Interesting. I’ll have to give this a try. My earlier assumption that it wouldn’t work was based upon my theorizing the following (almost certain to occur) situation.
At point 0 there is a scheduled scan with all sorts of vulnerabilities related to needed patches. Over the course of week 1, patches are applied. At the end of week 1, an automated scan runs with an alert to produce a delta report against the previous run (at point 0), and in the conditions there is a filter for “delta_states=gcn matches at least one result more than the previous scan”. The delta report shows all sorts of changes, mostly related to vulnerabilities that are gone now that I’ve patched.
One week later, the scheduled scan happens again with the Alert to produce the delta report, setting the condition filter as described, but now that there wasn’t any patching and/or it was a slow week for newly discovered vulnerabilities, the condition “filter matches at least one result MORE than previous scan” is not true and no alert would go out, meaning no delta report delivered. Even though there were SOME changes, it wasn’t as many as happened last week, so the way I’m understanding the condition filter, the Alert will not meet conditions, where what I ACTUALLY want to see is the delta report whether there were more or less changes than the previous run.
Have I missed something fundamental to the nature of alerts here? What I’m sort of looking for is a condition of “Always” WITH a filter of “delta_states=gcn”. That’s why I was looking to see if there was some sort of “under the hood” option to modify the alerts so it ALWAYS runs but WITH a filter on the results (which doesn’t appear to be available in the WUI).
If not, I can always run scheduled scans with a simple alert to prompt a login to the WUI and examination of a delta report with a delta states filter; I’m just trying to chase down optimal automation, if I can.
Thanks so much for all your help,