Some tips for setting up reporting

1. Make sure your Reporting setup is aligning with what is defined in your
security policy.
2. Scheduling – Your report frequency should align with your scanning routing.
If you scan weekly, report weekly.
3. Try to keep a reporting practice that is ongoing for good trending data. If you
change often, this will be hard to measure.
4. Purging – More on this later. If you aren’t purging, you have stale data.
5. Keep engaged with your audience – Talk to consumers of reports so you
know they are getting what they need.
6. Focused Host Based reports are much more efficient than Scan Based
reports.
7. Use dashboards - Dashboards are interactive reports…so there's no need to
change the approach between reporting and dashboarding schemas.
8. API – Use API for having a report archive program.

2
2
This section covers the different data collection mechanisms used by Qualys.
Qualys has various sensor types that collect data for you.

Scanner Appliances: Intranet and internal scanners, physical or virtual, used to scan
on-prem or cloud assets.
Cloud Agent: lightweight agents that can be installed on clients and servers for real-
time visibility. Ideal for assets with dynamic IP, remote/roaming users, ephemeral
cloud instances, and systems sensitive to external scanning.
Cloud Connectors: collect metadata from cloud platforms such as Amazon Web
Services, Microsoft Azure and Google Cloud Platform.
Passive Sensor: Available as physical or virtual appliance, continuously monitors all
network traffic, profiles devices and flags any asset activity.
Container Sensor: Available as an image for Docker-based containers, designed to
discover, track and continuously secure containers – from build to runtime.
Out-of-band Sensor: Out-of-band configuration assessment helps you extract IT,
configuration, and vulnerability data for assets deployed on disconnected (air-
gapped) networks.

4
The Qualys Sensors are all populating the the platform with your inventory,
vulnerability, threat, compliance, cloud, and web app data. This gives you your data in
one place.

This is where the conversation on reporting starts. We are taking data that is already
in the Qualys platform, and we are viewing it in different ways.

5
6
6
This section provides an overview of the basic concepts and components needed to
build custom reports in the Qualys Vulnerability Management application.
Some tips for setting up reporting
1. Make sure your Reporting setup is aligning with what is defined in your
security policy.
2. Scheduling – Your report frequency should align with your scanning routing.
If you scan weekly, report weekly.
3. Try to keep a reporting practice that is ongoing for good trending data. If you
change often, this will be hard to measure.
4. Purging – More on this later. If you aren’t purging, you have stale data.
5. Keep engaged with your audience – Talk to consumers of reports so you
know they are getting what they need.
6. Focused Host Based reports are much more efficient than Scan Based
reports.
7. Use dashboards - Dashboards are interactive reports…so there's no need to
change the approach between reporting and dashboarding schemas.
8. API – Use API for having a report archive program.

8
8
There are various ways by which vulnerabilities may be ranked and prioritized.
This includes CVSS scores, Qualys severity levels and Real-time Threat Indicators
(aka RTI’s).
It is important that you align your corporate severity ranking mechanism to one
of these methods. This will allow you to have a consistent, org-wide security
policy for dealing with vulns.
One way to do this using CVSS scores.
For example, CVSS score 8.0 and above may be classified as Level 5 (Critical).
Similarly Levels 4 (High), 3 (Medium) , 2 (Low) and 1 (Minimal) are mapped to
the corresponding CVSS scores, as shown in the slide.
Alternatively, you may also map your corporate severity rankings to Qualys
severity ratings.
For example, Qualys Severity rating 4 and 5 corresponds to High, 3 corresponds
to Medium, and, 1 and 2 corresponds to Low.

9
9
It’s important that organizations set standards for driving remediation. Severity
and threat to organization play a part.

Remediation for certain types of vulnerabilities should be prioritized. This is

based on highest attack surface and severity.

Your external assets with high severity vulnerabilities is going to have a high
priority. We are using Level 5 here as the highest severity, but this could also
include your threat protection RTIs.

Your endpoint systems may also have a high priority as they can be “on an
island all by themselves.”

10
10
You want to align your Corporate Policy with what you are doing in Qualys. In
the example above, let’s say you are ranking your vulnerabilities by severity and
CVSS. Maybe you are using base scores for external and temporal scores for
internal because they depend on environment. You then want to build your
search lists that are relevant for the types of reports you are creating for each
type of asset, internal vs external vs endpoint.

You could also do this using Threat Protection RTIs.

11
11
When planning your reports in Qualys VM, first make sure you understand
which levels of the organization need to see reports and what they need to see.
For example, does a C-level need to see the specific patch needed for all of your
Windows workstations? Or do they want to better understand the overall risk
posture.

Next, consider lines of business. Should they have their own separate reports?

Infrastructure/Network Segments: Separate Cloud assets from On-Prem assets.

You might also separate by device type to gain an understand how a certain
type of asset has a risk associate with it.

12
12
There are multiple ways to get data with Qualys – queries, widgets and
dashboards, VM reports, and API.
Queries – this is the fastest way to get data and is best-suited when you’re
looking for quick answers, typically to one-time questions. Examples include –
how many of my assets are vuln to a specific QID, how many vulns of severity 5
exist, how many hosts have not been scanned in the past 30 days, how many
hosts with a specific operating system or software exist.

Widgets and dashboards – this allows for visual representation of data. This
includes count, bar, table and pie graph widgets. Use widgets for data needs to
be constantly monitored. Examples include – assets taking long to scan, assets
not rebooted, count of vulns, distributions of operating systems etc.

