Vulnerability Response ACTIVE definition

Joe Kline
Kilo Guru

Thanks in advance to anybody that can clarify what I thought I knew versus what I am finding because a few dashboard widget reports are giving me grossly different results.  This may sound like a total newbie situation, but ....

 

I have three reports that generate data from the Vulnerable Items table to attempt to present quantities of VITs sliced and diced by different perspectives - with titles that would imply I should see the same volume of counts.  In one case it groups them by the Risk Rating, another groups them by the State, and a third multi-pivots them by Company/Rating and Remediation Status.  Since the order of magnitude of the various displays was "off" - I dug deeper into how each report is filtered to try and confirm what is happening to cause the unexpected differences in total.

In one report, I do not use Active = True as a filter where both the other reports did have that.  In the one without it, I limit by filtering for State not in (Closed, Deferred).  An obvious reason for some of my discrepancies in total counts when the group by State report was only filtering out Closed.  But while digging in - I found in that third report there is no State filter, only Active = True and grouped by the Risk Rating - where I found a bunch of "Closed" VIT records being included.

 

I thought Active = False and Closed had at least some equivalence to the concept of an active record is "open" and going through the process at any one of the states along the way and once Closed, they are no longer "Active".

 

Did I just totally oversimplify that understanding, or do I have it thought out correctly and thus have some other processing issue where a Closed VIT is not setting the Active field correctly to correspond?  If not, then I would have to ask why so much emphasis on using Active = True, indexing that field in the database ... rather than utilize other more appropriate fields (like State), and index that field for performance to ensure we get the correct consistency in how we report things?

 

Appreciate any education y'all might offer,

Joe


andy_ojha
ServiceNow Employee

Hey there - your assumptions about Active (False, True) are certainly valid for Vulnerable Items, along with relying on the Active flag for indexes (and even a bunch of core logic within the VR app itself)...

 

Two items caught my eye here:

1) In your report, filtered by [STATE | NOT IN | (Closed, Deferred)]
  -> That is not equivalent to [ACTIVE | IS | TRUE]
  -> Deferred records have their Active flag set to True (not False)
  -> As you noted, this would cause some discrepancy across those reports

 

2) Where you have records with Active set to True, and State set to Closed
  -> This is concerning and generally should not occur for Vulnerable Items 
  -> Perhaps you can spot check values such as the (Reason, Closed By, Close Notes, Closed (date)) on those records
  -> Any chance we have run some script in the past, to modify the States of records (perhaps to force close them, retrofit values on them, etc) and maybe bypassed executing biz rules?
  -> If you were to look at all records with State = Closed, and perhaps Group by 'Active' .. what % have Active set to True?

Thanks!  That at least makes me feel better that I am not totally out in left field, and really need to scrutinize reports (not only those I write, but that SN writes that I try to take advantage of).

 

To your point of forcing things and not running biz rules - I don't "think" we have done any of that, but I can't swear to it given the number of my team members that also have admin rights in places.  Given the level of customizations done when we implemented, I certainly won't discount the possibility, as you have asked it.

 

Doing the Closed, group by Active suggestion - I have 7.9M+ closed active false, and 51,648 Closed Active True (0.645%).  So it is at least a very small portion of my mess here, thankfully.  Although small percentage then also adds to the difficulty in gaining traction, priority, and detailed analysis to figure out just what is different on those values.  To your item 2 second arrow bullet - I have mostly "empty" values in Reason, Close, and Closed By for those 51K records.
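
The reconciliation discussed in this thread, as an added example that is not part of the original posts: it compares the `Active = True` population with the `State NOT IN (Closed, Deferred)` population and isolates the Closed-but-Active records with empty close fields. It is plain JavaScript over constructed rows, not a ServiceNow API call, and the property names are hypothetical.

```javascript
// Constructed sample rows standing in for Vulnerable Item records.
// Property names (number, state, active, closedBy, closeNotes) are
// hypothetical keys for this example, not the platform's column names.
const sampleRows = [
  { number: "VIT-A", state: "Open", active: true, closedBy: "", closeNotes: "" },
  { number: "VIT-B", state: "Open", active: true, closedBy: "", closeNotes: "" },
  { number: "VIT-C", state: "Deferred", active: true, closedBy: "", closeNotes: "" },
  { number: "VIT-D", state: "Closed", active: false, closedBy: "analyst1", closeNotes: "Patched" },
  { number: "VIT-E", state: "Closed", active: false, closedBy: "analyst2", closeNotes: "Decommissioned" },
  // Anomaly: Closed but still Active, with empty close fields.
  { number: "VIT-F", state: "Closed", active: true, closedBy: "", closeNotes: "" },
];

function reconcile(records) {
  // Build the set of record numbers matching a report filter.
  const pick = (pred) => new Set(records.filter(pred).map((r) => r.number));
  // Members of set a that are missing from set b.
  const diff = (a, b) => [...a].filter((n) => !b.has(n));

  const byActive = pick((r) => r.active === true);
  const byState = pick((r) => !["Closed", "Deferred"].includes(r.state));
  const closed = records.filter((r) => r.state === "Closed");
  const closedActive = closed.filter((r) => r.active === true);

  return {
    activeCount: byActive.size,
    stateCount: byState.size,
    // Expected members: Deferred records. Unexpected: Closed-but-Active.
    onlyInActiveFilter: diff(byActive, byState),
    // Non-closed, non-deferred records whose Active flag is False.
    onlyInStateFilter: diff(byState, byActive),
    closedActive: closedActive.map((r) => r.number),
    // Closed-but-Active records with no close data: candidates for a
    // state change that did not go through the normal close logic.
    closedActiveNoCloseData: closedActive
      .filter((r) => !r.closedBy && !r.closeNotes)
      .map((r) => r.number),
    closedActivePct: closed.length ? (100 * closedActive.length) / closed.length : 0,
  };
}

console.log(reconcile(sampleRows));
```
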