Reporting Strategies and Best

Practices
Lab Tutorial Supplement

1
Table of Contents

LAB: OPERATIONALIZE QUALYS TRURISK ..................................................................................................... 4

ASSIGN CRITICALITY SCORES TO ASSETS ................................................................................................................................. 4
Asset Criticality Score & Asset Tags ................................................................................................................................ 4
Update Existing Tags............................................................................................................................................................. 5
CMDB Sync To Set Asset Criticality ................................................................................................................................. 6
Asset Groups To Set Asset Criticality .............................................................................................................................. 6
Qualys APIs To Set Asset Criticality................................................................................................................................. 7
CREATE & IMPORT UNIFIED DASHBOARDS .............................................................................................................................. 8
Dashboard Template Library ............................................................................................................................................ 8
View Asset & Vulnerability Details .................................................................................................................................. 9
Qualys Community Dashboards ........................................................................................................................................ 9
Patch Tuesday Dashboards ............................................................................................................................................. 10
CREATE CUSTOM WIDGETS...................................................................................................................................................... 12
Widget Details ....................................................................................................................................................................... 12
Query Settings ....................................................................................................................................................................... 13
Advanced Settings................................................................................................................................................................ 14
Display Settings .................................................................................................................................................................... 15
Create Widget from Query ............................................................................................................................................... 15
VMDR PRIORITIZATION REPORT ........................................................................................................................................... 16
Classic Mode ........................................................................................................................................................................... 16
TruRisk Mode ......................................................................................................................................................................... 18
Remediation ........................................................................................................................................................................... 18
Report Distribution ............................................................................................................................................................. 19
UNDERSTANDING QUALYS TRURISK SCORES........................................................................................................................ 21
Asset Criticality Score......................................................................................................................................................... 21
Qualys Detection Score ...................................................................................................................................................... 21
Qualys TruRisk Score .......................................................................................................................................................... 23
LAB: SCAN REPORT TEMPLATE ...................................................................................................................... 24
SCAN REPORT TEMPLATE FINDINGS ...................................................................................................................................... 25
Host-Based vs. Scan-Based Findings ............................................................................................................................ 25
Host-Based Findings ........................................................................................................................................................... 26
Choose Host Targets ........................................................................................................................................................... 26
Scan Based Findings ........................................................................................................................................................... 27
Hosts With Cloud Agents................................................................................................................................................... 29
Unique Asset Identifiers..................................................................................................................................................... 29
Asset Merging ........................................................................................................................................................................ 31
Query Tokens for Scan Template Findings ............................................................................................................... 34
SCAN REPORT TEMPLATE DISPLAY ........................................................................................................................................ 35
Report Summary .................................................................................................................................................................. 35
Detailed Results .................................................................................................................................................................... 36
Sorting Data ........................................................................................................................................................................... 36
Display Host Details ............................................................................................................................................................ 37
Cloud Related Information .............................................................................................................................................. 38
SCAN REPORT TEMPLATE FILTER........................................................................................................................................... 39
Selective Vulnerability Reporting ................................................................................................................................. 39
Construct Widgets from Search List Criteria ........................................................................................................... 42
Vulnerability Filters ............................................................................................................................................................ 43

2
LAB: PATCH REPORT TEMPLATE ................................................................................................................... 44
PATCH TEMPLATE FINDINGS ................................................................................................................................................... 45
DON'T HAVE COMPLETE SCAN FINDINGS FOR THE TARGET HOSTS? CHOOSE "CLASSIC” PATCH EVALUATION. THE
“CLASSIC” PATCH EVALUATION OPTION DOES NOT PROVIDE PATCH SUPERSEDENCE AND IS A BETTER OPTION IF YOU
NEED TO INCLUDE FILTERING. .................................................................................................................................................. 45
Patch Supersedence ............................................................................................................................................................ 45
PATCH TEMPLATE DISPLAY ..................................................................................................................................................... 46
PATCH TEMPLATE FILTER ....................................................................................................................................................... 47
Selective Vulnerability Reporting ................................................................................................................................. 47
Selective Patch Reporting................................................................................................................................................. 47
ONLINE REPORT FORMAT ........................................................................................................................................................ 48
LAB: SCHEDULE & DISTRIBUTE REPORTS................................................................................................... 49
READER USER ROLE .................................................................................................................................................................. 49
DISTRIBUTION GROUPS............................................................................................................................................................. 49
ASSIGN USERS TO TEMPLATES ................................................................................................................................................ 50
SCHEDULE & DISTRIBUTE REPORTS ....................................................................................................................................... 51
DISTRIBUTION OPTIONS FOR SCHEDULED REPORTS ........................................................................................................... 51
LAB: FACTORS THAT IMPACT REPORT DATA ............................................................................................ 54
FAILED AUTHENTICATION ........................................................................................................................................................ 54
Qualys Subscription Health Dashboard ..................................................................................................................... 54
Authentication Report ....................................................................................................................................................... 54
Troubleshoot a Failed Authentication Attempt ...................................................................................................... 56
“HOST NOT ALIVE” STATUS ..................................................................................................................................................... 56
CHANGE IN HOST OS ................................................................................................................................................................. 57
CHANGE IN HOST NAME OR IP ADDRESS............................................................................................................................... 57
LAB: PURGING AND REMOVING ASSETS....................................................................................................... 58
PURGING ...................................................................................................................................................................................... 58
Identify Assets for Purging ............................................................................................................................................... 58
Purge an IP ............................................................................................................................................................................. 59
REMOVE/DELETE HOST ASSETS............................................................................................................................................. 60
RULE-BASED PURGE .................................................................................................................................................................. 61
LAB: IGNORE VULNERABILITIES..................................................................................................................... 62
CREATE REMEDIATION POLICY ............................................................................................................................................... 62
Search List Required ........................................................................................................................................................... 63
Conditions & Actions ........................................................................................................................................................... 63
Create Tickets - Set to Closed/Ignored ....................................................................................................................... 64
Expired Exceptions .............................................................................................................................................................. 64
Relaunch a Scan.................................................................................................................................................................... 64
MONITOR IGNORED VULNERABILITIES .................................................................................................................................. 65

3
LAB: Operationalize Qualys TruRisk
Qualys TruRisk helps organizations quantify cyber risk so that they can accurately
measure it, take steps to reduce exposure, track risk reduction trends over time, and
better measure the effectiveness of their cyber security program.
Qualys TruRisk™ prioritizes vulnerabilities and assets, based on the actual or “true” risk
posed to your organization.

