False Positive overview

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read

    A false positive is a condition in which the scanner reports that a vulnerability exists in the system when in reality there is none. There can be several causes, such as incorrect classification or improper logic or algorithms in the scanner. The remediation owner can mark vulnerable items (VIs) or remediation tasks (RTs) as false positives.

    Important:
    You can mark the host vulnerable items as false positive in bulk in the Vulnerability Manager Workspace. For more information on how to mark the host vulnerable items as false positive in bulk, see Bulk edit for false positive in the Vulnerability Manager Workspace.

    Life cycle of a false positive

    Meaning of false positive
    The scanner sometimes reports a vulnerability when in reality there is none. For example, if a configuration item has been decommissioned but the scanner is still raising an issue related to it, mark that issue as a false positive.
    Marking as a false positive
    For details on marking a VI or RT as a false positive, see Mark as a false positive.
    Working with the false positive
    Once a VI or RT is marked as a false positive, the state is updated to Closed and the substate is changed to False Positive. The following actions can be performed:
    • Reopen
    • Delete
    • Update the date in the Until field. This date is then used as the expiry date for the false positive.
    Note:
    If not approved, the VI or RT reverts to its previous state.
    Approving a false positive
    The approver can approve the false positive from their approval workflow.
    Note:

    Starting from Vulnerability Response v15.0, if you are deploying the VR application for the first time, the flow designer for exception management is enabled by default. If you are already using the workflow, you can update to the flow designer. In both cases, you cannot change it back to workflow. To configure approval rules for exception management and false positive, see Configure approval rules for Exception Management.

    Reopening a false positive
    A VI or RT in a false positive substate can be reopened anytime.
    Tracking a false positive
    Use the State Change Approvals section to track the status of the false positive. Once approved, the state of the VI or RT is updated to Closed and the reason is False Positive.
    Expiry of a false positive
    Only the false positive approver can set an Until date for the false positive, which is the date on which the VI or RT expires. Only false positives for which the approver has provided an Until date can expire, and the date can be provided after the false positive is approved.
    A false positive without an Until date is a permanent false positive. After a false positive expires, the state of the VI or RT moves back to Open.
    Note:

    Starting from v21.0 of Vulnerability Response, you can configure the time frames for approving false positives and exceptions, along with email notifications for both the approver and requester after a set number of days. When a request is raised, the vulnerable item changes to In-Review status and a state change record is created. If the approver doesn't respond within the configured time frame, the vulnerable item or remediation task reverts to Open status. The previous state is stored in the backup_state field. For more information, see Configure approval rules for Exception Management.

    Figure 1. False positive approval process prior to v15.0
    Life cycle of a false positive.

    If all VIs pass the next scan, they are closed automatically regardless of their current state: the VI State field, or the RT State field where applicable, changes to Closed with the substate Fixed.
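The life cycle above, written out as a small state model so the time-driven transitions are explicit. This is an added illustration, not ServiceNow code: the class, its method names and the fixed state and substate strings are assumptions; only the state names, the Until date and the backup_state field come from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed model of the false-positive life cycle described above.
# Not ServiceNow code: class and method names are assumptions.
@dataclass
class VulnerableItem:
    state: str = "Open"
    substate: Optional[str] = None
    backup_state: Optional[str] = None   # previous state, kept while In-Review
    until: Optional[date] = None         # expiry date set by the approver
    requested_on: Optional[date] = None

    def request_false_positive(self, today: date) -> None:
        # Raising the request moves the item to In-Review and saves the old state.
        self.backup_state = self.state
        self.state, self.requested_on = "In-Review", today

    def approve(self, until: Optional[date] = None) -> None:
        # Approved: Closed / False Positive. No Until date means a permanent false positive.
        self.state, self.substate, self.until = "Closed", "False Positive", until
        self.backup_state = None

    def reject(self) -> None:
        # Not approved: the item reverts to the state it had before the request.
        self.state, self.backup_state = self.backup_state or "Open", None

    def reopen(self) -> None:
        # A false positive can be reopened at any time.
        self.state, self.substate, self.until = "Open", None, None

    def scan_passed(self) -> None:
        # The next scan no longer finds the issue: auto-close regardless of state.
        self.state, self.substate, self.until = "Closed", "Fixed", None

    def tick(self, today: date, approval_window_days: int) -> None:
        # Time-driven transitions: approver timeout, then expiry of the Until date.
        if (self.state == "In-Review" and self.requested_on is not None
                and today - self.requested_on > timedelta(days=approval_window_days)):
            self.state, self.backup_state = "Open", None
        elif (self.state == "Closed" and self.substate == "False Positive"
                and self.until is not None and today > self.until):
            self.state, self.substate, self.until = "Open", None, None
```

Calling tick() from a daily job is enough to reproduce both the approval timeout and the Until-date expiry; a permanent false positive (no Until date) is never touched by it.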

    For more information, see Marking and approving a false positive.