Managing Scans

Once you've started a scan, you have a number of options to organise and work with it.

Scan IDs

Once a scan is started, a unique scan ID is generated for it.

Each scan (including those generated by a monitor) has a unique scan ID.

The scan ID can be used to share the scan with other users.

IDs can be used in database queries or to download data using the API.

Stopping / Deleting Scans

You can stop or delete a running scan. You can also delete a completed scan.

This is useful when a scan has found the data you need, or you have started it incorrectly.

The difference between the two options is:

  1. Stopping: will stop the scan collecting any data but will keep any collected data.

  2. Deleting: will completely remove the scan and any data collected. Also works with completed scans. You cannot recover a deleted scan.

Stop or delete ThreatPipes scan

To stop or delete a scan:

  1. Go to the scan list page

  2. Locate the scan you want to stop or delete

  3. To:

    1. Stop: select the checkbox for the scan you want to stop and click the stop icon

    2. Delete: select the scan you want to delete and click the trash can icon in the action column

It is not possible to stop a scan created by a monitor. You must delete it.

Re-running / Cloning Scans

Did you know you can re-run scans on an automated basis using monitors? Read more here.

You can run a new scan with the same settings by either cloning or re-running a scan.

This is useful when you

The difference between the two options is:

  • Re-run: will simply copy the same scan settings and re-run the scan immediately.

  • Clone: will copy the scan settings to the start scan window allowing you to add new modules, investigations, and monitors.

In either case, a new scan ID will be generated for the scan.

Check the scan settings view to see how a scan was started. Read more here.

Re-run or clone a ThreatPipes scan

To re-run or clone a scan:

  1. Go to the scan list page

  2. Locate the scan you want to re-run or clone

  3. To:

    1. Re-run: select the refresh arrow icon

    2. Clone: select the copy icon

Investigations (paid)

Investigations allow you to group scans that have some relationship. Perhaps they are part of a single incident.

Creating new investigations

To add a new scan to an investigation, you need to create the investigation first.

ThreatPipes create new investigations

To create a new investigation:

  1. Navigate to investigations

  2. Select the + icon

  3. Give the scan a:

    1. Name (non-unique): used in UI

    2. Description (non-unique): used in UI

Adding a scan to an investigation

Scans can be added to an investigation when a scan is started.

ThreatPipes add scan to investigations

You can also add a scan to an investigation once the scan has been started, completed, aborted, or has stopped because of an error.

To add a scan to an investigation:

  1. Navigate to scan list view

  2. Select the checkboxes for the scan(s) you want to add to the investigation

  3. Click the "Add to investigation" button and select the existing investigation you want to add the scan(s) to

Removing scans from an investigation

Sometimes, as an investigation develops, you might want to remove scans from it.

ThreatPipes investigation

To remove a scan from an investigation:

  1. Navigate to the investigations list view

  2. Select the checkboxes for the scan(s) you want to remove from the investigation

  3. Click the remove can icon

Note: removing a scan from an investigation will not delete any scan data.

Monitors (automated scans only) (paid)

Monitors allow you to automatically re-run scans on set schedules. This is useful for tracking changes to a target and its relationships to affiliate targets.

ThreatPipes Monitors

Monitors can only be created when starting a scan.

Modifying / deleting monitors

Sometimes you might want to pause or completely remove a monitor.

The difference between the two options is:

  1. Modifying: You can change the frequency at which the monitor generates scans. Disabling will pause the monitor. When disabled, it will not create any new scans, but you can still browse previous scans it has started on the monitors page. The monitor can be re-enabled at any time. When re-enabled, scans will begin at the next scheduled monitor time.

  2. Deleting: will completely remove the monitor. Once deleted, no new scans will be generated, but any old scans created by the monitor will remain available to browse in the scan list view. The monitors page will no longer exist, though.

ThreatPipes manage monitor

To modify / delete a monitor:

  1. Navigate to Monitors

  2. To:

    1. Delete a monitor: Select the checkbox for the monitor you want to delete and click the trash icon.

    2. Modify a monitor: Click the monitor you wish to edit and modify the settings you wish to change. Make sure to click the Update button so that the changes take effect.