Assign Criticality Scores To Assets

Asset Tags and their "Asset Criticality Score" settings are fundamental components to
operationalizing Qualys TruRisk™. Asset criticality plays a key role in identifying the
vulnerabilities that really count.
Navigate to the following URL to view the "Asset Criticality Score & Asset Tags"
tutorial:

LAB 1 - https://ior.ad/9cm8

Asset Criticality Score & Asset Tags

As assets change and evolve over time, so does their associated risk. Dynamic Asset
Tags are designed to adjust to host changes (Hardware, Software, OS) and update
the risk accordingly.
Let’s use “server-based” assets as an example. The “Asset Inventory” rule engine
leverages the power and flexibility of the Qualys Query Language (QQL) to create tags
based on different asset categories:
operatingSystem.category2:Server or hardware.category2:Server
In the query above, the “operating system” and “hardware” category tokens effectively
assign the Asset Tag to “Server” assets. The Asset Criticality Score component of the
same tag (when enabled) applies your specified criticality score to these assets.

4
This next example adds another condition to the Asset Tag rule that also impacts the
criticality of assets:
(operatingSystem.category2:Server or hardware.category2:Server)
and operatingSystem.lifecycle.stage:EOL/EOS
With the “Operating System Lifecycle Stage” token added, the query now identifies
server-based assets that are potentially no longer receiving security patches or updates
(i.e., EOL/EOS).

In this case, a higher Asset Criticality Score is assigned to servers no longer receiving
security patches or updates.

Update Existing Tags

It is important to identify assets that do not have an “assigned” criticality score.
Because the TruRisk calculation requires an Asset Criticality Score, a default score of “2”
will be used for these assets. Use the following query to find assets in your account that
do not have an assigned criticality score:
criticalityScore is null
Assets that appear in the query result set may potentially already have one or more
Asset Tags; however, not all tags have the ACS setting enabled.

To assign a specific score, you can enable the ACS setting for any of the asset’s existing
tags or assign a new tag with ACS already enabled.

5
CMDB Sync To Set Asset Criticality
When integrated with ServiceNow CMDB, Qualys VMDR automatically imports business
criticality for assets.
If you have a CMDB and you are defining the asset criticality based on the business
aspect then you can sync the defined criticality from the CMDB to Qualys to add more
criticality context.

Asset Groups To Set Asset Criticality

The Asset Group "Business Impact" setting contributes to the overall Asset Criticality
Score (ACS) of each of its member hosts.

The “Business Impact” settings from Asset Groups are converted to Asset
Criticality Scores (i.e., when matching Asset Tags are automatically created for each
Asset Group added to your account).

6
Qualys APIs To Set Asset Criticality
Create and update Asset Tags via the “Asset Management & Tagging” API.

Leverage the Qualys API (above) to create tags with a specified criticality score.

Leverage the Qualys API to update the criticality score of existing tags.

7
Create & Import Unified Dashboards
Combine Widgets from multiple Qualys Unified Platform applications into a single
“unified” dashboard. Dashboards reveal high-risk remediation targets (just click to view
vulnerability and asset details). Dashboards also provide widgets to audit your patching
and remediation efforts.
Navigate to the following URL to view the "Create & Import TruRisk Unified
Dashboards" tutorial:

LAB 2 - https://ior.ad/9cLi

Dashboard Template Library

Qualys provides ready to use Dashboard Templates that are quickly added to your
account. New templates are added to the library, regularly.
The “Unified Dashboard” icon (in the upper-left corner of the DASHBOARD section of
your application) provides a list of your account dashboards.

To import dashboards from the template library, click the “plus-sign” icon to “Create
New Dashboard.”

8
View Asset & Vulnerability Details
While Dashboard Widgets initially display high-level asset and vulnerability data, you
can drill-down into asset and vulnerability details with a single mouse click.

Use Dashboards to distinguish and single out high priority remediation targets (both
vulnerabilities and assets). Use Dashboards to assess and validate the progress of your
vulnerability remediation efforts.

Qualys Community Dashboards

While most community dashboards are eventually added to the Qualys Template
Library, some dashboards are available exclusively on the Qualys Community.

The “Unified Dashboard” icon (in the upper-left corner of the DASHBOARD section of
your application) provides a list of your account dashboards. To import dashboards
from the Qualys Community, click the “gear-shaped” icon to “Manage Dashboards.”

9
In the 2023 TruRisk Threat Research Report, Qualys explores the most common ways
adversaries exploit vulnerabilities and render attacks, while providing security teams
with data-backed insights and analysis.
Key Report Findings:
1. Speed is the key to outmaneuvering adversaries
2. Automation is the difference between success and failure
3. Initial Access Brokers (IABs) attack what organizations ignore
4. Misconfigurations in web apps are the biggest source of PII exposure.
5. Infrastructure misconfigurations open the door to ransomware.

Qualys TruRisk Research Report

https://success.qualys.com/support/s/article/000007190

Unified Dashboards & Reporting Resources - Start Here

https://success.qualys.com/discussions/s/article/000005975

Patch Tuesday Dashboards

Patch Tuesday generally refers to the second Tuesday of each month, when Microsoft,
Adobe, Oracle and others regularly release software patches. Sometimes patches are
released on the fourth, Tuesday of each month and minor updates are also occasionally
released outside of Patch Tuesday.
Qualys Vulnerability R&D Lab releases new vulnerability checks in the Qualys Cloud to
protect organizations against vulnerabilities that are fixed in the security bulletins
announced by Microsoft as a part of the Patch Tuesday release each month. Details of
these vulnerabilities are published regularly as a part of the Qualys Security Alerts and
can be viewed here: https://www.qualys.com/research/security-alerts/.

Qualys provides dashboards and widgets for each Patch Tuesday release:
https://success.qualys.com/discussions/s/article/000007031#UPDATES
Widget queries are created from the monthly Qualys Security Alert posts, including the
QIDs released for the monthly Patch Tuesday cycle.

10
New queries are provided each month to construct widgets to add to your existing
dashboard.

While updating the Query Settings for “Numerical” widgets, consider enabling the
“Trending” option (under Advanced Settings).
Also, an adjustment is required for widgets that use a “reference” query.

In the example above, a “Numerical” widget type is updated with the “June” Patch
Tuesday QIDs and a “reference” query is provided to compare the “June” Patch Tuesday
vulnerabilities to ALL “June” vulnerabilities.

