How to whitelist a few CIs on VR and permanently stop creating VITs for the same

Venkatesh4
Tera Expert

Hi All,

We need to whitelist a few CIs in the vulnerability response application, and the customer doesn't want to see any VIT or VUL record for the same.

Is there any system property or any other alternate mechanism available to achieve this in OOB? Or is there any custom approach available?

Please advise.

Thanks in advance.

2 REPLIES

Aaron Molenaar
Mega Guru

Two thoughts-

Would using global Exceptions work, defining the exception to these devices? The VIT would still exist (and be documented - you have no 'blind spot') but would not be bothering remediation owners. Any new VIT created would be scooped up into the Exception as time goes on. https://docs.servicenow.com/bundle/vancouver-security-management/page/product/vulnerability-response...

Alternatively, depending on your vulnerability scanner, perhaps you can exception them there. In our case with Rapid7, if we exception vulnerabilities in Rapid7, they are no longer checked for and do not appear in the vulnerabilities for import to Vulnerability Response, therefore meet your criteria of not ever creating VIT.

Our preference is for the former solution though, so we have no blind spots in VR.

Hope that helps!

Aaron

JMSogalow
Tera Contributor

Hello,

You can also use the following filtering capability from Rapid7: (most interesting in your case is the site filter)

| Field | Description |
| --- | --- |
| Min CVSS score | Minimum vulnerable item Common Vulnerability Scoring System (CVSS) score used to filter vulnerable items during import. |
| Max CVSS score | Maximum vulnerable item Common Vulnerability Scoring System (CVSS) score used to filter vulnerable items during import. |
| Site filter | Limits the data to the Rapid7 InsightVM sites chosen from the Sites list. The default (empty) brings in all sites. To pre-populate the Sites list, run the Rapid7 Site Integration — API prior to setting this field. |
| Auto-create CVE Entry | The system property to create a CVE Entry is active (true) by default. CVE placeholders are created automatically with the Rapid7 knowledge ingestion if the CVE ID does not exist. To make this feature inactive, deactivate the property [sn_vul_r7.create_cve_for_vulnerabilities] from the System Properties list. |
| Reopen resolved by age | When selected, vulnerable items are automatically reopened when the number of days they have been resolved but not closed matches the value displayed in the Reopen resolved after field. |

Regards

Jean Marc