Split Qualys detections based on vulnerability instance

  • Release version: Zurich
  • Updated July 31, 2025
  • 1 minute to read

    • Vulnerability Response allows you to split detections from Qualys scanners, creating a unique Vulnerable Item (VIT) for each detected vulnerability instance. This supports more precise assignment to remediation teams and improves vulnerability management and tracking.

    Before you begin

    Role required: admin

    About this task

    The Qualys scanner payload includes detection data with proof details. Each path in the proof is used to identify and split vulnerability instances. The output tag in the payload indicates the location of the vulnerability, enabling accurate separation and management of detections.

    Procedure

    1. Enable detection splitting
      1. Navigate to the Third-party Integration table [sn_sec_int_integration].
      2. Open the record for Qualys Cloud Platform.
      3. Set the Include proof VI key to true.
      4. Save the record.
    2. Optional: Exclude specific QIDs from detection splitting
      1. Open the system property [sn_vul_qualys.skip_split_detection_ids].
      2. In the Value field, enter a comma-separated list of QIDs you want to exclude from splitting.
        Note:
        By default, the following QIDs are excluded from splitting due to the volume of their findings: QID-989920, QID-993308, QID-5001711, QID-5001632.
      3. Save the property.
    3. Ensure QIDs are listed for splitting
      1. Navigate to the Proof Key Vulnerability List table [sn_vul_proof_key_vulnerability_list].
      2. Verify that the QIDs you want to split are listed.

    Result

    After executing the Qualys Host Detection Integration, detections are split based on proof, creating individual Vulnerable Items (VITs) for each vulnerability instance. You can verify the results in the Vulnerability Item Detections table [sn_vul_detection_list], where each detection appears as a separate record.