Can VR auto close a VI/VG if its a false positive?

Dommer
Tera Contributor

‎10-28-2022 08:38 AM - edited ‎10-28-2022 08:38 AM

Hey all,

 

How can we get a false positive VI/VG to automatically close without setting an expiration date in the request exception to avoid it opening to its previous state? According to the following VR state workflow diagram that is out of the box config?

 

https://docs.servicenow.com/bundle/rome-security-management/page/product/vulnerability-response/conc...

 

Also, I don't want VR reopening the false positive VI/VG based on new scan detections. As of now all our exception requests for False Positives require an expiration date. I presume these will reopen after the expiration date regardless of it being classified as a False Positive? Any clarification or solution here would help me out greatly. Thanks.

0 Helpfuls
  • 912 Views
5 REPLIES 5

Nikan Keyhani
Mega Guru

‎10-31-2022 01:28 AM

Hey @Dommer

 

when requesting an exception/deferral, a duration is always required. 

 

But for False positive requests, it is not required to provide an until date, this is optional. 

If we populate the until field, correct, the affected VITs will reopen whenever it expires. 

But for False Positives without an until date, they are handled as a permanent false positive and will not re-open.

 

Hope this helps answering the question 

0 Helpfuls

Dommer
Tera Contributor
In response to Nikan Keyhani

‎10-31-2022 07:10 AM

Thanks @Nikan Keyhani . When I leave the Until field blank and click submit for a false positive, it's giving an error that it needs a valid future date (see below). Is it easy to change this to not require a date? Thanks.

 

Dommer_0-1667225299455.png

 

0 Helpfuls

Nikan Keyhani
Mega Guru

‎10-31-2022 07:19 AM

Hey @Dommer,

 

I see, rather than using the regular False Positive request, which is typically used for requesting false positives, youre using the deferral/exception requests for that, with the reason false positive. 

 

For deferral/exception requests an until date is mandatory, regardless of the reason, this is causing the issue. 

 

It would be possible to configure the until field not to be mandatory for this specific case, but I would first check, why we are not using the regular false positive requests, to request false positives. 

 

Maybe you can provide some further information on this. 

 

0 Helpfuls

Dommer
Tera Contributor
In response to Nikan Keyhani

‎10-31-2022 07:35 AM

I am not aware of any other false positive request option other than using the request exception. Is that a button on the remediation task? If so, I don't have it in my environment. Maybe is specific to a newer version(s) of Vulnerability Response? I included snapshots of our versions installed. Thanks.

 

Dommer_0-1667226720070.pngDommer_1-1667226731240.png

 

0 Helpfuls