Issue on grouping vulnerabilities by risk rating

Venkatesh4
Tera Expert

Hi Everyone,

 

We are using the risk rating to group vulnerabilities. We have defined that in our group rules.


When the remediation task gets created, it is set to 4-low and the short description of the remediation task is set to 4-low. Later, the remediation task's risk rating changes to a different risk rating, but the short description remains the same (4-low).


 

I'm interested in understanding if there are any out-of-the-box capabilities available to address this issue. Additionally, I'm curious to learn whether grouping vulnerabilities based on risk rating is considered the best approach or not.

 

Thanks in advance


3 REPLIES 3

william_tran
ServiceNow Employee

Hi Venkatesh4,

 

There is no inherent issue with using Risk Rating to group vulnerabilities; we see a lot of customer implementations leveraging the Risk Rating field to group vulnerabilities with a similar risk profile.

 

Have you checked your risk rollup calculators, specifically the "Remediation Task Rollup" calculator? It can be found under: All > Vulnerability Response > Administration > Vulnerability Rollup Calculator.

The Remediation Task's Risk Score is calculated differently than a Vulnerable Item and uses the following weights.

  • Maximum risk score: 80
  • Average risk score: 5
  • Count of vulnerable items: 15

 

If you want the Risk Score of the Vulnerable Item to match or be similar to the Risk Score of the Remediation Task, I suggest modifying these weights and letting the scheduled job recalculate the Risk Scores.

 

Documentation Link: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/vulnerability-respo...

 

Best,

William

 

 

Venkatesh4
Tera Expert

The risk rating on the remediation task is being calculated correctly. However, when a new vulnerable item is added, the risk rating tends to shift to either high or low, but the short description field does not reflect the same value. Is this behavior intentional?

Hi Venkatesh4,

 

The behavior is intentional: the short description of the Remediation Task gets populated on creation based on the Remediation Task rules, and it will not be automatically updated even if the fields change. The 'Short Description' does not get populated based on field data in the Remediation Task itself, but based on the defined field groupings in the Remediation Task rules.

 

Another thing to note is that Remediation Task rules group Vulnerable Items based on similar criteria (i.e. Risk Rating in this situation), so if a new Vulnerable Item gets added to the Remediation Task that shifts the Risk Score higher or lower (subsequently affecting the Risk Rating), I would suggest modifying the Rollup Calculator so that the Risk Score of the Remediation Task doesn't shift.

 

I hope this helps.

 

William