03-10-2026 10:42 AM
We have configured VR to scan devices and it creates VITs for specific client software that is vulnerable. That often is something that is not 'owned' by a remediation team in our environment. We have thousands of VITs created with their associated RTs assigned, but the remediation team cannot remediate. Will Exception Management help us close those out? The scanners want to make sure that the vulnerabilities are fixed, so they keep getting deferred and then they wake up and are never truly going to be fixed. Are there ways to automate them to closed with some data indicating that a decision was made or a compensating process is in place? Thanks
03-10-2026 10:59 AM
Hey there,
This sounds like it'd align quite well with the VR feature -> "Exception Rules"
You can craft your condition as needed, to only target the Vulnerable Items (VITs) that meet the criteria you have in mind. There is a notion of an approval step for the Security Team to request this (blanket type of exception). This allows you to still keep a pulse on the exposure findings, while removing the burden on your Remediation Teams for now.
Alternatively, a bigger hammer / more aggressive approach to look at (perhaps for a subset of those findings), could be "Exclusion Rules"
- This would prevent the creation of Vulnerable Items (VITs) for criteria you define
- This can be handy, if you want to filter out what becomes a VIT and you need more granularity than what the upstream 3rd party tool supports for filtering via their API
- https://www.servicenow.com/docs/r/security-management/vulnerability-response/exclusion-rules.html
Friday
Hi Andy, couple of questions -
1- Any way we can automate patching for a set of VR Records (RFC template - submission - deployment) in SNOW?
2- To create an RFC from VR - is Remediation task the only way? I looked at Watch Topics but from there as well we create a Remediation Effort and then again the Rem. task.
Thanks,
Utkarsh