11
Create Custom Widgets
While Qualys provides “out-of-box” dashboards for you to use, at some point you may
want to add custom adjustments or even build a custom widget from scratch. Widgets
from all Qualys Unified Dashboard applications can be combined together into a single
dashboard.
Widgets are comprised of four primary components: 1) Widget Details, 2) Query
Settings, 3) Advanced Settings, and 4) Display Settings.
The next tutorial demonstrates the steps to import a widget from the Widget Template
Library, as well as building a widget from scratch.
Navigate to the following URL to view the "Create & Import Widgets" tutorial:

LAB 3 - https://ior.ad/9eC9

Widget Details
Several widget types are provided to help you visualize asset and vulnerability data.

Not all Unified Dashboard applications support the same widget types. Select from the
list of Unified Dashboard applications, to define the widget types that are supported.
Qualys Unified Dashboard and “TruRisk Score” widgets provide the best way to visualize
risk across the organization. The “TruRisk Score” widget type provides the average
TruRisk score for any group of assets you target.

12
Query Settings
The Qualys Query Language (QQL) and one or more query tokens, drive the data to be
displayed in each widget.

Options are available to Display the query results as either assets or vulnerabilities.
Separate fields are provided for Asset and Vulnerability query tokens.
The “Filter” options within the Query Settings, function just as they do in the
VULNERABILITIES section of VMDR. Ensure that you adjust the filters to correctly display
the query results.
An option is provided for a second “reference” query. Reference queries provide ratios
and percentages that help to define important security thresholds.
Incorporate Qualys TruRisk into all widget types by using “TruRisk” query tokens:
§ Asset Criticality Score (ACS) .......................... criticalityScore:[1 .. 5]
§ Qualys Detection Score (QDS) ...................... detectionScore:[0 .. 100]
§ TruRisk Score ................................................ riskScore:[0 .. 1000]
The tokens depicted above, reflect their full range of values, which you can adjust to
target more specific asset or vulnerability ranges.

13
Advanced Settings
Certain widget types (i.e., Numerical and TruRisk Score), have a “Trending” option under
Advanced Settings.

Enable the “Trending” option to display a “90-day” trend line of the asset or
vulnerability findings displayed by a widget.
Options are available to specify the widget’s behavior, when it is clicked. A “Targeted
Search” displays asset or vulnerability details, within the widget’s associated application.
Other options allow you to open a specific dashboard or Qualys application.

Initially, no trending data is available when the “Trending” option if first enabled.
Trending data collection begins as soon as a widget is added to a dashboard. If a
widget’s query is modified or adjusted in the future, an option is provided to purge the
existing trend data and begin again with a clean slate.

14
Display Settings
The color tables provided by widgets can be customized within the Display Settings.

Numerical widgets have a special option to construct rules to determine if and when the
widget’s color will change.

Create Widget from Query

Any query that you build can be used to create a dashboard widget that displays useful
graphics and/or statistics.

Construct and tune the query within the “Search” field of VMDR or any other Unified
Dashboard application. When the query produces the required result, click on the
Query menu and select the “Create Widget from Query” option.

15
VMDR Prioritization Report
The VMDR Prioritization Report guides you to target and quickly patch your highest risk
vulnerabilities. It allows you to quickly identify and remediate the vulnerabilities that are
most likely to get exploited.

Prioritization Report creation always begins with Asset Tag selection to set the
appropriate asset context.

Classic Mode
By default, the VMDR Prioritization Report provides three types of prioritization options,
including Vulnerability Age, Real-Time Threat Indicators (RTIs), and Attack Surface
categories.

Navigate to the following URL to view the "VMDR Prioritization Report – Classic
Mode" tutorial:

LAB 4 - https://ior.ad/9frr

16
Vulnerability Age can be adjusted to focus on scan detection dates or KnowledgeBase
“published” dates.
When selecting Real-time Threat Indicators, improve the effectiveness of your report by
selecting a small but focused group of RTIs.

The RTI options provided by the Prioritization Report come from Qualys’ Malware Labs
and many other popular exploit and malware sources, including those listed above.

Click “BONUS” to view additional coverage of the VMDR Threat Feed

Attack Surface options are there to provide additional context to the targeted assets (i.e.,
Asset Tags).

17
TruRisk Mode
Enable “TruRisk” mode in the VMDR Prioritization Report and use one or more of the
TruRisk Score components to prioritize vulnerabilities and assets.

Navigate to the following URL to view the "VMDR Prioritization Report – TruRisk
Mode" tutorial:

LAB 5 - https://ior.ad/9eKZ

Asset Criticality Score represents the asset’s value to your organization and should reflect
the impact to your business operations, if the asset is lost or compromised.
Qualys Detection Score focuses on the individual impact of specific vulnerabilities.
Qualys TruRisk Score places detected vulnerabilities within the context their associated
assets. Greater emphasis is placed on vulnerabilities discovered on critical assets.

Remediation
With the Qualys Cloud Agent and Patch Management, you can go right to patching from
the VMDR Prioritization Report.

18
Qualys Patch Management provides Windows, Linux, Mac, and third-party software
patches for the riskiest vulnerabilities in your network and systems architecture.

Report Distribution
Prioritization Reports can be exported as Dashboard Widgets or downloaded and
distributed in CSV or PDF file formats.

When downloading a Prioritization Report, you can select to include vulnerabilities,

patches or assets.

Distribute vulnerabilities, patches, and assets to operational and remediation teams, in

CSV or PDF file format.

19
Prioritization Report widgets reproduce their originating report, when clicked.

20
LAB: Understanding Qualys TruRisk Scores
Qualys TruRisk is comprised of different elements:

Asset Criticality Score

As was demonstrated in the first lab tutorial of this course, asset value is specified through
the Asset Criticality Score (ACS), and should reflect the impact to your business
operations, if the asset is lost or compromised.
While Asset Tags provide an option to assign values to assets, an asset also obtains an
ACS from its Asset Group memberships (i.e., Business Impact setting). The Qualys CMDB
Sync App for ServiceNow will also allow assets to obtain an ACS from its associated
ServiceNow “Business Criticality” score.

Qualys Detection Score

Each Qualys Identifier (QID) in the KnowledgeBase is accompanied by CVSS scores and a
Qualys Detection Score (QDS). The QDS extends the CVSS score by taking into account
external threat intelligence including exploit code maturity, associated malware, active
threat actors, and vulnerabilities trending on the dark web.

21
QIDs that contain multiple vulnerabilities (CVEs), receive their QDS from the highest
ranked vulnerability (i.e., Qualys Vulnerability Score).