13
13
VM Reports – this should be used when you want detailed technical reports.
These reports can be customized to show only specific data such as patches,
malware, threat, compliance etc. and can be shared with other teams. This
should also be used when you want to automate reports.

API – use this when you want to download large amounts of data. API’s are also
used when you’re trying to integrate Qualys with third-party applications like
ServiceNow.

14
14
This section will cover the use cases and best practices for Dashboards, widgets and
queries.
If you’re looking for an answer to a quick question, use a Query. This includes
examples like – how many devices have a specific port open, how many devices
have an SSL vulnerability, how many devices have a zero day vulnerability etc.

If you’d like to visually represent a query, use a Widget. Widgets can be pinned
on dashboards and tracked over a period of time.

Dashboards are made up of multiple widgets. Widgets having a common theme

are placed in a single dashboard. For example, a dashboard for SSL/TLS, a
dashboard for Cloud Agent health, a dashboard for WannaCry vulnerabilities
etc.

16
16
Queries, widgets and dashboards can be used across multiple apps in Qualys.
Knowing which app to use will help you get the required data fast.

AssetView – designed to give you a list of assets matching your search query. If
you’re building your query around vulnerabilities (like severity level, title,
category etc), it is important to know that it includes only NEW, ACTIVE and
REOPENED vulns.

VM Dashboard (Beta) – this has more powerful and flexible search options. It is
designed to give you a list of asses AND list of vulns matching your search query.
It includes NEW, ACTIVE, REOPENED, and FIXED vulnerabilities.

ThreatProtection – designed as an extension of AssetView, use this to search

assets matching specific threats.

Asset Inventory - use this to get a more granular picture of your assets. This
includes standard asset data collected in AssetView plus details such as
manufacturer name, product name, software version, hardware and software
product release dates, end-of-life dates and license categories.

17
17
The queries used to populate your dashboards should align with your security
policies and your scanning routines. For example, if you’re scanning every week,
use NOW-7D in your queries. For example, vulnerabilities.firstFound: now-7D.

The Qualys Community has a number of ready-to-import dashboards available.

To get these, visit community.qualys.com.

Trend graphs should be used when you need to monitor the variance of a
specific metric, such as, assets not scanned in the last 30 days, total vulns fixed
in the last 7 days etc.

Dashboards always collect the most recent scan results; therefore, purging
outdated host scan results data is critical.

18
18
This is an example of how you can align your corporate remediation SLA with
your dashboards.

19
19
The first query looks for all assets that have patchable, confirmed, severity 5
vulnerabilities that also match ANY ONE of the RTI’s (actively attacked, exploit
kit available, has a high data loss, has a high lateral movement, has a publicly
available exploit), and has been first found more than 15 days ago.

The first query looks for all assets that have patchable, confirmed, severity 5
vulnerabilities that also match ANY ONE of the RTI’s (actively attacked, exploit
kit available, has a high data loss, has a high lateral movement, has a publicly
available exploit), and has been first found more than 30 days ago.

20
20
This section explains how Threat Protection can be used to prioritize vulnerabilities
for remediation. It also introduces the Real-time Threat Indicators.

Threat Protection datasheet - https://www.qualys.com/docs/threatprotect-

datasheet.pdf

21
There are several parameters that you can use to determine which vulns to fix
first.

A common way of doing this is to use the Qualys severity ratings and start with
the high priority ones. This includes severity 4 and 5 vulns. You may also include
other factors such as an exploit being available, a malware associated with the
vulnerability, how important is the asset and whether it affects your overall
compliance posture.
Another way to prioritize is to look at CVSS scores.

Qualys Threat Protection provides real-time threat indicators that can also be
used to prioritize remediation. These RTI’s correlate your vulnerabilities to
external threat vectors such as zero day, denial

22
22
To prioritize remediation, at the most basic level, you need to be aware of all
the hardware and software in your organization. You must have a complete,
unobstructed view of your IT environment at all times, and be instantly aware
of its changes.

Just like you must have a clear and deep knowledge of your organization’s IT
assets, YOU ALSO NEED TO PLUG INTO THE FIREHOSE OF EXTERNAL
VULNERABILITY DISCLOSURES, SO YOU’RE AWARE OF THE LATEST THREATS OUT
IN THE WILD.

Once you have a comprehensive view of your IT asset landscape and

vulnerability disclosures, you need to correlate these, continuously. This will
give you a dynamic snapshot of all the vulnerabilities that exist in your IT
environment at any given moment.

Once you have correlated your internal and external threat data and identified
impacted IT assets, you must be able to drill down on the data, mine it for
patterns, slice and dice it, aggregate it in custom reports and represent it
graphically. You should be able to measure your progress and remediation
efforts with real-time trend analysis and generate scan and patch reports for
your stakeholders.

23
23
Finally, you should factor in various criteria for assessing how critical certain threat
scenarios are in your organization’s specific context using actionable intelligence.

23
A vulnerability management program starts with asset discovery.
Qualys has multiple ways by which you may discovered your assets – map scan,
light VM scans, passive sensor etc.
Once your assets have been discovered, the next step is to scan them for
vulnerabilities and report. When you have lots of assets that need to be
patched, or lots of patches that need to be applied, it becomes important to
prioritize. Which asset to patch first and which patch to deploy?
Threat Protection allows you focus on vulnerabilities that have threats
associated with them. Examples include zero day, denial of service, actively
attacked vulns etc.

