Detection lifecycle - Detection states

Joanna17 · ‎11-27-2024

Hi,

I'm working on the custom scripted REST API for VR module. We create detections and VIT out of data send from 3rd party scanner data.

Since no plugin is involved and we create this api from scratch, could you please explain the lifecycle of the detection once the DET record is created. How each of the states are set? Documentation states that the VIT states are dependent on the detection state (when the det is closed - VIT closes), however how the Det can get closed?

Thanks for the clarification!

andy_ojha · ‎11-27-2024

Hey there,

The primary "States" for Detections are:

Open - Generally the starting point in the lifecycle on creation
Closed - As 3rd party scanners indicate previously identified findings are mitigated, we'd close the corresponding Detections if they exist

These are the stateful values that would be key from a 3rd party integration perspective - and generally would be controlled by the baseline logic in the `detectionBase` Script Includes.

Other "States" for Detections to be aware of:

Stale - Controlled by ServiceNow (scheduled job) to infer a previously identified finding has no longer been reported as "seen again" or "last seen" in a certain period of time
Invalid - Controlled by ServiceNow (primarily when re-evaluations or re-calculations are performed and prior Detections are no longer relevant - e.g. Detection key changes)
CI Decommissioned - Controlled by ServiceNow when the CI Operational Status changes to Retired

The Docs page you mentioned is probably this one - that reviews the "roll-up" to the Vulnerable Item State, based on the Detections tied to that Vulnerable Item

- https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/vulnerability-respons...

There is a VR Integration Guide - if you have not seen this already, it may be handy to look over and consider:

- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1271280