View findings for Security Posture Control

  • Release version: Xanadu
  • Updated July 31, 2025

    You can view the findings generated by the evaluation of policies in Security Posture Control in the Security Posture Control Workspace.

    Findings

    You can configure findings to be generated from the execution of policies so that they can be assigned to various teams for remediation or used for reporting. See Activate a policy included with the Security Posture Control application for more information about generating findings directly from your policies.

    Security Posture Control publishes these findings as ‘Test Results’ in the Configuration Compliance module. All administrative controls in the Configuration Compliance application that are related to the assignment, grouping (remediation task generation), remediation targets, and exceptions are supported for findings that are generated by Security Posture Control.

    The labels used for findings:

    Tool coverage
    This type represents a security tool coverage gap. This finding type is applicable for policies using ‘Reported by’ and ‘Not reported’ connector relationships.
    Internet exposure
    This type represents internet exposure of a cloud asset. This finding type is applicable for policies using the ‘Has port exposed to internet’ relationship or connection.
    High-risk combination
    This type represents an issue having more than one associated risk factor, for example, assets with critical vulnerabilities and a missing endpoint protection agent.
    Integrated Risk Management (IRM) exception
    This type represents an asset with an approved exception from the Governance, Risk, and Compliance (GRC) product. If indicated, these exceptions are not included in your findings counts.
    Has vulnerability
    This type represents assets with associated vulnerable items (VITs) that have known vulnerabilities.

    Security posture labels are generated and attached to test results. A label of an appropriate type, 'Tool coverage', for example, is automatically assigned to test results based on the type of policy. Multiple labels are displayed on records for assets that have more than one label.

    By using security posture labels associated with the findings, you can write assignment rules in Configuration Compliance to route these issues to teams for remediation. For example, you can send ‘Tool coverage’ findings to an IT ops team, and ‘Internet exposure’ to an application team.

    Where to view findings

    You have these options to view the findings generated by the evaluation of policies.

    Roles required: SPC Admin Group or SPC Analyst Group

    • Navigate to Security Posture Control Workspace > Policies and findings > Findings > All.
    • On a policy record, select View findings. The list displays groups of findings that organize them into general categories such as 'High-risk combination', 'Internet exposure', and so on, but these groups are not formal groupings that can be used for remediation. You need to set up remediation and assignment rules in Configuration Compliance for findings.
    • In the Configuration Compliance application, select Test Results and filter the records by Source is ServiceNow SPC.

    The dashboard

    In the Security Posture Control Workspace, the Home (landing page) displays these visualizations:

    Overview
    • Assets: Number of assets monitored on-premises and in the cloud.
    • Findings by criticality: Number of critical findings out of your total assets.
    • Assets monitored by top 5 sources: Top five Service Graph Connectors reporting on assets.
    • Cloud accounts: Number of Cloud accounts monitored by AWS and Azure.
    • Open vs closed findings: Comparison of records still in process or awaiting resolution and those that are resolved.
    Key insights
    • Endpoint protection agent installed: Total number of assets that have or do not have endpoint protection.
    • Managed device coverage: Number of managed assets compared to those that are unmanaged.
    • Vulnerability scan coverage: Total number of scanned assets compared to the number that are not scanned for known vulnerabilities by a third-party vulnerability scanner.
    • Assets with critical vulnerabilities: Number of assets out of the total number of assets that have critical vulnerabilities.
    • Vulnerable items by criticality: Total number of vulnerable items broken down by their severity. A known vulnerability that matches an asset in your CMDB results in a vulnerable item.
    • Top 3 policies by findings: Policies that return the most findings (matches) on your assets.

    Key use case coverage

    Select a use case and select Help activate or Help improve to view which Service Graph Connectors and policies should be activated for the key use cases.