"Last Scan", agents, and reports

DanM · April 5, 2022, 9:37pm

I’ve been trying to write a SQL report that uses fact_asset_discovery.last_discovered, but was surprised to find that it does not reflect contacts from the Rapid7 Insight Agent. The Last Scan column on the Assets page does, however. Is there anything analogous to the Last Scan value in the reporting schema? There seems to be hardly any mention of the agent in the reporting schema documentation.

I also tried querying for the max value from dim_asset_scan.scan_finished, but that was no help.

Without going into much more detail, at the heart of this problem is the fact that we have corporate laptops running the agent which haven’t connected to the network in, sometimes, months, so they have not been scanned but we know they’re alive. (The fact that they show up in InsightVM data with an IP address from an employee’s home network is another bother associated with these assets.)

holly_wilsey · April 8, 2022, 3:14pm

I haven’t tested these in a query myself, but there are a couple other options that may get you what you’re looking for here.

The first one is “last_assessed_for_vulnerabilities” in dim_asset, which is a timestamp to denote when the asset was last scanned.

The second is “last_scan_id” in dim_site. This one may depend on how you schedule + scan your assets, but in this case you could join with dim_site_asset to get the associated assets, and dim_scan (using that scan ID) to get the “finished” timestamp for that scan.

I hope that helps some. I’d be interested in hearing if these work out for you for future query reference.

DanM · April 12, 2022, 6:00pm

Thanks, Holly. Will let you know how it works when I have a chance to get back to it.

Rocker_01 · May 25, 2022, 2:58pm

Can you please help us with the SQL query for Last Scan and first Discovered