You’ll notice host results from your scans and agents are displayed separately in reports and asset views by default. You can choose to merge host results to get unified views of your assets. Just follow these steps.
There are two unique asset identifiers: Agentless Tracking Identifier and Agent Correlation Identifier. You can use one or both identifiers.
Use the Agentless Tracking Identifier to track hosts by a unique asset UUID. The Agentless Tracking Identifier is supported for both VM and PC. Once your hosts are scanned using Agentless Tracking they are tracked by asset UUID. To get started, the Manager primary contact for the subscription must go to Assets > Setup > Asset Tracking & Data Merging to accept the Agentless Tracking Identifier. Once accepted, there are additional steps that must be completed before you can start scanning with agentless tracking. Go here to see complete steps.
Use the Agent Correlation Identifier to merge unauthenticated and authenticated vulnerability scan results from scanned IP interfaces and agent VM scans for your cloud agent assets. The Agent Correlation Identifier is supported for VM only and is detected by QID 48143 "Qualys Correlation ID Detected". When the Manager Primary Contact accepts this option for the subscription, this new identifier will also be used to identify the asset and merge scan results as per the selected data merge option. Go to Assets > Setup > Asset Tracking & Data Merging to get started. Then there are additional steps that must be completed to use this feature. Go here to see complete steps.
Host data from agents is tracked and merged by a unique Qualys asset UUID and/or Agent Correlation ID with different options.
What are the steps? Any Manager can go to Assets > Setup > Asset Tracking & Data Merging > Asset Tracking & Data Merging and select appropriate options to merge and track the data. There are different scenarios to merge agent scan results with selection of unique asset identifiers. Refer Agent Scan Merge Cases to see these scenarios.
Each option is described below to help you better understand how assets will be tracked and the number of asset records that may be created as a result of your selection.
With this option, we will not merge scan results from agent scans and IP scans. You’ll get a separate asset record for each agent and scanned IP interface of an asset. Multiple interfaces will be maintained separately.
Good to Know - Mobile laptops will create multiple asset records based on the IPs they report from scans. Thus, for a single machine, you can have multiple asset records.
Asset records:
Asset1: Agent scanned asset (Tracking Method: Agent UUID and/or Agent Correlation ID)
Asset2: IP 1 (Tracking Method: IP)
Asset3: IP 2 (Tracking Method: IP)
Asset4: IP 3 (Tracking Method: IP)
...
With this option, data will be merged based on the scanning method. You can end up with 2 asset records for the same machine. All scanned interfaces of an asset will be merged into a single asset record (tracked by IP). You will get a separate asset record (tracked by agent UUID and/or Agent Correlation ID) from the cloud agent scan results. Results of network scans and agent data will NOT be merged together.
Good to Know - Multiple interface systems will have single IP tracked asset record and vulnerabilities from different interfaces will not be tracked separately. Thus, for the same machine, you’ll have 2 asset records at the most (if an agent is installed).
Asset records:
Asset1: Agent scanned asset (Tracking Method: Agent UUID and/or Agent Correlation ID)
Asset2: IP 1, IP 2, IP 3 (Tracking Method: IP)
With this option, you’ll get a single asset record with results from cloud agent scans and results from all scanned IP interfaces merged for a single unified view of the asset. Assets with a cloud agent will be tracked by agent UUID and assets without a cloud agent will be tracked by IP.
Good to Know - If machines are cloned, various machines with the same unique asset UUID will be merged into a single asset record.
Asset record:
Asset1: Agent UUID, IP1, IP2, IP3 (Tracking Method: Agent UUID and/or Agent Correlation ID or IP)
This option is a hybrid approach that will allow customers to maintain their multi-home servers without agents AND user endpoints with agents. We’ll automatically detect whether a cloud agent is installed and merge results into a single unified view of the asset *only* when an agent is found. Assets with a cloud agent will be tracked by agent UUID and/or Agent Correlation ID and all the scanned interfaces of an asset without a cloud agent will be tracked by IP.
Good to Know - When you enable smart merging, we will automatically choose between merging Option 1 and merging Option 3.
- For multi-home servers with an agent installed, you’ll get a single asset record with results from cloud agent scans and results from all scanned IP interfaces merged for a single unified view of the asset (same as Option 3).
- For endpoints without agents having multiple interfaces (for example, LAN & Wifi) or roaming laptops, you’ll get a separate asset record for each scanned IP interface of the asset. Multiple interfaces will be maintained separately (same as Option 1).
Asset records if an agent is found:
Asset1: Agent UUID, IP 1, IP 2, IP 3 (Tracking Method: Agent UUID and/or Agent Correlation ID)
Asset records if an agent is not found:
Asset1: IP 1 (Tracking Method: IP)
Asset2: IP 2 (Tracking Method: IP)
Asset3: IP 3 (Tracking Method: IP)
...
Agentless Tracking Identifier setup instructions