Inside the alert object for my regular network discovery scan, I chose to produce a Delta Report against the previously run task of the same name. In the emailed report, I get lots of identical results, which is what I expect. I then end up scrolling through the report looking for that icon in the top left of each section to NOT be an equals sign and examine those to see if they are a scanner blip, a transient port that is known to change on it’s own or a legitimate change in my environment.
Does anyone know if there’s a way to make the Delta report leave out any results that are identical between the 2 reports? The items that are equal are pretty easy to pick out, but I’d prefer an option that doesn’t involve scrolling through a bunch of information that is of no use in this context and risk glossing over something important.
I didn’t know that was an option. Thanks so much! At least I can do it through the web interface.
Can this filter be applied to emailed reports delivered via the alert mechanism? I don’t see a spot for it through the Alert configuration in the web interface, but perhaps somewhere under the hood?
I see there’s a filter option for report generation conditions, but I don’t think that’s the right kind of filter to filter report content. Or am I wrong?
If this is only available in the web interface that’s certainly a workaround I can live with, but I was hoping to get a report delivered by email that only contained “interesting” data in this context.
You can specify this filter not using the s flag there and the delta report configured within the alert should arrive without identical items (at least it is doing this on my GVM-20.08 setup.
Interesting. I’ll have to give this a try. My earlier assumption it wouldn’t work was based upon my theorizing the following (almost certain to occur) situation.
At point 0 there is a scheduled scan with all sorts of vulnerabilities related to needed patches. Over the course of week 1, patches are applied. At the end of week 1, an automated scan runs with an alert to produce a delta report against the previous run (at point 0) and in the conditions there is a filter for “delta_states=gcn matches at least one result more than the previous scan”. The delta report shows all sorts of changes, mostly related to vulnerabilities that are gone now that I’ve patched. One week later, the scheduled scan happens again with the Alert to produce the delta report setting the condition filter as described but now that there wasn’t any patching and / or it was a slow week for newly discovered vulnerabilities, the condition “filter matches at least one result MORE than previous scan” is not true and no alert would go out, meaning no delta report delivered. Even though there were SOME changes, it wasn’t as many as happened last week so the way I’m understanding the condition filter, the Alert will not meet conditions where what I ACTUALLY want to see is the delta report whether there were more or less changes than the previous run.
Have I missed something fundamental to the nature of alerts here? What I’m sort of looking for is a condition of “Always” WITH a filter of “delta_states=gcn”. That’s why I was looking to see if there was some sort of “under the hood” option to modify the alerts so it ALWAYS runs but WITH a filter on the results (which doesn’t appear to be available in the WUI).
If not, I can of always run scheduled scans with a simple alert to prompt a login to the WUI and examination of a delta report with a delta states filter, I’m just trying to chase down optimal automation, if I can.
