How do Remediation Tasks (VUL) close?
02-10-2022 11:48 AM
Based on a few ServiceNow documents, it seems the expected behavior is that "When all the VIs in a remediation task are closed, the remediation task is closed."
We are seeing numerous remediation tasks still in an open state even with 0 open Vulnerable Items. Why would these Remediation Tasks not be closing? Is there any dependency on the state of the VUL?
https://docs.servicenow.com/bundle/rome-security-management/page/product/vulnerability-response/concept/vulnerabillity-states.html
https://docs.servicenow.com/bundle/rome-security-management/page/product/vulnerability-response/concept/vr-ws-overview.html
02-10-2022 12:10 PM
It really depends on which version of VR you are on. If you are on 13.x or lower, it might be because some of the VITs might be closed/stale and you need some custom rule/scheduled job to close the remediation task.
For newer versions, while there might be some clean up you need to do, this should happen automatically.
02-10-2022 03:04 PM
Thanks for the info. We just rolled out VR15, and we're just starting to get our teams using the tool, so I'm not sure if this had persisted.
Can you confirm that with VR15, the VUL should close regardless of state?
Do you have any leads as to what we might need to clean up?
02-15-2022 02:47 PM
Steve,
Here is how I went about cleaning stale items:
1. Try this URL in your instance "<Instance Name>/sn_vul_vulnerability_list.do?sysparm_query=state!%3D3%5Erisk_rating%3D5%5Eactive_nd_vis%3D0%5EORactive_nd_vis%3DNULL&sysparm_view="
This will give you a list of Remediation tasks that have all VITs closed with one or more stale VITs in them.
2. Next, I created a fix script to close these remediation tasks. You may choose to do it manually but our volume was huge. I have run this script on my production instance so I am fairly confident. However, with any script usage in SNow, please use caution and proceed only if you completely understand what is going on here. This script just goes through all remediation tasks on our list to close them as either Fixed with Exceptions or Cancelled based on how many stale VITs are part of a VUL group.
    // Remediation tasks that are not closed (state != 3) and have no active VITs left
    var vul = new GlideRecord('sn_vul_vulnerability');
    vul.addQuery('state!=3^risk_rating=5^active_nd_vis=0^ORactive_nd_vis=NULL');
    vul.query();
    while (vul.next()) {
        var vit_all_stale = true;
        // Walk the task-to-VIT links for this remediation task
        var vul_m2m = new GlideRecord('sn_vul_m2m_vul_group_item');
        vul_m2m.addQuery('sn_vul_vulnerability', vul.sys_id);
        vul_m2m.query();
        while (vul_m2m.next()) {
            var vit = new GlideRecord('sn_vul_vulnerable_item');
            vit.addQuery('sys_id', vul_m2m.sn_vul_vulnerable_item);
            vit.query();
            while (vit.next()) {
                // Substate 6 is the value this script treats as stale
                if (vit.substate != 6) {
                    vit_all_stale = false;
                    break; // leaves only this inner loop; remaining links are still visited
                }
            }
        }
        if (vit_all_stale == true) {
            vul.state = 3;
            vul.substate = 5; // Cancelled
            vul.close_notes = 'ASR Closure-All VITs remediated (stale rule)';
        } else {
            vul.state = 3;
            vul.substate = 16; // Fixed with Exceptions
            vul.close_notes = 'ASR Closure-All VITs remediated (stale rule)';
        }
        //vul.setWorkflow(false);
        vul.autoSysFields(false); // do not touch sys_updated_on / sys_updated_by
        vul.update();
    }
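A read-only preview of what the fix script above would do, added here as an example; it is not part of the original post and not ServiceNow's code. `planClosures`, `fakeGlideRecord`, `SAMPLE` and `previewSample` are hypothetical names, the in-memory rows are constructed, and passing `GlideRecord` in as an argument on an instance is an assumption.

```javascript
// Added example: read-only preview of the cleanup; it never calls update().
// Substates 6 (stale), 5 (Cancelled), 16 (Fixed with Exceptions) are the values in the post.
var STALE = '6', CANCELLED = 5, FIXED_WITH_EXCEPTIONS = 16;
// GR is the record class (assumption: pass GlideRecord when running on an instance).
function planClosures(GR) {
    var plan = [];
    var vul = new GR('sn_vul_vulnerability');
    vul.addEncodedQuery('state!=3^risk_rating=5^active_nd_vis=0^ORactive_nd_vis=NULL');
    vul.query();
    while (vul.next()) {
        var total = 0, stale = 0;
        var m2m = new GR('sn_vul_m2m_vul_group_item');
        m2m.addQuery('sn_vul_vulnerability', vul.getUniqueValue());
        m2m.query();
        while (m2m.next()) {
            var vit = new GR('sn_vul_vulnerable_item');
            if (!vit.get(m2m.getValue('sn_vul_vulnerable_item'))) continue; // dangling link
            total++;
            if (String(vit.getValue('substate')) === STALE) stale++;
        }
        // A task with no VITs also lands in Cancelled, as it does in the post's script.
        plan.push({ sys_id: vul.getUniqueValue(), vits: total, stale: stale,
            substate: stale === total ? CANCELLED : FIXED_WITH_EXCEPTIONS });
    }
    return plan;
}
// Constructed in-memory stand-in for GlideRecord, only so the logic runs off-instance.
function fakeGlideRecord(tables) {
    return function (table) {
        var rows = tables[table] || [], i = -1, cur = null;
        this.addEncodedQuery = function () {}; // sample rows are already the filtered set
        this.addQuery = function (f, v) { rows = rows.filter(function (r) { return r[f] === v; }); };
        this.query = function () { i = -1; };
        this.next = function () { cur = rows[++i] || null; return cur !== null; };
        this.get = function (id) { this.addQuery('sys_id', id); return this.next(); };
        this.getValue = function (f) { return cur[f]; };
        this.getUniqueValue = function () { return cur.sys_id; };
    };
}
// Constructed sample: vul1 all stale, vul2 mixed, vul3 has no VITs.
var SAMPLE = {
    sn_vul_vulnerability: [{ sys_id: 'vul1' }, { sys_id: 'vul2' }, { sys_id: 'vul3' }],
    sn_vul_m2m_vul_group_item: [
        { sn_vul_vulnerability: 'vul1', sn_vul_vulnerable_item: 'a' },
        { sn_vul_vulnerability: 'vul2', sn_vul_vulnerable_item: 'a' },
        { sn_vul_vulnerability: 'vul2', sn_vul_vulnerable_item: 'b' }],
    sn_vul_vulnerable_item: [{ sys_id: 'a', substate: '6' }, { sys_id: 'b', substate: '1' }]
};
function previewSample() { return planClosures(fakeGlideRecord(SAMPLE)); }
```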
09-22-2023 12:40 PM
A useful tidbit for anyone that comes across this. The VUL/Remediation Task closure is completed by a scheduled job that is run every 15 minutes titled "Rollup VI values to vulnerability, Remediation Task (RT), and VI count on RT".