Home New York Security Incident Management Security Operations Vulnerability Response Understanding the Vulnerability Response application Vulnerability groups and group rules overview

Vulnerability groups and group rules overview

Starting with Vulnerability Response v10.0, configure vulnerability groups (VG) to help analysts and remediation specialists organize vulnerable items (VI) and analyze them in bulk. The criteria by which groups are formed is configured so that you do not have to manually assign vulnerable items into groups. Using vulnerability groups, you can monitor progress and drive the remediation process more efficiently.

Understanding vulnerability groups

Vulnerability groups represent a set of vulnerable items to remediate. Grouping vulnerable items has many advantages. You can move vulnerable items through the remediation states, mark them under investigation, defer them, mark them resolved in bulk by using groups. You can create conditions to automatically group all items with specified vulnerabilities, departments, locations, and any other data related to the vulnerable item. Vulnerable items can belong to more than one vulnerability group giving you the flexibility to actively work with one group and monitor another. It all depends on your organizational needs. For example, you could group by department, and also create a group containing all currently exploitable vulnerabilities.

Vulnerability groups are created as follows.

Manually, using one of three options, to add vulnerable items to the group.
- Add vulnerable items to the group by hand.
- Use a Condition filter that automatically adds vulnerable items to the vulnerability group.
- Use a Filter group that automatically adds vulnerable items to the vulnerability group.
Note: Manually added vulnerable items are not automatically removed from vulnerability groups by vulnerability group rules or group conditions.
Automatically, using vulnerability group rules (VGR). This option is the easiest option, once configured, vulnerability group rules create all desired vulnerability groups.

From a vulnerability group, the group of vulnerable items may be assigned to a user, deferred until later, used to create a Change Request, and so on.

Starting with version 10.0, when a group is formed based on a specific vulnerability, that vulnerability is listed on the VG form.

When it is determined that a new vulnerable item can be added to a group, the vulnerability item is included in the Vulnerable Items list of the vulnerability group. Conversely, the vulnerability group appears in the Vulnerability Group list of Vulnerable Items.

When updating the state of a vulnerability group, associated vulnerable items can have their state updated to match this vulnerability group. See Vulnerability group and vulnerable item states for more information on state changes.

You can create security incidents and change requests from vulnerability groups, as needed.

Refreshing vulnerable items automatically

Note: Vulnerable item refresh automation applies only to groups created using the condition filter or filter group. Automation does not apply to VIs that were added manually or grouped using vulnerability group rules (VGRs).

When the Automatically refresh vulnerable items check box is selected, new VIs matching the vulnerability group filter criteria are automatically added to the group. Vulnerable items in the group that no longer match the filter criteria are automatically removed from the group.

By default, when the group leaves the Open state, the check box is cleared. If you want vulnerable items to continue being added to the group, regardless of state, disable the Set auto refresh vulnerable items business rule.

You can select the check box again manually from the Under Investigation state. Automatically refresh vulnerable items is not disabled when the group moves into the Awaiting Implementation state. Once in the Awaiting Implementation state, no new vulnerable items can be added to the existing group, nor can existing vulnerable items be removed from the group.

Note: When a group is created manually, and VIs are added using the Condition filter or Filter Group, the check box is unchecked. You have the choice to select the box or not.

Refreshing vulnerable items manually

For manually created vulnerability groups with a Filter Group or Condition filter, when you click the Re-scan vulnerable items related link on the Vulnerability Group page, any vulnerable items that match the filter criteria are added. Items no longer matching the criteria are removed. This action allows an immediate update of the list of vulnerable items and is used whether the Automatically refresh vulnerable item check box is selected or not.

Manually created vulnerability groups using Condition or Filter Group filter types are refreshed once an hour.

Understanding vulnerability group rules

Vulnerability groups rules allow you to define how vulnerable items are automatically grouped and assigned. A default rule, Vulnerability, is included in the base system grouping vulnerable items based on its vulnerability. However, you can group by any other set of values in columns accessible from the VI. These values could include configuration item (CI) support group, vulnerability severity, and, so on. You can use up to six Group by selections and any number of conditions. You can automate group assignment, as well. See Create or edit vulnerability group rules and Filtering within Vulnerability Response for more information.

Note: To make Rapid7 InsightVM asset tags available for use in the Condition filter for Vulnerability Group Rules, you must run the Rapid7 InsightVM Asset List integration before the other Rapid7 InsightVM integrations.

For example, you can group your vulnerable items by the cost center of the vulnerable CI, or by the attack vector of the vulnerability. You can have one group rule for low severity vulnerabilities or low risk CIs. You can have another group rule for critical servers, and vulnerabilities with exploits — vulnerable items that expose the company to more risk.

A different set of rules can be used for vulnerable items that expose the company to more risk. The VGR name is appended to the VGR Group by values to make the short description of the new vulnerability group. See Create a Vulnerability Response group for more information on available fields.

