Working with Scan Results - Work Queue

Modified on Thu, 15 May at 3:57 PM

Items Tab

When a scan completes, you can view the results by returning to the Scan Module and using the table of items in the Items tab. This table will populate with new items as they are discovered, and this list of items becomes the new work queue.

The table comprises sixteen columns that provide detailed information about every item. Users can sort and filter jobs via the Column Headings, as well as filter jobs based on the name, type, or finding from categories via the search bar.

Items Tab Column Heading	Description
Name	The discovered asset’s identifier (e.g., domain name, IP)
Type	The classification of the item (e.g., domain, IP)
Finding from	The seed item (initial data/settings used to populate a database/application) from which the discovery was made
Finding from type	The method used to discover the item
Finding from details	Evidence and reasoning behind the discovery
Scan Mode	The method used (Static or Deep Discovery)
Created at	When the discovery started
Updated at	Last time the item was updated
Status	Done, in progress, pending, or ignored
Status detail	Real-time updates on discovery or scan results
Trust	Confidence percentage that the asset belongs to the organisation (below 50% = not included by default)
Use	Toggle to include/exclude item from current scan run
Domain	Name of the domain
Duration	Time to discovery
Comments	Field to annotate specific items with notes or justification
Actions	Option to remove the item from the scan list

System items

After you have run your first scan, two System Items will appear in the work queue table:

Database Calculation: runs at the end of every scan and performs data analysis and many other tasks to calculate and build the final set of results including attack surface score, risk score, application comparison, supplier detection, indicator assessment, and so on.
trWebScan: assigned by default to all projects, this task is passive until applications are onboarded to the TR Web Scan Security program, at which point it activates this service.

These items are automatically generated and cannot be modified.

The Work Queue and Trust

Below the system items, every item manually added to the work queue or discovered by a scan will be listed. When you run a new scan (or update the existing scan), these items will be included in the discovery process.

Before you run a new scan, it is important that you review the work queue and manually remove items not relevant to your organisation. To help you make this assessment, every item is assigned a Trust score from 0–100, where 100 is the most trusted. This Trust score indicates how confident the TR Discovery algorithms are that an asset or ‘Thing’ belongs to your organisation and is relevant to the process.

Items added manually will automatically have a score of 100. Items discovered through scanning might have a lower Trust score, based on the pivoting algorithms and intelligence gathering of the TR Discovery platform.

You can permanently remove unneeded items using the ‘Delete a scan item’ button in the Actions column. However, these items may return to the Work Queue if they are rediscovered in subsequent scans. Therefore, a better option is to use the toggling ‘Use/Don’t use’ feature, which controls when items are included in reporting, dashboards, and scan updates. By default, items with a Trust score under 50 are toggled to ‘Don’t use’.

Tip: Use the tabular sort and filter options to review everything with a Trust score over 50. Toggle ‘off’ any that don’t belong to the organisation. Then review everything with a Trust score under 50 and toggle ‘on’ if they do belong. Update the relevant scans accordingly.

Updating or starting a scan

After making any necessary changes—such as reviewing items based on Trust and manually adding or removing items—you can update scan results by clicking on the main scan icon and selecting one of the options from the drop-down menu.

A screenshot of a computer

AI-generated content may be incorrect.

The options are:

Update the current test
1. the user makes changes to the work queue to exclude/include items and re-starts the scan which continues from where it left off
2. additional findings are added to the already existing data
New test
1. uses the existing work queue items
2. generates an updated set of findings
New test based on user entries only
1. this option wipes the existing work queue items and starts over with user-input items (for example main domain)
2. generates a completely new set of findings.

Tip:

Updating a scan is faster and more efficient as it only scans the items in the work queue that have been modified
New scans should be done on a regular basis to catch any new unknowns and monitor status on remediation
New test based on user entries only is typically used if scan results return too many false positives (rare), the wrong starting domain was used, or for organisations that seldom scan, for example a one-off scan each year
In the rare event that a user requires complete removal of work queue items and scan data, please submit a ticket to support@thingsrecon.com.