I'm trying to develop a process using the Qualys APIs to identify scans that have level 4 or 5 vulnerabilities. The plan is to run this process every day, reporting on the scans and/or the vulnerabilities detected since the process last ran.
I thought about using the Findings API to retrieve vulnerabilities and use the first detected date.
I'm running into some unexpected results. The environment I will be running this process against contains multi-scan configurations. These configurations can have hundreds of WAS configurations included in them and the multi-scan can run for days. In this scenario, when I use the Findings API to download the vulnerabilities while the multi-scan is running, I can see different results over each day. So as a scan finishes it seems the results (findings) are available. But the issue is that the first detected date is always the start date/time of the multi-scan itself, not the date/time that the individual scan started. For example, let's say a multi-scan starts on 03-01 and completes on 03-04. For individual site scans that actually run on 03-04, the first detected date/time of the vulnerabilities is the start date/time of the multi-scan, 03-01. And the start date/time of the individual scan is 03-01 as well.
Is this how the multi-scan details are stored? I was expecting that if a WAS site scan actually ran on 03-04, then the start time of the scan and any vulnerabilities found during the scan would have the 03-04 date/time stamp. Am I missing something?
Is there another way (API) I should be using to achieve this? I would prefer not to have to download/save data on one day and compare it to data downloaded/saved the following day to detect any new differences. That seems a bit crude...
Does anyone have any suggestions? I'm running this in a Windows/PHP environment and would prefer a PHP solution if possible.
Thanks in advance for your help!