[Qualys VMDR] Initial release for the Qualys VMDR

.github/CODEOWNERS

@@ -179,6 +179,7 @@
 /packages/proofpoint @elastic/security-external-integrations
 /packages/proofpoint_tap @elastic/security-external-integrations
 /packages/pulse_connect_secure @elastic/security-external-integrations
+/packages/qualys_vmdr @elastic/security-external-integrations
 /packages/qnap_nas @elastic/security-external-integrations
 /packages/rabbitmq @elastic/obs-infraobs-integrations
 /packages/radware @elastic/security-external-integrations

packages/qualys_vmdr/_dev/build/build.yml

@@ -0,0 +1,6 @@
+dependencies:
+  ecs:
+    # For now, we have put it as 8.8.0 because the elastic package check command will not run as the 8.9.0 has not released yet.
+    # will have to change it to 8.9.0 when the ecs 8.9.0 will be released.
+    reference: git@v8.8.0
+    import_mappings: true

packages/qualys_vmdr/_dev/build/docs/README.md

@@ -0,0 +1,99 @@
+# Qualys Vulnerability Management, Detection and Response (VMDR)
+
+This [Qualys VMDR](https://www.qualys.com/apps/vulnerability-management-detection-response/) integration is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.
+
+The Qualys VMDR integration uses REST API mode to collect data. Elastic Agent fetches data via API endpoints.
+
+## Compatibility
+
+This module has been tested against the latest Qualys VMDR version **v2**.
+
+## Data streams
+
+The Qualys VMDR integration collects logs for the following two events:
+
+| Event Type                    |
+|-------------------------------|
+| Asset Host Detection          |
+| Knowledge Base                |
+
+Reference for [Rest APIs](https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/api_doc/index.htm) of Qualys VMDR.
+
+## Requirements
+
+- Elastic Agent must be installed.
+- You can install only one Elastic Agent per host.
+- Elastic Agent is required to stream data through the REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+The minimum **kibana.version** required is **8.9.0**.
+
+## Setup
+
+### To collect data through REST API, follow the below steps:
+
+- Considering you already have a Qualys user account, to identify your Qualys platform and get the API URL, refer this [link](https://www.qualys.com/platform-identification/).
+- Alternative way to get the API URL is to log in to your Qualys account and go to Help > About. You’ll find your URL under Security Operations Center (SOC).
+
+### Enabling the integration in Elastic:
+
+1. In Kibana go to Management > Integrations
+2. In "Search for integrations" search bar, type Qualys VMDR
+3. Click on the "Qualys VMDR" integration from the search results.
+4. Click on the Add Qualys VMDR Integration button to add the integration.
+5. While adding the integration, if you want to collect Asset Host Detection logs via REST API, then you have to put the following details:
+   - username
+   - password
+   - url
+   - interval
+   - input parameters
+   - batch size
+
+   or if you want to collect Knowledge Base logs via REST API, then you have to put the following details:
+   - username
+   - password
+   - url
+   - initial interval
+   - interval
+   - input parameters
+
+**NOTE**: By default, the input parameter is set to "action=list".
+
+## Logs reference
+
+### Asset Host Detection
+
+This is the `Asset Host Detection` dataset.
+
+#### Example
+
+{{event "asset_host_detection"}}
+
+{{fields "asset_host_detection"}}
+
+### Knowledge Base
+
+This is the `Knowledge Base` dataset.
+
+#### Example
+
+{{event "knowledge_base"}}
+
+{{fields "knowledge_base"}}

packages/qualys_vmdr/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2.3'
+services:
+  qualys_vmdr:
+    image: docker.elastic.co/observability/stream:v0.10.0
+    hostname: qualys_vmdr
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config.yml

