I’m struggling with the right settings for a Report Template, and as what I’m looking to do seems like it would be pretty common, I’m hoping that I’m just doing something wrong and that you guys can help point me in the right direction...
I want to see current defects for all devices scanned within the last 30 days. This should therefore cover only active hosts, and give me the underlying data to generate patching metrics and analysis from.
To achieve this, I’ve previously gone into the “Scan Results Section” of the template, and set it to “Status with Trend”, set to a 30 day period and “Only use Scan Results for the specified period”. This seemed to do what I wanted, but I’ve now realised that this report is including defects which were detected at some point in the last 30 days, but which have since been patched. That’s not much use to me in understanding the current status.
I've looked at the underlying asset data to confirm that Qualys had indeed scanned the host since the patch was applied and was no longer seeing it as an issue, but its still showing up in reports when I use the above settings.
I then changed the template to “Use current vulnerability information”. This did correctly exclude defects that have since not been detected, except that isn’t not constrained in terms of timing, and I’m seeing devices last seen over a year ago in there. I was able to use the “Last Detected Date” to calculate when the device was last seen (in Excel), and in that way I could exclude old hosts, but its hardly elegant.
So, what am I doing wrong? Surely its pretty common to want to see the current status of vulnerabilities on “active” hosts?
Any help or guidance would be greatly appreciated.