Keep security reports organized without manual work. This setup collects finished scan reports from Qualys and files them into TheHive as cases with the report attached. It suits SOC teams that need steady tracking, audit trails, and clear ownership.

Here is how it runs. A schedule kicks off every hour, and you can also test by hand. Global settings load the Qualys base URL and pull the last saved timestamp from a small helper workflow. The flow calls the Qualys API to list finished reports, converts XML to JSON, and splits the list into single items. A filter checks each report date against the saved timestamp to avoid duplicates. If new items exist, the loop pauses briefly to avoid rate limits, creates a case in TheHive with the report details, downloads the PDF, and attaches it to the case. The timestamp gets updated so the next run only picks up newer items.

You will need credentials for Qualys, TheHive, and the n8n API. Set the base URL to match your Qualys platform and confirm the helper workflow used for timestamp storage is connected. Expect faster handoffs, fewer missed reports, and a clean record of scans for audits and compliance across your security team.

• Hourly schedule plus manual test trigger for safe testing
• Global variables store the Qualys base URL and current timestamp
• Helper workflow retrieves and updates the last processed timestamp
• Qualys API call lists finished reports using HTTP Request
• XML to JSON conversion for easy parsing of the report list
• Split Out processes each report record independently
• Date filter only passes reports newer than the saved timestamp
• Short wait between items helps prevent rate limit issues
• TheHive case creation with dynamic title, tags, and description
• Report PDF is downloaded and attached directly to the case

• Reduce manual report filing from hours to minutes per day
• Eliminate duplicate cases by using a saved timestamp
• Connect Qualys and TheHive so teams work from one place
• Handle dozens of new reports each hour with steady throughput
• Create a clear audit trail with reports attached to each case

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with Qualys, TheHive and n8n. See the Tools Required section above for links to create accounts with these services.
3. Open the Global Variables node and set the base_url to your Qualys platform URL. Use the correct Qualys pod URL provided by your account.
4. Set up Qualys credentials: double click the Fetch Reports from Qualys node, choose Credential to connect with, click Create new credential, then follow the on screen instructions to connect your Qualys account.
5. Set up TheHive credentials: double click the Create Case node, create a new TheHive credential with your server URL and API key. Repeat the same for the Add Report As Attachment node.
6. Set up n8n API credentials: double click the Update Timestamp node, create a new n8n credential. In n8n Cloud, generate an API key and set the base URL, then save.
7. Confirm the helper workflow link: in Get Last Timestamp and Update Timestamp, verify the workflow ID points to the included timestamp storage workflow. If not, select it from the list.
8. Check the HTTP Request node for Qualys: action is list and state is Finished. Keep these as is to pull completed reports only.
9. Verify the XML to JSON and Split Out nodes are connected so the report list becomes individual items.
10. Open the filter node and confirm it compares the report creation date to the stored timestamp. This prevents duplicates.
11. In TheHive Create Case, review the title, tags, and description mappings. Adjust fields to match your case naming rules.
12. Run a manual test: click Test workflow. You should see finished reports listed, cases created, and attachments added in TheHive.
13. Troubleshoot common issues: if no items appear, check Qualys permissions and base URL. If you get 401 errors, recheck credentials. If rate limits occur, increase the Wait duration. If attachments fail, confirm the case ID mapping in the attachment node.