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Except for the parameters specified in this procedure, changes to the JavaScript file can only be achieved with a Professional Services engagement. For more information, contact your account representative.

Important: Due to the high volume of Knowledge Base content, the data feed retrieves content for the last 10 years only. For the initial base load of data, execute the data feed with the last_modified_after parameter set to <LastRunTime> (the default setting) and with the Last Run Time in the Run Configuration setting left blank. On subsequent executions, the Last Run Time token will have been populated by the initial data feed execution, so the data feed updates content incrementally.

Due to inconsistent high volume of data, the data feed should be executed with the following parameter values. 

  1. requestsPerMin = 5 for Qualys Standard Level Subscription (default), 12 for Enterprise Level Subscription, and 33 for Premium Level Subscription.

  2. last_modified_after = The default value is the <LastRunTime> token. The first run of the data feed will be for initial data population as the token is empty. For subsequent runs, the data feed will take the Last Run Token value and update the incremental data. In case of specific requirements, provide the value of the required date in YYYY-MM-DD format.

  3. last_modified_before = The default value of the parameter is Current Date. In case of specific requirements, provide the value of the required date in YYYY-MM-DD format.

  4. daysToBeIncremented = The default value has been set to 45 days. The maximum value that can be set is 50 days.

  5. The Max Memory Limit (MB) in the JavaScript Transporter settings of Archer Control Panel was increased to 2048 MB (default 1024 MB).

The data feed executed successfully during testing with the above set of parameters. If the script fails due to a high volume of data, apply the following configurations and execute the data feed again.

  • Decrease the `daysToBeIncremented` parameter value.

  • Increase the Max Memory Limit (MB) in the JavaScript Transporter settings of Archer Control Panel.

Important: No truncation_limit is available for Knowledge Base data. Ultimately without the availability of a truncation_limit, we are unable to fully leverage our output writer and therefore not able to write portions of the data to file. We are storing the entirety of the data in memory which requires a temporary increase in the Max Memory Limit in the Archer Control Panel. The data feed will pull data for the last 10 years only. This limit has been set due to high volume of data.
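The date windowing and request pacing described above can be planned ahead of a run. The following is an added example, not the signed Archer JavaScript file: the helper names and the server name are hypothetical, and it assumes that LastRunTime begins with a YYYY-MM-DD date and that consecutive windows share their boundary day so no modification falls between two requests.

```javascript
// Added illustration; not the signed Archer script. Parameter names come from
// the Custom Parameters table, the helper names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;
const MAX_DAYS_PER_WINDOW = 50; // documented maximum for daysToBeIncremented
const INITIAL_LOAD_YEARS = 10;  // documented look-back when LastRunTime is empty

function formatDay(date) {
  return date.toISOString().slice(0, 10);
}

// Strict YYYY-MM-DD parser (UTC midnight); rejects dates such as 2025-02-30.
function parseDay(text) {
  const date = /^\d{4}-\d{2}-\d{2}$/.test(text)
    ? new Date(`${text}T00:00:00Z`)
    : new Date(NaN);
  if (Number.isNaN(date.getTime()) || formatDay(date) !== text) {
    throw new RangeError(`expected a real YYYY-MM-DD date, got "${text}"`);
  }
  return date;
}

function addDays(date, days) {
  return new Date(date.getTime() + days * DAY_MS);
}

// First run: today minus 10 years. Later runs: LastRunTime plus the offset
// (-1 day), so records modified around the previous run are fetched again.
// Assumption: LastRunTime starts with a YYYY-MM-DD date.
function resolveStart({ lastRunTime, today, lastRunTimeOffset = -1 }) {
  if (!lastRunTime) {
    const start = parseDay(today);
    start.setUTCFullYear(start.getUTCFullYear() - INITIAL_LOAD_YEARS);
    return formatDay(start);
  }
  const lastRunDay = parseDay(String(lastRunTime).slice(0, 10));
  return formatDay(addDays(lastRunDay, lastRunTimeOffset));
}

// Split [after, before] into windows of at most daysToBeIncremented days.
// Assumption: adjacent windows share their boundary day (duplicates are
// cheaper than gaps for a feed that updates existing records).
function buildWindows({ after, before, daysToBeIncremented = 45 }) {
  if (!Number.isInteger(daysToBeIncremented) ||
      daysToBeIncremented < 1 || daysToBeIncremented > MAX_DAYS_PER_WINDOW) {
    throw new RangeError(`daysToBeIncremented must be 1-${MAX_DAYS_PER_WINDOW}`);
  }
  const end = parseDay(before);
  let cursor = parseDay(after);
  if (cursor > end) {
    throw new RangeError('last_modified_after is later than last_modified_before');
  }
  const windows = [];
  do {
    const next = addDays(cursor, daysToBeIncremented);
    const stop = next < end ? next : end;
    windows.push({
      last_modified_after: formatDay(cursor),
      last_modified_before: formatDay(stop),
    });
    cursor = stop;
  } while (cursor < end);
  return windows;
}

// Credentials travel with every call, so refuse anything but https.
function buildKbUrl(apiServer, range) {
  const url = new URL('/api/2.0/fo/knowledge_base/vuln/', apiServer);
  if (url.protocol !== 'https:') throw new Error('API server must use https');
  url.search = new URLSearchParams({ action: 'list', details: 'All', ...range }).toString();
  return url.toString();
}

// Minimum spacing between calls that keeps the feed under requestsPerMin.
function minDelayMs(requestsPerMin) {
  if (!Number.isInteger(requestsPerMin) || requestsPerMin < 1) {
    throw new RangeError('requestsPerMin must be a positive integer');
  }
  return Math.ceil(60000 / requestsPerMin);
}

function planKbRun({ apiServer, lastRunTime, today, before = today,
                     daysToBeIncremented, requestsPerMin, lastRunTimeOffset }) {
  const after = resolveStart({ lastRunTime, today, lastRunTimeOffset });
  const windows = buildWindows({ after, before, daysToBeIncremented });
  const delayMs = minDelayMs(requestsPerMin);
  return {
    urls: windows.map((range) => buildKbUrl(apiServer, range)),
    delayMs,
    // Lower bound on time spent purely on pacing between requests.
    minMinutes: ((windows.length - 1) * delayMs) / 60000,
  };
}

// Constructed sample: first run (empty LastRunTime), Standard subscription.
const firstRun = planKbRun({
  apiServer: 'https://qualysapi.example.invalid', // placeholder server name
  lastRunTime: '',
  today: '2025-07-15',
  daysToBeIncremented: 45,
  requestsPerMin: 5,
});
console.log(`${firstRun.urls.length} requests, >= ${firstRun.minMinutes} min of pacing`);
console.log(firstRun.urls[0]);
```

Comparing `minMinutes` plus expected download time against the Script Timeout and the Archer Services session timeout shows whether an initial load fits before it is scheduled.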

  1. Go to the Manage Data Feeds page with the following steps:

    1. From the menu bar, click the icon.

    2. Under Integration, click Data Feeds.

  2. In the Manage Data Feeds section, click Import.

  3. Locate and select the Archer 2025.04 Qualys VM Knowledge Base.dfx5 file.

  4. Click Open.

  5. In the General Information section, in the Status field, select Active.

  6. In the Additional Properties section, enable Optimize Calculations.

  7. Click the Transport tab.

  8. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the signed-QualysAPI_V1_0_8.js file and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  9. In the Custom Parameters section, enter key values.

  10. The following table describes the value to enter for each key in Custom Parameters.

    | Key | Value | Description |
    |---|---|---|
    | dataSource | kb | Must be 'kb' to pull knowledge base |
    | kbUrl | https://<Insert platform API Server>/api/2.0/fo/knowledge_base/vuln/?action=list&details=All&last_modified_after=<LastRunTime> | Note: For a complete list of supported parameters for this URL call and their explanations, see the Qualys API 2.0 Reference Guide (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf). For initial data loads, Archer recommends using parameters that chunk the data into consumable sizes to avoid memory constraint failures. LastRunTime is a token captured by Archer in the data feed execution. Logic: Use the LastRunTime token if a valid date is supplied and if requested in the kbURL. If the LastRunTime token is not supplied but requested in the kbURL, default LastRunTime = 1970-01-10. A lastRunTimeOffset of -1 is added to the LastRunTime date in the form of days. |
    | username | Requires valid value. Default = [empty] | Qualys user name |
    | password | Requires valid value. Default = [empty] | Qualys password |
    | requestsPerMin | Requires valid value. Default = 60 | Please follow the Qualys API Limits document (https://cdn2.qualys.com/docs/qualys-api-limits.pdf) for determining the API limits for your Qualys Service. Standard API Service: 300 calls per hour / 5 calls per minute. Enterprise API Service: 750 calls per hour / 12 calls per minute. Premium API Service: 2000 calls per hour / 33 calls per minute. Note: The API limit of the data feed by default has been set to 5. Please check your Qualys Service Level before setting the value. This field should not be left blank. |
    | last_modified_after | Optional. Default = Current Date - 10 years. Format = YYYY-MM-DD | This parameter has been set to <LastRunTime> by default. For the first run of the data feed, as the LastRunTime token is empty, this parameter will be set to Current Day - 10 years. For the subsequent data feed runs, the field will take the <LastRunTime> token and update the incremental data. |
    | last_modified_before | Optional. Default = Current Date. Format = YYYY-MM-DD | If blank, the parameter will be set to the current date. |
    | daysToBeIncremented | Requires valid value. Default = 50 | The default value for the Data Feed has been set to 45 days. Due to the high volume of data, the parameter can be decreased if required. |
    | lastRunTimeOffset | -1 | |

    Important: The keys and values are case-sensitive and cannot include extra spaces at the end of the strings.

    Note: The listed values are in place by default. They can be configured to suit your environment.

  11. The following additional parameters are valid options for the Custom Parameters section for the current JavaScript file.

    | Key | Value | Description |
    |---|---|---|
    | requestsPerMin | Default = 60 [Configurable value] | A parameter to allow clients to govern the number of API requests made by Archer to the external integration. Qualys Cloud Platform enforces limits on the API calls subscription users can make. The limits apply to the use of all APIs, except “session” API (session login/logout). |
    | socketLimit | Default = 10 [Configurable value of 1-25] | Indicates the maximum number of open socket channels to an endpoint to be used for TCP connections. |
    | maxRetry | Default = 1 [Configurable value of 0-2] | Indicates the number of times a retry will occur where an "ECONNRESET" error is encountered. If a retry is unsuccessful and the maxRetry is exceeded, the data feed will fail. |
    | proxy | Optional. Default = [empty] | |
    | verifyCerts | Default = False [Configurable value of True / False] | Validates the website address matches the address on the certificate, like browser level validation. |

  12. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  13. Click the Source Definition tab. Click the Tokens sub-tab, and verify token values.

    The following table describes token values to verify.

    | Token | Value |
    |---|---|
    | LastRunTime | (Populated by feed) |

    Note: For more information about tokens, see "Data Feed Tokens" in the Archer Online Documentation.

  14. Verify that key field values are not missing from the data feed setup window.

  15. Click Save.

Set up the Archer 2025.04 Qualys VM Hosts data feed

The integration leverages the API (/api/2.0/fo/asset/host/?action=list) to obtain a list of scanned hosts in the user’s account. The feed initiates the request to download the hosts by targeting the Qualys platform where your account is located, along with the ability to pass additional API parameters.

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Except for the parameters specified in this procedure, changes to the JavaScript file can only be achieved with a Professional Services engagement. For more information, contact your account representative.

Important: Archer implements a unique key based on DNS identification. However, environment configurations are unique across an organization’s infrastructure, so the unique key used to identify whether a Device already exists inside Archer is configurable for each client. Where clients have multiple scanners scanning the same set of devices or IP ranges, the unique key should be altered to a matching algorithm that identifies the device regardless of the source.

  1. Go to the Manage Data Feeds page with the following steps:

    1. From the menu bar, click the icon.

    2. Under Integration, click Data Feeds.

  2. In the Manage Data Feeds section, click Import.

  3. Locate and select the Archer 2025.04 Qualys VM Hosts.dfx5 file for the data feed.

  4. Click Open.

  5. In the General Information section, in the Status field, select Active.

  6. In the Additional Properties section, enable Optimize Calculations.

  7. Click the Transport tab.

  8. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the Signed-QualysAPI_V1_0_8.1.js file, and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  9. In the Custom Parameters section, enter key values.

  10. The following table describes the value to enter for each key in Custom Parameters.

    | Key | Value | Description |
    |---|---|---|
    | dataSource | hosts | Must be "hosts". |
    | hostsUrl | {URL}/api/2.0/fo/asset/host/?action=list&details=All&show_tags=1&show_trurisk=1 | Note: For a complete list of supported parameters for this URL call and their explanations, see the Qualys API 2.0 Reference Guide (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf). |
    | username | Requires valid value. Default = [empty] | Qualys username |
    | password | Requires valid value. Default = [empty] | Qualys password |

    Important: The keys and values are case-sensitive, and cannot include extra spaces at the end of the strings.

    Note: The listed values are in place by default. They can be configured to suit your environment.

  11. (Optional) The following additional parameters are valid options for the Custom Parameters section for the current JavaScript file.

    | Key | Value | Description |
    |---|---|---|
    | batchSize | Default = 500 (records at a time) [Configurable] | Truncation_limit is a supported parameter to specify a maximum number of host records to process in a single call. JavaScript makes incremental calls to pull the next batch of data. If the requested list identifies more host records than the truncation limit, then the XML output includes the element and the URL for making another request for the next batch of host records. |
    | requestsPerMin | Default = 60 [Configurable value] | A parameter to allow clients to govern the number of API requests made by Archer to the external integration. Qualys Cloud Platform enforces limits on the API calls subscription users can make. The limits apply to the use of all APIs, except “session” API (session login/logout). |
    | socketLimit | Default = 10 [Configurable value of 1-25] | Indicates the maximum number of open socket channels to an endpoint to be used for TCP connections. |
    | maxRetry | Default = 1 [Configurable value of 0-2] | Indicates the number of times a retry will occur where an "ECONNRESET" error is encountered. If a retry is unsuccessful and the maxRetry is exceeded, the data feed will fail. |
    | proxy | Optional. Default = [empty] | |
    | verifyCerts | Default = False [Configurable value of True / False] | Validates the website address matches the address on the certificate, similar to browser level validation. |

  12. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  13. Click the Source Definition tab.

    1. Click the Tokens sub-tab.

    2. Verify token values.

    The following table describes token values to verify.

    | Token | Value |
    |---|---|
    | LastRunTime | (Populated by feed) |

    Note: For more information about tokens, see "Data Feed Tokens" in the Archer Online Documentation.

  14. Verify that key field values are not missing from the data feed setup window.

  15. Click Save.

Set up the Archer 2025.04 Qualys VM Hosts Extracted From Detections data feed (optional - extracts certain OS fields)

The integration leverages the API (/api/2.0/fo/asset/host/vm/detection/) to obtain a list of hosts with each host's latest vulnerability data, based on the host-based scan data available in the user’s account. From this data, we specifically capture additional information regarding hosts identified as part of the vulnerability data extraction. The feed initiates the request to download the host detection data by targeting the Qualys platform where your account is located, along with the ability to pass additional API parameters.

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Except for the parameters specified in this procedure, changes to the JavaScript file can only be achieved with a Professional Services engagement. For more information, contact your account representative.

Important: Archer implements a unique key based on DNS identification. However, environment configurations are unique across an organization’s infrastructure, so the unique key used to identify whether a Device already exists inside Archer is configurable for each client. Where clients have multiple scanners scanning the same set of devices or IP ranges, the unique key should be altered to a matching algorithm that identifies the device regardless of the source.

  1. Go to the Manage Data Feeds page with the following steps:

    1. From the menu bar, click the icon.

    2. Under Integration, click Data Feeds.

  2. In the Manage Data Feeds section, click Import.

  3. Locate and select the Archer 2025.04 Qualys VM Hosts Extracted From Detections.dfx5 file for the data feed.

  4. Click Open.

  5. In the General Information section, in the Status field, select Active.

  6. In the Additional Properties section, enable Optimize Calculations.

  7. Click the Transport tab.

  8. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the Signed-QualysAPI_V1_0_8.1.js file and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  9. In the Custom Parameters section, enter key values.

  10. The following table describes the value to enter for each key in Custom Parameters.

    | Key | Value | Description |
    |---|---|---|
    | dataSource | hostDetections | Must be "hostDetections". |
    | detectionUrl | {URL}/api/2.0/fo/asset/host/vm/detection/?action=list&detection_updated_since=<LastRunTime>&show_tags=1 | Note: For a complete list of supported parameters for this URL call and their explanations, see the Qualys API 2.0 Reference Guide (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf). If the status parameter is not passed to the API, by default, the output only contains detections with a status of New, Active, or Re-Opened. LastRunTime is a token captured by Archer in the data feed execution. Logic: Use the LastRunTime token if a valid date is supplied and if requested in the detectionURL. If the LastRunTime token is not supplied but requested in the detectionURL, default LastRunTime = 1970-01-10, in specified batches. A lastRunTimeOffset of -1 is added to the LastRunTime date in the form of days. |
    | username | Requires valid value. Default = [empty] | Qualys username |
    | password | Requires valid value. Default = [empty] | Qualys password |

    Important: The keys and values are case-sensitive, and cannot include extra spaces at the end of the strings.

    Note: The listed values are in place by default. They can be configured to suit your environment.

  11. (Optional) The following additional parameters are valid options for the Custom Parameters section for the current JavaScript file. 

  12. Key 

    Value 

    Description 

    batchSize

    Default = 500 (records at a time)

    [Configurable] 

    Truncation_limit is a supported parameter to specify a maximum number of hosts records to process in a single call. JavaScript makes incremental calls to pull the next batch of data. If the requested list identifies more host records than the truncation limit, then the XML output includes the element and the URL for making another request for the next batch of host records.

    requestsPerMin

    Default = 60

    [Configurable value]  

    A parameter to allow clients to govern the number of API requests made by Archer to the external integration.

    Qualys Cloud Platform enforces limits on the API calls subscription users can make. The

    limits apply to the use of all APIs, except “session” API (session login/logout).

    socketLimit

    Default = 10

    [Configurable value of 1-25]      

    Indicates the maximum number of open socket channels to an endpoint to be used for TCP connections.

    maxRetry

    Default = 1

    [Configurable value of 0-2] 

    Indicates the number of times a retry will occur where an "ECONNRESET" error is encountered. If a retry is unsuccessful and the maxRetry is exceeded, the data feed will fail.

    proxy 

    Optional

    Default = [empty]  

     

    verifyCerts 

    Default = False 

    [Configurable value of True / False] 

    Validates the website address matches the address on the certificate, similar to browser level validation.

  13. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  14. Click the Source Definition tab.

    1. Click the Tokens sub-tab.

    2. Verify token values.

    The following table describes token values to verify.

  15. Token | Value

    LastRunTime | (Populated by feed)

    Note: For more information about tokens, see "Data Feed Tokens" in the Archer Help.

  16. Verify that key field values are not missing from the data feed setup window.

  17. Click Save.

Set up the Archer 2025.04 Qualys VM Hosts Extracted From Detections - Fixed Detections Only data feed (optional)

This feed works the same as the Qualys VM Hosts Extracted From Detections feed, but it only queries hosts that have a fixed vulnerability for the time frame requested.

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Except for the parameters specified in this procedure, changes to the JavaScript file can only be achieved with a Professional Services engagement. For more information, contact your account representative.

Important: By default, Archer uses DNS identification as the unique key. However, environment configurations are unique across an organization’s infrastructure, so the unique key that determines whether a Device already exists in Archer is configurable for each client. Where clients have multiple scanners scanning the same set of devices or IP ranges, the unique key should be altered to a matching algorithm that identifies the device, regardless of the source.

  1. Go to the Manage Data Feeds page with the following steps:

    1. From the menu bar, click the icon.

    2. Under Integration, click Data Feeds.

  2. In the Manage Data Feeds section, click Import.

  3. Locate and select the Archer 2025.04 Qualys VM Hosts Extracted From Detections.dfx5 file for the data feed.

  4. Click Open.

  5. In the General Information section, in the Status field, select Active.

  6. In the Additional Properties section, enable Optimize Calculations.

  7. Click the Transport tab.

  8. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the Signed-QualysAPI_V1_0_8.1.js file and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  9. In the Custom Parameters section, enter key values.

  10. The following table describes the value to enter for each key in Custom Parameters.

    Key | Value | Description

    dataSource | hostDetections |

    detectionUrl | {URL}/api/2.0/fo/asset/host/vm/detection/?action=list&detection_updated_since=<LastRunTime>&show_tags=1 | Note: For a complete list of supported parameters for this URL call and their explanations, see the Qualys API 2.0 Reference Guide (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf).

    If the status parameter is not passed to the API, by default, the output only contains detections with New, Active, or Re-Opened.

    LastRunTime is a token captured by Archer during the data feed execution.
    Logic:

    • Use LastRunTime token if valid date supplied, and if requested in the detectionURL.

    • If the LastRunTime token is not supplied but requested in the detectionURL, default LastRunTime = 1970-01-10, in specified batches.

    • A lastRunTimeOffset of -1 is added to the LastRunTime date in the form of days.

    username | Requires valid value. Default = [empty] |

    password | Requires valid value. Default = [empty] |

    Important: The keys and values are case-sensitive, and cannot include extra spaces at the end of the strings.

    Note: The listed values are in place by default. They can be configured to suit your environment.

  11. (Optional) The following additional parameters are valid options for the Custom Parameters section for the current JavaScript file. 

  12. Key | Value | Description

    batchSize | Default = 500 (records at a time) [Configurable] | Truncation_limit is a supported parameter that specifies the maximum number of host records to process in a single call. The JavaScript makes incremental calls to pull the next batch of data. If the requested list identifies more host records than the truncation limit, then the XML output includes the element and the URL for making another request for the next batch of host records.

    requestsPerMin | Default = 60 [Configurable value] | A parameter to allow clients to govern the number of API requests made by Archer to the external integration. Qualys Cloud Platform enforces limits on the API calls subscription users can make. The limits apply to the use of all APIs, except “session” API (session login/logout).

    socketLimit | Default = 10 [Configurable value of 1-25] | Indicates the maximum number of open socket channels to an endpoint to be used for TCP connections.

    maxRetry | Default = 1 [Configurable value of 0-2] | Indicates the number of times a retry will occur where an "ECONNRESET" error is encountered. If a retry is unsuccessful and the maxRetry is exceeded, the data feed will fail.

    proxy | Optional. Default = [empty] |

    verifyCerts | Default = False [Configurable value of True / False] | Validates that the website address matches the address on the certificate, similar to browser-level validation.

  13. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  14. Click the Source Definition tab.

    1. Click the Tokens sub-tab.

    2. Verify token values.

    The following table describes token values to verify.

  15. Token | Value

    LastRunTime | (Populated by feed)

    Note: For more information about tokens, see "Data Feed Tokens" in the Archer Help.

  16. Verify that key field values are not missing from the data feed setup window.

  17. Click Save.
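
A pre-flight check for the Custom Parameters described in this procedure, as an added example that is not part of the Archer offering or the signed JavaScript file. It applies the rules stated above (case-sensitive keys, no trailing spaces, the documented socketLimit and maxRetry ranges, Protected for the password) and flags verifyCerts = False, because that default leaves certificate name validation off; the function name, the findings format, the host name, and the lower bounds for batchSize and requestsPerMin are assumptions.

```javascript
// Added example: pre-flight lint for a data feed's Custom Parameters (not Archer code).
const KNOWN_KEYS = ['dataSource', 'detectionUrl', 'username', 'password', 'batchSize',
  'requestsPerMin', 'socketLimit', 'maxRetry', 'proxy', 'verifyCerts'];
// Documented ranges; the lower bound of 1 and the open upper bounds are assumptions.
const INT_RANGES = { batchSize: [1, Infinity], requestsPerMin: [1, Infinity],
  socketLimit: [1, 25], maxRetry: [0, 2] };
const DETECTION_PATH = '/api/2.0/fo/asset/host/vm/detection/';

function lintCustomParameters(params, protectedKeys = []) {
  const findings = [];
  const add = (level, key, msg) => findings.push({ level, key, msg });

  for (const [rawKey, rawValue] of Object.entries(params)) {
    const key = rawKey.trimEnd();
    const value = String(rawValue);
    // Keys and values are case-sensitive and must not end in spaces.
    if (rawKey !== key || value !== value.trimEnd()) {
      add('error', key, 'trailing whitespace in key or value');
    }
    if (!KNOWN_KEYS.includes(key)) {
      const near = KNOWN_KEYS.find((k) => k.toLowerCase() === key.toLowerCase());
      add('error', key, near ? `wrong case, expected "${near}"` : 'unknown key');
      continue;
    }
    const text = value.trim();
    if (key in INT_RANGES) {
      const [min, max] = INT_RANGES[key];
      if (!/^\d+$/.test(text) || Number(text) < min || Number(text) > max) {
        add('error', key, `expected a whole number between ${min} and ${max}`);
      }
    }
    if (key === 'verifyCerts') {
      if (text !== 'True' && text !== 'False') add('error', key, 'expected True or False');
      else if (text === 'False') add('warn', key, 'certificate name validation is off');
    }
    if (key === 'detectionUrl') {
      const [base, query = ''] = text.split('?');
      if (!base.endsWith(DETECTION_PATH)) add('error', key, `path must end with ${DETECTION_PATH}`);
      if (!query.split('&').includes('action=list')) add('error', key, 'query lacks action=list');
    }
  }
  for (const required of ['username', 'password']) {
    if (!String(params[required] ?? '').trim()) add('error', required, 'requires a valid value');
  }
  // Protected encrypts the value in the log, so the password should not be Plain Text.
  if (!protectedKeys.includes('password')) add('warn', 'password', 'set to Protected');
  return findings;
}

// Constructed sample with deliberate mistakes; host name and credentials are placeholders.
const sampleParams = {
  dataSource: 'hostDetections',
  detectionUrl: 'https://qualysapi.example.test/api/2.0/fo/assset/host/vm/detection/' +
    '?list&detection_updated_since=<LastRunTime>&show_tags=1',
  username: 'feed_account',
  password: 'placeholder-secret',
  socketLimit: '40',
  'maxRetry ': '1',
  VerifyCerts: 'True',
  verifyCerts: 'False',
};

for (const f of lintCustomParameters(sampleParams, [])) {
  console.log(`${f.level.toUpperCase()} ${f.key}: ${f.msg}`);
}
```
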

Set up the Archer 2025.04 Qualys VM Detections data feed

The integration leverages the API (/api/2.0/fo/asset/host/vm/detection/), which provides a list of hosts with each host's latest vulnerability data, based on the host-based scan data available in the user’s account. Vulnerability detection data includes the latest complete vulnerability status for the hosts (New, Active, Re-Opened) and the history information. The feed initiates the request to download the host detection data by targeting the Qualys platform where your account is located, along with the ability to pass additional API parameters.

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Except for the parameters specified in this procedure, changes to the JavaScript file can only be achieved with a Professional Services engagement. For more information, contact your account representative.

For detections, Archer uses a unique key to associate the detection with a host and a vulnerability definition. However, environment configurations are unique across an organization’s infrastructure, so the unique keys, such as the one that determines whether a device already exists in your Archer environment, are configurable for each client. Where clients have multiple scanners scanning the same set of devices or IP ranges, the unique key should be altered to a matching algorithm that identifies the device, regardless of the source.

Unique key default values are as follows:

Identification of an object | Logic (configurable)

Detection | If DNS exists, concatenate DNS + QID + Port + Protocol. If DNS does not exist, concatenate the Host ID + QID + Port + Protocol + First Found.

Device (Link Only) | If a Qualys Host ID exists, create a match from the detection to the device. Otherwise, use the DNS as the match on an active Device. Assumption: Qualys Host ID is only captured on a device record after initial host ingestion. When defining the host infrastructure, we do not assume Qualys Host ID is a unique identifier by itself.

Vulnerability Library definition (Link Only) | If a QID exists, create a match from the detection to the vulnerability definition.
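
The default unique-key and link rules above, worked through on constructed records as an added example (not Archer code and not taken from the data feed files). The field names, the `|` delimiter, the sample hosts and the QID values are assumptions; the delimiter is there because plain concatenation would let QID 123 with port 45 collide with QID 1234 with port 5.

```javascript
// Added example: the default unique-key rules applied to constructed records (not Archer code).
// Field names (dns, hostId, qid, port, protocol, firstFound, qualysHostId, active) are hypothetical.
const SEP = '|'; // assumption: a delimiter, so QID 123 + port 45 cannot equal QID 1234 + port 5

function detectionKey(d) {
  const port = d.port ?? '';         // some detections carry no port or protocol
  const protocol = d.protocol ?? '';
  if (d.dns) return [d.dns, d.qid, port, protocol].join(SEP);
  return [d.hostId, d.qid, port, protocol, d.firstFound].join(SEP);
}

function linkDevice(d, devices) {
  // Host ID first; it exists on a device record only after initial host ingestion.
  const byHostId = devices.find((dev) => dev.qualysHostId && dev.qualysHostId === d.hostId);
  if (byHostId) return byHostId;
  // Otherwise match on DNS, and only against an active device.
  return devices.find((dev) => dev.active && Boolean(d.dns) && dev.dns === d.dns) ?? null;
}

function linkVulnerability(d, library) {
  return d.qid && library.has(d.qid) ? d.qid : null; // link only
}

function upsert(store, batch, devices, library) {
  for (const d of batch) {
    const device = linkDevice(d, devices);
    store.set(detectionKey(d), {
      status: d.status, deviceId: device ? device.id : null, qid: linkVulnerability(d, library),
    });
  }
  return store;
}

// Constructed sample data.
const devices = [
  { id: 'DEV-1', dns: 'web01.example.test', qualysHostId: null, active: true },
  { id: 'DEV-2', dns: 'old01.example.test', qualysHostId: null, active: false },
  { id: 'DEV-3', dns: null, qualysHostId: '7001', active: true },
];
const library = new Set(['11111', '22222']);
const firstRun = [
  { dns: 'web01.example.test', hostId: '7000', qid: '11111', port: '443', protocol: 'tcp',
    firstFound: '2025-06-01T02:00:00Z', status: 'New' },
  { dns: null, hostId: '7001', qid: '22222', firstFound: '2025-06-02T02:00:00Z', status: 'New' },
  { dns: 'old01.example.test', hostId: '7002', qid: '11111', port: '443', protocol: 'tcp',
    firstFound: '2025-06-03T02:00:00Z', status: 'New' },
];
// The next run reaches back one day (lastRunTimeOffset of -1), so the first record
// can arrive again with a new status and must update the stored one, not duplicate it.
const secondRun = [{ ...firstRun[0], status: 'Active' }];

function runBothFeeds() {
  const store = upsert(new Map(), firstRun, devices, library);
  return upsert(store, secondRun, devices, library);
}
console.log([...runBothFeeds().entries()]);
```

The third record stays unlinked because its only candidate device is inactive and has no Qualys Host ID yet, which is the case to watch for when detections are loaded before hosts.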

  1. Go to the Manage Data Feeds page with the following steps:

    1. From the menu bar, click the icon.

    2. Under Integration, click Data Feeds.

  2. In the Manage Data Feeds section, click Import.

  3. Locate and select the Archer 2025.04 Qualys VM Detections.dfx5 file for the data feed.

  4. Click Open.

  5. In the General Information section, in the Status field, select Active.

  6. In the Additional Properties section, enable Optimize Calculations.

  7. Click the Transport tab.

  8. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the Signed-QualysAPI_V1_0_8.1.js file and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  9. In the Custom Parameters section, enter key values.

  10. The following table describes the value to enter for each key in Custom Parameters.

    Key | Value | Description

    dataSource | detections | Must be "detections".

    detectionUrl | {URL}/api/2.0/fo/asset/host/vm/detection/?action=list&detection_updated_since=<LastRunTime>&show_tags=1 | Note: For a complete list of supported parameters for this URL call and their explanations, see the Qualys API 2.0 Reference Guide (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf).

    If the status parameter is not passed to the API, by default, the output only contains detections with New, Active, or Re-Opened.

    LastRunTime is a token captured by Archer during the data feed execution.
    Logic:

    • Use LastRunTime token if valid date supplied, and if requested in the detectionURL.

    • If the LastRunTime token is not supplied but requested in the detectionURL, default LastRunTime = 1970-01-10, in specified batches.

    A lastRunTimeOffset of -1 is added to the LastRunTime date in the form of days.

    username | Requires valid value. Default = [empty] | Qualys username

    password | Requires valid value. Default = [empty] | Qualys password

    Important: The keys and values are case-sensitive and cannot include extra spaces at the end of the strings.

    Note: The listed values are in place by default. They can be configured to suit your environment.

  11. (Optional) The following additional parameters are valid options for the Custom Parameters section for the current JavaScript file. 

  12. Key | Value | Description

    batchSize | Default = 500 (records at a time) [Configurable] | Truncation_limit is a supported parameter that specifies the maximum number of host records to process in a single call. The JavaScript makes incremental calls to pull the next batch of data. If the requested list identifies more host records than the truncation limit, then the XML output includes the element and the URL for making another request for the next batch of host records.

    requestsPerMin | Default = 60 [Configurable value] | A parameter to allow clients to govern the number of API requests made by Archer to the external integration. Qualys Cloud Platform enforces limits on the API calls subscription users can make. The limits apply to the use of all APIs, except “session” API (session login/logout).

    socketLimit | Default = 10 [Configurable value of 1-25] | Indicates the maximum number of open socket channels to an endpoint to be used for TCP connections.

    maxRetry | Default = 1 [Configurable value of 0-2] | Indicates the number of times a retry will occur where an "ECONNRESET" error is encountered. If a retry is unsuccessful and the maxRetry is exceeded, the data feed will fail.

    proxy | Optional. Default = [empty] |

    verifyCerts | Default = False [Configurable value of True / False] | Validates that the website address matches the address on the certificate, similar to browser-level validation.

  13. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  14. Click the Source Definition tab.

    1. Click the Tokens sub-tab.

    2. Verify token values.

    The following table describes token values to verify.

  15. Token | Value

    LastRunTime | (Populated by feed)

    CrossReferencesMode | LinkOnly

    RelatedReferencesMode | LinkOnly

    Note: For more information about tokens, see "Data Feed Tokens" in the Archer Help.

  16. Verify that key field values are not missing from the data feed setup window.

  17. Click Save.

Set up the Archer 2025.04 Qualys VM Detections - Fixed Detections Only data feed

The integration leverages the API (/api/2.0/fo/asset/host/vm/detection/), which provides a list of hosts with each host's latest vulnerability data, based on the host-based scan data available in the user’s account. Vulnerability detection data includes the latest complete vulnerability status for the hosts (Fixed) and the history information. The feed initiates the request to download the host detection data by targeting the Qualys platform where your account is located, along with the ability to pass additional API parameters.

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Except for the parameters specified in this procedure, changes to the JavaScript file can only be achieved with a Professional Services engagement. For more information, contact your account representative.

For detections, Archer uses a unique key to associate the detection with a host and a vulnerability definition. However, environment configurations are unique across an organization’s infrastructure, so the unique keys, such as the one that determines whether a device already exists in your Archer environment, are configurable for each client. Where clients have multiple scanners scanning the same set of devices or IP ranges, the unique key should be altered to a matching algorithm that identifies the device, regardless of the source.

Unique key default values are as follows:

Identification of an object | Logic (configurable)

Detection | If DNS exists, concatenate DNS + QID + Port + Protocol. If DNS does not exist, concatenate the Host ID + QID + Port + Protocol + First Found.

Device (Link Only) | If a Qualys Host ID exists, create a match from the detection to the device. Otherwise, use the DNS as the match on an active Device. Assumption: Qualys Host ID is only captured on a device record after initial host ingestion. When defining the host infrastructure, we do not assume Qualys Host ID is a unique identifier by itself.

Vulnerability Library definition (Link Only) | If a QID exists, create a match from the detection to the vulnerability definition.

  1. Go to the Manage Data Feeds page with the following steps:

    1. From the menu bar, click the icon.

    2. Under Integration, click Data Feeds.

  2. In the Manage Data Feeds section, click Import.

  3. Locate and select the Archer 2025.04 Qualys VM Detections.dfx5 file for the data feed.

  4. Click Open.

  5. In the General Information section, in the Status field, select Active.

  6. In the Additional Properties section, enable Optimize Calculations.

  7. Click the Transport tab.

  8. In the Transport Configuration section, complete the following:

    1. Click Upload.

    2. From the Upload JavaScript File dialog, click Add New.

    3. Locate and select the Signed-QualysAPI_V1_0_8.1.js file and click Open.

    4. From the Upload JavaScript File dialog, click OK.

  9. In the Custom Parameters section, enter key values.

  10. The following table describes the value to enter for each key in Custom Parameters.

    Key | Value | Description

    dataSource | detections | Must be "detections".

    detectionUrl | {URL}/api/2.0/fo/asset/host/vm/detection/?action=list&status=Fixed&detection_updated_since=<LastRunTime>&show_tags=1 | Note: For a complete list of supported parameters for this URL call and their explanations, see the Qualys API 2.0 Reference Guide (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf).

    If the status parameter is not passed to the API, by default, the output only contains detections with New, Active, or Re-Opened.

    LastRunTime is a token captured by Archer during the data feed execution.
    Logic:

    • Use LastRunTime token if valid date supplied, and if requested in the detectionURL.

    • If the LastRunTime token is not supplied but requested in the detectionURL, default LastRunTime = 1970-01-10, in specified batches.

    A lastRunTimeOffset of -1 is added to the LastRunTime date in the form of days.

    username | Requires valid value. Default = [empty] | Qualys username

    password | Requires valid value. Default = [empty] | Qualys password

    Important: The keys and values are case-sensitive and cannot include extra spaces at the end of the strings.

    Note: The listed values are in place by default. They can be configured to suit your environment.

  11. (Optional) The following additional parameters are valid options for the Custom Parameters section for the current JavaScript file. 

  12. Key | Value | Description

    batchSize | Default = 500 (records at a time) [Configurable] | Truncation_limit is a supported parameter that specifies the maximum number of host records to process in a single call. The JavaScript makes incremental calls to pull the next batch of data. If the requested list identifies more host records than the truncation limit, then the XML output includes the element and the URL for making another request for the next batch of host records.

    requestsPerMin | Default = 60 [Configurable value] | A parameter to allow clients to govern the number of API requests made by Archer to the external integration. Qualys Cloud Platform enforces limits on the API calls subscription users can make. The limits apply to the use of all APIs, except “session” API (session login/logout).

    socketLimit | Default = 10 [Configurable value of 1-25] | Indicates the maximum number of open socket channels to an endpoint to be used for TCP connections.

    maxRetry | Default = 1 [Configurable value of 0-2] | Indicates the number of times a retry will occur where an "ECONNRESET" error is encountered. If a retry is unsuccessful and the maxRetry is exceeded, the data feed will fail.

    proxy | Optional. Default = [empty] |

    verifyCerts | Default = False [Configurable value of True / False] | Validates that the website address matches the address on the certificate, similar to browser-level validation.

  13. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.

  14. Click the Source Definition tab.

    1. Click the Tokens sub-tab.

    2. Verify token values.

    The following table describes token values to verify.

  15. Token | Value

    LastRunTime | (Populated by feed)

    CrossReferencesMode | LinkOnly

    RelatedReferencesMode | LinkOnly

    Note: For more information about tokens, see "Data Feed Tokens" in the Archer Help.

  16. Verify that key field values are not missing from the data feed setup window.

  17. Click Save.

Schedule the data feeds

Important: A data feed must be active and valid to successfully run.

As you schedule your data feed, the Data Feed Manager validates the information. If any information is invalid, an error message displays. You can save the data feed and correct the errors later, but the data feed does not process until you make corrections.

Note: All IT Security Vulnerabilities Program data feeds are set to run daily by default.

  1. From the menu bar, click the icon.

  2. Go to the Schedule tab of the data feed that you want to modify.

    1. From the menu bar, click the icon.

    2. Under Integration, click Data Feeds.

    3. Select the data feed.

    4. Click the Schedule tab.

  3. Go to the Recurrences section and complete frequency, start and stop times, and time zone.

  4. The following table describes the fields in the Recurrences section.

    Field | Description

    Frequency | Specifies the interval at which the data feed runs, for example, Minutely, Hourly, Daily, Weekly, Monthly, or Reference.

    • Minutely. Runs the data feed by the interval set. For example, if you specify 45 in the Every list, the data feed executes every 45 minutes.

    • Hourly. Runs the data feed by the interval set, for example, every hour (1), every other hour (2), and so forth.

    • Daily. Runs the data feed by the interval set, for example, every day (1), every other day (2), and so forth.

    • Weekly. Runs the data feed based on a specified day of the week, for example, every Monday of the first week (1), every other Monday (2), and so forth.

    • Monthly. Runs the data feed based on a specified week of the month, for example, 1st, 2nd, 3rd, 4th, or Last.

    • Reference. Runs the current data feed after a specified data feed. This option indicates to the Data Feed Service that this data feed starts as soon as the referenced data feed completes successfully. For example, you can select to have a Threats data feed run immediately after your Assets data feed finishes. From the Reference Feed list, select the existing data feed after which the current data feed starts.

    A reference data feed will not run when immediately running a data feed. The Run Data Feed Now option only runs the current data feed.

    Every | Specifies the interval of the frequency in which the data feed runs.

    Start Time | Specifies the time the data feed starts running.

    Start Date | Specifies the date on which the data feed schedule begins.

    Time Zone | Specifies the time zone of the server that runs the data feed.

  5. (Optional) To override the data feed schedule and immediately run your data feed, in the Run Data Feed Now section, click Start.

  6. Click Save.

Certification environment

Date Tested: July 2025

Product Name | Version Information | Operating System

Archer | 2025.04 | Virtual Appliance

Qualys Vulnerability Management (VM) | NA | NA