Can Qualys automatically detect new hosts added to the network and scan them? I've been asked this question a few times by customers. The answer is yes. It's a simple one-time setup and it runs automatically.
IT assets are continuously added and removed from the network. It's a challenge to identify hosts that have been newly added to the network and scan them, so they can be patched and hardened as soon as possible.
One way to identify newly added hosts is to run a Map on the network. The output shows you new live hosts and the Approved flag helps you identify devices that were not known earlier. However, the output of a Map cannot be used for tagging and hence cannot be set up for automated scanning.
How to automatically detect and scan new hosts added to the network?
There are three steps that need to be performed:
- Schedule a scan to detect live hosts on the network
- Identify hosts that have been newly added to the network
- Schedule a scan on the newly added hosts
1. Schedule a scan to detect live hosts on the network
The first step is to discover live hosts on the network. One way to do this is to run a Map, but the results of a Map cannot be used for tagging.
The alternative is to perform a lightweight scan that only performs discovery on the network. The Host-Alive Testing setting in the Option Profile can be used for this.
Start by creating a new Option Profile from Scans > Option Profiles > New Option Profile. Provide a title (I’ve called it Host-Alive testing profile) and under the Scans section, enable the option called Host-Alive testing.
When this option is selected, Qualys only performs the discovery portion of the scan, using the standard discovery settings as modified by the user in the Additional tab (i.e. ports, ICMP, packet options).
Read more about Host-Alive Testing: Host Alive Testing
Next, schedule a scan that will run automatically using this profile and detect live hosts on a regular basis. Go to Scans > Schedules > New > Schedule Scan.
Provide a title and select the Option Profile created earlier (Host-Alive testing profile). Under Target Hosts, provide the target IP range that will contain the newly added hosts.
Under Scheduling, choose a frequency based on how frequently new hosts get added to your network. If you have a highly dynamic environment, where new hosts get added every few hours or every day, you may want to schedule this scan every day.
Click on Save to activate this schedule.
2. Identify devices that have been newly added to the network
The scan scheduled in the earlier step will identify all live hosts. However, we’re interested in hosts that have been newly added to the network. This can be accomplished using Asset Search.
Head over to Assets > Asset Search. Fill in the IP range that will contain the newly added hosts. Under First Found Date, fill in the number of days.
If new hosts are added every day, choose 1 day. Or if new hosts are added weekly, 7 days may be a good number.
Click on Create Tag and name it. Here I've named it First found in last 24 hours.
This tag will contain all devices that have been newly added to the network within the last X days.
3. Schedule a scan on the newly added hosts
Now that the newly added hosts have been tagged, the next step is to schedule a scan.
Navigate to Scans > Schedules > New > Schedule Scan.
Provide a title and select an Option Profile that is normally used to scan devices in your network.
Under Target Hosts, select the Tag that was created in the previous step. Under Scheduling, provide a scan frequency and Save to activate this schedule.
For the best results, schedule this scan to occur a few hours after the first scheduled scan (used to detect live hosts) occurs.
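The logic behind step 2 (a sticky First Found Date per host, and a tag whose membership is every host first seen within the last X days) can be reproduced outside the console to sanity-check what the tag should contain. The following is an added example, not Qualys code: it replays two constructed host-alive scan results for an assumed target range and returns the hosts that would land in the tag.

```python
"""Track first-found dates across discovery-scan results and select the hosts
first seen within the last N days (the membership of the step 2 tag).
Added example, not Qualys code; all scan data below is constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: live hosts reported by two consecutive host-alive scans.
SCAN_RESULTS = [
    ("2024-05-01T02:00:00+00:00", ["10.0.1.10", "10.0.1.11", "10.0.1.12"]),
    ("2024-05-03T02:00:00+00:00", ["10.0.1.10", "10.0.1.12", "10.0.1.25", "10.0.9.5"]),
]


def update_inventory(inventory, scan_time, live_hosts, target_range):
    """Record the first time each live host inside target_range was seen.
    A host already in the inventory keeps its original first-found date,
    even if it was missing from an intermediate scan."""
    net = ip_network(target_range)
    for host in live_hosts:
        addr = ip_address(host)
        if addr not in net:
            continue  # outside the monitored range, same as outside the tag's IP filter
        inventory.setdefault(str(addr), scan_time)
    return inventory


def newly_found(inventory, now, days):
    """Hosts whose first-found date falls within the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted((ip for ip, first in inventory.items() if first >= cutoff),
                  key=ip_address)


def run(scan_results=SCAN_RESULTS, target_range="10.0.1.0/24", days=1):
    """Replay the scans in order and evaluate the tag as of the latest scan."""
    inventory = {}
    for ts, hosts in scan_results:
        update_inventory(inventory, datetime.fromisoformat(ts), hosts, target_range)
    latest = datetime.fromisoformat(scan_results[-1][0])
    return newly_found(inventory, latest, days)


if __name__ == "__main__":
    print(run())            # hosts first found in the last 1 day
    print(run(days=3))      # widening the window pulls in the earlier hosts
```

Widening `days` shows why the window should match the discovery-scan frequency: too short and a host discovered between runs can age out before the step 3 scan fires; too long and already-scanned hosts are rescanned every cycle.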