Allowing Remediation Owner users to create their own custom VUL Remediation Tasks
11-28-2023 11:09 AM
Hey everybody.
We are investigating the best way to allow a user with the Remediation Owner role to be able to create a custom Remediation Task without just opening everything up and giving everybody the write_all role. Based on the ACLs and UI Button conditions, it seems that is what is required for the "New" button to be available out on the Remediation Task list view.
Does anybody out there do this kind of thing, and if so what was the choice of actions and direction taken to implement?
Thanks, in advance, for all input and dialog.

11-28-2023 05:34 PM
Hey there,
Curious - what's the compelling driver here, to allow Remediation Teams to create their own Remediation Task (RTs/ VULs)?
Just asking, as this tends to be one of those "just because we can, should we...." - and there are some gotchas that may pop up.
There's no real right or wrong to it - just proceed with caution, and understand the risks / technical debt going down that path.
--------------------------------------------------------------------------
One detail I did not see in the original post: what particular "Grouping method" do we have in mind for the RTs / VULs the Remediation Teams will create? Are we thinking Manual, Filter-based, etc.?
A risk you may want to consider / keep an eye on - is that Remediation Teams may have good intentions, but may not be entirely familiar with ServiceNow VR's data model.
- They may accidentally create VULs / RTs with poor conditions, using filters like CONTAINS, DOES NOT CONTAIN
- This may lead to the creation of VULs / RTs that are associated to VITs the Remediation Owner may not have intended, perhaps they were just tinkering or made a mistake
- E.g. Config Item.Name | DOES NOT CONTAIN | z
- Over time, as these VULs / RTs may be built with poor conditions - we may see the M2M table balloon in volume as a result [sn_vul_m2m_vul_group_item]
- Then, there is a scheduled job that refreshes the VITs on RTs (not tied to grouping rules)
- As that M2M tends to balloon and inflate and we have more and more manually created RTs earmarked to be refreshed - we may see slow queries and potential performance impact
- There's a bunch of other band-aid type workarounds that you could look at to treat these risks - but now the question is, is the cost / technical debt really worth it
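As an added illustration (not code from the thread or from ServiceNow), the bullet points above can be turned into a pre-save check: parse a Remediation Task's encoded filter query, flag over-broad operators such as DOES NOT CONTAIN (encoded as NOT LIKE), and count how many rows the VIT refresh would push into the M2M table against a constructed set of vulnerable items. The encoded-query syntax is ServiceNow's; the field names, sample VITs and the 50% threshold are assumptions.

```javascript
// Added example (not from the thread or ServiceNow): lint a Remediation Task
// filter before it is saved. Encoded queries join AND terms with '^', each
// term is <field><operator><value>: "cmdb_ci.nameNOT LIKEz" is Andy's
// "Config Item.Name DOES NOT CONTAIN z". Field names are assumptions.
const TERM = /^([a-z0-9_.]+)(!=|=|NOT LIKE|LIKE|NOT IN|IN|ISNOTEMPTY|ISEMPTY)(.*)$/;
// Operators that usually select far more VITs than the author intended.
const BROAD_OPERATORS = new Set(['NOT LIKE', 'LIKE', 'ISNOTEMPTY', '!=']);

function parseEncodedQuery(query) {
  return query.split('^').filter(Boolean).map((term) => {
    const m = TERM.exec(term);
    if (!m) throw new Error('unparseable term: ' + term);
    return { field: m[1], op: m[2], value: m[3] };
  });
}

function termMatches(t, record) {
  const s = String(record[t.field] ?? '').toLowerCase(); // empty if field absent
  const v = t.value.toLowerCase();
  switch (t.op) {
    case '=': return s === v;
    case '!=': return s !== v;
    case 'LIKE': return s.includes(v);
    case 'NOT LIKE': return !s.includes(v);
    case 'IN': return v.split(',').includes(s);
    case 'NOT IN': return !v.split(',').includes(s);
    case 'ISEMPTY': return s === '';
    default: return s !== ''; // ISNOTEMPTY
  }
}

// Counts the rows the VIT refresh would write to sn_vul_m2m_vul_group_item for
// this filter and warns when it is broad by operator or by share of all VITs.
function lintRemediationTaskFilter(query, vulnerableItems, maxShare = 0.5) {
  const terms = parseEncodedQuery(query);
  const warnings = terms.filter((t) => BROAD_OPERATORS.has(t.op))
    .map((t) => `${t.field} ${t.op} "${t.value}" is an over-broad condition`);
  const rows = vulnerableItems.filter((vit) => terms.every((t) => termMatches(t, vit))).length;
  const share = vulnerableItems.length ? rows / vulnerableItems.length : 0;
  if (share > maxShare) warnings.push(`selects ${rows} of ${vulnerableItems.length} VITs`);
  return { m2mRows: rows, warnings };
}

// Constructed sample VITs with dot-walked fields flattened; not real data.
const SAMPLE_VITS = [
  { 'cmdb_ci.name': 'web-prod-01', assignment_group: 'Linux Ops' },
  { 'cmdb_ci.name': 'web-prod-02', assignment_group: 'Linux Ops' },
  { 'cmdb_ci.name': 'db-prod-zone-a', assignment_group: 'DBA' },
  { 'cmdb_ci.name': 'app-qa-03', assignment_group: 'Windows Ops' },
];
```

Running `lintRemediationTaskFilter('cmdb_ci.nameNOT LIKEz', SAMPLE_VITS)` reports both an over-broad operator and a 3-of-4 match, while a host-scoped one-off such as `cmdb_ci.nameINweb-prod-01,web-prod-02^assignment_group=Linux Ops` passes clean with two M2M rows.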
11-28-2023 06:41 PM
Hi Andy! Thanks for asking and diving in ...
Currently we have some of our users ask for "custom VUL" remediation tasks mostly for the purpose of allowing a singular exception/deferral submission of a particular situation that the default grouping does not handle well (we use the out of box initial grouping rule of Vulnerability/Assignment Group). Looking to see if we can minimize our bottleneck of creating the custom VUL upon their request of it, to then let them get the VUL deferred. PRIMARY situation.
Totally agree with the "just because ... should we" thought and why I opened that door with this dialog as to options and thoughts out there to allow us to make a better informed decision than to "just go do it". The level of technical debt on my part is absolutely on my mind, as we over-customized VR when it was originally implemented and we pay for it at least twice a year with every upgrade.
As for the grouping method, I think my teammates have been using Filter based modes mostly when creating the VULs so far, but I might be wrong in that I have not yet been personally involved in getting one of those requests assigned to me to get the VUL set up.
For your bullet items - I agree. I can almost guarantee it in fact. Quite possible that some of our existing VM Team built custom VULs may also have those conditions as well, sadly. The condition is driven by what the users give us in the requests they make.
Really appreciate the perspective you provide in that full list of bullet items and thoughts.

11-28-2023 07:48 PM
Hey Joe - gotcha, that is totally fair, I can appreciate some of the challenges with the baseline grouping logic / keys for the big picture scenario.
You may have already looked at it - but just in case:
- The "Split Task" functionality, might offer something here - if the VITs are already grouped and assigned over to the Remediation Teams
- The Remediation Teams can click the UI Action button at the top of the form on an existing Remediation Task (or scroll down to the related VITs and cherry pick which ones they want to carve out with the List UI Action)
- The idea would be to carve out a select set of VITs into their own VUL (Remediation Task), and then request the exception there (for the carved out VITs)
Reference:
11-28-2023 07:55 PM
Andy,
I have used that for more of what you described "carve out a subset", but in the case of some of the conditions to get a singular VUL for deferral purpose, it is more like carving out bits and pieces from many VULs into a single VUL - like all Vulnerabilities on a device or two would be a best example where I don't think that split function works quite that way ... unless I am missing a fine point about what you can get away with using that UI Action ...

11-28-2023 08:22 PM - edited 11-28-2023 08:23 PM
Hey Joe - ah I see .. that is fair...
Perhaps check out this hidden nugget...
There is a UI Action called "Create Group from Filter" on the Vulnerable Item table
- At the moment, I think it is hidden due to the baseline conditions on it
But perhaps something like this would be neat to consider as you solution this:
- The idea used to be, craft your filter query on the list of VITs (based on what they have permissions to see)
- Click the button to create a one-off VUL with those VITs meeting the filter criteria
I know some deployments allow their Remediation Teams to see lists of VITs assigned to them, but not sure if you have opened that up in your deployment...
--> If you haven't, I recognize this would be a no-go..
Just figured to mention it as an idea to look at, before you head down the path of exposing the New button to the Remediation Teams ...
Reference (After clawing back the permissions / condition on the UI Action)