Automatically close vulnerable items related to retired CIs

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 1 minute to read

    • If the Configuration Management Database (CMDB) changes the life cycle stage status of a configuration item (CI) to retired, you can choose to automatically close the associated vulnerable items (VIs) and detections.

    Before you begin

    Role required: sn_vul.admin

    About this task

    Starting with v22.0 of Vulnerability Response, to automatically close the associated VIs and detections, you must enable the system property sn_vul_cmn.auto_close_vis_linked_retired_cis to auto-close VIs that are associated with retired CIs. To enable the option, set the Value field to '1'. Conversely, to disable the option, set the Value field to '0'.

    During an upgrade if the system property sn_vul_cmn.auto_close_vis_linked_retired_cis is selected in v21.0 of Vulnerability Response, then the value remains as '1'. When this option is enabled, any new or existing VIs and detections reported for the same CI, are automatically created or updated with a status of 'Closed'. This is based on the Asset ID in the scanner payload and status of the Discovered Items entry. For more information on the impact of retired CIs, see Working with retired configuration items

    .
    Note:
    • The state of a DI is updated to 'CI decommissioned' whenever the life cycle state of a CI is updated. On the other hand, the state of a VI is updated to Closed only when the Auto-close VIs linked to retired CIs option is enabled.
    • The information provided in the following procedure is only applicable to versions prior to v22.0 of Vulnerability Response. Starting from v22.0 of Vulnerability Response, you have the option to configure additional search options. See Create auto-close rules for more information.

    Procedure

    1. Navigate to All > Vulnerability Response > Auto-Close Configuration > Configuration Item Lifecycle.
    2. To automatically close vulnerable items associated with the retired CIs, select the Auto-close VIs linked to retired CIs check box.
    3. Select Update.
      Note:
      If a CI is already retired before the Auto-close VIs linked to retired CIs option is enabled, VIs are created only for new detections from scanners. The state of these VIs is Closed and the substate is CI Decommissioned.

      You cannot manually reopen VIs whose state is CI decommissioned, using the Reopen or Bulk Edit options.

      Closed VIs with a substate of fixed or stale are reopened if a new detection is created and the VIs can be matched with the new vulnerability. See Detections, remediation tasks, and vulnerable item states for more information.