Configure Asset Groups

Asset groups give you a convenient way to make logical groupings of the assets you want to scan and report on. You can add your assets (hosts, domains, appliances) to multiple groups as needed.

Check out these videos:

Asset groups

How to use asset groups?

What are the steps?

Go to Assets > Asset Groups. Select New > Asset Group. To edit an existing asset group, select Edit from the Quick Actions menu.

Add IPs and domains to the group

It's simple. Go to the IPs section to add IPs and go to the Domains section to add domains. Enter or select the IPs and domains you want to add. You can even copy IPs from another asset group. Then save your group.

Note: If the asset group is created by a sub-user, then the manager user can only add IPs that are within the sub-user's scope.

Add scanner appliances to the group

By adding appliances you can manage which appliances are used for scanning the hosts defined in your asset group.

You have these options:

1) Scan your asset group using appliances in the group. By default up to 5 appliances will be used, and this can be customized for your account. Learn more

2) Scan your asset group using the default appliance in the group.

Business Info

The business information you provide can be used later when reporting on the hosts in the asset group.

Select a business impact levelSelect a business impact level

The business impact level you select is automatically applied to all hosts in the group. Business impact levels determine which asset groups are most critical to your organization. The higher the impact level, the higher the potential for business loss if compromised. For example, you may apply a higher impact level to a group of Linux servers running mission critical applications than to a group of desktop systems. If you do not assign an impact level to the asset group, then a level of Medium is used by default. (Tip: Managers can customize the business impact titles by going to VM/VMDR > Reports > Business Risk Setup.)

You can update the business impact for the existing asset group by selecting multiple asset groups in bulk.  
Valid values are - Medium, High, Low, Minor, or Critical.
The default value is Medium.

Perform the steps to update the business impact.

  1. Go to VM > Assets > Asset Groups.
  2. Select the single or bulk Asset Group from the list.
     
  3. Click Actions Menu list and select Update Business Impact.

    Selecting the Update Business Impact.
  4. Select the Business Impact as Low, Minor, Medium, High, or Critical from the list.

    Selecting the business impact as medium, low from the list.

    Note: The Update Business Impact is always set as Medium by default.
  5. Click Save.

You can observe the change when you edit the asset group by going to Quick Actions menu list and selecting Edit.

Selecting the asset group to check the impact.

Business impact set as medium.

 

Enter values for Division, Function and LocationEnter values for Division, Function and Location

When generating scorecard reports you can filter the hosts included in your reports by this business information. For example, only include asset groups where the Division is set to Finance, or only include asset groups where the Division is set to Finance and the Function is On-line Banking.

CVSS Info

If CVSS Scoring is enabled for the subscription, you'll see the option to set CVSS environmental metrics in the Business / CVSS Info section. Your selections will be used in reporting when determining the CVSS score for the hosts in this asset group.

Tell me about CVSS environmental metricsTell me about CVSS environmental metrics

CVSS Environmental Metrics capture the characteristics of a vulnerability that are associated with the user's IT environment. The values defined for the asset group apply to all hosts in the asset group.

Collateral Damage Potential represents the possibility for loss in physical equipment and property damage. See possible valuesSee possible values

Not Defined. Assigning this value to the metric will not influence the score. It is a signal to the CVSS scoring equation to skip the metric.

None. There is no potential for loss of life, physical assets, productivity or revenue.

Low. A successful exploit of this vulnerability may result in slight physical or property damage. Or, there may be a slight loss of revenue or productivity to the organization.

Low-Medium. A successful exploit of this vulnerability may result in moderate physical or property damage. Or, there may be a moderate loss of revenue or productivity to the organization.

Medium-High. A successful exploit of this vulnerability may result in significant physical property damage or loss. Or, there may be significant loss of revenue or productivity to the organization.

High. A successful exploit of this vulnerability may result in catastrophic physical or property damage or loss. Or, there may be a catastrophic loss of revenue or productivity to the organization.

Target Distribution represents the relative size of the field of the target systems susceptible to the vulnerability. See possible valuesSee possible values

Not Defined. Assigning this value to the metric will not influence the score. It is a signal to the CVSS scoring equation to skip this metric.

None. No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.

Low. Targets exist inside the environment on a small scale. Between 1% - 25% of the total environment is at risk.

Medium. Targets exist inside the environment on a medium scale. Between 26% - 75% of the total environment is at risk.

High. Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is at risk.

The following Security Requirements metrics enable users to customize the final CVSS score, depending on the importance of the affected host to the user's organization.

Confidentiality Requirement represents the impact that loss of confidentiality has on the organization or individuals associated with the organization (for example employees, customers).

Integrity Requirement represents the impact that loss of integrity has on the organization or individuals associated with the organization (for example employees, customers).

Availability Requirement represents the impact that loss of availability has on the organization or individuals associated with the organization (for example employees, customers).

See possible values for security requirements metricsSee possible values for security requirements metrics

The possible values that may be assigned to the Security Requirements metrics are listed below.

Not Defined. Assigning this value to the metric will not influence the score. It is a signal to the CVSS scoring equation to skip this metric.

Low. Loss of requirement is likely to have only a limited adverse effect on the organization or individuals associated with the organization (for example employees, customers).

Medium. Loss of requirement is likely to have a serious adverse effect on the organization or individuals associated with the organization (for example employees, customers).

