IBM Support

Vulnerability results and how they display in QRadar SIEM

Question & Answer


Question

Why do some vulnerability scans report a different number of vulnerabilities than expected after I import the results into QRadar SIEM?

Cause

Each vulnerability in the original scan data is matched against the QRadar vulnerability catalog by its external references. A single vulnerability from the original source can match zero, one, or several entries in the catalog, so the number of vulnerabilities shown in QRadar SIEM can differ from the number in the scan report.

Answer

Vulnerability scan data can be added to QRadar SIEM through APIs, by importing completed scan result files, or by polling a scanner database over JDBC. When scan data is processed, the vulnerability information provided by the third-party scanner is matched to vulnerabilities in the QRadar vulnerability catalog using known external reference data.

Known external references can be any of the following types of vulnerability reference:

  • CVE number
  • Bugtraq ID (BID)
  • Microsoft Security Bulletin ID
  • IBM X-Force Database Reference (XFDB)
  • Open Source Vulnerability Database (OSVDB) ID
  • Any other common form of external reference


XML import of scheduled scan data to the QRadar Vulnerability Catalog

The QRadar vulnerability catalog is updated weekly; however, users might occasionally see differences between the number of vulnerabilities in the original scan report and the number of vulnerabilities identified in QRadar. When the vulnerability data is processed, QRadar examines its contents for external references so that the newly reported vulnerabilities can be correlated to the QRadar vulnerability catalog. During this process, the system might map a single vulnerability from the scan source to multiple entries in the QRadar vulnerability catalog, or it might not be able to locate a matching entry at all. This can lead to a situation where more (or fewer) vulnerabilities are reported for an asset in QRadar than were listed in the original source vulnerability data.

Situations where the vulnerability count can differ between the scan source data and QRadar:

  1. The original scan report does not contain an external reference, so the QRadar vulnerability catalog has no reference it can correlate against. When this situation occurs, the asset is not updated with the vulnerability identified in the original scan.

    Vulnerability data without external references can cause correlation problems.
  2. The QRadar vulnerability catalog might be out of date, or might lack a reference to a valid external reference that should exist. This can create a situation where QRadar reports fewer vulnerabilities than the original scan data provided by the scanner.

    An outdated vulnerability catalog, or an error in the catalog, can cause correlation issues.
  3. The QRadar vulnerability catalog has multiple entries that are identified by a single external reference.

    This leads to a situation where the source report identifies one vulnerability, but QRadar reports multiple vulnerabilities associated with the asset. The number of vulnerabilities assigned to the asset depends on the number of matches found in the QRadar vulnerability catalog.

    One identifier might match multiple entries in the QRadar vulnerability catalog.
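The following Python program is an added illustration of the correlation process described above and of the three situations in the list; it is not code from this IBM page or from QRadar itself. It extracts external references (CVE, BID, Microsoft bulletin, XFDB, OSVDB) from each scanner finding, looks them up in a stand-in catalog, and reports separately the findings that matched, those with no reference (situation 1), and those whose reference is missing from the catalog (situation 2), while a reference that maps to several catalog entries produces several vulnerabilities for the asset (situation 3). The regular expressions, the canonical reference forms, the hypothetical QVM-* catalog IDs, the catalog contents, and the sample findings are all assumptions constructed for this example; counting distinct catalog entries per asset is also an assumption.

```python
import re
from dataclasses import dataclass, field

# Reference families matched on (CVE, Bugtraq ID, Microsoft bulletin, X-Force DB,
# OSVDB). The regexes and canonical forms are this example's assumptions, not
# QRadar's own parsing rules.
REF_PATTERNS = [
    ("CVE",   re.compile(r"\bCVE-(\d{4}-\d{4,})\b", re.I), "CVE-{}"),
    ("BID",   re.compile(r"\bBID[-: ]?(\d+)\b", re.I),     "BID-{}"),
    ("MSB",   re.compile(r"\bMS(\d{2}-\d{3})\b", re.I),     "MS{}"),
    ("XFDB",  re.compile(r"\bXFDB[-: ]?(\d+)\b", re.I),    "XFDB-{}"),
    ("OSVDB", re.compile(r"\bOSVDB[-: ]?(\d+)\b", re.I),   "OSVDB-{}"),
]

# Constructed stand-in for the QRadar vulnerability catalog: each external
# reference maps to the catalog entries (hypothetical QVM-* IDs) it identifies.
CATALOG = {
    "CVE-2014-0160": ["QVM-1001"],
    "BID-66690":     ["QVM-1001"],
    "XFDB-92322":    ["QVM-1001"],
    # One bulletin identifying two catalog entries (situation 3).
    "MS14-012":      ["QVM-2001", "QVM-2002"],
}


@dataclass
class Finding:
    title: str
    details: str


@dataclass
class CorrelationReport:
    scanner_count: int = 0
    qradar_count: int = 0
    matched: dict = field(default_factory=dict)         # title -> catalog IDs
    no_reference: list = field(default_factory=list)    # situation 1
    not_in_catalog: dict = field(default_factory=dict)  # situation 2: title -> refs


def extract_refs(text):
    """Pull every recognised external reference out of free-form scanner text."""
    refs = set()
    for _family, pattern, fmt in REF_PATTERNS:
        for match in pattern.finditer(text):
            refs.add(fmt.format(match.group(1).upper()))
    return refs


def correlate(findings, catalog=CATALOG):
    """Map scanner findings to catalog entries and explain every discrepancy."""
    report = CorrelationReport(scanner_count=len(findings))
    asset_vulns = set()
    for finding in findings:
        refs = extract_refs(finding.details)
        if not refs:
            report.no_reference.append(finding.title)   # nothing to correlate on
            continue
        ids = set()
        for ref in refs:
            ids.update(catalog.get(ref, []))
        if not ids:
            report.not_in_catalog[finding.title] = sorted(refs)  # catalog gap
            continue
        report.matched[finding.title] = sorted(ids)
        asset_vulns |= ids
    report.qradar_count = len(asset_vulns)  # distinct catalog entries on the asset
    return report


# Constructed sample scan results; references and wording are illustrative only.
SAMPLE_FINDINGS = [
    Finding("OpenSSL Heartbleed information disclosure",
            "TLS heartbeat read overrun. References: CVE-2014-0160, BID 66690, XFDB 92322"),
    Finding("Cumulative security update for Internet Explorer",
            "Microsoft bulletin MS14-012 addresses multiple memory corruption issues."),
    Finding("SSH server supports weak ciphers",
            "Server offers arcfour and CBC-mode ciphers."),
    Finding("Unpatched vendor advisory",
            "Fixed in firmware 2.4; see CVE-2099-0001."),
]

if __name__ == "__main__":
    r = correlate(SAMPLE_FINDINGS)
    print(f"scanner reported {r.scanner_count}, QRadar shows {r.qradar_count}")
    print("matched:", r.matched)
    print("dropped, no external reference:", r.no_reference)
    print("dropped, reference not in catalog:", r.not_in_catalog)
```

Running the example shows four findings in the scanner output and three vulnerabilities on the asset in QRadar: one finding is lost because it carries no reference, one because its CVE is not in the catalog, and one bulletin becomes two catalog entries. When investigating a real discrepancy, take the external references from the original scan file and check each one against the QRadar vulnerability catalog the same way.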

Product: IBM Security QRadar SIEM
Component: VA Scanners
Platform: Linux
Version: 7.0, 7.1, 7.2
Edition: All Editions

Document Information

Modified date:
10 May 2019

UID

swg21665232