Vulnerability Response Notifications

Khanna Ji
Tera Guru

‎12-22-2018 05:21 PM

Hi Team,

Can you please explain me the below vulnerability response notifications? I am finding it hard to understand them.

Appreciate your efforts and time.

find_real_file.png

Preview file
60 KB
0 Helpfuls
  • 1,789 Views
7 REPLIES 7

Uncle Rob
Kilo Patron

‎12-22-2018 08:08 PM

Haven't fully deconstructed this app, but here are my best guesses.

Vulnerable Item Deferment is Expiring - You can defer the warning on a vulnerable item.  Basically "I know, but authorize its vulnerable state temporarily".  This notification reminds you that the deferment interval is ending.

Remediation Target Rule - vulnerabilities will require remediation.  This rule notifies when the target date of the remediation is upcoming.

Vulnerable Item Reactivated - Self explanatory.  A previously vulnerable item has been reactivated and still vulnerable.  

Khanna Ji
Tera Guru
In response to Uncle Rob

‎12-22-2018 08:20 PM

1) At what interval the notification is sent? 2) When will it stop sending notification? Does it stop after deterred time? 3) What if the Deferred time is already elapsed or deferred time is in past date than current? 4) At what time system sends out notification in a day or week or what?
0 Helpfuls

Uncle Rob
Kilo Patron
In response to Khanna Ji

‎12-31-2018 07:07 AM

This would all depend on which of the notifications we're talking about.  Each of them could have different answers.

look at the firing conditions of each of them.  Are they database transaction based or event based?  If they're transaction based (on X update with conditions of X,Y,Z) then they aren't fired on intervals.  If they're event based then look through your scheduled jobs for scripts that contain the event names.  You'll also need to pound through any workflows related to that task table to see if any of them are firing that event as an activity.

 

0 Helpfuls

jonathanwalker
ServiceNow Employee
ServiceNow Employee

‎01-03-2019 09:15 AM

Robert is right on point with his replies.

These notifications are going out to the groups you as a customer have specified.

The notifications are triggered based on 

  • When a deferred vulnerable item (a vulnerable item that has an exception that has been "approved")...when that deferred date is coming up for expiration
  • When the Remediation Target (SLA) for a specified vulnerable item is going past target.
  • When a vulnerable item that was in a closed state, goes back to open (most likely because it was closed manually / in the record by a remediation owner, and the scanner found that vulnerability again on the host).

Thanks.

0 Helpfuls