View Findings Using Custom Attributes

Organizations encounter challenges when managing and categorizing Findings within cyber security platforms, primarily due to the varying business needs across different sectors. These complexities require a custom approach to ensure effective findings management and security.

  • Custom Attribute Creation

    Write your own formula to calculate custom attributes for each finding.

  • Flexible Tagging Options

    Flexibility in using custom attributes as QQL tokens for creating dashboard widgets and filtering all findings.

  • Improved Categorization

    With the ability to categorize findings using relevant attributes, users can enhance data organization and searchability.

You can define and manage Custom Attributes for findings in Qualys ETM. We provide five static Custom Attributes that you can personalize and utilize according to your preferences. You can view these Custom Attributes on the Configuration tab. 

View location of custom attributes.

Creating Custom Attribute

Navigate to Custom Attribute
  1. Navigate to Configuration > Custom Attributes.
  2. Select an attribute, and click Edit from the Quick Actions menu.

Create Custom Attribute
  1. Provide a suitable Attribute Name for your attribute.
  2. Enter Calculation Logic in the Calculation Field section.

    To determine which expression you can use, refer to the Guidelines for Creating Custom Attributes section.

  3. Click Validate to check the logic of your formula.


    - Currently, only numeric computations are permitted. The result of the calculated field type must be a numeric value. The result is rounded to the nearest integer.
    - Validation of the provided formula is based on assumed values.
    - Custom Attributes are updated every 6 hours.

  4. To view the result of the Custom Attribute and see the predefined values it uses, click How it works?

  5. To save the Custom Attribute settings, click Save.

Use Case: Creating a Custom Attribute

Let us consider an example to illustrate the effective use of this feature. The Qualys Detection Score (QDS) is assigned to vulnerabilities identified by Qualys, with a default value set at 50. If you want to develop a custom risk score that aligns with your specific needs and categorize your findings accordingly, you can create a custom attribute using the provided formula.

The following example develops a custom QDS that takes environmental factors into account. The script increases the risk score value if the asset is internet-facing; otherwise, the normal formula for the risk score value applies.

In the following example, asset.internetFacing and asset.criticalityScore are asset attributes, and finding.qds is a finding attribute. For more information, refer to the Supported Attributes section.

Currently, only numeric computations are permitted. The result of the calculated field type must be a numeric value. The result is rounded to the nearest integer.

Integer envQds = 0

if (asset.internetFacing) {
    envQds = asset.criticalityScore * finding.qds * 1.2
} else {
    envQds = asset.criticalityScore * finding.qds
}

return envQds
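
An offline model of the formula above, added here as an example (it is not Qualys code and does not run in the ETM engine): Python that evaluates the same logic over the documented ranges of asset.criticalityScore (1-5) and finding.qds (1-100) to show which values the custom score can take, and ranks a few constructed findings. The class, function, and asset names are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Sample:
    """One asset/finding pair; fields mirror the attributes the formula reads."""
    label: str              # constructed name, for display only
    criticality_score: int  # asset.criticalityScore, 1-5
    internet_facing: bool   # asset.internetFacing
    qds: int                # finding.qds, 1-100


def env_qds(s: Sample) -> int:
    """Same logic as the envQds formula, rounded to the nearest integer.
    Integer inputs times 1.2 never land on .5, so the tie rule is irrelevant."""
    score = s.criticality_score * s.qds
    if s.internet_facing:
        score = score * 1.2
    return round(score)


def score_range() -> tuple[int, int]:
    """Minimum and maximum score over every documented input combination."""
    scores = [
        env_qds(Sample("grid", c, facing, q))
        for c, facing, q in product(range(1, 6), (False, True), range(1, 101))
    ]
    return min(scores), max(scores)


def rank(samples: list[Sample]) -> list[tuple[str, int]]:
    """Samples ordered from highest to lowest custom score."""
    scored = [(s.label, env_qds(s)) for s in samples]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data, not taken from any real environment.
SAMPLES = [
    Sample("laptop-07", 2, False, 95),
    Sample("db-01", 5, False, 65),
    Sample("web-01", 4, True, 70),
    Sample("vpn-gw", 3, True, 50),
]

if __name__ == "__main__":
    print("score range:", score_range())
    for label, score in rank(SAMPLES):
        print(f"{label:10} {score}")
```

The resulting score spans 1 to 600 rather than the 1-100 range of finding.qds, so values used to filter on the custom token need to be chosen on that scale.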

To create a Custom Attribute as a Custom Risk Score, follow these steps.

  1. Navigate to Configuration > Custom Attributes.
  2. Select an attribute, and click Edit from the Quick Actions menu.
  3. Provide a suitable Attribute Name for your attribute.
    For example, Custom Score.
  4. Enter Calculation Logic in the Calculation Field section and click Validate.

    A validation successful message is displayed.

  5. To view the calculation logic and see the predefined values it uses, click How it works?

    Validation Details window is displayed.
    It displays Asset Attributes and Finding Attributes and Evaluated Result.

  6. Click Save to create Custom Attribute for Custom Score.

    The customNumber5 attribute is updated with your defined Custom Risk Score.

    You can now filter your findings using the customNumber5 token.

Search Findings Using Custom Attributes

You can use the customNumber tokens to search findings for specific Custom Attributes.

In the following example, the customNumber5 token is used to display the findings related to the custom attribute.

To filter the findings based on your created attribute, follow these steps.

  1. Navigate to Risk Management > Findings.
  2. Enter the token and value.

    All the findings that apply to this token are displayed.

  3. To view details of the findings, select View Details from the Quick Actions menu.

    You can view your Custom Risk Score in the details of the findings.

Guidelines for Creating Custom Attributes

The following section lists a few tips for creating custom attributes, the types of expression you can use, and the supported attributes. We offer a domain-specific language that adheres to the rules of the Java programming language, with specific restrictions.

Limitations

Write the logic the same way you would write the body of a Java method. Only the method body is accepted; you cannot provide a function declaration.

  • Support for declaring a method is not available.
  • Support for initializing an object or property access on an object or invoking a method on an object is not available.

Currently, only numeric computations are permitted. The result of the calculated field type must be a numeric value. The result is rounded to the nearest integer.

Example of Expressions

Custom attributes provide support for expression evaluation. The language supports constructs similar to Java and Groovy.

Expression

  • if / else if / else conditions

    if (cond) {
        // code
    } else if (cond) {
        // code
    } else {
        // code
    }

  • switch/case blocks

    switch (expr) {
        case X:
            // code
        case Y:
            // code
        default:
            // code
    }

  • generic block statements

    {}

  • return statements

    return X

  • invocation of static methods from java.lang.Math (auto imported to the script)

Allowed receiver types for declaration
  • Integer
  • Float
  • Long
  • Double
  • BigDecimal
  • Boolean
  • String
  • List
  • ArrayList
  • Map
  • HashMap
  • Asset
  • Finding
  • FindingCategory
  • FindingStatus
  • FindingTypeDetected

Supported Attributes

To help with the logic writing, the evaluation engine injects the respective asset and finding object into the script during runtime evaluation. The current context determines these assets and finding objects.

You can access a range of attributes for both the asset and the finding, as outlined in the following details:

Assets Attributes

Attribute Name            Datatype   Possible Values
asset.criticalityScore    Integer    1 - 5
asset.id                  String
asset.name                String
asset.internetFacing      Boolean    true, false
asset.truRiskScore        Integer    0-1000

Findings Attributes

Attribute Name           Datatype                          Possible Values
finding.id               String
finding.name             String
finding.status           Java enum - FindingStatus         NEW, FIXED, ACTIVE, REOPENED, PASS, FAIL, NONE
finding.category         Java enum - FindingCategory       VULNERABILITY, MISCONFIGURATION, NONE
finding.severity         Integer                           1 - 5
finding.qds              Integer                           1-100
finding.cvss2Base        Float                             0.0 to 10.0
finding.cvss2Temporal    Float                             0.0 to 10.0
finding.cvss3Base        Float                             0.0 to 10.0
finding.cvss3Temporal    Float                             0.0 to 10.0
finding.typeDetected     Java enum - FindingTypeDetected   CONFIRMED, POTENTIAL, INFORMATION, NONE
finding.epss             Float                             Probability score between 0 and 1. Includes decimal.

Supported Operators 

EQUALS =
PLUS  +
MINUS  -
MULTIPLY  *
DIVIDE /
MOD %
POWER **
PLUS_PLUS  ++
MINUS_MINUS  --
COMPARE_EQUAL  ==
COMPARE_NOT_EQUAL  !=
COMPARE_LESS_THAN  <
COMPARE_LESS_THAN_EQUAL  <=
COMPARE_GREATER_THAN  >
COMPARE_GREATER_THAN_EQUAL  >=
LOGICAL_AND  &&
LOGICAL_OR  ||
COMPARE_TO  <=>
COMPARE_NOT_IN  !in
NOT !