Share This:

In the IT world we regularly try to automate tasks that take up our time. We create procedures that have an input and produce an output.

One of my customer’s had this requirement where they needed to scan multiple subnets (with lots of dark space) and having ping (ICMP) opened through the firewalls was a challenge.

The idea to automate their scanning process became apparent, so I’ve created this custom pattern that will take as an input (trigger upon) the results of a Sweep Scan (that was set not to ping before scan) and it will produce as an output the creation of a Full Discovery in the form of an Open Discovery scan.


First step, we trigger on a DiscoveryRun. This seems to be, after asking around, the first time someone has attempted something like that.


        scantype := "Sweep Scan";
    end constants;
        // Trigger when DiscoveryRun has ended.
        on scan:= DiscoveryRun modified where scan_level = scantype and endtime exists and discovery_endtime exists;
    end triggers;


First thing in the body, we search for all the DiscoveryAccess’s, in that DiscoveryRun, that have resulted with “Success”


    endpoints := search(in scan
                                          traverse List:List:Member:DiscoveryAccess where result= "Success"
                                          show endpoint);


Following that, we need to make sure that we’re not going to be adding the same endpoints in the same Open Discovery Scan, in case we’re scanning multiple times the same endpoints.

Here, initially we were checking for the DiscoveryAccess’s, but that proven to be inaccurate as the DiscoveryRun could  have been updated at the same time by different ECA engines and thus causing the pattern to trigger multiple time.

Also, on a busy system, the DiscoveryAccess’s could take some time to be created and that could lead to double entries.

So I came up with this solution of using the “valid_ranges” from the DiscoveryRun, but that needed some fixing-up.


    if endpoints then
        //verify that the endpoints are not already part/scanned in an active Open Scan
        currentopenrun := search(DiscoveryRun where scan_type = 'Open' and not endtime
                                                     show valid_ranges);
       //cleanup and spit the result to generate a list of endpoints
        currentopenrun := text.strip("%currentopenrun%", "[]'");
        currentopenrun := text.split("%currentopenrun%", ", ");


Now we’re getting into the sorting process. Iterating through the endpoints of the Sweep Scan that was just finished and the endpoints that exist in the currently active one (if one exists). This will produce the list of endpoints that we’ll add to an Open Scan later.


        endpointlist := [];
        for endpoint in endpoints do
            addendpoint := 'True';
            for currentendpoint in currentopenrun do
                if endpoint = currentendpoint then
                    addendpoint := 'False';
                end if;
            end for;
            if addendpoint = 'True' then
            end if;                                         
    end for;



And the final step, initiate the open scan by using the discovery.scan() function.

    endpointsnum := discovery.scan(endpointlist);


The result in “endpointsnum” will be the count of the endpoints that were added in the open scan.



Optional enhancement:

Now if you would like to enhance this pattern, if there is a need to execute the scan on a specific Outpost, you could by forming the command like this:


    endpointsnum:= discovery.scan(endpointlist, "BMC", "outpost01");

(BMC is the name of the company and outpost01 is the name of the Outpost)



From this point the customer simply needed to create Sweep Scan schedules and make sure some prerequisites exist before using the pattern and invoking the discovery.scan() function.


  • A scheduled scan defined that includes the address or addresses of the scan targets
  • The Allow patterns to scan in this range check box is checked for that scan
  • The scheduled scan does not need to be in its specified scan time window
  • The scheduled scan needs to be activated


Hopefully this is helpful for some.



Open discovery run

An open discovery run is a one shot extendable list of endpoints to scan. When an open discovery run is created the scan starts immediately. Unlike snapshot and scheduled discovery runs, an open scan can be extended with additional endpoints.

It is possible to add any number of endpoints to an open discovery run until midnight (appliance local time) on the same day the open discovery run was created.

Adding additional endpoints after midnight creates a new open discovery run. An open discovery run is completed when all the endpoints it contains have been scanned and the time is after midnight. Open discovery runs remove the need for Discovery to have very many small snapshot scans. You can create open discovery runs using the TPL function discovery.scan.