how to configure vulnerability response to auto close certain vulnerabilities?
2 hours ago
We have configured VR to scan devices and it creates VITs for specific client software that is vulnerable. That often is something that is not 'owned' by a remediation team in our environment. We have thousands of VITs created with their associated RTs assigned, but the remediation team cannot remediate. Will Exception Management help us close those out? The scanners want to make sure that the vulnerabilities are fixed, so they keep getting deferred and then they wake up and are never truly going to be fixed. Are there ways to automate closing them, with some data indicating that a decision was made or a compensating process is in place? Thanks
2 hours ago
Hey there,
This sounds like it'd align quite well with the VR feature -> "Exception Rules"
You can craft your condition as needed to only target the Vulnerable Items (VITs) that meet the criteria you have in mind. There is a notion of an approval step for the Security Team to request this (blanket type of exception). This allows you to still keep a pulse on the exposure findings and remove the burden on your Remediation Teams for now.
Alternatively, a bigger hammer / more aggressive approach to look at (perhaps for a subset of those findings) could be "Exclusion Rules"
- This would prevent the creation of Vulnerable Items (VITs) for criteria you define
- This can be handy if you want to filter out what becomes a VIT and you need more granularity than what the upstream 3rd party tool supports for filtering via their API
- https://www.servicenow.com/docs/r/security-management/vulnerability-response/exclusion-rules.html

