Join the #BuildWithBuildAgent Challenge! Get recognized, earn exclusive swag, and inspire the ServiceNow Community with what you can build using Build Agent.  Join the Challenge.

Remediation Target Rules

Go to solution
jslee102
Tera Contributor

‎06-24-2025 06:01 AM

So, my vuln analysts are wondering if there is any way to have the remediation target use a base of when a VIT is assigned to a service now group.  The reason being that the remediation teams are complaining because as certain items get assigned (like we keep. a bunch of lows unassigned, but something changes to make it high), they get the VIT and it is already out of remediation target date.

 

Any thoughts on how that would work?

0 Helpfuls
  • 866 Views
1 ACCEPTED SOLUTION

Go to solution
HMR00
Tera Expert

‎06-24-2025 06:25 AM

so u can a create a business rule to reset the open/last open date upon change of assignment group, this will cover re-assignment use case as well.  Also, only open, in progress may only be considered !

 

Hope this help

View solution in original post

0 Helpfuls
7 REPLIES 7

Go to solution
Kevin Lillis
Tera Expert

‎06-24-2025 06:23 AM

We've run into this too a few times.  Our experience is slightly different in that we assign all VITs regardless of severity, but we don't necessarily require remediation on all.  But whether we require remediation on all or not, there are scenarios with the Risk Rating changes from a Low (not required to remediate) or a Medium (3 months to remediate) to a Critical (15 days to remediate) and once that happens, it is already overdue and the status changes to Missed Target immediately upon changing the Risk Rating.

Interested if there is a way to have the clock start from the point the escalation in Risk Rating takes place.

0 Helpfuls

Go to solution
Sarath S
ServiceNow Employee
ServiceNow Employee
In response to Kevin Lillis

yesterday

Hi @Kevin Lillis ,We are adding additional configuration options in the Remediation Target Rule to address the scenario you described. This enhancement will be available in the December 2025 release.

 

Here are the configurations, you can set : 

  • Default calculation Uses the original Target from (date) value to calculate the remediation target (RT) date. When the risk rating changes, the RT date remains unchanged. 
  • Recalculate from risk change date : Recalculates the RT date using the SLA for the new risk rating, starting from the most recent risk change date. If a finding changes from Medium (15 days) to High (10 days) on Feb 10, the new target date becomes Feb 20. 
  • Recalculate from risk change date and always set to earliest target date : Recalculates the RT date on every risk change and always keeps the earlier applicable target date. If a finding created on Feb 1 (Medium, 15 days → Feb 16) changes to Low (30 days) on Feb 10, the target date remains Feb 16. 
  • Recalculate from risk change date and set to earliest target date only when risk rating increases 
    Tooltip: Recalculates the RT date on every risk change and keeps the earlier date if the risk decreases. If a finding created on Feb 1 (Medium, 15 days → Feb 16) changes to Low (30 days) on Feb 10, the new target date will be March 12. If it changes to High (10 days) on Feb 10, the target date remains Feb 16.

Go to solution
Kevin Lillis
Tera Expert
In response to Sarath S

18 hours ago

Thank you Sarath!  This will help us a lot.  We will wait for the December release to start using these.

Go to solution
Kevin Lillis
Tera Expert
In response to HMR00

‎06-24-2025 08:25 AM

I am guessing we could also create a business rule that states if the Risk Rating of the VIT has increased (ex. Low to High), then recalculate the Remediation Target?  Do you know if that is possible?

0 Helpfuls