Understanding Old and New Vulnerability Queries

In past releases, we significantly improved how vulnerabilities are queried and displayed in the user interface (UI). 

These updates take two approaches: one aligns with Qualys Identifier (QID) and the other with industry standards (CVE). This allows you to utilize QID and CVE-based data for more effective risk analysis and decision-making.

This topic explains the differences between these two approaches and how they are utilized.

New Vulnerability Queries: vulnerabilities.riskFactor

The vulnerabilities.riskFactor query offers a more precise method for evaluating vulnerabilities. 

Here's how it works:

Data Source

These queries come from QDS (Qualys Data Service), which collects data from various sources, including detailed CVE (Common Vulnerabilities and Exposures) information and 25+ threat intelligence feeds.

CVE Link: The data is sourced from CVE details, QVS/QDS Data, or TruRisk enriched data, which means the risk factor is directly associated with specific CVE IDs. This allows you to assess vulnerabilities using globally recognized identifiers, providing a broader, industry-standard perspective.

Usage: When you click a widget such as "Top risk factor for TruRisk," multiple QQL queries related to vulnerabilities.riskFactor are shown in the Risk Calculation section. These valuable insights are derived from CVE data, offering a more comprehensive view of vulnerability risks.

The vulnerabilities.riskFactor query better aligns with industry standards for tracking and managing risks, making it ideal for assessing risks based on external threat data and trends.

The QQLs under this query are as follows:

  • vulnerabilities.riskFactor.cisaKEVDueDate
  • vulnerabilities.riskFactor.cisaKnownExploits
  • vulnerabilities.riskFactor.threatActorName
  • vulnerabilities.riskFactor.malwareName
  • vulnerabilities.riskFactor.exploitCodeMaturity
  • vulnerabilities.riskFactor.exploitType
  • vulnerabilities.riskFactor.rti
  • vulnerabilities.riskFactor.trending

Old Vulnerability Queries: QID-Based Queries

The old vulnerability queries are associated with Qualys Identifiers (QIDs), which were used before VMDR TruRisk was introduced.

Here's how they work:

Data Source

These queries come from the Qualys Knowledge Base and are linked to QIDs, uniquely identifying specific vulnerabilities within the Qualys system.

Link to QID: When you apply filters (such as selecting "wormable" from the filter), the system retrieves the relevant data from the Knowledge Base, directly linked to the corresponding QID.

Usage: Old QQL queries can still be accessed through the left-hand filters in the UI. Clicking on a specific vulnerability type brings up details directly linked to the associated QID, providing a focused view within the Qualys environment.

For more information on the RTIs, see: Real-time Threat Indicators.

Key Differences

New Queries: Linked to CVE IDs through the QDS page, providing broader, industry-recognized insights into vulnerabilities.
Old Queries: Linked to QIDs via the Qualys Knowledge Base, focusing on Qualys-specific data.

When to Use Each Approach

Use the new Risk Factor QQL queries to understand vulnerabilities based on external data and trends, mainly when conducting comprehensive risk assessments.

Use the old QID-linked queries for a more detailed, internal view of vulnerabilities, especially when working with vulnerabilities tracked within the Qualys system.