I have a search query, but I need help displaying the failed scans of the IPs or devices. What field do I use for that particular search?
Question: what is the definition of a failed scan?
Are you referring to the setting "Display unreachable hosts" = Enabled?
Display unreachable hosts | Disabled | When enabled, hosts that did not reply to the ping request are included in the security report as dead hosts. Do not enable this option for large IP blocks. |
I used to use this setting a lot back in the day. This should show up in pluginID=19506.
Days since last observed should be more than that of last scan.
index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
Going to need to compare a live/dead host's pluginText in verbose and see which flag shows up. Then focus on the needed rex. It will be next week before I can run a test scan to dig any further, if this is what is meant.