What's the best way to find out all the New vulnerabilities for a month? We are running the agent on both Servers and Workstations.
Please let me know.
Thanks in advance
Well, I'd say there are some options...
The first and simplest one only applies if you're using some Remediation Ticketing policy. If so, in the Remediation Tickets table you are able to search only for tickets which were opened in the current month (or whatever month you want).
This is an easy option but the results are kinda messy if you want to generate nice reports (this implies that you'll have to extract a CSV sheet and manage it in Excel-like software). You can also generate Remediation Reports and they may or may not give you the information you need.
The second option is to use a report template with the Trending option enabled. When you enable trending, you're able to show in your reports only vulnerabilities detected within the time-frame you've set.
With this, you can see how many Active vulnerabilities (those ones which were detected more than one time) and the new ones.
The third option you'll only be able to use if you have the ThreatPROTECT module in your subscription. This module, from what I know, enables you to create several kinds of dashboards with intelligence information and they can show you new vulnerabilities over the past days, weeks, months etc...
If I remember any other option you might have, I'll update this answer
Thanks Abner. I have tried both of these with no really good results. Totally agree with you about the ticket piece and being messy. It is way too much effort for something that should be very simple. The Trending report I really don't believe works like it should. We run a lot of agents and our theory is we can't get an accurate count of the "new" vulnerabilities in a month, because once an agent checks in twice, that "new" vulnerability is no longer new, it goes to active.
Also, we have tried running a Trending report over a month with New and Active and do not get close to the number we were tracking manually. For example, if the Trending report is correct and let's say it told us over the month of June we had 1,700 new/active vulnerabilities. However if we have 5,000 workstations and one vulnerability on each, then we would have at least 5,000 vulnerabilities and not 1,700.
It is just frustrating that for what this product costs, the granularity of the reporting would be better. What we think the simplest report to produce would be very easy, seems to be difficult to produce. I would love to see Qualys improve their reporting.
I totally agree with you on everything you've said. The "problem" with the information of "New" vulnerabilities is that Qualys considers a vulnerability as "New" only when they were detected once. From the moment a vulnerability is detected 2 or more times on, this vulnerability gets the status of "Active". So, their definition of "New" kinda conflicts with our definition of "New".
So yeah, it's kinda frustrating that something that should be so simple is so hard to achieve.
Here in my work we also wish we could generate reports on the amount of pending, new and fixed vulnerabilities over the months and get charts for that (e.g: January: 500 pending, 50 new, 300 Fixed | February: 450 pending, 30 new, 100 fixed | and get a line or bar chart for that).
These are things we're not able to achieve with Qualys itself, so, I've developed a web application which integrates to Qualys via Qualys API and retrieves all data to our database, where I can perform all queries I want and create reports the way I need, for example:
Wow, that is awesome. Is it hard to develop? Could you give me any insight on how to set this up?
Well, it's not easy, but it ain't that hard either.
This is a good place to start from.
You can also take a look at the API 2.0 Docs here:
Qualys API license is sold separately, and I suppose you haven't purchased it, so I'd advise you to have a talk with your Technical Account Manager and get more information on it.
Another option you might consider, if you're not willing to buy an API license at the moment, is to extract XML or CSV reports from Qualys and, by using some PHP, Java, or Python, for example, you can process this file and get exactly the information you need (You could insert it to a database, for example, or generate charts online or in PDF or Excel... it's all on you).
Unfortunately, I can't help you much with your primary question (about "New vulnerabilities for a month"), but, as I said, if you really need this info and you feel like you wanna face some challenges, don't wait for Qualys to develop a new feature (we never know when (or IF) something like this is ever coming out): do it yourself, and it'll work the way you need it to.
Thank you very much Abner. You gave me a great place to start.
I do something similar: you can download the data as CSV, then you have several DATES such as first found and last found, so you can use this to give you data points on when things are found.
If you need any assistance with some of the CURL/API commands let us know.
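The CSV approach described in the posts above, as an added example that is not code from anyone in this thread: it counts unique host/QID pairs by their first-found date instead of by the "New" status, which flips to "Active" on the second detection. The column names (`IP`, `QID`, `Vuln Status`, `First Detected`), the date format and the sample rows are assumptions constructed for illustration; match them to the header row of your own export and strip any report preamble lines first.

```python
import csv
import io
from datetime import datetime

# Assumed column names and date format; adjust to your export's header row.
HOST_COL, QID_COL = "IP", "QID"
STATUS_COL, FIRST_COL = "Vuln Status", "First Detected"
DATE_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample rows (not real scan data); the last row is a duplicate.
SAMPLE_CSV = """IP,QID,Title,Vuln Status,First Detected,Last Detected
10.0.0.5,90001,Constructed finding A,Active,06/03/2019 08:00:00,06/28/2019 08:00:00
10.0.0.5,90002,Constructed finding B,New,06/27/2019 09:30:00,06/27/2019 09:30:00
10.0.0.6,90001,Constructed finding A,Active,05/30/2019 07:15:00,06/28/2019 07:15:00
10.0.0.7,90001,Constructed finding A,Fixed,06/10/2019 11:00:00,06/20/2019 11:00:00
10.0.0.7,90003,Constructed finding C,Active,,06/20/2019 11:00:00
10.0.0.5,90002,Constructed finding B,New,06/27/2019 09:30:00,06/27/2019 09:30:00
"""

def count_new(csv_text, month):
    """Count unique (host, QID) detections for `month` ('YYYY-MM').

    Returns (first_found_in_month, flagged_new_in_export, skipped_keys).
    """
    by_date, by_status, skipped = set(), set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row[HOST_COL].strip(), row[QID_COL].strip())
        # Status-based view: only detections seen exactly once so far.
        if row[STATUS_COL].strip() == "New":
            by_status.add(key)
        try:
            first = datetime.strptime(row[FIRST_COL].strip(), DATE_FMT)
        except ValueError:
            # Missing or malformed date: report the row instead of guessing.
            skipped.append(key)
            continue
        # Date-based view: first found in the month, whatever the status is now.
        if first.strftime("%Y-%m") == month:
            by_date.add(key)
    return len(by_date), len(by_status), skipped

if __name__ == "__main__":
    found, flagged, skipped = count_new(SAMPLE_CSV, "2019-06")
    print(f"first found in month: {found}, status New: {flagged}, skipped: {skipped}")
```

Detections that were first found in the month and have since become Active or Fixed are still counted, which is the gap between the status-based and date-based numbers.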
Any assistance would be great.
Did you also try AssetView with trending within a widget?