Configure a PCI Scan Report Template

You use a PCI scan report template to report on PCI internal vulnerability scans. Template settings allow you to customize what information is included (scan results, hosts, vulnerabilities and services) and how much to display for your report.

How do I create a PCI scan report template?

What is PCI risk ranking?

Tell me about host based findings

How to customize the PCI risk ranking

Tell me about scan based findings

Tell me about report filters

How much information is displayed?

Flag services and ports as required or unauthorized

How do I share reports with other users?

Requirements when using the Scan by Hostname feature


How do I create a PCI scan report template?

Go to VM/VMDR > Reports > Templates to view the report templates in your account. To create a new template, select New > PCI Scan Template. To edit an existing one, hover over a PCI scan template and select Edit from the Quick Actions menu.

Tell me about host based findings

We recommend Host Based Findings since it encompasses the latest vulnerability data from all of your scans. Each time you create a report, we'll automatically collect vulnerability data that we've indexed per host in your account - we refer to this as host based findings. This option gives you the most comprehensive and up to date picture of your vulnerability status.

You can create reports with trending information when you've selected Host Based Findings. If you use the default we'll include vulnerability information for the last 2 detections. In other words we'll analyze the last two detections for each vulnerability on each host and compare the current vulnerability status (New, Fixed, Re-Opened, Active) to the last known vulnerability status. Do you want to analyze trends for a timeframe instead? Just choose a different timeframe (daily, weekly or monthly) and we'll analyze the vulnerability status for the timeframe selected.

Only include scan results from the specified timeframe

Select this option to ensure that only vulnerability information gathered in the timeframe that you've specified is included in the report. If you do not select this option, vulnerability information for hosts that were last scanned prior to the report timeframe may be included. For example, let's say you want to create a report analyzing data for the past 4 weeks. Host A was scanned 5 weeks ago, and has not been scanned since then because it was firewalled and unreachable. By selecting this option you'll exclude Host A from the report and only analyze vulnerability information detected in the past 4 weeks. By clearing this option you'll include Host A in your report with the last known vulnerability information from 5 weeks ago.

Tell me about scan based findings

Select Scan Based Findings to run a report based on saved scan results. This gives you a view of your risk at a particular moment in time (at the time of the scan). Each time you create a report with this setting, you must manually select saved scan results to include in the report. Vulnerability data and hosts included in your report are specific to the scans that you choose at run time.

How much information is displayed?

The Display tab allows you to select how much information to include in the report, in both the summary and detailed results sections. You can choose to include report graphics, add custom text to the report footer, determine how the detailed results should be sorted and how much detail to include for each vulnerability.

What is the text summary?

The text summary includes the total number of vulnerabilities detected, the overall security risk, and the business risk (for reports sorted by asset group). The following tables also appear: total vulnerabilities by status, total vulnerabilities by severity, and top 5 vulnerability categories detected. Note that this option is not available in reports set to Manual scan results selection.

Tell me about the vulnerability details

Threat. A description of the threat.

Impact. Possible consequences that may occur if the vulnerability is exploited.

Solution: Patches and Workarounds. A verified solution to remedy the issue, such as a link to the vendor's patch, Web site, or a workaround.

Solution: Virtual Patches and Mitigating Controls. Virtual patch information that is correlated with the vulnerability, when this information is available in the KnowledgeBase. The service correlates virtual patch information obtained from Trend Micro real-time feeds.

Compliance. Compliance information associated with this vulnerability. Compliance types that may be included in your report include SOX, HIPAA, GLBA and CobIT.

Exploitability. Exploitability information that is correlated with this vulnerability, when this information is available in the KnowledgeBase. The service constantly correlates exploitability information from real-time feeds to provide up to date references to exploits and related security resources.

Associated Malware. Malware information that is correlated with this vulnerability, when this information is available in the KnowledgeBase. The service constantly correlates malware information obtained from Trend Micro Threat Encyclopedia real-time feeds to provide up to date references to malware threats and related security resources.

Results. Specific scan test results for each host. Also included: the date the vulnerability was first detected on the host, the date it was last detected on the host, and the total number of times it was detected on the host.

Tell me about the custom footer

This is a spot where you can add required information like a disclosure statement or data classification (e.g. Public, Confidential). The text you enter will appear in all reports generated from this template, except reports in XML and CSV formats.

How do I share reports with other users?

Managers and Unit Managers can grant users access to reports created from this template (when Report Share is enabled for your subscription). On the User Access tab, you can grant access to any user who would not otherwise receive the report automatically based on their account settings.

What is PCI risk ranking?

The PCI Council requires merchants to establish a process to identify and assign risk rankings for newly discovered security vulnerabilities. The service uses the risk rankings High, Medium and Low. By default these are set to the same CVSS scores as required for ASV external scans. By customizing the risk ranking scale within the PCI scan report template, you have the ability to create different reports on different sub-nets using a different risk ranking scale for each.

How to customize the PCI risk ranking

On the PCI Risk Ranking tab click the Custom PCI Risk Ranking button. Use the Customized Ranking sliders to set the risk rankings. Click and move the M slider to set the level for medium risk. Click and move the H slider to set the level for high risk. The slider setting indicates greater than or equal to the selected score. For example, if the H indicator is set to 7, this means a CVSS score 7.0 or greater will be considered High ranking.

A comment is required for customized ranking. You may, for example, provide a reason why the selected ranking is appropriate in your environment.

Click the "Add Search List Exception" button to add vulnerability exceptions using search lists. Select one or more vulnerability search lists and then select a risk ranking for each list from the Ranking menu. The ranking selected for a list applies to all QIDs in that list, overriding the CVSS-based ranking for those QIDs.

A comment is required for each search list for which you define a custom ranking. You may, for example, provide a reason why the selected ranking is appropriate for that vulnerability search list in your environment.

A note about search list exceptions: If multiple search lists are selected and a QID is included in more than one of the lists, that QID receives the ranking selected for the last search list. In other words, if QID 1234 is included in search lists A, B and C, and search list C is the last of these to be added, then QID 1234 receives the ranking selected for search list C.
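The ranking logic described above (slider thresholds as "greater than or equal to", plus search list exceptions where the last-added list wins), as an added example written for this page rather than Qualys code. The Medium default of 4.0 is an assumption; the page only gives the High example of 7.

```python
from dataclasses import dataclass, field

RANKINGS = ("High", "Medium", "Low")


@dataclass
class PciRiskRanking:
    """Customized PCI risk ranking from a PCI scan report template."""
    medium_at: float = 4.0  # M slider: CVSS >= this is Medium (assumed default)
    high_at: float = 7.0    # H slider: CVSS >= this is High (page example)
    # Search list exceptions in the order they were added: (name, QIDs, ranking)
    exceptions: list = field(default_factory=list)

    def add_search_list_exception(self, name, qids, ranking, comment):
        # The template requires a comment for every customized ranking.
        if not comment or not comment.strip():
            raise ValueError("a comment is required for search list %r" % name)
        if ranking not in RANKINGS:
            raise ValueError("ranking must be one of %s" % (RANKINGS,))
        self.exceptions.append((name, frozenset(qids), ranking))

    def rank_by_cvss(self, cvss):
        # Slider semantics: the score must be greater than or equal to the setting.
        if cvss >= self.high_at:
            return "High"
        if cvss >= self.medium_at:
            return "Medium"
        return "Low"

    def rank(self, qid, cvss):
        """Ranking for one QID: CVSS thresholds, then search list exceptions.

        When a QID sits in several selected lists, the last list added wins,
        so iterate in insertion order and let later matches overwrite."""
        ranking = self.rank_by_cvss(cvss)
        for _name, qids, list_ranking in self.exceptions:
            if qid in qids:
                ranking = list_ranking
        return ranking


if __name__ == "__main__":
    # Constructed data: QID 1234 appears in lists A, B and C; C was added last.
    template = PciRiskRanking(medium_at=4.0, high_at=7.0)
    template.add_search_list_exception("A", {1234}, "Low", "legacy subnet")
    template.add_search_list_exception("B", {1234, 5678}, "Medium", "compensating control")
    template.add_search_list_exception("C", {1234}, "High", "in scope for CDE")
    print(template.rank(1234, 2.0))  # High, from search list C
    print(template.rank(5678, 2.0))  # Medium, from search list B
    print(template.rank(9999, 6.9))  # Medium, from the CVSS sliders
```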

Tell me about report filters

On the Filter tab, you can customize the vulnerabilities included in the report (under Selective Vulnerability Reporting) and filter the report by operating system, vulnerability status, or vulnerability category. Selected items are included in the report and cleared items are filtered out.

Flag services and ports as required or unauthorized

On the Services and Ports tab, it's possible to flag specific services and ports as either "required" or "unauthorized". When a service or port flagged "unauthorized" is detected, or one flagged "required" is not detected, it appears as a vulnerability in the report under these QIDs: 38175 (Unauthorized Service Detected), 82043 (Unauthorized Open Port Detected), 38228 (Required Service Not Detected) and 82051 (Required Port Not Detected). The filters for the report template on the Filter tab must include these QIDs, otherwise the findings are silently dropped from the report. Note that if Custom is selected in the Selective Vulnerability Reporting section, you must add these QIDs to the search lists you select.
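How the four QIDs above are derived from the Services and Ports flags and why the Filter tab matters, as an added example written for this page (not Qualys code). The service names, port numbers and the `report_filter_qids` parameter are constructed for illustration.

```python
# QIDs from the page, keyed by what each one reports.
QID_UNAUTHORIZED_SERVICE = 38175      # Unauthorized Service Detected
QID_UNAUTHORIZED_PORT = 82043         # Unauthorized Open Port Detected
QID_REQUIRED_SERVICE_MISSING = 38228  # Required Service Not Detected
QID_REQUIRED_PORT_MISSING = 82051     # Required Port Not Detected


def evaluate_services_and_ports(flags, detected, report_filter_qids=None):
    """Return (qid, item) findings for one host.

    flags:    {"required": {"services": set, "ports": set},
               "unauthorized": {"services": set, "ports": set}}
    detected: {"services": set, "ports": set} observed by the scan.
    report_filter_qids: QIDs the template's Filter tab includes; None means
    all QIDs are included (the non-Custom case)."""
    findings = []
    # Unauthorized items are reported when they ARE detected.
    for svc in sorted(flags["unauthorized"]["services"] & detected["services"]):
        findings.append((QID_UNAUTHORIZED_SERVICE, svc))
    for port in sorted(flags["unauthorized"]["ports"] & detected["ports"]):
        findings.append((QID_UNAUTHORIZED_PORT, port))
    # Required items are reported when they are NOT detected.
    for svc in sorted(flags["required"]["services"] - detected["services"]):
        findings.append((QID_REQUIRED_SERVICE_MISSING, svc))
    for port in sorted(flags["required"]["ports"] - detected["ports"]):
        findings.append((QID_REQUIRED_PORT_MISSING, port))
    # A finding only reaches the report if its QID passes the Filter tab.
    if report_filter_qids is not None:
        findings = [f for f in findings if f[0] in report_filter_qids]
    return findings


# Constructed sample: ssh and 443 are required, telnet and 23 are unauthorized.
SAMPLE_FLAGS = {
    "required": {"services": {"ssh"}, "ports": {443}},
    "unauthorized": {"services": {"telnet"}, "ports": {23}},
}
SAMPLE_DETECTED = {"services": {"telnet", "http"}, "ports": {23, 80}}

if __name__ == "__main__":
    for qid, item in evaluate_services_and_ports(SAMPLE_FLAGS, SAMPLE_DETECTED):
        print(qid, item)
```

With a Custom filter whose search lists omit 82051, the missing required port is dropped from the report even though the flag is set, which is the pitfall the note above warns about.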

Requirements when using the Scan by Hostname feature

If you are using the Scan by Hostname feature and you want to report on hosts scanned by hostname, note the following requirements. In IPs/Ranges you must enter IPs/ranges that are resolved from the scanned DNS and NetBIOS hostnames. In Asset Groups you must enter asset groups which contain IP addresses that are resolved from the scanned DNS and NetBIOS hostnames.