Fixed Vulnerable Items still show open in ServiceNow
‎02-16-2022 11:42 AM
We have some vulnerable items that only show a single Open detection, but do not seem to have recorded the Closed/Fixed detection. These items no longer exist in Qualys and we are wondering why ServiceNow still shows them as open. We have rescanned and ServiceNow updates daily but they are still unable to find the Closed/Fixed detection. The vulnerable item in question was last updated a few weeks ago. Is there a way to auto-close everything that is not active in Qualys?
- Labels: Vulnerability Response
‎02-16-2022 11:51 AM
We have dealt with a similar issue; however, we are no longer on Quebec. Paris and Rome have a scheduled job to auto-close stale detections based on how many days your organization determines is valid for your processes. I don't believe this is available on Quebec, but look to see if you have a way to have Qualys close any detections that are stale or no longer flagged when you rescan them. We use another product, but when you re-scan the device you can flag it to close any open detections. But we also use the auto-close stale detection job.
‎02-16-2022 12:30 PM
It's going to depend on the version of the Vulnerability Response application that you have installed in your instance.
Starting in version 15, stale detections can be closed automatically (causing the state to roll down to the VITs):
https://docs.servicenow.com/bundle/sandiego-security-management/page/product/vulnerability-response/concept/auto-close-common.html
‎02-23-2022 02:43 PM
Do you know if VR looks for a fixed status for QIDs in order to close them? My concern is if there is a processing issue in ServiceNow, or something gets purged in Qualys, it will not be able to pick up a fixed status. There is a code comment in the store version of detectionBase, "Mark VI as closed-fixed if there are no open detections and VI is not already closed", but this doesn't appear to be "active".
Thanks,
Andrew
‎02-16-2022 12:37 PM
Thank you for the responses. We are on version 15, we recently deployed. We also have a stale detection rule set to 45 days, so this is really an issue in that 45-day window for accurate reporting. My guess is that ServiceNow missed a fixed flag or something else is going on because Qualys has not shown these vulnerabilities for some time.
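For anyone reconciling the two systems during the 45-day window discussed in this thread, here is an added example (not posted by any participant, and not ServiceNow or Qualys code) that classifies open vulnerable items against an export of current scanner detections. The record layout, field names, VI numbers and QIDs are constructed for illustration; only the 45-day value and the Qualys detection status names are real.

```python
from datetime import date, timedelta

STALE_DAYS = 45  # stale detection rule quoted in the thread
OPEN_STATUSES = {"New", "Active", "Re-Opened"}  # Qualys detection statuses

# Constructed sample exports; field names are hypothetical, not a vendor schema.
TODAY = date(2022, 2, 16)
SN_OPEN_VIS = [
    {"number": "VIT-A", "host": "web01", "qid": 90001, "last_found": date(2022, 2, 15)},
    {"number": "VIT-B", "host": "db02", "qid": 90002, "last_found": date(2022, 1, 25)},
    {"number": "VIT-C", "host": "app03", "qid": 90003, "last_found": date(2022, 1, 20)},
    {"number": "VIT-D", "host": "app04", "qid": 90004, "last_found": date(2021, 12, 20)},
]
# Keyed by (host, QID). app03 and app04 are missing: the scanner no longer
# holds any record for them, so no Fixed status will ever be imported.
QUALYS = {("web01", 90001): "Active", ("db02", 90002): "Fixed"}


def reconcile(open_vis, qualys, today, stale_days=STALE_DAYS):
    """Classify each open vulnerable item against the scanner's current view.

    Returns {VI number: (verdict, days until the stale rule would close it)}.
    A negative day count means the stale rule should already have fired.
    """
    report = {}
    for vi in open_vis:
        status = qualys.get((vi["host"], vi["qid"]))
        days_left = (vi["last_found"] + timedelta(days=stale_days) - today).days
        if status in OPEN_STATUSES:
            verdict = "still_open_in_scanner"          # correctly open
        elif status == "Fixed":
            verdict = "fixed_not_imported"             # import missed the closure
        elif days_left >= 0:
            verdict = "absent_waiting_for_stale_rule"  # purged or never re-reported
        else:
            verdict = "absent_stale_rule_overdue"      # check the auto-close job
        report[vi["number"]] = (verdict, days_left)
    return report


if __name__ == "__main__":
    for number, (verdict, days_left) in reconcile(SN_OPEN_VIS, QUALYS, TODAY).items():
        print(f"{number}: {verdict} (stale rule in {days_left} days)")
```

Items in the two "absent" buckets are the ones that distort reporting inside the window; "fixed_not_imported" points at the integration rather than the stale rule.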