Hi Community, I'm currently working with the Security Incidents table (sn_si_incident) and have encountered an issue related to duration calculations. What I'm trying to do: Access the sn_si_incident table; Filter the list to show only closed incidents; Dis...
Hi There, Just wanting some clarity around how vulnerability assignment rules are applied when a new VI is created. We currently have a few hundred vulnerability assignment rules configured because each technology type has different requirements for...
Hello Everyone, Seeing VIT records are still open after the detections are closed as stale. Only few records fall under this issue, what might be the reason for this? I also saw there are few VITs which are closed as stale when the detections are clos...
Hi All, How to disable/hide encryption popup for attachments on a catalog form in Portal for specific scoped record producers, in my case I need to disable this option for Security Incident Response related record producers. Any idea how can we resolv...
Hello Everyone, We have an open VIT and open detection records; however, the detection has not been found for a month. I believe when no detection is found, the respective detection record should be marked as closed and also the VIT record. But in our case, th...
Hello, We are currently setting up the integration with ServiceNow and Azure Sentinel. We created a profile for Azure Sentinel and wanted to ask if anyone has found a good or recommended solution on aggregating alerts (step 3 of profile set up). Duri...
Hi, I have to pull a report with records close to 2 million from VIT table with 8 million active records. How to achieve it? I have a brief idea about the pagination concept, can someone explain in detail about this. Or any other solution which doesn't...
Hello Everyone, We encountered a situation where a VIT was closed with the reason field as "invalid". The worknotes mention the following: Additional Information: Closed because of CIs do not match Closed by: SecCommon System Closed VIT (VITXXXXXXX) and ...
I need to see which vulnerability calculator was used for any AVIT, CVITS or VITS, is this possible? I'm not seeing a field on the table that would give me that information and I'm just curious if I'm missing something? The reason I need to see this i...
In the following Docs' Reconcile unmatched discovered items, we understand that there is a function to re-execute CI LOOK UP for discovered items in the Unmatched state. https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/v...
Hi Community! I want to install the Splunk Enterprise Event ingestion for Security Operation plugin, but I want to make sure that this plugin does not have a cost. I saw that I can install in the production instance but... Do you know if this plugin has c...
I see that there are Discovered Items from Qualys integration that do not have an associated Vulnerable Item, and the CI is created for that Discovered Item (created from IRE). I want to limit creation of new CIs so new CIs are not created for those ...
Hi, I hope you can help me. I would like to configure the Security Incident Response Workspace, but I don't know where to start. Could you help me with info, more technical, not process and interface. Thanks!
Hi all, How can I remove or hide a column from a Security Incident table list in the SIR workspace? Even make it visible only to admin is fine. Ex. If I want to hide/remove the below columns, is there any way to do that? Thanks. Priority, Business Impact...
