Getting list of hosts that weren't scanned x days ago using API

Question asked by Alexandre Philbert on May 21, 2019
Latest reply on Jun 3, 2019 by Alexandre Philbert

From AssetView I get ~4k results using the following query:

lastVmScanDate<2019-02-21

 

When I try with the /api/2.0/fo/asset/host endpoint I get way more when using the API (I stopped the execution because it takes too long, I tried both "no_vm_scan_since" and "vm_scan_date_before"):

call = '/api/2.0/fo/asset/host/'
parameters = {
    'action': 'list',
    'no_vm_scan_since': args.vm_scan_date_before,
    #'vm_scan_date_before': args.vm_scan_date_before,
    'details': 'None'
}

$ python3 list_hosts_not_scanned_since.py -d "2019-02-21"
0 hosts found up to date... starting from None
1000 hosts found up to date... starting from 37979308
2000 hosts found up to date... starting from 63623941
3000 hosts found up to date... starting from 63909900
4000 hosts found up to date... starting from 67232755
5000 hosts found up to date... starting from 70252560
6000 hosts found up to date... starting from 72669722
[...]

 

Same thing happens using the /qps/rest/2.0/search/am/hostasset/ endpoint (with xml as input):

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
<filters>
<Criteria field="lastVulnScan" operator="LESSER">2019-02-21</Criteria>
</filters>
</ServiceRequest>

 

I've also tried creating a "dynamic" tag in AssetView (re-evaluate on save) and I get around 4.75k results (slightly more than the initial AssetView query):

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<LAST_SCAN_DATE>
<SEARCH_TYPE>NOT_WITHIN</SEARCH_TYPE>
<DAYS>90</DAYS>
</LAST_SCAN_DATE>
</TAG_CRITERIA>

 

I am currently trying with the /api/2.0/fo/report/asset/ endpoint. Currently waiting for a response, seems to be hanging. We have a lot of assets in our subscription. Will try with smaller asset groups later.

 

Please let me know what I'm doing wrong or if something is wrong with the API, since I can't seem to get the same numbers using the different provided options. To this day I'm still unsure how many assets need to be purged.
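
Added example, not part of the original post: one way to total the host IDs returned by the paginated /api/2.0/fo/asset/host/ listing described above when 'details': 'None' is set, expanding ID_RANGE entries, de-duplicating across pages, and stopping if pagination fails to advance. The XML pages and the qualysapi.example host are constructed samples; the ID_SET / WARNING / id_min response layout and the fetch callback are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed sample pages (not real Qualys output), keyed by the id_min that requests them.
PAGES = {
    None: """<HOST_LIST_OUTPUT><RESPONSE><ID_SET>
        <ID_RANGE>100-102</ID_RANGE><ID>110</ID></ID_SET>
        <WARNING><CODE>1980</CODE><URL><![CDATA[https://qualysapi.example/api/2.0/fo/asset/host/?action=list&details=None&id_min=111]]></URL></WARNING>
        </RESPONSE></HOST_LIST_OUTPUT>""",
    111: """<HOST_LIST_OUTPUT><RESPONSE><ID_SET>
        <ID>111</ID><ID_RANGE>120-121</ID_RANGE></ID_SET>
        </RESPONSE></HOST_LIST_OUTPUT>""",
}

def parse_page(xml_text):
    """Return (set of host IDs on this page, id_min of the next page or None)."""
    root = ET.fromstring(xml_text)
    ids = set()
    for el in root.iterfind(".//ID_SET/*"):
        if el.tag == "ID":
            ids.add(int(el.text))
        elif el.tag == "ID_RANGE":  # assumed "low-high", inclusive: one entry, many hosts
            low, high = (int(part) for part in el.text.split("-"))
            ids.update(range(low, high + 1))
    next_url = root.findtext(".//WARNING/URL")
    if not next_url:
        return ids, None  # no truncation warning: this was the last page
    query = parse_qs(urlparse(next_url.strip()).query)
    return ids, int(query["id_min"][0])

def collect_host_ids(fetch):
    """Follow id_min pagination; fetch(id_min) is a hypothetical callback returning one XML page."""
    seen, id_min = set(), None
    while True:
        ids, next_min = parse_page(fetch(id_min))
        seen |= ids  # a set, so a host repeated across pages is counted once
        if next_min is None:
            return seen
        if id_min is not None and next_min <= id_min:
            raise RuntimeError("pagination did not advance past id_min=%d" % id_min)
        id_min = next_min

if __name__ == "__main__":
    print(len(collect_host_ids(PAGES.__getitem__)), "hosts")
```

Counting elements instead of expanded IDs would undercount here (4 entries versus 7 hosts), which is worth ruling out when comparing totals across endpoints.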
