Understanding Map Results

Document created by Shyam Raj (Employee) on Apr 24, 2018. Last modified by Robert Dell'Immagine on Apr 26, 2018.
Version 5

Map scans can be used to discover assets that are live on the network. While that's the primary use of a Map, there's a wealth of information contained within a Map result.

 

There are two ways to look at Map results: one in a List format (View Report) and the other in a Graphical format (View Graphic Mode).

 

 

When opened in List format, the Map results look like below:

 

 

The Domain shows the target of the map. Maps can be of two types: On-Demand and Scheduled. The report also shows a Reference number, a unique number assigned to each map/scan, which can be referenced for troubleshooting with Support. The Duration shows how long it took to complete the map operation.

 

Total Hosts Found tells you how many hosts were discovered. In this case, the map target was only 10 IPs (64.41.200.231-64.41.200.240), but 16 devices were discovered. This happens when you have intermediate devices between the scanner appliance and your target (such as routers, firewalls, Layer 3 switches, etc.).

 

The Option Profile used determines the ports/methods used by Qualys to discover hosts. This can be configured under Scans > Option Profiles.

 

 

Within the Map results, the Results section shows all IPs that were discovered from the Map.

 

 

On the left of every IP, you'll find a small black arrow. It contains information about how a specific IP was discovered.

 

 

In the above example, on 64.41.200.231, TCP ports 135, 139, 445 and UDP port 137 were found to be open.

 

I'm often asked - if the device responds to any one of the methods/ports defined in the Option Profile, does mapping for that IP stop? The results above show that Qualys tries all ports/methods defined in the Option Profile.

 

When intermediate devices get discovered, the discovery method is TraceRoute, as seen below.

 

On the right side of the Results section are some legends: A (Approved), S (Scannable), L (Live), and N (Netblock).

 

Approved: Hosts that you've configured as approved (devices that you expect to find) will show up with an A. Unapproved hosts are represented as Rogue in the Graphical map report.

 

Scannable: Hosts that you've added to your subscription (under Assets > Host Assets) will show up with an S.

 

Live: Hosts that respond to the discovery process will show up with an L.

 

Netblock: Hosts that are part of the target that you defined for your map will show up with an N. In the above screenshot, we saw that the target was 10 IPs (64.41.200.231-64.41.200.240), but Qualys managed to detect 16 hosts. In this case, 10 of them will have the N and 6 won't.
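
The legend described above, applied as a triage step. This is an added example, not part of the original document and not Qualys code: the row layout of (IP, legend flags, discovery method) is an assumption made for illustration rather than the Qualys export format, and the sample rows, including the 192.0.2.x addresses standing in for intermediate devices, are constructed.

```python
import ipaddress

# Map target as given on the page; the rows below are constructed sample data.
TARGET = "64.41.200.231-64.41.200.240"
# (ip, legend flags, discovery method): a row layout assumed for this example,
# not the Qualys export format. 192.0.2.x stands in for intermediate devices.
SAMPLE_HOSTS = [
    ("64.41.200.231", "ASLN", "TCP 135,139,445; UDP 137"),
    ("64.41.200.232", "LN", "ICMP"),
    ("64.41.200.233", "ALN", "TCP 80"),
    ("192.0.2.1", "L", "TraceRoute"),
    ("192.0.2.9", "ASL", "TraceRoute"),
]

def parse_range(target):
    """Split 'first-last' into two IP address objects."""
    first, last = (ipaddress.ip_address(p.strip()) for p in target.split("-"))
    if first > last:
        raise ValueError("range start is above range end")
    return first, last

def triage(target, hosts):
    """Group map result rows by what the A/S/L/N legend says about them."""
    first, last = parse_range(target)
    report = {"rogue": [], "unsubscribed": [], "intermediate": [], "flag_mismatch": []}
    for ip, flags, method in hosts:
        in_target = first <= ipaddress.ip_address(ip) <= last
        # N should mirror membership in the map target; a mismatch points to
        # a stale or wrongly merged row rather than a network finding.
        if in_target != ("N" in flags):
            report["flag_mismatch"].append(ip)
        if "A" not in flags:                      # unapproved: shown as Rogue
            report["rogue"].append(ip)
        if "L" in flags and "S" not in flags:     # live but not in the subscription
            report["unsubscribed"].append(ip)
        if "N" not in flags:                      # found outside the map target
            report["intermediate"].append((ip, method))
    return report

if __name__ == "__main__":
    for group, members in triage(TARGET, SAMPLE_HOSTS).items():
        print(group, members)
```

Hosts in the `unsubscribed` group are live but cannot be vulnerability scanned until they are added to the subscription, so that list doubles as a coverage gap report.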

 

 

The Map results can be used to perform a variety of Actions (from the top-left) such as adding IPs to a new/existing Asset Group, approving and subscribing hosts, launching a vulnerability/compliance scan, and purging hosts.

 

 

When you approve hosts or add hosts to your subscription, the legends A and S do not appear immediately. They show up the next time the hosts are mapped.

 

The Graphical format can be used to view the topology of the network.

 

 

The Summary pane shows information at a high level and also has a clickable doughnut chart of Operating System Families.

When a segment is clicked, only the topology of the selected operating system is shown. For example, in the screenshot below only Windows has been selected.

 

 

Toggle to the Results panel to see all discovered Hosts.

 

 

Click on a specific IP to focus on and view all information for that IP.

 
