Create PC Option Profile

POST /api/2.0/fo/subscription/option_profile/pc/?action=create

Create a PC option profile for compliance scans (using SCA or PC) in the user's account.

Permissions - A Manager will be able to create option profiles in the subscription. A Unit Manager will be able to create option profiles for users in their business unit.

Note: The create PC option profile API is available as part of one of the following subscription combinations only:
- PC and API add-on
- PC, SCA, and API add-on
- VMDR, SCA, and API add-on

Input Parameters

Parameter

Required/Optional

Data Type

Description

action=create

Required

String 

Specify action to create PC option profile

echo_request={0|1}

Optional

Integer 

Specify 1 to view (echo) input parameters in the XML output. By default these are not included.

title={value}

Required

String 

The title of the option profile.

owner={value}

Optional

Integer 

The owner of the option profile(s), or the user who created the option profile.

global={0|1}

Optional

Integer 

Share this profile with other users by making it global. Specify 1 to make the option profile global.

Are you a Manager? This profile will be available to all users.

Are you a Unit Manager? This profile will be available to all users in your business unit.

scan_parallel_scaling={0|1}

Optional

Integer 

Specify 1 to enable parallel scaling. This setting can be useful in subscriptions which have physical and virtual scanner appliances with different performance characteristics (e.g., CPU, RAM).  

Specify this option to dynamically scale up the number of hosts to scan in parallel (at scan time) to a calculated value which is based upon the computing resources available on each appliance. Note that the number of hosts to scan in parallel value determines how many hosts each appliance will target concurrently, not how many appliances will be used for the scan.

Scan

scan_overall_performance={high|normal|low|custom}

Optional

Boolean 

The profile “normal” is recommended in most cases. The settings for scan_external_scanners, scan_scanner_appliances, scan_total_process, scan_http_process, scan_packet_delay, and scan_intensity change as per the specified profile.

Valid values are: high, normal, low and custom. Normal is the default.

Normal - Well balanced between intensity and speed.

High - Recommended only when scanning a single IP or a small number of IPs. Optimized for speed and shorter scan times.

Low - Recommended if responsiveness for individual hosts and services is low. Optimized for low bandwidth network connections and highly utilized networks. May take longer to complete.

scan_external_scanners={value}

Optional

Integer 

Specify the number of external scanners to be used for associated scans. This setting is available only if you have multiple external scanners in your subscription. For example, if you have 10 external scanners in your subscription, you can configure this setting to any number between 1 to 10.

scan_scanner_appliances={value}

Optional

Integer 

Specify the number of scanner appliances to scan at the same time (per scan task). Launching several concurrent scans on the same scanner appliance has a multiplying effect on bandwidth usage and may exceed available scanner resources. Don't have scanner appliances? Disregard the Scanner Appliance setting.

scan_total_process={value}

Optional

Integer

Specify the maximum number of processes to run at the same time per host. Note that the total number of processes includes the HTTP processes.

scan_http_process={value}

Optional

Integer 

Specify the maximum number of HTTP processes to run at the same time.

scan_packet_delay={minimum|short|medium|long|maximum}

Optional

Boolean 

Specify the delay between groups of packets sent to each host during a scan. With a short delay, packets are sent more frequently. With a long delay, packets are sent less frequently.

scan_intensity={normal|medium|low|minimum}

Optional

Boolean 

This setting determines the aggressiveness (parallelism) of port scanning and host discovery at the port level. Lowering the intensity level has the effect of serializing port scanning and host discovery. This is useful for certain network conditions like cascading firewalls and lower scan prioritization on the network. Tip - If you are scanning through a firewall we recommend you reduce the intensity level. Unauthenticated scans see more of a performance difference using this option.

scan_by_policy={0|1}

Optional

Integer

Specify 1 to enable scan by policy. The Scan by Policy option allows you to restrict your scans to the controls in specified policies. You can choose up to 20 policies, one policy at a time. Once you've specified a policy, all controls in that policy will be scanned including any special control types in the policy. This is regardless of the Control Types settings in the profile.

policy_names={value1,value2}

Optional

Integer 

Specify policy names to scan by policy.

policy_ids={value1,value2}

Optional

Integer 

Specify policy IDs to scan by policy.

auto_update_expected_value={0|1}

Optional

Integer 

Specify 1 to update the control expected value used for posture evaluation with the actual value returned by the scan.

fim_controls_enabled={0|1}

Optional

Integer 

Specify 1 to perform file integrity monitoring based on user defined file integrity checks. A file integrity check is a user defined control that checks for changes to a specific file. You should set auto_update_expected_value=1 in order to use this parameter.

custom_wmi_query_checks={0|1}

Optional

Integer 

Specify 1 to run Windows WMI query checks. When enabled, WMI query checks will be performed for user defined WMI Query Check controls.

enable_dissolvable_agent={0|1}

Optional

Integer 

Specify 1 to enable dissolvable agent. This is required for certain scan features like Windows Share Enumeration. How does it work? At scan time the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from target systems.

enable_password_auditing={0|1}

Optional

Integer 

Specify 1 to check for service provided password auditing controls (control IDs 3893, 3894 and 3895). These controls are used to identify 1) user accounts with empty passwords, 2) user accounts with the password equal to the user name, and 3) user accounts with passwords equal to an entry in a user-defined password dictionary. This setting is available only if enable_dissolvable_agent=1.

custom_password_dictionary={value1,value2}

Optional

Integer 

Specify passwords in order to create a password dictionary. This is used when evaluating control ID 3895, which identifies user accounts where the password is equal to an entry in the password dictionary.

enable_windows_share_enumeration={0|1}

Optional

Integer 

Specify 1 to use Windows Share Enumeration to find and report details about Windows shares that are readable by everyone. This test is performed using QID 90635. Make sure 1) the Dissolvable Agent is enabled, 2) QID 90635 is included in the Vulnerability Detection section, and 3) a Windows authentication record is defined.

enable_windows_directory_search={0|1}

Optional

Integer 

Specify 1 if you've set up Windows Directory Search controls and want to include them in the scan. This custom control allows you to search for files/directories based on various criteria like file name and user access permissions.

scan_ports={standard|targeted}

Required

Boolean 

Specify “standard” to enable standard scan of TCP ports. See Appendix B - Ports used for scanning for a list of ports used for standard scan.

Specify “targeted” to perform a targeted scan.

Which ports are included in a targeted scan?

For Unix hosts, these well known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on these well known ports for the hosts you will be scanning, specify this option and define a custom ports list in the Unix authentication record. Note: The actual ports scanned also depends on the Ports setting in the Unix authentication record.

For Windows hosts, the service scans a fixed set of required Windows ports (a service defined, internal list).

mssql_db_udc_restriction={0|1}

Optional

Integer 

Set value to 1 if you want to specify a limit on the number of rows to be returned per scan for custom MS SQL Database checks.

mssql_db_udc_limit={value}

Optional

Integer 

Provide a value to define the number of rows to be returned per scan (default is 256).

oracle_db_udc_restriction={0|1}

Optional

Integer 

Set value to 1 if you want to specify a limit on the number of rows to be returned per scan for custom Oracle Database checks.

oracle_db_udc_limit={value}

Optional

Integer 

Provide a value to define the number of rows to be returned per scan (default is 5000).

sybase_db_udc_restriction={0|1}

Optional

Integer 

Set value to 1 if you want to specify a limit on the number of rows to be returned per scan for custom Sybase Database checks.

sybase_db_udc_limit={value}

Optional

Integer 

Provide a value to define the number of rows to be returned per scan (default is 256). Maximum allowed limit for Sybase is 2500 rows.

postgreSQL_db_udc_restriction={0|1}

Optional

Integer 

Set value to 1 if you want to specify a limit on the number of rows to be returned per scan for custom PostgreSQL/Pivotal Greenplum Database checks.

postgreSQL_db_udc_limit={value}

Optional

Integer 

Provide a value to define the number of rows to be returned per scan (default is 256). Maximum allowed limit for PostgreSQL/Pivotal Greenplum is 5000 rows.

sapiq_db_udc_restriction={0|1}

Optional

Integer 

Set value to 1 if you want to specify a limit on the number of rows to be returned per scan for custom SAP IQ Database checks.

sapiq_db_udc_limit={value}

Optional

Integer 

Provide a value to define the number of rows to be returned per scan (default is 256). Maximum allowed limit for SAP IQ is 10000 rows.

db2_db_udc_restriction= {0|1}

Optional

Integer 

Set value to 1 if you want to specify a limit on the number of rows to be returned per scan for custom IBM DB2 Database checks.

db2_db_udc_limit= {value}

Optional

Integer 

The default value is 256 and maximum allowed limit is 5000 rows.

enable_auth_instance_discovery={0|1}

Optional to create or update option profile record

Integer 

Specify enable_auth_instance_discovery=1 to enable automatic instance discovery and system record creation for the chosen auth types. When unspecified (enable_auth_instance_discovery=0), no scan is performed to auto discover instances. The parameters enable_auth_instance_discovery, scan_by_policy and include_system_auth are mutually exclusive and cannot be specified together in the same request.

In the UI, this parameter is a check box referred to as "Allow instance discovery..." in the System Authentication Records section in the Scan tab on the New/Edit Compliance Profile page.

auto_auth_types={value}

Optional to create or update option profile record

Boolean 

Specify the technologies for which you want to enable automatic instance discovery and system record creation. The valid values are: Apache Web Server, IBM WebSphere App Server, Jboss Server, Tomcat Server, Oracle and MongoDB. Multiple technologies are specified as comma separated values. This parameter can only be specified if enable_auth_instance_discovery=1.

ibm_was_discovery_mode={value}

Optional to create or update option profile record

String 

Specify ibm_was_discovery_mode=server_dir to auto discover instances at the server directory level. Specify ibm_was_discovery_mode=installation_dir to auto discover instances at the installation directory level.

When unspecified and auto_auth_types=IBM WebSphere App Server, we will auto discover instances at the installation directory level.

This parameter can only be specified if auto_auth_types includes IBM WebSphere App Server.

oracle_template_id={value}

Optional

Integer 

The Template ID for the Oracle system record template you want to assign to the compliance profile for discovery scans.

When auto_auth_types=Oracle is specified, then oracle_template_id or oracle_template_name must also be specified.

oracle_template_name={value}

Optional

String 

The Template Name for the Oracle system record template you want to assign to the compliance profile for discovery scans.

When auto_auth_types=Oracle is specified, then oracle_template_id or oracle_template_name must also be specified.

mongodb_template_id={value}

Optional

Integer 

The Template ID for the MongoDB system record template you want to assign to the compliance profile for discovery scans.

When auto_auth_types=MongoDB is specified, then mongodb_template_id or mongodb_template_name must also be specified.

mongodb_template_name={value}

Optional

String 

The Template Name for the MongoDB system record template you want to assign to the compliance profile for discovery scans.

When auto_auth_types=MongoDB is specified, then mongodb_template_id or mongodb_template_name must also be specified.

include_system_auth={0|1}

Optional to create or update option profile record

Integer 

Specify include_system_auth=1 if you have a system created auth record and a user created auth record for the same instance configuration and want to choose which one to include for scans. When unspecified (include_system_auth=0), the system record is selected for the scan by default.

When include_system_auth=1, one of these parameters should be enabled: use_system_auth_on_duplicate or use_user_auth_on_duplicate.

In the UI, this parameter is a check box referred to as "Use System Authentication Records" in the System Authentication Records section in the Scan tab on the New/Edit Compliance Profile page.

use_system_auth_on_duplicate={0|1}

Optional to create or update option profile record

Integer 

Specify use_system_auth_on_duplicate=1 to include system created auth record if you have a system record and user record for the same instance configuration.

The parameters use_system_auth_on_duplicate and use_user_auth_on_duplicate are mutually exclusive and can only be specified if "include_system_auth=1".

use_user_auth_on_duplicate={0|1}

Optional to create or update option profile record

Integer 

Specify use_user_auth_on_duplicate=1 to include user created authentication record if you have a system record and user record for the same instance.

The parameters use_system_auth_on_duplicate and use_user_auth_on_duplicate are mutually exclusive and can only be specified if "include_system_auth=1".

Instance Data Collection

enable_instance_data_collection={0|1}

Optional

Integer 

Specify 1 to enable database instance data collection by using underlying OS authentication record. By default, this option is disabled.

Note: If you are using the respective database authentication records for compliance scans, we recommend that you do not enable this option. If you enable it, you see duplicate results in compliance reports: one set obtained through the database authentication records and another through the OS-based authentication records. This functionality is useful where a team responsible for compliance assessment of host operating systems does not have access to database authentication records; such a team can still scan database instances running on host assets by using OS-based authentication records.

instance_data_collection_auth_types={value}

Optional

Boolean 

Specify the database technologies for which you want to enable OS authentication-based data collection. The valid values are: IBM DB2, InformixDB, MongoDB, MSSQL, MySQL, Oracle, Pivotal Greenplum, PostgreSQL, Sybase. You can use this parameter only if you set the value of the enable_instance_data_collection parameter to 1.

enable_os_based_instance_discovery={0|1}

Optional

Integer 

Set the value to 1 to enable technology instance data collection by using underlying OS authentication record. By default, this option is disabled.

os_based_instance_disc_technologies={value}

Optional

Boolean 

Specify a comma-separated list of technologies to enable OS authentication-based data collection. Currently, we support Oracle JRE and IBM WebSphere Liberty. Hence, the valid values are: Oracle JRE and IBM WebSphere Liberty. You can use this parameter only if you set the value of the enable_os_based_instance_discovery parameter to 1.

Additional

additional_tcp_ports={0|1}

Optional

Integer 

Specify 1 to enable host discovery on additional TCP ports. Default setting is 1.

additional_tcp_ports_standard_scan={0|1}

Optional

Integer 

Specify 1 to enable standard scan of additional TCP ports. Standard Scan includes 13 ports: 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445. Default setting is 1.

additional_tcp_ports_additional={value1,value2}

Optional

Integer 

Specify additional TCP ports to scan. You can specify up to 20 ports including the standard scan ports.

additional_udp_ports={0|1}

Optional

Integer 

Specify 1 to enable host discovery on additional UDP ports. Default setting is 1.

additional_udp_ports_type={standard|custom}

Optional

Boolean 

Specify “standard” to enable standard scan of additional UDP ports. Standard Scan includes 6 ports: 53, 111, 135, 137, 161, 500. Default is “standard”.

Specify “custom” to provide a custom list of ports using additional_udp_ports_custom.

additional_udp_ports_custom={value1,value2}

Optional

Integer 

Specify additional UDP ports to scan. You can specify up to 10 ports including the standard scan ports.

icmp={0|1}

Optional

Integer 

Specify 1 to only discover live hosts that respond to an ICMP ping. Default setting is 1.

blocked_resources={0|1}

Optional

Integer 

Specify 1 in order to add ports protected by your firewall/IDS to prevent them from being scanned.

protected_ports={default|custom}

Optional

Boolean 

Ports protected by your firewall/IDS. Specify “default” to provide a list of default blocked ports: 0-1, 111, 513-514, 2049, 4100, 6000-6005, 7100, 8000. Default setting is “default”.

Specify “custom” to provide a custom list of protected ports using protected_ports_custom.

protected_ports_custom={value1,value2}

Optional

Integer 

Specify a custom list of protected ports.

protected_ips={all|custom}

Optional

Boolean 

IP addresses and ranges protected by your firewall/IDS. Default is “all”.

protected_ips_custom={value1,value2}

Optional

Integer 

Specify a custom list of IP addresses and ranges protected by your firewall/IDS.

ignore_rst_packets={0|1}

Optional

Integer 

Specify 1 to ignore all TCP RESET packets - firewall-generated and live-host-generated.

ignore_firewall_generated_tcp_syn_ack_packets={0|1}

Optional

Integer 

Specify 1 to determine if TCP SYN-ACK packets are generated by a filtering device and ignore packets that appear to originate from such devices.

not_send_tcp_ack_or_syn_ack_packets_during_host_discovery={0|1}

Optional

Integer 

Specify 1 if you do not want to send TCP ACK or SYN-ACK packets. Out of state TCP packets are not SYN packets and do not belong to an existing TCP session.

Sample - Create PC Option Profile

API Request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With:curl" -X POST -d "action=create&title=pcjp&global=1&scan_parallel_scaling=1&scan_overall_performance=high&scan_by_policy=1&policy_names=jp2&auto_update_expected_value=1&scan_ports=standard&additional_tcp_ports=1&not_send_tcp_ack_or_syn_ack_packets_during_host_discovery=1" "https://<qualys_base_url>/api/2.0/fo/subscription/option_profile/pc/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "http://<qualys_base_url>/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2018-04-10T11:10:36Z</DATETIME>
    <TEXT>Compliance Option profile successfully added.</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>39044</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>
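As an added example (not Qualys' own client code), the following Python enforces the cross-parameter rules from the parameter table above and the per-database row limits of the Database UDC section below, builds the form body that the curl samples post, and extracts the new profile ID from a SIMPLE_RETURN reply. The sample reply is constructed; no server or credentials are assumed.

```python
# Added example, not Qualys' own client code: build the form body for
# POST .../option_profile/pc/?action=create, enforcing the cross-parameter
# rules documented on this page, and parse the SIMPLE_RETURN reply.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Maximum rows per *_db_udc_limit parameter, as listed on this page.
UDC_LIMIT_MAX = {"mssql": 256, "oracle": 5000, "sybase": 2500,
                 "postgreSQL": 5000, "sapiq": 10000, "db2": 5000}
# These three cannot appear together in one request.
EXCLUSIVE = ("enable_auth_instance_discovery", "scan_by_policy", "include_system_auth")


def validate_pc_profile(p):
    """Return the documented constraints that the parameter dict p violates."""
    errors = []
    if not p.get("title"):
        errors.append("title is required")
    if p.get("scan_ports") not in ("standard", "targeted"):
        errors.append("scan_ports must be standard or targeted")
    if p.get("scan_overall_performance", "normal") not in ("high", "normal", "low", "custom"):
        errors.append("scan_overall_performance must be high, normal, low or custom")
    together = [k for k in EXCLUSIVE if k in p]
    if len(together) > 1:
        errors.append("mutually exclusive: " + ", ".join(together))
    policies = [x for k in ("policy_names", "policy_ids") for x in p.get(k, "").split(",") if x]
    if len(policies) > 20:
        errors.append("scan_by_policy allows at most 20 policies")
    techs = {t.strip() for t in p.get("auto_auth_types", "").split(",") if t.strip()}
    if techs and p.get("enable_auth_instance_discovery") != "1":
        errors.append("auto_auth_types requires enable_auth_instance_discovery=1")
    for tech, pre in (("Oracle", "oracle"), ("MongoDB", "mongodb")):
        if tech in techs and not (p.get(pre + "_template_id") or p.get(pre + "_template_name")):
            errors.append(f"auto_auth_types={tech} needs {pre}_template_id or {pre}_template_name")
    if "ibm_was_discovery_mode" in p and "IBM WebSphere App Server" not in techs:
        errors.append("ibm_was_discovery_mode needs auto_auth_types to include IBM WebSphere App Server")
    dup = [k for k in ("use_system_auth_on_duplicate", "use_user_auth_on_duplicate") if p.get(k) == "1"]
    if dup and p.get("include_system_auth") != "1":
        errors.append("use_*_auth_on_duplicate requires include_system_auth=1")
    if len(dup) > 1:
        errors.append("use_system_auth_on_duplicate and use_user_auth_on_duplicate are mutually exclusive")
    if p.get("fim_controls_enabled") == "1" and p.get("auto_update_expected_value") != "1":
        errors.append("fim_controls_enabled needs auto_update_expected_value=1")
    if p.get("enable_password_auditing") == "1" and p.get("enable_dissolvable_agent") != "1":
        errors.append("enable_password_auditing needs enable_dissolvable_agent=1")
    for db, cap in UDC_LIMIT_MAX.items():
        limit = p.get(f"{db}_db_udc_limit")
        if limit is not None and not (limit.isdigit() and 1 <= int(limit) <= cap):
            errors.append(f"{db}_db_udc_limit must be between 1 and {cap}")
    if len([x for x in p.get("additional_tcp_ports_additional", "").split(",") if x]) > 20:
        errors.append("additional_tcp_ports_additional allows at most 20 ports")
    return errors


def build_create_body(p):
    """Form-encoded request body, or ValueError listing every violated rule."""
    errors = validate_pc_profile(p)
    if errors:
        raise ValueError("; ".join(errors))
    return urlencode({"action": "create", **p})


def parse_simple_return(xml_text):
    """Return (TEXT, new profile ID) from a SIMPLE_RETURN document."""
    root = ET.fromstring(xml_text)
    new_id = None
    for item in root.iterfind("RESPONSE/ITEM_LIST/ITEM"):
        if item.findtext("KEY") == "ID":
            new_id = item.findtext("VALUE")
    return root.findtext("RESPONSE/TEXT"), new_id


# Constructed reply in the shape of the XML output samples on this page.
SAMPLE_REPLY = """<?xml version="1.0" encoding="UTF-8" ?>
<SIMPLE_RETURN><RESPONSE><DATETIME>2024-01-01T00:00:00Z</DATETIME>
<TEXT>Compliance Option profile successfully added.</TEXT>
<ITEM_LIST><ITEM><KEY>ID</KEY><VALUE>12345</VALUE></ITEM></ITEM_LIST>
</RESPONSE></SIMPLE_RETURN>"""
```

The body returned by build_create_body is what the curl samples pass with -d; post it with your HTTP client of choice together with the X-Requested-With header.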

Sample - Create PC Option Profile for Oracle Instance Discovery

API Request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With:curl" -X POST -d "action=create&title=Profile-Auth-Ins-Oracle&enable_auth_instance_discovery=1&auto_auth_types=Oracle&scan_ports=targeted&oracle_template_id=2237327" "https://<qualys_base_url>/api/2.0/fo/subscription/option_profile/pc/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "http://<qualys_base_url>/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2020-04-23T19:12:10Z</DATETIME>
    <TEXT>Compliance Option profile successfully added.</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>3305478</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

Sample - Create PC Option Profile for MongoDB Instance Discovery

API Request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With:curl" -X POST -d "action=create&title=Profile-Auth-InsMongodtestapi2&enable_auth_instance_discovery=1&auto_auth_types=MongoDB&scan_ports=targeted&mongodb_template_id=6731346" "https://<qualys_base_url>/api/2.0/fo/subscription/option_profile/pc/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2022-12-19T07:48:27Z</DATETIME>
    <TEXT>Compliance Option profile successfully added.</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>6863066</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

Database UDCs for MS SQL, Oracle, Sybase, PostgreSQL/Pivotal Greenplum, SAP IQ, and IBM DB2

We have added the following parameters to the Options Profile API to help you set a limit on the number of rows returned per scan for the MS SQL, Oracle, Sybase, PostgreSQL/Pivotal Greenplum, SAP IQ, and IBM DB2 UDCs.

- DATABASE_PREFERENCE_KEY
- mssql_db_udc_restriction
- mssql_db_udc_limit
- oracle_db_udc_restriction
- oracle_db_udc_limit
- sybase_db_udc_restriction
- sybase_db_udc_limit
- postgreSQL_db_udc_restriction
- postgreSQL_db_udc_limit
- sapiq_db_udc_restriction
- sapiq_db_udc_limit
- db2_db_udc_restriction
- db2_db_udc_limit
Maximum allowed limit for MS SQL is 256 rows, for Oracle, PostgreSQL/Pivotal Greenplum, and IBM DB2, it’s 5000 rows, for Sybase it’s 2500 rows, and for SAP IQ, it’s 10000 rows.

Sample - Create for Database UDC

Create with Database Preference Key and custom Limit set for MS SQL, Oracle, Sybase, PostgreSQL/Pivotal Greenplum, SAP IQ, and IBM DB2.

API Request

curl -u "username:password" -H "X-Requested-With:curl" -H "Content-type: text/xml" -X POST -d "action=create&title=API-PCOP&scan_ports=targeted&oracle_db_udc_restriction=1&oracle_db_udc_limit=10&mssql_db_udc_restriction=1&mssql_db_udc_limit=250&sybase_db_udc_restriction=1&sybase_db_udc_limit=50&postgreSQL_db_udc_restriction=1&postgreSQL_db_udc_limit=50&db2_db_udc_restriction=1&db2_db_udc_limit=300" "https://<qualys_base_url>/api/2.0/fo/subscription/option_profile/pc/"

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2019-05-20T19:16:41Z</DATETIME>
    <TEXT>Compliance Option profile successfully added.</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>1710286</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

DTD

<platform API server>/api/2.0/simple_return.dtd