Hi there,

Thanks for posting these questions! I'm new here, but I'll try to provide some insight to help answer your questions.

1) When integrating with third party applications such as Qualys, results from the vulnerability scanner are imported as detections, which are distinct occurrences of vulnerabilities as reported by the scanners. The Search List Vulnerability table (sn_vul_qualys_m2m_search_list_vul) stores the mapping for the integration (see a full list of tables here). Additional information on Qualys data transformation can be found in this product documentation including information related to Dynamic Search List Import, Static Search List Import, Asset Group Import, and Appliance Import.

2) As detections are imported, they are used to create new vulnerable items and update the state of existing vulnerable items based on the external ID or the vulnerability entry and the configuration item ID. A vulnerable item is a detected combination of a vulnerability and configuration item. Detection data are paired with vulnerable items and the vulnerable item state is updated based on the state of the detections. If a vulnerable item is not found, a new one is created (see more here). The Detection script include (sn.vul.Detection) contains the functionality related to the vulnerable item creation and state transition. This script include extends the DetectionBase script include. Any customizations should be made on the Detection script include (not DetectionBase).

I hope this helps. Please let me know if you have any other questions!

Sarah