High-level overview of the default group in RiskSense.
The Default Group is a special Group within RiskSense, serving as a temporary repository for uploaded scan results related to assets and their vulnerabilities not already assigned to user-defined groups. While the default group cannot be deleted or renamed, it does offer the same user access controls as all other groups.
The default group works in conjunction with RiskSense Networks to manage the aggregation of vulnerability and asset fingerprint data during data ingestion. The Network specified during the ingestion process determines asset uniqueness and the aggregation point (host names or IP addresses). If an asset’s aggregation point (host name or IP address, depending on the network) exactly matches an existing asset within that same Network, the RiskSense platform correlates the newly uploaded scan results to that asset, regardless of which group(s) it belongs to. If no matching IP address or host name is found within that same network, a new asset is created and assigned to the Default Group.
The default group can therefore be considered a “home for ungrouped assets”. Assigning these hosts or applications to their appropriate group or groups and removing them from the default group can then be performed from within the Manage > Hosts or Manage > Applications list views. Subsequent scan results uploaded into the same network are then automatically aggregated to the existing assets, no matter to which group(s) they belong.
Assigning assets to user-defined Groups and removing them from the default group after uploading new scan results can aid in quickly identifying hosts and applications whose scan results have been uploaded into RiskSense for the first time. If there are no assets assigned to the default group before new scan data is uploaded, anything belonging to the default group after scan ingestion is complete indicates an asset that is new to the platform.
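The correlation rule and the "empty default group before upload" practice described above can be modelled as follows. This is an added illustrative example, not RiskSense code or its API; the class, network, group and finding names are constructed, and matching is reduced to the exact-match rule stated above.

```python
from dataclasses import dataclass, field
DEFAULT_GROUP = "Default Group"

@dataclass
class Asset:
    network: str
    hostname: str
    ip: str
    groups: set = field(default_factory=lambda: {DEFAULT_GROUP})
    findings: list = field(default_factory=list)

class Platform:
    """Toy model of the ingestion rule described above (hypothetical, not RiskSense code)."""
    def __init__(self, networks):
        self.networks = networks  # name -> aggregation point: "hostname" or "ip"
        self.assets = {}          # (network, aggregation key) -> Asset

    def ingest(self, network, records):
        point = self.networks[network]
        for rec in records:
            key = (network, rec[point])            # exact match, same network only
            asset = self.assets.get(key)
            if asset is None:                      # no match: new asset, Default Group
                asset = self.assets[key] = Asset(network, rec["hostname"], rec["ip"])
            asset.findings.append(rec["finding"])  # match: group membership is irrelevant

    def regroup(self, network, key, group):
        """Assign to a user-defined group and remove from the Default Group."""
        asset = self.assets[(network, key)]
        asset.groups = (asset.groups - {DEFAULT_GROUP}) | {group}

    def in_default_group(self):
        return sorted(k for k, a in self.assets.items() if DEFAULT_GROUP in a.groups)

def demo():
    p = Platform({"corp-dhcp": "hostname", "dc-static": "ip"})  # constructed names
    p.ingest("corp-dhcp", [{"hostname": "wks-01", "ip": "10.0.0.5", "finding": "F-1"}])
    p.ingest("dc-static", [{"hostname": "db-01", "ip": "172.16.1.10", "finding": "F-2"}])
    p.regroup("corp-dhcp", "wks-01", "Workstations")
    p.regroup("dc-static", "172.16.1.10", "Databases")
    # Second upload: wks-01 has a new DHCP lease, db-01 was renamed, and one
    # record for 172.16.1.10 is uploaded into the wrong network.
    p.ingest("corp-dhcp", [
        {"hostname": "wks-01", "ip": "10.0.0.77", "finding": "F-3"},
        {"hostname": "db-01", "ip": "172.16.1.10", "finding": "F-4"}])
    p.ingest("dc-static", [{"hostname": "db-01-new", "ip": "172.16.1.10", "finding": "F-5"}])
    return p

if __name__ == "__main__":
    print(demo().in_default_group())  # assets that are new to the platform
```

In this model the only asset left in the default group after the second upload is the record ingested into the wrong network, which shows how a mismatched Network choice surfaces as an apparent "new" asset rather than aggregating to the existing one.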
Auto-assignment of assets to groups using commonalities such as operating systems, IP ranges/subnets, or host name prefixes/suffixes is a very common use case of RiskSense Playbooks.