Search Lists - The Basics
Why flagged QIDs not included in the scan result or scan report? |
|
|
What is a search list?
Search lists are custom lists of vulnerabilities that you can save and use in order to customize vulnerability scans, reports and ticket creation.
How do I use search lists?
You can use search lists in a number of ways.
Scanning - Limit a vulnerability scan to only a select list of QIDs or only scan vulnerabilities for a particular vendor like Apache or Microsoft. Simply add your search lists to the option profile you want to use for the scan.
Reporting - Use search lists to filter the QIDs in your vulnerability scan reports. In this case you add search lists to your report template.
Remediation - You need search lists for creating policy rules. The search lists determine which vulnerabilities result in ticket creation.
Dynamic Lists vs. Static Lists
A Static search list includes a specific list of vulnerabilities (QIDs) that you select. A Dynamic search list has a set of vulnerability search criteria that you select. When you use a dynamic search list, we'll automatically find all the QIDs that match your criteria.
Here are some examples:
- Create a dynamic list for an always up-to-date Microsoft patch Tuesday scan report, scan option profile and remediation rule.
- Create a dynamic list of QIDs flagged for PCI compliance.
- Create a dynamic list of QIDs for a particular vendor or product, such as Apache, Cisco, Microsoft, or Sendmail.
- Create a dynamic list of QIDs that are remotely exploitable on the .net framework.
- Create a static list of QIDs for troubleshooting and verifying authentication.
- Create a static list of QIDs to exclude from scans and reports.
- Create a dynamic list of CVE IDs you're interested in. For a large list of CVE IDs, we recommend using the Dynamic Search List API since the UI is limited in the number of characters you can enter. Refer to the API User Guide for more information.
Import Search Lists from the Library
From the Search Lists tab, go to New > Import Search List. There are several pre-defined search lists for you to choose from. Select the search lists you like and click Import. The search lists will be copied to your account.
How do I make a search list global?
Select the option "Make this a globally available list" in the search list settings. When a Manager takes this action, the list is available to all users in the subscription. When a Unit Manager takes this action, the list is available to all users in their business unit. You can clear this option at a later time and the search list will no longer be available to other users.
Tell me about the owner
When creating a new search list, the user creating the search list is set as the owner. Managers and Unit Managers have the option to change the search list owner. To change the owner, first save the search list and then edit the search list. On the Edit page, select a different user from the Owner menu. The possible assignees listed in the Owner menu depends on the global status of the search list, the role of the manager making the change, and the current owner's role and business unit.
Who can own global and non-global search lists?
Tell me about conflicts with business objects
Why are flagged QIDs not included in the scan result or scan report?
This may occur for vulnerabilities that have half red / half yellow severity () . The half red / half yellow severity level in the KnowledgeBase represents vulnerabilities that may be confirmed in some cases and not confirmed in other cases because of various factors affecting scan results. If the vulnerability is confirmed during a scan, it appears as a red vulnerability in the results. If it cannot be confirmed, it appears as a yellow potential vulnerability in the results.
QIDs with the half red / half yellow severity match both confirmed and potential. That means these QIDs would match search lists for both confirmed and potential.
If you create a search list that includes all confirmed QIDs and excludes all potential QIDs, then the QIDs with half red / half yellow severity will be excluded. This is because these QIDs match confirmed and potential, and your report will always exclude the QIDs in the excluded list.