Vulnerable items closed and reopened by scanner

tkrishna29
Giga Guru

Hi,

Some of our Vulnerable items get closed by the scanner and get reopened by the scanner after a few days if it finds the detection. These VITs are already part of a Remediation task (a.k.a. Vulnerability group). If the group is in the "Under Investigation" state, we see that when the VIT gets reopened, it is being assigned to a new group. For the same VIT, we will have 2 different groups and it gets confusing for the remediation owner assigned to the first group.

Is there a way I can control that behavior so that the VIT will not have a new group created and set the state of this item to "Under Investigation"?

I'm just wondering which script includes/job controls this behavior and if needed I'll work on customizing it.

 

Regards,

Krishna

 

1 ACCEPTED SOLUTION

tkrishna29
Giga Guru

Thank you, Chris. auto_refresh for the groups other than in the Open state is set to false, which causes any newly opened VITs to be created in a new group.

I was thinking about implementing a solution along these lines.

Find all the open VITs in a group which is in the "Under Investigation" state. Check if there is any other VUL group associated with that VIT using the same group rule. This indicates that the item is in duplicate groups (one group in the Open state and the other in the Under Investigation state). Mark the newly created group as duplicate (in the description) and add the original group name in the work notes. This helps the remediation team to cancel to easily see that these VITs are related to a duplicate group.
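
The duplicate-group check described in the post above, as an added example that is not part of the original thread or ServiceNow's own code. It is plain JavaScript over constructed in-memory records; the record numbers, field names and rule labels are hypothetical stand-ins, not the Vulnerability Response table schema.

```javascript
// Constructed sample records. Names, fields and rule labels are hypothetical,
// not the Vulnerability Response schema.
const groups = {
  VUL0001: { state: "Under Investigation", rule: "by-ci-owner", description: "", workNotes: [] },
  VUL0002: { state: "Open", rule: "by-ci-owner", description: "", workNotes: [] },
  VUL0003: { state: "Open", rule: "by-vulnerability", description: "", workNotes: [] },
  VUL0004: { state: "Under Investigation", rule: "by-ci-owner", description: "", workNotes: [] },
};
const vitState = { VIT0010: "Open", VIT0011: "Closed", VIT0012: "Open" };
const links = [ // [VIT, group] membership pairs
  ["VIT0010", "VUL0001"], ["VIT0010", "VUL0002"], ["VIT0010", "VUL0003"],
  ["VIT0011", "VUL0001"], ["VIT0012", "VUL0004"],
];

// For every open VIT in an "Under Investigation" group, look for another Open
// group built by the same group rule that also holds the VIT.
function findDuplicateGroups(groups, vitState, links) {
  const groupsOfVit = new Map();
  for (const [vit, group] of links) {
    if (!groupsOfVit.has(vit)) groupsOfVit.set(vit, []);
    groupsOfVit.get(vit).push(group);
  }
  const findings = [];
  for (const [vit, members] of groupsOfVit) {
    if (vitState[vit] !== "Open") continue; // closed VITs are not a problem
    for (const original of members) {
      if (groups[original].state !== "Under Investigation") continue;
      for (const other of members) {
        const g = groups[other];
        if (other !== original && g.state === "Open" && g.rule === groups[original].rule) {
          findings.push({ vit, original, duplicate: other });
        }
      }
    }
  }
  return findings;
}

// Flag the newer group in its description and record the original in work notes.
// Re-running does not stack markers or repeat notes.
function markDuplicates(groups, findings) {
  for (const { vit, original, duplicate } of findings) {
    const g = groups[duplicate];
    if (!g.description.startsWith("[DUPLICATE]")) g.description = "[DUPLICATE] " + g.description;
    const note = `${vit} is already tracked in ${original}`;
    if (!g.workNotes.includes(note)) g.workNotes.push(note);
  }
  return groups;
}
```

Only VUL0002 is reported here: VUL0003 holds the same VIT but comes from a different group rule, and VIT0011 is closed.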


7 REPLIES

Chris McDevitt
ServiceNow Employee

Hi,

On the Vulnerable Items table there is a Business Rule:

"Link to Remediation Tasks"

That calls the Script Include:

"VulnerableGroupRule"

Just a reminder: it is not a best practice to customize Script Includes.

 

Chris,

So, basically, if the Remediation Task status is anything other than "Open", and a VIT is reopened, it will link to a new Remediation Task, right?

 

If so, is there a link in the ServiceNow documentation you can provide? My team is getting confused on a VIT linked to multiple Remediation Tasks.

Thank you

Hi,

 

https://docs.servicenow.com/bundle/sandiego-security-management/page/product/vulnerability-response/concept/vulnerability-groups.html

 


 

Awesome! Thank you Chris!!!

Jane