A new API has been introduced as part of the release of Qualys VMDR 2.0. This API is
CVE centric and helps users get details about each CVE and its corresponding Qualys
Vulnerability Score (QVS). Even if the CVE doesn’t have any associated QIDs, the API
helps users retrieve the QVS score and contributing factors to the score.
Users can search the Qualys knowledgebase for information on a CVE using this string:
https://<POD>/api/2.0/fo/knowledge_base/qvs/?action=list&details=All&cve=<CVE ID>

curl -H "X-Requested-With: secret" -u "$QUSER:$QPASS" -X "POST"

"https://qualysapi.qg3.apps.qualys.com/api/2.0/fo/knowledge_base/qvs
/?action=list&details=All&cve=CVE-2000-0021"

Organizations can establish Service Level Agreements (SLAs) for the various combinations
of Asset Criticality Scores and Qualys Detection Scores.

22
Qualys TruRisk Score
The Qualys TruRisk Score for assets is calculated using the following formula:

In the formula (above), ACS is Asset Criticality Score, ”w” designates the adjusted weight
for each QDS level (critical, high, minor, and low), “f()” is a non-linear function that
adjusts for vulnerability counts, and “ I(External)” increases the overall score for
external facing assets and those discoverable by Shodan.

TruRisk Scores range from 0 to 1000.

Organizations can establish Service Level Agreements (SLAs) for the various combinations
of TruRisk Scores and Qualys Detection Scores.

23
LAB: Scan Report Template
The Scan Report Template is one of the most popular ways to prioritize vulnerability
findings and then distribute these findings to operational teams within your company.

A Patch Template will allow you to create reports that only contain vulnerability findings
that are patchable. The PCI Scan Template is designed for internal PCI scans and host
assets that are part your "internal" PCI scope. This template is based on the 11.2
requirement of the PCI DSS. A “Map” template is used exclusively with the VMDR
mapping feature and does not process vulnerability findings.

A Scan Report Template is comprised of various settings and options, separated into
different sections or categories.

In the lab exercises that follow, you will investigate the different functionality of the
Scan Report Template, starting first with the “Findings” options.

24
Scan Report Template Findings
The primary objective of the “Findings” section is to specify the data source for
subsequent reports. This is accomplished by selecting between “Host Based” or “Scan
Based” findings and then choosing your host targets. Host targets are identified by Asset
Groups, IP Addresses, or Asset Tags.
Alternatively, options are provided for “Host with Cloud Agents,” if your organization is
performing supplemental scans against agent hosts (i.e., using a Scanner Appliance
sensor).
Navigate to the following URL to view the "Scan Report Template Findings" tutorial:

LAB 6 - https://ior.ad/9gVe

Host-Based vs. Scan-Based Findings

You can view your account’s Scan Based Findings under the “Scans” tab within the
“Scans” section of Qualys VMDR. Each individual scan represents a “snapshot” in time
that is unaware of vulnerability status or history. However, these “snapshot” reports are
ideal for troubleshooting or analyzing host anomalies and scan performance.

As a “best practice,” most of the reports you build and distribute will use Host Based
Findings, which provide the most comprehensive and up to date view of your
vulnerability findings, comprised of the latest vulnerability data from all completed
scans.

25
Host-Based Findings
Host Based Findings gives you the most comprehensive and up to date picture of your
vulnerability status.

The option to “Include Trending” is only available with Host Base Findings. For best
results, avoid long or excessive trending time periods. Qualys recommends a ninety day
time frame.

Choose Host Targets

The host targets for a report can be specified using Asset Groups, IP addresses, or Asset
Tags. The target you select here, will become the “default” for all reports created with
this template.

While the GUI allows you to change the Report Source, reports that are generated
through Qualys’ Application Program Interface (API), often do not have the option to
26
select a different target. For this reason, Qualys recommends avoiding the use of the
Asset Group called “All” when creating a report template. Using more specific or focused
targets will help to improve performance.

Scan Based Findings

While most of your reporting tasks will leverage the comprehensive data provided by Host
Based Findings, reports that use Scan Based Findings are quite useful for troubleshooting
or investigating anomalies in your scan results. Scan Based Findings represent a
“snapshot” in time, because they do not reflect any “historical” or “future” vulnerability
findings.

When the “Scan Based Findings” radio button is selected, the option to “Choose Host
Targets” is removed from the “Findings” section.
Reports that use scan-based findings require user input to launch successfully (i.e.,
scheduling is not an option with scan-based findings).

27
End users are prompted to select from the available scan results. Alternatively, you can
narrow the report’s scope by specifying an IP address, to focus on a host of interest while
eliminating those that are irrelevant.

The “Storage” settings for your account, will determine the number and age of individual
scan results, available for selection.

28
Hosts With Cloud Agents
When a Qualys Scanner Appliance sensor is used to scan a Cloud Agent host, two
separate sets of scan results are stored in your account; SCANNER APPLIANCE data is
kept separate from AGENT data.

In the example above, a Windows host (IP address 192.168.1.242) is the source of both
AGENT data as well as SCAN data.
By default, when you run a report on this host you will see two records for the same
host. One record contains data collected by the Scanner Appliance, and another
contains data collected by the Cloud Agent.

The “Hosts with Cloud Agent” options (i.e., Scan Template Findings) only apply when
host scans are performed using both Cloud Agent and Scanner Appliance sensors (i.e.,
for the same asset).
The “Agent data” option displays Cloud Agent findings, exclusively. The “Scan data”
option displays Scanner Appliance findings, exclusively. The “All data” option (default)
displays both Cloud Agent and Scanner Appliance findings together in the same report.

Unique Asset Identifiers

Merging SCAN data and AGENT collections improves asset management, metrics and
understanding the overall risk for each asset.

29
To merge data from the Scanner Appliance and the Cloud Agent together, the
appropriate Asset Tracking and Data Merging options must be configured for your
Qualys account.

