The goal is to store scan times locally in order to discover scan time trends.
Host level scan times from manual scan data
For host level scan times, all the values are in the Results section of IG QID 45038, titled Host Scan Time.
Below is a sample from a raw scan XML. The relevant text is in the RESULT tag:
<SCAN value="scan/1234567890.12345">
  ...
  <IP value="192.168.1.1" name="you-supafly">
    ...
    <INFOS>
      ...
      <CAT value="Information gathering">
        ...
        <INFO number="45038" severity="1">
          <TITLE>Host<![CDATA[ Scan Time]]></TITLE>
          <LAST_UPDATE><![CDATA[2004-11-19T02:46:12Z]]></LAST_UPDATE>
          <PCI_FLAG>0</PCI_FLAG>
          <DIAGNOSIS><![CDATA[The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. <P> The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.]]></DIAGNOSIS>
          <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
          <SOLUTION><![CDATA[N/A]]></SOLUTION>
          <RESULT><![CDATA[Scan duration: 116 seconds Start time: Mon, Nov 04 2013, 20:14:43 GMT End time: Mon, Nov 04 2013, 20:16:39 GMT]]></RESULT>
        </INFO>
        ...
      </CAT>
      ...
    </INFOS>
    ...
  </IP>
  ...
</SCAN>
Scan level times from manual scan data
For the scan level end time, the raw scan header has the information you are looking for. All you need to do is add some numbers. The relevant text is in the KEY tags:
<SCAN value="scan/1234567890.12345">
  <HEADER>
    ...
    <KEY value="DATE">2013-11-04T20:15:06Z</KEY>
    ...
    <KEY value="DURATION">00:02:01</KEY>
    ...
  </HEADER>
  ...
</SCAN>
Simply add the value of <KEY value="DATE"> to the value of <KEY value="DURATION"> to obtain the end date and time.
For example, using the above scan XML values:
End date time = 2013-11-04T20:15:06Z + 00:02:01 = 2013-11-04T20:17:07Z
Host level scan times from host detection API
You can use the host list detection API call, filtered on QID 45038, to obtain the latest scan times.
- URL: https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/
Below is a sample API response. The relevant text is in the RESULTS tag:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE HOST_LIST_VM_DETECTION_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/host_list_vm_detection_output.dtd">
<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <DATETIME>2013-11-15T22:03:44Z</DATETIME>
    <!-- keep-alive for HOST_LIST_VM_DETECTION_OUTPUT -->
    ...
    <!-- keep-alive for HOST_LIST_VM_DETECTION_OUTPUT -->
    <HOST_LIST>
      <HOST>
        <ID>123456789</ID>
        <IP>10.10.1.1</IP>
        <TRACKING_METHOD>IP</TRACKING_METHOD>
        <OS><![CDATA[Solaris 9-10]]></OS>
        <OS_CPE><![CDATA[cpe:/o:sun:sunos:5.9:::]]></OS_CPE>
        <DNS><![CDATA[ohyeahhhhhh.company.com]]></DNS>
        <LAST_SCAN_DATETIME>2013-11-13T08:41:45Z</LAST_SCAN_DATETIME>
        <DETECTION_LIST>
          <DETECTION>
            <QID>45038</QID>
            <TYPE>Info</TYPE>
            <RESULTS><![CDATA[Scan duration: 630 seconds Start time: Wed, Nov 13 2013, 08:34:06 GMT End time: Wed, Nov 13 2013, 08:44:36 GMT]]></RESULTS>
          </DETECTION>
        </DETECTION_LIST>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2013, Qualys, Inc. //-->
An example Chrome POSTMAN collection is attached as "VM, host list detection.json.postman_collection". Please note, the truncation limit is set to 10 instead of 0 for demonstration purposes.
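To turn the responses above into values you can store locally, the following Python sketch parses the QID 45038 result text per host and computes the scan level end time from DATE plus DURATION. It is an added example, not Qualys code; the function names and the trimmed sample XML are constructed here, and it assumes the result text and the HH:MM:SS duration always follow the formats shown on this page.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed from the API response shown above.
SAMPLE_API_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST><HOST>
<ID>123456789</ID><IP>10.10.1.1</IP>
<DETECTION_LIST><DETECTION><QID>45038</QID><TYPE>Info</TYPE>
<RESULTS><![CDATA[Scan duration: 630 seconds Start time: Wed, Nov 13 2013, 08:34:06 GMT End time: Wed, Nov 13 2013, 08:44:36 GMT]]></RESULTS>
</DETECTION></DETECTION_LIST></HOST></HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

# \s* between fields tolerates spaces or line breaks in the result text.
RESULT_RE = re.compile(
    r"Scan duration:\s*(\d+)\s*seconds\s*"
    r"Start time:\s*(\w{3}, \w{3} \d{2} \d{4}, \d{2}:\d{2}:\d{2}) GMT\s*"
    r"End time:\s*(\w{3}, \w{3} \d{2} \d{4}, \d{2}:\d{2}:\d{2}) GMT")
TS_FORMAT = "%a, %b %d %Y, %H:%M:%S"  # e.g. "Wed, Nov 13 2013, 08:34:06"

def parse_host_scan_time(text):
    """Parse QID 45038 result text into (seconds, start, end), times in UTC."""
    m = RESULT_RE.search(text or "")
    if m is None:
        return None  # unexpected format: skip rather than store bad data
    start, end = (datetime.strptime(s, TS_FORMAT).replace(tzinfo=timezone.utc)
                  for s in m.group(2, 3))
    return int(m.group(1)), start, end

def host_scan_times(api_xml):
    """Map host IP -> parsed Host Scan Time from a host list detection response."""
    times = {}
    for host in ET.fromstring(api_xml).iter("HOST"):
        for det in host.iter("DETECTION"):
            if det.findtext("QID") == "45038":
                parsed = parse_host_scan_time(det.findtext("RESULTS"))
                if parsed:
                    times[host.findtext("IP")] = parsed
    return times

def scan_end_time(date_key, duration_key):
    """Scan level end time: HEADER KEY DATE plus KEY DURATION (assumed HH:MM:SS)."""
    start = datetime.strptime(date_key, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    h, m, s = (int(part) for part in duration_key.split(":"))
    return start + timedelta(hours=h, minutes=m, seconds=s)
```

The same `parse_host_scan_time` function works on the RESULT text of a raw scan XML, since both sources use the same wording.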