02-01-2021 09:42 AM
Could someone explain the purpose of the Auto-Close Stale Vulnerable Items feature?
I thought this was a big win for me on 2 different issues:
1.) CIs that are Decommissioned and thus no longer able to be validated by Qualys as remediated.
2.) Vulnerabilities that are remediated through removal of an offending application - at times Qualys does not mark these as Fixed since it can't verify it exists nor verify that it doesn't.
I currently have this set to 15 days and my application teams are noticing that they are remediating vulnerabilities through those methods above and the VITs are changing to Closed, however the corresponding Vulnerability Groups are remaining in a Resolved or Open state and not moving to Closed.
State-Reason: Closed-Fixed will close the VUL, but Closed-Stale does not affect the State of the VUL.
Why not? Is there a setting I can check to Close VULs with Stale VITs? Or am I completely off-base here?
Thanks!
02-01-2021 10:30 AM
Hi Scott,
The link below provides the information on auto-close vulnerabilities.
https://docs.servicenow.com/bundle/paris-security-management/page/product/vulnerability-response/task/vr-autoclosevi.html
Thanks
Chandra
02-01-2021 11:03 AM
I appreciate the referenced article, however the first paragraph is not accurate.
"Moving these VIs to Closed reduces the number of active vulnerable items and vulnerability groups in your Now Platform instance."
The VIs are indeed moving to a Closed State, however this has no impact on the Vulnerability Group. If the VUL has 1 VIT and it is Closed-Stale, it will remain Open or Resolved, but not Closed. This also occurs if there are multiple VITs in the Group - if the VUL had 10 VIs and 9 of them were Closed-Fixed, but 1 was Closed-Stale - then the VUL will not move to a Close State.
Thanks
02-01-2021 01:14 PM
Check the Closed-fixed roll up to group level Business Rule on the VIT. Base configuration only checks if the substate / reason is Fixed.
Adding an Or clause for the Stale substate / reason should do the trick.
07-19-2021 01:08 PM
Hi Jerald,
We have a similar issue at our company. I realize I can add an OR clause or even change it so that ANY substate on CLOSE will also allow rollup to affect the VGroup.
However, we are wondering why none of the other substates besides FIXED do this rollup? We hate to just change out-of-the-box business rules if there is some other underlying reason why they aren't set like that.
Is there anything anyone knows about why none of the other substates are set like this?
Thanks.
Kevin