Does anyone know how (or if) you can tag assets if they are VM scanned and a specific QID is not detected?
Yes, this can be done by running an AssetView query like this:
Replace the QID number with what you're looking for.
Select all assets returned in the results > Actions > Add Tags.
I think this could also be automated with a Groovy Script.
Thank you for this. I did the following search in AssetView:
QID 45038 - Host Scan Time
The results were cleaned up to not include WAS hosts. But I see a lot of my VM hosts showing up. Looking into the asset details, I notice I have no Information Gathered QIDs. Is this normal?
I initially planned to use this method to purge out IPs that were scanned and a network appliance responded but they are not an actual asset. This is causing overall asset counts to be substantially larger than what actually exists.
I tested the results for not vulnerabilities.vulnerability.qid:45038 in my sandbox, and it appears the VM instances that are returned are EC2 cloud instances. Do you see the same? What is unique about the VM hosts that are showing up in your subscription?
We do not have any EC2 instances. The assets are a combination of asset types, i.e. Windows workstations/servers, RHEL servers, routers/switches.
Any agents deployed amongst those?
We do not use agents.
To further test for the absence of IG data, please...
What will showing 100+ Information QIDs for every asset do for my issue? The fact that the major QID, i.e. Host Scan Time, is not being documented is the concern. When we are talking about environments of 50k devices, this type of report is not manageable. Having assets with no Host Scan Time QID populated is an issue as we try to weed out false asset detection.
"I initially planned to use this method to purge out IPs that were scanned and a network appliance responded but they are not an actual asset."
Would it help instead to search for hosts that responded to the initial ping (like a firewall on behalf of addresses that don't actually exist) but during the OS detection phase no host OS was detected? That is, there was no host on that IP?
Creating a tag for QID 45017 NOT detected would give you a useful list.
See Busby's post here.
My request for the IG report was to see if the IGs were reporting in the scan, but not in the search results, which may indicate a bug.