The following types of reports are provided by the service:
Note: For displaying scan results, the service uses pre-defined settings and those settings are not customizable. If your account was created using version 4.7 or earlier, then you'll notice the "Scan Results" template in your report templates list. This template is no longer the default template for viewing saved scan results and can be renamed or deleted. The "Scan Results" template remains available to you for generating reports based on saved scan data.
The Library provides a variety of scan report templates that you can import to your account. These templates are designed to address many of your vulnerability reporting requirements. See About the Library.
The following scan report templates are provided by the service:
• Technical Report. Use this template to generate a report with the most recent scan data. This report does not show trends, meaning that it does not compare the most recent scan to previous scans. It includes the IP addresses (or ranges) from your most recent scan, and includes individual host details, which are sorted by host.
• Executive Report. Use this template to generate a trend report providing a global view of your network security. This template creates a report that compares your scan results over the last 8 weeks, and displays a bar graph outlining the total vulnerabilities by severity and a flow graph comparing the total vulnerabilities by severity over time. This report does not include individual host results or specific vulnerability information; therefore, it can be easily distributed because it does not contain sensitive data. This report is ideal for CIOs and executive-level managers.
• High Severity Report. Use this template to generate a report identifying all severity 4 and severity 5 vulnerabilities on your network. The following are filtered from this report: severity 1-3 vulnerabilities, potential vulnerabilities, information gathered, disabled checks and ignored checks.
The following patch report template is provided by the service:
• Qualys Patch Report. Use this template to generate a patch report based on the current vulnerability detection data in your account. The resulting patch report shows the patches that need to be applied to fix the detected vulnerabilities on all hosts in your account. The detailed results in the report include a table of QIDs that will be fixed by applying each missing patch, and links to the patches are displayed if available.
The following compliance report templates are provided by the service. You cannot edit or delete these templates.
• Qualys Top 20 Report. Use this template to generate a report identifying the Qualys Top 20 vulnerabilities on your network. The Qualys Top 20 list includes the 10 most prevalent internal vulnerabilities (detected on private IPs) and the 10 most prevalent external vulnerabilities (detected on public IPs). The Qualys Top 20 list is updated automatically and continuously from a statistically representative sample of thousands of networks.
• SANS Top 20 Report. You'll notice the title is "2008 SANS Top 20 Report" if your subscription was created using version 6.18 or later. Use this template to generate a report identifying the SANS Top 20 vulnerabilities on your network. The SANS Institute publishes a list of the 20 most critical Internet security vulnerabilities, including top vulnerabilities in Windows systems, Unix systems, cross-platform applications and networking products. For each of the top 20 vulnerabilities, the service scans for multiple QIDs and reports results for those detected.
Important: The SANS Top 20 list was last updated in 2008. For more accurate information on the most prevalent and critical real-world vulnerabilities use the Qualys Top 20 list.
The following report templates are available only when the Payment Card Industry (PCI) compliance feature is enabled for the subscription.
Important: Starting September 1st, 2010, the PCI Executive Report can no longer be used to demonstrate compliance with the PCI Data Security Standard. The PCI Security Standards Council released new Approved Scanning Vendor (ASV) requirements on March 16, 2010; these changes are detailed here. Please use the Share with PCI feature to share a PCI scan with your PCI Merchant account in order to generate a PCI network report and complete the required actions for PCI certification.
• Payment Card Industry (PCI) Executive Report. This report includes overall PCI compliance status, the PCI compliance status for each scanned host, and the PCI scan configuration settings used.
• Payment Card Industry (PCI) Technical Report. This report includes the same information as the PCI Executive Report plus a Detailed Results section with detailed vulnerability information sorted by host so you can quickly find and eliminate network security vulnerabilities. All vulnerabilities and potential vulnerabilities that fail PCI compliance must be remediated to pass the PCI compliance requirements.
The following report templates are available only when the compliance module is enabled for your subscription and you have compliance management privileges. Note that these templates are hidden and cannot be viewed from the templates list.
• Authentication Report. Use this template to generate a report identifying the authentication status for each host. If the scanning engine was able to successfully authenticate to a host, then the status Passed appears. If the scanning engine was not able to authenticate to a host, then the status Failed appears. Successful authentication is a requirement for compliance scanning.
• Policy Report. This report requires a user-created policy report template. Use this template to generate a report identifying compliance status for a specific policy. The report lists hosts relevant to the policy with the controls tested on each host and the passed/failed status for each control. The report also includes compliance trend information over time.
The following interactive reports are only available when the compliance module is enabled for your subscription and you have compliance management privileges. When you run interactive reports, you can change the report source settings, display options and sorting options from within the report to immediately change the report content. Interactive reports are not saved to Report Share.
• Control Pass/Fail. Run this report to identify pass/fail status for a specific control. When running this report, identify the policy and control you want to report on. Hosts included in the report are listed with a pass or fail status for the specified control.
• Individual Host Compliance. Run this report to identify the compliance status for a specific host. When running this report, identify the policy and host you want to report on. Each control from the policy that is applicable to the host is listed with a pass or fail status.
The following map report template is provided by the service:
• Unknown Device Report. Use this template to compare the approved hosts list for a particular domain to saved map results. Any host that is not in the approved hosts list for the domain is considered "rogue" and will appear in your map report.
The following remediation report templates are provided by the service. Note that you cannot edit or delete any of these templates.
• Executive Remediation Report. This report includes graphical elements, illustrating the total number of Open and Closed tickets at each severity level, ticket state changes over the past 12 weeks, and an Open ticket trend over the past 12 weeks.
• Tickets per Vulnerability. Each vulnerability in the account with associated tickets is listed. For each vulnerability, the following appears: the total number of tickets related to the vulnerability, the number of tickets at each ticket state, the average number of days for resolution on tickets, and the total number of overdue tickets.
• Tickets per User. Each user in the account with assigned tickets is listed. For each user, the following appears: the total number of tickets assigned to the user, the number of tickets at each ticket state, the average number of days for resolution on tickets, and the total number of overdue tickets.
• Tickets per Asset Group. Each asset group in the account with associated tickets is listed. For each asset group, the following appears: the total number of tickets, the number of tickets at each ticket state, the average number of days for resolution on tickets, and the total number of overdue tickets.