-
1. Re: Discovery Report Query Unique List of Active IP Addresses
Jesse Richardson, May 22, 2019 6:43 PM (in response to David Blackburn)
1 of 1 people found this helpful
Successfully moved to Discovery so product experts can help
-
2. Re: Discovery Report Query Unique List of Active IP Addresses
Brice-Emmanuel Loiseaux, May 23, 2019 1:44 AM (in response to David Blackburn)
2 of 2 people found this helpful
This community post should help you to define the query you need - Re: How do I filter the results of a sweep scan for only newly discovered endpoints?
-
3. Re: Discovery Report Query Unique List of Active IP Addresses
Andrew Waters, May 23, 2019 3:24 AM (in response to Brice-Emmanuel Loiseaux)
3 of 3 people found this helpful
That is not correct. It is reporting recognised devices, which is not the same as things which are responding. For example, if you have no credentials but nmap does an OS fingerprint because something responded, you would get NoAccess.
In general, dark space no longer causes generation of DiscoveryAccess nodes (though an endpoint that used to respond will, for a period of time depending upon device ageing, create NoResponse DAs). The search
SEARCH DiscoveryAccess
WHERE _last_marker AND end_state <> 'NoResponse'
is the easy way to find all IPs which did not respond. If you have excluded IPs you would need
SEARCH DiscoveryAccess
WHERE _last_marker AND end_state not in ['NoResponse', 'Excluded']