Summary
The table is not necessarily only showing OS detection from "hosts". "operating_system_count_pl" in queries.py returns all host_scan docs tagged with the relevant snapshot_id(s). However, it's possible that not every host_scan in those results is an active host (host: 'state.up':true). That means it's possible for us to report on OSes that cannot be related back to hosts when looking at the CyHy report.
Currently, the "Top OS" table is based on any OS that was detected by our nmap scans, regardless of whether or not any services were detected on that address. "hosts.csv" only shows hosts with active services.
This has caused a little confusion for stakeholders trying to find the devices with questionable OSs since we do not provide a list of OS to IP except for those that are considered hosts.
Could you please make the OS information reported in the Cyber Hygiene reports only about the hosts found in hosts.csv that way customers are able to pinpoint what IP has the OS they'd like to verify?
To reproduce
Open up a CyHy weekly report.
Navigate to "Top Operating System Detected" table
See that it's reporting multiple OSs not only for hosts, but for non-hosts as well
Expected behavior
The number in the OS detection table should equal (or at least not be greater than) the number of hosts. It should only be looking at those IPs with a value of "state.up = true". No non-host results should be calculated within this table.
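As an added illustration, not code from the cyhy-reports project and not its operating_system_count_pl, the following Python contrasts the counting behaviour described above (every host_scan doc in the snapshot counts) with the requested behaviour (only docs whose IP is an active host with state.up true). The host_scan and hosts document layouts, the field names, and the sample data are all constructed assumptions for this example; the consistency check at the end encodes the expected-behaviour rule that the OS table total must not exceed the number of active hosts.

```python
from collections import Counter

# Constructed sample data (not real scan results). The document shapes below are
# an assumption made for this example; the real CyHy schema may differ.
HOST_SCANS = [
    {"ip": "10.0.0.1", "name": "Linux 4.X", "snapshots": ["snap-1"]},
    {"ip": "10.0.0.2", "name": "Windows Server 2012", "snapshots": ["snap-1"]},
    {"ip": "10.0.0.3", "name": "Windows XP", "snapshots": ["snap-1"]},  # not up
    {"ip": "10.0.0.5", "name": "Windows XP", "snapshots": ["snap-1"]},  # not up
    {"ip": "10.0.0.4", "name": "Linux 4.X", "snapshots": ["snap-2"]},
]
HOSTS = [
    {"ip": "10.0.0.1", "state": {"up": True}},
    {"ip": "10.0.0.2", "state": {"up": True}},
    {"ip": "10.0.0.3", "state": {"up": False}},
    {"ip": "10.0.0.4", "state": {"up": True}},
    {"ip": "10.0.0.5", "state": {"up": False}},
]


def scans_in_snapshots(host_scans, snapshot_ids):
    """Return host_scan docs tagged with at least one of the given snapshot ids."""
    wanted = set(snapshot_ids)
    return [s for s in host_scans if wanted.intersection(s.get("snapshots", []))]


def active_host_ips(hosts):
    """IPs of hosts that nmap found up, i.e. the ones that appear in hosts.csv."""
    return {h["ip"] for h in hosts if h.get("state", {}).get("up") is True}


def os_counts_unfiltered(host_scans, snapshot_ids):
    """Behaviour described in the issue: every host_scan doc in the snapshot
    contributes to the table, whether or not its IP is an active host."""
    return Counter(
        s.get("name", "unknown") for s in scans_in_snapshots(host_scans, snapshot_ids)
    )


def os_counts_active_hosts(host_scans, hosts, snapshot_ids):
    """Requested behaviour: only host_scan docs whose IP is an active host count."""
    up = active_host_ips(hosts)
    return Counter(
        s.get("name", "unknown")
        for s in scans_in_snapshots(host_scans, snapshot_ids)
        if s["ip"] in up
    )


def table_is_consistent(os_counts, hosts):
    """Expected-behaviour check: the OS table total must not exceed the number
    of active hosts, otherwise the table is reporting on non-hosts."""
    return sum(os_counts.values()) <= len(active_host_ips(hosts))


if __name__ == "__main__":
    for label, counts in (
        ("unfiltered", os_counts_unfiltered(HOST_SCANS, ["snap-1"])),
        ("active hosts only", os_counts_active_hosts(HOST_SCANS, HOSTS, ["snap-1"])),
    ):
        print(label, dict(counts), "consistent:", table_is_consistent(counts, HOSTS))
```

With the constructed data, the unfiltered count for snap-1 reports four OS detections (two of them Windows XP on addresses that are not up) against three active hosts, so the consistency check fails; restricting to active hosts yields two detections and passes.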
Any helpful log output or screenshots
Stakeholder OS Table Example:
Same Stakeholder's Host Count: