Configure Report Templates

Use report templates to create reports with views on your scan results and the current vulnerabilities on your hosts. You can choose an existing template we provide as a starting point, or you can create custom reports by telling us all the settings.

Check out this video:

 

A few things to consider...

Have you thought about which hosts you want to report on and what you want to see in your report? We can help you with this quickly - review the basics for some ideas.

Reporting - The Basics

 

What are the steps?

It's easy to use an existing template. Just go to Reports > Templates and:

1) edit the template you'd like to use - Patch Report, Scorecard Report, High Severity Report, Executive Report, etc.

2) we recommend you save a copy (click Save As), and

3) configure the report template settings.

Looking for more report templates to choose from?Looking for more report templates to choose from?

You can check out our templates library where we publish templates commonly requested by our customers. Just go to Reports > Template > Import from Library and download as many as you'd like. You can configure these templates to suit your reporting goals.

Do you want to create a new custom report template?Do you want to create a new custom report template?

Go to Reports > Templates > New and configure the report template settings.

Host Based FindingsHost Based Findings

We recommend Host Based Findings since it encompasses the latest vulnerability data from all of your scans. Each time you create a report, we'll automatically collect vulnerability data that we've indexed per host in your account - we refer to this as host based findings. This option gives you the most comprehensive and up to date picture of your vulnerability status.

Note:

  • When you generate a Host-based scan report for Asset Groups with "ALL" option, the report shows only those assets that are added to VM. If you want to view the assets that are not in VM, add the asset tags associated with the assets to the Asset Tags filter using the Add Tag option when you generate the report. For example, in the report, to view agent-tracked assets that are not in VM, add the agent tag for these assets to the Asset Tags filter using the Add Tag option.

  • While configuring a host-based report template based on asset group with its associated asset tags, if you choose to exclude certain asset tags from the report, any host assets that are a part of both the included and excluded asset tags do not get reported in the host based report. The report displays only the host asset details in the report. 

    Example:

    Host A is part of Asset Group – AG1. Host A is also part of Asset Tags (associated with asset group AG1) - AT1, AT2, AT3. You generate host based scan based on the following settings in the report template:

    • Asset Groups: AG1.

    • Include hosts that have any of the tag: AT1.

    • Do not include hosts that have tags: AT2.

    In this case, the host based report displays the host A asset details only. It shows only the asset details for Host A because Host A belongs to Asset Group – AG1. However, the report omits the associated tags details because Host A is linked to tags, include tag- AT1, and exclude tag AT2. Therefore, the Qualys system invalidates the tags associated with Host A and does not display any asset tag information.

You can create reports with trending information when you've selected Host Based Findings. If you use the default we'll include vulnerability information for the last 2 detections. In other words we'll analyze the last two detections for each vulnerability on each host and compare the current vulnerability status (New, Fixed, Re-Opened, Active) to the last known vulnerability status.

Do you want to analyze trends for a timeframe instead?Do you want to analyze trends for a timeframe instead?

Just choose the date range you're interested in - starting on a specific date - and we'll analyze the vulnerability status for your timeframe. In case the Last detected date or the Last fixed date of the vulnerability occurs during the specified timeframe, the vulnerability data is included in the Trending scan template based report. Currently, the Last fixed date field can be viewed only in the CSV output of the report.

Only include scan results from the specified timeframeOnly include scan results from the specified timeframe

Select this option to ensure that only vulnerability information gathered in the timeframe that you've specified is included in the report. If you do not select this option, vulnerability information for hosts that were last scanned prior to the report timeframe may be included. For example, let's say you want to create a report analyzing data for the past 4 weeks. Host A was scanned 5 weeks ago, and has not been scanned since then because it was firewalled and unreachable. By selecting this option you'll exclude Host A from the report and only analyze vulnerability information detected in the past 4 weeks. By clearing this option you'll include Host A in your report with the last known vulnerability information from 5 weeks ago.