Use the Agentless Tracking Identifier feature to link “authenticated” vulnerability scan
results (i.e., Qualys Scanner Appliance) with Cloud Agent scan results, for the same
asset.
Use the Agent Correlation Identifier to merge either “authenticated” or
“unauthenticated” vulnerability scan results (i.e., Qualys Scanner Appliance) with Cloud
Agent scan results, for the same asset.
You can use one or both identifiers. Accepting both unique asset identifiers for your
account will maximize the probability of successful merges.
Please consult the following link for more information on Agent Correlation Identifier
and the Unauthenticated Scan Merge feature:
https://success.qualys.com/discussions/s/article/000006550

30
Asset Merging
Once a Unique Asset Identifier has been enabled, an Asset Merging option is required.

Select one of the following “Asset Merging” options:

1. Do not merge data - Data collected from agents are displayed separate from
data collected by scanner appliances. IP tracked assets will display separate
asset records for all scanned interfaces.
2. Merge data by scan method - When combined with a Unique Asset Identifier,
this option merges data collected from all scanned interfaces into a single asset
record. This option only applies to IP tracked assets. Cloud Agent assets merge
data for multiple interfaces, automatically.
3. Merge data for a single unified view - Data collected from Cloud Agents are
merged with data collected from Scanner Appliances, into a single unified view.
4. Enable smart merging - Option three will be automatically selected for hosts
with agents installed. Option one will be used for hosts without agents.
Option number three is the recommend option for Hosts with Cloud Agents.
Supplemental scan performed by Scanner Appliance sensors are merge with Cloud
Agent sensors, into a single unified view.

31
 Asset Merge Options Description

1. Do Not Merge Data Qualys Cloud Agent and remote scan records are stored and
displayed separately. Hosts with multiple IPs will display a
separate record for each interface.

2. Merge Data by Scan Method Remote scans must have Agentless Tracking or Agent
Correlation ID enabled. All IP scanned interfaces of an asset
will be merged into a single asset record (DNS and NetBIOS
tracking do this by default). This option does not merge scan
data with agent data.

3. Merge Data for a Single Unified Remote scans must have Agentless Tracking or Agent
View Correlation ID enabled. Results of all agent scans and results
of all scanned IP interfaces will be merged into a single unified
view of the asset.

4. Enable Smart Merging Automatically selects option 1 or 3, depending on presence of

agent.

The table above provides another perspective or breakdown of the Asset Merge
options.

32
After Asset Tracking and Data Merging have been enabled and configured to merge
SCAN data and AGENT data together (option 3), The “Hosts with Cloud Agent” options in
a Scan Template acquire new behaviors and descriptions.

Option Unified View Enabled

Scan Data Scan data before Agentless Tracking Identifier or Agent Correlation Identifier
were enabled

Agent Data Agent data PLUS Scan data after Agentless Tracking Identifier or Agent
Correlation Identifier were enabled

All Data Includes both Scan Data and Agent Data (as defined in the rows above).

When you have Unified View enabled for your subscription, and you select SCAN data,
the report will include scan data collected before any Unique Asset Identifiers were
enabled for your subscription. Purging is required to remove these older records.
Choosing the Agent data option, will include AGENT data and any SCAN data that was
generated after one or more Unique Asset Identifiers were enabled for the
subscription.
The “All Data” option includes all SCAN data (before and after Unique Asset Identifiers
were enabled), plus all agent data.
Data merging will occur from the time of configuration going forward and will not apply
retroactively.
Stale records can occur when unique asset identifiers and unified view are enabled, but
the Scanner Appliance is unable to retrieve entity IDs (e.g., Host ID, Asset ID, Qualys
Host ID, Agentless Tracking ID, Correlation ID, etc.) during a remote scan. This can be
caused by failed authentication attempts or blocked access to “Agent Correlation ID”
ports (QID 48143).
Please consult the following documents for more information:
Agent Scan Merge Cases
https://success.qualys.com/support/s/article/000006543
Understanding Entity IDs in VM
https://success.qualys.com/support/s/article/000006216
Identification of Stale Records with Agentless Identifier and Unified View Enabled
https://success.qualys.com/support/s/article/000006149

33
Query Tokens for Scan Template Findings
Many report template settings have an associated QQL query token. If you attempt to
model a Dashboard Widget after a specific Report Template setting, it is important to
use the correct query token, otherwise template-based report counts will not match
your dashboard counts.

The example above demonstrates using the reserved word “now” to build a query for all
vulnerabilities found within the last thirty days.

The example above uses a specific date to accomplish a similar trending task.

The link below provides an expanded discussion of mapping settings from the Report
Template Findings, to QQL query tokens.
Dashboard Toolbox - Mapping of Scan Report Template Findings to QQL Query Tokens
https://success.qualys.com/discussions/s/article/000005934

34
Scan Report Template Display
This lab will now move to the “Display” options. You can use the various display options
within a Scan Report Template to add graphics and summary information to your reports,
as well as selecting the details that will be provided for each vulnerability.

You will typically want to adjust the display options for different user groups within your
organization.

Navigate to the following URL to view the "Scan Report Template Display" tutorial:

LAB 7 - https://ior.ad/9h8S

Report Summary
The text summary includes the total number of vulnerabilities detected, the overall
security risk, and the business risk (for reports sorted by asset group).

Graphics that show data over time (like ‘Business Risk by Asset Group over Time) can be
enabled only if “Include Trending” is enabled under the “Findings tab”.
Under Custom Footer you can add required information like a disclosure statement or
data classification (e.g. Public, Confidential).
35
Detailed Results
Vulnerabilities or QIDs include a much information. Checking all boxes under detailed
results will increase the amount of detail, as well as the report size and the amount of
time required to generate the report.

When selecting included details ask: “What does the target audience need to see?” What
information is required to meet the objective at hand?

Sorting Data
You can sort report data in multiple ways as indicated below.

Sorting by vulnerability is useful when multiple hosts have the same vulnerability findings.
Doing so will help reduce the report size as each vulnerability finding will be listed only
once and the impacted hosts will be listed underneath the vulnerability.

36
Display Host Details
Checking the “Host Details” check box will include the Qualys Host ID (UUID) in your
reports , which is the unique identifier associated with its Cloud Agent host. (to use “Host
Details” you must change the “Sort by” field back to the “Host” option).

The Qualys Host ID for the agent host is visible in the report snippet as illustrated below:

Select the "Qualys System IDs" check box (under Display Host Details) to include host
identifiers such as Host ID, Asset ID.

37
Cloud Related Information
Select the "Cloud Related Information" check box (under Display Host Details) to include
metadata information at the host level for each of your cloud instance in Azure and AWS.
You must also select Host Based Findings and Sort by Host in the template.

The EC2 Scanning feature must be enabled for your subscription to use this setting in the
report template. Please contact your Technical Account Manager or Support if you would
like to have this feature turned on.

The report snippet (above) shows EC2 information.

