elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Qualys VMDR] qualys_vmdr.asset_host_detection.list.is_disabled does not Exist #9998

Closed NikoCosmico01 closed 3 hours ago

NikoCosmico01 commented 3 months ago

As the title says, the field qualys_vmdr.asset_host_detection.list.is_disabled (used in the default dashboard [Logs Qualys VMDR] Asset Host Detection) is not available in integration v3.0.0, causing a visualization error.

elasticmachine commented 3 months ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6 commented 3 months ago

@NikoCosmico01 Can you show what you see in the visualisation and provide a redacted document to compare with? If you can also provide a corresponding (redacted) XML document from the Qualys API that would be extremely helpful.

NikoCosmico01 commented 3 months ago

(two screenshots attached) However, I can see that many other fields are no longer supported; I suggest reproducing the issue and checking out the [Logs Qualys VMDR] Asset Host Detection dashboard. These fields are not even written in the Qualys integration documentation.

efd6 commented 3 months ago

The fields are defined in the DTD, which is the source of truth. We generate an XSD from that, and the fields that are expected to exist are taken from that set. The DTD says that IS_DISABLED does not have to exist:

<!ELEMENT DETECTION (UNIQUE_VULN_ID, QID, TYPE, SEVERITY?, PORT?, PROTOCOL?, FQDN?, SSL?, INSTANCE?, RESULT_INSTANCE?,
                     RESULTS?, STATUS?,
                     FIRST_FOUND_DATETIME?, LAST_FOUND_DATETIME?, SOURCE?, QDS?, QDS_FACTORS?, TIMES_FOUND?,
                     LAST_TEST_DATETIME?,
                     LAST_UPDATE_DATETIME?,
                     LAST_FIXED_DATETIME?,
                     FIRST_REOPENED_DATETIME?, LAST_REOPENED_DATETIME?, TIMES_REOPENED?,
                     SERVICE?, IS_IGNORED?, IS_DISABLED?, AFFECT_RUNNING_KERNEL?, AFFECT_RUNNING_SERVICE?, AFFECT_EXPLOITABLE_CONFIG?, LAST_PROCESSED_DATETIME?, ASSET_CVE?)>

so presumably in the documents that you are collecting from the API it doesn't.

Full Qualys doc for reference.
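To make the point in the comment above concrete, here is an added example (not code from the elastic/integrations repository or from Qualys) that reads the DETECTION content model quoted in the thread, works out which child elements the DTD marks optional with `?`, and then flattens a constructed Qualys-style host detection XML in the same field-per-element way an ingest mapping does. The enclosing HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST envelope, the host ID, the QIDs and the other values are all constructed for the example; the real integration maps fields in its ingest pipeline, which this script only imitates. The takeaway is that a document whose DETECTION omits IS_DISABLED is valid per the DTD, so a dashboard that depends on is_disabled being present will not see it on such documents.

```python
import re
import xml.etree.ElementTree as ET

# The DETECTION content model quoted in the thread (from the Qualys DTD).
DETECTION_DTD = """<!ELEMENT DETECTION (UNIQUE_VULN_ID, QID, TYPE, SEVERITY?, PORT?, PROTOCOL?, FQDN?, SSL?, INSTANCE?, RESULT_INSTANCE?,
                     RESULTS?, STATUS?,
                     FIRST_FOUND_DATETIME?, LAST_FOUND_DATETIME?, SOURCE?, QDS?, QDS_FACTORS?, TIMES_FOUND?,
                     LAST_TEST_DATETIME?,
                     LAST_UPDATE_DATETIME?,
                     LAST_FIXED_DATETIME?,
                     FIRST_REOPENED_DATETIME?, LAST_REOPENED_DATETIME?, TIMES_REOPENED?,
                     SERVICE?, IS_IGNORED?, IS_DISABLED?, AFFECT_RUNNING_KERNEL?, AFFECT_RUNNING_SERVICE?, AFFECT_EXPLOITABLE_CONFIG?, LAST_PROCESSED_DATETIME?, ASSET_CVE?)>"""

# Constructed sample document (envelope element names, IDs and values are assumed,
# not copied from a real Qualys API response). The second DETECTION omits
# IS_IGNORED and IS_DISABLED, which the DTD permits.
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <HOST_LIST>
      <HOST>
        <ID>1001</ID>
        <IP>10.0.0.5</IP>
        <DETECTION_LIST>
          <DETECTION>
            <UNIQUE_VULN_ID>900001</UNIQUE_VULN_ID>
            <QID>100001</QID>
            <TYPE>Confirmed</TYPE>
            <SEVERITY>3</SEVERITY>
            <STATUS>Active</STATUS>
            <IS_IGNORED>0</IS_IGNORED>
            <IS_DISABLED>0</IS_DISABLED>
          </DETECTION>
          <DETECTION>
            <UNIQUE_VULN_ID>900002</UNIQUE_VULN_ID>
            <QID>100002</QID>
            <TYPE>Potential</TYPE>
            <SEVERITY>2</SEVERITY>
            <STATUS>New</STATUS>
          </DETECTION>
        </DETECTION_LIST>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
"""


def parse_content_model(decl):
    """Split a flat, comma-separated DTD sequence model into (required, optional)
    child names. A trailing '?' or '*' means the element may be absent; '+' or no
    suffix means it must appear. Only the simple form used by DETECTION is handled."""
    body = re.search(r"<!ELEMENT\s+\w+\s*\((.*)\)\s*>", decl, re.S).group(1)
    required, optional = [], []
    for tok in (t.strip() for t in body.split(",")):
        if tok.endswith(("?", "*")):
            optional.append(tok[:-1])
        elif tok.endswith("+"):
            required.append(tok[:-1])
        else:
            required.append(tok)
    return required, optional


def flatten_detections(xml_text):
    """Turn each DETECTION into a dict keyed by lower-cased tag name, the way a
    field-per-element mapping would. A key exists only if the element was present."""
    root = ET.fromstring(xml_text)
    docs = []
    for host in root.iter("HOST"):
        for det in host.iter("DETECTION"):
            doc = {"host_id": host.findtext("ID")}
            for child in det:
                doc[child.tag.lower()] = child.text
            docs.append(doc)
    return docs


def missing_required(doc, required):
    """Names of DTD-required DETECTION children that are absent from a flattened doc."""
    return [name for name in required if name.lower() not in doc]


def field_presence(docs, field="is_disabled"):
    """Count how many flattened docs carry an optional field such as is_disabled."""
    present = sum(1 for d in docs if field in d)
    return {"present": present, "absent": len(docs) - present}


if __name__ == "__main__":
    required, optional = parse_content_model(DETECTION_DTD)
    print("required by DTD:", required)
    print("IS_DISABLED optional:", "IS_DISABLED" in optional)
    docs = flatten_detections(SAMPLE_XML)
    for d in docs:
        print(d["unique_vuln_id"], "missing required:", missing_required(d, required),
              "has is_disabled:", "is_disabled" in d)
    print(field_presence(docs))
```

Running it against a redacted export of your own API responses (replace SAMPLE_XML with the file contents) tells you directly whether any DETECTION in your data carries IS_DISABLED; if field_presence reports them all absent, the dashboard error is expected behaviour for that data rather than a mapping bug.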