In the IT world we regularly try to automate tasks that take up our time. We create procedures that have an input and produce an output.
One of my customers had this requirement: they needed to scan multiple subnets (with lots of dark space), and getting ping (ICMP) opened through the firewalls was a challenge.
The idea to automate their scanning process followed naturally, so I created this custom pattern. It takes as input (triggers on) the results of a Sweep Scan (configured not to ping before scanning) and produces as output a full discovery of the responding endpoints, in the form of an Open Discovery scan.
First step, we trigger on a DiscoveryRun. After asking around, this seems to be the first time someone has attempted something like that.
    scantype := "Sweep Scan";

    // Trigger when the Sweep Scan DiscoveryRun has ended (both the run and its discovery phase).
    on scan := DiscoveryRun modified where scan_level = scantype and endtime exists and discovery_endtime exists;
First thing in the body, we search for all the DiscoveryAccess nodes in that DiscoveryRun whose result is "Success".
    // DiscoveryAccess nodes of this run that answered successfully.
    endpoints := search(in scan
                        traverse List:List:Member:DiscoveryAccess
                        where result = "Success");
Following that, we need to make sure we are not adding the same endpoints to the same Open Discovery scan, in case the same endpoints are scanned multiple times.
Initially we checked the DiscoveryAccess nodes, but that proved inaccurate: the DiscoveryRun could be updated at the same time by different ECA engines, causing the pattern to trigger multiple times.
Also, on a busy system the DiscoveryAccess nodes can take some time to be created, which could lead to double entries.
So I came up with this solution of using the valid_ranges from the DiscoveryRun, but that needed some fixing up.
    if endpoints then
        // Verify that the endpoints are not already part of (or scanned in) an active Open scan.
        currentopenrun := search(DiscoveryRun where scan_type = 'Open' and not endtime);
        // Clean up and split the result to get a flat list of endpoint strings.
        currentopenrun := text.strip("%currentopenrun%", "'");
        currentopenrun := text.split("%currentopenrun%", ", ");
Now we get to the sorting process: iterate through the endpoints of the Sweep Scan that just finished and compare them with the endpoints in the currently active Open scan (if one exists). This produces the list of endpoints we will add to an Open scan later.
        endpointlist := [];
        for access in endpoints do
            // DiscoveryAccess.endpoint is the scanned IP address as a string.
            endpoint := access.endpoint;
            addendpoint := 'True';
            for currentendpoint in currentopenrun do
                if endpoint = currentendpoint then
                    addendpoint := 'False';
                end if;
            end for;
            if addendpoint = 'True' then
                list.append(endpointlist, endpoint);
            end if;
        end for;
And the final step: initiate the open scan using the discovery.scan() function (only when there is something new to scan).
        if endpointlist then
            endpointsnum := discovery.scan(endpointlist);
        end if;
    end if;
The result in endpointsnum is the count of endpoints that were added to the open scan.
If you want to enhance this pattern and need the scan to execute from a specific Outpost, you can form the call like this:
        endpointsnum := discovery.scan(endpointlist, "BMC", "outpost01");
(BMC is the name of the company and outpost01 is the name of the Outpost.)
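The fragments above assembled into one complete, loadable pattern, as an added example rather than the author's original file. The tpl version directive, the module and pattern names, the log line and the assumption that DiscoveryRun.valid_ranges is a list of plain endpoint strings (as written by discovery.scan(), so exact comparison works; CIDR ranges would never match) are mine; everything else follows the post.

```tpl
tpl 1.13 module SweepToOpen;

pattern SweepScanToOpenScan 1.0
    '''
    Trigger on a finished Sweep Scan DiscoveryRun and add every endpoint
    that answered successfully to an Open discovery run, skipping endpoints
    already queued in an Open run that has not ended yet.
    '''
    overview
        tags custom, sweep_to_open;
    end overview;

    constants
        scantype := "Sweep Scan";
    end constants;

    triggers
        // Fire once the sweep run and its discovery phase have both ended.
        on scan := DiscoveryRun modified where scan_level = scantype
                                           and endtime exists
                                           and discovery_endtime exists;
    end triggers;

    body
        // DiscoveryAccess nodes in this run that actually got a result.
        accesses := search(in scan
                           traverse List:List:Member:DiscoveryAccess
                           where result = "Success");

        if accesses then
            // Endpoints already queued in an Open run that is still active.
            queued := [];
            openruns := search(DiscoveryRun where scan_type = "Open" and not endtime);
            for run in openruns do
                // Assumption: valid_ranges is a list of endpoint strings.
                for range in run.valid_ranges do
                    list.append(queued, range);
                end for;
            end for;

            // Build the list of new endpoints, skipping anything already queued
            // and any duplicate DiscoveryAccess for the same address.
            endpointlist := [];
            for access in accesses do
                endpoint := access.endpoint;
                addendpoint := true;
                for known in queued do
                    if endpoint = known then
                        addendpoint := false;
                    end if;
                end for;
                for known in endpointlist do
                    if endpoint = known then
                        addendpoint := false;
                    end if;
                end for;
                if addendpoint then
                    list.append(endpointlist, endpoint);
                end if;
            end for;

            // Only start an Open scan when there is something new to scan.
            if endpointlist then
                endpointsnum := discovery.scan(endpointlist);
                log.info("Sweep run %scan.label%: added %endpointsnum% endpoints to an Open scan");
            end if;
        end if;
    end body;
end pattern;
```

The second inner loop (against endpointlist itself) is the guard for the case the author describes, where the same DiscoveryRun is processed more than once or a single run produces two DiscoveryAccess nodes for one address: without it the same endpoint would be handed to discovery.scan() twice in one call.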
From this point the customer simply needed to create Sweep Scan schedules and make sure the following prerequisites exist before the pattern invokes discovery.scan():
- A scheduled scan is defined that includes the address or addresses of the scan targets
- The "Allow patterns to scan in this range" check box is checked for that scan
- The scheduled scan does not need to be in its specified scan time window
- The scheduled scan needs to be activated
Hopefully this is helpful for some.
An open discovery run is a one-shot, extendable list of endpoints to scan. When an open discovery run is created, the scan starts immediately. Unlike snapshot and scheduled discovery runs, an open scan can be extended with additional endpoints.
It is possible to add any number of endpoints to an open discovery run until midnight (appliance local time) on the day the open discovery run was created.
Adding endpoints after midnight creates a new open discovery run. An open discovery run is completed when all the endpoints it contains have been scanned and the time is after midnight. Open discovery runs remove the need for Discovery to have many small snapshot scans. You can create open discovery runs using the TPL function discovery.scan.