Close/Defer Workflow Question

Jimmy26 · ‎07-15-2020

Hello, I'm currently working on developing some reports for any VI or VG that was subject to the "Close/Defer" button. In doing that, I noticed that depending how a VI or VG is marked as closed, it may or may not be reflected within the table known as sysapproval_approver. With that being said, could someone explain why certain closures are not reflected in the table? Are these closure options really more intended for VR admins as opposed to regular users? Also does anyone have the dictionary definition of each close/defer option? For example, I am confused on the intent of the Close > Cancelled options....no entirely sure why a VI or VG would be cancelled.

The following Closure types to do not show in the table known as sysapproval_approver

VIs: Close > Cancelled

VIs: Close > Fixed

VGs: Close > Cancelled

VGs: Close > Fixed with exceptions

andy_ojha · ‎07-15-2020

Hey there - sounds like you might be still be working with Vulnerability Response, older than v10.3.

Baseline (v9, v10.0), the approval workflow will trigger whenever a user requests any flavor of Defer from the Vulnerability Group:

The reason is, when a user requests to Defer a Vulnerability Group -> that will impact the states of the associated Vulnerable Items for all flavors of Defer

The same is not true when requesting to Close a Vulnerability Group:

When a user submits a request to Close the Vulnerability Group, the flavor they choose, will determine if an approval is generated
This is because, only some flavors of Closed, actually impact the states of the associated Vulnerable Items

To summarize:

Closed Flavor	Impacts Assoc. Vuln Items?	Requires Approval?
Result Invalid	Yes	Yes
Cancelled	No	No
Fixed w/ Exceptions	No	No

Deferred Flavor	Impacts Assoc. Vuln Items?	Requires Approval?
Awaiting Maintenance Window	Yes	Yes
False Positive	Yes	Yes
Fix Unavailable	Yes	Yes
Risk Accepted	Yes	Yes
Mitigating Control in Place	Yes	Yes
Other	Yes	Yes

In VR v10.3 the False Positive flavor has changed:

- https://docs.servicenow.com/bundle/orlando-security-management/page/product/vulnerability-response/c...

View solution in original post

Jimmy26 · ‎07-15-2020

Ojha, Thank you so much for the detailed explanation. Yes we are on 10.0.4 at the moment. Can you give me some clarification the impact of certain Closed flavors? I'm looking at the example of Cancelled not having an impact against vulnerable items but at the same time it looks like it really does have an impact in that now its marked as closed without any validation or approvals (See below image). My fear is simply users abusing this feature to just get VIs of VGs in a closed state for a brief period.