If a risk is considered unacceptable after being analyzed, a treatment event can be created during the Evaluation phase so that the measures necessary to remediate it can be taken.
Risk treatment events are divided into two subtypes: controls and vulnerabilities. These can treat risks individually or treat multiple risks, and there is also the option to create a parent event for an asset and child events for each control or vulnerability related to it. The system suggests a default USR score for events, which can be edited after the event is created. For details on how the default USR score is calculated, see Chapter 10: Workflow -> Events -> Calculating the USR.
For events to treat vulnerabilities detected by Qualys, an integration task is available which will allow these events to be automatically updated or closed depending on the status of the corresponding tickets in Qualys. For details, see Chapter 17: Administration -> Integrations -> Integration Tasks -> Creating a Task to Synchronize with Qualys Remediation.
The Subtype column in the list of events in the Workflow module is used to distinguish events to treat non-implemented controls and those to treat vulnerabilities.