
Tagging Lite Inventory Scan vs VM Scan?

Question asked by Jake VanMast on Jul 2, 2019
Latest reply on Jul 8, 2019 by Busby

As part of verifying that we are scanning all hosts on our network, we do periodic Lite Inventory Scanning to detect new hosts that come on the network. This scanning uses the normal VM scanning, but with a much smaller set of QIDs; our LIS Option Profile has 3 Search Lists:

(1) Windows (12 QIDs),

(2) Unix (4 QIDs),

(3) General LIS (21 QIDs).

 

To limit the number of host assets which need to be dispositioned to a manageable number, we use authenticated scanning, such that only newly created hosts would have host objects created in Qualys. 

 

Use Case #1:  Identifying new hosts:

In cases where LIS does NOT overlap with VM Scanning, we can use create time to identify these hosts. 

 

Use Case #2: Verifying all hosts are being VM scanned:

When no LIS is performed, "Last Scan Time" can be used to determine whether each host in subscription is being VM scanned.  When using LIS to periodically scan all address space, other than using First Created together with Last Scan (and keeping a large break between LIS), we don't see a great way to separate/tag these scan types.

 

 

Looking for any advice on how to tag LIS vs VM scans...

Are there any recommended criteria to identify hosts created during Lite Inventory Scanning? There are no QIDs for scanner or Option Profile. Has anyone messed around with a Groovy script to tag based on a very small set of QIDs found? Are there any specific QIDs that can be hardcoded into the Option Profile type of the scan which are sure to appear if included, such that we can tag on QID being present?
