Remediation - The Basics

What is a policy?

How are tickets reopened?

How do I order policy rules?

Manual reopen ticket option

What if a vulnerability matches more than one rule?

I fixed a vulnerability. How does the ticket get closed?

What if Qualys updates QID severity level?

How do scan options affect ticket updates?

How are scan results applied to policies?

Who can ignore and delete tickets?

How are tickets created?

How do I reassign a ticket?

Are tickets created from agent scans?

Will I be notified when tickets are updated?

Can I manually create tickets?

Can I choose a timeframe for ticket display?

How are tickets updated?

How are tickets created for cloud agent assets?

How are tickets closed

I see multiple remediation tickets created for the same QID on the same host


What is a policy?

A policy includes a set of rules that tell us when to create tickets, who to assign them to, and how quickly they should be resolved. You can have one global policy for the subscription and one policy for each business unit.

How do I order policy rules?

Policy rules are applied to scan results in the order in which they are listed. The rule at the top of the list has the highest priority and is applied first. To change the order, go to VM/VMDR > Remediation > Policies > New > Reorder. Move a rule up in the list to increase its priority or move it down to decrease its priority.

Tip - If you have a rule that specifies tickets should not be created when conditions are met, then make sure that rule is at the top of the list so it is applied first and a ticket will not be created.

Who can reorder policy rules?Who can reorder policy rules?

Managers can reorder policy rules for the global remediation policy (business unit "Unassigned") and for any business unit's policy. Unit Managers can reorder policy rules for their business unit only.

What if a vulnerability matches more than one rule?

If a detected vulnerability matches more than one rule, the action specified for the first rule it matches takes precedence. For this reason, if you have a rule that specifies tickets should not be created when rule conditions are met, then that rule should be at the top of the list.

How are scan results applied to policies?

Scan results are first compared to the user's business unit policy and then to the global policy. If the user who launched the scan is not assigned to a business unit or if the user's business unit does not have a policy, then the scan results are only compared to the global policy.

Scan results from users in the Unassigned business unitScan results from users in the Unassigned business unit

If the user who launched the scan is not assigned to a business unit, such as a Manager user or another user in the Unassigned business unit, then the scan results are only compared to the global remediation policy. The scan results are not compared to business unit policies. If a global policy does not exist, then no tickets are created.

Scan results from users in a business unit with a business unit policyScan results from users in a business unit with a business unit policy

If the user who launched the scan is assigned to a business unit and the business unit has a remediation policy, then the scan results are first compared to the user's business unit policy. If the results don't match conditions in the business unit policy, then the results are compared to the global remediation policy.

Scan results from users in a business unit without a business unit policyScan results from users in a business unit without a business unit policy

If the user who launched the scan is in a business unit that does not have a remediation policy, then the scan results are only compared to the global remediation policy. If a global policy does not exist, then no tickets are created.

No global remediation policyNo global remediation policy

Managers may choose not to create a global remediation policy and instead delegate this responsibility completely to the individual business units. In this case, only scans launched by users in the business units with policies will result in tickets. Scans launched by Managers and other users outside of the business unit will not result in tickets.

For example, let's say that the only policy in the subscription is a business unit policy created by a Unit Manager to create tickets for all severity 5 vulnerabilities. In this case, if a user in the business unit launches a scan and 10 severity 5 vulnerabilities are detected, then 10 tickets are created and assigned to the user designated in the policy. (Note that the ticket assignee may be somebody outside of the business unit when "Asset Owner" is used.) If a Manager in the same subscription launches a scan on the same hosts and 10 severity 5 vulnerabilities are detected, then no tickets are created. This is because the Manager is not in the business unit and there is no global remediation policy established for the subscription.

How are tickets created?

The service automatically creates new tickets when detected vulnerabilities match a remediation policy in the account. New tickets are created on a continuous basis as new scan results become available.

How are tickets created for cloud agent assets?

To create ticket for cloud agent asset, assign "Cloud Agent" tag in the policy rule. Similarly, you can create ticket by assigning "All" group or asset group having IP tracked entry of cloud agent asset in the policy rule. Policy Rule created with "ALL" asset group must have IP addresses for cloud agent in the VM license container.

Are tickets created from agent scans?

Yes. Tickets are created when vulnerabilities detected from agent scans match a remediation policy in the account. When the policy is set to assignee "User Running Scan" tickets will be assigned to the Manager Primary Contact for the subscription.

Can I manually create tickets?

Yes. You can manually create a ticket for any vulnerability instance. You can create a ticket from a scan report with the vulnerability listed or create a ticket from host information.

