Assigning findings to remediation teams using assignment rules
- Updated Jul 31, 2025
- 4 minutes to read
- Yokohama
- Unified Security Exposure Management (USEM)
Assignment rules automatically assign findings, such as vulnerable items, application vulnerabilities, container vulnerabilities, and configuration test results, to the appropriate groups for remediation. This streamlined triage ensures that tasks are directed to the appropriate teams, and enhances consistency and visibility across security and compliance programs.
In the Security Exposure Management Workspace, you can set up a single assignment rule that applies to all types of findings, including vulnerable items (VITs), application vulnerabilities (AVITs), container vulnerabilities (CVITs), and configuration test results (CTRs). This rule can then be applied to all the findings or a specific combination of findings.
Assignment rules are applied when a finding is:
- Created (imported or manually)
- Reopened
- Modified (if rules are manually reapplied)
Assigning vulnerable items automatically
You can assign findings using one of the following options:
- User Group: Assign findings directly to a selected user group.
- User Group Field: Assign findings based on an assignment group field available on the cmdb_ci table.
- Script: Use a script to define assignment conditions. This option requires coding or advanced ServiceNow® expertise. For more information on how to use the script editor to define complex conditions, see KB article KB0965240.
Note: The options available for the User group and User group field assignment types are updated based on the tables selected in the Applies to field.
Assignment rule evaluation process
When a new or reopened finding is processed, the system evaluates assignment rules in the following order:
- Ascending order: Rules are processed starting with the lowest execution order.
- First match: The system applies the first rule that matches the finding.
- Default group: If no rule matches, the finding is assigned to a default group (if a default rule is configured).
- Unassigned: If no default rule exists, the finding remains unassigned.
- The default rule should have the highest execution order value to act as a fallback or catch-all.
- Manually assigned findings aren’t reevaluated by assignment rules.
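The evaluation order above, modelled in plain JavaScript as an added example (this is not ServiceNow's own code or API). The rule objects, the `order`, `appliesTo`, `matches` and `isDefault` fields, the group names and the sample findings are all constructed for illustration; the point is to show ascending execution order, first-match-wins, the default rule as fallback, the unassigned case when no default exists, and manually assigned findings being skipped.

```javascript
// Added example (not ServiceNow's own code): a model of assignment-rule
// evaluation. Rule/finding shapes and group names are constructed.

// Constructed rules. "order" is the execution order; lower runs first.
// The rule with no real condition is the default (catch-all) and carries
// the highest order value so it runs last.
const rules = [
  { name: "PCI hosts to Compliance", order: 100, appliesTo: ["vit", "ctr"],
    matches: (f) => f.ci.tags.includes("pci"), group: "Compliance Remediation" },
  { name: "Web apps to AppSec", order: 200, appliesTo: ["avit"],
    matches: (f) => f.ci.type === "web_app", group: "AppSec" },
  { name: "Linux servers to Unix Ops", order: 300, appliesTo: ["vit", "cvit"],
    matches: (f) => f.ci.os === "linux", group: "Unix Ops" },
  { name: "Default", order: 1000, appliesTo: ["vit", "avit", "cvit", "ctr"],
    matches: () => true, group: "Vulnerability Triage", isDefault: true },
];

// Evaluate one finding: rules in ascending order, first match wins, the
// default rule acts as fallback, otherwise the finding stays unassigned.
// Manually assigned findings are not reevaluated at all.
function evaluate(finding, ruleSet, options = {}) {
  const { useDefault = true } = options; // false models "no default rule configured"
  if (finding.manuallyAssigned) {
    return { group: finding.assignmentGroup, rule: null, skipped: true };
  }
  const ordered = [...ruleSet].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (rule.isDefault && !useDefault) continue;
    if (!rule.appliesTo.includes(finding.type)) continue; // "Applies to" filter
    if (rule.matches(finding)) {
      return { group: rule.group, rule: rule.name, skipped: false };
    }
  }
  return { group: null, rule: null, skipped: false };
}

// Apply the rule set to a batch of findings and record what assigned each one.
function applyRules(findings, ruleSet, options) {
  return findings.map((f) => {
    const result = evaluate(f, ruleSet, options);
    return result.skipped
      ? f
      : { ...f, assignmentGroup: result.group, assignedBy: result.rule };
  });
}

// Constructed sample findings (CI attributes are made up).
const findings = [
  { id: "VIT001", type: "vit", ci: { name: "pay-db-01", os: "linux", type: "server", tags: ["pci"] } },
  { id: "VIT002", type: "vit", ci: { name: "build-07", os: "linux", type: "server", tags: [] } },
  { id: "AVIT003", type: "avit", ci: { name: "shop-frontend", os: "linux", type: "web_app", tags: [] } },
  { id: "VIT004", type: "vit", ci: { name: "win-fs-02", os: "windows", type: "server", tags: [] } },
  { id: "VIT005", type: "vit", manuallyAssigned: true, assignmentGroup: "Network Security",
    ci: { name: "fw-edge", os: "other", type: "firewall", tags: [] } },
];

for (const f of applyRules(findings, rules)) {
  console.log(f.id, "->", f.assignmentGroup, f.assignedBy ? `(${f.assignedBy})` : "(manual)");
}
```

VIT001 matches both the PCI rule and the Linux rule, and the PCI rule wins only because its execution order is lower, which is the practical reason to give compliance-driven rules the lowest order values. Passing `{ useDefault: false }` shows the unassigned outcome for the Windows host when no default rule exists.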
Execution order recommendation
- High priority rules: Run these rules first for items that require special handling, where the risk is critical, or where findings must be addressed for regulatory compliance.
- General rules: Run these rules next for items that do not require special handling and where you have a clear understanding of the responsible parties.
- Default rules: Finally, create a default rule to assign findings to a group that determines the appropriate assignment group. This group can then add additional rules based on their decisions. The default rule should run last.
In the Security Exposure Management Workspace, you can set the execution order of the assignment rules by dragging and dropping them into the desired order on the Rules list page.
Applying assignment rules
You can apply assignment rules in the following ways:
- A scheduled job: The Run assignment rules job runs daily to apply the assignment rules to the findings. It is inactive by default. You can configure it to run on a set schedule (daily, weekly, monthly, on demand, and so on) based on the scale of your environment. Depending on how many active findings you have in your environment, set the Run field appropriately after the initial run to avoid performance impacts. This job applies to all open findings, excluding those that have been manually assigned.
- The Reapply button: Use the Reapply button to reapply updated rules to all open findings. Manually assigned findings are excluded from this process.
- A business rule: The business rule Link to Remediation Tasks on the Findings table evaluates all the assignment rules and applies them to newly created or modified findings. To enable the business rule:
- Navigate to .
- Enable the Link to Remediation Tasks business rule.
- Select the Active check box to activate the business rule.
When assignment rules update findings:
- Findings are automatically regrouped under a relevant remediation task or group. If they can't be grouped under an existing group, a new group is created.
- Manual changes don't trigger regrouping; only rule-driven updates do.
- Remediation tasks themselves aren't deleted. Only findings are removed or regrouped.
Automating regrouping after assignment group changes
You can automate the regrouping of findings when assignment groups change due to assignment rule reapplication by activating the system property sn_vul.rerun_task_rules.
- Navigate to .
- Open the sn_vul.rerun_task_rules system property.
- In the Value field, set the value to true.
Assignment impact on remediation tasks
Assignment rules also influence how findings are grouped and managed in remediation tasks. Remediation task rules inherit assignment groups from findings. For example, if findings across multiple CIs are assigned to different groups, remediation tasks may be split accordingly.
If you manually change the assignment group on a remediation task:
- All findings in that task that share the task's original assignment group are also updated.
- These findings are marked as manually assigned and excluded from further automatic rule evaluation.
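The grouping and manual-change behaviour described in this section, as an added JavaScript example (not ServiceNow's own code or API). The task and finding shapes, the `RT` task ids and the group names are constructed; the example shows remediation tasks keyed by the findings' assignment group, a rule-driven group change moving a finding between tasks without deleting the emptied task, and a manual change of a task's group propagating to the findings that still carry the original group and flagging them as manually assigned.

```javascript
// Added example (not ServiceNow's own code): how findings fold into
// remediation tasks by assignment group, and what a manual task
// reassignment does to them. All data shapes are constructed.

// Group findings into tasks, one task per assignment group. Existing tasks
// are kept (tasks are never deleted); a finding whose group no longer matches
// its task's group is removed from that task and regrouped. Findings with no
// assignment group are left outside any task.
function regroupIntoTasks(findings, existingTasks = []) {
  const byId = new Map(findings.map((f) => [f.id, f]));
  const tasks = existingTasks.map((t) => ({
    ...t,
    findingIds: t.findingIds.filter(
      (id) => byId.get(id)?.assignmentGroup === t.assignmentGroup
    ),
  }));
  for (const f of findings) {
    if (!f.assignmentGroup) continue;
    let task = tasks.find((t) => t.assignmentGroup === f.assignmentGroup);
    if (!task) {
      task = { id: `RT${tasks.length + 1}`, assignmentGroup: f.assignmentGroup, findingIds: [] };
      tasks.push(task);
    }
    if (!task.findingIds.includes(f.id)) task.findingIds.push(f.id);
  }
  return tasks;
}

// Manual change of a task's assignment group: every finding in the task that
// still carries the task's original group follows it and is flagged as
// manually assigned, so later rule runs leave it alone.
function reassignTask(task, findings, newGroup) {
  const original = task.assignmentGroup;
  const updated = findings.map((f) =>
    task.findingIds.includes(f.id) && f.assignmentGroup === original
      ? { ...f, assignmentGroup: newGroup, manuallyAssigned: true }
      : f
  );
  return { task: { ...task, assignmentGroup: newGroup }, findings: updated };
}

// Constructed sample findings, already assigned by rules.
const findings = [
  { id: "VIT001", ci: "pay-db-01", assignmentGroup: "Compliance Remediation" },
  { id: "VIT002", ci: "build-07", assignmentGroup: "Unix Ops" },
  { id: "VIT003", ci: "build-08", assignmentGroup: "Unix Ops" },
  { id: "VIT004", ci: "win-fs-02", assignmentGroup: null },
];

const tasks = regroupIntoTasks(findings);
console.log(tasks);
console.log(reassignTask(tasks[1], findings, "Platform Eng").findings);
```

Because `reassignTask` sets `manuallyAssigned`, the affected findings would be skipped by any later rule evaluation, which is exactly why the page warns that manual changes are excluded from further automatic assignment.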
Special considerations by finding type
| Finding type | Notes |
|---|---|
| Vulnerable items (VITs) | Base system includes an Assign to CI Support Group rule. Use order to prioritize critical, general, and fallback rules. |
| Container vulnerable items (CVITs) | Only one matching rule applies. Rules ignore non-Open or manually assigned CVITs. |
| Configuration Test Results (CTRs) | Uses similar logic. Default assignment rule is inactive. Terminology changes as of v14.9 (for example, "Group Rules" → "Remediation Task Rules"). |
Related Content
- Configuring assignment rules
By configuring assignment rules, you can automate the process of routing findings to the appropriate teams or individuals. By defining assignment criteria based on vulnerability attributes or affected assets, you can ensure timely and accurate ownership for remediation efforts.