This document explains the use of lightweight scans to discover newly added assets. The "Split Scan Strategy", a lightweight Inventory/Discovery scan followed later by a full VM scan of the discovered assets, is usually recommended only for large networks with a sparse address space and a tight scan window, where discovery scans are allowed to run outside that window. By performing discovery outside your VM scan windows, then running your VM scans against only the discovered assets by using tags, and minimizing discovery by selecting Scan Dead Hosts in the option profile, you effectively extend your scan window. This is only a viable option when discovery can be performed and completed very close in time to the VM scan; otherwise drift (hosts appearing or disappearing between the two scans) can invalidate the discovery results. What "close in time" means depends, of course, on the level of churn in the network.
A lightweight scan is a VM scan with very few ports and QIDs enabled; in other words, it performs the bare minimum to detect whether or not the target is "live" and possibly collects minimal inventory data, depending on customer needs. Because this is a VM scan, the IPs of new hosts must be in your subscription for them to be discovered.
IT assets are continuously added to and removed from the network. It's a challenge to identify hosts that have been newly added to the network and scan them so they can be patched and hardened as soon as possible.
One way to identify newly added hosts is to run a Map on the network. The output shows you new live hosts, and the Approved flag helps you identify devices that were not known earlier. However, the output of a Map cannot be used for tagging and hence cannot be used to set up automated scanning. Maps have additional limitations: they tend to be "greedy" with scanner resources and can cause other scheduled jobs on the same scanner to block or defer until the Map completes, and a Map can only be run on a single scanner at a time; it cannot be distributed over multiple scanners like a VM scan.
How to automatically detect and scan new hosts added to the network?
There are three steps that need to be performed:
- Schedule a scan to detect live hosts on the network
- Identify hosts that have been newly added to the network
- Schedule a scan on the newly added hosts
1. Schedule a scan to detect live hosts on the network
The first step is to discover live hosts on the network. One way to do this is to run a Map, but the results of a Map cannot be used for tagging.
The alternative is to perform a lightweight scan that only performs discovery on the network. The Host-Alive Testing setting in the Option Profile can be used for this.
Start by creating a new Option Profile from Scans > Option Profiles > New Option Profile. Provide a title (I’ve called it Host-Alive testing profile) and under the Scans section, enable the option called Host-Alive testing.
When this option is selected, Qualys performs only the discovery portion of the scan, using the standard discovery settings as modified by the user in the Additional tab (i.e. ports, ICMP, packet options).
Read more about Host-Alive Testing: Host Alive Testing
Next, schedule a scan that will run automatically using this profile and detect live hosts on a regular basis.
Under Scans > Schedules > New > Schedule Scan.
Provide a title and select the Option Profile created earlier (Host-Alive testing profile). Under Target Hosts, provide the target IP range that will contain the newly added hosts.
Under Scheduling, choose a frequency based on how frequently new hosts get added to your network. If you have a highly dynamic environment, where new hosts get added every few hours or every day, you may want to schedule this scan every day.
Click on Save to activate this schedule.
2. Identify devices that have been newly added to the network
The scan scheduled in the earlier step will identify all live hosts. However, we’re interested in hosts that have been newly added to the network. This can be accomplished using Asset Search.
Head over to Assets > Asset Search. Fill in the IP range that will contain the newly added hosts. Under First Found Date, fill in the number of days.
If new hosts are added every day, choose 1 day; if new hosts are added weekly, 7 days may be a good number.
Click on Create Tag and name it. Here I've named it as First found in last 24 hours.
This tag will contain all devices that have been newly added to the network within the last X days.
3. Schedule a scan on the newly added hosts
Now that the newly added hosts have been tagged, the next step is to schedule a scan.
Navigate to Scans > Schedules > New > Schedule Scan.
Provide a title and select the Option Profile that is normally used to scan devices in your network.
Under Target Hosts, select the Tag that was created in the previous step. Under Scheduling, provide a scan frequency and Save to activate this schedule.
For the best results, schedule this scan to occur a few hours after the first scheduled scan (used to detect live hosts) occurs.
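As an added example (not code from the original post), here is how step 3 could be driven from a script instead of a schedule while enforcing the drift caveat from the introduction: the VM scan against the "newly found" tag is launched only when the Host-Alive discovery completed within a few hours. The parameter names are assumed to match the Qualys VM API v2 scan launch call; the HTTP transport, credentials, and the tag and profile titles are placeholders.

```python
# Added example (not from the original post); API parameter names follow the
# Qualys VM API v2 launch call as this example's author understands them.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

MAX_DISCOVERY_AGE = timedelta(hours=6)  # tune to your network's churn

def discovery_is_fresh(discovery_finished, now, max_age=MAX_DISCOVERY_AGE):
    """True if discovery completed before 'now' and within max_age of it."""
    return timedelta(0) <= now - discovery_finished <= max_age

def build_launch_params(scan_title, option_title, tag_name):
    """Form body for the launch call, targeting a single tag by name."""
    return urlencode({
        "action": "launch",
        "scan_title": scan_title,
        "option_title": option_title,  # the normal VM option profile
        "target_from": "tags",
        "tag_set_by": "name",
        "tag_include_selector": "any",
        "tag_set_include": tag_name,   # e.g. "First found in last 24 hours"
    })

def parse_launch_reply(xml_text):
    """Return the scan REFERENCE from a SIMPLE_RETURN reply, else raise."""
    root = ET.fromstring(xml_text)
    for item in root.iter("ITEM"):
        if item.findtext("KEY") == "REFERENCE":
            return item.findtext("VALUE")
    raise RuntimeError("launch failed: %s" % root.findtext(".//TEXT"))

def launch_if_fresh(post, discovery_finished, now, scan_title, option_title, tag):
    """post(body) is your HTTP transport (e.g. requests.post with basic auth and
    the X-Requested-With header). Returns None when discovery is stale: skipped."""
    if not discovery_is_fresh(discovery_finished, now):
        return None
    return parse_launch_reply(post(build_launch_params(scan_title, option_title, tag)))

# Constructed reply in the shape of a successful launch, for offline use.
SAMPLE_REPLY = ("<SIMPLE_RETURN><RESPONSE><TEXT>New vm scan launched</TEXT><ITEM_LIST>"
                "<ITEM><KEY>ID</KEY><VALUE>111</VALUE></ITEM><ITEM><KEY>REFERENCE</KEY>"
                "<VALUE>scan/1700000000.11111</VALUE></ITEM></ITEM_LIST></RESPONSE></SIMPLE_RETURN>")

def demo(hours_since_discovery):
    """Run the guard with a fixed clock against the constructed reply."""
    now = datetime(2024, 1, 1, 6, tzinfo=timezone.utc)
    finished = now - timedelta(hours=hours_since_discovery)
    return launch_if_fresh(lambda body: SAMPLE_REPLY, finished, now, "VM scan of new hosts",
                           "Standard VM profile", "First found in last 24 hours")
```

In production, replace the lambda with a real POST to your Qualys platform URL and take the discovery completion time from the finished Host-Alive scan's status rather than a fixed clock.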