Qualys VMDR Getting Started Guide


VMDR

Getting Started Guide

June 8, 2022

Verity Confidential
Copyright 2022 by Qualys, Inc. All Rights Reserved.
Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks
are the property of their respective owners.

Qualys, Inc.
919 E Hillsdale Blvd
4th Floor
Foster City, CA 94404
1 (650) 801 6100
Table of Contents
About this Guide
  About Qualys
  Qualys Support
About VMDR
  How does it work?
Identify your Assets
  Get Started with Cloud Agents
  What are the other ways to find assets
Discover Vulnerabilities
Prioritize your Vulnerabilities
  Prioritization Modes
  Reading the VMDR Prioritization Report
Patch Management
  Patch Vulnerabilities from VMDR Report


About this Guide


Thank you for your interest in Qualys Vulnerability Management, Detection, and Response
(VMDR). Qualys VMDR expands the capabilities of the Qualys Cloud Platform to discover,
assess, prioritize, and patch critical vulnerabilities in real time and across your global
hybrid-IT landscape, all from a single solution.

About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses
simplify security operations and lower the cost of compliance by delivering critical
security intelligence on demand and automating the full spectrum of auditing,
compliance and protection for IT systems and web applications.
Founded in 1999, Qualys has established strategic partnerships with leading managed
service providers and consulting organizations including Accenture, BT, Cognizant
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT,
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA). For more information, please visit
www.qualys.com.

Qualys Support
Qualys is committed to providing you with the most thorough support. Through online
documentation, telephone help, and direct email support, Qualys ensures that your
questions will be answered in the fastest time possible. We support you 7 days a week,
24 hours a day. Access support information at www.qualys.com/support/


About VMDR
Vulnerability Management, Detection and Response (VMDR) enables you to discover,
assess, prioritize, and patch critical vulnerabilities and misconfigurations in real time and
across your global hybrid-IT landscape all in one solution.
It helps you get continuous vulnerability assessments with cloud agents and network-level
visibility using network scanners and multiple types of sensors, and leverages artificial
intelligence to instantly assess and prioritize threats based on relevant context.
VMDR starts with asset discovery and inventory to make sure you have an accurate
account of all devices in your environment.
We'll help you get started quickly!

Know your Subscription Type


If you are an existing VM customer, you are upgraded to the VMDR experience by default,
and you can buy VMDR to get additional features.

With VMDR experience you get


- Asset inventory across environments like: Certificate, Cloud, Container, Mobile Devices
- Unlimited sensors to help you identify those assets: Virtual Passive Sensors, Cloud
Agents, Mobile Agents, Container Sensors
- Search any asset in seconds using 200+ searchable attributes
- Customizable dashboards and widgets with trending information

Once you upgrade to VMDR you’ll also get


- Security Configuration Assessment to start configuration assessment and identify
security misconfigurations on your assets based on CIS benchmarks
- Threat-based Prioritization based on continuously updated Real-time threat indicators
- Real-time Alerting by email of critical vulnerabilities and changes to your external
perimeter, etc.
- Detection of missing patches in context of the detected vulnerabilities
- Initiate deployment of missing patches from the Prioritization report directly
Note: Deployment of patches is available only for customers with the Patch Management
add-on


How does it work?


With VMDR, you get real-time asset discovery and vulnerability information, you can
prioritize or shortlist vulnerabilities according to threat intelligence, and you can
detect and deploy the right remedial patches at the click of a button.

Identify Assets
Start identifying assets by installing Cloud Agents or upgrading existing agents for VMDR.
Assign tags to categorize and organize your assets. You can also use other methods such
as Scanners, Passive Sensor, Cloud Inventory, Container Inventory, Mobile Device
Inventory to build your inventory. To learn more, refer to Identify your Assets.

Discover Vulnerabilities & Misconfigurations


Our always up-to-date signature database continuously discovers software vulnerabilities
and identifies security misconfigurations. Get a complete view of your vulnerability
posture from an asset and vulnerability point of view in the Vulnerabilities tab. To learn
more, refer to Discover Vulnerabilities.

Prioritize Threats with TruRisk™


Run the Prioritization report to prioritize the most critical threats on your assets based
on real-time threat indicators and identify what to remediate first. With TruRisk you can
assess the risk scores of your assets and prevent attacks. You can quantify asset risks
using parameters like Asset Risk Score and Qualys Detection Score.
To learn more, refer to Prioritize your Vulnerabilities.

Detect & Deploy Missing Patches


VMDR for IT Service Management (ITSM) manages tracking of open vulnerabilities and
remediation mapping by using the ServiceNow ITSM platform. ServiceNow tasks are
automatically assigned to the group to deploy the most relevant patches.
To learn more, refer to Patch Management.


Identify your Assets


Set up your Cloud Agents, scanners and sensors to continuously discover and build an
inventory of your IT assets (on-prem, cloud, mobile, container and applications),
providing 100% real-time visibility.

Get Started with Cloud Agents


Start building your inventory by installing new cloud agents or by upgrading your existing
cloud agents for VMDR.
VMDR requires the activation of a purpose-built engine for detecting missing patches for
Cloud Agents. While this engine is extremely lightweight and efficient, activating Cloud
Agents for VMDR will require a 20MB download and 100MB of free space on each host for
these components.
Install new agents
Upgrade existing agents

Know the requirements


Here are the system requirements for installing and running Cloud Agents:
- Host must reach Qualys Cloud Platform (or Qualys Private Cloud Platform) over HTTPS
port 443
- (Windows) Local administrator privileges on the host. Proxy configuration is supported.
- (Linux, Mac, AIX) Root privileges, non-root with sudo root delegation, or non-root with
sufficient privileges. Proxy configuration is supported.


Install new agents


Navigate to the Welcome option in the Help menu to view the Welcome page. In the
Identify Assets section click the Download Cloud Agent button.

Select an OS and download the agent installer to your local machine. Run the installer on
each host from an elevated command prompt.
For example, click Windows and follow the agent installation instructions displayed on the
page. We provide you with a default AI activation key for the agent installation. To add or
manage your keys, go to Cloud Agent > Agent Management.


Upgrade existing agents


Navigate to the Welcome option in the Help menu to view the Welcome page. In the
Identify Assets section click the Configure Agents for VMDR button.

Select the desired activation keys and click Upgrade. The selected activation keys will
be upgraded for VMDR.

To learn more, download the Cloud Agent Getting Started Guide.


What are the other ways to find assets


You can also build your inventory for on-prem (devices and applications), mobile,
endpoints, clouds, containers, OT and IoT assets using scanners, sensors, or connectors.
Navigate to the Welcome option in the Help menu to view the Welcome page. In the
Identify Assets section select how you want to start configuring your inventory.  

What’s next?
You will start viewing all your assets and vulnerability details in the Vulnerability tab in
VMDR.


Discover Vulnerabilities
Once your inventory is built, you can view the vulnerability posture of your assets in the
Vulnerability tab. You can search for vulnerabilities by vulnerability and by asset. All the
assets and their associated vulnerability details that are identified by cloud agents,
scanners and sensors are listed in the Vulnerabilities tab.

Switch between the Asset and Vulnerability view and drill down to a specific asset or
vulnerability. From the Quick Action menu, click View Details to get more information.
If the vulnerability is Qualys patchable and you have the Patch Management add-on
in your subscription, you can view the Patch Now option in the details view, which
helps you initiate the deployment workflow in Patch Management.
If you have the Security Configuration Assessment add-on, you can do configuration
assessment and identify security misconfigurations on your assets based on CIS
benchmarks.


Prioritize your Vulnerabilities


VMDR Prioritization allows you to automatically prioritize the riskiest vulnerabilities on
your most critical assets – reducing potentially thousands of discovered vulnerabilities, to
the few that matter. Using real-time threat intelligence, we help you detect and prioritize
the vulnerabilities to remediate first, based on your environment.
The VMDR Prioritization report indicates the most critical threats and prioritizes patching.
It also:
- Guides you to focus resources in the right area to first patch the highest risk
vulnerabilities.  
- Increases the security posture of your organization by identifying and remediating the
vulnerabilities that are likely to get exploited in the wild by threat actors.
- Empowers security analysts to pick and choose the relevant threat indicators. For
example, if an organization has financial data of users, they can prioritize vulnerabilities
based on ‘High Data Loss’ indicator to first identify and remediate vulnerabilities that may
result in data exfiltration, if exploited.  
- Helps you identify the specific patch that fixes a particular vulnerability.
- Reduces remediation time by detecting the patch to be deployed from the same platform
in an integrated workflow, at the click of a button (if Patch Management app is enabled in
your subscription).
- Includes only the confirmed vulnerabilities.

Prioritization Modes
We provide you with the following two options to prioritize the remediation of
vulnerabilities based on:
- Age, RTI, and Attack Surface
- Qualys TruRisk™ Mode

Age, RTI, and Attack Surface


Qualys offers you an option to prioritize and remediate vulnerabilities based on filters like
Age, RTI, and Attack Surface.


Prerequisites: Before you start generating the prioritization report, ensure that:
- You have gathered the vulnerability posture for the assets. You could build your
asset inventory using Cloud Agents or other methods such as Scanners, Passive
Sensor, Cloud Inventory, Container Inventory, Mobile Device Inventory. All the
assets and their associated vulnerability details that are identified by cloud
agents and sensors are listed in the Vulnerabilities tab. Refer to Identify your
Assets.
- You have the Create Report permission (part of Global Reporting permissions).
Contact your manager if you do not have the adequate permissions.

1. In the Prioritization tab click Reports.

2. Click Start Prioritizing


3. Select at least one Asset tag to display the prioritized list of vulnerabilities associated
with the assets.

4. Click to proceed with Prioritization.


5. In the Asset Tags section, from Include and Exclude menu, select one of the following
options:
- Any: to include or exclude all assets that might have any of the selected tags.
- All: to include or exclude only those assets which have all the selected tags.
6. Select the various filters for VMDR Prioritization report.


Detection Age: Select detection age ranges (0-30, 31-60, etc.) to include in the report. The
Detection age is based on when the vulnerability was first detected (by a scanner or cloud
agent).
Real-Time Threat Indicators:  Select the Real-Time Threat Indicators (RTIs) that you’re
interested in. Your report will include vulnerabilities that match *any* of the selected RTIs.
Attack Surface: Select these filters to remove vulnerabilities from the report that aren’t
the highest priority so you can focus on what’s most critical to your organization.
7. Click Prioritize Now to enable the threat intelligence to prioritize the riskiest
vulnerabilities on your network for the assets you selected.
Once you generate the report, you could proceed with patching the vulnerabilities (if Patch
Management app is enabled in your subscription), export the report in the form of a
widget to your dashboard or download the report in CSV format. To learn more, refer to
Reading the VMDR Prioritization Report.

Qualys TruRisk™ Mode


Attackers can exploit the vulnerabilities while you are in the process of reviewing,
prioritizing, and patching all the reported vulnerabilities. Qualys VMDR with TruRisk™
Mode offers risk-based vulnerability management with unique insights into an
organization's outlook to prioritize its most critical threats.
Qualys TruRisk Mode vulnerability management includes features like:
- intelligence-driven vulnerability severity scoring.
- detecting the location of assets vulnerabilities, including their business and operational
criticality, association with business-critical applications, context about the asset's
exposure to attack and many more.
This mode helps prioritize Assets or Vulnerabilities based on risks generated in the result.
Perform the following steps to enable Qualys TruRisk™ Mode to provide data for Asset
Criticality, Qualys Detection Score (QDS), and Asset Risk Score (ARS):
1. In the Prioritization tab click Reports.

2. Click Start Prioritizing


3. Select at least one Asset tag to display the prioritized list of vulnerabilities associated
with the assets.

4. Click to proceed with Prioritization.


5. In the Asset Tags section, from Include and Exclude menu, select one of the following
options:
- Any: to include or exclude all assets that might have any of the selected tags.
- All: to include or exclude only those assets which have all the selected tags.
6. Toggle the Qualys TruRisk™ Mode to enable it.


By default, the result displays the highest value of Asset Criticality and the Qualys
Detection Score.

7. You can select the range of Asset Criticality (1-5) using the Asset Criticality bar graph.
The highest score is considered if multiple tags are assigned to the asset.
8. You can select the range of Risks (Low-Critical) in the Qualys Detection Score (QDS) bar
graph. The risk scores generated prioritize the assets and vulnerabilities.
9. You can select the Asset Risk Score (ARS) from the pie chart. ARS helps you prioritize
your vulnerabilities based on the risk to your assets and not just the technical severity.
10. Click Prioritize Now to enable the threat intelligence to prioritize the riskiest
vulnerabilities on your network for the assets you selected.
Once you generate the report, you could proceed with patching the vulnerabilities (if Patch
Management app is enabled in your subscription), export the report in the form of a
widget to your dashboard or download the report in CSV format. To learn more, refer to
Reading the VMDR Prioritization Report.


Reading the VMDR Prioritization Report


Using the VMDR Prioritization Report, you can detect which vulnerabilities to remediate
first. The report consists of two sections: Summary and Details.

Summary
The Summary section of the VMDR Prioritization report displays the findings with the
following three sections:

Prioritized Assets  
Depending on the asset tags that you choose, the assets are identified for this report.
Prioritized Assets is the count of assets out of the total assets with vulnerabilities that
meet the combination of the detection age, RTIs, and attack vectors you selected.
In the above example, 8 assets matched the selected asset tags. Out of the 8 assets, 2
assets had vulnerabilities that met the combination of the selected detection age, RTIs,
and attack surface.

Prioritized Vulnerabilities
The Prioritized Vulnerabilities section displays a summary of prioritized vulnerabilities
that are detected on the assets.
Instances: The count indicates the total number of vulnerabilities that meet the
combination of the detection age, RTIs, and attack surface you selected.  
The count may include multiple occurrences of a single vulnerability (that is a single QID)
detected on multiple assets.
In the above example, 154 vulnerabilities were detected on the 8 assets. Out of the 154
vulnerabilities, 8 vulnerabilities met the combination of the selected detection age, RTIs,
and attack surface across the 2 assets.
Unique: The count of unique vulnerabilities (excluding duplicate QID instances) out of the
vulnerability instances identified/detected.
In the above example, out of the 8 instances, 6 are unique vulnerabilities.
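
The Summary counts can be reproduced from raw detections, which is useful for sanity-checking an exported report. The Python sketch below is an added example, not Qualys code and not part of the original guide; the record fields, asset names, QIDs and the second RTI label are constructed, and the matching rules follow the filter descriptions in this guide (Any/All asset tags, selected detection-age ranges, any-of RTIs). Attack Surface filters are left out because the guide does not enumerate them.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

AgeRange = Tuple[int, int]  # inclusive (min_days, max_days), e.g. (0, 30)


@dataclass(frozen=True)
class Detection:
    """One vulnerability instance on one asset (field names are assumptions)."""
    asset: str
    asset_tags: FrozenSet[str]
    qid: int               # constructed QID, not a real Qualys identifier
    age_days: int          # days since the vulnerability was first detected
    rtis: FrozenSet[str]   # Real-Time Threat Indicators attached to the QID


def asset_in_scope(asset_tags: FrozenSet[str], selected: FrozenSet[str], mode: str) -> bool:
    """Include rule for asset tags: 'any' selected tag, or 'all' selected tags."""
    if mode == "any":
        return bool(asset_tags & selected)
    if mode == "all":
        return selected <= asset_tags
    raise ValueError(f"unknown tag mode: {mode!r}")


def summarize(detections: Iterable[Detection], tags: Iterable[str], tag_mode: str,
              age_ranges: List[AgeRange], rtis: Iterable[str]) -> Dict[str, int]:
    """Compute the Summary counts for one combination of filters."""
    selected = frozenset(tags)
    if not selected:
        raise ValueError("select at least one asset tag")
    wanted = frozenset(rtis)
    in_scope = [d for d in detections if asset_in_scope(d.asset_tags, selected, tag_mode)]
    matched = [
        d for d in in_scope
        if any(lo <= d.age_days <= hi for lo, hi in age_ranges)  # any selected age range
        and d.rtis & wanted                                       # any selected RTI
    ]
    return {
        # Assets are derived from detections, so assets with no findings are not counted.
        "assets_matching_tags": len({d.asset for d in in_scope}),
        "prioritized_assets": len({d.asset for d in matched}),
        "total_vulnerabilities": len(in_scope),
        "instances": len(matched),               # same QID on two assets counts twice
        "unique": len({d.qid for d in matched}), # duplicate QID instances collapsed
    }


def _d(asset, tags, qid, age, rtis=()):
    return Detection(asset, frozenset(tags), qid, age, frozenset(rtis))


HDL = "High Data Loss"      # RTI named in this guide
OTHER = "Constructed RTI"   # placeholder label, not a real indicator name

# Constructed sample data.
SAMPLE = [
    _d("web01", {"prod", "web"}, 900001, 12, {HDL}),
    _d("web01", {"prod", "web"}, 900002, 45),
    _d("web01", {"prod", "web"}, 900003, 95, {HDL}),   # too old for 0-60 days
    _d("web02", {"prod", "web"}, 900001, 20, {HDL}),   # same QID as on web01
    _d("web02", {"prod", "web"}, 900004, 40, {OTHER}),
    _d("db01", {"prod"}, 900005, 5),
    _d("dev01", {"dev"}, 900001, 3, {HDL}),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, {"prod"}, "any", [(0, 30), (31, 60)], {HDL}))
```

With the `prod` tag, the 0-30 and 31-60 ranges and the High Data Loss indicator, the sample yields 2 prioritized assets out of 3, and 2 instances of 1 unique QID out of 6 detections.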


Available Patches
Count of the patches that are available with Qualys. Click Patch Now to initiate the
process of patching the vulnerabilities. For more details refer to Patch Management.

Note: The Patch Now button is enabled only when Qualys can automatically
patch the vulnerability and the Patch Management app is enabled in your
subscription.

Details
The details section includes detailed information about prioritized vulnerabilities, patches
and prioritized assets. Use the tabs to toggle between the three views. The Vulnerabilities
and Assets tabs offer search capabilities using limited tokens.

Export To Dashboard
You can export the VMDR Prioritization report to dashboard in the form of a widget and
continuously monitor the widget to check the vulnerabilities on the prioritized assets.
Here are the steps to export the report to your dashboard.
Note: The Export to Dashboard button is enabled only after you have generated the report.
1) On the VMDR Prioritization report, click Export to Dashboard.  
2) Provide a name for the widget.
3) Select the Dashboard you want to add the widget to and then click Export.
The widget is added to the dashboard.

Download Reports (CSV format)


You can download the VMDR Prioritization report to your local system in CSV format. The
Download button is enabled after you have generated the VMDR Prioritization report.
Note: Missing patches can be downloaded in your report only if you have the Patch
Management add-on enabled in your subscription.
1) On the VMDR Prioritization report, click Download.  


2) Provide a name and description (optional) for the report.


3) Currently only the CSV option is supported, so it is preselected for you.
4) If required, you can change timezones for dates included in report using the Change
timezones for dates included in report option. By default, the browser's time zone is used
to report dates in the report.
5) Click Download.
The VMDR Prioritization report is downloaded to your local system in CSV format for
future reference.


Patch Management
In the VMDR Prioritization report you can view the assets and vulnerabilities that can be
patched by Qualys. You can initiate the patching process and patch the vulnerabilities
directly from the report.
Note: Deployment of patches is available directly from the VMDR Prioritization report only
for customers with the Patch Management add-on.

Patch Vulnerabilities from VMDR Report


The Summary section of the VMDR Prioritization report displays findings with the
following three sections:

The Available Patches widget shows the count of the patches that are available with
Qualys. Click Patch Now to initiate the process of patching the vulnerabilities.
Note: The Patch Now button is enabled only when Qualys can automatically patch the
vulnerability and the Patch Management app is enabled in your subscription.
To initiate the patching process click the Patch Now button and choose to perform one of
the following actions:

Zero Touch Patch Job - Opens the wizard to create an automated job to proactively patch
current and future Windows vulnerabilities based on the criteria selected while
generating the Prioritization report in the Patch Management app. Follow the instructions
in the wizard and initiate the patching process by creating a new job.
Windows Patches - Displays the list of Windows Patches in the Patch Management app.


View Missing Windows Patches - Displays the list of missing Windows patches for the
prioritized assets and vulnerabilities. You can view the list of missing patches even with
the free version of Patch Management app that is activated for the assets.

Linux Patches - Displays the list of Windows Patches in the Patch Management app.
View Missing Linux Patches - Displays the list of missing Linux patches for the prioritized
assets and vulnerabilities. You can view the list of missing patches even with the free
version of Patch Management app that is activated for the assets.
For more information, refer to the Patch Management online help.
