Identify and Manage Findings Using Rules (UAI)
In ETM, security findings for an asset are collected from multiple sources. Since the same issue can appear multiple times across tools, finding rules help you uniquely identify, de‑duplicate, merge, and clean up findings so you see a single, accurate view of risk.
These identification rules apply to UAI-enabled accounts.
What Are Finding Rules?
Finding rules define how findings are identified, combined, and maintained in the system. They ensure:
- Duplicate findings are detected and removed
- Related findings are consolidated into one record
- Outdated or irrelevant findings are automatically cleaned up
You can view and manage these rules from the Findings tab.

Types of Finding Rules
There are three types of finding rules: Identification, Merge, and Purge.
Identification Rules
Identify and de‑duplicate findings coming from different sources.
These rules are beneficial as they:
- Prevent redundant findings
- Create a clean and normalized dataset before merging
Working
- Uses key attributes such as CVE ID, port, protocol, title, and other identifiers
- Detects duplicate findings across scanners and connectors
- Ensures each finding is uniquely recognized
Merge Rules
Combine identified duplicate findings into a single, unified record. With the help of merge rules, you get one comprehensive and accurate finding record.
Working
- Applies defined rules to merge attributes from duplicate findings
- Resolves conflicts by selecting the most accurate or trusted data
Examples: most recent value, highest severity, or most trusted source
Types of Merge Rules
- Source Trust–Based Merge
  - Aggregates findings based on source trust ranking
  - Use Reorder to define which sources are more trustworthy
  - Higher‑ranked sources take precedence during conflict resolution
- Custom Attribute–Based Merge
  - Aggregates findings using predefined Common Data Model attributes
  - Available attributes include: First Found, Last Found, Status. Status is taken from the record with the latest Last Found or Source Trust Ranking (STR)
  - Add Attributes: Use Add Attributes to select the Status attribute to be used during aggregation and merging
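The identify-then-merge flow described above, as a minimal sketch added here for illustration (not Qualys code). The field names, source names, trust order, and the tie-break on trust rank when Last Found is equal are assumptions, and the findings are constructed.

```python
from collections import defaultdict
from datetime import date

# Assumed trust order, most trusted first (source names are constructed).
SOURCE_TRUST = ["scanner_a", "connector_b", "connector_c"]
# Assumed identification attributes (the page lists CVE ID, port, protocol, title).
ID_ATTRS = ("asset", "cve", "port", "protocol")

def F(source, cve, port, proto, sev, status, first, last):
    """Build one constructed finding record."""
    return {"asset": "host-1", "source": source, "cve": cve, "port": port,
            "protocol": proto, "severity": sev, "status": status,
            "first_found": date.fromisoformat(first),
            "last_found": date.fromisoformat(last)}

# Constructed sample data; the CVE value is a placeholder, not a real ID.
FINDINGS = [
    F("connector_b", "CVE-0000-0001", 443, "tcp", 3, "FIXED", "2024-01-10", "2024-03-01"),
    F("scanner_a", "cve-0000-0001", 443, "TCP", 4, "ACTIVE", "2024-02-01", "2024-02-15"),
    F("connector_c", "CVE-0000-0001", 8443, "tcp", 4, "ACTIVE", "2024-01-05", "2024-01-20"),
]

def trust(finding):
    """Rank of the finding's source; lower means more trusted."""
    return SOURCE_TRUST.index(finding["source"])

def identify(findings):
    """Group findings whose normalized identification attributes match."""
    groups = defaultdict(list)
    for f in findings:
        groups[tuple(str(f[a]).strip().lower() for a in ID_ATTRS)].append(f)
    return groups

def merge(dupes):
    """Collapse one group of duplicates into a single record."""
    merged = dict(min(dupes, key=trust))  # conflicts: most trusted source wins
    merged["first_found"] = min(f["first_found"] for f in dupes)
    merged["last_found"] = max(f["last_found"] for f in dupes)
    # Status follows the latest Last Found; trust rank breaks ties (assumption).
    merged["status"] = max(dupes, key=lambda f: (f["last_found"], -trust(f)))["status"]
    merged["sources"] = sorted((f["source"] for f in dupes), key=SOURCE_TRUST.index)
    del merged["source"]
    return merged

def consolidate(findings):
    return [merge(group) for group in identify(findings).values()]

if __name__ == "__main__":
    for record in consolidate(FINDINGS):
        print(record)
```

The first two sample findings differ only in letter case and source, so they collapse into one record; the third is on a different port and stays separate.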
Customized Merge Rules
You can customize finding identification rules. This enables tailored de-duplication and identification logic for individual user environments.
These rules include:
- Support for customized identification rules
- Rule execution based on explicit priority order
- Database-backed rule management for improved scalability
- Automatic fallback to generic rules when no customized rules exist
Rule Management: Override, Enablement, and Recalculation Controls
- Customized rules fully replace generic rules for that user
- Findings are recalculated when rules change to prevent stale or inconsistent data
- New rules apply to all existing and new data
Availability of the Customized Merge Rule
This feature is available on request. Contact your Technical Account Manager (TAM) or Qualys Support to enable it for your account.
Prerequisites for Customized Merge Rules
This feature is available on request. Contact your Technical Account Manager or Qualys Support to enable it for your account.
Purge Rules
Remove outdated or irrelevant findings from the system.
Working
Define conditions to automatically purge findings based on: Source, Connector ID, Finding name, First detected or last detected date.
These rules are beneficial as they:
- Keep findings current and relevant
- Help maintain an accurate security posture
We provide 60 predefined rules covering all asset types such as Compute, Storage, Network, Container, Software, Identity, Application, Database, and Resource. Each rule defines a validated attribute combination that safely identifies the same finding across multiple sources and merges it into a single, consolidated record.