AnsweredAssumed Answered

How can I detect Agents not executing VM scans?

Question asked by Steven Heranic on Feb 5, 2019
Latest reply on Feb 11, 2019 by Jake VanMast

Concern: We have seen agents "break" such that they continue to check-in but are not providing updated vulnerability data and we need a way to find and track those systems. Our current tracking solution is a Qualys Dashboard to list systems tagged with "Cloud Agent", a "lastCheckedIn" within the past week, but no "lastVmScanDate" within the past two weeks.  (those specific timeframes are somewhat arbitrary)

 

Scanning Posture: We currently have agents deployed across all supported platforms.  We also execute weekly authenticated network scans.  Leveraging Unified View, we only have a single host record that is updated by both the agent and network scans. 

 

Problem: Since unified view would be updating the "lastVmScanDate" field when an authenticated network scan is executed, we are likely missing systems with agents that aren't actively scanning.  How can we better define our query to ensure we capture those systems with broken agents?

Is there an agent specific analog to "lastVmScanDate"?

Outcomes