ETM Findings – QQL Token Mapping Reference

This reference maps the Qualys data model field keys used in connector finding ingestion to their corresponding Qualys Query Language (QQL) tokens in Qualys Enterprise TruRisk Management (ETM). Use these tokens to filter, search, and build queries against ingested findings in the ETM Findings view.

The tables below are organized by field category. Each entry identifies the data model key, the ETM label, a description of the field's meaning and importance, and the QQL token available for querying in ETM.

Core Identity and Description

These fields provide the primary identity and descriptive context for each finding. The externalFindingId is the most reliable unique identifier for deduplication across sources.

| Finding Field (Data Model Key) | ETM Token Name | Description |
| --- | --- | --- |
| finding[].name | finding.title | The finding title or name as reported by the source. Useful for display but unreliable as a unique identifier because names may repeat across sources. |
| finding[].externalFindingId | finding.externalFindingId | Unique finding identifier assigned by the source system (for example, a scanner finding ID or vulnerability instance ID). This is the preferred identifier for deduplication and should be marked as an identifier field in the transform map. |
| finding[].description | finding.description | Detailed description of the finding. Provides triage context for analysts. Maps from the description text field in the source. |
| finding[].category | finding.type | High-level classification of the finding type (for example, Vulnerability, Misconfiguration, Secret). Used for categorization and filtering in ETM. |
| finding[].subCategory | finding.subType | More specific sub-classification within the finding category. Supports granular filtering and reporting by finding type. |

Severity, Status, and Scoring

These fields control prioritization and lifecycle state for each finding. The severity and risk score fields are critical inputs for TruRisk scoring and remediation SLA tracking.

| Finding Field (Data Model Key) | ETM Token Name | Description |
| --- | --- | --- |
| finding[].severity | finding.severity | Normalized severity level on a scale of 1–5. Values must conform to the validated enumeration. Maps from source severity normalized to the Qualys 1–5 scale. |
| finding[].findingStatus | finding.status | Lifecycle state of the finding. Accepted values are NEW, ACTIVE, FIXED, REOPENED, and NONE. Drives workflow and SLA tracking in ETM. |
| finding[].riskScore | finding.qds | Qualys Detection Score (QDS) derived from CVSS or the source risk score. Used for risk prioritization and TruRisk calculation. Accepts values from 0–100. |
| finding[].sourceScoreRange | finding.sourceScoreRange | Describes the scoring scale used by the source (for example, 0-10 or 0-100). Retained for traceability and score normalization context. |
| finding[].sourceSeverity | finding.sourceSeverity | The original severity label as reported by the source (for example, Critical, High, Medium). Retained for traceability alongside the normalized finding.severity value. |

Dates and Timeline

Timeline fields capture the full lifecycle of a finding from first detection to last fix. These are critical for SLA measurement and exposure duration calculations. All values are stored as epoch timestamps.

| Finding Field (Data Model Key) | ETM Token Name | Description |
| --- | --- | --- |
| finding[].firstFoundOn | finding.firstFoundDate | Timestamp of when the finding was first observed. Used to calculate SLA start time and total exposure duration. Accepts epoch format. |
| finding[].lastFoundOn | finding.lastFoundDate | Timestamp of the most recent observation of the finding. Indicates data freshness and whether the finding is still actively detected. |
| finding[].reopenedOn | finding.reopenedDate | Timestamp of when a previously fixed finding was reopened. Supports workflow tracking for recurring or regressed vulnerabilities. |
| finding[].lastFixedOn | finding.lastFixedDate | Timestamp of when the finding was last remediated. Used for SLA compliance reporting and remediation trend analysis. |

Network and Service Context

These fields provide network-level context for the finding, indicating which port and protocol were associated with the detection. They support exploitability assessment and network segmentation analysis.

| Finding Field (Data Model Key) | ETM Token Name | Description |
| --- | --- | --- |
| finding[].port | finding.port | Network port associated with the finding detection. Relevant for network-exposed vulnerabilities and exploitability context. Accepts integer values. |
| finding[].protocol | finding.protocol | Network protocol associated with the finding (for example, TCP, UDP). Provides additional context for port-based findings and firewall rule correlation. |

Recommendation, Rationale, and References

These fields capture remediation guidance, detection rationale, and supporting references. They are primarily used to support analyst triage and remediation planning workflows.

| Finding Field (Data Model Key) | ETM Token Name | Description |
| --- | --- | --- |
| finding[].detectionMethod | finding.detectionMethod | The method used by the scanner or source to detect the finding (for example, authenticated scan, agent-based, passive). Supports confidence and explainability assessments. |

Exception and Ignore

This field controls whether a finding is suppressed from active risk calculations. It maps to the ETM ignore flag, which excludes findings from TruRisk scoring while retaining the finding record.

| Finding Field (Data Model Key) | ETM Token Name | Description |
| --- | --- | --- |
| finding[].exceptionDetail.isFindingToBeIgnored | finding.isIgnored | Boolean flag indicating whether the finding should be suppressed from risk scoring and active queues. When set to true, the finding is excluded from TruRisk calculations but retained in the data model for audit purposes. |
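The constraints stated across the sections above (severity on the 1–5 scale, the five-value status enumeration, riskScore in 0–100 with the source range retained, epoch timestamps for the timeline, integer port, boolean ignore flag, and deduplication on externalFindingId rather than name) are what a connector transform has to enforce before ingestion. The following is an added example, not Qualys code or part of this reference: a hypothetical transform that maps constructed source-scanner records onto the data model keys listed here and validates them. The source field names (`id`, `title`, `sev_label`, `cvss`, `first_seen`, `risk_accepted`, and so on), the label-to-severity mapping, and the CVSS 0-10 source range are assumptions for the example.

```python
"""Hypothetical connector transform for the ETM finding data model.

Added example, not Qualys code. Source field names and the severity label
mapping below are assumptions; the output keys are the data model keys from
the reference (name, externalFindingId, severity, findingStatus, riskScore,
firstFoundOn, ..., exceptionDetail.isFindingToBeIgnored).
"""
from datetime import datetime

# Accepted findingStatus values as stated in the reference.
VALID_STATUS = {"NEW", "ACTIVE", "FIXED", "REOPENED", "NONE"}

# Assumed mapping from common source severity labels to the Qualys 1-5 scale.
SEVERITY_LABELS = {"info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def normalize_severity(label: str) -> int:
    """Map a source severity label to the 1-5 scale; reject unknown labels."""
    key = label.strip().lower()
    if key not in SEVERITY_LABELS:
        raise ValueError(f"unmapped source severity: {label!r}")
    return SEVERITY_LABELS[key]


def normalize_risk_score(score: float, source_range: str) -> int:
    """Scale a source score onto 0-100 using the declared sourceScoreRange."""
    low, high = (float(x) for x in source_range.split("-"))
    if not low <= score <= high:
        raise ValueError(f"score {score} outside source range {source_range}")
    return round((score - low) / (high - low) * 100)


def to_epoch(ts: str) -> int:
    """ISO-8601 UTC string -> epoch seconds, the format the timeline fields accept."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def transform(src: dict) -> dict:
    """Build one data-model finding from a constructed source record."""
    status = src["status"].upper()
    if status not in VALID_STATUS:
        raise ValueError(f"invalid findingStatus: {status}")
    port = src.get("port")
    if port is not None and not 0 <= int(port) <= 65535:
        raise ValueError(f"invalid port: {port}")
    source_range = "0-10"  # assumed: the source reports CVSS base scores
    return {
        "name": src["title"],
        "externalFindingId": src["id"],  # identifier field for deduplication
        "description": src.get("details", ""),
        "category": src["kind"],
        "subCategory": src.get("sub_kind"),
        "severity": normalize_severity(src["sev_label"]),
        "sourceSeverity": src["sev_label"],
        "findingStatus": status,
        "riskScore": normalize_risk_score(src["cvss"], source_range),
        "sourceScoreRange": source_range,
        "firstFoundOn": to_epoch(src["first_seen"]),
        "lastFoundOn": to_epoch(src["last_seen"]),
        "reopenedOn": to_epoch(src["reopened"]) if src.get("reopened") else None,
        "lastFixedOn": to_epoch(src["fixed"]) if src.get("fixed") else None,
        "port": int(port) if port is not None else None,
        "protocol": src.get("proto"),
        "detectionMethod": src.get("method"),
        "exceptionDetail": {"isFindingToBeIgnored": bool(src.get("risk_accepted", False))},
    }


def deduplicate(findings: list) -> list:
    """Collapse repeated reports of one externalFindingId: keep the earliest
    firstFoundOn, and take lastFoundOn and status from the newest observation."""
    merged = {}
    for f in findings:
        key = f["externalFindingId"]
        if key not in merged:
            merged[key] = dict(f)
            continue
        m = merged[key]
        m["firstFoundOn"] = min(m["firstFoundOn"], f["firstFoundOn"])
        if f["lastFoundOn"] >= m["lastFoundOn"]:
            m["lastFoundOn"] = f["lastFoundOn"]
            m["findingStatus"] = f["findingStatus"]
    return list(merged.values())


def exposure_days(f: dict) -> int:
    """Whole days from firstFoundOn to lastFixedOn, or to lastFoundOn if still open."""
    end = f["lastFixedOn"] if f["lastFixedOn"] is not None else f["lastFoundOn"]
    return (end - f["firstFoundOn"]) // 86400


def ingest(source_records: list) -> list:
    """Transform then deduplicate a batch of source records."""
    return deduplicate([transform(s) for s in source_records])


# Constructed sample input: the same scanner finding reported twice, plus one fixed secret finding.
SAMPLE_SOURCE = [
    {"id": "scn-1001", "title": "Outdated OpenSSH", "details": "Outdated OpenSSH version detected.",
     "kind": "Vulnerability", "sub_kind": "Outdated Software", "sev_label": "High",
     "status": "active", "cvss": 7.5, "first_seen": "2024-01-10T08:00:00Z",
     "last_seen": "2024-01-20T08:00:00Z", "port": 22, "proto": "TCP", "method": "authenticated scan"},
    {"id": "scn-1001", "title": "Outdated OpenSSH", "details": "Outdated OpenSSH version detected.",
     "kind": "Vulnerability", "sub_kind": "Outdated Software", "sev_label": "High",
     "status": "active", "cvss": 7.5, "first_seen": "2024-01-20T08:00:00Z",
     "last_seen": "2024-02-01T08:00:00Z", "port": 22, "proto": "TCP", "method": "authenticated scan"},
    {"id": "scn-2002", "title": "Hardcoded credential", "kind": "Secret", "sev_label": "Critical",
     "status": "fixed", "cvss": 9.8, "first_seen": "2024-01-05T00:00:00Z",
     "last_seen": "2024-01-15T00:00:00Z", "fixed": "2024-01-15T00:00:00Z", "risk_accepted": True},
]

if __name__ == "__main__":
    for rec in ingest(SAMPLE_SOURCE):
        print(rec["externalFindingId"], rec["severity"], rec["riskScore"],
              rec["findingStatus"], exposure_days(rec), "days")
```

Deduplication keys on externalFindingId and merges the timeline rather than dropping the later report, so firstFoundOn keeps the original SLA start while lastFoundOn and status reflect the newest observation; a record with an unmapped severity label, an out-of-range score, or a status outside the enumeration is rejected before it reaches ETM instead of being silently coerced.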