Closing stale detections in Vulnerability Response

  • Release version: Xanadu
  • Updated July 31, 2025
  • 8 minutes to read

    The Auto-Close Stale Detections module helps you automatically clean up older, stale vulnerable detections not recently found by your third-party integrations. Moving these detections to Closed reduces the number of active vulnerable items and remediation tasks in your ServiceNow AI Platform instance and helps you reconcile assets in your CMDB.

    Overview and key terms

    In order to more accurately roll-up detection data to your vulnerable items, the Auto-Close Stale Detections module helps you clean up older, stale vulnerable item detections not recently found by your third-party integrations. For more information about this feature, see the use case below.

    In previous versions of Vulnerability Response, the Auto-Close Vulnerable Items module automatically transitioned vulnerable items not recently found or updated by your third-party scanner integrations to the Closed - Stale state.

    Before you enable the Auto-Close Stale Detections feature, review the following terms, how states roll up to vulnerable items and remediation tasks, and the prerequisites for your third-party integrations that import detection data.

    To enable the feature, see Automatically close stale detections in Vulnerability Response.

    Key terms

    Stale detections
    Refers to detections associated with vulnerable items in your ServiceNow AI Platform® instance that are aged and have not been found, updated, or detected by third-party integration scans for a significant amount of time.
    Detections last found
    This search option uses a date and time provided by the third-party scanner. This term refers to the most current, or latest date and time that detections were found again by the scanner.
    Assets Last scanned
    This search option uses a date and time provided by the third-party scanner. This term refers to the most current date and time an asset was last scanned by a third-party scanner.

    Use case

    At times, assets (configuration items) may be decommissioned in your environment or purged by third-party scanners, so their associated detections are no longer updated by scanner imports. As a result, the detections and their related vulnerable items are not updated in the Vulnerability Response application, and they become inactive (stale).

    To close these aged detections that have unchanged vulnerable item data, and thereby reduce the number of active VIs and remediation tasks (RTs), enable Auto-Close Stale Detections. This feature automatically closes vulnerable item detections not recently found or updated by your third-party scanner integrations based on search criteria and an age in number of days that you set.

    As an example, suppose a particular configuration item (CI) has multiple asset IDs, and one of these IDs has not been imported on a detection from a third-party scanner in the last 90 days. This feature automatically closes this detection that has no new vulnerability data so the associated VI can be closed.

    Since a VI can have more than one detection associated with it, this feature only transitions the detections determined to be stale by the parameters you set. For example, if a VI has four detections associated with it, and two detections are stale, that is, no new vulnerability data has been imported in the last 90 days, this feature only closes the stale detections. Before the VI can be closed, you must first remediate the other two open detections.

    Rollup of detection states to VIs

    To differentiate the auto-closed detections from detections closed by third-party scanners, a new value for the Status field, Stale, has been added. The possible values for this field are Open, Closed, and Stale. Stale indicates that a detection was closed by the auto-close detection feature.

    State precedence: Open > Closed > Stale.

    1. If any detections are Open, the associated VI state remains Open.
    2. If no detections are Open, some are Closed, and some are Stale, the associated VI state transitions to Closed - Fixed.
    3. If all the detections are Stale, the associated VI state transitions to Closed - Stale.

      Starting with Vulnerability Response 20.0, if the detection is Stale and its associated VI is in a Closed state, the VI's state doesn't transition to Closed - Stale. This prevents the VI from reopening when a new detection is identified, so that you can avoid going through the entire false positive request and approval process. To reverse this behavior, deselect the Ignore stale detections for closed VIs check box in the Auto-Close Configuration form. For more information, see Automatically close stale detections in Vulnerability Response.

    Rollup of VI states to remediation tasks (VUL)

    State precedence: Open > Closed - Fixed > Closed - Stale.

    1. If any VIs in a VUL (remediation task) are Open, the VUL state is not changed.
    2. If at least one VI is Closed - Fixed and the rest are Closed - Stale, the VUL state transitions to Closed - Fixed.
    3. If all the VIs in a VUL are Closed - Stale, the VUL state transitions to Closed - Canceled.
    4. If any VIs are closed as Closed - False Positive, the VUL does not auto-close.

    For more information on state rollup and rolldown scenarios, see State roll-up and roll-down scenarios.
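    The precedence rules above (detections to VI, then VIs to remediation task), together with the day-based aging check from the use case, written out as an added illustration. This is not ServiceNow's own code; the field names (status, lastFound, assetLastScanned) and the way the Ignore stale detections for closed VIs option is passed in are assumptions.

```javascript
// Added illustration, not ServiceNow's own code: the page's auto-close and
// state-rollup rules as plain functions. Field names (status, lastFound,
// assetLastScanned) and the option names are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Close Open detections whose chosen timestamp is older than ageDays.
// basis is 'lastFound' (Detections last found) or 'assetLastScanned'
// (Assets last scanned). Scanner-closed detections are left as Closed.
function autoCloseStale(detections, basis, ageDays, now) {
  const cutoff = now.getTime() - ageDays * DAY_MS;
  return detections.map(d =>
    d.status === 'Open' && Date.parse(d[basis]) < cutoff
      ? Object.assign({}, d, { status: 'Stale' })
      : d);
}

// VI state from its detections. Precedence: Open > Closed > Stale.
// ignoreStaleForClosed models the "Ignore stale detections for closed VIs"
// check box: an already-closed VI is not moved to Closed - Stale.
function rollupViState(detections, currentViState, ignoreStaleForClosed) {
  const statuses = detections.map(d => d.status);
  if (statuses.length === 0) return currentViState;
  if (statuses.includes('Open')) return 'Open';
  // Any scanner-closed detection wins over Stale (the page gives the mixed
  // case; an all-Closed VI is assumed to roll up the same way).
  if (statuses.includes('Closed')) return 'Closed - Fixed';
  if (ignoreStaleForClosed && currentViState.indexOf('Closed') === 0) return currentViState;
  return 'Closed - Stale';
}

// Remediation task (VUL) state from its VIs. Precedence:
// Open > Closed - Fixed > Closed - Stale; Open or False Positive VIs block auto-close.
function rollupVulState(viStates, currentVulState) {
  if (viStates.length === 0 || viStates.includes('Open')) return currentVulState;
  if (viStates.includes('Closed - False Positive')) return currentVulState;
  if (viStates.includes('Closed - Fixed')) return 'Closed - Fixed';
  if (viStates.every(s => s === 'Closed - Stale')) return 'Closed - Canceled';
  return currentVulState;
}

// Constructed sample: one VI with four detections, two not found in 90+ days.
const NOW = new Date('2025-07-31T00:00:00Z');
const SAMPLE = [
  { id: 'd1', status: 'Open', lastFound: '2025-07-29T00:00:00Z' },
  { id: 'd2', status: 'Open', lastFound: '2025-07-20T00:00:00Z' },
  { id: 'd3', status: 'Open', lastFound: '2025-03-01T00:00:00Z' },
  { id: 'd4', status: 'Open', lastFound: '2025-01-15T00:00:00Z' },
];
const after = autoCloseStale(SAMPLE, 'lastFound', 90, NOW);
```

    With the sample, d3 and d4 become Stale while d1 and d2 stay Open, so the VI stays Open until the two open detections are remediated.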

    Auto-Close detections and third-party integration requirements

    Microsoft TVM users and Auto-Close Stale Detections

    Checklist item: The Microsoft TVM Vulnerability Integration
    Description: With the Microsoft TVM Vulnerability Integration, if you select Detections last found to base your search on, this feature requires a successful run of the Microsoft TVM Machine Vulnerabilities Integration (Full import) within the last seven days. This integration runs weekly.

    If Auto-Close Stale Detections are enabled and configured for Detections last found, and the Microsoft TVM Machine Vulnerabilities Integration is disabled, or a data import is not successfully completed within the last seven days, the scheduled job to close detections still runs daily but some stale detections might not be closed as expected.

    If you select Assets last scanned to base your search on, the Microsoft TVM Machine Vulnerabilities Integration run is not required.

    To activate this integration:

    1. Navigate to Microsoft TVM Vulnerability Integration > Administration > Integration.
    2. Locate and enable the Microsoft TVM Machine Vulnerabilities Integration (Full import).
    3. (Optional) Deploy multiple instances of the Microsoft TVM integrations across your environment.

    Auto-Close Stale Detections is not instance-specific, and it is either enabled or disabled across your environment. Stale detections are automatically transitioned to Stale on instances that have successfully completed integration runs.

    If Auto-Close Stale Detections are enabled and you disable the integrations that run weekly in an instance, the scheduled job to close detections still runs daily, but some detections may not transition to Stale automatically as expected.

    Qualys users and Auto-Close Stale Vulnerable Items

    • Any activated Qualys third-party integrations that retrieve detection data can run with this module. There are no specific Qualys applications required.
    • You can optionally deploy multiple instances of the Qualys integrations across your environment.
    • Auto-Close Stale Detections is not instance-specific, and it is either enabled or disabled across your environment. Stale detections are automatically transitioned to Stale on all instances.

    Rapid7 users and Auto-Close Stale Detections

    Checklist item: The Rapid7 Vulnerability Integration
    Description: If you select Detections last found to base your search on, this feature requires a successful run of one of the Rapid7 Comprehensive Vulnerable Item Integrations within the last seven days. These comprehensive integrations run weekly:
    • For Rapid7 Nexpose data warehouse, a successful run from the Rapid7 Comprehensive Vulnerable Item Integration is required.
    • For Rapid7 InsightVM, a successful run from the Rapid7 Comprehensive Vulnerable Item Integration - API is required.

    If Auto-Close Stale Detections is enabled and configured for Detections last found, and the Rapid7 Comprehensive Vulnerable Item Integrations are disabled, or a data import is not successfully completed within the last seven days, the scheduled job to close detections still runs daily but some stale detections might not be closed as expected.

    If you select Assets last scanned to base your search on, no comprehensive Rapid7 integration run is required.

    To activate these integrations:

    1. Navigate to Rapid7 Vulnerability Integration > Administration > Integration.
    2. Locate and enable the Rapid7 Comprehensive Vulnerable Item Integration you need.
    Note: In addition to these integrations that run weekly, Rapid7 Nexpose and Rapid7 InsightVM each have VI integrations that run daily: the Rapid7 Vulnerable Item Integration and the Rapid7 Vulnerable Item Integration - API.

    If both the daily and weekly Rapid7 integrations are enabled, only one integration runs at a time. If one of these integration jobs is running, the job for the other integration is skipped until the next scheduled job.

    3. (Optional) Deploy multiple instances of the Rapid7 comprehensive integrations across your environment.

    Auto-Close Stale Detections is not instance-specific, and it is either enabled or disabled across your environment. Stale detections are automatically transitioned to Stale on instances that have successfully completed integration runs.

    If Auto-Close Stale Detections is enabled and you disable the integrations that run weekly in an instance, the scheduled job to close detections still runs daily, but some detections may not transition to Stale automatically as expected.

    Tenable Vulnerability Integration users and Auto-Close Stale Vulnerable Items

    • Any activated integrations from the Tenable Vulnerability Integration that retrieve detection data can run with this module. There are no specific Tenable Vulnerability Integrations required.
    • You can optionally deploy multiple instances of the Tenable Vulnerability Integration across your environment.
    • Auto-Close Stale Detections is not instance-specific, and it is either enabled or disabled across your environment. Stale detections are automatically transitioned to Stale on all instances.

    After you verify that your integrations are configured properly, see Automatically close stale detections in Vulnerability Response to enable the feature.

    Upgrade information from Auto-Close Stale Vulnerable Items to Auto-Close Stale Detections

    For the Auto-Close Stale Detections module, if you previously used Auto-Close Stale Vulnerable Items:
    • The value for the number of days you entered for the Assets last scanned option from Auto-Close Stale Vulnerable Items is preserved automatically for Assets last scanned in Auto-Close Stale Detections.
    • The value for the number of days you entered for the Vulnerable items last found option from Auto-Close Stale Vulnerable Items is preserved automatically for Detections last found in Auto-Close Stale Detections.
    • Existing open detections whose vulnerable items are Closed - Stale are transitioned to Stale according to the auto-close configuration settings when the Auto-Close Stale Detections scheduled job runs after upgrade.

    Rollup information

    • If a vulnerable item was Closed - Stale prior to the upgrade, and all its detections are marked as Stale after upgrade, then the VI state remains Closed - Stale.
    • If a vulnerable item was Closed - Stale prior to the upgrade, and only some of its detections are marked as Stale after upgrade while the rest were closed by the scanner, then the vulnerable item transitions to Closed - Fixed according to the rollup logic.