AnsweredAssumed Answered

Can I export comments in Remediation Tickets and/or add Comments in reports?

Question asked by ds0101 on Nov 20, 2017
Latest reply on Jan 26, 2018 by DMFezzaReed

Is it possible to export or extract the comments under the Remediation Tickets in any way? On the example below, I'd like to generate a Remediation report for "Tickets per vulnerability" report and I'd like to include the comment that was added in the ticket.


So basically when I run the Remediation Report - Tickets per vulnerability I would be able to have something like the below



Is this possible through the API? If it is not possible through the portal or API what is the process for submitted a features request and how long will it take?.


It would be beneficial to actually be able to export the comments and use that field to track what is being done for the specific vulnerability or what needs to be done for the vulnerability. 


Many of the  vulnerabilities don't have simple remediation steps where you install a patch and you are done. Many vulnerabilities require configuration testing, EOL software requires planning that affect not only one area but the entire business. Without the ability to "link" or associate a  project or a plan with the specific vulnerability from a Qualys Report then the reports are useless. 


We need to be able to have the comments in the tickets exported/extract in reports so we can see what is being done to resolve the vulnerability. Isn't that the whole purpose of having the remediation process within Qualys as closed loop anyway? In the example above If we have to create a plan for vulnerability 1234 I need to know that next time I generate a report I can see that there is a plan for it under the comments and "Say ok we have opened project "Project1234" for this vulnerability, move to the next one"


The way it is now, I would have to open a project plan for QID 1234 and reference the action steps to resolve it, however if after a week I go to Qualys and generate a report I wont be able to tell if I actually have a project for QID 1234. I would need to then go to our project management system and start looking if there's actually a project created for this vulnerability. If the comments were available though, I would be able to tell right way.


Anyway, I hope I've articulated the question/issue as simply as I can. So, is there a method to currently do this in any way? Through some type of reports or API or some other way.