Qualys Vulnerability Integration - Need few suggestions from experts

James234
Kilo Contributor

Hi Secops Experts,

I am planning to integrate the ServiceNow Vulnerability Response application with Qualys Vulnerabilities to pull data into ServiceNow. What are your suggestions for this integration regarding data considerations?

1) Should I pull all vulnerabilities or based on some date configuration or vulnerability priority? Where would I find a configuration to consider the date range for vulnerabilities?

2) Is it required to consider -  Qualys Appliance List Integration, Qualys Asset Group Integration, Qualys Dynamic Search List Integration, Qualys Host Detection Integration, Qualys Knowledge Base, Qualys Knowledge Base (Backfill), Qualys Static Search List Integration

Please highlight if there is anything else that I need to consider for managing vulnerabilities in ServiceNow.

1 ACCEPTED SOLUTION

Perfect!

So the easiest way to integrate w/ Qualys in London is w/ the Setup assistant

Once you've configured RBAC to your needs, then entered your Qualys API URL and chosen Qualys as your vulnerability plugin of choice under the 2 tasks in the "System Administration" section, you'll move on to the integration configuration section.

In this section, when editing Qualys settings, under option #3 - "Host Detection Configuration" you'll have the ability to filter down the number of vulnerabilities you're bringing in, both by severity & by date range (IE:  only bring in vulnerabilities found in the last 90, 180, or 365 days)

Hope that helps.

Yes, the CI field on the Vuln. Item record will always be populated.

It can be populated in 1 of 2 ways...

  1. SNOW has that CI in the CMDB and it has been matched to a Qualys found CI upon host import, then matched & populated in the CI reference field on the Vuln. Item record because Qualys has found a vuln. on that CI
  2. SNOW does not have that CI in the CMDB...in that case, when there is no match between what's in the CMDB & what Qualys has, a new CI will be created in the sn_vul_qualys_ci table...Then that CI will be the one referenced in the CI field on the vuln. item record

Also Jonathan - can you confirm whether I should use Group Rules for creating vulnerability groups based on Vulnerability, Configuration Item, or both?

In base platform, Group Rule with Vulnerability is already provided.

Appreciate your time and support.

The use of group rules allows you to create them to match your "remediation ownership" methodology. So you can dot walk to use any field from the vulnerability, or CI. For instance, some customers' remediation ownership methodology aligns by "OS" (IE: windows patch team, linux patch team, network device, etc...). Some customers use the CI owner, or application owner, or business service owner.

But based on your previous question about CI population on the Vuln. Item record, and not having CI's in the CMDB...this exercise may be challenging for you at 1st, with no defined CI ownership in the CMDB.

Exactly. As of now, we do not have the CMDB set up. So I was thinking of providing one of the below solutions: 1) Group Rule with just vulnerability (Base Rule) 2) Group Rule with Vulnerability and CI. What do you think, which one should I go with? Do you have any other recommendations until we set up CMDB data?

How do you want the data grouped?

  • A Vuln. Group that has all vulnerable items grouped with ONLY that one vulnerability but that vulnerability on all CI's it's been found on? (BASE RULE)

--- OR ---

  • A Vuln Group that has all vulnerable items grouped with any & all vulnerabilities found, but on only one CI?

For your scenario I'd probably go w/ the 2nd option.

If you can group the CI's by naming convention or subnet or something, and know you'd want to assign those to a specific remediation owner, you may be able to use a filter condition to get some better grouping.

You may want to just set up the integration & take a look at the data that comes in, both for the Qualys-created CI's & the vulns...and then come up w/ the best methodology you can (understanding the data & your organizational intricacies) for setting up the group rules.
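To make the three decisions in this thread concrete, here is an added in-memory model (example code, not ServiceNow's or Qualys's own implementation) of the pipeline described above: the Host Detection Configuration filter by severity and date window from the accepted solution, the two-way CI population (CMDB match, otherwise a record in sn_vul_qualys_ci) from the reply on the CI field, and the two group-rule styles (one vulnerability across all CIs, versus all vulnerabilities on one CI) plus a subnet filter condition from the last replies. The detection and CMDB records are constructed sample data; the field names, the matching keys (IP address, then hostname), the sys_id formats and the helper names are assumptions made for the illustration.

```javascript
// Added illustration, not ServiceNow or Qualys code. Field names, the CMDB
// matching keys (IP, then hostname) and sys_id formats are assumptions.

// Constructed sample Qualys host detections (not real scan output).
const DETECTIONS = [
  { qid: 'QID-1', severity: 5, host: { name: 'web01', ip: '10.0.0.1' }, lastFound: '2019-05-20' },
  { qid: 'QID-1', severity: 5, host: { name: 'db01',  ip: '10.0.0.2' }, lastFound: '2019-05-25' },
  { qid: 'QID-2', severity: 2, host: { name: 'web01', ip: '10.0.0.1' }, lastFound: '2019-05-30' },
  { qid: 'QID-3', severity: 4, host: { name: 'web01', ip: '10.0.0.1' }, lastFound: '2018-11-01' },
  { qid: 'QID-4', severity: 3, host: { name: 'app01', ip: '10.0.1.3' }, lastFound: '2019-05-28' },
];

// Constructed CMDB: only web01 is already known to ServiceNow.
const CMDB = [{ sys_id: 'ci_web01', name: 'web01', ip: '10.0.0.1' }];

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Step 1 (Host Detection Configuration): keep detections at or above a
// severity and last found within the last N days (e.g. 90, 180 or 365).
function filterDetections(detections, minSeverity, lastDays, now) {
  const cutoff = Date.parse(now) - lastDays * MS_PER_DAY;
  return detections.filter(d => d.severity >= minSeverity && Date.parse(d.lastFound) >= cutoff);
}

// Step 2 (CI field on the vuln. item): match the Qualys host against the CMDB;
// if nothing matches, create or reuse a record in the stand-in for sn_vul_qualys_ci.
function resolveCi(host, cmdb, qualysCiTable) {
  const match = cmdb.find(ci => ci.ip === host.ip || ci.name.toLowerCase() === host.name.toLowerCase());
  if (match) return { table: 'cmdb_ci', sys_id: match.sys_id, name: match.name, ip: match.ip };
  let created = qualysCiTable.find(ci => ci.ip === host.ip);
  if (!created) {
    created = { sys_id: 'qci_' + host.name, name: host.name, ip: host.ip }; // assumed id format
    qualysCiTable.push(created);
  }
  return { table: 'sn_vul_qualys_ci', sys_id: created.sys_id, name: created.name, ip: created.ip };
}

// One vulnerable item per detection, with the CI reference populated.
function buildVulnItems(detections, cmdb, qualysCiTable) {
  return detections.map(d => ({
    vulnerability: { qid: d.qid, severity: d.severity },
    ci: resolveCi(d.host, cmdb, qualysCiTable),
    lastFound: d.lastFound,
  }));
}

// Dot-walk a path such as 'vulnerability.qid' or 'ci.sys_id' on a vuln item.
function dotWalk(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Step 3 (group rule): keyPaths are the dot-walked fields that define a group;
// condition is an optional filter, e.g. only CIs in a given subnet.
function groupVulnItems(items, keyPaths, condition) {
  const groups = new Map();
  for (const item of items) {
    if (condition && !condition(item)) continue;
    const key = keyPaths.map(p => dotWalk(item, p)).join('|');
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(item);
  }
  return groups;
}

// Runs the whole pipeline on the constructed data with a fixed "today".
function runExample() {
  const qualysCiTable = [];
  const kept = filterDetections(DETECTIONS, 3, 90, '2019-06-01');
  const items = buildVulnItems(kept, CMDB, qualysCiTable);
  return {
    kept,
    items,
    qualysCiTable,
    byVulnerability: groupVulnItems(items, ['vulnerability.qid']), // base rule: one vuln, all CIs
    byCi: groupVulnItems(items, ['ci.sys_id']),                    // option 2: all vulns, one CI
    bySubnet: groupVulnItems(items, ['vulnerability.qid'], it => it.ci.ip.startsWith('10.0.0.')),
  };
}

const result = runExample();
console.log('kept detections:', result.kept.length, '| sn_vul_qualys_ci rows:', result.qualysCiTable.length);
console.log('groups by vulnerability:', result.byVulnerability.size, '| groups by CI:', result.byCi.size);
```

With this data the 90-day, severity 3+ filter keeps three of the five detections; web01 resolves to the CMDB record while db01 and app01 land in the sn_vul_qualys_ci stand-in, which is why grouping by CI yields three groups and grouping by vulnerability yields two. The subnet condition shows the filter idea from the last reply: it drops app01 and leaves a single QID-1 group.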