38
Scan Report Template Filter
This lab will now explore more functionality of the “Filter” options within a Scan Report
Template. You can use the various filter options to narrow down the assets and
vulnerabilities on which to create reports.
Navigate to the following URL to view the "Scan Report Template Filter" tutorial:

LAB 8 - https://ior.ad/9hpT

Selective Vulnerability Reporting

A Search List is a powerful and versatile filtering tool. Adding a Search List to a Report
Template will allow your reports to focus on specific types and groups of vulnerabilities.
You will find a Search List tab within the “Scans,” “Reports,” and “KnowledgeBase”
sections of VMDR.
In your Scan Report Template, go to the Filter section and select Custom under Selective
Vulnerability Reporting. Then add custom search lists from your account or import search
lists from our Library.

Any vulnerability not included in the Search List(s) will not be included in the report

You can create your own custom Search Lists that allow your reports to focus (filter) on
different types of vulnerabilities, severity levels, or any other criteria found within the
Search List editor, including vulnerabilities impacted by known threats.

39
Add search lists to a Scan Report Template to filter the report to specific QIDs (static
search list) or to QIDs that match criteria that you specify (dynamic search list).

CVSS scores and Qualys Severity Levels are popular vulnerability filtering options, because
they can be easily aligned with different Service Level Agreements (SLAs) for remediating
detected vulnerabilities.

40
Real-Time Threat Indicators (RTIs) allow you to single-out vulnerabilities with known and
existing threats.

Create lists that combine the various CVSS or Severity rankings with different RTIs.

41
Construct Widgets from Search List Criteria
Many of the criteria provided in a Search List have an associated QQL query token that
can be used to construct a query and build a Dashboard Widget.

The link below provides an expanded discussion of this topic.

Dashboard Toolbox - Mapping of Search List Criteria to Query Tokens

https://success.qualys.com/discussions/s/article/000005978

The vulnerability filter option to “Exclude superseded patches” does not have an
associated QQL token and cannot be included in a Dashboard Widget.

42
Vulnerability Filters
Select one or more status options (New, Fixed, Re-Opened, Active) to filter the
vulnerabilities included in the report.

The first time a vulnerability is detected on an asset it’s status will be new. For any
vulnerabilities that have been detected more than once it’s status will be active. When a
vulnerability is no longer detected then it’s status will be fixed. For any vulnerabilities that
have been fixed and are rediscovered then the status is re-opened.
Please note that if you want to report on fixed vulnerabilities you need to have the
trending option in the findings enabled.

By default, all Linux kernels (both running and non-running) are included in vulnerability
reports, unless you specify otherwise. The options provided will allow you to display or
exclude non-running kernels.
Please consult https://qualys-secure.force.com/discussions/s/article/000006209 for
more information on using reporting by Running and Non-Running Kernels when using
VM APIs for reporting.

43
LAB: Patch Report Template
In this section you will use the Patch Report template to create a Patch Report. Patch
reports provide current patch information for fixing vulnerabilities and prioritizing
remediation tasks. A patch report identifies the most recent fixes for detected
vulnerabilities in your account, so you can apply the fewest patches necessary to fix your
vulnerabilities. Note that a patch report includes only vulnerabilities that have available
patches and excludes vulnerabilities that cannot be patched.

Launch patch reports to find out about the patches you need to apply to fix your current
vulnerabilities. You'll be able to use the links in this report to quickly download and install
missing patches.
Navigate to the following URL to view the "Patch Report Template" tutorial:

LAB 9 - https://ior.ad/9htJ

44
Patch Template Findings
Qualys recommends "QID based” patch evaluation. This method works when you have
complete scan findings for your target hosts. When multiple patches are required to fix
a vulnerability, you’ll see multiple patches recommended in your report.
Accurate calculation of Patch Supersedence, requires “complete” scan findings (all
applicable QIDs), from the targeted assets.

Don't have complete scan findings for the target hosts? Choose "Classic” patch
evaluation. The “Classic” patch evaluation option does not provide Patch Supersedence
and is a better option if you need to include filtering.

Patch Supersedence
Patch Supersedence logic is performed by traversing a tree of patches (based on
operating system and detected QIDs) to find the highest lead node that satisfies the OS
and QID criteria.
When QIDs are filtered out, either from vulnerability scanning (i.e. custom rather than
complete vulnerability scanning) in the Option Profile, or by using custom Search Lists to
filter reporting, this can lead to gaps in the tree structure and break the supersedence
logic.
Note that Scorecards reports and VM/VMDR dashboards do not currently support Patch
Supersedence.

Please consult the following links for more information on Patch Supersedence:
Patch Supersedence: How it works in detail
https://success.qualys.com/discussions/s/article/000006214

How does QualysGuard deals with superseded Microsoft patches?

https://success.qualys.com/discussions/s/article/000003506

45
Patch Template Display
You can choose how patch severity level are displayed. Patch severity rankings are
derived from the severity levels assigned to their associated vulnerability QIDs.

The “Assigned Severity” option uses the Qualys severity ranking of a single, detected
QID to establish the Patch Severity (i.e., the patch severity in the report will match the
severity assigned to the detected QID). If a single QID (Severity 3) associated with Patch
MS09-015 is detected on a host, the patch severity is 3.

Assigned Severity Highest Severity

QID’s Detected QID 90492 – Severity 3 QID 90492 – Severity 3

QID 90397 – Severity 4
QID 90342 – Severity 5

Patch Severity MS09-015 MS09-015

Patch Severity 3 Patch Severity 5

In cases where patches address and fix multiple QIDs, the “Highest Severity” option is
designed to select Patch Severity based on the highest QID severity rankings from all
associated QID detections on a host. For example, let’s say patch MS09-015 fixes three
QID’s at severity levels 3, 4, and 5. If all three QIDs are detected on the host, then the
patch severity is 5. If QID at severity 5 is not detected on the host but the other QIDs
are, then the patch severity is 4.

46
Patch Template Filter
Like the scan report template, the patch template provides a filtering option for
Selective Vulnerability Reporting, but It also provides a second filtering option called
Selective Patch Reporting, which is used to single-out specific types of recommended
patches.

Selective Vulnerability Reporting

Specify a list of vulnerabilities (QIDs). For those vulnerabilities detected on host assets in
your Qualys subscription, a Patch Report will provide the list of patches available, to fix
the targeted vulnerabilities.

Selective Patch Reporting

Use these options to specify which vulnerabilities (QIDs) you'd like to include in the
report as recommended patches. If you select "Exclude QIDs" we'll remove these QIDs
from your patch report and suggest an alternative patch QID, if possible.

