Group By: Frequently Asked Questions (FAQ)

Summary: A collection of frequently asked questions (FAQ) and their answers regarding the Group By feature in Ivanti Neurons.

What is the Group By feature?

Answer: Group By allows our users to view aggregate counts of assets and findings based on certain filter types. Using this feature, you can answer questions such as:

  • Which scanner plugins have the biggest asset footprint?

  • Which CVEs have the biggest asset footprint?

  • How many high-risk findings are associated with certain Operating Systems?

  • How many assets do I have in each RS³ band or at each business criticality level?

What fields (filters) can I use Group By on?

Answer: The Group By feature is available on the following pages:

  • Hosts

  • Host Findings

  • Applications

  • Application Findings

The table below shows whether each page supports a Group By based on a platform field. For scanner-specific fields, visit the article Scanner-Specific Fields as Group By.

| Group By | Hosts | Host Findings | Applications | Application Findings |
|---|---|---|---|---|
| Asset Criticality | Yes | Yes | Yes | Yes |
| Assigned To | No | Yes | No | Yes |
| Group Name | Yes | Yes | Yes | Yes |
| Network Name | Yes | Yes | Yes | Yes |
| Operating System | Yes | Yes | No | No |
| Port | Yes | Yes | No | No |
| RS³ | Yes | No | Yes | No |
| Scanner Name | Yes | Yes | Yes | Yes |
| Tag | Yes | Yes | Yes | Yes |
| Asset Tag | No | Yes | No | Yes |
| CVE | No | Yes | No | Yes |
| Discovered On | No | Yes | No | Yes |
| Due Date | No | Yes | No | Yes |
| Patch ID | No | Yes | No | No |
| Patch Title | No | Yes | No | No |
| Patch Vendor | No | Yes | No | No |
| Scanner Plugin | No | Yes | No | Yes |
| Status | No | Yes | No | Yes |
| VRR Group | No | Yes | No | Yes |
| CWE | No | No | No | Yes |
| Finding Type | No | No | No | Yes |
| Location | No | No | No | Yes |
| OWASP | No | No | No | Yes |
| Web Application Name | No | No | Yes | Yes |
| Severity Group | No | Yes | No | Yes |
| Ticket ID | No | Yes | No | Yes |
| Assessment Name | Yes | Yes | Yes | Yes |
| Scanner Reported Severity | No | Yes | No | Yes |
| VRR | No | Yes | No | Yes |
| Last Discovered On | Yes | Yes | Yes | Yes |
| Last Ingested On | Yes | Yes | Yes | Yes |
| Finding Title | No | No | Yes | Yes |
| First Discovered On | Yes | Yes | Yes | Yes |
| First Ingested On | Yes | Yes | Yes | Yes |
| Workflow State with Type | No | Yes | No | Yes |
| Web Application Address | No | No | Yes | Yes |
| NetBIOS | Yes | Yes | No | No |
| IP Address | Yes | Yes | No | No |
| DNS | Yes | Yes | No | No |
| MAC Address | Yes | Yes | No | No |
| Host Name | Yes | Yes | No | No |
| FQDN | Yes | Yes | No | No |
| EC2 Identifier | Yes | Yes | No | No |
| Host ID | No | Yes | No | No |
| Web Application ID | No | No | No | Yes |
| Asset First Discovered On | No | Yes | No | Yes |
| Asset Last Discovered On | No | Yes | No | Yes |
| Asset First Ingested On | No | Yes | No | Yes |
| Asset Last Ingested On | No | Yes | No | Yes |
| VRR Updated On | No | Yes | No | Yes |
| Threat Category | No | Yes | No | Yes |
| CMDB Unique ID | Yes | Yes | No | No |

Why does Group By only support some scanner-specific fields?

Answer: The excluded scanner-specific fields usually hold long text such as JSON objects or lists of values. A Group By on such a field can only bucket on distinct strings, so every variation of the text becomes its own row. For example, suppose you could Group By a field called Operating System History and one host carried the list "Ubuntu 18.04 LTS, Windows 10 Professional Edition, Ubuntu 20.04 LTS". The host count for that row would include only hosts with exactly that history string; a host whose history differed by a single entry, or listed the same entries in a different order, would land in a separate row.

How many results can I see for a single Group By?

Answer: All Group By views return up to 100 rows per page by default. You can change the number of rows per page in the page configuration settings; the change lasts only for the current session.

At maximum, you can see up to the first 1000 results within the platform.

How can I sort my Group By view?

Answer: To sort the Group By view by a specific column, click the column header. The first click sorts the view in descending order on that column; clicking the same header again switches to ascending order.

[Screenshot: sorting a Group By view by a column]

Note that you are running a new Group By operation when you change the sort. The system may take a few moments to run the new query and display the results.

How can I filter my Group By view?

Answer: You can apply filters the same way that you apply filters to the normal view of your assets or findings. You can apply filters either before adding a Group By or after applying a Group By. If you apply filters after you apply a Group By, keep in mind that the filters operate on the underlying data (assets or findings) rather than directly on rows shown in the Group By view.

How do I know if sorting is disabled for a particular column?

Answer: If sorting is disabled for a column, no arrow appears next to the column name when you hover over the column header. If the total size of your dataset exceeds 100,000 rows, you can only sort the Group By view by the Group By column itself; a warning appears if you try to sort by any other column. To re-enable sorting on the other columns, apply filters that reduce the dataset below that size.

What is the default sort order for each Group By?

Answer: By default, all Group By views are sorted by the Group By column. The table below shows the default sorting behavior for each Group By. If the Group By field is sorted alphanumerically, terms starting with lower-case letters come after terms starting with upper-case letters.

| Group By | Sort Behavior | Default Order | Example |
|---|---|---|---|
| Asset Criticality | Numerical | Descending | 5 (Most Critical), 4 (Very Critical), 3 (Moderately Critical), 2 (Less Critical), 1 (Least Critical) |
| Assigned To | Alphanumeric on first name | Ascending | Beth Ogle, Fred Adams |
| Group Name | Alphanumeric | Ascending | 111 Street, Printers, east offices |
| Network Name | Alphanumeric | Ascending | 111 Street, Internal, external |
| Operating System | Alphanumeric | Ascending | IOS, Linux, Microsoft servers 2003 |
| Port | Numeric | Ascending | 100, 1000, 111 |
| RS³ | Score range, lowest to highest | Ascending | Critical Risk: 300-399, High Risk: 400-549, Medium Risk: 550-699, Low Risk: 700-799, Very Low Risk: 800-850 |
| Scanner Name | Alphanumeric | Ascending | Qualys, RBVM, test |
| Tag | Alphanumeric | Ascending | 2021-planned, Adams-reporting, trending |
| Asset Tag | Alphanumeric | Ascending | 2021-planned, Adams-reporting, trending |
| CVE | Alphanumeric | Ascending | CVE-1999-0002, CVE-2001-0323, CVE-2001-0471 |
| Discovered On | Date | Ascending | Feb 11, 2014; Jun 26, 2014; Feb 02, 2015 |
| Due Date | Date | Ascending | Feb 11, 2014; Jun 26, 2014; Feb 02, 2015 |
| Patch ID | Alphanumeric | Ascending | 51192, apache-httpd-cve-2016-5387, qualys105543 |
| Patch Title | Alphanumeric | Ascending | CUPS UDP Packet Remote Denial of Service Vulnerability, Statd Format Bug Vulnerability |
| Patch Vendor | Alphanumeric | Ascending | apache, cifs |
| Scanner Plugin | Alphanumeric | Ascending | 10061, WEAK-CRYPTO-KEY |
| Status | Alphanumeric | Ascending | Closed, Open |
| VRR Group | Score range, highest to lowest | Descending | Critical: 9.00-10.00, High: 7.00-8.90, Medium: 4.00-6.90, Low: 0.01-3.90, Info: 0.00 |
| CWE | Alphanumeric | Ascending | 1004, 116, 12 |
| Finding Type | Alphanumeric | Ascending | Container, DAST, OSS, SAST |
| Location | Alphanumeric | Ascending | /, /Flash, http://192.168.1.21:9022/assets/omniture/ |
| OWASP | Alphanumeric | Ascending | A1 - Injection, A2 - Broken Authentication |
| Web Application Name | Alphanumeric | Ascending | Demo6, https://127.0.0.1:443 |
| Severity Group | Score range, highest to lowest | Descending | Critical: 9.00-10.00, High: 7.00-8.90, Medium: 4.00-6.90, Low: 0.01-3.90, Info: 0.00 |
| Ticket ID | Alphanumeric | Ascending | JINT-2245, JINT-2276 |
| Assessment Name | Alphanumeric | Ascending | 2021-01-22, May Assessment 2021, new scanner evaluation |
| Scanner Reported Severity | Alphanumeric | Ascending | (ACUNETIX7) medium, (BURP) High, (RBVM) 10.0 |
| VRR | Score, highest to lowest | Descending | 10.0, 9.97, 9.84 |
| Last Discovered On | Date | Ascending | Feb 11, 2014; Jun 26, 2014; Feb 02, 2015 |
| Last Ingested On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Finding Title | Alphanumeric | Ascending | 7-ZIP Vulnerability, Flash Player XSS, application error message |
| First Discovered On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| First Ingested On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Workflow State with Type | Alphanumeric | Ascending | FP Expired, FP Reworked, RA Approved, RA Reworked |
| Web Application Address | Alphanumeric | Ascending | *.jar test-1.2, Demo App, Docker Hub/consul:latest |
| NetBIOS | Alphanumeric | Ascending | 2.Hostname.com, MOODLE, win7pro |
| IP Address | IP Address (by octet) | Ascending | 192.168.25.9, 192.168.102.100, 192.168.250.6 |
| DNS | Alphanumeric | Ascending | 1.DNS.com, desktop-0ekqujc, win7pro |
| MAC Address | Alphanumeric | Ascending | 00-11-55-bf-ee-0a, 02-32-69-e6-18-af |
| Host Name | Alphanumeric | Ascending | 011047, 1.hostname.com, adc02 |
| FQDN | Alphanumeric | Ascending | 50-232-static.telecom.com, desktop-qgj8 |
| EC2 Identifier | Alphanumeric | Ascending | i-1234567890abcdef0, i-2234567890abcdef0 |
| Host ID | Alphanumeric | Ascending | 12345, 2211 |
| Web Application ID | Alphanumeric | Ascending | 12345, 2211 |
| Asset First Discovered On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Asset Last Discovered On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Asset First Ingested On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| Asset Last Ingested On | Date | Ascending | Feb 11, 2021; Jun 26, 2021; Feb 02, 2022 |
| VRR Updated On | Date | Descending | Feb 02, 2022; Jun 26, 2021; Feb 11, 2021 |
| Threat Category | Alphanumeric | Ascending | Exploit Kit, Remote Code Execution (RCE), Trojan |
| CMDB Unique ID | Alphanumeric | Ascending | 1a02e5227b1de09e313abff12821, 8738391e19fa67256d18aba0777a |
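The default orders above matter when you post-process an export, because spreadsheets normally case-fold text (putting "east offices" before "Printers") and sort IP addresses as strings (putting 192.168.102.100 before 192.168.25.9). The following Python script is an added example, not code from the page or from Ivanti; it reorders exported Group By rows with the sort keys the table describes. The row lists are constructed sample data, and the "Mon DD, YYYY" date format is assumed from the examples in the table.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed rows standing in for the Group By column of an exported view
# (sample data for this example, not taken from any tenant).
GROUP_NAME_ROWS = ["east offices", "Printers", "111 Street"]
IP_ROWS = ["192.168.250.6", "192.168.102.100", "192.168.25.9"]
DATE_ROWS = ["Feb 02, 2015", "Feb 11, 2014", "Jun 26, 2014"]


def alphanumeric_key(value):
    # Plain code-point comparison: digits sort before upper-case letters, which
    # sort before lower-case letters, so "Printers" precedes "east offices".
    # Spreadsheets usually case-fold when sorting, so this has to be explicit.
    return value


def ip_key(value):
    # Compare by address value (octet by octet), not by string, so that
    # 192.168.25.9 precedes 192.168.102.100. ip_address() also accepts IPv6.
    return int(ip_address(value))


def date_key(value):
    # Assumed export format, taken from the examples in the table: "Feb 11, 2014".
    return datetime.strptime(value, "%b %d, %Y")


SORT_KEYS = {
    "Alphanumeric": alphanumeric_key,
    "IP Address (by octet)": ip_key,
    "Date": date_key,
}


def sort_group_by(rows, behavior, default_order="Ascending"):
    """Order exported Group By rows the way the platform's default sort would.

    `behavior` and `default_order` take the values used in the table above.
    """
    key = SORT_KEYS[behavior]
    return sorted(rows, key=key, reverse=(default_order == "Descending"))


if __name__ == "__main__":
    for behavior, rows in (("Alphanumeric", GROUP_NAME_ROWS),
                           ("IP Address (by octet)", IP_ROWS),
                           ("Date", DATE_ROWS)):
        print(behavior, "->", sort_group_by(rows, behavior))
```

Read the rows from the exported CSV in place of the constructed lists; the string sort that a spreadsheet applies to the IP column gives a different order from the octet sort, which is the point of the explicit key.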

Can I group my assets or findings by more than one field at a time?

Answer: Currently, you can only Group By one field at a time.

Can I save my page settings for a single Group By or for all Group By views across sessions?

Answer: Currently, the platform applies the default settings for a Group By view each time that you use the Group By drop down to select a new Group By operation.

When I do a Group By on the Host Findings page, I see that the Hosts column sometimes has links to the Host page or that the Fixes column sometimes has links to the Patches page. Why are some of those links missing?

Answer: Clicking a link in the Hosts or Fixes column takes you to another page in the platform with a different set of filters. Group By builds those links from ID filters, and a single link can carry at most 5,000 IDs, so a row whose host or fix count exceeds that limit gets no link. The same limitation applies to links from the Application Findings Group By views to the Applications page.

How can I view the counts of open Critical, High, Medium, Low, and Info host findings or application findings?

Answer: Every Host Findings and Application Findings Group By view lets you add the columns VRR Critical, VRR High, VRR Medium, VRR Low, and VRR Info. By default these columns show the total counts of findings regardless of status. To count only Open findings, apply the filter Status is exactly Open.

How can I view the distribution of findings by Severity?

Answer: Add the Severity Group columns (Severity Critical, Severity High, Severity Medium, Severity Low, and Severity Info) to the Group By view through the Settings menu.

If my Group By has more than 1000 items, how can I see them?

Answer: Group By can display up to 1,000 items. To view all items, export the results of your Group By to a CSV, JSON, or XLSX file.

Do my current sort and filters carry over when I export my Group By view?

Answer: The Group By query for the export will include your active filters. Your current sort will have no impact on the order of items in the export file.

Why do my exports show different numbers in the columns than I see in the platform?

Answer: Group By counts are estimates. The platform abbreviates large numbers by truncating them and appending "K" (thousands) or "M" (millions); exports contain the unabbreviated estimates. Use the spreadsheet program of your choice to sort the data and format the numerical columns.

Why am I seeing a mismatch between the column value that I just clicked and the number of results in the filtered list view?

Answer: This may occur if the Group By returns 2 (or more) values with the same letters and different capitalization schemes. Group By treats values with different capitalization schemes as separate values. On the other hand, list view filters return all results for any match regardless of case. This behavior impacts features that either implicitly or explicitly rely on Group By, including user widgets based on Group By views.

The following example demonstrates this. Assume that you have applied a tag called “testTag” to 5 open findings and another tag called “TESTtag” to 4 open findings. In the Group By, you will see both of these tags when you group your findings by tag name.

If you click on the Open Findings column in either row, the filter query will return 9 results.
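To see the mismatch in code and to find the rows that will produce it, here is an added Python example (not code from the page or from Ivanti) that models the two behaviours described above: a case-sensitive Group By and a case-insensitive list-view filter. The findings list is constructed sample data matching the scenario, and `case_collisions` is a hypothetical helper that reports Group By values differing only by case.

```python
from collections import Counter, defaultdict

# Constructed open findings: five tagged "testTag" and four tagged "TESTtag"
# (sample data for this example, not taken from any tenant).
FINDINGS = (
    [{"id": i, "status": "Open", "tags": ["testTag"]} for i in range(1, 6)]
    + [{"id": i, "status": "Open", "tags": ["TESTtag"]} for i in range(6, 10)]
)


def group_by_tag(findings):
    """Count findings per tag exactly as spelled, as the Group By view does."""
    counts = Counter()
    for finding in findings:
        for tag in finding["tags"]:
            counts[tag] += 1
    return dict(counts)


def filter_by_tag(findings, tag):
    """Return findings whose tag matches regardless of case, as the list-view filter does."""
    wanted = tag.casefold()
    return [f for f in findings if any(t.casefold() == wanted for t in f["tags"])]


def case_collisions(group_counts):
    """Find Group By values that differ only by case.

    Returns {case-folded value: {spelling: count, ...}} for every value that has
    more than one spelling. These are the rows whose click-through result count
    will not match the count shown in the row.
    """
    buckets = defaultdict(dict)
    for value, count in group_counts.items():
        buckets[value.casefold()][value] = count
    return {key: spellings for key, spellings in buckets.items() if len(spellings) > 1}


if __name__ == "__main__":
    counts = group_by_tag(FINDINGS)
    print("Group By rows:", counts)                       # two rows: 5 and 4
    print("Filter 'testTag' returns", len(filter_by_tag(FINDINGS, "testTag")), "findings")  # 9
    print("Collisions:", case_collisions(counts))
```

Running `case_collisions` over the Tag or Group Name column of an exported Group By is a quick way to find values that should be merged before a widget built on that view is shared.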

When I filter my Group By, why am I seeing more items (or fewer) items than I expected?

Answer: You may encounter this when you Group By a field such as Tag, Group Name, CVE, or CWE. A finding or asset can be associated with one or more groups, tags, CVEs, or CWEs, and a single group, tag, CVE, or CWE can be associated with more than one finding or asset. Fields such as Tag and Group Name therefore have a "many-to-many" relationship with assets and findings.

These data relationships have an impact on filtering. When you do Group By, your filters are applied to the dataset before the Group By operation occurs. Depending on the filters that you have selected, you may see more items or fewer items than you expect.

The following examples demonstrate how the underlying data relationships can impact filtering.

Group Filter Example

Multiple hosts are in the group "Canada". You want to use Group By to find out how many hosts within the group are potentially vulnerable to ransomware.

To build this query, first add a filter for the group “Canada” and a filter for findings with ransomware threat. Second, do a Group By on Status.

[Screenshot: filters for group "Canada" and ransomware threat]

The Status Group By shows you how many hosts within the group have open or closed findings associated with ransomware threat.

[Screenshot: Status Group By with the filters applied]

Now, change the Group By to Group Name. This Group By will show you all the groups that share hosts with the group “Canada”.

[Screenshot: Group Name Group By with the filters applied]

CVE Filter Example

Assume that your client has 2531 CVEs present on open findings. If you do a Group By on CVE, you will see the actual total number of CVEs in the upper right.

[Screenshot: CVE Group By showing the total number of CVEs]

While exploring the data, you add a filter that excludes CVE-2014-3566.

[Screenshot: filter excluding CVE-2014-3566]

Because the filter operates on the underlying findings, the query removes every finding that carries CVE-2014-3566, together with any other CVEs those findings carried. The remaining number of CVEs in the dataset is 2494, not 2530.

[Screenshot: CVE Group By total after the filter]
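Both examples above follow from the same rule: filters remove whole records before the grouping step, and a record is counted once under every value it carries. The following Python script is an added example, not code from the page or from Ivanti, that implements that rule for a multi-valued field and reproduces both effects: grouping hosts filtered to group "Canada" by Group Name lists the other groups those hosts belong to, and excluding one CVE lowers the count of a CVE that was never filtered. The hosts and findings are constructed sample data.

```python
from collections import Counter

# Constructed hosts, each a member of one or more groups (sample data).
HOSTS = [
    {"id": 1, "groups": ["Canada", "Printers"]},
    {"id": 2, "groups": ["Canada"]},
    {"id": 3, "groups": ["Canada", "east offices"]},
    {"id": 4, "groups": ["Printers"]},
]

# Constructed open findings, each carrying one or more CVEs (sample data).
FINDINGS = [
    {"id": 10, "cves": ["CVE-2014-3566", "CVE-2014-0224"]},
    {"id": 11, "cves": ["CVE-2014-3566"]},
    {"id": 12, "cves": ["CVE-2016-5387"]},
    {"id": 13, "cves": ["CVE-2014-0224", "CVE-2016-5387"]},
]


def apply_filters(records, field, include=None, exclude=None):
    """Keep whole records whose multi-valued `field` contains `include`
    and does not contain `exclude`. Runs before grouping, as on the platform."""
    kept = records
    if include is not None:
        kept = [r for r in kept if include in r[field]]
    if exclude is not None:
        kept = [r for r in kept if exclude not in r[field]]
    return kept


def group_by(records, field):
    """Count records per value of a multi-valued field.
    A record carrying several values is counted once under each of them."""
    counts = Counter()
    for record in records:
        for value in record[field]:
            counts[value] += 1
    return dict(counts)


def group_by_with_filters(records, field, include=None, exclude=None):
    """Filter first, then group: the order the platform applies."""
    return group_by(apply_filters(records, field, include, exclude), field)


if __name__ == "__main__":
    # Group filter example: every group that shares a host with "Canada".
    print(group_by_with_filters(HOSTS, "groups", include="Canada"))
    # CVE filter example: excluding one CVE also drops CVE-2014-0224 from 2 to 1.
    print(group_by(FINDINGS, "cves"))
    print(group_by_with_filters(FINDINGS, "cves", exclude="CVE-2014-3566"))
```

Finding 10 carries both CVE-2014-3566 and CVE-2014-0224, so excluding the first removes finding 10 entirely and CVE-2014-0224 loses one of its two findings. The same mechanism explains why the platform's CVE total drops from 2531 to 2494 rather than to 2530.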

Why am I seeing a message that I should try my Group By operation again in 60 seconds?

Answer: The system only allows a certain number of concurrent Group By operations to run at once. This limit is applied per platform (as opposed to per user or per client).

What are some types of Group By queries that I can do?

Answer: This section describes possible uses of Group By.

Top CVEs by Asset Footprint

Apply the CVE Group By on the Host Findings page. To narrow the list to just unremediated CVEs, filter on Status is exactly Open. Then click the Hosts column to sort the view by host count.

[Screenshot: CVE Group By sorted by host count]

Top Critical Application Scanner Plugins

The Scanner Plugin Group By cannot sort directly on a plugin's VRR. One workaround is to sort the list by the count of findings in a particular VRR Group. For example, sorting by the VRR Critical column (the total count of findings with a VRR between 9.0 and 10.0) brings the scanner plugins with the most Critical findings to the top.

[Screenshot: Scanner Plugin Group By sorted by VRR Critical]

Top Operating Systems by Fix Count

Apply the Operating System Group By on the Host Findings page. Then click the Fixes column to sort the view by fix count (patch count), highest first.

[Screenshot: Operating System Group By sorted by fix count]

RS³ Distribution for Internal Hosts

On the Hosts page, apply IP Address Type is exactly Internal as a filter. Then apply the RS³ Group By. The Group By view will be sorted from lowest RS³ range to highest RS³ range by default.

[Screenshot: RS³ Group By for internal hosts]