VIT Reopened when new VIT should be created

Michael H1
Tera Guru

‎09-30-2024 10:32 AM

Hi,

 

The title may not be representative of what should necessarily be occurring but it's what I feel should occur based on the behavior. Has anyone seen an issue in which a VIT is reopened months or even a year after it was originally resolved, in which an entirely new VIT should be created in its place?

 

As an example, a machine may have a Microsoft Channel vulnerability listed and updating Office will result in the VIT auto-closing. It will, however, potentially reopen months or even a year (presumably even years later as we continue to use Vulnerability Response). This, in my opinion, should not be expected behavior, despite what https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1005922 may document. A VIT first discovered in, say, November of 2023 that is resolved, should not be re-opening nearly a year later just because the threat/summary is the same. An entirely new VIT should be opened, in my opinion. This hurts us because the remediation target dates are not updated so it appears that there are VITs nearly a year old when in reality the Office version/channel only recently became unsupported, not that a machine has been out of compliance for nearly a year.

 

We are on an older version of this integration and need to upgrade. Has anyone observed this same behavior in newer versions?

Example activity history of a VIT that will continue to re-open and re-close indefinitely:

VR_Activity_Example.png

0 Helpfuls
  • 1,040 Views
3 REPLIES 3

Vrushali Udapur
Tera Contributor

‎10-12-2024 10:39 AM

Hi @Michael H1, yes, this is expected behavior. Please check the detections associated with the VIT. Whenever a VIT is reopened, a new detection gets created. Since discovered item and VIT is available in ServiceNow, for a new detection system will re-open the VIT. 

0 Helpfuls

Michael H1
Tera Guru
In response to Vrushali Udapur

‎10-21-2024 10:45 AM - edited ‎10-21-2024 10:47 AM

Do you know if customization needs to be built out to update the remediation target date, then? Because when a VIT is rediscovered/resurfaced, that date does not also get updated for us, which does not seem correct.

Over time, rediscovered VITs will result in many machines being out of compliance because the original remediation date calculated was, say, November 2023, and then it is not updated when the VIT is rediscovered. I would think the remediation target date should be recalculated/reset based on when a VIT is rediscovered after having been previously resolved/closed.

kiransunkar
Tera Contributor

‎10-21-2024 12:58 PM

Hi Michael ,

yes I agree with your comment . remediation target needs to by dynamic based on the detection date if rediscovered 

0 Helpfuls