Hi,
I have a question about the Scan Reports.
I would like to create reports where I have the opportunity to change the vulnerability score with regard to the location of the finding.
For example, there is a vulnerability in a browser. The client often uses the browser, so the vulnerability is important. On a server the browser isn't used, so the vulnerability is less important. Is there a possibility to change the score according to certain properties?
If I change a vulnerability in KnowledgeBase, it's for the whole system and not just for client or server.
The environmental metric in the asset groups doesn't solve this, because they are not for a specific vulnerability. Maybe someone can help me and give me an idea how to solve this.
PS: Why is the environmental metric in every report, even if you didn't set it? This makes reports unnecessarily long...
Best regards
Qualys allows you to set a business impact rating per asset group. That's designed to allow you to use local knowledge to promote or demote the seriousness of a vulnerability if it occurs on an asset in that group. It multiplies your setting of business impact by the technical security score of the QID to give you a risk figure which is then added up for the host. It then reports the average or maximum risk for the whole group.
I'm not sure that a browser vuln on a server is less of a risk than on a desktop. If the server can browse to anything malicious then it's at risk, but that's your call based on your knowledge of your environment.
Anyhow - perhaps you could use tags to group your critical assets and report on them as critical or non-critical, depending on whether they have the tag. Any sev 4/5 in the critical report needs remediating faster.
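A small model of the roll-up the answer describes, added here as an example that is not part of the thread and not Qualys's own code: the asset groups, hosts, QID labels, tags and severities are constructed, and the formula follows the answer's description (business impact times QID severity, summed per host, then averaged or maxed per group) rather than Qualys's published algorithm. It also shows the tag-based critical report suggested in the last paragraph.

```python
"""Model of the per-asset-group risk roll-up described in the answer above.

Constructed example, not Qualys code: findings are embedded inline and the
formula is the one the answer describes, not Qualys's published algorithm.
"""
from collections import defaultdict

# Constructed asset groups: business impact rating (1-5), member hosts, tags.
ASSET_GROUPS = {
    "servers":  {"impact": 5, "hosts": ["srv01", "srv02"], "tags": {"critical"}},
    "desktops": {"impact": 2, "hosts": ["wks01", "wks02"], "tags": set()},
}

# Constructed findings: (host, QID label, severity 1-5). QID labels are placeholders.
FINDINGS = [
    ("srv01", "QID-browser", 4),
    ("srv02", "QID-ssh", 5),
    ("wks01", "QID-browser", 4),
    ("wks01", "QID-office", 3),
    ("wks02", "QID-browser", 4),
]


def host_risk(findings, impact):
    """Sum of (business impact x QID severity) over one host's findings."""
    return sum(impact * sev for _, _, sev in findings)


def group_risk(groups=ASSET_GROUPS, findings=FINDINGS):
    """Return {group: (average host risk, maximum host risk)} per the answer's description."""
    by_host = defaultdict(list)
    for finding in findings:
        by_host[finding[0]].append(finding)
    result = {}
    for name, group in groups.items():
        # A host with no findings contributes a risk of 0 to the group figures.
        risks = [host_risk(by_host[h], group["impact"]) for h in group["hosts"]]
        result[name] = (sum(risks) / len(risks), max(risks))
    return result


def critical_report(groups=ASSET_GROUPS, findings=FINDINGS, tag="critical", min_sev=4):
    """Findings of severity >= min_sev on hosts whose asset group carries the tag."""
    tagged_hosts = {h for g in groups.values() if tag in g["tags"] for h in g["hosts"]}
    return sorted(f for f in findings if f[0] in tagged_hosts and f[2] >= min_sev)
```

With the constructed data the same browser QID yields a host risk of 20 on a server but 8 on a desktop, which is the effect the question asks for, achieved through the group rating rather than a per-QID override.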