How to export scan start, end and duration times

Document created by Parag Baxi on Nov 15, 2013. Last modified by Parag Baxi on Nov 15, 2013.
Version 6

Use case

Store scan times locally in order to track scan time trends.

Host level scan times from manual scan data

For host level scan times, all the values are in the Results section of IG QID 45038, labelled Host Scan Time.

 

Below is a sample from a raw scan XML. The relevant text is in the RESULT tag:

 

<SCAN value="scan/1234567890.12345">
  ...
  <IP value="192.168.1.1" name="you-supafly">
    ...
    <INFOS>
      ...
      <CAT value="Information gathering">
        ...
        <INFO number="45038" severity="1">
          <TITLE><![CDATA[Host Scan Time]]></TITLE>
          <LAST_UPDATE><![CDATA[2004-11-19T02:46:12Z]]></LAST_UPDATE>
          <PCI_FLAG>0</PCI_FLAG>
          <DIAGNOSIS><![CDATA[The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. 
<P>
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.]]></DIAGNOSIS>
          <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
          <SOLUTION><![CDATA[N/A]]></SOLUTION>
          <RESULT><![CDATA[Scan duration: 116 seconds


Start time: Mon, Nov 04 2013, 20:14:43 GMT


End time: Mon, Nov 04 2013, 20:16:39 GMT]]></RESULT>
        </INFO>
        ...
      </CAT>
      ...
    </INFOS>
    ...
  </IP>
  ...
</SCAN>

 

Scan level times from manual scan data

For the scan level end time, the raw scan header has the information you are looking for. All you need to do is add some numbers. The relevant text is in the KEY tags:

 

<SCAN value="scan/1234567890.12345">
  <HEADER>
    ...
    <KEY value="DATE">2013-11-04T20:15:06Z</KEY>
    ...
    <KEY value="DURATION">00:02:01</KEY>
    ...
  </HEADER>
  ...
</SCAN>

 

Simply add the value of <KEY value="DATE"> to the value of <KEY value="DURATION"> to obtain the end date time.

 

For example, let's use the above scan XML values:

End date time = 2013-11-04T20:15:06Z + 00:02:01 = 2013-11-04T20:17:07Z

 

 

Host level scan times from host detection API

One can leverage the host list detection API call and filter against the QID 45038 to obtain the latest scan times.

 

 

 

Below is a sample API response. The relevant text is in the RESULTS tag:

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE HOST_LIST_VM_DETECTION_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/host_list_vm_detection_output.dtd">
<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <DATETIME>2013-11-15T22:03:44Z</DATETIME>
<!-- keep-alive for HOST_LIST_VM_DETECTION_OUTPUT  -->
...
<!-- keep-alive for HOST_LIST_VM_DETECTION_OUTPUT  -->
    <HOST_LIST>
      <HOST>
        <ID>123456789</ID>
        <IP>10.10.1.1</IP>
        <TRACKING_METHOD>IP</TRACKING_METHOD>
        <OS><![CDATA[Solaris 9-10]]></OS>
        <OS_CPE><![CDATA[cpe:/o:sun:sunos:5.9:::]]></OS_CPE>
        <DNS><![CDATA[ohyeahhhhhh.company.com]]></DNS>
        <LAST_SCAN_DATETIME>2013-11-13T08:41:45Z</LAST_SCAN_DATETIME>
        <DETECTION_LIST>
          <DETECTION>
            <QID>45038</QID>
            <TYPE>Info</TYPE>
            <RESULTS><![CDATA[Scan duration: 630 seconds


Start time: Wed, Nov 13 2013, 08:34:06 GMT


End time: Wed, Nov 13 2013, 08:44:36 GMT]]></RESULTS>
          </DETECTION>
        </DETECTION_LIST>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2013, Qualys, Inc. //--> 

 

An example Chrome POSTMAN collection is attached as "VM, host list detection.json.postman_collection". Please note, the truncation limit is set to 10 instead of 0 for demonstration purposes.

 

For help on how to use the POSTMAN collection, follow the instructions on the Qualys API example calls page.
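
The two calculations described above, as an added Python example (not part of the original document and not Qualys code): it parses the QID 45038 result text from a host list detection response and adds the header DURATION to the header DATE. The sample XML is constructed from the response shown above; the function names, and the assumption that DURATION is always in HH:MM:SS form, belong to this example only.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed from the API response shown above.
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
  <HOST>
    <IP>10.10.1.1</IP>
    <DETECTION_LIST><DETECTION>
      <QID>45038</QID>
      <RESULTS><![CDATA[Scan duration: 630 seconds

Start time: Wed, Nov 13 2013, 08:34:06 GMT

End time: Wed, Nov 13 2013, 08:44:36 GMT]]></RESULTS>
    </DETECTION></DETECTION_LIST>
  </HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

# Timestamp layout used inside the QID 45038 result text.
TIME_FORMAT = "%a, %b %d %Y, %H:%M:%S GMT"


def parse_host_scan_time(results_text):
    """Parse the QID 45038 result text into (duration, start, end)."""
    seconds = int(re.search(r"Scan duration:\s*(\d+)\s*seconds", results_text).group(1))
    stamps = {}
    for label in ("Start time", "End time"):
        raw = re.search(label + r":\s*(.+)", results_text).group(1).strip()
        stamps[label] = datetime.strptime(raw, TIME_FORMAT).replace(tzinfo=timezone.utc)
    return timedelta(seconds=seconds), stamps["Start time"], stamps["End time"]


def host_scan_times(xml_text):
    """Map each host IP to its parsed QID 45038 times."""
    times = {}
    for host in ET.fromstring(xml_text).iter("HOST"):
        for det in host.iter("DETECTION"):
            if det.findtext("QID") == "45038":
                times[host.findtext("IP")] = parse_host_scan_time(det.findtext("RESULTS"))
    return times


def scan_end_time(date_value, duration_value):
    """Add the header DURATION (assumed HH:MM:SS) to the header DATE."""
    start = datetime.strptime(date_value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    hours, minutes, seconds = (int(part) for part in duration_value.split(":"))
    return start + timedelta(hours=hours, minutes=minutes, seconds=seconds)
```

Comparing the parsed end time minus start time against the reported duration is a quick consistency check before storing the values for trending.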
