Applicable for customers with the Asset Risk Scoring feature enabled for their subscription. Contact Qualys Support or your Technical Account Manager if you're interested in this feature.
You have the option to display Qualys TruRisk details in vulnerability scan reports, including Asset Risk Score (ARS), Asset Criticality Score (ACS) and Qualys Detection Score (QDS). See the sections below to better understand these scores.
Jump to a section below:
How to display TruRisk details
Qualys Vulnerability Score for CVEs
1) Go to Reports > Templates. Create a new scan report template or edit an existing scan report template.
2) On the Findings tab, select Host Based Findings.
3) On the Display tab, select the following options:
- TruRisk Details (ARS, ACS, QDS)
- To see ARS and ACS in the report, you must also select Text Summary because these scores appear at the summary level for each host.
- To see QDS in the report, you must also select Vulnerability Details and at least one vulnerability detail like Threat because this score appears when you expand vulnerability details.
- Choose a Sort by option. When you sort by Host and TruRisk Details are included, you'll see scores in all report formats: CSV, XML, HTML, DOCX, PDF and MHT. When you sort by any other method (e.g. by vulnerability, operating system or asset group) and TruRisk Details are included, you'll only see scores in the CSV and XML report formats.
Asset Risk Score (ARS) is the overall risk score assigned to the asset. The ARS range is 0 to 1000 and is divided into four levels:
- Severe: 850-1000
- High: 700-849
- Medium: 500-699
- Low: 0-499
ARS is calculated from the following contributing factors:
a) Asset Criticality Score (ACS)
b) The QDS of each QID detected on the asset, grouped by severity level
c) An auto-assigned weighting factor (w) for each QID severity level
The following formula is used to calculate the ARS:
ARS = ACS * {wc * Avg(QDSc) + wh * Avg(QDSh) + wm * Avg(QDSm) + wl * Avg(QDSl)}
In the above formula:
ACS - Asset Criticality Score
w - weighting factor for each severity level of QIDs [critical (c), high (h), medium (m), low (l)]
Avg(QDS) - average of the Qualys Detection Scores of the QIDs at each severity level
If an asset has no critical vulnerabilities, the critical term contributes nothing and the ARS is calculated from the next available severity levels. To understand how QDS is calculated, see Qualys Detection Score.
The Asset Criticality Score (ACS) is derived from the tags assigned to the asset that have an ACS defined. If multiple such tags are assigned to the asset, the highest score is taken as the ACS.
For example, if you have assigned 6 tags to your asset, the tag with the highest ACS value (in the range 1-5) is the one used as the contributing factor when calculating the Asset Risk Score (ARS).
The Qualys Detection Score (QDS) is assigned to each vulnerability (QID) detected by Qualys. QDS has a range of 1 to 100, divided into four severity levels:
- Critical: 90-100
- High: 70-89
- Medium: 40-69
- Low: 1-39
QDS is derived from the following factors:
a) Vulnerability technical details (CVSS score): the highest Qualys Vulnerability Score (QVS) among the CVEs associated with the QID.
b) Vulnerability temporal details: Qualys monitors external threat intelligence for the vulnerability and collects data such as Exploit Code Maturity (ECM), known malware, active threat actors, and whether the threat is trending.
c) Vulnerability remediation details (CIDs): mitigation controls that reduce the risk from the vulnerability. A vulnerability whose mitigation controls are confirmed as applied via the Qualys compliance modules gets a reduced score.
Note: If multiple CVEs contribute to a QID, the CVE with the highest score is the one used in the QDS calculation.
Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as its CVSS score and external threat indicators like active exploitation and exploit code maturity, among others.
Qualys offers various mitigation controls (CIDs) that are applied against the QVS. Each CID applied to a QID reduces the score, and applying all of a QID's CIDs gives the largest reduction. If no CID is applied, the QDS is equal to the QVS.
The following formula is used to calculate the QDS, where CID stands for the total reduction earned by the applied mitigation controls:
QDS = QVS - CID
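The scoring chain described above (QVS minus CID reduction to QDS, QDS bucketed into severity levels, the highest tag ACS, and the weighted-average ARS formula) worked through end to end, as an added example that is not Qualys code. The page publishes the score ranges and the shape of the formulas but not the auto-assigned weighting factors, the size of each CID reduction, or what happens if ACS times the weighted sum leaves 0..1000; the weights, the per-QID reductions, the clamping, and the sample tags and QIDs below are assumptions for illustration only.

```python
"""Worked example of the TruRisk score chain on this page (QVS -> QDS -> ARS).

Added example, not Qualys code. The page gives the score ranges and the shape
of the formulas; the severity weights, the CID reduction amounts, the clamping
and the sample data are ASSUMPTIONS and are marked as such below.
"""
from collections import defaultdict

# Severity bands exactly as listed on the page: (label, low, high), inclusive.
QDS_BANDS = (("Critical", 90, 100), ("High", 70, 89),
             ("Medium", 40, 69), ("Low", 1, 39))
ARS_BANDS = (("Severe", 850, 1000), ("High", 700, 849),
             ("Medium", 500, 699), ("Low", 0, 499))

# ASSUMED weighting factors wc, wh, wm, wl. Qualys auto-assigns these and the
# page does not publish the values; these are illustrative placeholders.
WEIGHTS = {"Critical": 1.0, "High": 0.6, "Medium": 0.4, "Low": 0.2}


def _band(value, bands):
    for label, low, high in bands:
        if low <= value <= high:
            return label
    raise ValueError(f"{value} is outside the defined bands")


def qds_from_qvs(qvs, cid_reduction=0):
    """QDS = QVS - CID. With no mitigation control applied, QDS == QVS.

    cid_reduction is the total reduction earned by the CIDs applied to the
    QID (the page gives no per-CID amounts). ASSUMPTION: the result is
    clamped to the published QDS range 1..100."""
    return max(1, min(100, qvs - cid_reduction))


def qds_severity(qds):
    return _band(qds, QDS_BANDS)


def acs_from_tags(tags):
    """ACS is the highest ACS among the asset's tags that define one.

    tags: iterable of (tag_name, acs_or_None); tags without an ACS are ignored."""
    defined = [acs for _, acs in tags if acs is not None]
    if not defined:
        # The page does not say what applies when no tag carries an ACS.
        raise ValueError("no tag with an Asset Criticality Score")
    return max(defined)


def asset_risk_score(acs, qds_values, weights=WEIGHTS):
    """ARS = ACS * sum(w_level * Avg(QDS_level)) over the severity levels.

    A level with no detections contributes nothing, so an asset with no
    critical findings is scored from its remaining levels (the page's
    "next available" rule). ASSUMPTION: the result is clamped to 0..1000."""
    by_level = defaultdict(list)
    for qds in qds_values:
        by_level[qds_severity(qds)].append(qds)
    weighted = sum(weights[level] * (sum(vals) / len(vals))
                   for level, vals in by_level.items())
    return int(max(0, min(1000, round(acs * weighted))))


def ars_severity(ars):
    return _band(ars, ARS_BANDS)


def score_host(tags, detections):
    """detections: iterable of (qid, qvs, cid_reduction). Returns a summary
    shaped like the per-host Text Summary plus the per-QID detail."""
    acs = acs_from_tags(tags)
    details = [(qid, qds_from_qvs(qvs, cid)) for qid, qvs, cid in detections]
    ars = asset_risk_score(acs, [qds for _, qds in details])
    return {"acs": acs, "ars": ars, "ars_level": ars_severity(ars),
            "qds": [(qid, qds, qds_severity(qds)) for qid, qds in details]}


# Constructed sample host; the tag names, QID labels and scores are made up.
SAMPLE_TAGS = [("Web Servers", 3), ("PCI Scope", 5), ("Linux", None)]
SAMPLE_DETECTIONS = [
    ("QID-A", 95, 0),   # no CID applied: QDS == QVS, Critical
    ("QID-B", 92, 10),  # mitigated by CIDs: 92 - 10 = 82, drops to High
    ("QID-C", 78, 0),
    ("QID-D", 55, 0),
    ("QID-E", 45, 0),
    ("QID-F", 30, 0),
]

if __name__ == "__main__":
    result = score_host(SAMPLE_TAGS, SAMPLE_DETECTIONS)
    print(f"ACS {result['acs']}  ARS {result['ars']} ({result['ars_level']})")
    for qid, qds, level in result["qds"]:
        print(f"  {qid}: QDS {qds} ({level})")
    # Same host without its Critical finding: the critical term is skipped.
    print("ARS without QID-A:",
          asset_risk_score(result["acs"], [q for _, q, _ in result["qds"][1:]]))
```

With the assumed weights the sample host scores 845 (one Critical at 95, two High averaging 80, two Medium averaging 50, one Low at 30, times ACS 5), which lands in the High ARS band; removing the single Critical finding drops it to 370 (Low), which is the effect of the "next available severity level" rule. Mitigating QID-B via its CIDs is what moved it from Critical (92) to High (82), so the same QVS can yield a different QDS on two hosts depending on which controls each has in place.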
You'll only see scores for hosts that were scanned after the Asset Risk Scoring feature was enabled for the subscription. If you don't see scores for a host, then check when it was last scanned.
Let's say the same IP address belongs to 2 different networks (Global Default Network and Network A). You'll have 2 different host IDs for the same IP address. If you scanned the host in Network A but you did not scan it in the Global Default Network and you run a report on the IP address, then you'll see scores for the host in Network A but you won't see scores for the host in Global Default Network.