Log in to create and rate content, and to follow, bookmark, and share content with other members. Not a member? Join Now!

QID To retrieve Ticket State

Discussion created by Michael Fennell on Oct 1, 2019
Latest reply on Oct 2, 2019 by Michael Fennell

Like • Show 0 Likes0
Comment • 6

Hi Community

I was wondering if you anyone can tell me if there is a QID for the Ticket State column as returned in a scan report ?
I am trying to tag assets with a ticket state of "Closed/Ignored" so i can ignore them in my reporting widgets but by using a tag if the ticket state changes and is no longer showing "Closed/Ignored" by using a tag like this they should update dynamically and appear on the widget once the state changes.

I am unable to tell if this variable is exposed via a QID or not ?

Regards, Mike Fennell.

Outcomes

6 Replies

Busby Oct 1, 2019 2:39 AM
Michael,

I think your talking about the tickets generated inside of Qualys. There is an API but I believe it is be deprecated and I am unaware of any new API for this feature.

If you are talking about the ignore/not on the Asset Detection then it should be in the API Documentation for Host Detection.

David
Like • Show 0 Likes0
Actions
Michael Fennell Oct 1, 2019 4:00 AM
Hey David

I am referring to the column "Ticket State" which is generated from remediation tickets, we use this internally to allow us to filter out vulnerabilities which have gone through our internal exception process.
My problem is I have for the last few months been going after things like default credentials active on assets etc, but I have come across one where we have done the remediation parts but the other fix is a full s/w upgrade to remove the vuln completely , this will not be possible so these devices will be handled by our current lifecycle management process, they currently have a remediation ticket attached hence the Ticket State = Closed/Ignored while our internal risk exception is running.
No my problem in qualys is I cannot ignore these on the widgets because quite annoyingly qualys does not allow you to query this metadata using the widget queries, basically I wanted to either directly on the widget use something like "Not TicketState = Closed/Ignored", or like I queried here if it had a QID attached to ticket state I could tag it using QID****** = Closed/Ignored, and then use a Not tag = ******
Hope that makes sense only way I could describe this was the long way
But unless someone else knows a dynamic way to do this it looks like this idea is a bit like the titanic...

Regards, Mike Fennell.
Like • Show 0 Likes0
Actions
- Busby @ Michael Fennell on Oct 1, 2019 6:06 AM
  Currently I don't think you can do that you may need to file an FR with your TAM. The other thing you could do is apply a TAG to the Asset and that you could have in a widget to at least indicate there is something more to look into.
  
  David
  Like • Show 0 Likes0
  Actions
  - Michael Fennell @ Busby on Oct 1, 2019 6:30 AM
    Hey David
    
    Pretty much guessed that would be the answer
    Have considered the just tagging the static assets but then it removes any form of dynamic approach which means I have to add a reminder to check then later which is just a bunch of hassle.
    Probably will end up going down the route though as it appears I am not going to be able to do this via QID , have a ticket open with support though so will possibly request it that way, from history though this takes ages to happen if it even will.
    
    Thanks for responding anyway much appreciated.
    Regards Mike.
    Like • Show 0 Likes0
    Actions
    - Busby @ Michael Fennell on Oct 1, 2019 8:52 AM
      Not necessarily. If you create a TAG for N number of IPs with the QIDs you have an issue with.
      
      For example given the Asset Search TAG below; this tag will get applied to any asset in the IP Range but this could also be a bunch of IPs; and has any of the QIDS below.
      
      In this case if you had an ip of 10.192.1.1 and they had 38628 detected the tag would be applied. On a subsequent scan if the vulnerability is no longer present then the TAG is removed.
      
      Not perfect but it could help?
      
      <?xml version="1.0" encoding="UTF-8"?>
      <TAG_CRITERIA>
      <NETWORKS>
      <NETWORK>06d553da-5bd8-4b3e-81af-f71e21dae7c7</NETWORK>
      </NETWORKS>
      <IP_RANGES>
      <IP_RANGE>10.192.0.0/16</IP_RANGE>
      </IP_RANGES>
      <DETECTION>
      <QID_LIST>
      <QID>38628</QID>
      <QID>38657</QID>
      </QID_LIST>
      </DETECTION>
      </TAG_CRITERIA>
      Like • Show 0 Likes0
      Actions
      - Michael Fennell @ Busby on Oct 2, 2019 12:35 AM
        Hey David
        
        Yep had considered this as well but i was trying ot go for the remediation ticket tracking as this may not get cleared ,the above would work perfectly for that , but it may come out of remediation i.e. our internal excpetion will expire and the ticket state change, this would mean the vulnerability will re-appear.
        Hope that makes sense , really what i was after was a way to ignore the vulnerability while it had an accepted internal exception but when tha exception expires it will appear again meaning we have to go after it again. Just the way our internal process work if a vulnerability has been granted an exception then we would not spend time trying to get it remediated and concentrate on more pressing non exception vulnerabilities.
        Chances are i will indeed have to go down the static route as above and just set a calendar reminder that lines with the current exception timeframe.
        Just out of interest does the network ID within the search criteria work all the time for you ?, i have had mixed results with that one.
        Mike.
        Like • Show 0 Likes0
        Actions

QID To retrieve Ticket State

Outcomes

Related Content

Recommended Content