Automatically closing stale test results in Configuration Compliance

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Automatically closing stale test results in Configuration Compliance

    The Auto-Close Stale Test Results feature in Configuration Compliance helps ServiceNow customers automatically close older, inactive test results that have not been recently updated or detected by third-party integrations. By moving these test results to aClosed-Stalestate, customers can reduce the volume of active test results and remediation tasks, thereby simplifying asset reconciliation within the Configuration Management Database (CMDB).

    Show full answer Show less

    Key Features

    • Automatic Closure of Stale Test Results: Test results that have not been found or updated by third-party scanners within a user-defined timeframe can be automatically closed.
    • Configurable Condition Builder: Customers can define filter conditions such as the duration since last detection to determine which test results should be closed.
    • Resolution Field Enhancement: A new resolution value, Closed-Stale, distinguishes test results closed by this auto-close feature from those closed directly by scanners.
    • State Rollup Logic: The feature intelligently updates test result group (TRG) states based on the states of individual test results (TRs), following the precedence Open > Closed > Fixed-Closed > Closed-Stale.
    • Support for Key Integrations: Compatible with third-party scanners such as Qualys and Tenable.io, ensuring seamless integration with popular vulnerability detection tools.
    • Terminology Updates: Starting with version 14.9, terms like Test Result Group and Rules have been renamed to Remediation Task Group and Remediation Task Rules, aligning with updated nomenclature.

    Key Outcomes

    • Reduced Noise and Workload: By automatically closing stale test results, customers maintain a cleaner and more manageable set of active findings and remediation tasks.
    • Improved Asset Reconciliation: Closing outdated results supports more accurate CMDB alignment with the current state of assets.
    • Clear Differentiation of Closure Causes: Distinct resolution states help teams understand whether results were closed by scanners or by the auto-close feature.
    • Enhanced Operational Efficiency: The feature streamlines remediation processes by focusing efforts on relevant and current test results.

    Practical Application

    To leverage this feature, ServiceNow customers need to activate the Auto-Close Stale Test Results module and configure appropriate filter conditions based on their environment and scanning frequency. For example, setting the condition to close test results not updated in the last 90 days will automatically transition these results to a closed state, reducing clutter and focusing attention on active compliance issues.

    You can activate the Auto-Close Stale Test Results feature to automatically close older test results not recently found by your third-party integrations. Moving these test results to Closed-Stale reduces the number of active test results and remediation tasks in your instance and helps you reconcile assets in your Configuration Management Database (CMDB).

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 Terminology v14.9 onwards
    Test Result Group Remediation Task
    Group Rules Remediation Task Rules
    Policy Test group

    Overview

    The Auto Close Stale Test Results module helps you automatically close older, stale test results not recently found by your third-party integrations. Test results are moved to Closed-Stale based on the conditions you set in the condition builder.

    Key terms

    Test result
    Tests results are imported results from libraries of configuration tests that are mapped to frameworks, policies, and authoritative sources that define how a class of technology assets should be governed. The Configuration Compliance application does not calculate the test results but imports them with third-party integrations.
    Asset last scanned date
    Refers to the value of Last configuration compliance scan date column of the Discovered Item table that is related to the test result. This date refers the most current date and time an asset was last scanned by a third-party scanner.
    Last failed date
    Refers to the Last seen column date of the Test Results table when the Result field value is [failed].
    Stale test results
    Refers to test results in your instance that are aged and have not been found, updated, or detected by third-party integration scans for a significant amount of time.
    Test Results last found
    This search option uses a date and time provided by the third-party scanner. This term refers to the most current, or latest date (days ago) that test results were found again by the scanner. This parameter can be configured.

    Use case

    At times, assets (configuration items) might be decommissioned in your environment or purged by third party-scanners. When this happens, the assets' associated configuration test results are not updated in the Configuration Compliance application by imported detections and they become inactive (stale).

    To reduce the number of active test results (TRs) and remediation tasks (RTs) in your instance, activate the Auto-Close Stale Test Results feature. This feature closes aged test results automatically that have unchanged states or have not been recently imported by your integrations.

    As an example, suppose a particular configuration item (CI) has multiple asset IDs, and one of these IDs has not been imported on detections from a third-party scanner in the last 90 days. If you set the condition builder in the Auto-Close Stale Test Results module to close tests results that have not been found or updated in the past 90 days or more, this feature automatically closes any test results that match this filtering.

    Note:
    This feature only closes test result detections based on the filter conditions that you set in the condition builder and are detected by your third-party scanner integrations.

    The Resolution field

    To differentiate between the detections that are closed by third-party scanners such as the Qualys and Tenable.io products and the Auto-Close Stale Test Results feature in your instance, a new value for the Resolution field, [Closed-Stale], has been added. Closed-Stale indicates that a TR was closed by the auto-close feature. Closed or Fixed-Closed indicates that a TR was closed by a scanner.

    Rollup of TR states to TRGs with the Auto-Close feature

    The state progression and precedence for test results is: Open > Closed > Fixed-Closed > Closed-Stale.

    1. If any TRs in a TRG are Open, the TRG state is not changed.
    2. If at least one TR is Closed - Fixed and the rest are Closed - Stale, the TRG state transitions to Closed - Fixed.
    3. If all the TRs in a TRG are Closed - Stale, the TRG state transitions to Closed - Canceled.

    Supported integrations

    For more information on the third-party integrations that support this feature, see Understanding the Qualys Vulnerability Integration and Tenable.io integrations with the Vulnerability Response and Configuration Compliance applications.