24
24
The severity level of a vulnerability identifies the impact if the vulnerability is
exploited. Severity is not equal to threat.
For example, if a high severity vulnerability has a known threat associated with
it, then it is an immediate threat and needs to be fixed asap.
Threat Protection includes a live feed of known threats and correlates these to
your assets.

25
25
Threat Protection allows you to identify assets associated with threats, not just
having vulnerabilities. This way you can prioritize those assets that have a
higher risk and that have multiple threats associated with them.

26
26
Zero Day - Active attack has been observed in the wild and there is no patch
from the vendor. An active attack is a prerequisite for this RTI in addition to no
patch from the vendor. If a vulnerability is not actively attacked this RTI will not
be set (even if there is no patch from the vendor). If a patch becomes available
Qualys will remove the Zero Day RTI attribute which helps users to focus only on
vulnerabilities that are actively exploited and there is no official patch.

Exploit Public - Exploit knowledge is well known and a working exploitation

code is publicly available. Potential of active attacks is very high. This attribute is
set for example when PoC exploit code is available from Exploit-DB, Metasploit,
Core, Immunity or other exploit vendors. This RTI does not necessarily indicate
that active attacks have been observed in the wild.

Actively Attacked - Active attacks have been observed in the wild. This
information is derived from Malware, Exploit Kits, acknowledgment from
vendors, US-CERT and similar trusted sources. In addition, if there are no
patches available from the vendor, Qualys will also add the Zero Day RTI.

High Lateral Movement - After a successful compromise, attacker has high

potential to compromise other machines in the network.

Easy Exploit - The attack can be carried out easily and requires little skills or

27
27
does not require additional information.

High Data Loss - Successful exploitation will result in massive data loss on the host.

Denial of Service - Successful exploitation will result in denial of service.

No Patch - Vendor has not provided an official fix.

Malware - Malware has been associated with this vulnerability.

Exploit Kit - Exploit Kit has been associated with this vulnerability. Exploit Kits are
usually cloud based toolkits that help malware writers in identifying vulnerable
browsers/plugins and install malware. Users can also search on Exploit Kit name like
Angler, Nuclear, Rig and others.

27
28
28
This section outlines the use cases for AssetView and Asset Inventory.
AssetView is an application in the Qualys suite that allows you to view assets
from all other modules/applications in one common place. This includes assets
detected by scanner appliance, Cloud Agents, cloud connectors, passive sensors
etc.
AssetView also allows you to use queries to search assets matching specific
criteria. For example, windows assets having severity 5 patchable
vulnerabilities. It also allows you build widgets and dashboards using these
queries. It also allows you to build Asset Tags.

30
30
Asset inventory provide you a source of truth. It’s a central location where you can
view your data collected from all of your different sensors you’ve deployed.

Data collected from your sensors automatically populate into asset inventory. It is
also normalized and categorized. The data collected by your sensors is going to be
organized in this one place.

Because you’re getting an inventory, you are completing the first step of the security
and compliance teams which is visibility.

31
Qualys sensors continuously discover IT assets to provide 100% real-time visibility of
your global hybrid-IT environment. These assets could be on-prem(devices and
applications), mobile, endpoints, clouds, containers, OT and IoT.
The asset data is automatically normalized and classified - this maps the raw asset
data to the Qualys product catalog providing clean and reliable data. This includes
standardization of every manufacturer name, product name, model and software
version. Software classification separates applications from system software such as
OS patches and drivers.
The data is then enriched with asset metadata such as hardware and software
product release dates, end-of-life dates and license categories.
CMDB can be configured to be fed continuously with fresh, detailed data collected by
Qualys Asset Inventory eliminating the need to manually update with system, security
and compliance data.

32
The Qualys Sensors are all populating the the platform with your inventory,
vulnerability, threat, compliance, cloud, and web app data. This gives you your data in
one place.

This is where the conversation on reporting starts. We are taking data that is already
in the Qualys platform, and we are viewing it in different ways.

The Qualys Asset Inventory cloud app aggregates and correlates the data gathered by
all Qualys sensors – Qualys Passive Network Sensors, the Qualys network scanners
and the Qualys Cloud Agent – giving you a comprehensive, detailed inventory of all
your hardware and software, as well as a multi-dimensional view of your global,
hybrid IT environment.

33
Have some nested queries on this slide.

34
34
This section outlines the use cases and features of the new VM Dashboard (Beta).

Read more - https://discussions.qualys.com/docs/DOC-6446-dashboard-toolbox-new-

vulnerability-management-vm-dashboard-beta
The new VM Dashboard (Beta) allows you to query your assets and
vulnerabilities. It includes FIXED vulns, along with NEW, ACTIVE and REOPENED.
Unlike AssetView, where your query results are primarily in the form of assets,
VM Dashboard (Beta) allows you to view results in the form of assets or
vulnerabilities.

36
36
Dashboards can be created manually or they can be imported.
On the Qualys Community, you’ll find ready-to-import dashboards. Head over to
https://community.qualys.com/ and search for “dashboard” under the
Discussions section.

37
37
Have some nested queries on this slide.

38
38
This section describes at a high-level different types of reports that can be used and
major factors to keep in mind while generating reports.
Reports can be used to either drive remediation in your environment, or used
as an audit of your patching program to see how well things are going. The Scan
report template is the most popular report because it offers the most flexibility
for sorting the technical data it can include, and prioritization.