Example of a vulnerability group rule showing the Group By entries

When a new vulnerable item is created, imported, or reopened after being closed, the vulnerability rules are evaluated against it. A VI is only evaluated once, automatically, unless it is reopened after being closed or the rules are reapplied manually.

The following process is used for each new or reopened VI:

For each vulnerability group rule, the VI is compared to the VGR filter.
For each rule where the VGR condition matches, the rule pulls the data from the Group by selections on the VI. It builds a group name and field. In this case, High Risk: QID-32342:Summary of QID-3242 (Name:vulnerability ID:vulnerabilty summary).
Note: The short description field is limited to 160 characters. Longer vulnerability summaries are truncated.
The rule checks to see if there is a matching Open vulnerability group that is assigned to the same assignment group as the VI.
- If the group is found, the VI is added to the existing group in the Open state.
- If no group in the Open state is found, the rule creates a High Risk: QID-32342 group, assigns it to the same assignment group as the VI, and places the VI in the vulnerability group.

More than one VGR can be defined, to group different kinds of vulnerabilities. Since each vulnerability is compared with the VGR conditions before putting it in a group, too many rules may have a performance impact.

By default, VGRs use the assignment group set by the Assignment Rules on the vulnerable item when grouping the items, and assigns the vulnerability group to match the vulnerable items.

As part of the default group rule, the assignment of these vulnerability groups is controlled by the rules in the Assignment Rules module. For more information on assignment rules, see Vulnerability Response assignment rules overview.

When a group rule is deleted, from the form or list view, you have the option to delete all Open groups created by that rule. Groups not in the Open are excluded.

Reapplying vulnerability group rules

When you want to change a vulnerability group rule, use the Reapply button on the vulnerability group rule page to rerun the changed rule on all active Open vulnerability groups created by that rule. It deletes and recreates vulnerability groups based on the changed rule automatically.

Previous topic

Next topic

Release version

Vulnerability groups and group rules overview

Understanding vulnerability groups

Vulnerability groups are created as follows.

Manually, using one of three options, to add vulnerable items to the group.
- Add vulnerable items to the group by hand.
- Use a Condition filter that automatically adds vulnerable items to the vulnerability group.
- Use a Filter group that automatically adds vulnerable items to the vulnerability group.
Note: Manually added vulnerable items are not automatically removed from vulnerability groups by vulnerability group rules or group conditions.
Automatically, using vulnerability group rules (VGR). This option is the easiest option, once configured, vulnerability group rules create all desired vulnerability groups.

From a vulnerability group, the group of vulnerable items may be assigned to a user, deferred until later, used to create a Change Request, and so on.

Starting with version 10.0, when a group is formed based on a specific vulnerability, that vulnerability is listed on the VG form.

You can create security incidents and change requests from vulnerability groups, as needed.

Refreshing vulnerable items automatically

Note: When a group is created manually, and VIs are added using the Condition filter or Filter Group, the check box is unchecked. You have the choice to select the box or not.

Refreshing vulnerable items manually

Manually created vulnerability groups using Condition or Filter Group filter types are refreshed once an hour.

Understanding vulnerability group rules

The following process is used for each new or reopened VI:

For each vulnerability group rule, the VI is compared to the VGR filter.
For each rule where the VGR condition matches, the rule pulls the data from the Group by selections on the VI. It builds a group name and field. In this case, High Risk: QID-32342:Summary of QID-3242 (Name:vulnerability ID:vulnerabilty summary).
Note: The short description field is limited to 160 characters. Longer vulnerability summaries are truncated.
The rule checks to see if there is a matching Open vulnerability group that is assigned to the same assignment group as the VI.
- If the group is found, the VI is added to the existing group in the Open state.
- If no group in the Open state is found, the rule creates a High Risk: QID-32342 group, assigns it to the same assignment group as the VI, and places the VI in the vulnerability group.

By default, VGRs use the assignment group set by the Assignment Rules on the vulnerable item when grouping the items, and assigns the vulnerability group to match the vulnerable items.

When a group rule is deleted, from the form or list view, you have the option to delete all Open groups created by that rule. Groups not in the Open are excluded.

Reapplying vulnerability group rules

How search works:

Topics are ranked in search results by how closely they match your search terms

Vulnerability groups and group rules overview

Vulnerability groups and group rules overview

Understanding vulnerability groups

Refreshing vulnerable items automatically

Refreshing vulnerable items manually

Understanding vulnerability group rules

Reapplying vulnerability group rules

On this page

Vulnerability groups and group rules overview

Vulnerability groups and group rules overview

Understanding vulnerability groups

Refreshing vulnerable items automatically

Refreshing vulnerable items manually

Understanding vulnerability group rules

Reapplying vulnerability group rules

Log in to personalize your search results and subscribe to topics