Enterprise TruRisk Management Release 1.3
June 06, 2025
Time to Detect and Time to Remediate Indicators for Findings
We have introduced the Time to Detect (TTD) and Time to Remediate (TTR) indicators, which you can apply to your business entities.
Time to Detect (TTD) measures how long it takes to detect a finding, counted from the earlier of the host creation date and the CVE publication date. A lower TTD is preferable, as it signifies quicker detection.
TTD = First Detected Date − MIN(Host Created Date, CVE Publication Date)
Mean Time to Detect (MTTD) is the average TTD across a scope of findings.
MTTD = Sum(First Detected Date − MIN(Host Created Date, CVE Publication Date)) / Total Number of Findings
Time to Remediate (TTR) measures how long it takes to remediate a finding after it was first detected. A lower TTR indicates faster remediation. Only findings whose status is FIXED have a TTR.
TTR = Last Found Date (FIXED) − First Detected Date
Mean Time to Remediate (MTTR) is the average TTR across a scope of findings.
MTTR = Sum(Last Found Date (FIXED) − First Detected Date) / Total Number of Findings
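The four formulas above, carried through on a small constructed data set so you can reproduce the indicators from an exported findings list. This is an added example, not ETM code; the field names, the ISO date format and the three sample findings are assumptions, and the example treats the MTTR denominator as the number of FIXED findings in scope (open findings have no TTR yet, so they are excluded rather than counted as zero).

```python
from datetime import date
from statistics import mean

# Constructed sample findings (not real ETM data). Field names are assumptions
# standing in for the columns an exported findings CSV would carry.
SAMPLE_FINDINGS = [
    {"id": "f-1", "host_created": "2025-01-10", "cve_published": "2025-01-20",
     "first_detected": "2025-01-25", "status": "FIXED", "last_found": "2025-02-04"},
    {"id": "f-2", "host_created": "2025-02-01", "cve_published": "2024-12-15",
     "first_detected": "2025-02-03", "status": "OPEN", "last_found": "2025-03-01"},
    {"id": "f-3", "host_created": "2024-11-01", "cve_published": "2024-11-05",
     "first_detected": "2024-11-20", "status": "FIXED", "last_found": "2024-12-20"},
]


def _d(iso: str) -> date:
    return date.fromisoformat(iso)


def ttd_days(finding: dict) -> int:
    """TTD = First Detected Date - MIN(Host Created Date, CVE Publication Date)."""
    baseline = min(_d(finding["host_created"]), _d(finding["cve_published"]))
    return (_d(finding["first_detected"]) - baseline).days


def ttr_days(finding: dict):
    """TTR = Last Found Date (FIXED) - First Detected Date; None while still open."""
    if finding["status"] != "FIXED":
        return None
    return (_d(finding["last_found"]) - _d(finding["first_detected"])).days


def mttd(findings: list) -> float:
    """Average TTD over every finding in scope."""
    return mean(ttd_days(f) for f in findings)


def mttr(findings: list):
    """Average TTR over the FIXED findings in scope (assumption: open ones excluded)."""
    values = [t for t in (ttr_days(f) for f in findings) if t is not None]
    return mean(values) if values else None


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["id"], "TTD", ttd_days(f), "TTR", ttr_days(f))
    print("MTTD", mttd(SAMPLE_FINDINGS), "MTTR", mttr(SAMPLE_FINDINGS))
```

Note that f-2 has a CVE published before the host existed, so its baseline is the CVE publication date and its TTD is 50 days, while f-1's baseline is the host creation date. Whether a still-open finding should drag MTTR down or be left out is a reporting decision; make it explicitly rather than letting empty dates default to zero.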
To support these indicators, we have introduced two new tokens, finding.ttd and finding.ttr, which you can use in the Findings tab. Measuring TTD shows how quickly vulnerabilities are being identified, and measuring TTR shows how quickly they are being fixed; tracking both lets you make detection and remediation more responsive and shorten the window of exposure. Details of the tokens are given in the following table.
Token | Description | Example
---|---|---
finding.ttd | Used to find the number of days taken to detect the vulnerability, counted from the earlier of the host creation date and the CVE publication date. |
finding.ttr | Used to find the number of days taken to fix the vulnerability, from first detection to the FIXED last-found date. |
Identification Rule for Web Applications
In ETM, vulnerability data is imported from various sources, which often results in overlapping information, such as the same CVE reported for the same asset by more than one source. To prevent duplicate records, the system uses specific identification attributes from the Common Data Model as unique identifiers. The Vulnerability Rule includes predefined conditions that specify these attributes so that a vulnerability is identified uniquely, regardless of its source.
The identification rules identify and de-duplicate security findings from various data sources. Identifier attributes such as CVE ID, port, protocol, and title are used to detect and flag duplicate findings, so that each finding is recognized exactly once and redundancy is avoided. In addition to the two existing identification methods, we have added a Default Vulnerability Rule for Web Applications.
You can also view a new column that shows the asset class (for example, host assets or web applications) on which each vulnerability or misconfiguration rule is based.
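The de-duplication described above, as an added example that is not ETM's own code: findings from several sources are collapsed onto an identity key built from identifier attributes chosen per asset class. The attribute sets (CVE ID, port and protocol for hosts; title for web applications), the field names and the five sample findings are assumptions for illustration; ETM's actual Default Vulnerability Rule for Web Applications may use different attributes.

```python
from collections import defaultdict

# Constructed sample: one host weakness reported by two scanners on the same
# port and once more on another port, plus one web-application finding reported
# twice. Field names are assumptions for the example.
SAMPLE = [
    {"source": "qualys_vmdr", "asset": "host-10.0.0.5", "asset_class": "host",
     "cve": "CVE-2024-0001", "port": 443, "protocol": "tcp", "title": "OpenSSL flaw"},
    {"source": "crowdstrike", "asset": "host-10.0.0.5", "asset_class": "host",
     "cve": "CVE-2024-0001", "port": 443, "protocol": "tcp", "title": "OpenSSL vulnerability"},
    {"source": "qualys_vmdr", "asset": "host-10.0.0.5", "asset_class": "host",
     "cve": "CVE-2024-0001", "port": 8443, "protocol": "tcp", "title": "OpenSSL flaw"},
    {"source": "qualys_was", "asset": "https://shop.example", "asset_class": "web_application",
     "cve": None, "port": None, "protocol": None, "title": "Reflected XSS in /search"},
    {"source": "csv_import", "asset": "https://shop.example", "asset_class": "web_application",
     "cve": None, "port": None, "protocol": None, "title": "Reflected XSS in /search "},
]

# Identification rules: which attributes make a finding unique, per asset class.
# These attribute sets are assumptions, not ETM's shipped rules.
RULES = {
    "host": ("cve", "port", "protocol"),
    "web_application": ("title",),  # WAS findings often carry no CVE or port
}


def _norm(value):
    """Normalize strings so case and stray whitespace do not defeat matching."""
    return value.strip().lower() if isinstance(value, str) else value


def identity_key(finding: dict) -> tuple:
    """Asset class + asset + the rule's attributes, in rule order."""
    rule = RULES[finding["asset_class"]]
    return (finding["asset_class"], finding["asset"]) + tuple(
        _norm(finding.get(attr)) for attr in rule
    )


def deduplicate(findings: list) -> list:
    """Group findings by identity key; keep which sources reported each one."""
    groups = defaultdict(list)
    for f in findings:
        groups[identity_key(f)].append(f)
    return [
        {"key": key, "sources": sorted({g["source"] for g in group}), "count": len(group)}
        for key, group in groups.items()
    ]


if __name__ == "__main__":
    for item in deduplicate(SAMPLE):
        print(item["count"], item["sources"], item["key"])
```

The two host reports on port 443 merge even though their titles differ, because title is not part of the host rule; the report on port 8443 stays separate, since the same CVE on another service is a distinct exposure. Choosing the attribute set is the whole game: too few attributes silently drops real findings, too many leaves every source's spelling of the same issue as its own record.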
For more information on Identification Rule, refer to ETM Online Help.
Introduced Risk Heat Map Widget
We have introduced a new widget called the Risk Heat Map. It plots Asset Criticality Score (ACS) against Qualys Detection Score (QDS) so that you can identify critical vulnerabilities on your most important assets, prioritize them, and build a remediation plan that addresses the most critical issues first while deferring less important ones.
The graph displays ACS scores from 1 to 5 and QDS scores categorized as Low, Medium, High, and Critical. Each cell represents one ACS score, one QDS category, and the total number of findings with those values. Clicking a cell redirects you to the Findings page, where you can view the details.
To add the widget to your dashboard, navigate to Dashboard, click Add Widget, and select Risk Heat Map from available ETM widgets.
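Reproducing the heat map cells from an exported findings list, as an added example rather than code from the widget: findings are bucketed into a 5-by-4 grid of ACS score versus QDS category and the busiest top-right cells are listed first. The QDS band edges (Critical 90 and above, High 70 to 89, Medium 40 to 69, Low 1 to 39) are an assumption you should verify against your own documentation, and the field names and sample findings are constructed.

```python
from collections import Counter

# Assumed QDS band edges; verify against your subscription's documentation.
QDS_BANDS = ((90, "Critical"), (70, "High"), (40, "Medium"), (1, "Low"))
ACS_LEVELS = (1, 2, 3, 4, 5)
QDS_LEVELS = ("Low", "Medium", "High", "Critical")

# Constructed findings export (not real ETM data); field names are assumptions.
FINDINGS_EXPORT = [
    {"id": "f1", "acs": 5, "qds": 95},
    {"id": "f2", "acs": 5, "qds": 92},
    {"id": "f3", "acs": 2, "qds": 95},
    {"id": "f4", "acs": 5, "qds": 45},
    {"id": "f5", "acs": 1, "qds": 10},
    {"id": "f6", "acs": 4, "qds": 75},
]


def qds_band(score: int) -> str:
    """Map a numeric QDS to its category using the assumed band edges."""
    for floor, label in QDS_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"QDS out of range: {score}")


def heat_map(findings: list) -> dict:
    """Return {(acs, band): count} for every cell of the grid, empty cells included."""
    counts = Counter((f["acs"], qds_band(f["qds"])) for f in findings)
    return {(a, b): counts.get((a, b), 0) for a in ACS_LEVELS for b in QDS_LEVELS}


def hottest_cells(grid: dict, limit: int = 3) -> list:
    """Non-empty cells ordered by ACS, then by QDS band: the top-right corner first."""
    rank = {band: i for i, band in enumerate(QDS_LEVELS)}
    cells = [(a, b, n) for (a, b), n in grid.items() if n]
    cells.sort(key=lambda c: (c[0], rank[c[1]]), reverse=True)
    return cells[:limit]


if __name__ == "__main__":
    grid = heat_map(FINDINGS_EXPORT)
    for band in reversed(QDS_LEVELS):
        print(f"{band:>9}", [grid[(a, band)] for a in ACS_LEVELS])
    print("work these first:", hottest_cells(grid))
```

Ordering by ACS before QDS mirrors what the widget is for: a Medium finding on an ACS 5 asset ranks above a Critical one on an ACS 2 asset. If your prioritization disagrees with that, change the sort key, not the data.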
Enhancing Risk Management: Introduction of the Risk Workbench
We have renamed the Prioritization tab to Risk Workbench to better capture its role in prioritizing, analyzing, planning, and acting on risk. The name reflects how you work with the feature: you break risk down by filtering on business entities, threat signals, asset exposure, and exploitability, build dynamic risk reduction plans, and monitor progress and impact on TruRisk from identification to resolution.
RBAC for Purge Rules and Custom Attributes
ETM has two out-of-the-box (OOTB) roles for ETM users:
- ETM Manager: This role has all the permissions for the application.
- ETM Reader: This role has View only permissions for the application.
We have introduced the following new permissions for the ETM Manager role:
- View Finding Purge Rules
- Edit Finding Purge Rules
- Delete Finding Purge Rules
- Create, Edit, and Delete your own Finding Purge Rules
We have introduced the following new permissions for the ETM Reader role:
- View Finding Purge Rules
- View Custom Attributes
To know more details on RBAC, refer to the ETM RBAC section.
Enhanced CSV Report Download Capacity for Vulnerabilities and Misconfigurations tab
You can now download a CSV report containing up to 50,000 finding records from the Vulnerabilities and Misconfigurations tabs. Previously, the limit was 5,000 records. This gives you more complete data for analysis and decision-making.
To download a CSV report, go to the Vulnerabilities or Misconfigurations tab and click the download icon.
Availability of Vendor Product Name as an Attribute in Purge Rules
We have added the Vendor Product Name as an attribute when creating the Findings Purge Rule. Now, when setting up a rule, you can use the Vendor Product Name alongside other existing attributes to define your criteria.
This enhancement allows you to create more specific and targeted criteria for purging findings, which helps manage findings more effectively. You can quickly identify relevant findings associated with specific products.
Custom Attributes Column in Findings
Custom Attributes let you define and manage custom attributes for findings within Qualys ETM, including calculated fields. With this release, a Custom Attributes column has been added to the Findings list, which simplifies searching for findings by the custom attributes you have added.
Introduced Quick Filters and Pivot in the All tab
We have introduced Quick Filters and Pivot in the All tab of the Findings tab. You can filter the data by various categories to quickly narrow it down to what you need. When you click a category in the list, your selection is translated into a QQL (Qualys Query Language) query in the search bar, so you can sift through findings efficiently and reach the relevant details quickly.
Reorganized the Navigation for Asset and Finding Overview Pages
We have reorganized the navigation to improve the user experience. Because an Overview page already existed in Inventory, the Overview tab is now located under Assets in Inventory; likewise, the Overview page that was under Risk Management is now located under Findings. This makes both pages easier to locate.
The following screenshot displays the Assets Overview page, which shows details such as total hosts, total web applications, and total software.
The Inventory tab now appears above the Risk Management tab.
Enhanced Dashboard Widgets Support for All Finding Types
Dashboard widgets now support more comprehensive queries. Previously, a widget query could cover vulnerability findings or misconfiguration findings, but not both. Now a single query can span all sub-types of findings and assets.
When you click a category in the chart, your selection is translated into a QQL (Qualys Query Language) query in the search bar, and the widget takes you to a view of all finding types.
Support for New Connectors
We are expanding our connector ecosystem with two new API integrations and an update to our CSV integration.
CrowdStrike Falcon – On Prem
The CrowdStrike Connector on the Qualys platform integrates asset data monitored for Extended Detection and Response (XDR) and Vulnerability Management (VM), along with the vulnerabilities reported on those assets, directly into Qualys Enterprise TruRisk™ Management (ETM).
Microsoft Security Defender V2
The Microsoft Defender Connector V2 integrates with the Microsoft Defender for Endpoint platform to retrieve data on a regular schedule, enabling quicker, data-driven remediation. Once configured, it automatically transfers asset inventory and security findings through scheduled API calls. The bulk API is used primarily to work around rate limiting on the Microsoft API.
CSV via All Methods
The enhanced CSV connector now supports importing Vulnerability/Application (Web Application Scan findings) data and Assets-only data. When configuring a connection, you select the target data model and upload a file in the Generic CSV format.
New Tokens for Findings Tab
Name/Description | Example
---|---
Use a text value to search findings based on the method used to detect them. |
Use the ID from the external system or vulnerability scanner as the token value to search for findings. |
Select (TRUE, FALSE) to search for vulnerabilities for which a public exploit is available. |
Select (TRUE, FALSE) to find vulnerabilities for which patches are available. |
Select (TRUE, FALSE) to find vulnerabilities that are patchable via Qualys. |
Use the MITRE ATT&CK sub-technique ID as the token value to search for findings associated with MITRE ATT&CK. |
Use the MITRE ATT&CK sub-technique name as the token value to search for findings associated with MITRE ATT&CK. |
Use the MITRE ATT&CK tactic ID as the token value to search for findings associated with MITRE ATT&CK. |
Use the MITRE ATT&CK tactic name as the token value to search for findings associated with MITRE ATT&CK. |
Use the MITRE ATT&CK technique ID as the token value to search for findings associated with MITRE ATT&CK. |
Use the MITRE ATT&CK technique name as the token value to search for findings associated with MITRE ATT&CK. |
Use this token to search for misconfigurations related to a given policy ID. |
Use this token to search for vulnerabilities related to a given product vendor ID. |
Use this token to search for vulnerabilities related to a given product version. |
finding.ttd: Used to find the number of days taken to detect the vulnerability, counted from the earlier of the host creation date and the CVE publication date. |
finding.ttr: Used to find the number of days taken to fix the vulnerability, from first detection to the FIXED last-found date. |
Use the token value as an attack vector string to search findings, such as the CVSS vector string that describes how the vulnerability can be exploited. |
For more details on these tokens, refer to Search Tokens for Findings.
API Features and Enhancements
With this release, we have extended support for the OpenID Connect authentication standard. You no longer need to supply a username and password to obtain a system-generated JWT: you can authenticate to the API gateway with a token issued by your own OpenID Connect identity provider, which removes the username, password, and system-generated token from the access flow.
For more details, refer to the Enterprise TruRisk Management Release 1.3 API Release Notes.