03-14-2022 03:09 PM
Hello,
We have the API integration with Rapid7's InsightVM and are ready to set timelines on vulnerability remediation. We have 4-5 tiers for remediation timelines and I'm trying to determine if we should use SLAs or Remediation Targets. It seems like Remediation Targets are easier to set up, but we can get more granular with SLAs. Also, we already use Vulnerability Groups/Remediation Tasks to assign these to the CI Support group. This is who we'd want the notifications to go to, but I don't see this option for Remediation Targets.
Does anyone have any best practices or use cases for either SLAs or Remediation Tasks?
Thanks,
Leslie

03-14-2022 03:52 PM
Hi,
There is a very small use case in VR to use an SLA. You can use an SLA on Remediation Tasks that represent an extreme risk to the organization. In reality, very few organizations use SLAs for vulnerabilities. Most organizations stick to RTR. RTR are lightweight and work on the Vulnerable Item table, whereas SLAs do not. (SLA requires the target table to be derived from the Task table.)
As for notifications, check out the Notification module and search for "Remediation target rule". You should craft your notification for RTR here. The Notification tab you see in the RTR is if you wish to notify the Vulnerability Response Managers. (Confusing, I know...)
I would recommend rolling out VR with RTR and in the future, IF you find an edge case for SLA, THEN consider implementing an SLA.
You should find RTR to be enough.

03-16-2022 08:30 AM
Hello,
I have a related question. Does creating Remediation Target Rules create Vulnerability groups according to the rule?
Can you apply RTR to VGs?
Leslie

03-16-2022 12:27 PM
The short answer is no, the RTR is applied to the VI, not the Remediation Task. The Remediation Target field on the Remediation Task is derived from its VIs.
Long answer:
Remediation Target Rules are where you define a "due date" for a VI.
Remediation Task Rules are where you define how to "group" the VIs together in a logical bucket which becomes the Remediation Task.
The Remediation Task "takes/inherits" properties like Assignment Group but Remediation Targets and Risk Score are "rolled-up" from the VI to the Remediation Task. The Remediation Task's RT reflects the earliest date found on the VIs it contains.
Way more than you wanted to know; all the ugly details can be found in the Script Include: VulnerableGroupRule (For your reference only, do not customize!)
07-31-2025 03:32 AM
Hello. Is this still valid after 3 years? Those recommendations did not change till now? 🙂
Please advise.