Reporting - The Basics


Have you installed cloud agents? Click here to learn about reporting on agent hosts

Recommendations

We recommend you start small, maybe scan and report on one or two IPs. Review the reports, fix the vulnerabilities found, re-scan the IPs to verify your fixes, and rerun your reports. Once you have this process down you'll feel more comfortable scanning larger sets of IPs.

What you can report on

The simple answer to what to report on is this: any IPs in your account that have been scanned for vulnerabilities. IPs may include any devices on your network: routers, switches, hubs, firewalls, servers (all common operating systems), workstations, databases, desktop computers, printers, and wireless access devices.

How often you should create reports

Vulnerabilities must be identified and eliminated on a continuous basis because new vulnerabilities are discovered every day. For example, Microsoft releases advisories and patches on the second Tuesday of each month – commonly called ‘Patch Tuesday’. We recommend you schedule your scans to run automatically (daily, weekly, monthly) and create reports with at least the same frequency. That way you'll always have the current vulnerability information for your hosts. You can even set up report schedules so your reports are launched automatically (daily, weekly, monthly).

Email notifications

You can choose to be notified via email each time a report completes. The email gives you a summary of the results and a secure link to the report. Select User Profile below your user name, go to the Options section and select Report Notification. You'll notice additional email notifications you can opt in to.

Scan settings and their impact

The scan settings you choose at scan time (option profile, authentication, etc.) impact how we conduct scans and which vulnerabilities are detected. We save scan results per scan within your account for your reference. Once scan results are processed we also save the vulnerability data per host - this makes it possible for us to include the latest findings in your reports. Keep in mind your reports will include the most recent vulnerability data we've found for each host, unless you create a custom report (template based) with host based findings.

Tip - We recommend you use consistent scan settings. This gives you the most accurate picture of your host security and vulnerability trends over time.

Tell me about the various reports

Check out: Patch Reports | Scorecard Reports | High Severity Report | Executive Report | Technical Report | Authentication Report | PCI Reports

Which IPs can I report on?

Go to VM > Assets > Host Assets to see the IPs you can scan for vulnerabilities and report on. If the IPs you want to report on are not listed then add them (or have your manager add them and assign them to you) and then scan them. One way you can tell if an IP address has been scanned is to do an asset search. Go to Assets > Asset Search, enter the IP and click Search. Your IP address will appear in the search results if it has been scanned. Just click it and you'll see host information including its current vulnerabilities.

What are asset groups?

Asset groups are user-defined groupings of host assets (IP addresses). You can group hosts by importance, priority, location, ownership, or any other method that makes sense for your organization. When you report on an asset group, only the hosts in the group are included. This allows you to limit the scope of your reports to a particular group of hosts or a subsection of your network, making the reports more manageable.

What are asset tags?

Asset tagging is another method for organizing and tracking the assets in your account. You can assign tags to your host assets. Then when launching scans and reports you can select tags associated with the hosts. This dynamic approach is a great way to ensure you include all hosts that match certain criteria, even if your network is constantly changing as hosts are added and removed. For example, scan and report on all Windows XP hosts or all hosts with Port 80 open. There are multiple ways to create tags. For example, you can create tags from asset search (go to Assets > Asset Search) or by using the AssetView application.

Can I see my IPv6 addresses in my reports?

Yes. If you've scanned IPv6 addresses, we'll display the IPv6 address in place of the mapped IPv4 address whenever possible. IPv6 addresses appear in vulnerability reports and the host assets list (after the mapped IP) for example. You'll need to have IPv6 Scanning enabled in order to perform IPv6 scans - please contact Support or your Technical Account Manager.

Tell me about Security Risk

We'll show a security risk score for the overall report (in the report summary) and per host (in the detailed results). Your scan report must: 1) be template based (Executive Report, High Severity Report, Technical Report, or another report based on a scan report template), and 2) select host based findings (instead of scan results).

The score for the overall report is the average security risk for all hosts in the report (all hosts matching filters). This is calculated as the sum of all security risk scores for all hosts in the report divided by the number of hosts. The score for each host is the average severity level detected (the default) or the highest severity level detected - all vulnerabilities and potential vulnerabilities are counted in the calculation. Managers can configure the calculation method for the subscription by going to Reports > Setup > Security Risk. (Are you an Express Lite user? If yes the average severity level is always used.)

Show me the formula

What if my report isn't sorted by host?

Don't see the score per host?

Tell me about Business risk

We'll show a business risk rating for asset groups in your scan reports. You'll need to create a scan report that: 1) is template based (go to Reports > New > Scan Report > Template Based), 2) has asset groups selected for the report target, 3) scan results selection is set to Status or Status and Trend, and 4) detailed results are sorted by asset group. The asset group's business impact level and security risk are factors used to calculate the business risk rating. A Manager can configure the method for calculating business risk in reports by going to Reports > Setup > Business Risk. (Express Lite users cannot edit the settings.)

What happens when security risk falls between two values? A linear interpolation between the two values is calculated.

Example 1: Security risk is 3.4 and business impact is High

Example 2: Security risk is 4.7 and business impact is Critical
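
The two calculations described above (security risk per host and per report, and the linear interpolation used for business risk), as an added Python example that is not part of the product or its documentation. The sample hosts and the business risk row are constructed placeholders; the real values are whatever is configured under Reports > Setup > Business Risk.

```python
# Constructed sample: host -> severity levels (1-5) of every vulnerability
# and potential vulnerability detected on it.
SAMPLE_HOSTS = {
    "10.0.0.5": [5, 3, 3, 2],
    "10.0.0.9": [4, 4, 1],
    "10.0.0.12": [2],
}

# Placeholder business risk values for security risk 1..5 at one business
# impact level. These numbers are invented for illustration only.
PLACEHOLDER_ROW = [4, 9, 16, 25, 36]


def host_security_risk(severities, method="average"):
    """Per-host score: average severity (the default) or highest severity."""
    if not severities:
        raise ValueError("host has no detections to score")
    if method == "average":
        return sum(severities) / len(severities)
    if method == "highest":
        return float(max(severities))
    raise ValueError(f"unknown method: {method}")


def report_security_risk(hosts, method="average"):
    """Overall score: sum of the host scores divided by the number of hosts."""
    scores = [host_security_risk(s, method) for s in hosts.values()]
    return sum(scores) / len(scores)


def business_risk(security_risk, row):
    """Linearly interpolate when security risk falls between two levels."""
    if not 1 <= security_risk <= len(row):
        raise ValueError("security risk out of range")
    lower = int(security_risk)           # level at or below the score
    if lower == len(row):
        return float(row[-1])            # already at the top level
    fraction = security_risk - lower
    return row[lower - 1] + fraction * (row[lower] - row[lower - 1])


if __name__ == "__main__":
    print(report_security_risk(SAMPLE_HOSTS))             # average method
    print(report_security_risk(SAMPLE_HOSTS, "highest"))  # highest method
    print(business_risk(2.5, PLACEHOLDER_ROW))
```

Switching the per-host method from average to highest raises the overall score for the same detections, which is why trend comparisons only make sense when the method stays fixed.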

Help me with creating custom reports

Our reports are template based so you can easily change report settings and rerun reports to get different views of your vulnerability data and security risk. You can configure existing report templates and create new ones.

Use search lists to filter report data

Add search lists to your vulnerability scan report template to filter the report to specific QIDs (static search list) or to QIDs that match criteria that you specify (dynamic search list). In your scan report template, go to the Filter section and select Custom under Selective Vulnerability Reporting. Then add custom search lists from your account or import search lists from our Library. Not sure how to create custom search lists? Just go to Reports > Search Lists > New.

Report on vulnerabilities with published date

You can easily create reports including vulnerabilities based on their published date using search lists.

Display or Exclude non-running kernels (Linux)

It's possible that multiple kernels are detected on a single Linux host. By default we'll report all vulnerabilities found on all Linux kernels. Want to list vulnerabilities found on non-running kernels? Choose the "Display non-running kernels" option. Want to filter out vulnerabilities found on non-running kernels? Choose the "Exclude non-running kernels" option. Only 1 option may be selected at a time. Apply these options to your scan reports, patch reports and scorecard reports.

Don't see these options?

How can I identify the running kernel on my host?

Exclude non-running services

When selected, vulnerabilities found on a port/service that is not running are excluded from your reports. This filter applies only to certain QIDs. Apply this filter to your scan reports, patch reports and scorecard reports.

Which QIDs does this filter apply to?

Exclude QIDs not exploitable due to configuration

We may detect software on a host that is considered vulnerable, however there’s a specific configuration present on the host that makes it not exploitable. When selected, we will exclude vulnerabilities that are not exploitable because of the host configuration. Apply this filter to your scan reports, patch reports and scorecard reports.

Which QIDs does this filter apply to?

Exclude superseded Microsoft patches

This option appears in scan report templates, under Filters. Select this option to exclude Microsoft patch QIDs that are superseded by another Microsoft patch QID recommended for the same host. A missing patch is identified by a QID like any other vulnerability.

Note:

- This filter is only honored when Host Based Findings is selected in the template (on the Findings tab)

- This filter only applies to Operating System (OS) level patch QIDs

We'll report all missing patches for a host (even those that have been superseded by newer patches) unless you select this option.

Exclude Glossary data (XML format)

For scan reports in XML format - You may choose to exclude the <GLOSSARY> tag and this will reduce the size of your reports. Whether or not this tag is included depends on if you've selected any of the "Vulnerability Details" sub options in the scan report template like Threat, Impact, Results, etc. These options appear on the Display tab in the template.

- the <GLOSSARY> tag will be excluded from the XML format if none of the “Vulnerability Details” sub options are selected

- the <GLOSSARY> tag will be included in the XML format if any one of the “Vulnerability Details” sub options is selected

Including the latest vulnerability data

Your scan(s) must be complete. You'll know this when the scan status shows "Finished" on the scans list.

And scan results must be ready. We'll merge (process) your scan results into your account after the scans finish. This process involves indexing the scan findings per host. Watch for the solid green circle (Scan Finished, Results Processed) next to your scans in the scans list to know whether the scan results are processed. Then you're ready to launch reports - and the vulnerability data from the processed scans will be included.

Tell me about vulnerability detections

We maintain the industry's most comprehensive Vulnerability KnowledgeBase with more than 26,000 vulnerabilities across hundreds of applications and operating systems. We scan for vulnerabilities in a broad range of categories, including: back doors and trojan horses, brute force attacks, CGI, databases, DNS and Bind, e-commerce applications, file sharing, FTP, firewalls, General Remote Services, hardware and network appliances, mail services, SMB/Netbios Windows, TCP/IP, VMware, VoIP, web servers, wireless access points, X-windows and more. Go to the Search option in the KnowledgeBase to see a complete list of vulnerability categories.

Our engineers develop vulnerability signatures every day in response to emerging threats. As soon as these signatures pass rigorous testing in our Quality Assurance Lab they are automatically made available to you for your next scan. No user action is required. In addition, you can sign up to receive daily or weekly vulnerability signature update emails, detailing the new vulnerabilities we're capable of detecting.