In this example, Microsoft Vulnerabilities are included, and Service Pack QIDs are being
excluded from the patch recommendations, to keep them off the patch list of the
regular patching and remediation teams. Because of their greater impact, Service Pack
updates were typically assigned to separate project teams.
To generate a patch report of Microsoft vulnerabilities, but filter out service pack QIDs,
you will need two search lists. The first search list contains vulnerabilities associated
with the vendor Microsoft. The second search list contains all vulnerabilities with
“Service Pack” in the vulnerability title.

47
Online Report Format
When running or scheduling a Patch Report, The “Online” report format provides a
graphical, interactive user interface, with different ways to navigate throughout the Patch
Report results. HTML content is displayed in your browser using Ext, a client-side Java
framework.

The patch report identifies the patches available for current vulnerabilities on selected
hosts based on a patch template selected by the user at run time. These are the
vulnerabilities detected by the most recent scan of each selected host.

48
LAB: Schedule & Distribute Reports
You can schedule your reports to run automatically - daily, weekly, monthly. Also, you can
schedule reports to run at important milestones, like the last day of the quarter, without
logging in to do it. This lab will walk you through the process of creating a user and
distributing reports in different ways.

Reader User Role

Each user is assigned a pre-defined user role (Manager, Unit Manager, Scanner, Reader,
etc…) which determines the actions the user can take; for example, the Reader role allows
users to create reports.

When you create a new user, the user appears on the user accounts list with a status of
"Pending Activation". The user will automatically receive a registration email with a
secure one-time-only link to the credentials for their new account and login instructions.
The registration email is sent to the email address defined in the user's account. The user's
status changes to "Active" after logging in for the first time.

Distribution Groups
Use distribution groups for different types of email notifications, including scan
notifications, report notifications and the vulnerability notification.
You can include email addresses for users in the subscription (simply select users from
the list) and include email addresses for users outside of the subscription by typing them
into the field provided.

49
Assign Users to Templates
A good way to build a scalable reporting solution is to assign the right users to the right
templates. This ensures a couple things. As a manager user, you can standardize your
reporting, meaning you know what data people are using. You’ll be able to control who is
seeing what.
Assigning users to templates is easy. You’ll go to the template, and you will simply find
the user who should be able to see the vulnerability data for the assets in this template.
This is important, because now, when you schedule a report to run with this template,
this user will automatically see it in their account under the reports tab. They will not have
to generate the report themselves.

50
Schedule & Distribute Reports
You can schedule reports to run on a recurring basis. There are several report types that
can be scheduled. You can schedule template-based scan reports (set to Auto source
selection), scorecard reports, patch reports, template-based compliance reports and
remediation reports.

The illustration above outlines the steps to schedule a “Template-based” Scan Report.
Under Scheduling, specify when and how often your report should run. You can also set
options to notify select distribution groups when a report is complete and ready for
viewing.
This very next lab tutorial reviews all of the tasks required to successfully schedule and
distribute reports. A “Reader” level user is created at the start, to help illustrate different
ways a report can be distributed to users.
Navigate to the following URL to view the "Schedule & Distribute Reports" tutorial:

LAB 10 - https://ior.ad/9htH

Distribution Options for Scheduled Reports

You need to configure global settings for the subscription to determine if scheduled
reports will be distributed with report notifications, and whether they will be sent as
attachments or report links. This configuration is done under Reports-> Setup.

51
There are four options to distribute scheduled reports:
• Attachment or Link - As noted, if the report is under 5 MB, it will be sent as an
attachment. If it’s over 5 MB, a link will be sent. The person receiving the report
does not have to have a Qualys user account, they will still receive the report.
Note, when sent as an attachment, a copy of that report (possibly containing host
vulnerability information) is on your email server.
• Attachment Only - If the report is under 5 MB, it will be sent to the user.
Otherwise, the user will have to log in to Qualys. Be sure the users you are
distributing the report to *can* log in to the Qualys UI, otherwise you will create
a manual process for yourself to get them the report.
• Link Only - This is a good way to distribute a report to non-Qualys users. You can
send an email to them with a link for them to download the report. It is
recommended that you password protect the report you send them.
• Don’t Send the Report - Only use this if sending the report to people who have a
Qualys account. They need to log in to get the report. This makes users
authenticate.

52
Note that when a report is sent as a link recipients must download the report from the link
as soon as possible as the report is deleted from the report share after 7 days or earlier (if
the user share limit reaches the maximum allocated size).

53
LAB: Factors that Impact Report Data
Changes in an asset’s environment can potentially lead to stale and orphaned
vulnerability records that create data inconsistencies in your reports. Vulnerability
records left open for the foreseeable future, impact remediation SLAs and report results.

Failed Authentication
Most of the QIDs in the Qualys KnowledgeBase need authentication for accurate
detection. If a scan is unable to authenticate, these QIDs are not tested and open
vulnerabilities will continue to retain their previous status.

Qualys Subscription Health Dashboard

Import the Qualys Subscription Health Dashboard from the Dashboard Template library.
Navigate to the following URL to view the "Qualys Subscription Health Dashboard"
tutorial:

LAB 11 - https://ior.ad/9igs

Authentication Report
You can create an Authentication Report to identify authentication PASS/FAIL results
and troubleshoot authentication issues.

54
Best Practice – Distribute this report to support and operational teams frequently, to
help manage and address authentication issues.
For each IP, business unit, asset group or asset tag included in the report, you'll see the
total number of hosts at each authentication status level.

Authentication Status:
Passed – Authentication was successful.
Failed – Authentication failed. Review the “Cause” column.
Passed* - Authentication was successful but with insufficient privileges (applies to
the Qualys Policy Compliance application only)
Not Attempted – The scanner appliance was unable to locate an authentication
record for the asset or authentication was not turned on in the Option Profile.
You'll see Last Auth and Last Success dates in your report when "Additional Host Info" was
selected at run time.

Last Auth - The last time each host was scanned using authentication - this is when the
status was last updated to Passed or Failed.
Last Success - The last time authentication was successful for each host. N/A indicates
that the host has been scanned with authentication enabled but it has not been
successful.

55
Troubleshoot a Failed Authentication Attempt
Check out the Cause column to get the login ID used during the authentication attempt.
Review your authentication record for the host/type and the account privileges to
troubleshoot the issue.

“Host Not Alive” Status

Assessments are not performed and host findings are not updated when the “Host Not
Alive” status is returned. A “Host Not Alive” status may be the result of network routing
changes or temporary asset maintenance downtime.

