Hey @jeffeyssn 

The reason a Transform Map search comes up short is that the Qualys integration delegates the actual field-level mapping to Script Includes. The Transform Maps in the sn_vul_qualys scope mostly act as routing layers — their transformRow scripts are minimal or empty, and the heavy lifting happens in scope Script Includes invoked from the integration's processing pipeline.

For the most common case (Vulnerable Item fields populated from Qualys host detections), the Script Include to read is:

• QualysComprehensiveHostDetectionIntegration (scope sn_vul_qualys) — this is the processor for the active "Qualys Host Detection Integration" run. The mapping from Qualys API XML elements onto Vulnerable Item fields lives here.

For other data types, the parallel processors are:

• Host List (CI side) → QualysHostListIntegration and QualysHostListImportReportProcessor
• PC Results (configuration compliance) → QualysPCResultsIntegration, QualysComprehensivePCRSTestResultsIntegration
• Knowledge Base (Vulnerability Entries) → QualysKnowledgeBaseBackfillIntegration

Before changing the mapping logic itself, consider whether you can apply the transformation after the record lands rather than during ingest. A Business Rule, Calculator Rule, or Assignment Rule on the Vulnerable Item (or other target table) lets you derive the field you want without modifying the Qualys store-app code, and survives upgrades cleanly.

Heads-up: modifying the Qualys Script Includes is a customization. 

They ship with the Qualys store app, so each Qualys app release may include new versions. Your changes will appear under "Skipped Updates" after upgrade, and you'll need to re-merge each time. That's the trade-off versus a post-ingest approach.

Validate against current ServiceNow documentation for your release and confirm the behavior on your instance before relying on this map.

If this helped, please mark it as helpful or accept as solution so others running into the same issue can find it.