Success with Vulnerability Response: Deep-dive into Classification Rules and Assignment Rules

Eliz Skogquist
ServiceNow Employee

Our "Success with Vulnerability Response" series of recommended-practice deep-dive webinars continues. After the great feedback from the VR Performance and CI Matching calls earlier this month, I am pleased to share with you the next installment.

 

On Feb 15 & 16, Christopher Walker, Advisory Solution Consultant, Security, and I presented the team's recommendations for being successful with Assignment and Classification Rules.

 

The recording can be reviewed here: 

Vulnerability Response: Deep-dive into Classification and Assignment Rules 

 

Here is the video in a player:

 

 

The slides have also been attached at the bottom, for you to download and reference. 

 

Resources available for this:

ServiceNow Support (login required)

Manage Vulnerable items with no Assignment Group

YouTube Videos

Vulnerability Response Classification Rules and Groups

Vulnerability Response Assignment Rules overview and Tips

 

Additional webinar sharing is scheduled for March 15 & 16, with a deep-dive into Risk Calculators and Remediation Target Rules. Please join us for the insights if these are areas where you would like additional understanding.

 

Cheers,

Elizabeth Skogquist

Sr. Product Success Manager, Security Operations

 

The Q&A from the Classification and Assignment Rules session is available below for your insight:

Q: What could be a training recommendation for process owners to understand how our VR module was configured, so they can pass that knowledge down to the users?
A: Go to the nowlearning.servicenow.com/nowcreate site and search for Vulnerability Response. There is a Security Operations - Product Training Guide that will provide you the details of the curriculum to complete for VR implementation.

Q: What training will teach us the syntax, available keywords, fields, etc.?
A: To learn scripting in ServiceNow, consider the scripting training available here: https://developer.servicenow.com/dev.do#!/learn/courses/tokyo/app_store_learnv2_scripting_tokyo_scri...

Q: We have Assignment Rules applied, but I saw it periodically creates a new Remediation Task. How can we avoid that recurrent Remediation Task creation if we already have one created, or if we plan to handle those VITs by an Exception Rule?
A: The state of the Remediation Task determines whether a VIT is added to an existing VUL or a new Remediation Task is created.

Q: Is this all based upon input from other tools such as Splunk?
A: Classification Rules assess the data coming into the Third-Party Entry of Vulnerabilities defined in your scanner, or the data coming into the Discovered Items table of assets coming in from the scanner.

Q: I know this is specific to VR ... is Configuration Compliance going to support Classification?
A: The Discovered Item table can have a use case for Classification Rules. With CC using the Discovered Items table, you can create them for CC.

Q: Looking at CC I don't see a classification option under administration.
A: For CC there is no CVE, and hence you cannot use the Vulnerability classification; however, you can use the Discovered Item classification, which is applicable for CC as well.

Q: Is there any baseline option to re-run CI Lookup Rules for mismatched Discovered Items?
A: From the Discovered Items table, you can select assets, go to the Action window and select Reapply CI Lookup; or go to the CI Lookup Rules, and if any have been changed so that they have a Reapply flag equal to True, you can Reapply from the CI Lookup listing.

Q: What is the URL for the assignment rules script syntax documentation?
A: To learn scripting in ServiceNow, take a look at the scripting training available here: https://developer.servicenow.com/dev.do#!/learn/courses/tokyo/app_store_learnv2_scripting_tokyo_scri...

Q: What is the order of precedence for assignment rules applying, and what if assignment is updated because of a change in VUL assignment? Assignment seems to overwrite.
A: If the assignment is updated manually at the VI level, then assignment rules would not touch that VI. We have a field at the VI level indicating how the assignment group is derived. If it is manual, rules evaluation would skip those VIs.

Q: Where can we find documentation about the scripting for assignment rules?
A: To learn scripting in ServiceNow, take a look at the scripting training available here: https://developer.servicenow.com/dev.do#!/learn/courses/tokyo/app_store_learnv2_scripting_tokyo_scri...

Q: Can you please specify what you mean by Application vulnerability? Is it Web Application vulnerability or COTS app vulnerabilities?
A: The application vulnerabilities that are discovered by vulnerability scanners are for off-the-shelf software applications.

Q: Why should you avoid using Contains in the assignment rules?
A: A CONTAINS condition is processing intensive, as it crawls across a field to assess whether the value is anywhere within the field. Compare it to an IS statement, where the exact value is the full field value, with no scanning across a field.

Q: Is it ok to have multiple rules with the same execution order?
A: You can have multiple rules with the same execution order, but that doesn't guarantee the order in which they will be executed.

Q: Remediation targets and SLAs are very similar; are there any reasons we would use one over the other?
A: SLAs can only be defined on tables that extend the Task table. With Vulnerable Item set up as a stand-alone table, without extension from Task, the ability to run SLAs on it is not available. As such, Remediation Target Rules are available to define criteria for a due date from creation. Join us in the March webinar for more details on Remediation Target Rules.

Q: What is the best way to differentiate between Application and Host vulnerability? Is there a specific field we can tap into? This question is specifically for Qualys.
A: If you are referring to the Qualys vulnerability scanner, the truest way to check is the content in the summary. The category provided will offer some assistance, but when you get into the general category it's not cleanly one or the other.

Q: How are Watch Topics different from Remediation Task Rules?
A: Remediation Task Rules run during VIT load and provide automation for grouping. Watch Topics are manually created and allow you to have ad-hoc groupings for oversight.

Q: Is there any plan on the table to offer a "reapply assignment" on a small subset of CIs only, rather than all rules on all CIs/VITs? The background job on millions of records is just terrible.
A: The ability to reapply assignment rules on a subset of CIs is currently being worked on. Watch for this enhancement in future releases.

Q: Say you want to group and assign all VITs to a specific user group where the vendor is Canonical and the product is Linux. Is there an advantage or benefit to doing that using an assignment rule only vs. using a classification rule, or a combination of the two?
A: The Classification Rule is mainly to categorize the vulnerabilities, and the result can then be easily used in the Assignment Rules for better performance. Otherwise, deriving the category for each VI during the Assignment Rule execution is going to be performance intensive. As such, it is recommended to categorize with Classification Rules and condition on them in your Assignment Rule.

Q: What effect does having the same execution order number on several Classification Rules have?
A: Rules with similar execution orders are not running at the same time. I would encourage control by giving them a unique order value. Having multiple rules with the same order will execute in a race condition: first accessed, first executed.

Q: Ultimately, we want to automate remediation using Remediation Tasks, and of course assignment of the correct team to a Remediation Task. To that end, how much time do we really need to allocate to assign and/or work individual Vulnerable Items? Why don't we just put the assignment rules on the vulnerability group/Remediation Task and not on the VIT?
A: Remediation Tasks are often grouped by like vulnerability and assignment group, assigning the Remediation Task from VIT.Assignment Group. If you are creating groups and selecting the group for assignment from the group list in your Remediation Task, you'll likely have more Remediation Task Rules. If it can address assignment of all Remediation Tasks, it could be an option.

Q: I want to classify a defined list of subnets with Classification Rules. What's the best way to do this for several hundred subnets?
A: Use the script-based option instead of defining that many rules.
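As an added example of what the script-based option above can look like (this is not ServiceNow code and not from the webinar): the subnet list is compiled once into a longest-prefix-first table, and each Discovered Item's IP is matched against it with integer mask arithmetic instead of one rule per subnet. The `classifyDiscoveredItem` entry point, the `ip_address` field name and the subnet/type table are all assumptions; the subnet data is constructed for the demo.

```javascript
// Added example, not ServiceNow's code. Demonstrates a script-based
// classification of Discovered Items by IP against several hundred subnets.
// The rule entry point and field names are assumptions; the matching is plain
// JavaScript and runs under Node.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer,
// rejecting malformed input so a bad scanner value fails loudly.
function ipToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) throw new Error('bad IPv4 address: ' + ip);
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) throw new Error('bad IPv4 address: ' + ip);
    const octet = Number(p);
    if (octet > 255) throw new Error('bad IPv4 address: ' + ip);
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// Compile the subnet table once: { network, prefix, mask, type }, sorted by
// prefix length descending so the first hit is the most specific subnet.
function compileSubnets(rows) {
  return rows
    .map(r => {
      const [net, bits] = r.cidr.split('/');
      const prefix = Number(bits);
      if (!(prefix >= 0 && prefix <= 32)) throw new Error('bad prefix: ' + r.cidr);
      // Shifting by 32 is a no-op in JS, so /0 is special-cased.
      const mask = prefix === 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) >>> 0;
      return { network: (ipToInt(net) & mask) >>> 0, prefix, mask, type: r.type };
    })
    .sort((a, b) => b.prefix - a.prefix);
}

// Longest-prefix match: returns the Classification Type or null if no subnet
// matches (leaving the item unclassified rather than guessing).
function classifyIp(ip, compiled) {
  const n = ipToInt(ip);
  for (const s of compiled) {
    if (((n & s.mask) >>> 0) === s.network) return s.type;
  }
  return null;
}

// Constructed subnet data (assumption): a few hand-written ranges plus 250
// generated department /24s to stand in for "several hundred subnets".
const SUBNET_RULES = [
  { cidr: '10.0.0.0/8',     type: 'Datacenter' }, // broad catch-all
  { cidr: '10.20.0.0/16',   type: 'OT' },
  { cidr: '10.20.5.0/24',   type: 'OT-Safety' },  // more specific, wins over /16
  { cidr: '192.168.0.0/16', type: 'Lab' },
];
for (let i = 0; i < 250; i++) {
  SUBNET_RULES.push({ cidr: `172.16.${i}.0/24`, type: 'Dept-' + (i % 10) });
}
const COMPILED = compileSubnets(SUBNET_RULES);

// Assumed shape of the script-based Classification Rule hook: it receives the
// Discovered Item record and returns the Classification Type to set.
function classifyDiscoveredItem(di) {
  return classifyIp(di.ip_address, COMPILED);
}

// Stand-alone run: a handful of constructed Discovered Items.
for (const di of [{ ip_address: '10.20.5.17' }, { ip_address: '172.16.37.200' }, { ip_address: '8.8.8.8' }]) {
  console.log(di.ip_address, '->', classifyDiscoveredItem(di));
}
```

Because the table is compiled once and ordered by prefix length, adding or removing a subnet is a data change to `SUBNET_RULES` rather than a new rule record, and overlapping ranges resolve deterministically (most specific first) instead of depending on rule execution order.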
Q: If VITs are manually reassigned to a different classification/team (instead of Platform, assigned to Application), how do we prevent overriding of these records when Assignment Rules are recalculated due to a change?
A: We are working on an enhancement to be able to control the list of VIs in the reapply of assignment rules.

Q: If we used the Classification Type in an Assignment Rule and we change that Classification Rule, will the changes apply wherever that Classification Type is used in re-assignment, or on all VITs?
A: We have some enhancements to let you reassign a specific set of VIs once the Classification Type is changed. Stay tuned. As of now you can also do it, but it will execute on all VITs.

Q: Is it recommended to create an Assignment Rule based on Discovered Item -> Host Tag?
A: Yes, it is reasonable to create an Assignment Rule based on a Discovered Item Host Tag.

Q: Is the assignment group info obtained from the CI or from an Application Service?
A: Depending on the design of your CMDB. If it is an Application Service then you might have to write a script, because there could be multiple Application Services for one CI. But be mindful about the performance. You might rather calculate and store the group at the Discovered Item and use that in the Assignment Rule.

Q: When considering assignment, how are permissions to be configured to differentiate between the Accountable and Responsible party? E.g. the Business Application owner is accountable for the infrastructure supporting the app, but a third-party service is responsible for actually managing the infrastructure (patching, etc.). How can a single VIT be assigned so that the Accountable and Responsible parties can both see the finding? Further, how can the VIT be visible to all parties involved if only one assignment is allowed?
A: You can create an assignment group having all the Accountable and Responsible users in it. Once assigned to that new assignment group, all the users in it will be able to see it; or you can customize the ACL and include both groups in the permissions.

Q: If any VITs are being targeted under different Assignment Rules that were set up using a Contains condition, will using Classification Type solve the problem of correctly assigning the VIT to the correct group?
A: If the logic in the Classification Type makes the Assignment Rule logic correct, it will correct the VIT's group.

Q: Is there any plan to separate OT VR? Because the findings in Tenable are a lot different than network-based scans. This requires quite some adjustment to the assignment and classification rules. Having them separate helps to keep the rules clean.
A: You could use the attribute in the CI to identify whether the asset is OT. We also plan to separate the access for OT VR in future releases.

Q: Where there is no common naming convention for CIs, what is the best way to group CIs of departments to assign to their remediation team?
A: You could define an assignment group in the Discovered Item based on the CI Class and use that in the assignment group. There could be a lot of other ways. Please post your question in the community with more information; we should be able to help you.

Q: Are there any recommendations on using the assignment group from parent CIs? For example, if no assignment group is found at the VM level, can we assign the support group which is set on the server record that the VM is virtualized by?
A: This would be a more complex assignment and would require scripting in the Assignment Rule.
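An added example of the parent-CI fallback asked about above, and of the "skip manually assigned VIs" behaviour described earlier in this Q&A. It is not ServiceNow's code: the CMDB is modelled as an in-memory map, and the field and relationship names (`support_group`, `virtualized_by`, `assignment_derived`) are assumptions standing in for whatever your instance uses. The sample CIs are constructed, including a relationship cycle to show why the walk needs a guard.

```javascript
// Added example, not ServiceNow's code. Models an Assignment Rule script that
// takes the support group from the VIT's CI and, if that is empty, walks up the
// "virtualized by" relationship to the parent server, with a depth limit and a
// cycle guard. CMDB access is an in-memory map; field names are assumptions.

// Constructed CMDB: a VM with no support group whose host server has one, a VM
// with its own group, an orphan with nothing, and a two-node cycle.
const CMDB = {
  vm01:   { name: 'vm01',   support_group: '',                   virtualized_by: 'esx07' },
  esx07:  { name: 'esx07',  support_group: 'Virtualization Ops', virtualized_by: null },
  vm02:   { name: 'vm02',   support_group: 'App Team B',         virtualized_by: 'esx07' },
  orphan: { name: 'orphan', support_group: '',                   virtualized_by: null },
  loopA:  { name: 'loopA',  support_group: '',                   virtualized_by: 'loopB' },
  loopB:  { name: 'loopB',  support_group: '',                   virtualized_by: 'loopA' },
};

// Walk from a CI through its parents until a support group is found.
// Returns { group, from, depth } or null. Bounded by maxDepth and a visited
// set so bad relationship data cannot turn a VIT load into an infinite loop.
function findGroupViaParents(ciId, cmdb, maxDepth = 3) {
  const seen = new Set();
  let current = ciId;
  for (let depth = 0; depth <= maxDepth && current; depth++) {
    if (seen.has(current)) return null;          // relationship cycle: give up
    seen.add(current);
    const ci = cmdb[current];
    if (!ci) return null;                          // dangling reference
    if (ci.support_group) return { group: ci.support_group, from: current, depth };
    current = ci.virtualized_by;                   // assumed parent relationship
  }
  return null;                                     // depth limit reached
}

// Apply the rule to one Vulnerable Item. A VIT whose group was set manually is
// returned untouched, mirroring the "how derived" field the Q&A describes.
function applyAssignmentRule(vit, cmdb) {
  if (vit.assignment_derived === 'manual') return vit;
  const hit = findGroupViaParents(vit.ci, cmdb);
  if (!hit) {
    // Deliberately left unassigned; these are the VITs someone must review
    // for CMDB gaps or a missing rule.
    return { ...vit, assignment_group: '', assignment_derived: 'unassigned' };
  }
  return {
    ...vit,
    assignment_group: hit.group,
    assignment_derived: hit.depth === 0 ? 'rule:ci' : 'rule:parent-ci',
  };
}

// Stand-alone run over constructed VITs.
const SAMPLE_VITS = [
  { id: 'VIT-1', ci: 'vm01',   assignment_group: '',           assignment_derived: '' },
  { id: 'VIT-2', ci: 'vm02',   assignment_group: '',           assignment_derived: '' },
  { id: 'VIT-3', ci: 'orphan', assignment_group: '',           assignment_derived: '' },
  { id: 'VIT-4', ci: 'loopA',  assignment_group: '',           assignment_derived: '' },
  { id: 'VIT-5', ci: 'vm01',   assignment_group: 'App Team X', assignment_derived: 'manual' },
];
for (const vit of SAMPLE_VITS) {
  const out = applyAssignmentRule(vit, CMDB);
  console.log(out.id, out.assignment_group || '(unassigned)', out.assignment_derived);
}
```

Recording how the group was derived (`rule:ci` vs `rule:parent-ci` vs `unassigned`) is what lets a reapply job skip manual overrides and lets you report on how many VITs are relying on the parent fallback, which is a useful signal that CMDB support-group data is missing at the VM level.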
Q: The "Avg Assignment Rules time": is that per imported VIT or per active VITs on the table? Also, what is a good target for "Avg Assignment Rules Time"? Is 46 seconds too long?
A: 46 seconds is the processing time for each creation of a VIT, and is starting to get high. A good target is related to how many VITs are being loaded, and whether the job is completing in an acceptable length of time. If issues arise from the job running long, at 46 seconds assignment rules could be an area to assess for more efficiency.

Q: Classification Rules were introduced in v15; when were Classification Groups introduced? And how are rules and groups related?
A: A Classification Group contains the Classification Rules for a table; they work in conjunction.

Q: Is the Assignment Rule applied per VUL group or per VIT?
A: Assignment Rules are defined to run on the Vulnerable Item, and the Assignment Groups on VITs become available for use in VUL group assignment.

Q: Not dot-walking is difficult when you have hundreds of application support groups across thousands of servers. Simply saying Application\Adobe with classification still doesn't get you to the correct application group for a given CI\application pair.
A: Business use cases will always drive exceptions. As long as processing isn't affected, or you tune to keep processing manageable, it is allowed. Recommendations are to minimize, when possible.

Q: Where in the rule execution process is the Classification Rule run?
A: Classification executes at the creation of a Vulnerability in the Third-Party table if you're running against the Vulnerability, or at the creation of the Discovered Item if you're running against the Discovered Item. So, at the time of loading your vulnerability library or your asset library, respectively.

Q: Where does the Classification Rule sit in the Vulnerable Item process execution?
A: Classification Rules for the Vulnerabilities (Third-Party Entry table) execute at the time of importing the vulnerabilities, and Classification Rules created for the Discovered Item table execute at the time of Discovered Item record creation. The Assignment Rules run at the time of VIT creation.

Q: So, Classification is a higher level of grouping than Classification Type, which is more granular?
A: Correct. Classification determines what Classification Types are available.

Q: Is there any recommended Classification Rule or documentation we can refer to? There are more than 100K vulnerabilities, and I wonder how we can define different Classification Rules for every possible use case.
A: If Classification Rules are defining a Classification Type for assignment, you'll be setting them up based on the need for assignment to your remediation teams. So how widespread support is in your organization will determine the amount of Classification required. Condition filters within the Classification Rule can make it apply against many of the vulnerabilities at once, so there won't be a one-to-one alignment. Most Third-Party tables are around 200K, so it is likely there will be many Classification Rules on the table. The initial setup may take time, but once set up, the automation runs with each data load.

Q: Can this be used to classify Unclassed Hardware for hosts that only the scanner will see and not Discovery?
A: If you are reclassifying the class type of a CMDB CI, that is a different process. This Classification use is more like "tagging" for use in conditioning follow-on processing.

Q: Can a VIT be kept unassigned if it did not match any Assignment Rule? Are there any issues with that?
A: It can be kept unassigned. However, you'll want to be sure someone has the responsibility of assessing all VITs with an empty assignment group, to determine whether data needs to be updated in the CMDB or whether a new Assignment Rule is needed to prevent it from happening in the future.

Q: Does sn_vul.rerun_task_rule regroup the reassigned VITs or ALL VITs?
A: Manually reassigned VITs are always excluded; otherwise it runs against all VITs.

Q: About the reapply: what is the impact of reapply on performance? Any recommended practices?
A: If your VIT table is sizable, up near or over 1M open VITs, adding threads to the background job "Reapply all vulnerability assignment rules (VITs)" (in the Background Job Configuration module) can speed up its execution. The default is 4. Consider 6 or 8, depending on how many nodes are in your instance.

Q: Is there an easy way to determine that you have created rules that step on one another?
A: Only one Classification Rule will apply. So, if you review the resulting Classification Type assigned and your preference is a Classification Type value assigned in a later-ordered rule, you would update your order of execution. Otherwise, there isn't a report, for example, recording that another rule would have applied if it hadn't hit an earlier rule.

Q: Re: execution order. If there are multiple rules that have the same execution order, are they all run at the same time? Any limit or recommendation?
A: Rules with similar execution orders are not running at the same time. I would encourage control by giving them a unique order value. Having multiple rules with the same order will execute in a race condition: first accessed, first executed.

Q: I'd like to create something called platform-application that has a combination of both. Is that a bad practice?
A: The benefit of configuration is that it can be set up so it fits your organization's business needs. If it fits your use case, all is good. I wouldn't see it as a "bad practice".

Q: Is there a certain base VR version this presentation is based on?
A: The capabilities shown in today's session are available with all VR license types; it is configuration in the Vulnerability Response application.

Q: Trying to better understand when to use Discovered Items Classification.
A: The more common use cases are on the Vulnerability table. However, as use cases surface, there is the flexibility to use them on Discovered Item Classification. You may not have a need to define against the Discovered Item classification; there is no harm in not using that table for Classification.

Q: Will the re-apply button apply on the existing applied VITs?
A: The re-apply button on a Classification Group will reapply the Classification Rules on the Vulnerabilities (records in the Third-Party Entry table), or on Discovered Items if the Classification Group was defined for the DI table. The reapply button for Assignment Rules executes on all VITs that are in an Open state and have not been manually reassigned.

Q: I really struggle with the "Group by" ... "And then from" options. When does the "And then from" come into play? Why doesn't the first "Group vulnerable items from..." work well enough?
A: The second level of grouping break-out allows different groups who own assets with the same vulnerability to have a group specific to their assets. If there wasn't a second level by assignment group, the vulnerability as a single-level grouping could have assets that are the responsibility of multiple groups. If your organization doesn't present this diversity, it may be more confusing to recognize.

Q: So, you advocate only assigning VIs that you intend to then have in a Remediation Task? We have approached it as trying to have as close to 100% of VIs assigned, then cherry-picking the more critical VIs to go into Tasks that we want people to be closing. In this way we can report "Risk" in terms of all VIs that roll up to CI, App teams, Business Unit, etc.
A: The use of assignment also playing into the grouping is common practice. If your discipline for assigning for remediation is limited to the more critical VIs, that seems logical. Most organizations do not have the bandwidth to address remediation on every vulnerability discovered, so they need a program that prioritizes remediation of those with the highest risk/exposure or highest-impact applications. I would suggest having your grouping rules conditioned to only apply on the more critical VIs; then you'll be able to leverage the automation provided.

Q: Is there anything to handle multiple application teams on one VIT? For example, if there is a vulnerability for Java, and a server has multiple applications that may use the Java, it would affect all app teams sitting on that VIT, but only one VIT is created for the server. It has been a struggle to select one specific app team for remediation while it is really the responsibility of all app teams on the server.
A: This may be a use case for Watch Topics in the Workspace, where multiple Remediation Efforts can be used.

Q: When entering the Assignment Rules table, the transaction takes over 1 minute. Is this expected behavior?
A: This will differ by platform and the number of Assignment Rules in the list; however, 1 minute seems long for opening the Assignment Rule listing. You might open a support case to have it reviewed.

Q: We mentioned that we need to avoid dot-walking in the Assignment Rule condition if possible, but whether we use the Third-Party record's Classification field or the Discovered Item Classification to determine the dynamic group (in the Assignment Rule), we are actually using dot-walking here. So is it the right way?
A: I understand the use of dot-walking to get to the Classification Type. Best practice is to minimize the use of dot-walks. The benefit of using dot-walking to get to the Classification Type outweighs the detriment of using CONTAINS to search for content in the vulnerability.summary field.

Q: Not dot-walking is difficult when you have 100
A: Understood; simply minimize where possible.

Q: Sorry, how are these Classification Rules going to help the assignment of vulnerabilities?
A: Using Classification Rules to add a Classification Type allows you to use a direct IS condition in Assignment Rules instead of a CONTAINS condition, which is processing expensive.

Q: Can I get a recording of this session to download?
A: We are looking into getting approval to publish the recording and the slides.

Q: Are there general definitions for what the "Classification" field should be used for versus the "Classification type" field?
A: The OOB definition for Classification is Application or Platform. The Classification Type choices are dependent on the selection of Classification. You also have the capability to edit these choice tables to add additional Classification Types as your organization may need.

Q: Is it okay to use dot-walk fields in Classification Rules?
A: Yes, dot-walk fields can be used, given that they are recommended to be set up on low-volume tables.

Q: When you select a Classification, we would like to only show certain Classification Types. Is that the normal practice?
A: Classification Types are dependent on the Classification selected. If that's what's intended, then it is doing so by design.

Q: Going back to the Unclassed Hardware question: can you use Discovered Item classification for this? I have not been able to find examples of using Discovered Item classification.
A: One use case for building Classification Rules on the Discovered Items is if they have Host Tags imported from the scanner.

Q: So if a VIT is assigned to group A based on Assignment Rules, and then in VUL group assignment the VUL which is relevant to that VIT is configured to assign to group B, will that VIT finally be assigned to B instead of A? In other words, does VUL assignment overwrite VIT assignment?
A: The VITs will assign first, based on processing order. The VUL Group assignment will follow. The VUL assignment will overwrite the VIT assignment. You can test by going to a VUL, entering a new assignment group, updating, and observing the change of assignment group on all the VITs.

Q: Can the Classification Rules be overridden when there are conditions at the parent/child level?
A: A Classification Rule is used to set a value; consider it like a flag. If the flag isn't applicable, you would be scripting around it in the Assignment Rule for parent/child conditioning.

Q: Which Classification Rule is recommended? Classification Rules on the Discovered Items table or the Vulnerable Entry table?
A: Depends on your data. Differentiating vulnerabilities for assignment to application teams vs. host teams makes the use case of Classification Rules on Vulnerable Entry favorable. If you have Host Tags being imported from your scanner that will provide insight for assignment, then the use case for Classification Rules on Discovered Items is beneficial.

Q: Will the newly added Classification Type/Classification that are added in Classification Type under set values be visible under Third-Party?
A: As Classification Types are assigned to Third-Party Entry records, the Classification Type values, new or old, will display on the record. You will want to update the listing on the Third-Party Entry to include Classification Type to see the assigned value.

Q: When we create a new Classification Type and call those rules in Assignment Rules, why are we unable to see the Classification Type in the pop-up?
A: Assignment Rules are created on the VI table, and Classification Type is likely being created on the Vulnerability table. The condition created will include a dot-walk from the VI Vulnerability field to the Classification Type field (Vulnerability.Classification Type).

Q: Where in the community is the recording for the CI Matching?
A: https://www.servicenow.com/community/secops-forum/recommended-practices-for-ci-matching-success-cust...

Q: Got error: "Job exceeded processing time and was forced to complete status." when the integration runs from the Prisma Cloud Vulnerability run. Any idea how to resolve?
A: Reduce your chunk size, increase data sources, and review KB1157979 for the details for the scanner you are utilizing. The KB is located on support.servicenow.com, where you will need to log in to get access.

Q: Do you recommend using the Remediation Task Rules, or is it better to use Remediation Effort creation (incl. creating tasks) in the Workspace? In other words, what are the advantages of using a Remediation Effort?
A: Remediation Efforts come from an ad-hoc understanding of the need for remediation and assigning the work from the Watch Topic in the Workspace. Remediation Task Rules will automate the masses of Remediation Tasks across all VITs that fit the defined conditions in the Remediation Task Rule(s).

Q: Is the downside of using Contains just the processing? We utilize that a lot in our Assignment Rules, as Classification Rules were not available when we initially created our assignment and task rules.
A: The CONTAINS condition is processing intensive. If your Vulnerable Item table is small, you may not have performance issues. Be aware that as it grows, the opportunity to add efficiency by converting to Classification Rules is beneficial and recommended for high-volume VIT tables.

Q: Still, this expects us to populate the assignment info on all CIs, which can be several 10,000s. That's next to impossible. Any better way to achieve this?
A: The maturity and build-out of a CMDB can take years and will continue to iterate with updates. If the CMDB data isn't available for you to use a CI field assignment, assign with the use of a selected User Group in your Assignment Rules.

Q: Does the rerun_task_ only regroup reassigned VITs, or does it regroup all the VITs?
A: The property controls whether, when a VIT is reassigned, it needs to be removed from a grouping and added to a different one based on the new assignment group.

Q: What is the Scheduled Job name that needs to be activated for reapplying VR Assignment Rules?
A: The scheduled job name to reapply updated Assignment Rules is: Reapply all vulnerability assignment rules

Q: What is the "average" number of Assignment Rules you see used? For example, we use 45 Assignment Rules.
A: Unfortunately, an average number is hard to come by. I would say 45 is not an unreasonable number, if they are designed efficiently and you are not seeing any performance hits when loading VITs.

Q: After the creation of an Assignment Rule, the VITs are created, but the VULs are not specific to that particular Assignment Rule. Is that how SNOW SecOps VR works?
A: VULs will assign based on the Remediation Task Rule "Assign" definition. Assignment Rules run on VITs.

Q: For the sn_vul.rerun_task_rules property: is this something that we could leave true at all times? Some organizations will make updates to Assignment Rules and reapply them in Production instances. This would save them having to reapply their Remediation Task Rules manually.
A: Yes, once it is understood what the property will do and it is determined that it is wanted, once activated it can remain active going forward.

Q: If we need to avoid "contains" (like using a naming convention for an Assignment Rule), we need to create a classification with the naming convention, then use that for assignment?
A: Yes, to avoid CONTAINS as a condition in the Assignment Rules, it is likely a Classification Rule can assign a Classification Type that can be used in the Assignment Rule condition builder for better efficiency. Recognize that the use of CONTAINS in a Classification Rule against the Vulnerability table is executing on a (commonly) much smaller table than the VIT table where Assignment Rules are run.
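The CONTAINS-versus-IS point comes up in several answers above (why to avoid Contains, classify first and condition on the type, and the note that CONTAINS in a Classification Rule runs against the much smaller vulnerability table). The following is an added illustration in plain JavaScript, not ServiceNow code: it runs a CONTAINS-style match once per vulnerability to set a Classification Type, then assigns each Vulnerable Item with an exact match on that type, and counts how many substring scans each approach needs. The vulnerability rows, rule fields and table shapes are constructed assumptions; first-match-wins ordering follows the "only one classification rule will apply" answer.

```javascript
// Added example, not ServiceNow's code. Models the two-stage pattern from the
// Q&A: Classification Rules run a CONTAINS match once per vulnerability (small
// table); Assignment Rules then run per Vulnerable Item (large table) with an
// IS match on the precomputed Classification Type. Data and rule shapes are
// constructed assumptions.

const VULNERABILITIES = [ // constructed Third-Party Entry rows
  { id: 'QID-1', summary: 'Adobe Acrobat Reader multiple vulnerabilities' },
  { id: 'QID-2', summary: 'Oracle Java SE remote code execution' },
  { id: 'QID-3', summary: 'Microsoft Windows SMBv1 remote code execution' },
  { id: 'QID-4', summary: 'Canonical Ubuntu Linux kernel privilege escalation' },
  { id: 'QID-5', summary: 'Adobe Flash Player use-after-free' },
  { id: 'QID-6', summary: 'OpenSSH weak key exchange algorithms' }, // matches nothing
];

// Classification Rules, lowest order first; only the first match applies.
const CLASSIFICATION_RULES = [
  { order: 100, contains: 'adobe',   classification: 'Application', type: 'Adobe' },
  { order: 200, contains: 'java',    classification: 'Application', type: 'Java' },
  { order: 300, contains: 'windows', classification: 'Platform',    type: 'Windows' },
  { order: 400, contains: 'linux',   classification: 'Platform',    type: 'Linux' },
];

// Assignment Rules on the Vulnerable Item: exact (IS) match on the type.
const ASSIGNMENT_RULES = [
  { order: 100, type: 'Adobe',   group: 'Desktop Apps' },
  { order: 200, type: 'Java',    group: 'Middleware' },
  { order: 300, type: 'Windows', group: 'Windows Platform' },
  { order: 400, type: 'Linux',   group: 'Linux Platform' },
];

// The pattern the Q&A warns against: CONTAINS on vulnerability.summary
// evaluated inside every Assignment Rule, i.e. once per VIT.
const CONTAINS_ASSIGNMENT_RULES = CLASSIFICATION_RULES.map(c => ({
  order: c.order, contains: c.contains,
  group: ASSIGNMENT_RULES.find(a => a.type === c.type).group,
}));

const byOrder = rules => [...rules].sort((a, b) => a.order - b.order);

// Stage 1: classify each vulnerability once; count substring scans performed.
function classifyVulnerabilities(vulns, rules) {
  const sorted = byOrder(rules);
  let scans = 0;
  const classified = vulns.map(v => {
    const hay = v.summary.toLowerCase();
    for (const r of sorted) {
      scans++;
      if (hay.includes(r.contains)) return { ...v, classification: r.classification, classification_type: r.type };
    }
    return { ...v, classification: null, classification_type: null };
  });
  return { classified, scans };
}

// Constructed VIT table: every host has every vulnerability.
function buildVulnerableItems(vulns, hostCount) {
  const vits = [];
  for (let h = 0; h < hostCount; h++) {
    for (const v of vulns) vits.push({ id: `VIT-${h}-${v.id}`, host: `host${h}`, vulnerability: v.id, assignment_group: '' });
  }
  return vits;
}

// Stage 2: assign per VIT using one dot-walk to the type and an IS match.
function assignWithClassificationType(vits, classifiedVulns, rules) {
  const byId = new Map(classifiedVulns.map(v => [v.id, v]));
  const sorted = byOrder(rules);
  return vits.map(vit => {
    const type = byId.get(vit.vulnerability).classification_type;
    const rule = sorted.find(r => r.type === type); // no substring scanning
    return { ...vit, assignment_group: rule ? rule.group : '' };
  });
}

// The expensive alternative: CONTAINS scan per VIT per rule.
function assignWithContains(vits, vulns, rules) {
  const byId = new Map(vulns.map(v => [v.id, v]));
  const sorted = byOrder(rules);
  let scans = 0;
  const assigned = vits.map(vit => {
    const hay = byId.get(vit.vulnerability).summary.toLowerCase();
    for (const r of sorted) {
      scans++;
      if (hay.includes(r.contains)) return { ...vit, assignment_group: r.group };
    }
    return { ...vit, assignment_group: '' };
  });
  return { assigned, scans };
}

// Run both approaches and report scan counts plus whether results agree.
function runComparison(hostCount) {
  const { classified, scans: classificationScans } = classifyVulnerabilities(VULNERABILITIES, CLASSIFICATION_RULES);
  const vits = buildVulnerableItems(VULNERABILITIES, hostCount);
  const viaType = assignWithClassificationType(vits, classified, ASSIGNMENT_RULES);
  const viaContains = assignWithContains(vits, VULNERABILITIES, CONTAINS_ASSIGNMENT_RULES);
  const identical = viaType.every((v, i) => v.assignment_group === viaContains.assigned[i].assignment_group);
  const groupCounts = {};
  for (const v of viaType) groupCounts[v.assignment_group] = (groupCounts[v.assignment_group] || 0) + 1;
  return { vitCount: vits.length, classificationScans, containsScans: viaContains.scans, identical, groupCounts };
}

console.log(runComparison(50));
```

With 50 hosts the two approaches produce identical assignments, but the classify-once path performs 15 substring scans in total (one pass over the six vulnerabilities) while the per-VIT CONTAINS path performs 750, and that second number scales with the VIT table rather than the vulnerability table. The unmatched `QID-6` items are left with an empty group in both cases, which is the "someone must review unassigned VITs" case from the Q&A.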
Q: What I like about Assignment Rules, utilizing the support group of the CI, is that changes can be made at the CI level and don't require a "code" change. With Classification Rules, I suppose any change will require a "code" change (and go through DEV/UAT/PROD), which is a lengthy process for us.
A: Yes, using a data-driven Assignment Rule is ideal. Encourage this use case whenever possible. Classification Rules will be beneficial to condition on when assignment may go to a group other than the one on the CI record.

 

 

2 REPLIES

Eric Feron
Moderator

Here is the video in a player:

Eric Feron
Moderator