What Changed

The QualysVM CCF connector (v3.0.9 to v3.0.10) received targeted fixes to eliminate a production ingestion failure caused by API timeouts against the heavy /api/5.0/fo/asset/host/vm/detection/ endpoint.

Security Impact (Visibility & Fidelity)

Deployments running v3.0.9 or earlier experienced complete ingestion failures for Qualys host detection data in large environments. timeoutInSeconds was set to 20 seconds – far too short for large Qualys tenants returning multi-megabyte XML payloads. Each API call timed out before completing, so no vulnerability detection records populated QualysHostDetectionV3_CL. Any Analytic Rules or Hunting Queries built on this table were running against a stale or empty dataset.

Per the PR discussion and linked IcM (Incident 51000001019511), customers were unable to connect the connector at all because the connectivity validation ran against the same heavy endpoint and timed out before returning a success state.

Changes that restore visibility:

  • timeoutInSeconds: 20 to 300 (platform-enforced maximum; cannot be raised further)
  • queryWindowInMin: now capped at 10 minutes to limit per-call response size
  • retryCount: 3 to 1 – reduced because Qualys enforces a concurrency limit; overlapping retries return HTTP 409 and compound the problem rather than recovering from it
  • pagingType: LinkHeader to PersistentLinkHeader – ensures pagination state survives across the constrained query windows
  • paginatedCallsPerSecond: 1.0 added to rate-limit paginated follow-up calls

Connectivity check added:

A checkConnectivityRequest block now uses the lightweight /msp/about.php endpoint (fast, low-overhead) for the Sentinel connector connectivity validation instead of the heavy detection endpoint. This decouples connector health-check success from the ability to handle full-scale data pulls.
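
The settings listed under "Changes that restore visibility" and the connectivity check can be verified against a deployed polling config. The following is an added example, not code from the connector or the PR: the setting names are those given above, while the JSON nesting, the apiEndpoint key and the qualys.example host are assumptions.

```python
import json

HEAVY_ENDPOINT = "/api/5.0/fo/asset/host/vm/detection/"

# key -> (check on the value, finding text); expected values are the v3.0.10 ones above
RULES = {
    "timeoutInSeconds": (lambda v: v == 300, "expected 300 (platform maximum)"),
    "queryWindowInMin": (lambda v: v <= 10, "expected at most 10 minutes"),
    "retryCount": (lambda v: v <= 1, "expected 1; overlapping retries return HTTP 409"),
    "pagingType": (lambda v: v == "PersistentLinkHeader", "expected PersistentLinkHeader"),
    "paginatedCallsPerSecond": (lambda v: v <= 1.0, "expected 1.0"),
}

def find_all(node, key):
    """Yield every value stored under `key` at any depth of the parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_all(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_all(item, key)

def audit(config):
    """Return sorted findings; an empty list means every setting matches."""
    findings = []
    for key, (check, message) in RULES.items():
        values = list(find_all(config, key))
        if not values:
            findings.append(f"{key}: missing")
        findings += [f"{key}={v!r}: {message}" for v in values if not check(v)]
    probes = list(find_all(config, "checkConnectivityRequest"))
    if not probes:
        findings.append("checkConnectivityRequest: missing")
    elif any(HEAVY_ENDPOINT in json.dumps(p) for p in probes):
        findings.append("checkConnectivityRequest: targets the heavy detection endpoint")
    return sorted(findings)

# Constructed samples: setting names come from the page; nesting, apiEndpoint and host are assumed.
HOST = "https://qualys.example"
OLD = {"request": {"apiEndpoint": HOST + HEAVY_ENDPOINT, "timeoutInSeconds": 20, "retryCount": 3},
       "paging": {"pagingType": "LinkHeader"}}
NEW = {"checkConnectivityRequest": {"apiEndpoint": HOST + "/msp/about.php"},
       "request": {"apiEndpoint": HOST + HEAVY_ENDPOINT, "timeoutInSeconds": 300,
                   "queryWindowInMin": 10, "retryCount": 1},
       "paging": {"pagingType": "PersistentLinkHeader", "paginatedCallsPerSecond": 1.0}}

if __name__ == "__main__":
    print("\n".join(audit(OLD)) or "OK")
```

Because the lookup is by key name at any depth, the same audit can be pointed at the JSON loaded from the deployed polling config without knowing its exact layout.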

UI clarification:

Truncation Limit option labels now communicate risk explicitly – e.g., 5000 is labelled “Not recommended (high risk of API timeout)” rather than “Maximum load, fastest collection”. The {{graphQueriesTableName}} tokens in graphQueries and dataTypes were replaced with the hardcoded table name QualysHostDetectionV3_CL.

Operational note: If your environment uses default or high truncation limits (2500/5000) and you are still seeing timeouts at 300s, lower the truncation limit to 500 or 1000 to reduce per-call response size. The 300s platform ceiling cannot be raised.

Affected Files

Solutions/QualysVM/Data Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_ConnectorDefinition.json
Solutions/QualysVM/Data Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_PollingConfig.json
(packaging artefacts: 3.0.10.zip, ReleaseNotes.md, Solution_QualysVM.json, mainTemplate.json)