on 05-20-2024 10:24 AM
In continuation of the "Success with VR" webinar series, on May 15 & 16, William Tran, Sr. Business Process Consultant from ServiceNow's Expert Services team, joined me for a session reviewing "A Day in the Life of a Remediation Owner". When rolling out VR, it is imperative that the Remediation Owners have a good understanding of the intended process for completing their responsibilities. This webinar covers terminology for users new to Vulnerability Response, and the actions a Remediation Owner would take in the IT Remediation Workspace.
The agenda:
- Remediation Owner – Who is it?
- Terminology:
  - Unit of work: Remediation Task/Vulnerable Item
  - Data Flow in ServiceNow
  - State Model
  - Prioritizations: Risk Score/Risk Rating
  - Deadlines: Remediation Targets
- Daily routine: IT Remediation Workspace
The recording can be viewed here:
Resource Links shared:
ServiceNow Documentation
- IT Remediation Workspace
- Vulnerability Response remediation task states
- Remove assignments from vulnerable items for you or your groups
- Requesting and approving an exception
- Change management for Vulnerability Response
Q&A:
Question | Answer |
This solution shown in the Remediation Task is not based on the VI table? | The solution shown in the Remediation Task is based on the VIs that are in that RT. It pulls and aggregates that data into the Solutions Tab. You can see next to the Solution number (starting with VS) there is a column there that shows the VIT number it is associated to. |
Once the state is changed to Under Investigation this will "lock" the current RT. Any newly discovered VI will create a new one with the same criteria but with newly discovered items? For example, Monthly patching for High vulns will create a new RT each month if it is moved forward each month? | That is correct. After the first time it moves from the ‘Open’ state it will not continue to add new VIs into that RT task. All new VIs will be created with a new RT. If you do want VIs to continue to be added to an RT in progress, then disable BR: Set auto fresh Vulnerable Items |
The Remediation Task shows a completed %. In the examples we are looking at it is showing High rated vulnerabilities. Does this mean remediation tasks should be created so no new VI are being added? If so can this be done automatically? | One thing to note is that after a RT moves out of the ‘Open’ state, no new VIs will be added to the RT. If there are new VIs created that fit a RT Rule, it will create a new RT for those VIs to be placed in. If you do want VIs to continue to be added to an RT in progress, then disable BR: Set auto fresh Vulnerable Items |
Is there an option to merge the remediation tasks? Or create a new one based on VITs that are in scope for remediation owners? Sometimes one remediation owner / application owner manages more than 1 application and gets many RTs created for the same vulnerability based on the assignment group owned by him/her | Currently there is not a means to join/merge remediation tasks. If multiple RTs are being created for the same vulnerability for the same assignment group, two items to consider: once an RT moves from Open no new VIs are added to the RT. If you do want VIs to continue to be added to an RT in progress, then disable BR: Set auto fresh Vulnerable Items. The second item: are the remediation task rules needing to be designed to have these group together? |
From a guidance standpoint, who creates the remediation task for the IT folks? Is it the Vul Analyst/manager? | The Vulnerability Manager/Administrator can create Remediation Task rules that would automatically assign VITs to Remediation Tasks based on conditions. Similarly, Vulnerability Managers can manually create Remediation Tasks. |
Is the dashboard icon something to be turned on in the background? I don't see it in my instance. Just Home and Lists | The dashboard icon in VR workspaces was released as part of November 2023 release. |
Why doesn't Assign to me automatically set the state to Under Investigation? | We’ll look into this one. Thanks for the feedback. Please feel free to enter an idea using the Idea Portal whenever you feel an enhancement would be helpful |
What is the logic of having a VIT assignment group/assignee in addition to a VUL also having an assignment group/assignee. I know that with a VUL you can open a CHG but not with a VIT. Just wondering the use case behind it. | Remediation Task creation can have multiple use cases, and VIs may not be assigned to the same group within an RT. Thus, they are not always aligned. Regarding a CHG on a RT, the work is intended to be driven from the RT. |
