Vulnerability Response remediation target rules

  • 릴리스 버전: Australia
  • 업데이트 날짜 2026년 03월 12일
  • 소요 시간: 12분

    • Remediation target rules define the expected time frame for remediating vulnerable items (VI), much like SLAs provide a time frame for remediating the vulnerability itself. For example, if an asset contains PCI data (credit card data) then the vulnerability on that item must be fixed within 30 days according to PCI DSS.

    Vulnerability managers can create remediation target rules by defining:
    • The remediation target
    • The reminder target
    • The reminder and notification recipients: Who should be notified when the vulnerable items (VIs) are past the reminder or remediation target date and haven’t been remediated.
    • The recalculation method: How the system updates the remediation target (RT) date when a vulnerable item’s risk rating changes.

    Vulnerability analysts and managers can see the remediation target date in the vulnerability item form and list views, as long as the vulnerable items aren’t in Deferred, Resolved, or Closed state. Remediation target rules are run on import and rerun if a VI is reopened.

    The Remediation target date is color-coded on the VI list view as dots, as follows:
    • Vulnerable items that haven’t reached their notification date are shown in green.
    • Vulnerable items approaching the remediation target date are shown in orange.
    • Vulnerable items past the remediation target date are shown in red.

    A summary email, per remediation target rule, is sent when one or more VIs are either approaching their remediation target date or the remediation target date has passed.

    Recalculation of remediation target date

    Starting with Unified Security Exposure Management version 30.1.4 and Vulnerability Response version 26.4.4, administrators can configure how the system recalculates the remediation target date when a finding’s risk rating changes.

    • Under normal conditions, the system calculates the RT date as:

      Remediation Target = Target from (date) + Target (days)

    • When the risk rating changes, the system calculates a new RT date using the formula below. The selected recalculation method determines whether this new date replaces the existing RT date.

      Recalculated RT date = Field change time + Target (days)

      Field change time captures when the risk rating changed. Target (days) uses SLA of new risk rating.

    The following options define how the system applies the recalculated RT date when a risk rating changes:
    Recalculation method Description
    Default calculation Retains the existing RT date. The recalculated date isn’t applied.
    Recalculate from risk change date Updates the Remediation Target date to: Field change time + Target (days) based on the new risk rating.
    Recalculate from risk change date and always set to earliest target date Compares the existing RT date with Field change time + Target (days) and applies the earlier date.
    Recalculate from risk change date and set to earliest target date only when risk rating increases If the risk increases: Compares the existing RT date and the recalculated RT date and applies the earliest date.

    If the risk decreases: Applies Field change time + Target (days) without comparison.

    For configuration steps, see Recalculate a remediation target date.

    Remediation target rules can be deactivated or deleted

    When a rule is deactivated, the current remediation target dates for the VIs it was applied to are cleared. If a VI satisfies any active rule that rule is applied, otherwise the VI has no rule or target date, and its status is No Target.

    When rules are deleted, the Remediation target date and related fields on closed, deferred, or resolved VIs are preserved. The Remediation target date and related fields on non-closed VIs are cleared and any dependent rules are reapplied.

    Remediation target rule scenario

    When multiple remediation target rules are applied to the same vulnerable item, the most restrictive rule is applied.
    주:
    Remediation targets are calculated from the Last Opened date plus the number of days (measured as 24-hour increments).

    Starting from V17.1, remediation targets are calculated from the Target from (date). The default value remains Last opened date.

    For example, if a vulnerable item meets the condition for two remediation target rules:

    Scenario: Vulnerable item last opened on 03/01/2018 at 10:00:00.
    • Remediation target rule 1: Last opened on 03/07/2018; remediation target is 15 days since it was last opened; calculated remediation target date is 03/16/2018 10:00:00.
    • Remediation target rule 2: Last opened on 03/10/2018; remediation target is 10 days since it was last opened; calculated remediation target date is 03/11/2018 10:00:00.
    In this scenario, the Remediation target rule 2 applies to the vulnerable item since it has the more restrictive date. 10 days since the vulnerable item was first identified versus 15 days.
    주:
    Once the Remediation target rule is defined, remediation target dates are calculated by the Evaluate remediation targets scheduled job.

    About the Evaluate remediation targets scheduled job

    Evaluate remediation targets runs once at 4:00:00 daily.

    It iterates through all active vulnerability rules, starting with those rules with the earliest remediation target date. It looks at all vulnerable items that:
    • Aren’t in a Closed, Deferred, or Resolved state.
    • Have no remediation target date.
    • Have a remediation target date that is later than the date in the remediation target rule.

    Evaluate remediation targets adds a remediation target date, if one doesn’t exist, or if a rule results in an earlier date than the one in the record, it updates the existing target date. Finally, it updates the Remediation target and Remediation status fields in the vulnerable item form.

    Once the Evaluate remediation targets runs, available notifications are sent.

    Evaluate remediation targets clears the remediation fields on the VI and stops sending notifications.

    The sn_sec_cmn.evaluate_targetmissed_records property, when enabled, prevents the Remediation Target Rules scheduled job from evaluating missed VIs. This property is enabled by default.

    Reapplying remediation target rules

    When you change a remediation target rule, use the Apply Changes button on the Remediation Target Rules list page to rerun all the changed rules on all active Open VIs except those in the Closed, Deferred or Resolved state. Depending on how many VIs you have, this may take time.
    주:

    If the scheduled job, Evaluate remediation targets is running, you can’t initiate a reapply process. However, if a reapply process is already running, and the scheduled job it triggered, they run in parallel.

    The reapply processes in Vulnerability Response and Application Vulnerability Response are independent and can run in parallel.

    중요사항:
    As a vulnerability admin and analyst, you can obtain the latest remediation target date for selected vulnerable items in the Vulnerability Manager Workspace. This method is more efficient than running the Remediation Target Rules for all vulnerable items in the classic UI, which is a time-consuming process. For more information, see Re-evaluate the remediation properties of the records in the Vulnerability Manager Workspace.