Scan Based FindingsScan Based Findings

Select Scan Based Findings to run a report based on saved scan results. This gives you a view of your risk at a particular moment in time (at the time of the scan). Each time you create a report with this setting, you must manually select saved scan results to include in the report. Vulnerability data and hosts included in your report are specific to the scans that you choose at run time.

Display optionsDisplay options

On the Display tab, select how much information to include in the report, in both the summary and detailed results sections. You can choose to include report graphics, add custom text to the report footer, determine how the detailed results should be sorted and how much detail to include for each vulnerability.

> What is the text summary?> What is the text summary?

The text summary includes the total number of vulnerabilities detected, the overall security risk, and the business risk (for reports sorted by asset group). The following tables also appear: total vulnerabilities by status, total vulnerabilities by severity, and top 5 vulnerability categories detected. Note that this option is not available in reports set to Manual scan results selection.

> Tell me about the vulnerability details> Tell me about the vulnerability details

Threat. A description of the threat.

Impact. Possible consequences that may occur if the vulnerability is exploited.

Solution: Patches and Workarounds. A verified solution to remedy the issue, such as a link to the vendor's patch, Web site, or a workaround.

Solution: Virtual Patches and Mitigating Controls. Virtual patch information that is correlated with the vulnerability, when this information is available in the KnowledgeBase. The service correlates virtual patch information obtained from Trend Micro real-time feeds.

Exploitability. Exploitability information that is correlated with this vulnerability, when this information is available in the KnowledgeBase. The service constantly correlates exploitability information from real-time feeds to provide up to date references to exploits and related security resources.

Associated Malware. Malware information that is correlated with this vulnerability, when this information is available in the KnowledgeBase. The service constantly correlates malware information obtained from Trend Micro Threat Encyclopedia real-time feeds to provide up to date references to malware threats and related security resources.

Results. Specific scan test results for each host. Also included: the date the vulnerability was first detected on the host, the date it was last detected on the host, and the total number of times it was detected on the host.

Reopened. The date/time a vulnerability was first reopened, last reopened, and the number of times it was reopened. A vulnerability is reopened when it was verified as fixed by the previous scan and is detected by a new scan. 

> Tell me about TruRisk details (ARS, ACS, QDS)> Tell me about TruRisk details (ARS, ACS, QDS)

This option is only visible in subscriptions with the Asset Risk Scoring feature enabled.

Select TruRisk Details (ARS, ACS, QDS) on the Display tab to show Qualys TruRisk scores in your report to help you prioritize vulnerabilities, including Asset Risk Score (ARS), Asset Criticality Score (ACS) and Qualys Detection Score (QDS). Learn more about these scores

Notes:

- This option is supported in reports with Host Based Findings.

- To see ARS and ACS in the report, you must also select Text Summary because these scores appear at the summary level for each host.

- To see QDS in the report, you must also select Vulnerability Details and at least one vulnerability detail like Threat because this score appears when you expand vulnerability details.

- When detailed results are sorted by Host and TruRisk Details are included, then you'll see scores in all report formats: CSV, XML, HTML, DOCX, PDF and MHT.

- When detailed results are sorted by some other method (e.g. vulnerability, operating system, asset group, etc) and TruRisk Details are included, then you'll only see scores in CSV and XML report formats. 

> Tell me about the custom footer> Tell me about the custom footer

This is a spot where you can add required information like a disclosure statement or data classification (e.g. Public, Confidential). The footer text you enter will appear on the last page of reports generated from this template, except reports in XML and CSV formats. 

Note - You can work with your Technical Account Manager or Qualys Support to have a custom header, footer and logo added to every page of Host Based Scan Reports in PDF format. This is a subscription level setting. See Custom Header, Footer, Logo for Host Based Scan Reports in PDF to learn more. 

> Display information for cloud instances> Display information for cloud instances

From Display Cloud Related Information section in the Display tab in the Scan Report Template:

- Select the "Cloud Provider Metadata" check box to include general fields that apply to all cloud providers, including AWS, Azure, GCP, and other future support to your report.

- Select the "Legacy EC2/Azure fields" check box to include cloud provider-specific metadata fields originally introduced for AWS and Azure.

