Vulnerability item(VIT) did not close after 90 days of last detection

bharanikumar20
Tera Expert

Hi, 

Vulnerability items needs to be closed after 90 days of last detected date as per the configuration but one of VIT did not close 

The VIT is currently under "In review" status

Under the detection tab, the last found date is 26-07-2024 21:38:55

4 REPLIES 4

andy_ojha
ServiceNow Employee
ServiceNow Employee

Hey there...

 

On the Auto-Close Rule configuration, can you share what the configuration currently looks like for the "Condition" and "Ignore deferred items".

 

https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/vulnerability-respo...

 

Would start by confirming the setting employed for "Ignore deferred items" in your Auto-Close rule:

  • If the box is checked it will not close the VIT that is in Deferred for In Review State

 

----------------------------------------------------------


On the observed Vulnerable Item record here, how many Detection records are associated to it, is there only one Detection?

 

What are the Status and Last Found values on the associated Detections for that VIT?

 

 

Hi, Thanks for your reply

I have checked the Auto close configuration and

The option " Ignore stale detections for deferred VIs "  is enabled 

 

There is only one Detection and its status is "Open" also source status is also "Open"

The Last found date is 26-07-2024 21:38:55

Unfortunately am unable to share the screenshot.

 

Hey there - sounds good.

 

On your Auto-Close configuration - when you open the list of records, how many show Active = True?

What condition, have we specified on the Active Auto-Close Rules?

 

What is the "Integration Type" selected on the Auto-Close Rule?

There also is a check, depending on the 3rd party scanner being used - to see if we have recently run the "Comprehensive Job" that is shipped with the relevant Store App for that Scanner (e.g. Rapid7 Comprehensive Job)
- Can you check to see if you have a Comprehensive Job and if it was recently ran within the past 7d?

 

You can read which integrations require running the Comprehensive Job for the Auto-Close feature:

https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/vulnerability-respo...

This may help further diagnose what is occurring.

I'd also suggest opening a NOW Support Case in the interim to help triage the issue - as sometimes seeing the configurations hands-on will help identify what is occuring much quicker.

Hi, Thanks , I have submitted a case CS7905560.

Also any reason why am unable to access the link you provided

 

https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/vulnerability-respo...