High. Loss of requirement is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (for example employees, customers).

Learn more about CVSS Scoring

Add hosts by hostname

If you have the Scan by Hostname feature, you'll see the option to add DNS and NetBIOS hostnames to the asset group. Add DNS names to the DNS section and NetBIOS names to the NetBIOS section. Only Managers can edit these sections of the asset group. You must also add a scanner appliance to the group. The scanner appliance must be able to resolve the hostnames in the group to their IP addresses.

Can I also add IPs to the group?Can I also add IPs to the group?

Yes. When the asset group is scanned, all assets in the group will be scanned, including DNS and NetBIOS hostnames and IP addresses.

Make sure hostnames are formatted correctlyMake sure hostnames are formatted correctly

When you add DNS and NetBIOS hostnames, validation will occur to make sure the hostnames are formatted correctly. If the hostnames do not meet the requirements below, then an error will appear. Correct the formatting and try again.

A DNS hostname must follow the formatting requirements of an FQDN (Fully Qualified Domain Name). The hostname may include 2 or more labels separated by a dot. Each label may include up to 63 characters, including alphanumeric characters and hyphens as long as the label doesn't start or end with a hyphen. The last label (the one furthest to the right) must include 2 or more characters and can only be alphabetic characters.

Here are some examples of acceptable DNS hostnames:
qualys.com
corp.qualys.com
host30-2-100.corp.qualys.com

A NetBIOS hostname may include up to 15 alphanumeric characters and these special characters:

! @ # $ % ^ & ( ) - _ ' { } . ~

Learn more about Scan by Hostname

See which groups users have assigned

A Manager can see this information when editing an asset group. Go to the Users section, select a user from the list and click the View button to see more information about the user account.

Change the owner

Managers and Unit Managers have the option to change the asset group owner when editing an asset group (not during creation). Edit the group and select a user from the Owner menu. The possible assignees listed in the Owner menu depends on the role of the manager making the change, and the current owner's role and business unit.

See possible ownersSee possible owners

Asset groups may be owned by Managers, Unit Managers and Scanners.

User Taking Action

Current Owner

Possible New Owner

Manager

Manager or Scanner in the Unassigned business unit

Manager or Scanner in the Unassigned business unit

Manager

Unit Manager or Scanner in a custom business unit

Manager in the Unassigned business unit
- or -
Unit Manager or Scanner in the same business unit as the current owner

Unit Manager

Unit Manager or Scanner in a custom business unit

Unit Manager or Scanner in the same business unit as the current owner

 

Tell me about conflicts with scheduled tasksTell me about conflicts with scheduled tasks

Changing the asset group owner may lead to conflicts with scheduled tasks. Conflicts occur when an asset group is no longer available to the owner of a scheduled task with the asset group specified as the target.

After you save the asset group with the new owner, a confirmation page appears with messages to assist you in resolving conflicts with scheduled tasks. Click the View Report button to see a list of scheduled tasks affected by the change. Then edit each scheduled task to assign a new target. If the scheduled task is left without a valid target before the next scheduled run time, then the scheduled task is automatically deactivated and the task owner is notified by email.

Ownership change from Scanner to Unit Manager or ManagerOwnership change from Scanner to Unit Manager or Manager

After changing ownership from a Scanner to a Unit Manager or Manager, the new owner may choose to edit the user's account and assign the asset group back to the user to avoid conflicts.

Ownership change from Unit Manager to ManagerOwnership change from Unit Manager to Manager

When you change the asset group owner from Unit Manager to Manager, the asset group automatically remains in the business unit so that users in the business unit can continue using it.

Find the asset group ID

Show the ID column on the asset groups list. Go to the Tools menu above the list (on the right side) and select Columns > ID. You'll also see the ID in the preview pane and in the Asset Group Information page.

Deleting asset groups

Go to Assets > Asset Groups. Select the check boxes for one or more asset groups in the list and then choose Delete from the Actions menu above the list. You'll get a confirmation window with a "View Report" button that lets you see the objects (i.e. business units, scheduled tasks, report templates, etc) that are still associated with an asset group being deleted. We recommend you clean up the objects by assigning new asset groups to them before proceeding. Deleting asset groups could result in empty or invalid business units and report templates. Scheduled tasks left without a target are automatically deactivated at the next scheduled run time.  

When Asset Tagging is enabled for your subscription, the system creates an asset tag in AssetView for each asset group in your subscription. You cannot delete system generated tags from AssetView but when you delete an asset group, the corresponding tag is also deleted. 

Impact on Business Units when updating/removing asset groups

Keep in mind Managers assign asset groups to a business unit, giving BU users access to the hosts, domains, appliances in these asset groups. BU users (Unit Managers, Scanners, Readers) can create personal asset groups including the hosts, domains, appliances in the BU asset groups.

Changes to BU asset groups impact:

- which assets BU users can see, and

- which assets appear in their own personal asset groups

Add IPs or IP ranges to a new line in an asset group

When viewing the IPs and IP ranges in an asset group, all the details are displayed in a single line. This makes it harder to identify where an IP or IP range starts and ends. Therefore, we have added the Display each IP/Range on new line checkbox. On selecting this checkbox, all IPs or IP Ranges are displayed on a new line.

Quick Links

All About Asset Groups | Organizing Assets | Scanning - The Basics | Scan by Hostname | Configure Business Units