Group By: Frequently Asked Questions (FAQ)
Summary: A collection of frequently asked questions (FAQ) and their answers regarding the Group By feature in Ivanti Neurons.
What is the Group By feature?
Answer: Group By allows our users to view aggregate counts of assets and findings based on certain filter types. Using this feature, you can answer questions such as:
- Which scanner plugins have the biggest asset footprint?
- Which CVEs have the biggest asset footprint?
- How many high-risk findings are associated with certain Operating Systems?
- How many assets do I have in each RS³ band or at each business criticality level?
What fields (filters) can I use Group By on?
Answer: The Group By feature is available on the following pages:
- Hosts
- Host Findings
- Applications
- Application Findings
The table below shows whether each page supports a Group By based on a platform field. For scanner-specific fields, visit the article Scanner-Specific Fields as Group By.
| Group By | Hosts | Host Findings | Applications | Application Findings |
|---|---|---|---|---|
| Asset Criticality | | | | |
| Assigned To | | | | |
| Group Name | | | | |
| Network Name | | | | |
| Operating System | | | | |
| Port | | | | |
| RS³ | | | | |
| Scanner Name | | | | |
| Tag | | | | |
| Asset Tag | | | | |
| CVE | | | | |
| Discovered On | | | | |
| Due Date | | | | |
| Patch ID | | | | |
| Patch Title | | | | |
| Patch Vendor | | | | |
| Scanner Plugin | | | | |
| Status | | | | |
| VRR Group | | | | |
| CWE | | | | |
| Finding Type | | | | |
| Location | | | | |
| OWASP | | | | |
| Web Application Name | | | | |
| Severity Group | | | | |
| Ticket ID | | | | |
| Assessment Name | | | | |
| Scanner Reported Severity | | | | |
| VRR | | | | |
| Last Discovered On | | | | |
| Last Ingested On | | | | |
| Finding Title | | | | |
| First Discovered On | | | | |
| First Ingested On | | | | |
| Workflow State with Type | | | | |
| Web Application Address | | | | |
| NetBIOS | | | | |
| IP Address | | | | |
| DNS | | | | |
| MAC Address | | | | |
| Host Name | | | | |
| FQDN | | | | |
| EC2 Identifier | | | | |
| Host ID | | | | |
| Web Application ID | | | | |
| Asset First Discovered On | | | | |
| Asset Last Discovered On | | | | |
| Asset First Ingested On | | | | |
| Asset Last Ingested On | | | | |
| VRR Updated On | | | | |
| Threat Category | | | | |
| CMDB Unique ID | | | | |
Why does Group By only support some scanner-specific fields?
Answer: The excluded scanner-specific fields usually contain long text, such as JSON objects or lists of values. A Group By on such a field could only aggregate over distinct strings, so every variation of the text would become its own row. For example, say that you tried to do a Group By on a field called Operating System History. If a host's value were the list "Ubuntu 18.04 LTS, Windows 10 Professional Edition, Ubuntu 20.04 LTS", the count for that row would only include hosts with that exact history.
How many results can I see for a single Group By?
Answer: All Group By views return up to 100 rows per page by default. You can temporarily change the number of rows per page in the page configuration settings.
At maximum, you can see up to the first 1000 results within the platform.
How can I sort my Group By view?
Answer: To sort the Group By view by a specific column, click on the column header. You will sort the Group By view in descending order for that column. If you click the column again, you will sort the Group By view in ascending order.
Note that you are running a new Group By operation when you change the sort. The system may take a few moments to run the new query and display the results.
How can I filter my Group By view?
Answer: You can apply filters the same way that you apply filters to the normal view of your assets or findings. You can apply filters either before adding a Group By or after applying a Group By. If you apply filters after you apply a Group By, keep in mind that the filters operate on the underlying data (assets or findings) rather than directly on rows shown in the Group By view.
How do I know if sorting is disabled for a particular column?
Answer: If sorting is disabled for a column, no arrow appears next to the column name when you hover your mouse over the column header. If the total size of your dataset exceeds 100,000 rows, you can only sort the Group By view by the Group By column. A warning pops up if you try to sort the Group By view by any other column. To re-enable sorting, use filters to reduce the total size of the dataset.
What is the default sort order for each Group By?
Answer: By default, all Group By views are sorted by the Group By column. The table below shows the default sorting behavior for each Group By. If the Group By field is sorted alphanumerically, terms starting with lower-case letters come after terms starting with upper-case letters.
| Group By | Sort Behavior | Default Order | Example |
|---|---|---|---|
| Asset Criticality | Numerical | Descending | 5 (Most Critical), 4 (Very Critical), 3 (Moderately Critical), 2 (Less Critical), 1 (Least Critical) |
| Assigned To | Alphanumeric on first name | Ascending | Beth Ogle, Fred Adams |
| Group Name | Alphanumeric | Ascending | 111 Street, Printers, east offices |
| Network Name | Alphanumeric | Ascending | 111 Street, Internal, external |
| Operating System | Alphanumeric | Ascending | IOS, Linux, Microsoft servers 2003 |
| Port | Numeric | Ascending | 100, 1000, 111 |
| RS³ | Lowest score range to highest | Ascending | Critical Risk: 300-399, High Risk: 400-549, Medium Risk: 550-699, Low Risk: 700-799, Very Low Risk: 800-850 |
| Scanner Name | Alphanumeric | Ascending | Qualys, RBVM, test |
| Tag | Alphanumeric | Ascending | 2021-planned, Adams-reporting, trending |
| Asset Tag | Alphanumeric | Ascending | 2021-planned, Adams-reporting, trending |
| CVE | Alphanumeric | Ascending | CVE-1999-0002, CVE-2001-0323, CVE-2001-0471 |
| Discovered On | Date | Ascending | Feb 11, 2014; Jun 26, 2014; Feb 02, 2015 |
| Due Date | Date | Ascending | Feb 11, 2014; Jun 26, 2014; Feb 02, 2015 |
| Patch ID | Alphanumeric | Ascending | 51192, apache-httpd-cve-2016-5387, qualys105543 |
| Patch Title | Alphanumeric | Ascending | CUPS UDP Packet Remote Denial of Service Vulnerability, Statd Format Bug Vulnerability |
| Patch Vendor | Alphanumeric | Ascending | apache, cifs |
| Scanner Plugin | Alphanumeric | Ascending | 10061, WEAK-CRYPTO-KEY |
| Status | Alphanumeric | Ascending | Closed, Open |
| VRR Group | Lowest score range to highest | Descending | Critical: 9.00-10.00, High: 7.00-8.90, Medium: 4.00 - 6.90, Low: 0.01-3.90, Info: 0.00 |
| CWE | Alphanumeric | Ascending | 1004, 116, 12 |
| Finding Type | Alphanumeric | Ascending | Container, DAST, OSS, SAST |
| Location | Alphanumeric | Ascending | /, /Flash, http://192.168.1.21:9022/assets/omniture/ |
| OWASP | Alphanumeric | Ascending | A1 - Injection, A2 - Broken Authentication |
| Web Application Name | Alphanumeric | Ascending | Demo6, https://127.0.0.1:443 |
| Severity Group | Lowest score range to highest | Descending | Critical: 9.00-10.00, High: 7.00-8.90, Medium: 4.00 - 6.90, Low: 0.01-3.90, Info: 0.00 |
| Ticket ID | Alphanumeric | Ascending | JINT-2245, JINT-2276 |
| Assessment Name | Alphanumeric | Ascending | 2021-01-22, May Assessment 2021, new scanner evaluation |
| Scanner Reported Severity | Alphanumeric | Ascending | (ACUNETIX7) medium, (BURP) High, (RBVM) 10.0 |
| VRR | Highest score to lowest score | Descending | 10.0, 9.97, 9.84 |
| Last Discovered On | Date | Ascending | Feb 11, 2014; Jun 26, 2014; Feb 02, 2015 |
| Last Ingested On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Finding Title | Alphanumeric | Ascending | 7-ZIP Vulnerability, Flash Player XSS, application error message |
| First Discovered On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| First Ingested On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Workflow State with Type | Alphanumeric | Ascending | FP Expired, FP Reworked, RA Approved, RA Reworked |
| Web Application Address | Alphanumeric | Ascending | *.jar test-1.2, Demo App, Docker Hub/consul:latest |
| NetBIOS | Alphanumeric | Ascending | 2.Hostname.com, MOODLE, win7pro |
| IP Address | IP Address (by octet) | Ascending | 192.168.25.9, 192.168.102.100, 192.168.250.6 |
| DNS | Alphanumeric | Ascending | 1.DNS.com, desktop-0ekqujc, win7pro |
| MAC Address | Alphanumeric | Ascending | 00-11-55-bf-ee-0a, 02-32-69-e6-18-af |
| Host Name | Alphanumeric | Ascending | 011047, 1.hostname.com, adc02 |
| FQDN | Alphanumeric | Ascending | 50-232-static.telecom.com, desktop-qgj8 |
| EC2 Identifier | Alphanumeric | Ascending | i-1234567890abcdef0, i-2234567890abcdef0 |
| Host ID | Alphanumeric | Ascending | 12345, 2211 |
| Web Application ID | Alphanumeric | Ascending | 12345, 2211 |
| Asset First Discovered On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Asset Last Discovered On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Asset First Ingested On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Asset Last Ingested On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| VRR Updated On | Date | Descending | Feb 02, 2022; Jun 26, 2021; Feb 11, 2021 |
| Threat Category | Alphanumeric | Ascending | Exploit Kit, Remote Code Execution (RCE), Trojan |
| CMDB Unique ID | Alphanumeric | Ascending | 1a02e5227b1de09e313abff12821, 8738391e19fa67256d18aba0777a |
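The sort behaviors in the table differ in ways that matter when you compare a Group By view against an export or a home-grown report: "Alphanumeric" is plain code-point order (digits, then upper-case, then lower-case letters), IP addresses compare octet by octet, and score bands order by their range. The following Python sketch is an added example, not part of the Ivanti documentation and not the platform's own code; its sample values are constructed from the Example column above. It also runs the Port example through both code-point and numeric comparison, since the two orders differ once the values have different lengths.

```python
import re
from ipaddress import ip_address

# Constructed sample values, taken from the Example column of the table above.
GROUP_NAMES = ["east offices", "Printers", "111 Street"]
CWES = ["12", "1004", "116"]
PORTS = ["1000", "111", "100"]
IPS = ["192.168.250.6", "192.168.25.9", "192.168.102.100"]
VRR_SCORES = ["9.84", "10.0", "9.97"]
RS3_BANDS = ["Medium Risk: 550-699", "Critical Risk: 300-399", "Very Low Risk: 800-850",
             "High Risk: 400-549", "Low Risk: 700-799"]
VRR_GROUPS = ["Low: 0.01-3.90", "Critical: 9.00-10.00", "Info: 0.00",
              "Medium: 4.00 - 6.90", "High: 7.00-8.90"]


def sort_alphanumeric(values):
    """Code-point order: digits sort before upper-case letters, which sort before lower-case."""
    return sorted(values)


def sort_numeric(values):
    """Compare by integer value, so '111' lands between '100' and '1000'."""
    return sorted(values, key=int)


def sort_ip_by_octet(values):
    """Compare octet by octet; a plain string sort would put 192.168.102.100 first."""
    return sorted(values, key=ip_address)


def sort_score_descending(values):
    """Highest score first, as the VRR column does."""
    return sorted(values, key=float, reverse=True)


def sort_score_bands(values, descending=False):
    """Order range labels such as 'High Risk: 400-549' by the first number in the label."""
    def lower_bound(label):
        numbers = re.findall(r"\d+(?:\.\d+)?", label)
        return float(numbers[0]) if numbers else float("-inf")
    return sorted(values, key=lower_bound, reverse=descending)


if __name__ == "__main__":
    print("group names:", sort_alphanumeric(GROUP_NAMES))
    print("ports, code-point:", sort_alphanumeric(PORTS))
    print("ports, numeric:", sort_numeric(PORTS))
    print("IPs, string sort:", sorted(IPS))
    print("IPs, by octet:", sort_ip_by_octet(IPS))
    print("RS3 bands:", sort_score_bands(RS3_BANDS))
    print("VRR groups:", sort_score_bands(VRR_GROUPS, descending=True))
```

The IP comparison is the one most often done wrong in spreadsheets: a string sort of the three addresses above places 192.168.102.100 first, while the platform's by-octet order places 192.168.25.9 first.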
Can I group my assets or findings by more than one field at a time?
Answer: Currently, you can only Group By one field at a time.
Can I save my page settings for a single Group By or for all Group By views across sessions?
Answer: Currently, the platform applies the default settings for a Group By view each time that you use the Group By drop-down to select a new Group By operation.
When I do a Group By on the Host Findings page, I see that the Hosts column sometimes has links to the Host page or that the Fixes column sometimes has links to the Patches page. Why are some of those links missing?
Answer: If you click on a link in the Hosts or Fixes columns, you will go to another page in the platform with different filters. Group By creates links based on ID filters when you go from a Group By view to another page in the platform. A single link can contain up to 5,000 IDs. The same limitation applies to links from the Application Findings Group By views to the Applications page.
How can I view the counts of open Critical, High, Medium, Low, and Info host findings or application findings?
Answer: All Host Findings and Application Findings Group By views let you add the columns VRR Critical, VRR High, VRR Medium, VRR Low, and VRR Info. These columns show the total counts of findings by default. To view just Open findings, apply Status is exactly Open as a filter.
How can I view the distribution of findings by Severity?
Answer: Add the Severity Group columns (Severity Critical, Severity High, Severity Medium, Severity Low, and Severity Info) to the Group By view through the Settings menu.
If my Group By has more than 1000 items, how can I see them?
Answer: Group By can display up to 1,000 items. To view all items, export the results of your Group By to a CSV, JSON, or XLSX file.
Do my current sort and filters carry over when I export my Group By view?
Answer: The Group By query for the export will include your active filters. Your current sort will have no impact on the order of items in the export file.
Why do my exports show different numbers in the columns than I see in the platform?
Answer: Group By returns estimates for counts. The platform abbreviates numbers by truncating them and appending “K” (thousands) or “M” (millions). Exports show the original estimates. Use the spreadsheet program of your choice to sort data and format numerical columns.
Why am I seeing a mismatch between the column value that I just clicked and the number of results in the filtered list view?
Answer: This may occur if the Group By returns two or more values with the same letters and different capitalization. Group By treats values with different capitalization as separate values. On the other hand, list view filters return all results for any match regardless of case. This behavior impacts features that either implicitly or explicitly rely on Group By, including user widgets based on Group By views.
The following example demonstrates this. Assume that you have applied a tag called “testTag” to 5 open findings and another tag called “TESTtag” to 4 open findings. In the Group By, you will see both of these tags when you group your findings by tag name.
If you click on the Open Findings column in either row, the filter query will return 9 results.
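The tag example above, worked through in Python as an added illustration (not part of the Ivanti documentation and not the platform's code). The findings are constructed: five open findings tagged "testTag", four tagged "TESTtag", and one closed finding that neither count should include. The grouping keeps the tag string exactly as stored, while the filter compares case-insensitively, which is where the 5 (or 4) versus 9 mismatch comes from.

```python
from collections import Counter

# Constructed findings mirroring the FAQ's example: 5 open with "testTag",
# 4 open with "TESTtag", plus one closed finding that should stay out of both counts.
FINDINGS = (
    [{"id": i, "status": "Open", "tags": ["testTag"]} for i in range(1, 6)]
    + [{"id": i, "status": "Open", "tags": ["TESTtag"]} for i in range(6, 10)]
    + [{"id": 10, "status": "Closed", "tags": ["testTag"]}]
)


def group_open_findings_by_tag(findings):
    """Group By keeps the tag string as stored, so differently capitalised
    spellings become separate rows."""
    counts = Counter()
    for finding in findings:
        if finding["status"] == "Open":
            for tag in finding["tags"]:
                counts[tag] += 1
    return dict(counts)


def filter_open_findings_by_tag(findings, tag):
    """The list-view filter matches tags regardless of case, so clicking a row
    count can open a list that is larger than the count you clicked."""
    wanted = tag.casefold()
    return [
        finding for finding in findings
        if finding["status"] == "Open"
        and any(t.casefold() == wanted for t in finding["tags"])
    ]


def row_count_versus_filtered_count(findings, tag):
    """Return (count shown in the Group By row, count in the filtered list view)."""
    grouped = group_open_findings_by_tag(findings)
    return grouped.get(tag, 0), len(filter_open_findings_by_tag(findings, tag))


if __name__ == "__main__":
    print(group_open_findings_by_tag(FINDINGS))
    for tag in ("testTag", "TESTtag"):
        print(tag, row_count_versus_filtered_count(FINDINGS, tag))
```

When reconciling a widget or export against a list view, the practical check is to look for tag (or group, scanner name, and similar) values that differ only in case; normalising those values at the source removes the discrepancy.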
When I filter my Group By, why am I seeing more items (or fewer) items than I expected?
Answer: You may encounter this scenario if you perform a Group By on fields such as Tag, Group Name, CVE, or CWE. Findings and assets can be associated with one or more groups, tags, CVEs, or software weaknesses. Similarly, a single group, tag, CVE, or software weakness can be associated with more than one finding or asset. Consequently, fields such as Tag and Group Name have a "many-to-many" relationship with assets and findings.
These data relationships have an impact on filtering. When you do Group By, your filters are applied to the dataset before the Group By operation occurs. Depending on the filters that you have selected, you may see more items or fewer items than you expect.
The following examples demonstrate how the underlying data relationships can impact filtering.
Group Filter Example
Multiple hosts are in the group "Canada". You want to do a Group By to find out how many hosts within the group are potentially vulnerable to ransomware.
To build this query, first add a filter for the group "Canada" and a filter for findings with a ransomware threat. Second, do a Group By on Status.
The Status Group By shows you how many hosts within the group have open or closed findings associated with ransomware threat.
Now, change the Group By to Group Name. This Group By will show you all the groups that share hosts with the group “Canada”.
CVE Filter Example
Assume that your client has 2531 CVEs present on open findings. If you do a Group By on CVE, you will see the actual total number of CVEs in the upper right.
While exploring the data, you add a filter that excludes CVE-2014-3566.
Since the filters operate on the underlying findings, your query removes every finding that carries CVE-2014-3566, together with any other CVEs on those findings. The remaining number of CVEs in the dataset is 2494.
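Both examples above (Group Name after a group filter, and CVE after a CVE exclusion) follow from one rule: filters drop whole hosts or findings before the Group By runs. The following Python sketch is an added illustration, not part of the Ivanti documentation and not the platform's code. The hosts, group names and findings are constructed; apart from CVE-2014-3566, which the example above uses, the CVE identifiers are placeholders.

```python
from collections import Counter

# Constructed hosts and open host findings. Groups and CVEs are many-to-many:
# a host can sit in several groups, and a finding can carry several CVEs.
HOSTS = [
    {"host": "h1", "groups": ["Canada", "Printers"]},
    {"host": "h2", "groups": ["Canada"]},
    {"host": "h3", "groups": ["US"]},
    {"host": "h4", "groups": ["Canada", "US"]},
]
# CVE-0000-0001 and CVE-0000-0002 are placeholder identifiers, not real CVEs.
FINDINGS = [
    {"id": 1, "host": "h1", "cves": ["CVE-2014-3566", "CVE-0000-0001"]},
    {"id": 2, "host": "h2", "cves": ["CVE-2014-3566"]},
    {"id": 3, "host": "h3", "cves": ["CVE-0000-0002"]},
    {"id": 4, "host": "h4", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
]


def group_by_group_name(hosts, group_filter):
    """Filter hosts to one group, then Group By Group Name: every group that
    shares a host with the filtered group appears as its own row."""
    in_group = [h for h in hosts if group_filter in h["groups"]]
    return dict(Counter(g for h in in_group for g in h["groups"]))


def group_by_cve(findings):
    """Count findings per CVE; a finding with two CVEs contributes to two rows."""
    return dict(Counter(cve for f in findings for cve in f["cves"]))


def exclude_cve(findings, cve):
    """The exclusion filter removes whole findings, so other CVEs on those
    findings lose counts too, and may vanish from the view entirely."""
    return [f for f in findings if cve not in f["cves"]]


def cve_rows_after_exclusion(findings, cve):
    """Group By CVE built from the filtered findings, as the platform does."""
    return group_by_cve(exclude_cve(findings, cve))


if __name__ == "__main__":
    print("Group Name rows with the Canada filter:", group_by_group_name(HOSTS, "Canada"))
    print("CVE rows before the filter:", group_by_cve(FINDINGS))
    print("CVE rows after excluding CVE-2014-3566:",
          cve_rows_after_exclusion(FINDINGS, "CVE-2014-3566"))
```

Note that CVE-0000-0001 is never excluded, yet its count drops from 2 to 1, because one of the findings that carried it also carried CVE-2014-3566. The same effect is what turns 2531 CVEs into 2494 in the example above.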
Why am I seeing a message that I should try my Group By operation again in 60 seconds?
Answer: The system only allows a certain number of concurrent Group By operations to run at once. This limit is applied per platform (as opposed to per user or per client).
What are some types of Group By queries that I can do?
Answer: This section describes possible uses of Group By.
Top CVEs by Asset Footprint
Apply the CVE Group By on the Host Findings page. To narrow the list to just unremediated CVEs, filter on Status is exactly Open. Then click the Hosts column to sort the view by host count.
Top Critical Application Scanner Plugins
The Scanner Plugin Group By cannot be sorted directly on the VRR of the scanner plugin. One workaround is to sort the list by the count of findings in a particular VRR Group. For example, sort the list by the column VRR Critical, the total count of Critical findings, to identify the scanner plugins with a VRR between 9.0 and 10.0.
Top Operating Systems by Fix Count
Apply the Operating System Group By on the Host Findings page. Then click the Fixes column to sort the view by highest fix count (patch count).
RS³ Distribution for Internal Hosts
On the Hosts page, apply IP Address Type is exactly Internal as a filter. Then apply the RS³ Group By. The Group By view will be sorted from lowest RS³ range to highest RS³ range by default.