What Changed
The Qualys VM Knowledge Base solution (v4.0.0) now includes a CCF-based Data Connector alongside the existing legacy connector infrastructure. The new connector provides automated ingestion of Qualys vulnerability database entries via the Qualys API v2.0.
Data Source
External System: Qualys Vulnerability Management API v2.0
Log Types: Knowledge Base vulnerability records (QIDs, CVEs, vendor advisories, patch status)
Event Categories: Vulnerability discovery records, software vendor advisories, patch availability data
Ingestion Mechanism
Type: CCF/DCR-based with REST API polling
Destination Table: QualysKnowledgeBase (new Microsoft-managed stream)
API Endpoint: /api/2.0/fo/knowledge_base/vuln/ with configurable filters
Polling Frequency: 10-minute query window with 10-hour delay
Parser Impact
The updated parser (v1.1.0) now supports both the legacy (QualysKB_CL) and CCF (QualysKnowledgeBase) streams through a union query. Key improvements:
- Fixed field name inconsistencies (Consquence → Consequence, Title → VulnTitle)
- Standardized timestamp field references (removed trailing spaces)
- Added SeverityLevel and PublishedDatetime field normalization
- Enhanced compatibility for cross-source queries
Data Fidelity Impact: Queries that referenced the corrected field names against the legacy parser previously returned inconsistent results because of the typos. This is a data quality improvement for mixed-source environments.
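One way to find saved hunting or analytics queries that still use the pre-fix column names, as an added example that is not part of this change set. It assumes the parser function is invoked as QualysKB (taken from the parser file name) and that saved queries should move to the corrected names; the function names and the sample queries are constructed for illustration.

```python
import re

# Renames listed in the change summary (old parser column -> corrected column).
RENAMES = {"Consquence": "Consequence", "Title": "VulnTitle"}

# A query is in scope if it reads Qualys KB data: either table named in the
# summary, or the parser function (assumed to be called QualysKB).
QUALYS_SOURCE = re.compile(r"\bQualys(?:KB|KB_CL|KnowledgeBase)\b")

# KQL line comments and quoted string literals, which must not trigger findings.
_NOISE = re.compile(r"""//[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""")


def strip_noise(kql: str) -> str:
    """Blank out comments and string literals, keeping line numbers intact."""
    return _NOISE.sub(lambda m: " " * len(m.group()), kql)


def find_stale_fields(kql: str) -> list[tuple[int, str, str]]:
    """Return (line_number, old_name, corrected_name) for each stale reference."""
    code = strip_noise(kql)
    if not QUALYS_SOURCE.search(code):
        return []  # query does not touch Qualys KB data
    findings = []
    for lineno, line in enumerate(code.splitlines(), start=1):
        for old, new in RENAMES.items():
            # \b keeps "Title" from matching inside "VulnTitle".
            if re.search(rf"\b{old}\b", line):
                findings.append((lineno, old, new))
    return findings


# Constructed sample queries (not taken from the solution).
SAMPLE_QUERIES = {
    "stale_hunt": 'QualysKB\n| where Consquence has "remote code"  // impact\n| project Title',
    "migrated_hunt": "QualysKB\n| where SeverityLevel >= 4\n| project VulnTitle, Consequence",
    "literal_only": 'QualysKnowledgeBase\n| where VulnTitle has "Title"',
    "unrelated": "OtherTable\n| project Title",
}

if __name__ == "__main__":
    for name, query in SAMPLE_QUERIES.items():
        for lineno, old, new in find_stale_fields(query):
            print(f"{name}: line {lineno}: replace {old} with {new}")
```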
Detection Surface Unlocked
The connector exposes Qualys vulnerability intelligence for threat hunting and asset risk assessment:
- CVE Cross-Reference: Links vulnerability IDs to CVE numbers and vendor advisories
- Patch Status Tracking: Identifies patchable vs. unpatchable vulnerabilities
- Discovery Method Context: Remote vs. authenticated vulnerability detection metadata
- Vendor Intelligence: Software vendor and product categorization for supply chain analysis
Affected Files
Solutions/Qualys VM Knowledgebase/Data Connectors/QualysKB_ccf/QualysKB_ConnectorDefinition.json
Solutions/Qualys VM Knowledgebase/Data Connectors/QualysKB_ccf/QualysKB_DCR.json
Solutions/Qualys VM Knowledgebase/Data Connectors/QualysKB_ccf/QualysKB_PollingConfig.json
Solutions/Qualys VM Knowledgebase/Package/testParameters.json
Solutions/Qualys VM Knowledgebase/Parsers/QualysKB.yaml
Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
(packaging artefacts: 4.0.0.zip, ReleaseNotes.md, Solution_QualysKBtemplateSpec.json, createUiDefinition.json, mainTemplate.json)