VIT records do not show relevant data. Need to have the Solution/Fix information on the VIT record, not a related list.
05-13-2022 12:30 PM
We used to have solution/fix information appear on the VIT record. Somewhere along the way, it stopped and we do not know exactly when. Our remediation teams complain incessantly that they do not have time to sit in front of a ServiceNow web page and walk through one VIT at a time, open tabs, look for related lists, and hope to find some fix information. They want to use APIs to identify the VITs assigned to them and have all the information needed on one record, so they can remediate those vulnerabilities AT SCALE. This user interface is fine for 1 or 2 VITs, on occasion, but not for tens of thousands that get generated every week. It is untenable.
For example, in this VIT it shows the Summary, the threat, etc. but the 'Remediation Notes' aka Solution field is empty. The user needs to go to the Detections tab, find an open detection, and then it gives them some information. It is so convoluted to use and is certainly not a single pane of glass, as it's described.
How can we get the useful information on the VIT record? The goal is to have everything that is relevant on ONE record (VIT) so that remediation teams can use API calls to pull data without having to open SN. The new remediation workspaces are a joke and suffer from the same problem: Remediation teams do not sit in front of SN all day long. They have other authoritative systems that need the information so they can be patched.
from the detection record:
Thanks, and sorry if this sounds salty, we just keep getting beaten up by all the changes that are not helpful to our users that add up.
TL;DR: Solutions used to appear on VITs and they were useful, now they are difficult and time-consuming to locate and looking for a way to return the functionality to improve the experience.
05-13-2022 02:33 PM
It looks like you are on Rome still. Is there a reason to stay back on it or can you move forward to San Diego for Vul Response? Also what do you have for integrations? What are you using to feed Vul Response? That might help quite a bit to formulate a response on this one.
My teams have the same issue. Moving over to workspaces has helped some but we still haven't deployed to our prod environment yet. We've also upgraded to San Diego and our Rapid7 integration which helped out quite a bit and attached preferred solutions to our VITs.
I guess also what solution data did you use to have? Was it Microsoft and RedHat or did you have the solutions coming in from another source as well and that broke?
Also I wonder. If they are going to use an API instead of the SNOW interface could they not target the solutions themselves and pull over the Items attached to them that way?
05-26-2022 08:59 AM
Hi Sean,
Thanks for the reply. We are on Rome platform version, but we are on the v16.1.3 of VR.
We have Rapid7 InsightVM as our scanner.
We have not had much success with the workspaces (yet?). The remediation teams mainly use the existing agent interface. They would prefer not using it at all as their work is in other systems. We are working toward granting API access and improving processes for some of the larger groups, but the smaller remediation teams are struggling with the effort and the interface(s).
It looks like the Vulnerability Solution (sn_vul_solution) table maybe was meant to be used and later deprecated, or it's only used with certain integrations. Because we use Rapid7, it looks like the table is "Solutions (Rapid7)" (sn_vul_r7_solution). I was able to create a database view that joins Detections, Rapid7 Solutions, and the third-party vulnerability table. It's ugly and slow, but reduces some of the complexity for the remediation teams.
Ideally the issue is that there is too much complexity for a remediation team member to go through to try and identify a solution for every vulnerability. From their perspective, they get assigned a VIT, which is part of a VUL group (or now referred to as "remediation task" for some reason). They open the VIT, which shows the vulnerability, but no solution (blank). From there, they have to click to open the Vulnerability, which shows some details like severity and CVSS scores, scroll down to the related lists, and poke through Vulnerability References, CVEs, and Solutions (Rapid7). From there they have to open more than one record to determine the course of action. Then, they manually take notes and go to their patching system to determine if any of those options apply. Then they patch a reference system and set up patching for the issue hoping that the scanner closes out the VIT. This is times thousands of records and takes teams a lot of time.
I get that it's a complicated process to scan and remediate, but the relational table structure of a VIT is partly the problem. Ideally a VIT would have all the details on it that the remediation team needs. Not digging down 2-3 levels with each one. Our previous systems did provide that 'one stop shop' for remediation teams and they are loudly lamenting the effort required compared to competitor solutions.
This probably should be moved to an Idea, but wanted to reply back since you took the time to help. I think the database view may improve efforts in the short term. It would be nice to have the single pane of glass which is how it is portrayed. Here are the database view tables in case anyone is interested:
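Added example, not part of the original post and not the poster's database view: a sketch of the same flattening done client-side, joining VITs to their open detections and Rapid7 solutions so each VIT becomes one self-contained record. Only the table name sn_vul_r7_solution comes from the thread; every field name and row below is a constructed assumption, and real rows would come from whatever export or API access the remediation team has.

```python
# Added illustration. All field names below are hypothetical, not the real
# ServiceNow schema; the rows are constructed sample data.
from collections import defaultdict

VITS = [
    {"number": "VIT0001", "vulnerability": "r7-openssl-x", "ci": "web01"},
    {"number": "VIT0002", "vulnerability": "r7-kernel-y", "ci": "db01"},
    {"number": "VIT0003", "vulnerability": "r7-nosol-z", "ci": "app01"},
]
DETECTIONS = [
    {"vit": "VIT0001", "status": "open", "proof": "OpenSSL 1.0.2 banner on 443"},
    {"vit": "VIT0001", "status": "closed", "proof": "old finding on 8443"},
    {"vit": "VIT0002", "status": "open", "proof": "kernel 4.18 installed"},
    {"vit": "VIT0003", "status": "open", "proof": "service banner on 22"},
]
SOLUTIONS = [  # rows as they might be exported from sn_vul_r7_solution
    {"vulnerability": "r7-openssl-x", "type": "workaround", "summary": "Disable TLS 1.0"},
    {"vulnerability": "r7-openssl-x", "type": "patch", "summary": "Upgrade OpenSSL"},
    {"vulnerability": "r7-openssl-x", "type": "patch", "summary": "Upgrade OpenSSL"},
    {"vulnerability": "r7-kernel-y", "type": "patch", "summary": "Update kernel package"},
]

def flatten(vits, detections, solutions):
    """Return one dict per VIT carrying its open detections and solution text."""
    open_by_vit = defaultdict(list)
    for d in detections:
        if d["status"] == "open":          # closed detections need no action
            open_by_vit[d["vit"]].append(d["proof"])
    sols_by_vuln = defaultdict(list)
    for s in solutions:
        entry = (s["type"], s["summary"])
        if entry not in sols_by_vuln[s["vulnerability"]]:  # drop duplicate rows
            sols_by_vuln[s["vulnerability"]].append(entry)
    rows = []
    for v in vits:
        # Stable sort: patches first, workarounds after, original order kept.
        sols = sorted(sols_by_vuln.get(v["vulnerability"], []),
                      key=lambda e: e[0] != "patch")
        rows.append({
            "number": v["number"],
            "ci": v["ci"],
            "open_detections": open_by_vit.get(v["number"], []),
            "remediation_notes": "; ".join(f"[{t}] {s}" for t, s in sols),
            "needs_manual_review": not sols,   # VIT with no solution attached
        })
    return rows
```

VITs that come back with `needs_manual_review` set are the ones whose vulnerability has no solution row at all, which is the blank-field case described in the thread.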