You can also build a patch report to show the necessary patches required in
your environment. Best practice is to sort by patch.

Using dashboards in the Threat Protection and vulnerability management

applications can help show high level data on vulnerabilities you want to track.
They also allow you to query you data quickly.

Run a fixed Vulnerabilities report. There is an importable template already

available to you in the report templates section. Remediation reports can help
you measure open tickets and how long they’ve been open. You can use trend
reports in your scan report template to see Business risk by asset group over
time.

Vulnerability Scorecard reports can help you define a goal for remediation and
see how you are doing it.

40
40
Let's consider this report example:
Say you'd like to create a Report including a Trending Graph. The graph in the
report does not increase the size of the output file by much, but the amount of
transitional data for each detection for each asset the Qualys platform has to
process to build that Trending Graph increases by many folds. Further, if
detections have a long history with high volume of transitions, the Qualys
platform now has to process a lot more data for the same number of
detections. This could severely impact the success rate for report generation.

Suggestion: Reduce the trending period and/or apply vulnerability filtering

and/or apply asset filtering. All these actions will reduce the data the Qualys
platform has to process and increase the success rate.

41
41
This section describes the Authentication report.
When running an authentication report you must first define the report format.
The PDF file format is commonly used, with "scheduled" authentication reports.
Other options include: HTML, CSV, and XML.

Next, select the assets to report on. This can be either Business Units, Asset
Groups, IP, or Asset Tags. The option you select here determines how the report
data will be grouped.

Host assets from the target you select will be listed along with the status
(PASS/FAIL) of the last authentication attempt.

43
43
Have some nested queries on this slide.

44
44
This section outlines the steps to create a vulnerability report and the different types
of findings that can be included in a report.
Before you can create a custom vulnerability report, you'll first need to perform
an assessment of targeted host assets, to collect the host data that will
ultimately produce various findings. Presently, Qualys provides two different
ways for you to perform a host assessment:
•You can launch a scan using a Qualys Scanner Appliance, or
•You can deploy Qualys Cloud Agent directly onto your host assets

Once you have used scanners or agents to collect your host data, you'll then
build or create a Report Template that contains your custom reporting
preferences.

When you have a Report Template that satisfies your needs, you'll use it to
generate a report for host assets you target.

It's important to note that data collection via scanner appliance or agent must
be completed first before generating a report.

46
46
You can view all of your SCAN data within the Vulnerability Management
application by clicking the "Scans" menu, followed by the "Scans" tab. These
are your scan-based findings.

Each and every vulnerability scan performed within your Qualys account is
listed here; not counting, of course, any scans that have been deleted.

If you want to create a report that focuses on data and findings collected at a
specific time--on a specific date--your report should use scan-based findings.

47
47
Scan-based findings are only generated for assets that have been scanned with the
Qualys scanner appliance. Since the Qualys Cloud Agent is in an automated
continuous scan mode, it only generates host-based findings.
Scan-based findings include point in time snapshots of the assets. As a result,
vulnerability status is not displayed.
Most of the time you’ll be using host-based findings – this focusses on the latest
posture of the asset.
Scan-based findings are occasionally used to view a past-dated posture of the asset or
for troubleshooting purposes – like how did it take to scan a host on a day, did
authentication pass or fail, which auth protocol as used, how many hops were
detected etc.

48
All scan based findings are poured into another bucket known as the host-based
findings.

The host-based findings database collects data from completed scans and indexes
each detected vulnerability according to the "tracking method" you have selected for
each host asset.

Host-based findings will allow you to view the vulnerability history of any host asset,
and unlike scan-based findings; host-based findings allow you to create vulnerability
"trend" reports that track the status of any vulnerability (from new, to active, fixed, or
reopened) on any host.

49
When working with host-based findings, be aware of the impact made by: 1) Changes
in authentication mode, 2)Changes in the targeted service ports, and 3) Changes in
host "LIVE/DEAD" status

Another factor to consider when working with host-based findings are changes in
host name or IP address. If a host is configured to use its host name or IP address to
track its detected vulnerabilities, any changes to the host name or IP address could
potentially result in vulnerabilities being associated with the wrong host. Purging the
host-based findings immediatly following a host name change or IP address change, is
a commonly used practice.

Keep in-mind that discreapencies in your vulnerbility findings (perhaps a finding is

displayed as ACTIVE, and you were expecting to see FIXED) can be resolved by
performing an additional scan.

When analyzing such discreapencies, compare the "last detected" date of the suspect
finding to the date of your report. Wide gaps between the last detected date and the
report date could be an indicator that an additional scan is required.
Tags can be used as targets for your reports. Tags allow you to target hosts
without worrying about hosts changing IP addresses.

51
51
At the bottom of the findings section, you'll find special options for agent host
assets or host assets running the Qualys cloud agent.

These host assets are sometimes the source of both SCAN data as well as
AGENT data.

The options provided here will allow you to distinguish between data types
(that is: agent data, scan data, and all data, which includes both scan and agent
data together in the same report.)

52
52
In this section, we’ll focus on Cloud Agent hosts that are also scanned with a scanner
appliance.
When you use a Qualys scanner appliance to scan a cloud agent host, the scan
data in your account is kept separate from the agent data.

In this example a Windows host (IP address 192.168.1.242) is the source of

both AGENT data as well as SCAN data.

