Vulnerable items and Vulnerability groups status changes

Khanna Ji
Tera Guru

Hi All,

I have gone through the state changes between vulnerable item and group but have some questions unanswered.

https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/concept/vulnerabillity-states.html#VulnerabilityStates

1) When all vulnerable items associated to a group are closed, does the system close the group automatically? (When I manually closed items, it did not close the group. Does this happen when integration runs?)

2) When I open one of the vulnerable items from a closed group, does the system open the vulnerability group? (When I manually opened a vulnerable item, the group did not open. Does this happen when integration runs?)

Please help me to understand these transition states.

1 ACCEPTED SOLUTION

jing3
Mega Guru

The out of box business rule to handle the change is "Closed-fixed roll up to group level" (on Madrid). Get to this via the Vulnerable Item list view, config > business rule.

8 REPLIES

Chris McDevitt
ServiceNow Employee

What Andy said is correct. What I think you are missing is the Group concept. ServiceNow Vulnerability Response is designed to take an overwhelming number of Vulnerabilities and group them into a related bundle that can be assigned to a team to remediate.

For example, you could create a group rule to create a number of groups by Vulnerability and Operating system (Vulnerability + CI = VIT, Related VIT = Vulnerability Group). So, if there is Vulnerability123 on Windows, then all hosts with Vulnerability123 would be grouped together as Vul123-Windows and could be auto-assigned to the Windows Server team for remediation. Further, let's pretend that Vulnerability123 is fixed by KB321 and I work for the Windows Server team.

I then look for My Team Vulnerability Groups and assign the GROUP to myself. I do the research, create the change and apply the fix of KB321. I then CLOSE the Vulnerability Group and all Vulnerabilities are also automatically closed. When closing the Group, I also set it to close now and wait for the next scan to verify.

When the Integration runs it looks for the matching Qualys State in the underlying vulnerability; if they are all closed then the Vulnerability Group stays Closed... but if a Vulnerability is still open, then the Vulnerability Group is re-opened.

Once a Group is closed it is CLOSED. You cannot and should not add Vulnerabilities to a Closed Group. As a matter of fact, the Vulnerability integration run will create a NEW Group if the group rule matches on a Closed group.

In summary, have the teams work at the Vulnerability Group level. The Vulnerability Group level controls the underlying Vulnerabilities during the closing process. The integration run can verify or reopen the Vulnerability group if it is not closed (resolved).

Please mark this as correct or useful so others can benefit from our conversation.

Nicole Allen1
Kilo Contributor

Hey Chris,

So when ServiceNow PS implemented Vulnerability Response at our organisation, they had changed the values of the sub-state. So I think the job which checks for the State = Closed, Substate = Fixed is looking for the integer value. So we are in a position now where the job is not closing a Vulnerability Group even though all Vulnerable Items are closed. I also tried raising a support ticket but the response was that it's unsupported (even though ServiceNow implemented it). So the question is - where can I find this job in the VR module and how can I change it so that it only looks for a state change and ignores the sub-state value?

Thank you!!

Hey Nicole,

Are the Vulnerable Items in your environment getting set to a State of Closed / Substate of Fixed?

If you check out the choices available on the {substate} field, for the Vulnerable Item table [sn_vul_vulnerable_item], what label do you see that corresponds to the value of 4? 

  • You can swap your instance name in this URL to get the list of values:
    • https://[INSTANCE_NAME].service-now.com/sys_choice_list.do?sysparm_query=nameSTARTSWITHsn_vul_vulnerable_item%5EelementSTARTSWITHsubstate

The auto-close behavior of the Vulnerability Group is controlled by a Business Rule called "Closed-fixed roll up to group level" - e.g. close the Vulnerability Group (State = Closed, Substate = Fixed) when all associated Vulnerable Items are set to (State = Closed, Substate = Fixed).
