Detection lifecycle - Detection states
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-27-2024 12:02 AM
Hi,
I'm working on the custom scripted REST API for VR module. We create detections and VIT out of data send from 3rd party scanner data.
Since no plugin is involved and we create this api from scratch, could you please explain the lifecycle of the detection once the DET record is created. How each of the states are set? Documentation states that the VIT states are dependent on the detection state (when the det is closed - VIT closes), however how the Det can get closed?
Thanks for the clarification!

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-27-2024 06:35 AM
Hey there,
The primary "States" for Detections are:
- Open - Generally the starting point in the lifecycle on creation
- Closed - As 3rd party scanners indicate previously identified findings are mitigated, we'd close the corresponding Detections if they exist
These are the stateful values that would be key from a 3rd party integration perspective - and generally would be controlled by the baseline logic in the `detectionBase` Script Includes.
Other "States" for Detections to be aware of:
- Stale - Controlled by ServiceNow (scheduled job) to infer a previously identified finding has no longer been reported as "seen again" or "last seen" in a certain period of time
- Invalid - Controlled by ServiceNow (primarily when re-evaluations or re-calculations are performed and prior Detections are no longer relevant - e.g. Detection key changes)
- CI Decommissioned - Controlled by ServiceNow when the CI Operational Status changes to Retired
The Docs page you mentioned is probably this one - that reviews the "roll-up" to the Vulnerable Item State, based on the Detections tied to that Vulnerable Item
There is a VR Integration Guide - if you have not seen this already, it may be handy to look over and consider:
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1271280