Vulnerability Response assignment rules overview

Define the criteria by which vulnerable items (VITs) are automatically assigned to an assignment group for remediation.

A default assignment rule, Assign to CI support group, is included in the base system. It assigns each vulnerable item to whatever support group is set on the configuration item (CI) associated with the VIT.
Note: The assignment rules do not reevaluate manually created assignments.

Assignment type, whether Manual or Rule, is available from the VIT form and the list view. Any VIT that was originally assigned by a rule but subsequently manually reassigned retains a reference to the original rule.

Use the Assignment rule and Assignment type fields to identify cases where the assignment rules did not find the intended recipient, and to identify which rules had the most manual reassignments.

The Assignment groups set by Assignment Rules are used by Remediation Task Rules to assign owners to remediation tasks (VULs).
Note: To make Rapid7 InsightVM asset tags available for use in the Condition filter for Assignment Rules, you must run the Rapid7 InsightVM Asset List integration before the other Rapid7 InsightVM integrations.

Search text that you enter in the condition builder is matched case-insensitively on this record or form; case-sensitive matching is not supported.

Assigning vulnerable items automatically

The Assign using field offers three different ways to assign vulnerable items:
  • User group: This option allows you to select any of the existing ServiceNow AI Platform® user groups.
  • User group field: This option allows you to choose any assignment group field available on the cmdb_ci table. By default, you see the following three group fields:
    • None: Indicates no default value for this mandatory field
    • Configuration Item: Approval Group
    • Configuration Item: Assignment Group
    • Configuration Item: Support Group
  • Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow expertise. For more information on how to use the script editor to define complex conditions, see the KB0965240 KB article.

Run high-priority rules first: items that need special handling, where risk is critical, or where a VIT must be handled by regulatory compliance. Next, run your general rules, where no special handling is required and you know who should be responsible. Finally, create a default rule that assigns any remaining VITs to a group that will determine the correct assignment group; that group can add another rule to cover its decisions. This default rule runs last.

Assignment rule evaluation process

Assignment rules evaluate and assign a VIT when it is opened, that is, imported, created manually, or reopened. A VIT is evaluated once, unless you manually reapply assignment rules after the VIT or its state changes.

The following process is used for each new, updated, or reopened VIT:
  • For each vulnerability assignment rule, the VIT is compared to the rule's condition filter, lowest execution order first.
  • Where the condition matches, the VIT is assigned that rule's assignment group and the lookup stops.
  • Where no rule matches, the VIT is assigned to the default assignment group, if a default rule exists.
    Once the vulnerable item has been assigned, the appropriate remediation task rule uses assignment as one of its criteria for placing the vulnerable items into a remediation task. See Vulnerability Response remediation tasks and remediation task rules overview and Filtering within Vulnerability Response for more information.
    Note: The default rule is the rule with the highest execution order value. A good catch-all condition for a final rule is active=true, which matches every active VIT. If there is no default rule, the VIT remains unassigned when the remediation task rules later place it in a remediation task.
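The evaluation order above, as an added example that is not part of ServiceNow's own code: a stand-alone JavaScript simulation (the language of ServiceNow server scripts) of first-match assignment across the three Assign using options, a default rule, and the manual and Deferred exclusions. The rule, CI and VIT records, the field names, and the script-rule contract (a script returns a group name, or null for no match) are constructed assumptions for the demo; it does not use GlideRecord or the platform's condition builder.

```javascript
// Added example, not ServiceNow code: a stand-alone simulation of the
// first-match evaluation of Vulnerability Response assignment rules.
// Rule, CI and VIT objects are constructed for the demo; the platform's
// condition filters, GlideRecord lookups and script-rule API are not modelled.

// Constructed CI records keyed by sys_id. The fields a "User group field"
// rule can read mirror the Configuration Item group fields listed on the page.
const CIS = {
  ci_web01: { support_group: "Web Platform", assignment_group: "" },
  ci_db01:  { support_group: "DBA",          assignment_group: "DBA On-Call" },
  ci_lab01: { support_group: "",             assignment_group: "" },
};

// Constructed rules. Lower execution order runs first; the rule with the
// highest order is the default (catch-all) rule.
const RULES = [
  { name: "PCI critical", order: 100, active: true,
    condition: (vit) => vit.pci && vit.severity === "Critical",
    assignUsing: "user_group", group: "Compliance Response" },
  // Assumption for the demo: a Script rule returns a group name, or null
  // when it decides the VIT does not match.
  { name: "SSH findings (script)", order: 200, active: true,
    condition: () => true,
    assignUsing: "script",
    script: (vit) => (/ssh/i.test(vit.summary) ? "Remote Access Team" : null) },
  { name: "Assign to CI support group", order: 300, active: true,
    condition: (vit) => Boolean(vit.ci),
    assignUsing: "user_group_field", field: "support_group" },
  { name: "Catch-all", order: 900, active: true,
    condition: (vit) => vit.active === true, // the active=true catch-all
    assignUsing: "user_group", group: "Vulnerability Triage" },
];

// Resolve the group a matching rule assigns. Returns null when the rule cannot
// produce a group (for example an empty CI field); the demo then continues to
// the next rule. That fallthrough is a simulation choice, not documented behaviour.
function resolveGroup(rule, vit) {
  switch (rule.assignUsing) {
    case "user_group":       return rule.group || null;
    case "user_group_field": return (CIS[vit.ci] || {})[rule.field] || null;
    case "script":           return rule.script(vit);
    default: throw new Error("unknown Assign using: " + rule.assignUsing);
  }
}

// Evaluate one VIT: manual assignments are never reevaluated, Deferred VITs
// are skipped, active rules run lowest order first, and the first match wins.
function evaluateAssignment(vit, rules = RULES) {
  if (vit.assignment_type === "Manual" || vit.state === "Deferred") return { ...vit };
  const ordered = rules.filter((r) => r.active).sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (!rule.condition(vit)) continue;
    const group = resolveGroup(rule, vit);
    if (group === null) continue;
    return { ...vit, assignment_group: group, assignment_type: "Rule", rule: rule.name };
  }
  // No rule matched and no default rule exists: the VIT stays unassigned.
  return { ...vit, assignment_group: "", rule: "" };
}

// Count manual reassignments per original rule: the check the page suggests
// for finding rules that most often picked the wrong recipient.
function manualOverridesByRule(vits) {
  const counts = {};
  for (const v of vits) {
    if (v.assignment_type === "Manual" && v.rule) counts[v.rule] = (counts[v.rule] || 0) + 1;
  }
  return counts;
}

// Constructed sample VITs.
const VITS = [
  { number: "VIT0001", summary: "TLS 1.0 enabled",          severity: "Critical", pci: true,  ci: "ci_web01", state: "Open", active: true },
  { number: "VIT0002", summary: "OpenSSH user enumeration", severity: "Medium",   pci: false, ci: "ci_db01",  state: "Open", active: true },
  { number: "VIT0003", summary: "Outdated kernel",          severity: "High",     pci: false, ci: "ci_db01",  state: "Open", active: true },
  { number: "VIT0004", summary: "Weak SNMP community",      severity: "Low",      pci: false, ci: "ci_lab01", state: "Open", active: true },
  { number: "VIT0005", summary: "Outdated kernel",          severity: "High",     pci: false, ci: "ci_db01",  state: "Open", active: true,
    assignment_group: "Patching", assignment_type: "Manual", rule: "Assign to CI support group" },
  { number: "VIT0006", summary: "Weak SNMP community",      severity: "Low",      pci: false, ci: "ci_lab01", state: "Deferred", active: true },
];

const results = VITS.map((v) => evaluateAssignment(v));
for (const r of results) {
  console.log(r.number, "->", r.assignment_group || "(unassigned)", r.rule ? "via " + r.rule : "");
}
// The same VIT with the default rule removed shows the no-default case.
const noDefault = evaluateAssignment(VITS[3], RULES.filter((r) => r.order !== 900));
console.log("VIT0004 without a default rule:", noDefault.assignment_group || "(unassigned)");
console.log("manual overrides by rule:", manualOverridesByRule(VITS));
```

VIT0004 illustrates why the catch-all matters: its CI has an empty support group, so the CI support group rule cannot produce a recipient and only the order-900 rule gives it an owner; without that rule it comes back unassigned. VIT0005 keeps its manual group but still carries the name of the rule that originally placed it, which is what the reassignment count at the end is built from.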

Reapplying assignment rules

When you change an assignment rule, use the Apply Changes button on the Assignment Rules list page to rerun all the changed rules on all Open VITs, except those that were manually assigned.
Note: If the Reapply all vulnerability assignment rules scheduled job has not run before the first time you use Apply Changes, Apply Changes runs all the assignment rules on all Open VITs except those that were manually assigned. All subsequent uses of Apply Changes rerun only the changed rules and any dependent rules. Changes to one rule may cause a VIT to match a different, unmodified rule. Reapplying assignment rules does not regroup the vulnerable items.

The scheduled job Reapply all vulnerability assignment rules is inactive by default. When activated, it applies all the rules to all Open VITs except those that were manually assigned. It can run Daily, Weekly, Monthly, Periodically, Once, or On Demand. Depending on how many active VITs you have in your environment, set the Run field appropriately after the initial run to prevent performance impacts.

Upgrade customers should refer to the Vulnerability Response Release Notes for information regarding the impact of this feature on existing VITs.

Important: As a vulnerability admin or analyst, you can obtain the latest assignments for selected vulnerable items in the Vulnerability Manager Workspace. This method is more efficient than running the Assignment Rules for all vulnerable items in the classic UI, which is a time-consuming process. For more information, see Re-evaluate the remediation properties of the records in the Vulnerability Manager Workspace.

When the assignment group on an assignment rule changes, the vulnerable items can be automatically reevaluated and regrouped by enabling the system property sn_vul.rerun_task_rules and the business rule Link to Remediation Tasks.

To enable the system property:
  1. Navigate to All > System Properties > All Properties.
  2. Open sn_vul.rerun_task_rules system property.
  3. In the Value field, set the value to true.
When the system property is set to true and the assignment rules are reapplied, vulnerable items whose remediation task condition no longer matches are unlinked from their remediation tasks.
Note: By default, the system property sn_vul.rerun_task_rules is set to false.

To automate the regrouping of vulnerable items, you must also activate the business rule Link to Remediation Tasks.

To enable the business rule:
  1. Navigate to All > System Definition > Business Rules.
  2. Open Link to Remediation Tasks business rule.
  3. Select the Active check box to activate the business rule.
When enabled, the business rule regroups the vulnerable items by moving them to the relevant group, or by creating a group if they cannot be grouped under any existing group.
Note:
  • Vulnerable items are removed from groups without deleting the groups.
  • Only items that were created using remediation task rules or a remediation effort are removed.
  • Regrouping is performed automatically only when the assignment group changes as part of an assignment rule, not when it is changed manually.
  • Assignment rules do not apply to VITs in the Deferred state. If a VIT is deferred, you must manually assign it if needed.
In workspaces, regrouping is performed for remediation tasks that are created from a Remediation effort.