To move from IT remediation and open a change request, do we need the Change Management module also, or this capability to open a change is included in VR module? | Creating a Change record does require the Change Management application to be licensed. |
Why do we use the VI acronym/term when VITs are what is actually created upon ingest, i.e. VIT12345 instead of VI12345? | The acronym VI stands for Vulnerable Item. The VIT is simply the prefix of the numeric value on the record. |
Can the fields shown in the Vulnerable item view be adjusted? | In Workspace this is not a configuration. It is possible but would require some level of customisation. |
Is there a default approver for the Exception / False positive? | The Approvers need to be assigned/set-up for the Exception and False Positive approval process. |
How do remediation targets and SLA definitions work together? | The Remediation Target is commonly driven by a compliance requirement. The SLAs, if used, would be related to the operational timeline and allows for consideration of pauses, resets (i.e. due to reassignment) or what the organization allows. |
What if the CMDB isn't accurate? | We create an unmatched discovered item (DI) if a CI was not able to be matched in the CMDB. This list of unmatched CIs provides the CMDB team a means to tune their processes and get these assets reclassified into the appropriate class in the CMDB. |
Our biggest issue is large number of “Unclassed Hardware” CI’s created after import of Rapid7 data | Take a look at the CI matching webinar and see if it provides further insight on how to tune your Lookup rules to better align with CIs. If it's a CMDB maturity situation, you now have a means to reclassify these unclassed hardware into the CMDB and have the CIs created. |
Can you split a task for OS and APP related vulnerabilities? | In theory, you can split a task based on OS/APP related vulnerabilities, but that depends on how your Remediation Task rules are configured currently. For example, you can Split by the ‘Vulnerability’. |
IT remediation workspace is included in VR module? | Yes, a VR license provides you access to the IT Remediation Workspace. |
Am I wrong in my assumption that remediation tasks are still not yet completely built out on the AVR side? | AVR does support the creation of Remediation Task rules in AVR to group them. Is there a specific capability of RTs that you are referencing? |
Can you request one change for multiple remediation tasks? | When you submit a Change Request for an RT from the IT Remediation Workspace, it will only be for that one RT. However, the drop down from Create Change action is Add to existing change, which you can then have other RTs added to that change. |
What is the difference between a remediation task and remediation effort? | The remediation efforts allow a Vulnerability Analyst to set-up Remediation Efforts for tracking work. If Remediation Tasks are created and assigned, it allows multiple remediation owners to work on their tasks as it relates to the Remediation Effort. Here’s a great webinar where Lisa Henderson highlights how these work within Watch Topics together and separately: https://www.servicenow.com/community/secops-articles/vr-symbiosis-of-watch-topics-remediation-effort... |
Is this call specifically only related to Vulnerability Response not inclusive of AVR? | For this call we’re focusing specifically on the IT Remediation Workspace for Infrastructure related vulnerabilities, the IT remediation workspace does also allow work for Application Vulnerability Response RTs (AVUL) records. |
Can an item have multiple exceptions, and is the time until when the exception is requested cumulative? | A Vulnerable Item that is a part of multiple Remediation Tasks that have deferrals, will align with the until date of the later date considered from the Remediation Tasks. |
Can we create a dashboard view for raised exceptions. Requirement is to provide visibility to team about number of Exceptions raised last month. | On the Vulnerability Management (PA) Dashboard, there is a tab for ‘Exceptions’ that shows some reports available as it relates to Exceptions. For your specific requirement, configuration of reports to accommodate that use case. |
We utilize Tenable - is there any way to get Solution Records into the system? | The Solutions Management module within VR does support the CVRF framework at this moment. CSAF framework is coming in a future release and will be announced when it is available. I would recommend to submit a request on the Ideas Portal to bring this to the Product team’s attention. |
A copy of the slides has been attached for your review.
Enjoy!