
I have a use case where I want to search for historical activity of services on a large number of hosts (200k+)

Currently this is my approach (using the API):

  • Search for hosts
    • For each host: get changed events within a time period
      • For each changed event: check if the event potentially matches the service criteria (e.g. port or protocol)
        • For each of these candidate events: get host details at the candidate event timestamp
          • Extract service details from response

This works, but is quite involved and consumes a lot of API credits.
Did anyone find a better way to query the service history of multiple hosts?

Thanks!

That’s the way I would do this now, @Zebaz. But we’re exploring some use cases where folks might want to consume specific host change events for hosts that match a query over time. Wondering if that would be helpful in the use case you described?

i.e.:

  1. define a query you want to monitor
  2. subscribe to specific events for hosts in that query, i.e. service observed events or DNS change events
  3. do lookups for the host at that time to get service info.

Thanks for your reply! A feature as you describe would definitely be of interest.

Some use cases I would be looking for would be something like this:

  • “Find all hosts that at one point in time had an SSH server running on port 12345”
  • “Find all hosts that first had a webserver running @ 443/TCP and later @ 8443/TCP”
  • “Find all hosts where, in one day, first an SSH service was found and subsequently an SMB service was found”

Thanks!
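The three history queries above, evaluated locally over already-collected change events so that only matching hosts need the credit-consuming detail lookups from the first post's procedure. This is an added illustration, not code from the thread or from any vendor API; the event tuple shape and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample observations: (host, observed_at, port, service_name).
# Assumed shape for illustration only; a real change-event feed will differ.
EVENTS = [
    ("10.0.0.1", "2024-01-01T10:00:00", 12345, "SSH"),
    ("10.0.0.2", "2024-01-02T09:00:00", 443, "HTTP"),
    ("10.0.0.2", "2024-02-10T09:00:00", 8443, "HTTP"),
    ("10.0.0.3", "2024-03-03T08:00:00", 22, "SSH"),
    ("10.0.0.3", "2024-03-03T14:00:00", 445, "SMB"),
    ("10.0.0.4", "2024-03-03T08:00:00", 445, "SMB"),
    ("10.0.0.4", "2024-03-05T08:00:00", 22, "SSH"),
]


def history_by_host(events):
    """Group observations per host and sort each host's timeline by time."""
    hosts = defaultdict(list)
    for host, ts, port, svc in events:
        hosts[host].append((datetime.fromisoformat(ts), port, svc))
    for timeline in hosts.values():
        timeline.sort()
    return hosts


def _matches(obs, pattern):
    """pattern is (service_name, port); port None means any port."""
    svc, port = pattern
    return obs[2] == svc and (port is None or obs[1] == port)


def hosts_ever_running(hosts, service, port):
    """Use case 1: hosts that at any point had <service> on <port>."""
    return sorted(h for h, tl in hosts.items()
                  if any(_matches(o, (service, port)) for o in tl))


def hosts_with_sequence(hosts, first, then, within_days=None):
    """Use cases 2 and 3: `first` observed, then `then` observed strictly later
    in the host's timeline, optionally no more than `within_days` apart."""
    limit = None if within_days is None else timedelta(days=within_days)

    def has_sequence(tl):
        for i, a in enumerate(tl):
            if _matches(a, first):
                for b in tl[i + 1:]:
                    if _matches(b, then) and (limit is None or b[0] - a[0] <= limit):
                        return True
        return False

    return sorted(h for h, tl in hosts.items() if has_sequence(tl))
```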