By default, when you run a report on this host you will see two records for the
same host. One record contains data collected by the scanner appliance, and
another contains data collected by the Cloud Agent.

54
54
By default, within your reports, scan data and agent data for the host will be
shown in different sections.
Using the Unified View feature, this can be merged to show one record.
For the data to be merged, the hosts should be scanned with authentication
and should have the Agentless Tracking feature enabled.
Steps to enable agentless tracking -
https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/agentless_tracking.
htm

55
55
When the same asset has been scanned by the appliance and the agent, you
have a choice to only show scan data, agent data or both, when running a
report. The data that will be shown also depends on whether Unified View is
enabled or not.

56
56
Have some nested queries on this slide.

57
57
In this section, we’ll breakdown the various “Display” options in a Scan Report
Template.
A common theme you’ll find when building reports is considering the audience.
Whenever building a report, ask the question, for whom am I building this report?

Are you sharing this report with a high level executive, or are you sharing it with a sys
admin who is going to be part of the patching program? Obviously that will dictate
what goes in your report.

The next question you should ask is, what do they need to see?

The point is to make your reports as succinct at possible. You can always add more
information to your template if requested. Best practice is to ensure you’re building
your reports as efficiently as possible.
The next item we come to in the display section is graphics. Does the person viewing
the report care to see a graphic in the report that provides a breakdown what you’ve
checked?

A quick note on a couple of these options. If using the top two graphic options, you
have to be using trending host based findings over a period of time, otherwise these
options will be greyed out.

The custom footer allows you to put information at the bottom of your report. Maybe
you are distributing the report, and you want people know that it’s confidential.

60
Select Host Details for information about Cloud Agent hosts.

Specifically, it will give us the Asset ID for the Agent host. This is the unique identifier
associated with all cloud agents assets.

For reports that target AWS EC2 assets, select the “EC2 Related Information” check
box.

This is going to provide important information on any EC2 host. If it has a public DNS,
it will show here. It will show the hosts AMI. This is important because when you go
to patch, you can patch at the AMI level, and any host spun up off that AMI will not
have that vulnerability. You can find the VPC location. The state of each instance is
listed (e.g., running, stopped or terminated?). You can find the private DNS, and
instance type.

61
If you’ve taken the Qualys vulnerability management course, you know that all
vulnerabilities or QIDs include A LOT of information.

Checking all boxes will increase the amount of detail, as well as the report size and
the amount of time required to generate the report.

When selecting included details ask: “What does the target audience need to see?”
What information is required to meet the objective at hand?

62
Have some nested queries on this slide.

63
63
In this section we will breakdown the filter options within the Scan Report Template.
With the filter options you can start to filter down on the number and type of QIDs
along with the specific operating systems, giving you the ability to create specific
reports for the different teams in your organization.
Search lists can be used to focus on specific vulns like patchable vulns, high
severity vulns, vulns with exploits etc. It can also be used to exclude specific
vulns from the report. Combined with Tags, it can be used to create very
targeted reports.

Example: EOL search list?

66
66
This is an example of how you can align your corporate severity rankings using
search lists.
This example uses CVSS Base Score to create a search list of external facing
vulns and CVSS Temporal score for internal facing vulns. The assets have been
identified using Tags.

67
67
Threat Protection RTI’s can also be used to build search lists. Multiple RTI’s can
be selected in a single search list./
These search lists can then be used with Option Profiles to limit your scan, and
in your reporting templates.

68
68
Vulnerability Filters allows you to define the status of the vulnerabilities you
wish to see in the report. A vulnerability can one of four statuses:

The first time a vulnerability is detected on an asset it’s status will be new. For
any vulnerabilities that have been detected more than once it’s status will be
active. When a vulnerability is no longer detected then it’s status will be fixed.
For any vulnerabilities that have been fixed and are rediscovered then the status
is re-opened. Please note that if you want to report on fixed vulnerabilities you
need to have the trending option in the findings enabled.

Along with the its status a vulnerability also has a state, with the default state
being active. Meaning that it actively scanned for and reported on. A
vulnerability can also be disabled via the knowledge base. Meaning it is globally
filtered out from all hosts in the scan report

For specific reasons sometimes, a vulnerability may be disabled or ignored for a

period of time. If you wish to report on these then you will need to relevant state
option.

An ignored vulnerability is a specific vulnerability that is ignored on a specific

asset.

69
69
By default, we report all vulnerabilities on all Linux kernels (the running kernel
and non-running kernels). Choose the display option to add a new section to
your report listing vulnerabilities on non-running kernels or choose the exclude
option to filter them out.

70
70
Select filters to exclude certain vulnerabilities from your reports like
vulnerabilities found on non-running ports/services and vulnerabilities that
can’t be exploited because of a host configuration. These filters apply to certain
QIDs only.

71
71
The exclude superseded patches when enabled will exclude any superseded
patches that fix a vulnerability. For example, if patch A and patch B both are
needed on an asset and if patch A is superseded by patch B, then with this
option checked, the report will only show patch B related QID and not have any
information related to patch A related QID. With this option unchecked,
the report will list both the patches.

Patch superseding only works for operating system vulnerabilities

72
72
In this example on the left you can see the list of severity 5 vulnerabilities on a
Windows asset with patch supercedence turned off. On the right we have the same
asset but this time with patch supercedence turn on.

