Is it possible to use VM scan to find the unknown hosts on network, such as non-domain member computers, recently added computers in a period?
You can start with the Unknown device report. This report compares the approved hosts list for a particular domain to saved map results. This report is useful for detecting rogue devices that may have been placed on your network without authorization.
Configure a list of hosts that are approved for the domain you want to report on. Any host that is not in the approved hosts list for the domain will be considered rogue when you run the Unknown Device Report.
Under VM, go to Assets > Domains. Edit the domain you're interested in from the Quick Actions menu. Click Configure next to Approved Hosts. You can add hosts to the approved hosts list manually, add hosts from an asset group or add hosts from a saved map.
Under VM, go to Reports > Templates. Find the Unknown Device Report template in the list and select Run from the Quick Actions menu. On the New Map Report page, provide report details (title and format), select the domain you want to report on and then choose one or two saved map results that you want to compare to the approved hosts list for the domain. Click Run.
The Unknown Device Report is generated and appears in the report format that you selected at run time. By default, only rogue hosts are listed in the report. If the report template was edited so that approved hosts are also included in the report, then you can tell which hosts are approved and which hosts are rogue by looking at the Approved (A) column. If an "A" appears in this column, then the host is approved. If this column is blank, then the host is rogue.
I also suggest scheduling a weekly map of your network. This way, when you get to work on Monday, you will have an email from Qualys indicating if you have changes within your network. Here is the email I receive every week. Hope this helps, Jack.
Email map summary by QualysGuard
Map Title : Weekly Map
Start Date : 09/04/2011 at 14:02:12 (GMT-0800)
Duration : 00:01:00
Target Groups : No Group
Hosts Found : 37 (= No Change)
Option Profile : Initial Options
Launched By : Jimmy Bennett (quays_ib6)
Company : Qualys
Launch Type : Scheduled
Status : Finished
(+)(-)(=): Difference in the total number of hosts found since the previous discovery for
the target domain (regardless of netblock). For a complete explanation of
trend information, refer to the "Map Summary" topic in the main online help.
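The comparison behind the Unknown Device Report and the weekly map trend, sketched as an added example (not Qualys code and not part of the original posts). The approved-list entry formats, function names and sample IPs are assumptions constructed for illustration; the sample shows that an "=" host count between two maps can hide one host being replaced by another.

```python
import ipaddress

def parse_approved(entries):
    """Turn approved entries (single IP, CIDR, or 'start-end' range) into networks."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def unknown_device_report(approved_entries, map_results, include_approved=False):
    """Rows of (ip, flag) for hosts seen in one or two maps; flag 'A' = approved, '' = rogue."""
    nets = parse_approved(approved_entries)
    seen = sorted(set().union(*map_results), key=ipaddress.ip_address)
    rows = []
    for ip in seen:
        addr = ipaddress.ip_address(ip)
        rows.append((ip, "A" if any(addr in net for net in nets) else ""))
    # By default only rogue hosts are listed, as in the report described above.
    return rows if include_approved else [r for r in rows if r[1] == ""]

def map_trend(previous, current):
    """Hosts added and removed between two maps, plus the count marker (+N, -N or =)."""
    prev, curr = set(previous), set(current)
    added = sorted(curr - prev, key=ipaddress.ip_address)
    removed = sorted(prev - curr, key=ipaddress.ip_address)
    delta = len(curr) - len(prev)
    return added, removed, "=" if delta == 0 else f"{delta:+d}"

# Constructed sample data (not taken from the thread).
APPROVED = ["10.0.0.0/28", "10.0.1.5", "10.0.2.10-10.0.2.20"]
MAP_PREV = ["10.0.0.1", "10.0.1.5", "10.0.2.15", "10.0.3.7"]
MAP_CURR = ["10.0.0.1", "10.0.1.5", "10.0.2.15", "10.0.9.99"]

if __name__ == "__main__":
    for ip, flag in unknown_device_report(APPROVED, [MAP_PREV, MAP_CURR], include_approved=True):
        print(f"{ip:<12} {flag or '(rogue)'}")
    added, removed, marker = map_trend(MAP_PREV, MAP_CURR)
    print(f"Hosts Found: {len(set(MAP_CURR))} ({marker}) added={added} removed={removed}")
```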
Thank you Jimmy!
Is there a way to use it in order to know which assets/IPs from the subscription are no longer part of the network and therefore purge them in Qualys?
As you may already know, vulnerability scanning is only available on IPs that are a part of your subscription, while a discovery scan can happen on any valid and reachable IP. Purge is applicable to IPs that have been scanned at least once. Otherwise you need to drop the IP from the subscription.
In order to identify the IPs that are no longer a part of the network, you can use a logic called "Last scan date". To do that, you will need to run an Asset search on hosts not scanned within X amount of days, given your scan frequency. Once you have identified hosts that have not been scanned for a while, you could then check if they still belong to your VM program scope. If they do not, then you may choose to purge data about them or maybe entirely drop them from your subscription, depending on whether or not you need to retain data about them for your retention for compliance requirements.
If you want to find out IPs that happen to consume a license each but are hosts that do not actually exist or are free IPs, then you may do the following: