Scan Groups in Invicti Enterprise
Scan groups in Invicti Enterprise help you filter scan results on the Targets Dashboard and Trend Matrix Report. They are created automatically by Invicti Enterprise when you launch a scan and are not editable or deletable. This document explains how and why Invicti Enterprise creates scan groups and how you can create a notification based on a scan group.
How and why Invicti Enterprise creates scan groups
Each time you create a new scan, you define five settings: the target (path), scan scope, scan policy, report policy, and scan profile. A scan group corresponds to one combination of these five criteria, so scans that share all five settings fall into the same group and scans that differ in any of them do not. These criteria also determine which issues and reports you see in Invicti Enterprise.
The role of each criterion is explained below:
- Path: This is the target URL.
- Scope: The Scan Scope lets you define which parts of the target should be crawled, and therefore how far the crawler goes. A narrower scope means less of the application is crawled and tested, so fewer findings are reported; it does not mean the application has fewer vulnerabilities.
- Scan Policy: The scan policy lets you select which checks you want Invicti Enterprise to run against your target.
- Report Policy: The report policy includes profiles for vulnerabilities/issues. These profiles include an issue's severity, title, description, etc. You can define how Invicti Enterprise displays its findings in the application and reports.
- Scan Profile: The scan profile lets you save scan settings for future scans.
Scan groups help you distinguish between the results of scans with different scan settings even though the scans relate to the same target. If you compared issues across scans with different settings as if they were one series, you would end up with a misleading dashboard or trend matrix report. For instance, it might display that an SQL Injection found in the first scan is no longer present in the second scan, when in fact the second scan never checked for SQL Injection because its scan policy differed. That is why Invicti Enterprise uses scan groups: the dashboards, issue trends, and similar views are based on the scan group you select, so every scan in the series was run with the same settings.
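The following Python is an added illustration of the grouping rule, not Invicti Enterprise code and not its API: it keys each scan on the five criteria named above, compares scans only inside a group, and shows the misleading "SQL Injection fixed" verdict a naive comparison across different scan policies would produce. The record layout, the policy names, and the scan data are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanSettings:
    """The five criteria the article says define a scan group (assumed layout)."""
    path: str
    scope: str
    scan_policy: str
    report_policy: str
    scan_profile: str


@dataclass(frozen=True)
class Scan:
    scan_id: int
    settings: ScanSettings
    findings: frozenset  # vulnerability classes the scan reported


def scan_group_key(settings):
    """A scan group is one unique combination of all five criteria."""
    return (settings.path, settings.scope, settings.scan_policy,
            settings.report_policy, settings.scan_profile)


def group_scans(scans):
    """Bucket scans by scan group, oldest first within each bucket."""
    groups = defaultdict(list)
    for scan in sorted(scans, key=lambda s: s.scan_id):
        groups[scan_group_key(scan.settings)].append(scan)
    return dict(groups)


def naive_trend(previous, current):
    """Compare two scans as if their settings were identical."""
    return {"fixed": previous.findings - current.findings,
            "new": current.findings - previous.findings}


def grouped_trends(scans):
    """Trend of latest vs previous scan, computed only inside each group.

    A group holding a single scan yields None: there is nothing comparable.
    """
    trends = {}
    for key, members in group_scans(scans).items():
        trends[key] = (naive_trend(members[-2], members[-1])
                       if len(members) >= 2 else None)
    return trends


# Constructed sample data (hypothetical policy names, not real scan output).
FULL = ScanSettings("https://www.example.com/", "entered path and below",
                    "Full Security Checks", "Default Report Policy", "Weekly")
NO_SQLI = ScanSettings("https://www.example.com/", "entered path and below",
                       "XSS Only", "Default Report Policy", "Weekly")

SCANS = [
    Scan(1, FULL, frozenset({"SQL Injection", "Cross-site Scripting"})),
    # Same target, but this policy never tests for SQL Injection.
    Scan(2, NO_SQLI, frozenset({"Cross-site Scripting"})),
    # Back to the original policy; SQL Injection is genuinely gone now.
    Scan(3, FULL, frozenset({"Cross-site Scripting"})),
]


def misleading_verdict():
    """What a dashboard would claim if it ignored scan groups: scan 1 vs scan 2."""
    return naive_trend(SCANS[0], SCANS[1])


def correct_verdicts():
    """Per-group trends: scan 2 is alone in its group and is never compared to scan 1."""
    return grouped_trends(SCANS)


if __name__ == "__main__":
    print("naive verdict:", misleading_verdict())
    for key, trend in correct_verdicts().items():
        print("policy", key[2], "->", trend)
```

The naive comparison reports SQL Injection as "fixed" between scans 1 and 2 purely because the second policy did not look for it; the grouped comparison only pairs scan 3 with scan 1, where the identical settings make the "fixed" verdict trustworthy.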
Illustrative example
Let's imagine that you scanned https://www.example.com/blog and https://www.example.com/admin.
- These parts of the site have different structures. While the blog page lists the posts you have published, the admin page is most likely password-protected.
- Their scan scopes differ.
- They may have different scan policies. For example, you may use the default scan policy for the blog web page and the default security checks + DOM XSS or a custom scan policy for the password-protected admin web page. These different scan policies would eventually affect the vulnerabilities found.
- Their report policies may also differ. Different report policies can have different severity sets for particular vulnerabilities, resulting in different vulnerability reports.
Therefore, Invicti Enterprise will show different vulnerabilities, issues, and severity trends for these web pages. If you scan your target more than once, the trend matrix report of these respective web pages will also greatly differ over time.
To illustrate further, we scanned one of our vulnerable test websites with two different sets of scan settings. The scope of the first scan was set to 'only entered URL,' whereas in the second scan the scope was set to 'entered path and below.' The two scans also used different scan and report policies. The scan result images below show how different scan settings produce different scan results for the same target.
Scan Groups vs. Target Groups
Scan Groups and Target Groups are very different categories. While Invicti Enterprise automatically creates a scan group based on your scans, Invicti Enterprise does not take action by itself to create a target group. You can group your targets by creating target groups for easier management and you can start a scan for a target group. For more information about target groups, refer to What are target groups?
The chart below displays the distinction between scan groups and target groups.
How to view a scan group
- Select Targets > Targets from the left-side menu.
- In the list of targets, click on the target name of a target that has been previously scanned.
- From the target summary dashboard, select the All Scan Groups drop-down. Each scan group that the selected target belongs to is now visible. Selecting a scan group will change the information visible on the target summary dashboard.
How to create a notification for a scan group
- Select Notifications > New Notification.
- Enter a Name for the new notification.
- Click the Event drop-down and select an event that will trigger the notification.
- Ensure the Status field is set to Enabled.
- Select Target as the Target Scope.
- From the Target drop-down, select a target that the notification will pertain to.
- Click the Scan Group drop-down and select the relevant scan group. If Not Set is selected, the notification covers all scans of the target, regardless of scan group.
- Enable the Group setting to receive one summary notification, or disable it to receive individual notifications.
- Complete the remaining fields, as described in Creating Notifications.