packages/qualys_vmdr/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,118 @@
+rules:
+  - path: /asset/host/vm/detection/
+    methods: ['GET']
+    responses:
+      - status_code: 200
+        body: |-
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!DOCTYPE HOST_LIST_VM_DETECTION_OUTPUT SYSTEM "https://qualysapi.qg1.apps.qualys.in/api/2.0/fo/asset/host/vm/detection/dtd/output.dtd">
+          <HOST_LIST_VM_DETECTION_OUTPUT>
+            <RESPONSE>
+              <DATETIME>2023-07-03T06:51:41Z</DATETIME>
+              <HOST_LIST>
+                <HOST>
+                  <ID>12048633</ID>
+                  <IP>10.50.2.111</IP>
+                  <TRACKING_METHOD>IP</TRACKING_METHOD>
+                  <OS>
+                    <![CDATA[Windows 2016/2019/10]]>
+                  </OS>
+                  <DNS>
+                    <![CDATA[adfssrvr.adfs.local]]>
+                  </DNS>
+                  <DNS_DATA>
+                    <HOSTNAME>
+                      <![CDATA[adfssrvr]]>
+                    </HOSTNAME>
+                    <DOMAIN>
+                      <![CDATA[adfs.local]]>
+                    </DOMAIN>
+                    <FQDN>
+                      <![CDATA[adfssrvr.adfs.local]]>
+                    </FQDN>
+                  </DNS_DATA>
+                  <NETBIOS>
+                    <![CDATA[ADFSSRVR]]>
+                  </NETBIOS>
+                  <LAST_SCAN_DATETIME>2023-07-03T06:25:17Z</LAST_SCAN_DATETIME>
+                  <LAST_VM_SCANNED_DATE>2023-07-03T06:23:47Z</LAST_VM_SCANNED_DATE>
+                  <LAST_VM_SCANNED_DURATION>1113</LAST_VM_SCANNED_DURATION>
+                  <LAST_PC_SCANNED_DATE>2023-06-28T09:58:12Z</LAST_PC_SCANNED_DATE>
+                  <DETECTION_LIST>
+                    <DETECTION>
+                      <QID>91681</QID>
+                      <TYPE>Confirmed</TYPE>
+                      <SEVERITY>5</SEVERITY>
+                      <SSL>0</SSL>
+                      <RESULTS>
+                        <![CDATA[Microsoft Windows Netlogon Elevation of Privilege Vulnerability detected after 208 attempts]]>
+                      </RESULTS>
+                      <STATUS>Active</STATUS>
+                      <FIRST_FOUND_DATETIME>2023-06-28T06:04:26Z</FIRST_FOUND_DATETIME>
+                      <LAST_FOUND_DATETIME>2023-07-03T06:23:47Z</LAST_FOUND_DATETIME>
+                      <TIMES_FOUND>11</TIMES_FOUND>
+                      <LAST_TEST_DATETIME>2023-07-03T06:23:47Z</LAST_TEST_DATETIME>
+                      <LAST_UPDATE_DATETIME>2023-07-03T06:25:17Z</LAST_UPDATE_DATETIME>
+                      <IS_IGNORED>0</IS_IGNORED>
+                      <IS_DISABLED>0</IS_DISABLED>
+                      <LAST_PROCESSED_DATETIME>2023-07-03T06:25:17Z</LAST_PROCESSED_DATETIME>
+                    </DETECTION>
+                  </DETECTION_LIST>
+                </HOST>
+              </HOST_LIST>
+            </RESPONSE>
+          </HOST_LIST_VM_DETECTION_OUTPUT>
+  - path: /knowledge_base/vuln/
+    methods: ['GET']
+    responses:
+      - status_code: 200
+        body: |-
+          <?xml version="1.0" encoding="UTF-8" ?>
+          <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg1.apps.qualys.in/api/2.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
+          <KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
+              <RESPONSE>
+                  <DATETIME>2023-07-06T15:02:16Z</DATETIME>
+                  <VULN_LIST>
+                      <VULN>
+                          <QID>11830</QID>
+                          <VULN_TYPE>Vulnerability</VULN_TYPE>
+                          <SEVERITY_LEVEL>2</SEVERITY_LEVEL>
+                          <TITLE>
+                              <![CDATA[HTTP Security Header Not Detected]]>
+                          </TITLE>
+                          <CATEGORY>CGI</CATEGORY>
+                          <LAST_SERVICE_MODIFICATION_DATETIME>2023-06-29T12:20:46Z</LAST_SERVICE_MODIFICATION_DATETIME>
+                          <PUBLISHED_DATETIME>2017-06-05T21:34:49Z</PUBLISHED_DATETIME>
+                          <PATCHABLE>0</PATCHABLE>
+                          <SOFTWARE_LIST>
+                              <SOFTWARE>
+                                  <PRODUCT>
+                                      <![CDATA[None]]>
+                                  </PRODUCT>
+                                  <VENDOR>
+                                      <![CDATA[multi-vendor]]>
+                                  </VENDOR>
+                              </SOFTWARE>
+                          </SOFTWARE_LIST>
+                          <DIAGNOSIS>
+                              <![CDATA[This QID reports the absence of the following]]>
+                          </DIAGNOSIS>
+                          <CONSEQUENCE>
+                              <![CDATA[Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.]]>
+                          </CONSEQUENCE>
+                          <SOLUTION>
+                              <![CDATA[<B>Note:</B> To better debug the results of this QID]]>
+                          </SOLUTION>
+                          <PCI_FLAG>1</PCI_FLAG>
+                          <THREAT_INTELLIGENCE>
+                              <THREAT_INTEL id="8">
+                                  <![CDATA[No_Patch]]>
+                              </THREAT_INTEL>
+                          </THREAT_INTELLIGENCE>
+                          <DISCOVERY>
+                              <REMOTE>1</REMOTE>
+                          </DISCOVERY>
+                      </VULN>
+                  </VULN_LIST>
+              </RESPONSE>
+          </KNOWLEDGE_BASE_VULN_LIST_OUTPUT>

packages/qualys_vmdr/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial Release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/6872