Group By: Frequently Asked Questions (FAQ)

A collection of frequently asked questions (FAQ) and their answers regarding the Group By feature in RiskSense.

What is the Group By feature?

Group By allows our users to view aggregate counts of assets and findings based on certain filter types. Using this feature, you can answer questions such as:

  • Which scanner plugins have the biggest asset footprint?
  • Which CVEs have the biggest asset footprint?
  • How many high-risk findings are associated with certain Operating Systems?
  • How many assets do I have in each RS³ band or at each business criticality level?

What fields (filters) can I use Group By on?

The Group By feature is available on the following pages:

  • Hosts
  • Host Findings
  • Applications
  • Application Findings

Availability of each Group By field by page (Yes = available, No = not available):

Group By              | Hosts | Host Findings | Applications | Application Findings
----------------------|-------|---------------|--------------|---------------------
Asset Criticality     | Yes   | Yes           | Yes          | Yes
Assigned To           | No    | Yes           | No           | Yes
Group Name            | Yes   | Yes           | Yes          | Yes
Network Name          | Yes   | Yes           | Yes          | Yes
Operating System      | Yes   | Yes           | No           | No
Port                  | Yes   | Yes           | No           | No
RS³                   | Yes   | No            | Yes          | No
Scanner Name          | Yes   | Yes           | Yes          | Yes
Tag                   | Yes   | Yes           | Yes          | Yes
Asset Tag             | No    | Yes           | No           | Yes
CVE                   | No    | Yes           | No           | No
Discovered On         | No    | Yes           | No           | Yes
Due Date              | No    | Yes           | No           | Yes
Patch ID              | No    | Yes           | No           | No
Patch Title           | No    | Yes           | No           | No
Patch Vendor          | No    | Yes           | No           | No
Scanner Plugin        | No    | Yes           | No           | Yes
Status                | No    | Yes           | No           | Yes
VRR Group             | No    | Yes           | No           | Yes
CWE                   | No    | No            | No           | Yes
Finding Type          | No    | No            | No           | Yes
Location              | No    | No            | No           | Yes
OWASP                 | No    | No            | No           | Yes
Web Application Name  | No    | No            | No           | Yes

How many results can I see for a single Group By?

All Group By views return up to 100 rows per page by default. You can temporarily change the number of rows per page in the page configuration settings.

At maximum, you can see up to the first 1000 results within the platform.

How can I sort my Group By view?

To sort the Group By view by a specific column, click the column header. The first click sorts the view in descending order for that column; clicking the same header again sorts it in ascending order.

[Screenshot: sorting a Group By view by a column]

Note that you are running a new Group By operation when you change the sort. The system may take a few moments to run the new query and display the results.

How can I filter my Group By view?

You can apply filters the same way that you apply filters to the normal view of your assets or findings. You can apply filters either before adding a Group By or after applying a Group By. If you apply filters after you apply a Group By, keep in mind that the filters operate on the underlying data (assets or findings) rather than directly on rows shown in the Group By view.

How do I know if sorting is disabled for a particular column?

If sorting is disabled for a column, no arrow appears next to the column name when you hover your mouse over the column header. If the total size of your dataset exceeds 100,000 rows, you can sort the Group By view only by the Group By column, and a warning pops up if you try to sort by any other column. To re-enable sorting, use filters to reduce the total size of the dataset.

What is the default sort order for each Group By?

By default, all Group By views are sorted by the Group By column. The table below shows the default sorting behavior for each Group By. Alphanumeric sorting compares values as text, so numeric-looking values such as ports sort as 100, 1000, 111, and terms starting with lower-case letters come after terms starting with upper-case letters.

Group By              | Behavior                      | Default Order | Example
----------------------|-------------------------------|---------------|--------
Asset Criticality     | Numerical                     | Descending    | 5 (Most Critical), 4 (Very Critical), 3 (Moderately Critical), 2 (Less Critical), 1 (Least Critical)
Assigned To           | Alphanumeric on first name    | Ascending     | Beth Ogle, Fred Adams
Group Name            | Alphanumeric                  | Ascending     | 111 Street, Printers, east offices
Network Name          | Alphanumeric                  | Ascending     | 111 Street, Internal, external
Operating System      | Alphanumeric                  | Ascending     | IOS, Linux, Microsoft servers 2003
Port                  | Alphanumeric                  | Ascending     | 100, 1000, 111
RS³                   | Lowest score range to highest | Ascending     | Critical Risk: 300-399, High Risk: 400-549, Medium Risk: 550-699, Low Risk: 700-799, Very Low Risk: 800-850
Scanner Name          | Alphanumeric                  | Ascending     | Qualys, RISKSENSE, test
Tag                   | Alphanumeric                  | Ascending     | 2021-planned, Adams-reporting, trending
Asset Tag             | Alphanumeric                  | Ascending     | 2021-planned, Adams-reporting, trending
CVE                   | Alphanumeric                  | Ascending     | CVE-1999-0002, CVE-2001-0323, CVE-2001-0471
Discovered On         | Date                          | Ascending     | Feb 11, 2014; Jun 26, 2014; Feb 02, 2015
Due Date              | Date                          | Ascending     | Feb 11, 2014; Jun 26, 2014; Feb 02, 2015
Patch ID              | Alphanumeric                  | Ascending     | 51192, apache-httpd-cve-2016-5387, qualys105543
Patch Title           | Alphanumeric                  | Ascending     | CUPS UDP Packet Remote Denial of Service Vulnerability, Statd Format Bug Vulnerability
Patch Vendor          | Alphanumeric                  | Ascending     | apache, cifs
Scanner Plugin        | Alphanumeric                  | Ascending     | 10061, WEAK-CRYPTO-KEY
Status                | Alphanumeric                  | Ascending     | Closed, Open
VRR Group             | Lowest score range to highest | Descending    | Critical: 9.00-10.00, High: 7.00-8.90, Medium: 4.00-6.90, Low: 0.01-3.90, Info: 0.00
CWE                   | Alphanumeric                  | Ascending     | 1004, 116, 12
Finding Type          | Alphanumeric                  | Ascending     | Container, DAST, OSS, SAST
Location              | Alphanumeric                  | Ascending     | /, /Flash, http://192.168.1.21:9022/assets/omniture/
OWASP                 | Alphanumeric                  | Ascending     | A1 - Injection, A2 - Broken Authentication
Web Application Name  | Alphanumeric                  | Ascending     | Demo6, https://127.0.0.1:443

Can I group my assets or findings by more than one field at a time?

Currently, you can only Group By one field at a time.

Can I save my page settings for a single Group By or for all Group By views across sessions?

Currently, the platform applies the default settings for a Group By view each time you use the Group By drop-down to select a new Group By operation.

When I do a Group By on the Host Findings page, I see that the Hosts column sometimes has links to the Hosts page and that the Fixes column sometimes has links to the Patches page. Why are some of those links missing?

Clicking a link in the Hosts or Fixes column takes you to another page in the platform with different filters applied. Group By builds these links from ID filters when you navigate from a Group By view to another page, and a single link can contain at most 5,000 IDs; a row whose IDs exceed that limit has no link. The same limitation applies to links from the Application Findings Group By views to the Applications page.

How can I view the counts of open Critical, High, Medium, Low, and Info host findings or application findings?

All Host Findings and Application Findings Group By views let you add the columns VRR Critical, VRR High, VRR Medium, VRR Low, and VRR Info. By default, these columns show the total counts of findings regardless of status. To count only Open findings, apply the filter Status is exactly Open.

If my Group By has more than 1000 items, how can I see them?

Group By can display up to 1,000 items. To view all items, export the results of your Group By to a CSV, JSON, or XLSX file.

Do my current sort and filters carry over when I export my Group By view?

The Group By query for the export will include your active filters. Your current sort will have no impact on the order of items in the export file.

Why do my exports show different numbers in the columns than I see in the platform?

Group By returns estimates for counts. The platform abbreviates numbers by truncating them and appending “K” (thousands) or “M” (millions). Exports show the original estimates. Use the spreadsheet program of your choice to sort data and format numerical columns.

When I filter my Group By, why am I seeing more (or fewer) items than I expected?

You may see this when you Group By a field such as Tag, Group Name, CVE, or CWE. A finding or asset can be associated with one or more groups, tags, CVEs, or software weaknesses (CWEs), and a single group, tag, CVE, or CWE can be associated with more than one finding or asset. Fields such as Tag and Group Name therefore have a "many-to-many" relationship with assets and findings.

These data relationships have an impact on filtering. When you do Group By, your filters are applied to the dataset before the Group By operation occurs. Depending on the filters that you have selected, you may see more items or fewer items than you expect.

The following examples demonstrate how the underlying data relationships can impact filtering.

Group Filter Example

Multiple hosts are in the group “Canada”. You want to do a Group By to find out how many hosts within the group are potentially vulnerable to ransomware.

To build this query, first add a filter for the group “Canada” and a filter for findings associated with a ransomware threat. Second, do a Group By on Status.

[Screenshot: group and ransomware-threat filters applied]

The Status Group By shows you how many hosts within the group have open or closed findings associated with ransomware threat.

[Screenshot: Status Group By with the filters applied]

Now, change the Group By to Group Name. This Group By will show you all the groups that share hosts with the group “Canada”.

[Screenshot: Group Name Group By with the filters applied]

CVE Filter Example

Assume that your client has 2531 CVEs present on open findings. If you do a Group By on CVE, you will see the actual total number of CVEs in the upper right.

[Screenshot: total CVE count shown in the upper right]

While exploring the data, you filter out CVE-2014-3566.

[Screenshot: filter excluding CVE-2014-3566]

Since the filters operate on the underlying findings, your query removes any finding with CVE-2014-3566. The remaining number of CVEs in the dataset is 2494.

[Screenshot: total CVE count after the filter is applied]
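The two examples above, modelled as an added Python sketch (not RiskSense code; the findings, hosts, groups and function names are constructed for illustration): filters are applied to the underlying findings first, and only then does the set-valued Group By field fan out into rows.

```python
from collections import defaultdict
# Constructed sample host findings (not RiskSense data). Groups and CVEs are
# set-valued because both are many-to-many with findings and hosts.
FINDINGS = [
    {"host": "h1", "groups": {"Canada", "Printers"}, "status": "Open",
     "cves": {"CVE-2014-3566", "CVE-2001-0323"}, "ransomware": True},
    {"host": "h2", "groups": {"Canada"}, "status": "Closed",
     "cves": {"CVE-2014-3566"}, "ransomware": True},
    {"host": "h3", "groups": {"Canada", "Internal"}, "status": "Open",
     "cves": {"CVE-1999-0002"}, "ransomware": False},
    {"host": "h4", "groups": {"Printers"}, "status": "Open",
     "cves": {"CVE-2001-0471"}, "ransomware": True},
]

def apply_filters(findings, group=None, ransomware=None, exclude_cve=None):
    """Filters act on the underlying findings, never on Group By rows."""
    return [f for f in findings
            if (group is None or group in f["groups"])
            and (ransomware is None or f["ransomware"] == ransomware)
            and (exclude_cve is None or exclude_cve not in f["cves"])]

def group_by(findings, field):
    """Map each Group By key to its distinct host count. A set-valued field fans
    out: a finding counts toward every group or CVE it carries, so rows overlap."""
    hosts = defaultdict(set)
    for f in findings:
        keys = f[field] if isinstance(f[field], set) else {f[field]}
        for key in keys:
            hosts[key].add(f["host"])
    return {key: len(h) for key, h in hosts.items()}

def canada_ransomware_by_status():
    # Group Filter Example, step 1: "Canada" hosts with ransomware findings, by Status.
    return group_by(apply_filters(FINDINGS, group="Canada", ransomware=True), "status")

def canada_ransomware_by_group():
    # Step 2: same filters, grouped by Group Name. Groups that merely share a
    # host with "Canada" (Printers, via h1) get their own row.
    return group_by(apply_filters(FINDINGS, group="Canada", ransomware=True), "groups")

def cve_row_count(exclude_cve=None):
    # CVE Filter Example: excluding one CVE drops whole findings, and any other
    # CVE that appeared only on those findings (CVE-2001-0323) vanishes too.
    return len(group_by(apply_filters(FINDINGS, exclude_cve=exclude_cve), "cves"))
```

With this data, excluding a single CVE reduces the CVE row count from 4 to 2, which is the same effect the 2531-to-2494 drop above shows on real data.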

Why am I seeing a message that I should try my Group By operation again in 60 seconds?

The system allows only a certain number of Group By operations to run concurrently. This limit is applied per platform, not per user or per client. RiskSense is currently evaluating common usage patterns and may increase the per-platform capacity in the future.

What are some types of Group By queries that I can do?

This section describes possible uses of Group By.

Top CVEs by Asset Footprint

Apply the CVE Group By on the Host Findings page. To narrow the list to just unremediated CVEs, filter on Status is exactly Open. Then click the Hosts column to sort the view by host count.


Top Critical Application Scanner Plugins

The Scanner Plugin Group By does not offer a sort directly on the VRR of the scanner plugin. One workaround is to sort the list by the count of findings in a particular VRR Group: for example, sort by the VRR Critical column (the total count of Critical findings) to identify the scanner plugins with a VRR between 9.0 and 10.0.


Top Operating Systems by Fix Count

Apply the Operating System Group By on the Host Findings page. Then click the Fixes column to sort the view by highest fix count (patch count).


RS³ Distribution for Internal Hosts

On the Hosts page, apply IP Address Type is exactly Internal as a filter. Then apply the RS³ Group By. The Group By view will be sorted from lowest RS³ range to highest RS³ range by default.
