Parag Baxi

How to report on vulnerabilities with a publish date older than X days

Discussion created by Parag Baxi on Sep 18, 2012

Often times Operations Teams will have a patching cycle in place. Hence, reporting on vulnerabilities within the same patching cycle may result in pushback. One solution is to create a report that excludes vulnerabilities that were published within that cycle.

 

With the recent release of QualysGuard 7.4, one can create a dynamic search list based on publish date:

Advanced Search Capabilities for Dates in the Vulnerability Knowledge Base and Search Lists: Now users can create search queries such as “past 60 days” or “past month” for the Published Date, Service Modified Date and User Modified Date, so it becomes easy to generate reports that only focus on a specific time frame such as the past month, without the need to manually edit the filters.

With this capability, we can also create a report to exclude the vulnerabilities published after a specific date, basically the inverse. So let's do an example together. We will create a technical report that excludes vulnerabilties older than 30 days.

 

First create the dynamic search list, and within the List Criteria, modify the Publish attribute to the number of days you wish to exclude from your report. Below is an example search list to find vulnerabilities published in the last thirty days:

Search Lists.png

 

Now we create a report template to exclude vulnerabilities found from this search list.

Report Templates - exclude.png

Note that bullet for Complete is enabled. This sets the base scope of vulnerabilities. From this set of vulnerabilities, we remove "Vulnerabilities published from the last 30 days". One can tweak this report (Save As... is great for this) to cater to the report audience. For example, create a report template for just MSFT vulnerabilities, and exclude any vulnerabilities that were published in the last thirty days--you do not need to create a separate search list for the Exclude QIDs.

Outcomes