cannot apply exclusion rules

BolivarT
Giga Contributor

Hello,
I am having trouble executing exclusion rules.
I followed the steps described in the official documentation to set up the rules.
1. I defined the exclusion rule with the following criteria:
Schwachstelle.Quellinstanz.Name=Tenable.sc and Schwachstelle=TEN-10736.
2. I set the system parameter sn_vul.close_vit_with_excluded_detections to true.
3. I restarted the ingestion process. Vulnerability Response -> Administration -> Integration -> Tenable.sc Open Vulnerabilities Integration (Execute Now).
The system didn't throw any errors. However, the exclusion does not apply. Although the preview shows over 13,000 hits for this filter, everything remains unchanged for over a week now. The detection runs every day at a fixed time.
My goal is to exclude invalid vulnerabilities from the detection process. Furthermore, I want to close the invalid vulnerabilities ingested prior to the exclusion rules.
Has anyone experienced this issue and can provide advice on how to solve it?
Thanks!

Bolivar


andy_ojha
ServiceNow Employee

Hey there,

That is not quite how the default behavior works.


The Docs page here has more details about how this works for existing data, and what the property does when set to 'True'.

In essence, once that property (sn_vul.close_vit_with_excluded_detections) is set to True, as detections are brought in from the scanner and match existing detections in ServiceNow (sn_vul_detection), then that logic kicks in and updates the VIT > Closed Excluded.


This video also clarifies the baseline behavior of what happens when the property is True and you have an existing Detection that gets updated by another integration run.

So if the Detections that exist already are not coming in again with delta imports, we may have to rely on the Auto-Close rules to eventually close these out.


We'd be relying on both:

1) The Exclusion Rule Property (sn_vul.close_vit_with_excluded_detections)
   • This handles updating the Vulnerable Items to "Closed/Excluded" when detections under that VIT match that Exclusion Rule, once those detections come back in (e.g. via delta import)
2) Auto-Close rules
   • To handle any Detections that have not been brought in again (via delta integration run), even though they match the criteria of the Exclusion Rule we've set up
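To make the two-part behavior in the reply concrete, here is a small constructed model (added illustration, not ServiceNow's code or the community members' code) of which Vulnerable Items a single integration run would move to Closed/Excluded and which are left for Auto-Close rules. The rule values come from the original post; the detection records, VIT ids and the `outcomesForRun` helper are constructed for the example.

```javascript
// Constructed model of the behavior described in the reply (not ServiceNow code).
// A VIT moves to Closed/Excluded only when an existing detection under it matches the
// exclusion rule AND that detection is brought in again by a later integration run while
// sn_vul.close_vit_with_excluded_detections is true. Matched detections that never come
// back in a delta import stay open and need an Auto-Close rule.

const EXCLUSION_RULE = { source: "Tenable.sc", vulnerability: "TEN-10736" }; // rule from the post

function matchesExclusion(det, rule) {
  return det.source === rule.source && det.vulnerability === rule.vulnerability;
}

// existing:   detections already in sn_vul_detection, each {id, source, vulnerability, vit}
// reimported: ids of the detections the latest delta import brought in again
// closeProp:  value of sn_vul.close_vit_with_excluded_detections
// returns:    vit id -> outcome of this integration run
function outcomesForRun(existing, reimported, rule, closeProp) {
  const outcome = {};
  for (const det of existing) {
    if (!matchesExclusion(det, rule)) {
      outcome[det.vit] = "not excluded";
    } else if (closeProp && reimported.has(det.id)) {
      outcome[det.vit] = "Closed/Excluded";            // the property's logic kicked in
    } else {
      outcome[det.vit] = "left open (Auto-Close rule needed)"; // not re-imported or property off
    }
  }
  return outcome;
}

// Constructed sample data: three existing detections, one VIT each.
const EXISTING = [
  { id: "d1", source: "Tenable.sc", vulnerability: "TEN-10736", vit: "VIT001" },
  { id: "d2", source: "Tenable.sc", vulnerability: "TEN-10736", vit: "VIT002" },
  { id: "d3", source: "Tenable.sc", vulnerability: "TEN-OTHER-EXAMPLE", vit: "VIT003" },
];
const REIMPORTED = new Set(["d1", "d3"]); // d2 did not come back in the delta import

function demo() {
  return outcomesForRun(EXISTING, REIMPORTED, EXCLUSION_RULE, true);
}
```

In this model VIT002 is the case the reply's second point covers: its detection matches the rule but was never re-imported, so only an Auto-Close rule will close it.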