05-05-2021 12:40 PM
I am finding multiple vulnerable items that are remaining in Open status, even after Qualys no longer detects them. The Vulnerable Item Detection (DET#) shows them with a Status of Closed and a Source Status of Fixed; however, the VIT# still shows as Open.
I believe the logic needed to update is in DetectionBase (QualysHostImportReportProcessor > Detection > DetectionBase). I have seen mention of Detection, but the bulk of the logic is in DetectionBase.
We are using VR version 12.1.4.
- Labels: Vulnerability Response
05-06-2021 06:17 AM
Hi,
First up, avoid customization to the Script Includes like the plague.
Second, keep an eye on the June Store release of VR and upgrade (but if you customize the VR SI then it is much harder to upgrade...).
Third, take advantage of the "Close Stale Vulnerabilities":
https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/task/vr-autoclosevi.html
And Auto delete rules:
https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/task/enable-auto-del-vi-vg.html
Fourth,
Take a look at the VIs that are not closing. Drill down into the Detections. Are you seeing one Detection closed and another open (one or more)? Add "Detection Key" to the list view on the Detections list (related list). Are the keys different? Take a look at the Proof. Are they different? If the answer is yes, then this is most likely the issue. Again, keep an eye on the June Store release.
It is hard to remote diagnose.... so...
05-11-2021 12:26 PM
Hi,
Start here:
https://developer.servicenow.com/dev.do#!/learn/learning-plans/orlando/servicenow_administrator/app_store_learnv2_scripting_orlando_extend_a_script_include
Here is the deal...
Script Includes are VERY complicated. Your environment may vary... At this point, I would gently recommend some professional services from ServiceNow or a certified partner.
05-11-2021 01:47 PM
Thanks Chris, we are looking at professional services now. Is there a way to search for all Detections? This field does not seem to be in the Vulnerable Item table. We are looking to find all Detections with a status of closed and corresponding fields (VI state, asset name, etc.) to better understand impact.
Thanks,
Andrew
05-12-2021 06:17 AM
Andrew,
Yes... what you are seeing in the Vulnerability Item Form View is an Embedded List that is pointing to the Vulnerable Item Detection table [sn_vul_detection]. You can access this table by typing sn_vul_detection.list into the filter navigator and hitting enter.
You will probably want to focus on items that are Open and Last found greater than your scan schedule.
05-20-2021 12:19 PM
Hi Andrew,
Was experiencing the same issue here:
Vulnerable Item Detection - Security Operations - Question - ServiceNow Community
Here is the specific KB to update the detection key: https://hi.service-now.com/kb_view.do?sys_kb_id=e495b73e1b80a0103222ea89bd4bcbc8
Thanks,
Matt
06-03-2021 10:13 AM
Thanks Matt,
It doesn't appear I have access to those resources.
