3 of 3 people found this helpful
That is not correct. It is reporting recognised devices which is not the same as things which are responding. For example, if you have no credentials but nmap does an OS fingerprint because something responded you wold get NoAccess.
In general, dark space is no longer causes generation of DiscoveryAccess nodes (though an endpoint that used to respond will, for a period of time depending upon device ageing, create NoResponse DAs). The search
WHERE _last_marker AND end_state <> 'NoResponse'
is the easy way to find all IPs which did not respond. If you have excluded IPs you would need
WHERE _last_marker AND end_state not in ['NoResponse', 'Excluded']