The number of displayed vulnerabilities is less because the system is only displaying
those QIDs that have the required patches to fix all of the discovered vulnerabilities.
Each the QID’s in the Knowledge base are assigned a category. If you wish can filter
down the QID’s listed in the reporting by their category. For example. If you just
wanted to report on vulnerabilities in the TCP/IP category.

Qualys would normally recommend that you have all categories selected therefore
reducing the chances of some vulnerabilities not appearing in the report. If you want
to see a list of the vulnerabilities in a category this can be done using the search
feature in the knowledge base.
75
75
This section describes how to detect required and unauthorized services and ports by
configuring these in the report template.

76
Services and Ports allows you to define a list of services or ports that should or should
not be running on the assets in the report. Using the Add and Remove buttons you
can select which are the required or unauthorised services.

For ports you will need to enter in the port numbers for the required or unauthorised
ports. When using these features along with search lists then you will need to make
sure that the following QID’s are include in the search list .

To use the Services and Ports feature, ensure the following QID are included (i.e., via
Search List) in the report template:
§ Required Service Not Detected QID38228,
§ Unauthorized Service Detected QID38175.
§ Required Port Not Detected QID82051,
§ Unauthorised port detected QID82043
This section outlines four scenarios commonly found in organizations
- Assets that have been patched but continue to be flagged as vulnerable
- Assets that fail authentication resulting in the vulnerability status not being
updated
- Scans that don’t target all the ports resulting in the vulnerability status not being
updated
- Assets that show up as dead resulting in the vulnerability status not being updated

78
At times, you’ll find patched vulnerabilities still appearing in your scan results.
This happens for various reasons, like old registry keys, DLL or temp files,
pending reboot etc.
To investigate why the vulnerability is still being flagged, open your Scan
Results, and look at the Results section of the QID.

79
79
QID’s that have the blue key icon on them are ones that need authentication for
detection.
If a scan is unable to authenticate, this QID cannot be tested and will continue
to retains its previous status.

80
80
The example shown here outlines the important of targeting the required ports
in a scan.
If a port is not targeted on a scan, or cannot be tested for reasons like firewall
filters, the QID associated with this port number will continue to retain its
previous status.

81
81
For a host to be tested for vulnerabilities, it should be found alive. The host alive
checks used by Qualys can be configured under Scans > Option Profiles >
Additional section.
If a previously scanned host is found to be dead on the latest scan, the QID’s
detected earlier will continue to retain their status.

82
82
In this section, we'll discuss the lifecycle of identifying the QID's associated with a
major vulnerability, building the required search lists, scanning for the vulnerabilities
and creating specific and targeted reports.
 In some cases, organizations are required to address certain high severity or high-
threat vulnerabilities immediately. These types of vulnerabilities are in the “address
now, not later” category.

Example: Spectre and Meltdown.

The first step is to detect the vulnerability. A normal VM scan will target all QID’s.
Instead, we can use a search list that only includes the required QID’s. This results in a
faster and efficient scan.
Once a Search List has been created, it can be used within an Option Profile to limit
the QID’s tested on the scan.
The Search List created for scanning purposes can also be used for reporting – this
will result in the Report only including the QIDs found in the Search List.
To do this, edit your Report Template and include the Search List.
In this section we’ll explore the different types of Scorecard Reports.

87
The scorecard reports are designed to be high level reports. In that they do not
contain any technical details on the vulnerabilities or patches. Instead they are there
to give you the overall security status of your assets.

This can help you get quick answers to questions like:

-Which are the most vulnerable assets
-Which are the most commonly found vulnerabilities
-How many assets are missing a critical patch or software

The scorecard report has a set of predefined templates that can be customized or
used as is to run reports. These reports can also be scheduled to run automatically so
stakeholders regularly get high-level reports that help them understand the overall
security posture.
It is recommended to have a naming convention for your scorecard reports. Since
these are high-level reports, they’re likely to be used for targeting specific set of
assets or specific segments of your network.
Having a standard naming convention will help you quickly understand what type of
information is contained in a report, and which segment and devices in your network
are included.
These templates are, the Vulnerability scorecard report which shows the latest
vulnerability status of the selected assets.

The Ignored Vulnerability report, will list the ignored vulnerabilities on the selected
assets.

The most prevalent vulnerability report will list the top 10 most prevalent
vulnerabilities and the affected assets.

Most vulnerable hosts, will list the top vulnerable hosts with the number of
vulnerabilities at the defined severity.

The patch report will list assets that are missing specific patches and software.
This section explains the different options that can be configured in a Patch Report
Template.
The patch report is designed to list patches that need to be installed to fix the current
discovered vulnerabilities.

The patch report is most commonly used as online report which means that a person
viewing the report can navigate through the report content.

In this online format the report cannot be downloaded, but there are options to
download the report content in a PDF, XML, or CSV format.

Anyone who wishes to view this repot in its online format must have an account in
your subscription.

92
When you use the patch report, the Qualys platform will automatically use the patch
supersedence. This means that any patches displayed in report will be latest patches
required to fix the QID. That patch may also be used to fix other QID’s and in that
case all those QID’s will be group together.
With the Display patch severity setting you can define how the severity level for each
patch is displayed. The default of Assigned Severity means the patch severity in the
report will match the severity assigned to the QID for the recommended patch. For
example, if the KnowledgeBase has a QID for MS09-015 with severity 3, then the
patch for MS09-015 is listed with severity 3, even if other vulnerabilities fixed by the
patch have a higher severity.

