Something I find my self doing a lot lately is correlating CVE-ID's to QID's to SearchLists to Reports to measure exposure to the Risks they represent. I know Qualys has some automatic exploit pack correlation and assume all the non-specifc one's are under the generic 'Exploitpacks' correlation but sometimes I need something very specifc to determine exposure to a specific Threat. I also understand the challenege with including them all but am wondering if their is a better way to keep my reports up to date than contininuously adding more/new CVE-ID's to existing Static Search Lists.
Maybe a Semi-Static Search list that allows you to add a list of CVE-ID's and Qualys will automatically update with QID's as more are correlated?
Current Dynamic Lists appear to only let you have a single/limited CVE-ID in it else you get an error when attempting a comma separated list.