Grouping Rules

With grouping rules, you can combine individual posture incidents into a group based on different criteria. This reduces the number of incidents and makes remediation easier.

You must have one-to-one detection rules configured in Qualys Core before you define grouping rules. The grouping rules group the incidents in the Incident table according to the criteria you define.

Perform the following steps to define Grouping Rules:

  1. Go to Configuration > Detection Event Rules > Grouping Rules to view the grouping rules that are available by default. You can update an existing rule or create a new rule.

    detection_grouping_rules

    You can use the Copy this Rule option to clone the detection rule, modify the required fields, and save the rule with a new name. See Clone a detection rule.

  2. Review the existing values in the fields and modify them as required:

    detection_grouping_rule_new

    • Source table - Select the Incident table, where the incidents are created when the one-to-one detection rules are triggered.
    • Destination table - Select Incident. This is where the group incidents are created when this rule is triggered.

      To create a change request instead, select Change Request as the Destination table.

      The Trigger Criteria tab defines the conditions under which the detection event rule is triggered.

      detection_grouping_rules-trigger

    • Order - Provide a number that indicates the priority for running this detection event rule. The value in the Order field is relative, and detection event rules are executed in ascending order, from lowest to highest. The order assigned to a rule decides the priority when multiple rules exist for the same table.
    • Stop processing - Select this check box to stop processing the rules ordered after this rule once the detection conditions are met.

      The Grouping tab defines how grouping is performed.

      detection_grouping_rules-grouping

    • Group by - Select which field from the Source table should be used as a criterion for grouping the incidents. You can select the grouping criteria from the list.

      detection_grouping_rules-criteria

      You can define up to 4 criteria for grouping.

      For details on how the incident grouping works, see Example of Grouping.

      Once you select a value in the Group by field, you cannot edit it. To change the value in the Group by field, click Clear Group By Fields. This clears the values in the Group by field. The Clear Group By Fields option is available only if you have the required privileges.

      You can also define when incident grouping should stop. For example, the following image shows that an incident is not included in a group if its state matches any of the selected values.

      detection_grouping_rules-stopgrouping_example

      The Assignment tab defines how the assignment groups are assigned.

      detection_grouping_rules-assignment

      If Assignment group based on ServiceNow Assignment Rules is selected, the incidents are assigned based on the rules set under Configure Assignment Rules.

      If Assignment based on Detection Event Rule is selected, you can select a value in the Assignment Group field. This assignment group is applicable only for this rule.

      If Assignment based on Group by field is selected, you can select a value in the Assignment Group field. This assignment group is applicable only for this rule.

  3. Click Submit to create a new detection event grouping rule.
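The following is an added illustration, not the app's own code, of how the settings above interact: a rule's Trigger Criteria select rows from the Source table, the Group by fields (up to 4) bucket them into group incidents, states listed under stop grouping keep rows out of any group, and Order plus Stop processing decide which rules run. All field names, sample incidents and rule definitions are constructed for the example.

```javascript
// Added illustration (not the app's own code) of this page's grouping-rule concepts:
// Group by (max 4 fields), stop-grouping states, Order, Stop processing. Data is constructed.
// Constructed Source table rows, as one-to-one detection rules would create them.
const sampleIncidents = [
  { number: 'INC0001', policy: 'CIS Linux', control: 'SSH root login', host: 'web01', state: 'New' },
  { number: 'INC0002', policy: 'CIS Linux', control: 'SSH root login', host: 'web02', state: 'New' },
  { number: 'INC0003', policy: 'CIS Linux', control: 'SSH root login', host: 'web03', state: 'Closed' },
  { number: 'INC0004', policy: 'CIS Linux', control: 'auditd enabled', host: 'web01', state: 'New' },
  { number: 'INC0005', policy: 'CIS Windows', control: 'auditd enabled', host: 'dc01', state: 'In Progress' },
];

// One rule: rows matching the trigger criteria are bucketed by the Group by
// fields; rows in a stop-grouping state join no group. Returns the group
// incidents that would be created in the Destination table.
function applyGroupingRule(rows, rule) {
  if (rule.groupBy.length < 1 || rule.groupBy.length > 4) throw new RangeError('Group by takes 1 to 4 fields');
  const groups = new Map();
  for (const row of rows) {
    if (!rule.trigger(row) || rule.stopGroupingStates.includes(row.state)) continue;
    const key = JSON.stringify(rule.groupBy.map((f) => row[f] ?? null)); // collision-safe composite key
    if (!groups.has(key)) {
      groups.set(key, {
        criteria: Object.fromEntries(rule.groupBy.map((f) => [f, row[f]])),
        assignmentGroup: rule.assignmentGroup, // "Assignment based on Detection Event Rule"
        members: [],
      });
    }
    groups.get(key).members.push(row.number);
  }
  return [...groups.values()];
}

// Rules run in ascending Order; a rule with Stop processing set halts the rules
// ordered after it once its trigger criteria matched at least one row.
function runGroupingRules(rows, rules) {
  const results = [];
  for (const rule of [...rules].sort((a, b) => a.order - b.order)) {
    results.push({ rule: rule.name, groups: applyGroupingRule(rows, rule) });
    if (rule.stopProcessing && rows.some((r) => rule.trigger(r))) break;
  }
  return results;
}

const sampleRules = [
  { name: 'Linux by policy and control', order: 100, stopProcessing: true, groupBy: ['policy', 'control'],
    stopGroupingStates: ['Closed'], assignmentGroup: 'Linux Compliance', trigger: (r) => r.policy === 'CIS Linux' },
  { name: 'Catch-all by policy', order: 200, stopProcessing: false, groupBy: ['policy'],
    stopGroupingStates: [], assignmentGroup: 'Compliance Triage', trigger: () => true },
];
```

With the sample data, the first rule produces two group incidents (the Closed row INC0003 is left out) and, because Stop processing is set, the catch-all rule never runs.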

Detection Event Field Maps

Once the detection event rule is created, add field mappings.

Click your created detection event group rule, and go to Detection event field maps.

You must add the following field mappings:

detection_field_map_grouping

Reprocess Detection Event Rules

When a new posture is imported, you need to process the one-to-one detection rules manually, and then the grouping rules must also be processed again.

To manually reprocess the grouping and one-to-one rules, click Reprocess Detection Event in the detection event rule.

The Reprocess Detection Event option is available only if you have the required privileges. If you cannot view this option, contact your ServiceNow administrator.

Clone Detection Rule

You can create a clone of a grouping rule or a one-to-one rule. Click Copy this Rule to create a copy of the rule with all the defined settings, along with its detection event field maps.

You can provide a new name or save the rule with the default name. In this case, the prefix COPY is added to the existing name.