Filters for Threat Prioritization Report

Age

You can prioritize vulnerabilities by detection age or vulnerability age.

Detection Age

Detection age is based on when the vulnerability was first detected (by a scanner or cloud agent). Select detection age ranges (0-30, 31-60, etc.) to include in the report. For example, select 180+ to prioritize vulnerabilities that have been active in your environment the longest.

Vulnerability Age

Vulnerability age is the number of days since the vulnerability was disclosed. Select vulnerability age ranges (0-30, 31-60, etc.) to include in the report. For example, select 0-30 to include the vulnerabilities that have been recently disclosed.

Real-Time Threat Indicators  

Select the Real-Time Threat Indicators (RTIs) that you’re interested in. Your report will include vulnerabilities that match *any* of the selected RTIs. 

Match Any versus Match All

You can toggle between two options, Match Any (logical OR) and Match All (logical AND), for the selected RTI filters.

Match Any - Vulnerabilities that match at least ONE of the selected RTIs are picked for prioritization. For example, if you opt for Match Any and select three Potential Impact RTIs and two Active Threats RTIs, we prioritize all assets detected with vulnerabilities that match at least one of the five selected RTIs.

Match All - Vulnerabilities that match ALL of the selected RTIs are picked for prioritization. For example, if you opt for Match All and select three Potential Impact RTIs and two Active Threats RTIs, we prioritize only those assets detected with vulnerabilities that match all five selected RTIs.

Potential Impact

High Data Loss - Successful exploitation will result in massive data loss on the host.

High Lateral Movement - After a successful compromise, an attacker has a high potential to compromise other machines in the network.

Wormable - Wormable has been associated with this vulnerability. The vulnerability can be used in “worms” - malware that spreads itself without user interaction.

Denial of Service - Successful exploitation will result in denial of service.

Patch Not Available - Vendor has not provided an official fix.

Privilege Escalation - Successful exploitation allows an attacker to gain elevated privileges.

Unauthenticated Exploitation - Exploitation of this vulnerability does not require authentication.

Remote Code Execution - Successful exploitation allows an attacker to execute arbitrary commands or code on a targeted system or in a target process.

Active Threats

Actively Attacks - Active attacks have been observed in the wild. This information is derived from Malware, Exploit Kits, acknowledgment from vendors, US-CERT and similar trusted sources. In addition, if there are no patches available from the vendor, Qualys will also add the Zero Day RTI.

Malware - Malware has been associated with this vulnerability.

Zero Day - An active attack has been observed in the wild and there is no patch from the vendor. An active attack is a prerequisite for this RTI, in addition to no patch from the vendor. If a vulnerability is not actively attacked, this RTI will not be set (even if there is no patch from the vendor). If a patch becomes available, Qualys will remove the Zero Day RTI attribute, which helps users focus only on vulnerabilities that are actively exploited and have no official patch.

Public Exploit - Exploit knowledge is well known and working exploit code is publicly available. The potential for active attacks is very high. This attribute is set, for example, when PoC exploit code is available from Exploit-DB, Metasploit, Core, Immunity or other exploit vendors. This RTI does not necessarily indicate that active attacks have been observed in the wild.

Predicted High Risk - Predicted High Risk has been associated with this vulnerability. Leverages machine learning to determine if a non-exploited vulnerability should be prioritized.

Easy Exploit - The attack can be carried out easily and requires little skill or no additional information.

Exploit Kit - Exploit Kit has been associated with this vulnerability. Exploit Kits are usually cloud-based toolkits that help malware writers identify vulnerable browsers/plugins and install malware. Users can also search by Exploit Kit name, such as Angler, Nuclear, Rig and others.

Wormable - Wormable has been associated with this vulnerability. The vulnerability can be used in “worms” - malware that spreads itself without user interaction.

Attack Surface

Use these filters to remove vulnerabilities from the report that aren’t the highest priority so you can focus on what’s most critical to your organization. For example, remove vulnerabilities that are not exploitable because they were found on a non-running kernel or service.

Running Kernel - It’s possible that multiple kernels may be detected on the same Linux host. Toggle this filter On to filter out kernel-related vulnerabilities that are not exploitable because they were found on a non-running kernel.  

Running Service - Toggle this filter On to filter out service-related vulnerabilities that are not exploitable because they were found on a non-running port/service.  

Not Mitigated by Configuration - We may detect software on a host that is considered vulnerable; however, there’s a specific configuration present on the host that makes it not exploitable. Toggle this filter On to filter out config-related vulnerabilities that are not exploitable due to host configuration.

Remotely Discoverable Only - Toggle this filter On to only include vulnerabilities that can be detected by a scanner using remote (unauthenticated) scanning.

Internet Facing Only - Toggle this filter On to include assets with IP addresses that could be exploitable. Our system tag named Internet Facing Assets includes a range of pre-defined IP addresses. We automatically tag assets that match the pre-defined IP address range in the tag.

To view the complete range of IP addresses that are included in the Internet Facing Assets system tag, go to the AssetView app, navigate to Assets > Tags and then select the Internet Facing Assets tag. From the quick-action menu, select View and then click Tag Rule in the View mode to view the complete list of IP addresses defined in the tag.
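The following added example (not Qualys code) models how the detection age ranges, the Match Any / Match All toggle and the Running Kernel / Running Service toggles described above combine to narrow a list of detections. The record fields, the function names and the sample data are hypothetical and constructed for illustration.

```python
from datetime import date

def in_age_ranges(days, ranges):
    """True if `days` falls in any selected range label, e.g. '0-30' or '180+'."""
    for label in ranges:
        if label.endswith("+"):
            if days >= int(label[:-1]):
                return True
        else:
            low, high = (int(part) for part in label.split("-"))
            if low <= days <= high:
                return True
    return False

def matches_rtis(vuln_rtis, selected, mode):
    """Match Any is a logical OR over the selected RTIs, Match All a logical AND."""
    hits = [rti in vuln_rtis for rti in selected]
    return any(hits) if mode == "any" else all(hits)

def prioritize(detections, today, age_ranges, selected, mode, surface):
    """Return IDs of detections passing the age, RTI and attack surface filters."""
    picked = []
    for d in detections:
        if not in_age_ranges((today - d["first_detected"]).days, age_ranges):
            continue
        if selected and not matches_rtis(d["rtis"], selected, mode):
            continue
        # A toggle that is On drops detections found on a non-running kernel/service.
        if any(on and not d[flag] for flag, on in surface.items()):
            continue
        picked.append(d["id"])
    return picked

# Constructed sample data; field names are hypothetical, not a Qualys schema.
TODAY = date(2024, 6, 1)
DETECTIONS = [
    {"id": "D1", "first_detected": date(2023, 10, 1), "running_kernel": True,
     "running_service": True, "rtis": {"Remote Code Execution", "Public Exploit"}},
    {"id": "D2", "first_detected": date(2023, 11, 15), "running_kernel": False,
     "running_service": True, "rtis": {"Remote Code Execution", "Malware"}},
    {"id": "D3", "first_detected": date(2024, 5, 20), "running_kernel": True,
     "running_service": True, "rtis": {"Denial of Service"}},
    {"id": "D4", "first_detected": date(2023, 8, 1), "running_kernel": True,
     "running_service": True, "rtis": {"Malware"}},
]
SELECTED = ["Remote Code Execution", "Malware"]

if __name__ == "__main__":
    for mode in ("any", "all"):
        print(mode, prioritize(DETECTIONS, TODAY, ["180+"], SELECTED, mode, {}))
```

With the 180+ range selected, Match Any keeps every old detection carrying either RTI, Match All keeps only the one carrying both, and turning the running-kernel toggle On removes that one because it was found on a non-running kernel.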