Vulnerability response: False Positive VI/VG

Alex150
Mega Sage

Hello,

I have a Remediation Task created in the "Open" state. This RT contains only one Vulnerability Item, also "Open". I mark the VI as False Positive, approve it, and the state/substate changes to Closed/False Positive (3/22).

Next I run the "Rollup vulnerable item values to vulnerability and group" scheduled job and expect that the Vulnerability Group (VG) will be closed with the same state/substate (Closed/False Positive). But nothing happens; the RT still has the Open state. I want to know whether this is expected behaviour. Should it work in the described way?


andy_ojha
ServiceNow Employee

Hey there,

In this situation, the roll-up of state from the Vuln Item (VI) to the Vuln Group, aka Remediation Task, will not really work this way.

There is a notion of States being rolled up from the VI to the Vuln Group, but not for False Positive; it is more for VIs being Closed as either Fixed or Stale. Also, pretty sure the job you mentioned just handles the risk score, counts and percentage type attributes on the Vuln Group, rather than State precedence.

In the scenario you described, the path would be to trigger False Positive downward from the Vuln Group layer --> to the associated VIs.

In the scenario of only wanting a subset of the VIs in a Vuln Group to be in scope, you'd use the "Split Group" path to carve out the ones you would prefer to target and then trigger the False Positive on the split Vuln Group.

Rollup of VI states to VGs

*Note - False Positive does not roll up; only Closed/Fixed and Closed/Stale, or a combination of both, do.

State precedence: Open > Closed - Fixed > Closed - Stale.

  1. If any VIs in a VG are Open, the VG state is not changed.
  2. If at least one VI is Closed - Fixed and the rest are Closed - Stale, the VG state transitions to Closed - Fixed.
  3. If all the VIs in a VG are Closed - Stale, the VG state transitions to Closed - Canceled.

Hi,

Thank you for the reply. You are right, and this behaviour is described in the ServiceNow documentation. Anyway, to be absolutely sure regarding the False Positive status, I asked the same question to SN Support and got the following explanation:

The rollup of vulnerable item state to remediation task happens only in very specific cases, like when all vulnerable items in a remediation task are Closed-Fixed or Closed-Stale.
We DO NOT roll up the vulnerable item state to the remediation task in the case of False Positives. One of the reasons we don't do that is that the vulnerable item can be reopened from the False Positive state. Then what would happen to the remediation task, as the remediation task can never be reopened?

If you want to customise this behaviour, we would recommend doing so in the method 'closedFixedGroupIfItemsClosedFixed' of the script include 'VulnerabilityGroup'. This will be called by the scheduled job 'Rollup vulnerable item values to vulnerability and group'. This would be more performant than the custom BR.
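The precedence rules from the first reply and the support note on 'closedFixedGroupIfItemsClosedFixed' above, modelled as an added example: plain JavaScript written for this page, not ServiceNow's own VulnerabilityGroup script include. The state labels are the ones used in the thread; the function names and the `{ state, substate }` record shape are assumptions.

```javascript
// Added example, not ServiceNow code. ES5-style JS (var, no arrow functions)
// because that is what ServiceNow server-side scripts run.
//
// Roll-up precedence from the thread: Open > Closed/Fixed > Closed/Stale.
// Closed/False Positive (3/22 in the thread) never contributes, because a
// VI can be reopened from False Positive while a group never reopens.
// Returns the target { state, substate } for the group, or null for
// "leave the group untouched".
function rollupGroupState(items) {
  if (!items || items.length === 0) {
    return null; // nothing to roll up
  }
  var fixed = 0, stale = 0, other = 0;
  for (var i = 0; i < items.length; i++) {
    var vi = items[i];
    if (vi.state === 'Open') {
      return null; // rule 1: any Open VI leaves the group state unchanged
    }
    if (vi.state === 'Closed' && vi.substate === 'Fixed') {
      fixed++;
    } else if (vi.state === 'Closed' && vi.substate === 'Stale') {
      stale++;
    } else {
      other++; // e.g. Closed/False Positive: excluded from roll-up
    }
  }
  if (other > 0) {
    return null; // neither rule 2 nor rule 3 matches when a non-Fixed/Stale closure is present
  }
  if (fixed > 0) {
    return { state: 'Closed', substate: 'Fixed' };    // rule 2: Fixed plus only Stale
  }
  return { state: 'Closed', substate: 'Canceled' };   // rule 3: all Stale
}

// Applies the roll-up to a group record. A group that is already closed is
// returned as-is: remediation tasks are never reopened, which is the reason
// the support answer gives for excluding the reopenable False Positive state.
function applyRollup(group, items) {
  if (group.state !== 'Open') {
    return group;
  }
  var target = rollupGroupState(items);
  return target ? { state: target.state, substate: target.substate } : group;
}

// Constructed sample matching the original post: one group, one VI marked
// Closed/False Positive. The group stays Open, as the thread describes.
var sampleGroup = { state: 'Open', substate: '' };
var sampleItems = [{ state: 'Closed', substate: 'False Positive' }];
var result = applyRollup(sampleGroup, sampleItems); // result.state === 'Open'
```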