Exclusion Rules - what closes existing Vulnerable Items

Lukasz Bojara
Kilo Sage

Hello Experts,


I wanted to ask about a feature of Vulnerability Response that was introduced not very long ago, which is the option to add an Exclusion Rule. I understand the overall concept and how it works, but I'm having difficulty finding one specific detail. The documentation doesn't seem to be very helpful in this case.


There's a system property (sn_vul.close_vit_with_excluded_detections) that, when set to "true", will tell the system to close all existing Vulnerable Items that come from excluded detections. This is great, but the documentation only provides information about the property itself. It doesn't explain what actually closes vulnerable items.


Is there a specific flow, scheduled job, or some other mechanism responsible for this?


Martin Dewit
Kilo Sage

Hi Lukasz,


In VR 22.1.3, the only script include I could find that calls this system property is DetectionBase (variable at line 121) line 1246 and sets the VIT state and substate (reason). My assumption is once an integration is run (after Exclusion rules are added) the detections and VITs matching the exclusion criteria are set to Closed - Excluded. It also populates the Exclusion rule field on the Detection with the Exclusion rule that was used. If you have a non-prod environment you could test adding the Exclusion rule and running an integration with your scanner to see the behavior.

Nitesh Tolani
ServiceNow Employee

Hi Lukasz,


The vulnerable items will be closed through the import process. As the system gets the same detections again during import, that time it will check whether the vulnerable item already exists and needs to be excluded, and it will close the same based on the system property 'sn_vul.close_vit_with_excluded_detections'.
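A plain-JavaScript sketch of the import-time behaviour both replies describe, added here as an illustration; it is not ServiceNow's DetectionBase code and uses no Glide API. The record shapes, the rule-matching fields (assetEnv, severity), the asset|vulnerability key used to pair a detection with its vulnerable item, and the state/substate values "Closed"/"Excluded" are all assumptions chosen for the example:

```javascript
// Added illustration, not ServiceNow's code: a plain-JavaScript model of the
// behaviour described in this thread. Exclusion rules are applied while
// detections are imported, and an existing vulnerable item (VIT) whose
// detection is now excluded is closed only when the system property
// sn_vul.close_vit_with_excluded_detections is "true". Record shapes, the
// rule-matching fields and the state/substate strings are assumptions.

const CLOSE_VIT_PROPERTY = "sn_vul.close_vit_with_excluded_detections";

// Constructed exclusion rules: a rule matches a detection when every field in
// `match` equals the detection's value for that field (assumed matching model).
const exclusionRules = [
  { sysId: "rule-dev-hosts", match: { assetEnv: "dev" } },
  { sysId: "rule-informational", match: { severity: "informational" } },
];

function findMatchingRule(detection, rules) {
  return (
    rules.find((rule) =>
      Object.entries(rule.match).every(([field, value]) => detection[field] === value)
    ) || null
  );
}

// One import run over a batch of detections. Returns the processed detections
// (with the exclusion rule that matched, if any) and the resulting VIT list.
function runImport({ detections, existingVits, rules, properties }) {
  const closeExisting = properties[CLOSE_VIT_PROPERTY] === "true";
  const vits = existingVits.map((v) => ({ ...v })); // copy, do not mutate input
  const vitByKey = new Map(vits.map((v) => [v.key, v]));
  const processed = [];

  for (const detection of detections) {
    const rule = findMatchingRule(detection, rules);
    const key = `${detection.asset}|${detection.vulnerability}`;
    // The matching rule is recorded on the detection whether or not a VIT exists.
    processed.push({ ...detection, exclusionRule: rule ? rule.sysId : null });

    if (rule === null) {
      // Not excluded: create the VIT the first time this pair is seen.
      if (!vitByKey.has(key)) {
        const vit = { key, state: "Open", substate: null };
        vits.push(vit);
        vitByKey.set(key, vit);
      }
      continue;
    }

    // Excluded detection: never creates a VIT. A VIT that already exists is
    // closed only when the property opts in; otherwise it is left untouched.
    const existing = vitByKey.get(key);
    if (existing && closeExisting && existing.state !== "Closed") {
      existing.state = "Closed";
      existing.substate = "Excluded";
    }
  }
  return { detections: processed, vits };
}

// Constructed sample import: one prod detection, two dev detections, and one
// pre-existing VIT for a dev host that an exclusion rule now covers.
function demo(propertyValue) {
  return runImport({
    detections: [
      { asset: "web-01", vulnerability: "QID-1", assetEnv: "prod", severity: "high" },
      { asset: "dev-01", vulnerability: "QID-1", assetEnv: "dev", severity: "high" },
      { asset: "dev-02", vulnerability: "QID-2", assetEnv: "dev", severity: "low" },
    ],
    existingVits: [{ key: "dev-01|QID-1", state: "Open", substate: null }],
    rules: exclusionRules,
    properties: { [CLOSE_VIT_PROPERTY]: propertyValue },
  });
}
```

Comparing demo("true") with demo("false") is the point of the model: the exclusion rule is recorded on the detection and no new VIT is created for an excluded detection either way, but a VIT that already existed before the rule was added is closed with the Excluded substate only when the property is set. When checking this in a non-prod instance, as Martin suggests, those are the two outcomes to compare on the existing VITs before and after an integration run.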