This status is also returned when ephemeral, cloud-based instances are inactive or
dormant during scans.
When investigating these responses, check a host’s “last scan date” to potentially identify
decommissioned or retired assets and then purge or remove where necessary. The status
of all QID’s will remain unchanged, until another scan successfully finds a LIVE host.
Another potential solution is found in Qualys Cloud Agents, which synchronize scans with
host up-time. Cloud Agent communications are typically less susceptible to routing
changes, when compared to a scanner appliance.

56
Change in Host OS
While incremental OS updates are common, if a host unexpectedly changes from one OS
vendor to another, purge the impacted asset, to remove the previous OS vulnerability
findings.

An Option Profile setting is available to perform this task, automatically. Work with
support teams to verify suspected repurposed or retired assets.

Change in Host Name or IP Address

If a host’s IP address changes and the host is configured with IP tracking, purging is
required.
If a host’s name changes and the host is configured with either DNS Name or NetBIOS
Name tracking, purging is required.
When host IP addresses or host names change in environments where host address and
name changes are common or expected, enable and configure Unique Asset Identifiers
or deploy Qualys Cloud Agents.

57
LAB: Purging and Removing Assets
Purging a host is recommended when the host is decommissioned or used in a completely
new role. Removing a host is recommended when a specific IP is no longer scanned.

Purging
Purging becomes very important in highly dynamic and ephemeral environments where
assets are replaced or deleted very frequently.
Navigate to the following URL to view the "Purge Host Assets" tutorial:

LAB 12 - https://ior.ad/9hUe

For an extended discussion on this topic see, “Purging: What, why, when, how, what
happens to the data?” - https://success.qualys.com/discussions/s/article/000006221.

Identify Assets for Purging

It’s important to identify stale assets and orphaned asset records. Some common criteria
include assets that haven’t been scanned in multiple scanning cycles, EC2 instances in a
stopped/terminated state, assets not updated in weeks or months.

You can search for assets meeting purging criteria using Asset Search in VM/VMDR.

58
You can also use QQL search queries to search for stale records. You can build widgets
using QQL search queries to automatically identify assets for purging.

You can also use asset tag rules based on asset search queries, vulnerability QIDs or
groovy scriplets to automatically identify and tag assets for purging.

Purge an IP
Purging can take a while. View the host information again to confirm host vulnerability
information is removed.

After the purging operation completes, all host information such as hostname, operating
system, last scan date, tags, comments, vulnerabilities, and tickets will be removed.

59
Remove/Delete Host Assets
When an IP is removed, associated host-based scan data is permanently removed, and
the IP is no longer available for scanning and reporting.

Consider exporting host scan data for the concerned asset before purging or removing
the asset. We recommend using Qualys APIs for exporting this data as APIs are better
suited for bulk data export operations.
Navigate to the following URL to view the "Remove/Delete Host Assets" tutorial:

LAB 13 - https://ior.ad/9hY6

60
Rule-based Purge
Define purge rules in Qualys CSAM, to automatically purge host assets and
remove/delete them from your account. Cloud Agents are uninstalled, where
applicable.

Cloud Agent, Cloud Metadata, Scan-based, and Time-based criteria are provided to build
one or more rules.

Purge rules run once per day. This feature must be enabled for your subscription.

61
LAB: Ignore Vulnerabilities
This lab exercise demonstrates how to use Remediation Policies to ignore vulnerabilities
you do not plan to address or remediate.
Consider the following scenario:
"A policy was recently implemented to disable/remove Adobe Flash Player in all
web browsers and applications company-wide. All remediation or mitigation tasks
presently slated for “Flash Player” vulnerabilities, has been postponed until the
project to remove/delete these instances is completed. As a result of this decision,
the CyberSecurity Team would like to ignore “Flash Player” vulnerability findings
that are presently open, so that they do not appear in vulnerability reports. All
ignored vulnerabilities will need to be assigned to the asset owner, for review and
tracking.”
This tutorial demonstrates steps to create a Remediation policy to ignore vulnerabilities
for the above scenario.

Navigate to the following URL to view the "Ignore Vulns Remediation Policy" tutorial:

LAB 14 - https://ior.ad/9hZl

Create Remediation Policy

Remediation policy rules enable you to automate the process for ignoring and accepting
risk for select vulnerabilities.

Automation minimizes the risk of missing service level agreements and makes it easier to
manage multiple items, because you are eliminating manual intervention.

62
Search List Required
Configure Search Lists (static and/or dynamic) to filter specific vulnerabilities matching
your exception handling criteria and include them in remediation policies.
A Dynamic Search list is automatically updated by the Qualys Platform service. Create a
rule for vulnerabilities that can't be remediated or the ones that need to be deferred for
a specific period.
A Static Search list does not receive automatic updates. Typically, static lists are used to
collect vulnerabilities that do not have a common criteria.

Conditions & Actions

Remediation policies contain two basic components:
1. Conditions (that identify the asset and vulnerability scope of the policy) and
2. Actions (that identify the task to be performed, if the target conditions are met).
A policy includes a set of rules that tell us when to create tickets, who to assign them to,
and how quickly they should be resolved.

Remediation policy rules enable you to automate the process for ignoring or accepting
the risk for select vulnerabilities. Set up a rule for vulnerabilities that can't be
remediated or the ones that need to be deferred for a specific period. Create a global
policy for the subscription and one policy for each business unit.

63
Create Tickets - Set to Closed/Ignored
While multiple options are available in a policyto create a remediation ticket, “Exception
Handling” policies are designed to create tickets in a “Closed/Ignored” state.

Vulnerabilities included in an “Exception Handling” policy (via Search Lists), will be

ignored in vulnerability queries and reports, by default. Remove the “Ignored” filter in
queries and reports to view ignored vulnerabilities.

Expired Exceptions
Policies that ignore vulnerabilities can be configured with an “expiration date” to
effectively stop ignoring vulnerabilities. If an ignored vulnerability is eventually
remediated and no longer detected in future scans, the vulnerability status changes
to Fixed.

Relaunch a Scan
A vulnerability scan is required, to see the results of a Remediation Policy. Active
vulnerabilities (targeted in a Remediation Policy) are ignored with the successful
completion of a vulnerability scan.

64
Monitor Ignored Vulnerabilities
You can track ignored vulnerabilities by using the Ignored Vulnerabilities report. You can
also use dashboard widgets to track ignored vulnerabilities and also enable trending to
track these vulnerabilities over time.

Navigate to the following URL to view the "Ignored Vulnerabilities Scorecard Report"
tutorial:

LAB 15 - https://ior.ad/9hZo

65