Note: In AGMS and network-enabled accounts, the ticket assignee list has only the users with access to that particular host.

How to create a ticket from a scan reportHow to create a ticket from a scan report

Go to VM/VMDR > Reports > Templates. Run a scan report template that is configured with host based findings. Choose the HTML report format. When your report appears online scroll down to the Detailed Results section and click Remediation Action icon in reports next to the vulnerability instance you want to create a ticket for. Then choose Create ticket from the menu that appears.

How to create a ticket from host informationHow to create a ticket from host information

Go to VM/VMDR > Assets > Host Assets or Assets > Asset Search, find a vulnerable host and then open the Host Information page for that host. Select Vulnerabilities on the left side and view the list of vulnerabilities (or potential vulnerabilities). Click Remediation Action icon in reports next to the vulnerability instance you want to create a ticket for. Then choose Create ticket from the menu that appears.

Note: If Asset Group Management Service (AGMS) is enabled for your subscription, you will see the Address Management tab instead of Host Assets. To understand the changes that happen when AGMS is enabled for your subscription, refer to Introducing AGMS.

How are tickets updated?

The service automatically adjusts ticket state/status as new scan results become available. For example, if a user has marked a ticket Resolved and a subsequent scan verifies that the issue has been successfully fixed, then the service will close the ticket.

How are tickets closed?

There are a few ways that a ticket can be closed. The most common is that you've fixed the vulnerability, and a new scan has verified the fix. In this case, the ticket will be automatically closed for you. You can also close/ignore a ticket if you don't plan to fix the vulnerability. Learn more

How are tickets reopened?

Tickets that have been resolved or closed will be reopened automatically if the related vulnerability is detected by a new scan. Users can also manually reopen a ticket. Learn more

Tell me about the manual Reopen ticket option

The Reopen ticket option allows you to automatically reopen the ticket in a set number of days. You can select this option from the UI (host information) and from within template based scan reports with host based findings. Learn moreLearn more

The status of the ticket will be based on the following conditions:

I fixed a vulnerability. How does the ticket get closed?

After applying a fix launch a new scan on the host to verify the fix and close the ticket. Remediation options set for the subscription determine if a user must mark a ticket resolved before it can be closed or if the service can immediately close an open ticket when a fix is verified by a new scan. Go to VM/VMDR > Remediation > Setup to see options related to ticket transitions.

How do scan options affect ticket updates?

The scan options set at the time of the scan determine which tickets are updated. Scan results are applied to tickets in the following ways:

- Scan results from a selective vulnerability scan are only applied to tickets related to the target vulnerabilities.

- Scan results from a partial port scan are only applied to tickets related to those specific ports.

- Scan results from an authenticated scan are only applied to tickets created as the result of an authenticated scan. If a ticket is opened as the result of an authenticated scan and you fix the vulnerability, you must run another authenticated scan on the host to verify the fix and close the ticket.

Who can ignore and delete tickets?

Managers and Unit Managers have permission to ignore and delete tickets. Scanners and Readers can ignore and delete tickets on hosts only when these remediation options are set for the subscription. Go to VM/VMDR > Remediation > Setup > Remediation to change permissions for Scanners and Readers.

How do I reassign a ticket to someone else?

Go to VM/VMDR > Remediation > Tickets. Select the tickets you want to reassign and choose Edit from the Actions menu. Then select a user to assign the tickets to.

Will I be notified when tickets are updated?

This depends on whether you have the Daily Trouble Tickets email notification option enabled in your account. Select User Profile below your user name (in the top right corner) and then go to the Options section to see and edit notification options.

Can I choose a timeframe for ticket display?

This option is available to Managers, Unit Managers, Scanners and Readers. Users with Remediation User role will default to 30 days.

What if Qualys updates QID severity level?

When Qualys updates the QID severity level, it gets reflected on the remediation ticket listing page (Remediation>Tickets tab) only after executing the subsequent scan. However, the Ticket Information, Host Information, ASR (Asset Search Report) display the updated QID severity level.

Example: There is a policy rule with severity level = 5. A ticket gets created after running the scan with severity level 5. Qualys updates a severity level after a few days from 5 to 3. The updated severity level 3 is displayed on the page (Ticket Information, Host Information, ASR) except remediation ticket listing page.

I see multiple remediation tickets created for a single QID on the same host

Multiple remediation tickets may appear for a single QID on the same host. This is because each instance of these QIDs is technically distinct according to the following criteria: