Configure Auto-Close Stale Detections

  • Release version: Australia
  • Updated March 12, 2026
  • Enable Auto-Close Stale Detections to automatically close stale vulnerable detections not recently found by your third-party integrations.

    Before you begin

    Role required: admin

    About this task

    Stale detections most likely result from a remediation that targeted a critical-risk vulnerable item (VIT) and also addressed multiple lower-criticality VITs that are still in the Open state. Moving these VITs to Closed reduces the number of active VITs and vulnerability groups in your ServiceNow AI Platform instance.

    Procedure

    1. Navigate to All > Vulnerability Response > Administration > Auto-Close Configuration > Stale Detections.

      The Auto-Close Stale Configuration form is displayed.

    2. Fill in the fields.
    3. For the Auto-close stale detections based on field, select Detections last found from the list.
      This option uses the most recent date on which the scanner found the detections again.
      Note:
      The Devices last scanned option is not applicable for OT scanners.

      Starting from v22.0 of Vulnerability Response, you can configure additional options for your search. See Create auto-close rules for more information.

    4. To enable the module, select the Active check box.
    5. In the Detections last found (days ago) field, enter the age of stale detections, in days.

      The default is 90 days. You can enter any positive value for the number of days. This value is used to match a last detected date provided by Microsoft Defender for IoT. With 90 and Detections last found displayed, any vulnerable items not detected in the last 90 days are automatically closed.

    6. Optional: To ignore stale detections that are mapped to deferred VITs or VITs currently in review for deferral, select the Ignore the stale detections for deferred VIs check box.
      If you leave this option disabled, any detections that match your criteria are closed, including those mapped to deferred VITs or to VITs that are in review for deferral. The deferred VITs, or VITs in review, that correspond to these detections are also automatically closed based on the rollup logic. For more information on rollup logic, see Closing stale detections in Vulnerability Response.

      If you enable this option, any detections that match your criteria that map to deferred VITs, or to VITs that are in review for deferral, are skipped during auto-close.

    7. Optional: Deselect the Ignore stale detections for closed VIs check box.
      By default, this check box is selected so that a closed VIT is not reopened when a new detection for that closed VIT is identified. For more information on rollup logic, see Closing stale detections in Vulnerability Response.
    8. Select Update.

      The Auto-Close Stale Detections scheduled job runs daily. The job determines whether you have selected the date when detections were last found or the date when assets were last scanned. It then transitions the corresponding detections to the Stale state. The Auto-Close Stale Detections feature closes stale detections only for active integration instances. Vulnerable items and detections associated with active integration instances are closed. Starting from v21.1 of Vulnerability Response, the scheduled job has been modified to take into account the common table [sn_vul_cmn_auto_close_rule].

      After the detections are marked as Stale, if the scanner reports finding that detection again, the Status field of the detections transitions to Open. The detection's corresponding vulnerable items are also reopened.

      Additionally, if the detection is marked as Stale, and the scanner finds that it is Fixed, the detection transitions to Closed. The state also rolls up to the VITs.
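
The rules described above, as an added example that is not part of the original page and is not ServiceNow code: a plain JavaScript model for previewing which detections a given configuration would mark Stale, and what a later scan result does to them. It covers only the Detections last found basis and does not model the closed-VI option. The field names, the sample records, and the strict "older than N days" boundary are assumptions.

```javascript
// Added illustration, not ServiceNow code: a plain-JavaScript model of the
// stale-detection rules described on this page. Field names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// One run of the daily job on the "Detections last found" basis.
// config = { active, daysAgo, ignoreDeferred } mirrors the form fields.
function runStaleJob(detections, config, now) {
  const cutoff = now.getTime() - config.daysAgo * DAY_MS;
  return detections.map((d) => {
    const next = { ...d };
    if (!config.active) return next;            // Active check box cleared
    if (d.state !== 'Open') return next;        // assumption: only Open detections age out
    if (!d.integrationActive) return next;      // only active integration instances
    if (config.ignoreDeferred && d.vitDeferredOrInReview) return next; // skipped
    // Assumption: "not detected in the last N days" = strictly older than cutoff.
    if (new Date(d.lastFound).getTime() < cutoff) next.state = 'Stale';
    return next;
  });
}

// Effect of a later scanner report on a detection already marked Stale.
function applyScanResult(detection, result) {
  const next = { ...detection };
  if (detection.state !== 'Stale') return next;
  if (result === 'found') next.state = 'Open';    // VITs are reopened as well
  if (result === 'fixed') next.state = 'Closed';  // state rolls up to the VITs
  return next;
}

// Constructed sample data (not from a real instance).
const NOW = new Date('2026-03-12T00:00:00Z');
const SAMPLE = [
  { id: 'DET-1', state: 'Open', lastFound: '2025-11-01T00:00:00Z', integrationActive: true, vitDeferredOrInReview: false },
  { id: 'DET-2', state: 'Open', lastFound: '2026-02-20T00:00:00Z', integrationActive: true, vitDeferredOrInReview: false },
  { id: 'DET-3', state: 'Open', lastFound: '2025-10-01T00:00:00Z', integrationActive: false, vitDeferredOrInReview: false },
  { id: 'DET-4', state: 'Open', lastFound: '2025-10-01T00:00:00Z', integrationActive: true, vitDeferredOrInReview: true },
];

// Preview which detections a given configuration would mark Stale.
function previewStale(config) {
  return runStaleJob(SAMPLE, config, NOW)
    .filter((d) => d.state === 'Stale')
    .map((d) => d.id);
}

console.log(previewStale({ active: true, daysAgo: 90, ignoreDeferred: true }));
console.log(previewStale({ active: true, daysAgo: 90, ignoreDeferred: false }));
```

Comparing the two previews shows the effect of the deferral check box: with it cleared, the detection mapped to a deferred VIT is swept up along with the rest.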