Azure metadata information: public IP address, image offer, image version, subnet, VM state, private IP address, size, subscription ID, location, and resource group name

EC2 metadata information:  public and private DNS name, image ID, VPC ID, instance state, instance type, account ID, region code and subnet ID

GCP metadata information: public IP address, VM instance ID, private IP address, VPC network, machine state, machine type, zone, hostname, and MAC address

Refer to the Qualys API (VM, PC) User Guide (section: Cloud Asset Metadata Fields in CSV Format and Cloud Asset Metadata Fields in XML Format) to know the tags which will appear in your scan report

> Display Qualys system IDs> Display Qualys system IDs

Select the "Qualys System IDs" check box (under Display Host Details) to include host identifiers such as host ID, asset ID in the host-based scan report template. Once you launch or download the host-based scan report, the host ID, asset ID information is displayed in the report. 

> Tell me about MITRE ATT&CK (MITRE ATT&CK Tactic & Technique Details)  > Tell me about MITRE ATT&CK (MITRE ATT&CK Tactic & Technique Details)  

Select MITRE ATT&CK (MITRE ATT&CK Tactic and Technique Details) on the Display tab to show the MITRE ATT&CK details.

On selecting this option, the report displays the Tactic and technique name and IDs in the CSV host based report. 

This allows you to identify and display the MITRE ATT&CK details associated with QID in the host-based scan report. This provides a clear and structured view of how potential or active threats align with known adversary behaviors. This allows you to take faster remediation actions from an MITRE prioritization perspective.

Note: It supports only host-based CSV reports.

Filter optionsFilter options

On the Filter tab, choose from various options to filter the hosts and/or the vulnerabilities included in your report. See Reporting - The Basics to learn more or turn on help tips.

Configuring "required" and "unauthorized" services and portsConfiguring "required" and "unauthorized" services and ports

It's possible to flag specific services and ports as either "required" or "unauthorized". When these are marked as "required" or "unauthorized" and they are not detected, they will appear as vulnerabilities in the report by these QIDs:

- 38175 (Unauthorized Service Detected)
- 82043 (Unauthorized Open Port Detected)
- 38228 (Required Service Not Detected)
- 82051 (Required Port Not Detected)

Tip - Want your report to include certain QIDs? Select Custom for Selective Vulnerability Scanning in the Filters section of your report template and be sure to add these QIDs (in search lists).

Make this a globally available template Global IconMake this a globally available template Global Icon

Managers and Unit Managers can select this option to make the template globally available to all users. Once published as a global template, users have the option to save personal copies of the template and can use them as the basis for creating new, custom templates.

Permissions: When is option is selected by a Unit Manager, the template is available to users in their own business unit.

 

 

I configured my report template. What's next?

Launch a report using your templateLaunch a report using your template

We'll create a new report using the report template you've configured. Go to Reports > Templates, select your template in the list, and then select Run from the menu. You can also go to Reports > Reports > New. Learn more

Schedule a report using your templateSchedule a report using your template

Schedule your report to run automatically - daily, weekly, monthly - and you'll get the most up to date vulnerability data with the most accurate trends. Learn more

Still have questions?

Tell me about the ownerTell me about the owner

The user who created the report template is the owner by default. Managers and Unit Managers have the option to change the owner by editing the template. Learn more. 

Using the Scan by Hostname featureUsing the Scan by Hostname feature

If you are using the Scan by Hostname feature and you want to report on hosts scanned by hostname, note the following requirements. You can include IP addresses that are resolved from the scanned DNS and NetBIOS hostnames. Learn more

Quick Links

Manage your reports

Tell me about sharing reports

Become PCI compliant

Using search lists and patch supersedence

From the Community

Best Practices for Reporting

Watch videos

Tip We provide many report templates for common reporting needs. You can use these templates as is, and edit the settings to create custom reports.

Tip Add search lists to your report templates to filter reports to specific QIDs or to QIDs that match certain criteria.

Did you know? You can easily create many reports using templates from our library. Just go to Reports > Templates > New > Import from Library.