Question & Answer
Question
Why do some vulnerability scans report a different number of vulnerabilites than expected after I import results in to QRadar SIEM?
Cause
The original scan data might be identified as one or more vulnerabilities in the QRadar vulnerability catalog. This can cause a single vulnerability from the original source to identify as one or more vulnerabilities in QRadar SIEM.
Answer
Vulnerability scan data can be added to QRadar SIEM using APIs, importing completed scan result files, or by polling a database by using JDBC. When scan data is processed, the vulnerability information provided by the 3rd party scanner is matched to vulnerabilities in QRadar's vulnerability catalog using known external reference data.
Known external references can be any of the following type of vulnerability references:
- CVE number
- Bugtraq ID
- Microsoft Security Bulletin ID
- IBM X-Force Database Reference (XFDB)
- Open Source Vulnerbility Database (OSVDB)
- Or other form of common external reference.
![XML import of scheduled scan data to the QRadar Vulnerability Catalog](/support/pages/system/files/support/swg/sectech.nsf/0/b5e195f52c63927e85257c840073f1ad/Content/0.414.jpg)
The QRadar vulnerability catalog is updated weekly, however, users might occasionally see some differences between the number of vulnerabilities in the original scan report and the number of vulnerabilities identified in QRadar. When the vulnerability data is processed, QRadar examines the contents of the vulnerability data for external references to properly correlate the newly reported vulnerabilities to the QRadar vulnerability catalog. During this process, the system might identify vulnerabilities from the scan source to multiple entries in the QRadar vulnerability catalog or not be able to locate a vulnerability. This can lead to a situation where more vulnerabilities are reported for an asset in QRadar than were listed in the original source vuln data.
Situations where a vulnerability difference might occur between the scan source data and QRadar:
- The original scan report does not contain an external reference, so the QRadar vulnerability catalog does not have a reference it can correlate against. When this situation occurs, the asset is not updated with the vulnerability identified in the original scan.
- The QRadar vulnerability catalog might be out-of-date or not have a reference to a valid external reference that should exist. This can create a situation where QRadar reports less vulnerabilities than the original scan data provided by the scanner.
- The QRadar vulnerability catalog has multiple entries that can be identified by a single external reference.
This leads to an issue where the source report can identify one vulnerability, but QRadar can report multiple vulnerabilities associated with an asset. The number of vulnerabilities that can be assigned to the asset is dependent on the number of matches found in the QRadar vulnerability catalog.
Was this topic helpful?
Document Information
Modified date:
10 May 2019
UID
swg21665232