Vulnerability Response assignment rules overview

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Vulnerability Response Assignment Rules Overview

    The Vulnerability Response assignment rules automate the assignment of vulnerable items (VIs) to assignment groups for remediation based on defined criteria. A default rule, "Assign to CI Support Group," directs VIs to the CI Support Group associated with the corresponding configuration item (CI). Note that manually created assignments are not reevaluated by these rules.

    Show full answer Show less

    Key Features

    • Assignment Methods: VIs can be assigned automatically using user groups, user group fields from the cmdbci table, or custom scripts for advanced conditions.
    • Rule Execution Order: High-priority rules are executed first, followed by general and default rules to ensure proper handling of VIs.
    • Rule Evaluation Process: Each new, updated, or reopened VI is compared against assignment rules in order, with the first matching rule assigning the VI. If no match is found, the default assignment group is applied.
    • Reapplying Rules: Changes to assignment rules can be applied to open VIs using the Apply Changes button. A scheduled job can automate this process but excludes manually assigned VIs.
    • Regrouping Options: Enabling specific system properties and business rules allows for automatic regrouping of VIs when assignment group changes occur.

    Key Outcomes

    By utilizing assignment rules, ServiceNow customers can effectively streamline the process of managing VIs, ensuring that vulnerable items are accurately assigned for remediation. The ability to reapply rules and regroup VIs enhances operational efficiency and responsiveness to changing conditions. Additionally, the Vulnerability Manager Workspace offers a more efficient way to manage assignments than the classic UI.

    Define the criteria by which vulnerable items (VIs) are automatically assigned to an assignment group for remediation.

    A default assignment rule, Assign to CI support group, is included in the base system assigning vulnerable items to the CI Support Group. The Assign to CI support group rule assigns a VI to whatever support group is set for the configuration item (CI) that is associated with the VI.
    Note:
    The assignment rules do not reevaluate manually created assignments.

    Assignment type, whether Manual or Rule is available from the VI form and the list view. Any VI that was originally assigned by a rule but subsequently manually reassigned contains a reference to the original rule.

    Use Assignment rule and Assignment type information to identify cases where the assignment rules did not find a correct match for the intended recipient. You can also use the information to identify which rules had the most reassignments.

    The Assignment groups set by Assignment Rules are used by Remediation Task Rules to assign owners to remediation tasks (VULs).
    Note:
    To make Rapid7 InsightVM asset tags available for use in the Condition filter for Assignment Rules, you must run the Rapid7 InsightVM Asset List integration before the other Rapid7 InsightVM integrations.

    Case sensitivity for the search text you enter in the condition builder is not supported on this record or form.

    Assigning vulnerable items automatically

    There are three different ways to assign vulnerable items using Assign using:
    • User group: This option allows you to select any of the existing ServiceNow AI Platform® user groups.
    • User group field: This option allows you to choose any assignment group field available using the cmdb_ci table. By default, you see the following three group fields:
      • None: Indicates no default value for this mandatory field
      • Configuration Item: Approval Group
      • Configuration Item: Assignment Group
      • Configuration Item: Support Group
    • Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow expertise. For more information on how to use the script editor to define complex conditions, see the KB0965240 KB article.

    Run high priority rules (items that need special handling, where risk is critical, or a VI should be handled by regulatory compliance) first. Next, run your general rules, where no special handling is required, and you know who should be responsible for them. Finally, create a default rule to assign VIs to the group that will figure out what assignment group it should belong to. This group could add another rule to cover their decisions. This default rule would run last.

    Assignment rule evaluation process

    Assignment rules are used to evaluate and assign a VI when a new VI is opened, that is, imported, created manually, or reopened. Unless you manually reapply assignment rules after the VI or its state changes, a VI is evaluated once.

    The following process is used for each new, updated or reopened VI:
    • For each vulnerability assignment rule, the VI is compared to the assignment filter, lowest order rule first.
    • Where the condition matches, the VI is assigned an assignment group. The lookup stops.
    • Where the conditions do not find a match among all the other rules, the VI is assigned to the default assignment group, if a default rule exists.
      Once the vulnerable item has been assigned, the appropriate remediation task rule uses assignment as one of its criteria for placing the vulnerable items into a remediation task. See Vulnerability Response remediation tasks and remediation task rules overview and Filtering within Vulnerability Response for more information.
      Note:
      The default rule is the rule with the highest execution order value. A final rule to use that is a good catch-all is active=true. If there is no default rule, the VI remains unassigned when the remediation task rule makes the assignment.

    Reapplying assignment rules

    When you change an assignment rule, use the Apply Changes button on the Assignment Rules list page to rerun all the changed rules on all active Open VIs, except those that were manually assigned.
    Note:

    If the Reapply all vulnerability assignment rules scheduled job has not run before the first time you use Apply Changes, then it runs all the assignment rules on all Open VIs except those VIs that were manually assigned. After that, all subsequent uses of Apply Changes rerun only the changed rules and any dependent rules. Changes to one rule may result in a VI matching a different unmodified rule. Reapplying assignment rules does not regroup the vulnerable items.

    The scheduled job [Reapply all vulnerability assignment rules] is inactive by default. When activated, it applies all the rules to all open VIs except those manually assigned. It can run Daily, Weekly, Monthly, Periodically, Once, or On Demand. Depending on how many active VIs you have in your environment, remember to set the Run field appropriately following the initial run to prevent performance impacts.

    Upgrade customers should refer to the Vulnerability Response Release Notes for information regarding the impact of this feature on existing VIs.

    Important:
    As a vulnerability admin and analyst, you can obtain the latest assignments for selected vulnerable items in the Vulnerability Manager Workspace. This method is more efficient than running the Assignment Rules for all vulnerable items in the classic UI, which is a time-consuming process. For more information, see Re-evaluate the remediation properties of the records in the Vulnerability Manager Workspace.

    When an assignment group on an assignment rule changes, the vulnerable items can be automatically reevaluated and regrouped by enabling the system property sn_vul.rerun_task_rules and business rule Link to Remediation Tasks.

    To enable the system property:
    1. Navigate to All > System Properties > All Properties.
    2. Open sn_vul.rerun_task_rules system property.
    3. In the Value field, set the value to true.
    When the system property is set to true, and the assignment rules are reapplied, the vulnerable items are unlinked from the remediation tasks, where the condition no longer matches.
    Note:
    By default, the system property sn_vul.rerun_task_rules is set to false.

    To automate the regrouping of vulnerable items, you must activate the business rule Link Remediation Tasks.

    To enable the business rule:
    1. Navigate to All > System Definition > Business Rules.
    2. Open Link to Remediation Tasks business rule.
    3. Select the Active check box to activate the business rule.
    The business rule on being enabled, regroups the vulnerable items by moving them to the relevant group or by creating a group if they can't be grouped under any existing group.
    Note:
    • The vulnerable items are removed from the groups without deleting the groups.
    • Only those items are removed which are created using remediation task rules or remediation effort.
    • Regrouping is done automatically only when the assignment group changes as part of an assignment rule and not when it is manually changed.
    Regrouping in workspaces is performed for remediation tasks, which are created from a Remediation effort.