The New Vulnerability Management (VM) Dashboard BETA program is not intended for production use, and its content is subject to modification without notice. If you have any questions regarding the content, please contact your Technical Account Manager (TAM) or use the Contact Support - Technical Assistance Inquiry Form (Qualys, Inc.).
The 'NOT' clause is proving to be a little more complicated once it reaches Elasticsearch, in terms of the results returned for vulnerability queries. Our DevOps team suggests using explicit includes rather than excludes to improve accuracy. This issue is one example of why the dashboard remains in beta.
We are still coming up with more searches and enhancing our New VM Dashboard to improve accuracy to match customer expectations and to give a more granular vision of their detections.
Try to avoid the use of the NOT clause in vulnerability queries specifically, and opt instead for explicit includes rather than excludes to improve accuracy. Several examples are listed below. Please comment if you would like additional examples.
- instead of: not vulnerabilities.status:FIXED
- please use: vulnerabilities.status:[NEW,ACTIVE,REOPENED]
- instead of: not vulnerabilities.typeDetected: Information
- please use: vulnerabilities.typeDetected:[Confirmed,Potential]
- instead of: not vulnerabilities.vulnerability.severity:[1,2]
- please use: vulnerabilities.vulnerability.severity:[3,4,5]
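The rewrite above, as an added example that is not part of the original post or of any Qualys tooling: a small helper that turns a simple `not field:value` clause into the equivalent explicit include list, using only the value sets that appear in the examples (assumed to be the complete enumerations for this demonstration), plus a constructed set of detection records illustrating the assumed Elasticsearch-style behaviour where a NOT clause also matches records in which the field is absent, which is one way the two forms can return different counts.

```python
"""Rewrite 'not field:value' clauses into explicit includes (added example)."""
import re

# Value sets taken from the post's examples; assumed complete for this demo.
DOMAINS = {
    "vulnerabilities.status": ["NEW", "ACTIVE", "REOPENED", "FIXED"],
    "vulnerabilities.typeDetected": ["Confirmed", "Potential", "Information"],
    "vulnerabilities.vulnerability.severity": ["1", "2", "3", "4", "5"],
}

# Matches "not <field>:<value>" or "not <field>:[v1,v2]" (whitespace tolerant).
_NOT_CLAUSE = re.compile(r"^\s*not\s+([\w.]+)\s*:\s*(\[[^\]]*\]|\S+)\s*$", re.IGNORECASE)


def rewrite_not_clause(query: str) -> str:
    """Return the explicit-include form of a single NOT clause."""
    m = _NOT_CLAUSE.match(query)
    if not m:
        raise ValueError(f"not a simple NOT clause: {query!r}")
    field, raw = m.groups()
    excluded = {v.strip() for v in raw.strip("[]").split(",")}
    domain = DOMAINS[field]  # KeyError if we do not know the field's value set
    unknown = excluded - set(domain)
    if unknown:
        raise ValueError(f"unknown value(s) for {field}: {sorted(unknown)}")
    keep = [v for v in domain if v not in excluded]  # preserve enumeration order
    return f"{field}:[{','.join(keep)}]"


def matches(record: dict, field: str, values: set, negate: bool) -> bool:
    """Assumed NOT semantics: a record lacking the field is not a hit, so NOT keeps it."""
    hit = field in record and str(record[field]) in values
    return (not hit) if negate else hit


# Constructed sample detections (not real data); the third has no status field.
SAMPLE_DETECTIONS = [
    {"qid": "A", "vulnerabilities.status": "FIXED"},
    {"qid": "B", "vulnerabilities.status": "NEW"},
    {"qid": "C"},
]


def compare_semantics() -> tuple:
    """Count hits for 'not status:FIXED' versus 'status:[NEW,ACTIVE,REOPENED]'."""
    field = "vulnerabilities.status"
    via_not = sum(matches(r, field, {"FIXED"}, True) for r in SAMPLE_DETECTIONS)
    via_include = sum(matches(r, field, {"NEW", "ACTIVE", "REOPENED"}, False)
                      for r in SAMPLE_DETECTIONS)
    return via_not, via_include  # (2, 1): the NOT form also counts record C
```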