VRM Application Behavior - False Positive Closure | Reopen of VIT | Best Practice on SLA

VIVEK ANAND
Mega Guru

Version: Orlando

  1. A VIT or VUL is tagged as Closed Manually and the reason for closure is a false positive. What will happen in the next Vulnerability Import? Will the system re-open the manually closed item, or will it do nothing?
  2. A VIT is remediated, the Vulnerability Scanner acknowledged the remediation, and the VIT is marked as closed by the system automatically. How will the system behave if the same vulnerability is identified after a few months?
  3. What is the best way to track SLA at the group level considering the vulnerability Deferment scenario? i.e., at the VIT level, once the target is set by the remediation rule, the system doesn't really change it when your VIT deferment gets approved. What's the best way to keep the SLA from being breached? What's the best practice suggested by ServiceNow?
1 ACCEPTED SOLUTION

Target Rules conditions were set to exclude the VIT deferred state. This automatically removes the deferment date and deferment status field. Doing this helped to resolve the above issue.

 

Just posting the details here to make sure it helps others. 

 

Thanks!

5 REPLIES

VIVEK ANAND
Mega Guru

I have raised HI tickets, checked different sources, and understood the behavior of the VRM Application:

Questions:

  1. A VIT or VUL is tagged as Closed Manually and the reason for closure is a false positive. What will happen in the next Vulnerability Import? Will the system re-open the manually closed item, or will it do nothing?
  2. A VIT is remediated, the Vulnerability Scanner acknowledged the remediation, and the VIT is marked as closed by the system automatically. How will the system behave if the same vulnerability is identified after a few months?
  3. What is the best way to track SLA at the group level considering the vulnerability Deferment scenario? i.e., at the VIT level, once the target is set by the remediation rule, the system doesn't really change it when your VIT deferment gets approved. What's the best way to keep the SLA from being breached? What's the best practice suggested by ServiceNow?

Correct Answers:

  1. A VIT closed manually as False Positive will not reopen (Source: Tenable Support and ServiceNow HI Ticket).
  2. Any VIT closed as Fixed will be reopened if it is observed again in the environment (Source: Tenable Support and Pending Confirmation from Tenable Support). Also, the OOTB reopened boolean field on the VIT table supports this confirmation from Tenable support, so it makes sense.

(Not sure on the below, but I haven't seen a better suggestion than the below.)

For the 3rd question: the SLA run at the VUL will look at the remediation target date at the VUL (this is the earliest target from the VITs), and the ServiceNow traditional SLA is just helping in terms of sending the reminder to the remediation owner. There is no pause condition to it upon deferment.

As customers treat remediation SLA as a numbers game, having no pause condition or ability to adjust the remediation target upon deferment at the item level is the root cause for having no pause condition of SLA at the Group level.

Any better suggestions on question 3 are welcome!

 

Regards,

Vivek