View Configuration Compliance tests
Use this module to research detailed information about these tests. Included are the expert source citations that were used when creating them, the third-party configuration policies in which they are used, and the results obtained from the scan.
Before you begin
- sn_vulc.admin to update
- sn_vulc.remediation_owner to view
| Terminology prior to v14.9 | Terminology v14.9 onwards |
|---|---|
| Test Result Group | Remediation Task |
| Group Rules | Remediation Task Rules |
| Policy | Test group |
Procedure
- Navigate to All > Configuration Compliance > Controls.
- Navigate to All > Configuration Compliance > Tests.
- From the list, open the control (compliance test) you want to view.
Starting with version 12.0, to update these values on demand, below the Remediation status tab, click the Update Status Related link. A message is displayed that indicates the data is being refreshed. Click the View status link to view progress on the update. After a few moments, any data that has changed or been updated since the last scheduled job is refreshed on the record. Field values such as the Risk Score, Risk Rating, Remediation target date, State, and the fields on the Remediation Status tab are refreshed.
Table 2. Configuration Compliance test form fields

| Field | Description |
|---|---|
| Number | Number assigned to the control during the import process. |
| Result | Status of the scan. Pass or Fail. If this test belongs to multiple remediation tasks, then its state is determined following an order of precedence. |
| Source | System name of the third-party integration application, or the name entered in the plugin for the API that is used to communicate with Configuration Compliance. |
| Criticality | Severity of the configuration issue or issues associated with the control as defined in the third-party integration. The level of criticality is adjusted to match the granularity of similar vulnerability indicators available in Vulnerability Response. The possible levels are:<br>- Critical: The configuration issue associated with the control is causing a disruption to one or more business-critical CIs.<br>- High: The configuration issue associated with the control is a threat, but is not causing a shutdown of critical network resources.<br>- Moderate: The configuration issue associated with the control is a risk, but is not an immediate threat.<br>- Low: The configuration issue associated with the control is a low-level threat and can be ignored in favor of CIs that are at greater risk.<br>- Minor: The configuration issue associated with the control is a minor risk and can be ignored if necessary. |
| Source ID | Identifier assigned to the control by the third-party integration. |
| Category | Major classification category given to this type of control by the third-party vendor. |
| Risk score | This is a rollup risk score. This risk score is weighted, with 85% of the score from the max risk score across all Test Results not 'Closed' (Open, Under Investigation, Awaiting Implementation, Deferred, Resolved), and 15% of the score from the number of test results that are not 'Closed'. Value calculated by risk score calculators that is based on the business criticality and test criticality values of test results. |
| Sub-category | Sub-category assigned to this class of test by the third-party vendor. |
| Risk rating | Rating on a 1-5 numeric scale, derived from ranges of risk scores, that rates overall risk from 1 - Critical to 5 - None. This field replaces the Priority field in previous versions. |
| Technologies | List of technologies covered by this test. |
| Source created | Date the test was first defined in the third-party integration. |
| Source updated | Date the test was last updated in the third-party integration. |
| Short description | Summary description or title entered or assigned to the test in the third-party integration. |
| Remediation Status (v 12.0) | Excludes Deferred: These values do not include deferred test results.<br>- Open test results: The number (count) of active (any state other than Closed) test results for this configuration test.<br>- % Test results remediated: The percent of remediated test results for this remediation task.<br>- Total test results: The total number of test results for this remediation task.<br>Includes Deferred: These values include deferred test results.<br>- Open test results: The number (count) of all active (any state other than Closed) test results for this remediation task.<br>- % Test results remediated: The percent of remediated test results for this remediation task.<br>- Total test results: The total number of test results for this remediation task. |
| Description | Long description of the test. For the Qualys Vulnerability Integration, this field defaults to the contents of the Qualys Cloud Platform cover page. |
| Remediation Steps | Instructions describing how to remediate the non-compliance. |
| Related Tabs | |
| Citations | List of citations entered for each authoritative source associated with the test. |
| Test Groups | List of Configuration Compliance test groups that use this test. |
| Test Results | List of CIs affected by the configuration issue or issues associated with this test. You can access individual tests, ServiceNow configuration items, or the list of affected technologies, if necessary. |
| GRC Policy Statements | If the GRC Policy and Compliance Management plugin is installed, this tab contains the related GRC policy. You can edit this list to add or remove policy statements. |
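
The following added example (not ServiceNow code) works through the Risk score rollup and the two Remediation Status views over constructed test results. The sample records, the 0-100 score scale, the `COUNT_CAP` scaling of the result count, and the reading of "remediated" as Closed are assumptions; the page does not specify them.

```javascript
// Constructed sample: test results for one Configuration Compliance test.
// riskScore values use an assumed 0-100 scale.
const results = [
  { ci: "web-01", state: "Open", riskScore: 82 },
  { ci: "web-02", state: "Under Investigation", riskScore: 64 },
  { ci: "db-01", state: "Deferred", riskScore: 91 },
  { ci: "db-02", state: "Resolved", riskScore: 40 },
  { ci: "app-01", state: "Closed", riskScore: 75 },
  { ci: "app-02", state: "Closed", riskScore: 55 },
];

// Assumption: the page does not say how the count becomes a score, so this
// hypothetical cap maps 0..COUNT_CAP non-Closed results onto 0..100.
const COUNT_CAP = 10;

// "Active" follows the page: any state other than Closed.
const isActive = (r) => r.state !== "Closed";

// Rollup: 85% from the max risk score of non-Closed results,
// 15% from the number of non-Closed results.
function rollupRiskScore(rows) {
  const active = rows.filter(isActive);
  if (active.length === 0) return 0;
  const maxScore = Math.max(...active.map((r) => r.riskScore));
  const countScore = (Math.min(active.length, COUNT_CAP) / COUNT_CAP) * 100;
  return Math.round(0.85 * maxScore + 0.15 * countScore);
}

// Remediation Status counters for the "Excludes Deferred" and
// "Includes Deferred" views. Assumption: remediated means Closed.
function remediationStatus(rows, includeDeferred) {
  const scope = includeDeferred
    ? rows
    : rows.filter((r) => r.state !== "Deferred");
  const open = scope.filter(isActive).length;
  const total = scope.length;
  const pctRemediated =
    total === 0 ? 0 : Math.round(((total - open) / total) * 100);
  return { open, total, pctRemediated };
}

console.log("risk score:", rollupRiskScore(results));
console.log("excludes deferred:", remediationStatus(results, false));
console.log("includes deferred:", remediationStatus(results, true));
```

In this sample the deferred result on `db-01` supplies the maximum risk score, because Deferred counts as not Closed for the rollup, even though the "Excludes Deferred" view leaves it out of the remediation counters.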