diff --git a/docs/docs.json b/docs/docs.json index c76b7174ef..720c60e5d7 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -133,6 +133,7 @@ ] }, "user-guide/tutorials/prowler-app-attack-paths", + "user-guide/tutorials/prowler-app-finding-groups", "user-guide/tutorials/prowler-cloud-public-ips", { "group": "Tutorials", diff --git a/docs/images/finding-groups-drawer.png b/docs/images/finding-groups-drawer.png new file mode 100644 index 0000000000..2c07f63249 Binary files /dev/null and b/docs/images/finding-groups-drawer.png differ diff --git a/docs/images/finding-groups-expanded.png b/docs/images/finding-groups-expanded.png new file mode 100644 index 0000000000..677df0020f Binary files /dev/null and b/docs/images/finding-groups-expanded.png differ diff --git a/docs/images/finding-groups-list.png b/docs/images/finding-groups-list.png new file mode 100644 index 0000000000..e70d2bb969 Binary files /dev/null and b/docs/images/finding-groups-list.png differ diff --git a/docs/images/finding-groups-other-findings.png b/docs/images/finding-groups-other-findings.png new file mode 100644 index 0000000000..35605a7710 Binary files /dev/null and b/docs/images/finding-groups-other-findings.png differ diff --git a/docs/user-guide/tutorials/prowler-app-finding-groups.mdx b/docs/user-guide/tutorials/prowler-app-finding-groups.mdx new file mode 100644 index 0000000000..e1bf83a50f --- /dev/null +++ b/docs/user-guide/tutorials/prowler-app-finding-groups.mdx @@ -0,0 +1,119 @@ +--- +title: 'Finding Groups' +description: 'Organize and triage security findings by check to reduce noise and prioritize remediation effectively.' +--- + +import { VersionBadge } from "/snippets/version-badge.mdx" + + + +Finding Groups transforms security findings triage by grouping them by check instead of displaying a flat list. This dramatically reduces noise and enables faster, more effective prioritization. + +## Triage Challenges with Flat Finding Lists + +A real cloud environment produces thousands of findings per scan. A flat list makes it impossible to triage effectively: + +- **Signal buried in noise**: the same misconfiguration repeated across 200 resources shows up as 200 rows, burying the signal in repetitive data +- **Prioritization guesswork**: without grouping, understanding which issues affect the most resources requires manual counting and correlation +- **Tedious muting**: muting a false positive globally requires manually acting on each individual finding across the list +- **Lost context**: when investigating a single resource, related findings are scattered across the same flat list, making it hard to see the full picture + +## How Finding Groups Addresses These Challenges + +Finding Groups addresses these challenges by intelligently grouping findings by check. + +### Grouped View at a Glance + +Each row represents a single check title with key information immediately visible: + +- **Severity** indicator for quick risk assessment +- **Impacted providers** showing which cloud platforms are affected +- **X of Y impacted resources** counter displaying how many resources fail this check + +For example, `Vercel project has the Web Application Firewall enabled` across every affected project collapses to a single row — not one per project. Sort or filter by severity, provider, or status at the group level to triage top-down instead of drowning in per-resource rows. + +![Finding Groups list view](/images/finding-groups-list.png) + +### Expanding Groups for Details + +Expand any group inline to see the failing resources with detailed information: + +| Column | Description | +|--------|-------------| +| **UID** | Unique identifier for the resource | +| **Service** | The cloud service the resource belongs to | +| **Region** | Geographic region where the resource is deployed | +| **Severity** | Risk level of the finding | +| **Provider** | Cloud provider (AWS, Azure, GCP, Kubernetes, etc.) | +| **Last Seen** | When the finding was last detected | +| **Failing For** | Duration the resource has been in a failing state | + +![Finding Groups expanded view](/images/finding-groups-expanded.png) + +### Resource Detail Drawer + +Select any resource to open the detail drawer with full finding context: + +- **Risk**: the security risk associated with this finding +- **Description**: detailed explanation of what was detected +- **Status Extended**: additional status information and context +- **Remediation**: step-by-step guidance to resolve the issue +- **View in Prowler Hub**: direct link to explore the check in Prowler Hub +- **Analyze This Finding With Lighthouse AI**: one-click AI-powered analysis for deeper insights + +![Finding Groups resource detail drawer](/images/finding-groups-drawer.png) + +### Bulk Actions + +Bulk-mute an entire group instead of chasing duplicates across the list. This is especially useful for: + +- Known false positives that appear across many resources +- Findings in development or test environments +- Accepted risks that have been documented and approved + + +Muting findings does not resolve underlying security issues. Review each finding carefully before muting to ensure it represents an acceptable risk or has been properly addressed. + + +## Other Findings for This Resource + +Inside the resource detail drawer, the **Other Findings For This Resource** tab lists every finding that hits the same resource — passing, failing, and muted — alongside the one currently being reviewed. + +![Other Findings For This Resource tab](/images/finding-groups-other-findings.png) + +### Why This Matters + +When reviewing "WAF not enabled" on a Vercel project, the tab immediately shows: + +- Skew protection status +- Rate limiting configuration +- IP blocking settings +- Custom firewall rules +- Password protection findings + +All for that same project, without navigating back to the main list and filtering by resource UID. + +### Complete Context Within the Drawer + +Pair the Other Findings tab with: + +- **Scans tab**: scan history for this resource +- **Events tab**: changes and events over time + +This provides full context without leaving the drawer. + +## Best Practices + +1. **Start with high severity groups**: focus on critical and high severity groups first for maximum impact. +2. **Use filters strategically**: filter by provider or status at the group level to narrow the triage scope. +3. **Leverage bulk mute**: when a finding represents a confirmed false positive, mute the entire group at once. +4. **Check related findings**: review the Other Findings tab to understand the full security posture of a resource. +5. **Track failure duration**: use the "Failing For" column to prioritize long-standing issues that may indicate systemic problems. + +## Getting Started + +1. Navigate to the **Findings** section in Prowler Cloud/App. +2. Toggle to the **Grouped View** to see findings organized by check. +3. Select any group row to expand and see affected resources. +4. Select a resource to open the detail drawer with full context. +5. Use the **Other Findings For This Resource** tab to see all findings for that resource.