-
1. Re: Discovery Report Query Unique List of Active IP Addresses
Jesse Richardson
May 22, 2019 6:43 PM
1 of 1 people found this helpfulSuccessfully moved to Discovery so product experts can help
-
2. Re: Discovery Report Query Unique List of Active IP Addresses
Brice-Emmanuel Loiseaux
May 23, 2019 1:44 AM
2 of 2 people found this helpfulThis community post should help you to define the query you need -
-
3. Re: Discovery Report Query Unique List of Active IP Addresses
Andrew Waters
May 23, 2019 3:24 AM
3 of 3 people found this helpfulThat is not correct. It is reporting recognised devices which is not the same as things which are responding. For example, if you have no credentials but nmap does an OS fingerprint because something responded you wold get NoAccess.
In general, dark space is no longer causes generation of DiscoveryAccess nodes (though an endpoint that used to respond will, for a period of time depending upon device ageing, create NoResponse DAs). The search
SEARCH DiscoveryAccess
WHERE _last_marker AND end_state <> 'NoResponse'
is the easy way to find all IPs which did not respond. If you have excluded IPs you would need
SEARCH DiscoveryAccess
WHERE _last_marker AND end_state not in ['NoResponse', 'Excluded']