We would like to find the appliance used for scanning in the past for a particular asset.
I have an outstanding feature request for Qualys to add an Information Gathered finding that stores the scanner used for the most recent scan. Unfortunately I haven't seen any indication they're working on this. While that information is available in the raw scan data, we scan a large number of IPs during a scan and it takes a very long time to generate the report just to identify the scanner used during a scan.
As I recall this is not part of the Asset data but is in the SCAN data. So if you started pulling scans the appliances are in the data although it may only be the scan number. You could build off of that.
If you need an example please let me know but I don't please you will build a "report" as Qualys sees it that would have that information.
Additionally the scans might have the groups as well. You may need to pull multiple sources like the host detection and and the scans to get the full picture your describing.
May I ask what your goal is? This could help me to try and identify a solution for you?
Thanks for your quick response.
We have thousands of IPs that needs to be scanned and there is no trace of appliances. So we would like to identify the appliance and asset group from previous information in Qualys and re-scan them.
I am not sure I understand the "there is no trace of appliances"
If you have your IP Addresses/Ranges in Asset Groups you can assign one or more appliances to each Asset Group. When you configure the scan you can tell the scan to use the scanners in the Asset Groups.
Lets say you have the following:
Asset Group A
Scanner: Internal Scanner #1
Asset Group B
Scanner: Internal Scanner #2
Asset Group C
Scanner: Internal Scanner #1, Internal Scanner #2
You could create one scan or scheduled scan for all asset groups that utilizes the scanners in each Asset Group.
Now if your trying to detect assets that have not been scanned in say 15 days; I can give you a TAG that identifies those assets and then you can create a scan to target those systems; but it would not use a specific scanner.
If you really need to go that route then you can use TAGS with scanners but I have not set that up so you may want to work with your TAM and get documentation and assistance from Qualys on setting that up and making sure it is meeting your needs.
I hope this helps, David
Sure, the best way is to take Qualys support on this as the asset groups were not mapped with any appliance at the time of their creation. So its tough to identify the appliance.
I have a similar one as well because I wanted to be able to identify an internet exposed .vs. not issue; so it was down to the finding level that I was looking at.
Adding to this for another use case, we've got scanner appliances deployed in different segments of the network. No single scanner can reach 100% of our assets. It would be *extremely* useful if we could tell what scanner reached a certain asset, as we're not sure what scanners can reach certain assets. Without doing full scans of our entire network with each and every appliance, I don't see how we could accurately get this data otherwise.
This information is available in the Qualys raw scan reports in the appendix section. It is labeled "Target distribution across scanner appliances". It's comes after "Successfully Scanned Hosts (IP)" and before "Hosts Not Scanned".
No QID for it as far as I know.
Right, but that involves pulling each scan result down, not anything stored in the asset data itself.
Do you know if we have an API to extract the IPs that are successfully scanned (Under each Appliance) from Qualys raw scan results?
Unfortunately, I don't have any experience with the API and can't tell you.
This doesn't give you which scanner but....
Retrieving data ...