Working with report formats

The choice of a format is important in report creation. Formats not only affect how reports appear and are consumed, but they also can have some influence on what information appears in reports.

Working with human-readable formats

Several formats make report data easy to distribute, open, and read immediately:

Note: If you wish to generate PDF reports with Asian-language characters, make sure that UTF-8 fonts are properly installed on your host computer. PDF reports with UTF-8 fonts tend to be slightly larger in file size.

If you are using one of the three report templates mandated for PCI scans as of September 1, 2010 (Attestation of Compliance, PCI Executive Summary, or Vulnerability Details), or a custom template made with sections from these templates, you can only use the RTF format. These three templates require ASVs to fill in certain sections manually.

Working with XML formats

Tip: For information about XML export attributes, see Export template attributes. That section describes similar attributes in the CSV export template, some of which have slightly different names.

Various XML formats make it possible to integrate reports with third-party systems.

Asset Risk              Exploit Title            Site Name
Exploit IDs             Malware Kit Name(s)      Site Importance
Exploit Skill Needed    PCI Compliance Status    Vulnerability Risk
Exploit Source Link     Scan ID                  Vulnerability Since
Exploit Type            Scan Template

 

*Qualys is a trademark of Qualys, Inc.

XML Export 2.0 contains the most information. In fact, it contains all the information captured during a scan. Its schema can be downloaded from the Support page in Help. Use it to help you understand how the data is organized and how you can customize it for your own needs.

Working with CSV export

You can open a CSV (comma separated value) report in Microsoft Excel. It is a powerful and versatile format. Not only does it contain a significantly greater amount of scan information than is available in report templates, but you can easily use macros and other Excel tools to manipulate this data and provide multiple views of it. Two CSV formats are available:

The CSV Export format works only with the Basic Vulnerability Check Results template and any Data-type custom templates. See Fine-tuning information with custom report templates.

Using Excel pivot tables to create custom reports from a CSV file

The pivot table feature in Microsoft Excel allows you to process report data in many different ways, essentially creating multiple reports from one exported CSV file. Following are instructions for using pivot tables. These instructions reflect Excel 2007. Other versions of Excel provide similar workflows.

If you have Microsoft Excel installed on the computer with which you are connecting to the Security Console, click the link for the CSV file on the Reports page. This will start Microsoft Excel and open the file. If you do not have Excel installed on the computer with which you are connecting to the console, download the CSV file from the Reports page, and transfer it to a computer that has Excel installed. Then, use the following procedure.

To create a custom report from a CSV file:

  1. Start the process for creating a pivot table.
  2. Select all the data.
  3. Click the Insert tab, and then select the PivotTable icon.

The Create Pivot Table dialog box appears.

  4. Click OK to accept the default settings.

Excel opens a new, blank sheet. To the right of this sheet is a bar with the title PivotTable Field List, which you will use to create reports. In the top pane of this bar is a list of fields that you can add to a report. Most of these fields are self-explanatory.

The result-code field provides the results of vulnerability checks. See How vulnerability exceptions appear in XML and CSV formats for a list of result codes and their descriptions.

The severity field provides numeric severity ratings. The application assigns each vulnerability a severity level, which is listed in the Severity column. The three severity levels—Critical, Severe, and Moderate—reflect how much risk a given vulnerability poses to your network security. The application uses various factors to rate severity, including CVSS scores, vulnerability age and prevalence, and whether exploits are available.

Note: The severity field is not related to the severity score in PCI reports.

The next steps involve choosing fields for the type of report that you want to create, as in the three following examples.

Example 1: Creating a report that lists the five most numerous exploited vulnerabilities

  1. Drag result-code to the Report Filter pane.
  2. Click the drop-down arrow in column B to display result codes that you can include in the report.
  3. Select the option for multiple items.
  4. Select ve for exploited vulnerabilities.
  5. Click OK.
  6. Drag vuln-id to the Row Labels pane.

Row labels appear in column A.

  7. Drag vuln-id to the Values pane.

A count of vulnerability IDs appears in column B.

  8. Click the drop-down arrow in column A to change the number of listed vulnerabilities to five.
  9. Select Value Filters, and then Top 10...
  10. Enter 5 in the Top 10 Filter dialog box and click OK.

The resulting report lists the five most numerous exploited vulnerabilities.

Example 2: Creating a report that lists required Microsoft hot-fixes for each asset

  1. Drag result-code to the Report Filter pane.
  2. Click the drop-down arrow in column B of the sheet to display result codes that you can include in the report.
  3. Select the option for multiple items.
  4. Select ve for exploited vulnerabilities and vv for vulnerable versions.
  5. Click OK.
  6. Drag host to the Row Labels pane.
  7. Drag vuln-id to the Row Labels pane.
  8. Click vuln-id once in the pane for choosing fields in the PivotTable Field List bar.
  9. Click the drop-down arrow that appears next to it and select Label Filters.
  10. Select Contains... in the Label Filter dialog box.
  11. Enter the value windows-hotfix.
  12. Click OK.

The resulting report lists required Microsoft hot-fixes for each asset.

Example 3: Creating a report that lists the most critical vulnerabilities and the systems that are at risk

  1. Drag result-code to the Report Filter pane.
  2. Click the drop-down arrow that appears in column B to display result codes that you can include in the report.
  3. Select the option for multiple items.
  4. Select ve for exploited vulnerabilities.
  5. Click OK.
  6. Drag severity to the Report Filter pane.

Another of the sheet.

  7. Click the drop-down arrow that appears in column B to display ratings that you can include in the report.
  8. Select the option for multiple items.
  9. Select 8, 9, and 10 for critical vulnerabilities.
  10. Click OK.
  11. Drag vuln-titles to the Row Labels pane.
  12. Drag vuln-titles to the Values pane.
  13. Click the drop-down arrow that appears in column A and select Value Filters.
  14. Select Top 10... In the Top 10 Filter dialog box, confirm that the value is 10.
  15. Click OK.
  16. Drag host to the Column Labels pane.
  17. Another of the sheet.
  18. Click the drop-down arrow that appears in column B and select Label Filters.
  19. Select Greater Than... In the Label Filter dialog box, enter a value of 1.
  20. Click OK.

The resulting report lists the most critical vulnerabilities and the assets that are at risk.
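The same three filters can be applied to the exported CSV file without Excel, which is useful when the report has to be regenerated after every scan. The following Python script is an added example, not part of the product or its documentation. It assumes the export carries the host, vuln-id, vuln-titles, result-code, and severity columns used in the steps above, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Column names are the fields named on this page;
# hosts, IDs and titles are made up, and "zz" stands in for any other result code.
SAMPLE_CSV = """host,vuln-id,vuln-titles,result-code,severity
10.0.0.5,windows-hotfix-example-001,Example Hotfix 001 Missing,ve,10
10.0.0.6,windows-hotfix-example-001,Example Hotfix 001 Missing,ve,10
10.0.0.5,windows-hotfix-example-002,Example Hotfix 002 Missing,vv,9
10.0.0.7,example-web-check,Example Web Server Finding,ve,4
10.0.0.6,example-ssh-check,Example SSH Finding,vv,3
10.0.0.7,windows-hotfix-example-001,Example Hotfix 001 Missing,zz,10
"""

def load(text):
    """Parse the export into one dict per row, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))

def top_exploited(rows, n=5):
    """Example 1: filter result-code = ve, count vuln-id, keep the top n."""
    counts = Counter(r["vuln-id"] for r in rows if r["result-code"] == "ve")
    return counts.most_common(n)

def hotfixes_by_host(rows):
    """Example 2: ve or vv rows whose vuln-id contains windows-hotfix, per host."""
    out = defaultdict(set)
    for r in rows:
        if r["result-code"] in {"ve", "vv"} and "windows-hotfix" in r["vuln-id"]:
            out[r["host"]].add(r["vuln-id"])
    return {host: sorted(ids) for host, ids in sorted(out.items())}

def critical_exploited(rows, top=10):
    """Example 3: ve rows with severity 8, 9 or 10, as title -> affected hosts,
    ranked by the number of affected hosts."""
    hosts = defaultdict(set)
    for r in rows:
        if r["result-code"] == "ve" and int(r["severity"]) in (8, 9, 10):
            hosts[r["vuln-titles"]].add(r["host"])
    ranked = sorted(hosts.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(title, sorted(h)) for title, h in ranked[:top]]

if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    print(top_exploited(rows))
    print(hotfixes_by_host(rows))
    print(critical_exploited(rows))
```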

How vulnerability exceptions appear in XML and CSV formats

Vulnerability exceptions can be important for the prioritization of remediation projects and for compliance audits. Report templates include a section dedicated to exceptions. See Vulnerability Exceptions. In XML and CSV reports, exception information is also available.

XML: The vulnerability test status attribute will be set to one of the following values for vulnerabilities suppressed due to an exception:

exception-vulnerable-exploited - Exception suppressed exploited vulnerability

exception-vulnerable-version - Exception suppressed version-checked vulnerability

exception-vulnerable-potential - Exception suppressed potential vulnerability
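For an audit, it helps to pull every exception-suppressed finding out of an XML report so that the exceptions can be reviewed rather than silently skipped. The following Python script is an added example, not part of the product. Only the status attribute and its three values come from this page; the node and test element names, the id and address attributes, and the sample data are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Status values and their meanings as listed on this page.
EXCEPTION_STATUSES = {
    "exception-vulnerable-exploited": "exploited vulnerability",
    "exception-vulnerable-version": "version-checked vulnerability",
    "exception-vulnerable-potential": "potential vulnerability",
}

# Constructed fragment. The element names (report, node, test) and the
# address/id attributes are assumed; "placeholder-other-status" stands in
# for any status that is not an exception.
SAMPLE_XML = """<report>
  <node address="10.0.0.5">
    <test id="example-check-a" status="placeholder-other-status"/>
    <test id="example-check-b" status="exception-vulnerable-exploited"/>
  </node>
  <node address="10.0.0.6">
    <test id="example-check-b" status="exception-vulnerable-version"/>
    <test id="example-check-c" status="exception-vulnerable-potential"/>
  </node>
</report>"""

def suppressed_findings(xml_text):
    """Return (address, check id, status) for each exception-suppressed test."""
    # ElementTree is adequate for reports from your own console; use a
    # hardened parser such as defusedxml for files of unknown origin.
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("node"):
        for test in node.iter("test"):
            status = test.get("status", "")
            if status in EXCEPTION_STATUSES:
                found.append((node.get("address"), test.get("id"), status))
    return found

def summarize(found):
    """Count suppressed findings per exception status."""
    return Counter(status for _, _, status in found)

if __name__ == "__main__":
    findings = suppressed_findings(SAMPLE_XML)
    for address, check_id, status in findings:
        print(address, check_id, "suppressed", EXCEPTION_STATUSES[status])
    print(dict(summarize(findings)))
```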

CSV: The vulnerability result-code column will be set to one of the following values for vulnerabilities suppressed due to an exception.

Vulnerability result codes

Each code corresponds to results of a vulnerability check:

Working with the database export format

You can output the Database Export report format to Oracle, MySQL, and Microsoft SQL Server.

Like CSV and the XML formats, the Database Export format is fairly comprehensive in terms of the data it contains. It is not possible to configure what information is included in, or excluded from, the database export. Consider CSV or one of the XML formats as alternatives.

Nexpose provides a schema to help you understand what data is included in the report and how the data is arranged, which helps you understand how you can work with the data. You can request the database export schema from Technical Support.