Create a Vulnerability Response assignment rule for service support

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 2 minutes de lecture

    • Use the following script to create a rule that assigns vulnerable items for remediation based on the business services they impact.

    Avant de commencer

    Role required: sn_vul.vulnerability_admin

    Starting with v30.0 of Vulnerability Response, the Administration console in the Security Exposure Management Workspace enables one-stop configuration for all Unified Security Exposure Management applications, including assignment rules, classification rules, and remediation targets. It provides consistent workflows across Vulnerability ResponseApplication Vulnerability ResponseContainer Vulnerability Response, and Configuration Compliance applications. For more information, see Configure rules to manage findings.

    Pourquoi et quand exécuter cette tâche

    You might prefer to perform this task only if you have advanced coding experience, or you have in-depth knowledge about the ServiceNow AI Platform and how assignment rules work.

    With this rule, VIs are assigned according to how closely they match to the business services listed in your CMDB. If no related services, departments, or support groups are matched, VIs are assigned to the Vulnerability Analyst group.

    This rule might help you reduce the number of VIs that are incorrectly assigned or remain unassigned after other assignment rules have already completed.

    Procédure

    1. Navigate to All > Vulnerability Response > Administration > Assignment Rules.
    2. Select New.
    3. Fill in the fields on the form, as appropriate.
      See Create or edit Vulnerability Response assignment rules for more information about these fields.
    4. From the Assign using choice list, select Script.
    5. In the editor, copy and paste the following script. 
      /*
Assigns Vulnerable Item based on related Business Service
Assigns to default Vulnerability Analyst group if no related Business Service
*/
assignToServiceSupport(current);

function assignToServiceSupport(vitGR) {
    var ci = vitGR.getValue('cmdb_ci');
    var defaultAssignmentGroup = 'Vulnerability Analyst';
    var defaultGR = new GlideRecord('sys_user_group');
    defaultGR.get('name', defaultAssignmentGroup);
    var defaultAssignmentGroupID = defaultGR.sys_id;

    var maxSizeValue = global.SecProperty.getProperty("sn_sec_cmn.services_affected_by_CI_max_size", 1000);
    var maxDepthValue = global.SecProperty.getProperty("sn_sec_cmn.services_affected_by_CI_max_depth", 10);
    var customValues = {
        "maxDepth": maxDepthValue,
        "maxSize": maxSizeValue
    };
    var ciu = new global.CIUtils();
    var services = ciu.servicesAffectedByCI(ci, customValues);
    var svc = new GlideRecord("cmdb_ci_service");
    var hasSvc = false;
    if (services && services.length > 0) {
        svc.addQuery("sys_id", "IN", services.join(",")); // returns the service with highest business criticality. Implement alternate logic here.
        svc.addNotNullQuery("busines_criticality"); // typo intended
        svc.orderBy("busines_criticality");
        svc.setLimit(1);
        svc.query();
        hasSvc = svc.next();
    }
    if (!hasSvc) {
        // If there are no services it should be assigned to a default assignent group
        return defaultAssignmentGroupID;
    } else {
        var serviceAssignmentGroup = hasSvc.getValue('support_group'); //Also consider managed_by_group, assignment_group, change_control
        return !gs.nil(serviceAssignmentGroup) ? serviceAssignmentGroup : defaultAssignmentGroupID; //Return the Service assignment group if it is not empty, return the default assignment group otherwise.
    }
}
    6. Select Submit.

    Que faire ensuite

    Review for more general information about assignment rules and the Reapply all vulnerability assignment rules scheduled job.