Rule-based remediation tasks, splitting and new VITs - choosing the right task?

Christoph4
Tera Contributor

Good morning,

 

I'm trying to figure out a scenario that involves remediation task (grouping) rules, manual splitting and updates when new VITs come in.

A remediation team member reported that he split one of his (rule-generated) remediation tasks to isolate a specific vulnerability and a couple of days later new items (not matching) were automatically added to his new remediation task.

I'm now trying to understand how the system picks a remediation task when grouping:

1) Let's assume we have a remediation task rule

2) It generates a single remediation task "TaskA" for an assignment group

3) Remediation owner splits the remediation task and generates a "TaskB" with a subset of the items from "TaskA"

4) If a new VIT comes in that matches the definition of the rule from (1), where does the new item get added and how does the system choose the right task? Let's further assume state is "Open" for both of them.

The observation we made was that, in our case, we think that new items were added to "TaskB", which does not necessarily make sense, especially because they did not match the criteria used for the manual split.

 

Bonus question: where can I find the code that does grouping?

 

 Christoph

 

1 ACCEPTED SOLUTION

Hi Christoph,

I agree with the point you mentioned. Looking at your group rule, if the assignment group and selected business application are the same for both remediation tasks, ServiceNow can randomly pick any remediation task, maybe picking up the recently created one.

Regards,

Deepankar Mathur


5 REPLIES

dmathur09
Kilo Sage

Hi Christoph,

Can you share a screenshot of the sn_vul_grouping_rule module record that is active? That active record is the one responsible for grouping the vulnerability items into groups.

Once we have those details, we can further investigate which fields have been configured for grouping.

Regards,

Deepankar Mathur

Sure, this is what it looks like. "Selected Business Application" is a field we added; it is a reference to the Business Application the VIT belongs to. The rule groups all vulnerable items for each business application into a remediation task.

Now, when the team wants to split this task to separate some VITs, the system does not seem to care whether the group was created by the rule or the manual split. At least it looks like that.

Hi,

This would explain the behavior, thank you.

Shouldn't the split-off remediation task be marked as "manual" or something? I believe the cause is that split-off tasks are still considered to be created by the automated rule but in fact they were defined manually by an analyst. So my expectation would be that the rule system should never touch them again. Is there a reason why it was implemented like that?


 Christoph