Vulnerable Item Detections Open but VI Closed

Armacar2
Kilo Expert

Hi,

I have detected that many of the Vulnerable Items are in state "Closed" with the substate "Stale" but their Vulnerable Item Detections are "Open". I confirmed on Rapid7 they are open, so I ran the comprehensive Integration to run before the last found date for those VIs, but this integration is not refreshing the last found date on them. I raised a ticket on HI but they haven't gotten to the solution. Any recommendations? I have Rapid7 v11 and Vulnerability Response v12 running on Paris.

Thank you.

 

6 REPLIES

andy_ojha
ServiceNow Employee

Hey - you mentioned something interesting.

The old version of Rapid7 with the "Close by Age" feature that you had enabled - I don't believe that set the Substate to "Stale"?

I thought it only set the State of the VI to Closed, and updated the Work Notes accordingly.

---------------------------------------------

On one of your Vulnerable Items that were Closed as Stale (still active in Rapid7), what is the system value (integer) of the State and Substate?

If the Value of the Substate is something that is not expected today - you will see behavior like this (Active Detections not re-opening Closed VIs)...

If your Substate number is not '4' or '6' on the sample records, it might explain why the Vulnerable Item is stuck in Closed.

In fact, if the Substate is empty and State is Closed - I don't believe those VI records have a chance of re-opening either - it must be one of '4' or '6'.

Can you check to see what the 'Substate' value is on a sample of your Closed Vulnerable Items (the ones with Active Detections that are not re-opening)?

You can check it like this:

 

[Image not preserved]

Hey Andy,

You are absolutely right, this old (and deprecated) feature only changed the status to closed but it didn't change the substate to anything. SN HI Support made me run a short background script to assign the 'stale' substatus to them, but even after doing that, upgrading the plugins (both Rapid7 and Vulnerability Response) and running a complete comprehensive integration, these VIs remain as Closed-Stale.

Thanks.