If you wish to see the patch severity in the report to match the highest severity across
all QIDs detected on the host that can be fixed by the patch, then select Highest
Severity. For example, let’s say patch MS09-015 fixes three QID’s at severity levels 3,
4, and 5. If all three QIDs are detected on the host, then the patch severity is 5. If QID
at severity 5 is not detected on the host but the other QIDs are, then the patch
severity is 4.

QID 90492 (severity 3), QID 90397 (severity 4) and QID 90342 (severity 5). If all three
QIDs are detected on the host, then the patch severity is 5. If QID 90342 is not
detected on the host but the other QIDs are, then the patch severity is 4.

94
By default, all available patches are included in the report. The filter option “Selective
Patch Reporting” allows you to identify patch QIDs to include or exclude from the
report. select Complete to show all known patch QIDs, select Custom to show only
specific patch QIDs, and select Exclude Patch QIDs to filter out certain patch QIDs
from the report.

For example, if you want to generate a patch report of Microsoft vulnerabilities but
you want to filter out service pack QIDs. In this case, you need 2 search lists. The first
search list includes vulnerabilities associated with the vendor Microsoft. The second
search list includes all vulnerabilities with “Service Pack” in the vulnerability title.

Use the “Selective Vulnerability Reporting” and select “Custom” and then add the
Microsoft Vulnerabilities search list. Only vulnerabilities associated with the vendor
Microsoft will be included in the report. Next use “Selective Patch Reporting” to
identify the patch QIDs you want to filter out of the report. Select “Exclude Patch
QIDs” and then add the Service Pack search list. Any QID associated with a Service
Pack will be filtered out of the report. Patch reports generated with this template will
include all Microsoft vulnerabilities that are not associated with service packs.

95
Have some nested queries on this slide.

96
96
In this section, we will discuss configuring Qualys in a scalable way to distribute
reports.

97
When planning your reports in Qualys VM, first make sure you understand
which levels of the organization need to see reports and what they need to see.
For example, does a C-level need to see the specific patch needed for all of your
Windows workstations? Or do they want to better understand the overall risk
posture.

Next, consider lines of business. Should they have their own separate reports?

Infrastructure/Network Segments: Separate Cloud assets from On-Prem assets.

You might also separate by device type to gain an understand how a certain
type of asset has a risk associate with it.

98
98
Reporting Rollout. This means:

What types of reports should be run? You have a lot of scan data and cloud agent
data to chew through. What kinds of reports need to be run to ensure you are
prioritizing and remediating effectively and providing the right high level data to
internal stakeholders?

Who is supposed to get them? Which users in the organization need to receive
reports in order to do their jobs effectively, and, how can you ensure accountability?
Which users need to see high level reports to ensure the vulnerability management
program is working and which users need reports that help drive and/or verify
remediation.

When are they supposed to receive them? This is the process of scheduling reports
and automating as much of the vulnerability management process as possible.

99
There are two scenarios for report distribution:

1. Distributing reports to Qualys users

- These users have an account on the Qualys tool.
- The Manager user builds a report template that will be used to generate the
reports.
- The Manager user then assigns users to the Report Template.
- Now when this template is used to run a report, the users assigned to the
Template will be able to view it even if they do not have access to the assets
included in the template.

2. Distributing reports to non-Qualys users

- These users do not have an account on the Qualys tool.
- The Manager user builds a report template.
- The Manager user creates a distribution group containing the email addresses to
which the report needs to be distributed.
- The Manager user schedules a report and includes the distribution group.
- When the report runs at the scheduled time, the users in the distribution group
will receive an attachment or link (depending on the configuration) to access the
report.

100
This section explains how to assign users to a reporting template.

101
A good way to build a scalable reporting solution is to assign the right users to the
right templates.

This ensures a couple things. You will standardize your reporting meaning you know
what data people are using. You’ll be able to control who is seeing what.

Assigning users to templates is easy. You’ll go to the template, and you will simply
find the user who should be able to see the vulnerability data for the assets in this
template. This is important, because now, when you schedule a report to run with
this template, this user will automatically see it in their account under the reports
tab. They will not have to generate the report themselves.

102
This section explains how to assign assets to users. This will allow the user to run
reports on the assets for which they’ve been granted access.

103
One way you can set up reporting is to allow your users to build their own reports. To
do this, you have to ensure the user building the reports is assigned access to the
assets for which they are responsible. Users can have reader, scanner, business unit
manager or manager role to build reports.

To assign a user to assets, go to the users section and edit the user. Assign them the
assets they should be able to act upon. Their role will dictate what they can do with
these assets.

104
This section outlines the process of scheduling reports.

105
Scheduled Reporting

Like with mapping and scanning, users can schedule reports to run automatically at a
scheduled time, on a recurring basis. Users can also set options to notify select
distribution groups when a report is complete and ready for viewing.

Schedule a Report
There are several report types that can be scheduled. You can schedule template-
based scan reports (set to Auto source selection), scorecard reports, patch reports,
template-based compliance reports and remediation reports.

To create a new report schedule, go to Reports > Schedules and select the type of
report you’re interested in from the New menu. In the example below, a new
template-based scan report will be scheduled.

106
When configuring scheduled reports, there are four options to distribute them:
Attachment or Link – with this option, the report is sent as an attachment if it’s under
5MB in size, else a link is sent.
Attachment Only – with this option, the report is sent an an attachment if it’s under
5MB in size, else no report is sent.
Link Only – with this option, a report link is always sent
Don’t Send the Report – with this option, the report is not sent as an attachment or
link. The user will need to login to the Qualys console to view the report.

