Scan Differencing
When generating a difference report for a particular node's configurations, you can choose to difference two scans of the same node that occurred on different dates. For example, you could select a scan for April 14th 2024 and compare it to a previous scan from April 1st 2024 to track the changes in configuration items between those two scan dates. This feature can be critical in uncovering and understanding inconsistencies within your node set, especially when troubleshooting changes in behavior that may have occurred within a specific time frame. The following topic describes how to utilize the full scope of functionality available when differencing two scans of the same node.
To difference two scans of the same node, complete the following steps:
- In the Node Groups drop-down menu, select the node whose scans you want to compare from the 'All Nodes' node group. The node scan report for the selected node is displayed.
- By default, the most recent scan is displayed in the report. Here, you can select a different scan date from the Scans drop-down list.
- In the Compare to drop-down menu, select Another Scan from the drop-down list to generate a difference report for the two scan dates.
The node scan report is automatically updated with the total differences between the two scan dates. Here, you can configure how the results of the two scans are displayed to access the data you require; see below for more information.
Note: Additionally, the Edit and Scan buttons are displayed here. For more information on either process, see Edit Node and Scan Nodes.
Total Difference
The differences between the configuration items on each scan date are divided into three categories within the Total Difference drop-down menu:
- Added (Blue) – Configuration items that have been added to the node, as registered during the most recent scan, or in between the two scan dates.
- Modified (Yellow) – Configuration items that have been modified on the node, as registered during the most recent scan, or in between the two scan dates.
- Removed (Dark Gray) – Configuration items that have been removed from the node, as registered during the most recent scan, or in between the two scan dates.
Note: There is an additional category, Unchanged, that is not included within this section as it denotes a configuration item that has experienced no changes between the two scan dates. To filter your display according to common or uncommon configuration items, see Display for more information.
Each configuration item is represented by a square. Each square is colored according to the category it falls into, as described above. To view more information about a configuration item's differences between the two scan dates, select one of the colored squares in the difference report. Once selected, a side panel is displayed with the name of the configuration item, each attribute within that configuration setting, and the differences between each attribute, if present.
In the example above, we can see the results of the Credential Report configuration item, 'dogfood'. Although the configuration item is present in both scans, the Last Used Date, Region, and Service values are different. As a result, the configuration item is displayed in yellow, falling within the Modified category. Here, you can see the different values returned for each scan date, with the Previous Scan displayed underneath the first scan, in gray.
Policy Compliance
Policies are a series of checks that you can apply to a node during scanning to detect and uphold a desired state. As demonstrated in the example below, the 'CIS AWS IAM [latest]' policy has been applied during both node scans. One of the checks this policy runs is against the Users group, specifically those with the 'Administrator' role, to ensure that they have the correct properties defined.
The Policy Compliance drop-down menu divides the node configuration data into the following categories:
- Passed (Green) – Configuration items with a policy check assigned that passed during the selected scan.
- Failed (Red) – Configuration items with a policy check assigned that failed during the selected scan.
- Unmanaged (Light Gray) – Configuration items with no policy check assigned. These are more commonly known as unmanaged nodes.
To view more information about a policy check, select one of the green or red configuration items to display the checks that were run, whether they were successful, as well as the policy that is applied. In the example below, we can see the successful result of the 'CIS AWS IAM [latest]' policy check on the 'Administrator' Users configuration item. For more information on policies, see Policies.
Scans
By default, the most recent scan is displayed when a node is selected. However, the Scans drop-down menu contains a list of all the scans that have occurred on the selected node. To access the scan results for a different date or time, select a scan from the drop-down list.
Compare To
The Compare To drop-down menu contains two options for configuring the difference report:
- Previous Scan drop-down list – Select a date from the drop-down list to generate a new difference report for the two selected scan dates.
- Select Node button – Select a node from the Compare to Node side panel to compare the results of the currently selected node's scan with a different node's scan. The data is then displayed in a difference report. For more information on this report type, see Node Differencing.
Note: If you click the Add New Node button, the Add Nodes page is displayed. Here, you can add a single node or add nodes in bulk, then return to this page to complete the difference report. For more information on how to add a node, see Add Nodes.
If either option is selected, the page is automatically updated with the new scan data.
Display
With two scans selected, you can filter the results of the node scan report according to the categories outlined in the Total Difference section, with the addition of the two following categories:
- Unchanged – Configuration items that have experienced no changes between the two scan dates.
- Ignored Items – Configuration items that have been configured to be ignored within the node's scans and drift reports. For more information on how to configure your ignore list, see Node Scan Ignore Lists.
Switch the toggles on or off for the corresponding categories to filter the results of your node scans. For example, you could disable all Unchanged configuration items to display only the items that contain differences.
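The classification described under Total Difference and the Display toggles above, worked through as an added example (this is illustrative code written for this page, not the product's own differencing engine). The two scans, the 'dogfood' Credential Report item and the ignore list entry are constructed sample data; the report is assumed to be a dictionary keyed by (item type, item name).

```python
# Constructed sample scans of one node on two dates (not real scan output).
# Each scan maps a configuration item key (type, name) to its attributes.
SCAN_APR_1 = {
    ("Credential Report", "dogfood"): {
        "Last Used Date": "2024-03-28", "Region": "us-east-1", "Service": "s3"},
    ("Users", "Administrator"): {"MFA": "enabled"},
    ("Users", "contractor"): {"MFA": "disabled"},
    ("File", "/etc/motd"): {"sha256": "aaa"},
}
SCAN_APR_14 = {
    ("Credential Report", "dogfood"): {
        "Last Used Date": "2024-04-13", "Region": "eu-west-1", "Service": "iam"},
    ("Users", "Administrator"): {"MFA": "enabled"},
    ("Users", "auditor"): {"MFA": "enabled"},
    ("File", "/etc/motd"): {"sha256": "bbb"},
}
# Constructed ignore list, standing in for the node's Node Scan Ignore List.
IGNORE_LIST = {("File", "/etc/motd")}

def diff_scans(previous, current, ignore=frozenset()):
    """Classify every configuration item as Added, Modified, Removed, Unchanged
    or Ignored. Modified items carry per-attribute (previous, current) pairs."""
    result = {"Added": {}, "Modified": {}, "Removed": {}, "Unchanged": {}, "Ignored": {}}
    for key in sorted(previous.keys() | current.keys()):
        if key in ignore:
            result["Ignored"][key] = current.get(key, previous.get(key))
        elif key not in previous:
            result["Added"][key] = current[key]
        elif key not in current:
            result["Removed"][key] = previous[key]
        else:
            # Compare attribute by attribute; an attribute missing on one side counts as a change.
            changed = {a: (previous[key].get(a), current[key].get(a))
                       for a in previous[key].keys() | current[key].keys()
                       if previous[key].get(a) != current[key].get(a)}
            result["Modified" if changed else "Unchanged"][key] = changed or current[key]
    return result

def filter_display(report, show):
    """Apply the Display toggles: keep only categories whose toggle is on (default on)."""
    return {cat: items for cat, items in report.items() if show.get(cat, True)}

def total_difference(report):
    """The count shown as Total Difference: Added + Modified + Removed."""
    return sum(len(report[c]) for c in ("Added", "Modified", "Removed"))

if __name__ == "__main__":
    report = diff_scans(SCAN_APR_1, SCAN_APR_14, IGNORE_LIST)
    print("Total Difference:", total_difference(report))
    for cat, items in filter_display(report, {"Unchanged": False, "Ignored": False}).items():
        for key, detail in items.items():
            print(f"{cat:8} {key[0]} / {key[1]}: {detail}")
```

Running it lists only the three differing items, with 'dogfood' reported as Modified and each changed attribute shown as a (previous, current) pair.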
Policies
As described in the Policy Compliance section, policies are assigned to node groups to uphold a desired state of configuration. In the Policies drop-down menu, you can filter the Failed, Passed, and Unmanaged policies displayed within the difference report by switching the corresponding toggle On or Off. In addition, each of the policies that are currently active and assigned to the selected nodes is displayed here. To access more information about a policy, select it from the list to view the Policy Details page. For more information, see Policies.
Configuration Items
For each configuration item within the report, there is a set of corresponding settings that can be applied. To access a configuration item's settings, right-click on the square within the report.
The following list of options is displayed:
- Add to Policy – Create a policy from the selected scan of the configuration item to uphold the current state. For more information, see Policies.
- Dynamic Node Group – Create a dynamic node group with a (dynamic group) query that automatically assigns any nodes that match the selected configuration item's value(s) to the group. For more information, see Dynamic Group Queries.
- Add to Ignore List – Add the configuration item to the ignore list for the selected node's scans and drift reports. For more information, see Node Scan Ignore Lists.
- Lookup – Search for the name of the selected configuration item in your default browser.
- Add Scan Option – This option is only displayed for files. Add a file scan option for the selected configuration item. Select a node group from the list of options displayed to scan the raw contents of the file as part of the node group's regular scanning. The results of the file scan are then displayed within the configuration item itself. For more information on additional scan options that can be configured, see Scan Options.
Note: Additionally, you can add a directory to be scanned within the node's group settings. For more information, see Edit Node Group.