Issue with decommissioned configuration items between ServiceNow and Rapid7 Nexpose?

sai yaswanth ku
Giga Expert

Nexpose closes the vulnerable items when the issue is fixed for assets/configuration items that are alive/operational in Nexpose scanning, but this is not happening for dead/non-operational assets. May I know why?

I want to know whether there is any process to close vulnerable items when assets/configuration items are removed from Nexpose scanning.


I have gone through the link below, but it doesn't help me:
Solved: How to deal with the issue of decommissioned asset... - ServiceNow Community

#sandiego #vulnerabilityresponse #secops #secopsforum

2 ACCEPTED SOLUTIONS

joe_harvey
ServiceNow Employee

Hey Sai,

Without R7 reporting that the vulnerability was Fixed, VR has no way of knowing that it should be closed. There are a couple of things you can look into. Both can be found by navigating to:

Vulnerability Response > Administration > Auto-Close Configuration:

Stale Detections

 - This will automatically close a Vulnerable Item when the scanner has not reported the vulnerability for X number of days.

 - I have seen customers set this value anywhere from 15 to 60 days.

Configuration Item Lifecycle

 - Auto-close VIs linked to Retired CIs [checkbox]

 - Before deciding to use this feature, you should consider how well you trust your CMDB processes. If a CI is Retired in the CMDB but the actual device is still running on your network, the VI will be closed even though it is in reality an active vulnerability in your environment.

I hope that this helps,

--Joe


Hey Sai,

Here are the jobs that process the configurations that I mentioned [System Definition > Scheduled Jobs]:

  • Close detections/VIs for decommissioned CIs
  • Auto-Close Stale Detections

--Joe

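The two Auto-Close Configuration rules Joe describes, and the pass the scheduled jobs he names make over Vulnerable Items, modelled as an added example in plain JavaScript (not ServiceNow's or Rapid7's code, and not the Glide API): it applies the Stale Detections window and the Retired-CI rule to constructed sample data, and adds a defender-side cross-check for the CMDB caveat he raises, which the product feature itself does not apply. Field names, VI numbers and the 30-day threshold are assumptions.

```javascript
// Added example, not ServiceNow's or Rapid7's code: models the two Auto-Close
// Configuration rules from the answer above over constructed data.
// Field names, VI numbers and the 30-day threshold are assumptions.
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample of Vulnerable Items as VR might hold them after a Rapid7 import.
// lastSeen = last date the scanner reported the vulnerability on that CI.
const sampleItems = [
  { id: "VIT0001", ci: "web01", ciStatus: "Operational", scannerState: "Fixed", lastSeen: "2024-05-01" },
  { id: "VIT0002", ci: "web02", ciStatus: "Operational", scannerState: "Open",  lastSeen: "2024-03-01" },
  { id: "VIT0003", ci: "db01",  ciStatus: "Retired",     scannerState: "Open",  lastSeen: "2024-01-15" },
  { id: "VIT0004", ci: "app03", ciStatus: "Retired",     scannerState: "Open",  lastSeen: "2024-05-08" },
  { id: "VIT0005", ci: "web04", ciStatus: "Operational", scannerState: "Open",  lastSeen: "2024-05-07" },
];

// Whole days between the scanner's last report and the evaluation date.
function daysSince(dateStr, today) {
  return Math.floor((Date.parse(today) - Date.parse(dateStr)) / MS_PER_DAY);
}

// One decision per VI: "close", "keep" or "review", with a reason.
// config mirrors Vulnerability Response > Administration > Auto-Close Configuration:
//   staleDays       - Stale Detections window (X days without a scanner report)
//   closeRetiredCis - the "Auto-close VIs linked to Retired CIs" checkbox
function evaluateAutoClose(items, today, config) {
  return items.map((vi) => {
    const age = daysSince(vi.lastSeen, today);
    if (vi.scannerState === "Fixed") {
      return { id: vi.id, action: "close", reason: "scanner reported Fixed" };
    }
    if (config.closeRetiredCis && vi.ciStatus === "Retired") {
      // Defender-side cross-check, not part of the product rule: a CI marked Retired
      // in the CMDB that the scanner still saw inside the stale window is probably
      // still on the network, so flag it for review instead of closing it blindly.
      if (age < config.staleDays) {
        return { id: vi.id, action: "review", reason: `CI Retired in CMDB but scanner saw it ${age} days ago` };
      }
      return { id: vi.id, action: "close", reason: "CI Retired in CMDB" };
    }
    if (age >= config.staleDays) {
      return { id: vi.id, action: "close", reason: `stale: not reported for ${age} days` };
    }
    return { id: vi.id, action: "keep", reason: `reported ${age} days ago` };
  });
}

const decisions = evaluateAutoClose(sampleItems, "2024-05-10", { staleDays: 30, closeRetiredCis: true });
for (const d of decisions) console.log(`${d.id}: ${d.action} (${d.reason})`);
```

Running it with the checkbox off (closeRetiredCis: false) shows VIT0003 still closing through the stale rule alone, while VIT0004 stays open because it was reported two days ago.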

5 REPLIES


Thanks @joe_harvey, it worked for me!

May I know which scheduled job it runs?

May I know which scheduled job it runs? @joe_harvey