107
To create a new report schedule, go to Reports > Schedules and select the type of
report you’re interested in from the New menu. The New Scan Report page appears.
SCHEDULING
Define a start date and time for your scheduled report, and how often you’d like the
report to run. You can schedule the report to run daily, weekly or monthly on the days
that you specify.
REPORT NOTIFICATION
Define who should be notified when the report is complete and ready for viewing.
The report notification will be sent to all email addresses listed in the selected
distribution groups, including users with QualysGuard accounts and those who do not
have accounts. You may customize these attributes of the email: the sender (you or
Qualys Support), the subject line, and the body of the email. If the generated report is
less than 5MB it will be sent as an attachment to the email in the format in which it
was generated. If greater than 5MB a link will be provided in the email instead for
accessing the report. Scheduled reports will appear on the Schedules list and your
report will run at its scheduled time.

108
By default every Qualys user has 200 MB for report storage. A Manager user can
increase this to up to 500 MB per user.
Secure PDF distribution can be enabled to encrypt the PDF reports.
These settings can be found under Reports > Setup > Report Share.

109
This is an example of how your reporting activities can be scheduled over a week.
Vulnerability scans are scheduled to occur over the weekend. These scans are
authenticated scans.
The first thing to do post an authenticated scan is to verify authentication status. If
authentication fails, all QID’s cannot be tested. So it is important to first verify that
authentication was successful, this is achieved using Authentication Reports – these
are scheduled to be distributed automatically on Monday.
Patch reports are scheduled to occur on Tuesday, and these are automatically
distributed to the patching teams.
Scans, authentication and patch reports are repeatable tasks and can be scheduled to
occur automatically.
When there’s a major vulnerability release (e.g. high severity exploitable
vulnerability), it will need to be fixed immediately. We’ll need to scan and report on
this vulnerability everyday, until it is no longer found on the network.
One-off reports can be generated manually to check for assets that are missing a
critical software, check remediation metrics, look for scan-based findings etc.
Reports like fixed vulnerability report and executive summary can help you measure
progress. These reports can be scheduled to occur monthly and configured to be
distributed to stakeholders.
Additionally Dashboards can also be included as part of regular reviews – they help
you get an overall high-level picture of your infrastructure and can also be used to
drilldown into specific asset and vulnerability information.

110
111
111
This section describes the use cases for purging, differences between purging and
removing an IP, how to identify hosts for purging, and how to purge.

112
Purging refers to the removal of stale asset data. Purging is required when a
host is being decommissioned or used in a completely new role - new operating
system, new applications, new purpose.
Purging becomes very important in highly dynamic and ephemeral
environments where assets are replaced or deleted very frequently. Cloud
provider environments are a good example.

113
113
When assets have been replaced in your environment but not purged from your
Qualys account, it results in inconsistent data. Vulnerability tickets of the stale
asset will continue to remain open affecting your risk calculation and SLA
metrics. Remediation performance will be impacted too.
Moreover, if the stale asset continues to remain in your subscription and the
associated IP has been assigned to another asset, when new findings come in, it
will result in inconsistent scan reports.

114
114
When a host is purged in the Vulnerability Management application, it causes
inventory, vulnerability, and remediation information to be removed.

When a host is purged in the Policy Compliance application, it causes

authentication, compliance and exception history information to be removed.

115
115
When a host is purged, it causes inventory, vulnerability and remediation ticket
information to be deleted. All other information is retained.
When a host is removed, it causes scheduled scans and reports to be retained
and the IP continues to remain in the Global Exclusion list. All other information
is deleted.

116
116
Before you start purging, consider the size of your environment and how many
IP’s you intend to purge. Purging a large number of IP’s can take time. If you
need to purge on a regular basis, it’s a good idea to automate this using APIs.

117
117
While purging allows you to retain the IP in your subscription and delete the
associated data from your subscription, removing the IP causes the IP and
associated data to be deleted from your subscription.
Purging is recommended when the IP has been reassigned to another asset or
has taken up another role. Removing is recommended when you no longer to
the scan the IP.

118
118
There could be several criterial used to identify hosts for purging. Common ones
include assets that haven’t been scanned in X days, EC2 instances in a
stopped/terminated state, assets that have been decommissioned etc.

119
119
From the VM application, you’ll be able to purge assets that are IP, DNS and
NetBIOS tracked. These are assets that are scanned with an appliance.

To purge a single host, navigate to Assets > Host Assets, and click on the “i”
symbol to view host information, and click the Purge button.

To purge multiple hosts, navigate to Asset Search and search for the required
assets. Select all that you want to purge, and use the Actions menu to Purge.

Use these options to purge your traditional hosts, added to the Host Assets tab.

120
120
From the VM application, you’ll be able to purge assets that are IP, DNS and
NetBIOS tracked. These are assets that are scanned with an appliance.

To purge a single host, navigate to Assets > Host Assets, and click on the “i”
symbol to view host information, and click the Purge button.

To purge multiple hosts, navigate to Asset Search and search for the required
assets. Select all that you want to purge, and use the Actions menu to Purge.

Reference -
https://qualysguard.qualys.com/qwebhelp/fo_portal/host_assets/win_add_hos
ts.htm#purge

121
121
122
122
123