Hi Community
I was wondering if anyone can tell me if there is a QID for the Ticket State column as returned in a scan report?
Hey David
I am referring to the column "Ticket State" which is generated from remediation tickets, we use this internally to allow us to filter out vulnerabilities which have gone through our internal exception process.
My problem is I have for the last few months been going after things like default credentials active on assets etc., but I have come across one where we have done the remediation parts but the other fix is a full s/w upgrade to remove the vuln completely. This will not be possible, so these devices will be handled by our current lifecycle management process; they currently have a remediation ticket attached, hence the Ticket State = Closed/Ignored while our internal risk exception is running.
Now my problem in Qualys is I cannot ignore these on the widgets because, quite annoyingly, Qualys does not allow you to query this metadata using the widget queries. Basically I wanted to either use something like "Not TicketState = Closed/Ignored" directly on the widget, or, like I queried here, if it had a QID attached to ticket state I could tag it using QID****** = Closed/Ignored, and then use a Not tag = ******.
Hope that makes sense; the only way I could describe this was the long way.
But unless someone else knows a dynamic way to do this it looks like this idea is a bit like the titanic...
Regards, Mike Fennell.
Currently I don't think you can do that; you may need to file an FR with your TAM. The other thing you could do is apply a TAG to the Asset, and that you could have in a widget to at least indicate there is something more to look into.
David
Hey David
Pretty much guessed that would be the answer
Have considered just tagging the static assets, but then it removes any form of dynamic approach, which means I have to add a reminder to check them later, which is just a bunch of hassle.
Probably will end up going down the route though, as it appears I am not going to be able to do this via QID. Have a ticket open with support though, so will possibly request it that way; from history though, this takes ages to happen, if it even will.
Thanks for responding anyway much appreciated.
Regards Mike.
Not necessarily. If you create a TAG for N number of IPs with the QIDs you have an issue with.
For example, given the Asset Search TAG below, this tag will get applied to any asset that is in the IP range (but this could also be a bunch of IPs) and has any of the QIDs below.
In this case if you had an ip of 10.192.1.1 and they had 38628 detected the tag would be applied. On a subsequent scan if the vulnerability is no longer present then the TAG is removed.
Not perfect but it could help?
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <NETWORKS>
    <NETWORK>06d553da-5bd8-4b3e-81af-f71e21dae7c7</NETWORK>
  </NETWORKS>
  <IP_RANGES>
    <IP_RANGE>10.192.0.0/16</IP_RANGE>
  </IP_RANGES>
  <DETECTION>
    <QID_LIST>
      <QID>38628</QID>
      <QID>38657</QID>
    </QID_LIST>
  </DETECTION>
</TAG_CRITERIA>
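Added example (not part of the original posts, and not Qualys code): a local Python model of the matching rule described for the tag criteria above, run over two constructed scans to show the tag being applied and then dropped once the QID is no longer detected. The function names and sample detections are assumptions, and the NETWORK element is not evaluated here.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Tag criteria as posted in the thread above.
TAG_CRITERIA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <NETWORKS><NETWORK>06d553da-5bd8-4b3e-81af-f71e21dae7c7</NETWORK></NETWORKS>
  <IP_RANGES><IP_RANGE>10.192.0.0/16</IP_RANGE></IP_RANGES>
  <DETECTION><QID_LIST><QID>38628</QID><QID>38657</QID></QID_LIST></DETECTION>
</TAG_CRITERIA>"""

# Constructed sample data: IP -> QIDs detected in that scan.
# 90001 is a made-up placeholder QID, not a real detection.
SCAN_1 = {
    "10.192.1.1": [38628],    # in range, listed QID present
    "10.192.7.20": [90001],   # in range, no listed QID
    "10.10.5.5": [38657],     # listed QID, but outside the range
}
# Later scan: the finding on 10.192.1.1 is no longer detected.
SCAN_2 = {**SCAN_1, "10.192.1.1": []}


def load_criteria(xml_text):
    """Return (ip_networks, qid_set) from a TAG_CRITERIA document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ranges = [ipaddress.ip_network(e.text.strip()) for e in root.iter("IP_RANGE")]
    qids = {int(e.text) for e in root.iter("QID")}
    return ranges, qids


def tag_applies(ip, detected_qids, ranges, qids):
    """Tag only if the asset is in a listed range AND has any listed QID."""
    addr = ipaddress.ip_address(ip)
    in_range = any(addr in net for net in ranges)
    return in_range and bool(qids & set(detected_qids))


def tagged_assets(scan, ranges, qids):
    # Ticket state is not an input: the result depends on detections only.
    return sorted(ip for ip, found in scan.items()
                  if tag_applies(ip, found, ranges, qids))


if __name__ == "__main__":
    ranges, qids = load_criteria(TAG_CRITERIA_XML)
    print("scan 1 tagged:", tagged_assets(SCAN_1, ranges, qids))
    print("scan 2 tagged:", tagged_assets(SCAN_2, ranges, qids))
```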
Hey David
Yep, had considered this as well, but I was trying to go for the remediation ticket tracking as this may not get cleared. The above would work perfectly for that, but it may come out of remediation, i.e. our internal exception will expire and the ticket state change; this would mean the vulnerability will re-appear.
Hope that makes sense. Really what I was after was a way to ignore the vulnerability while it had an accepted internal exception, but when that exception expires it will appear again, meaning we have to go after it again. Just the way our internal process works: if a vulnerability has been granted an exception then we would not spend time trying to get it remediated and would concentrate on more pressing non-exception vulnerabilities.
Chances are I will indeed have to go down the static route as above and just set a calendar reminder that lines up with the current exception timeframe.
Just out of interest, does the network ID within the search criteria work all the time for you? I have had mixed results with that one.
Mike.
Michael,
I think you're talking about the tickets generated inside of Qualys. There is an API but I believe it is being deprecated and I am unaware of any new API for this feature.
If you are talking about the ignore/not on the Asset Detection then it should be in the API Documentation for Host Detection.
David