Closing stale detections in Vulnerability Response
Summary of Closing stale detections in Vulnerability Response
The Auto-Close Stale Detections module in ServiceNow Vulnerability Response helps automatically identify and close older, inactive vulnerability detections that have not been updated or found by third-party scanners for a specified period. This cleanup reduces the number of active vulnerable items (VIs) and remediation tasks (RTs), streamlining your vulnerability management process and improving asset reconciliation in your CMDB.
Key Concepts and Functionality
- Stale detections: Vulnerability detections that have not been recently found or updated by third-party scanner integrations.
- Detections last found: The latest date/time a detection was identified by a scanner.
- Assets last scanned: The last scan date/time of an asset by a third-party scanner.
- The module selectively closes only those detections meeting your criteria for staleness, allowing other active detections tied to the same vulnerable item to remain open until remediated.
- To activate this feature, you configure search criteria and an age threshold (in days) for stale detection closure.
State Rollup Logic
- Detection statuses include Open, Closed, and a new Stale status indicating auto-closure by this feature.
- Rollup precedence for vulnerable items: Open > Closed > Stale. If any detection is Open, the VI remains Open.
- If all detections are Stale, the VI transitions to Closed - Stale; if some are Closed and some Stale, the VI transitions to Closed - Fixed.
- Remediation tasks (VUL) roll up states from associated VIs similarly, with special handling to avoid reopening VIs unnecessarily.
- You can configure whether to ignore stale detections for already closed VIs to prevent reopening during new detection events.
Integration Requirements and Considerations
Auto-Close Stale Detections supports multiple third-party vulnerability integrations, including Microsoft TVM, Qualys, Rapid7, and Tenable. Key points include:
- Microsoft TVM: If basing closure on "Detections last found," ensure the Microsoft TVM Machine Vulnerabilities Integration runs successfully at least once every seven days to guarantee accurate stale detection identification.
- Qualys: No specific integration requirements; any active Qualys detection integrations work with this module.
- Rapid7: Similar to Microsoft TVM, a successful weekly run of the Rapid7 Comprehensive Vulnerable Item Integration is needed when using "Detections last found" as the criterion.
- Tenable: Any active Tenable Vulnerability Integrations retrieving detection data are compatible without additional requirements.
- Multiple instances of integrations can be deployed, but auto-close functionality applies globally across your environment and depends on successful integration runs.
Upgrade Information
When upgrading from the previous Auto-Close Stale Vulnerable Items module to Auto-Close Stale Detections:
- Configured day thresholds for "Assets last scanned" and "Vulnerable items last found" are preserved automatically.
- Open detections previously marked Closed - Stale transition to the new Stale status based on your auto-close settings after upgrade.
- Vulnerable items maintain consistent state behavior based on the new detection states, following the updated rollup logic.
Practical Benefits for ServiceNow Customers
- Automatically cleans up stale vulnerability detections, reducing clutter and improving focus on active vulnerabilities requiring remediation.
- Helps maintain accurate and current vulnerability data by closing outdated detections tied to decommissioned or rescanned assets.
- Supports multiple popular third-party vulnerability scanners with clear integration requirements to maximize effectiveness.
- Provides configurable parameters to tailor auto-closure behavior to your environment and compliance needs.
- Improves efficiency in vulnerability management workflows by reducing false positives and avoiding unnecessary reopening of closed items.
The Auto-Close Stale Detections module helps you automatically clean up older, stale vulnerable detections not recently found by your third-party integrations. Moving these detections to Closed reduces the number of active vulnerable items and remediation tasks in your ServiceNow AI Platform instance and helps you reconcile assets in your CMDB.
Overview and key terms
To roll up detection data to your vulnerable items more accurately, the Auto-Close Stale Detections module helps you clean up older, stale vulnerable item detections not recently found by your third-party integrations. For more information about this feature, see the use case below.
In previous versions of Vulnerability Response, the Auto-Close Vulnerable Items module automatically transitioned vulnerable items not recently found or updated by your third-party scanner integrations to the Closed - Stale state.
Before you enable the Auto-Close Stale Detections feature, review the following terms, how states roll up to vulnerable items and remediation tasks, and the prerequisites for your third-party integrations that import detection data.
To enable the feature, see Automatically close stale detections in Vulnerability Response.
Key terms
- Stale detections
- Refers to detections associated with vulnerable items in your ServiceNow AI Platform® instance that are aged and have not been found, updated, or detected by third-party integration scans for a significant amount of time.
- Detections last found
- This search option uses a date and time provided by the third-party scanner. This term refers to the most recent date and time at which the scanner found the detection again.
- Assets last scanned
- This search option uses a date and time provided by the third-party scanner. This term refers to the most recent date and time at which a third-party scanner last scanned the asset.
Use case
At times, assets (configuration items) may be decommissioned in your environment or purged by third-party scanners, so their associated detections are no longer updated by the imports of vulnerable item detections. As a result, the detections and their related vulnerable items are not updated in the Vulnerability Response application, and they become inactive (stale).
To close these aged detections with unchanged vulnerable item data, and thereby reduce the number of active VIs and remediation tasks (RTs), enable Auto-Close Stale Detections. This feature automatically closes vulnerable item detections not recently found or updated by your third-party scanner integrations, based on the search criteria and an age in days that you set.
As an example, suppose a particular configuration item (CI) has multiple asset IDs, and one of these IDs has not been imported on a detection from a third-party scanner in the last 90 days. This feature automatically closes this detection that has no new vulnerability data so the associated VI can be closed.
Since a VI can have more than one detection associated with it, this feature only transitions the detections determined to be stale by the parameters you set. For example, if a VI has four detections associated with it, and two detections are stale, that is, no new vulnerability data has been imported in the last 90 days, this feature only closes the stale detections. Before the VI can be closed, you must first remediate the other two open detections.
Rollup of detection states to VIs
To differentiate the auto-closed detections from detections closed by third-party scanners, a new value for the Status field, Stale, has been added. The possible values for this field are Open, Closed, and Stale. Stale indicates that a detection was closed by the auto-close detection feature.
State precedence: Open > Closed > Stale.
- If any detections are Open, the associated VI state remains Open.
- If no detections are Open, some are Closed, and some are Stale, the associated VI state transitions to Closed - Fixed.
- If all the detections are Stale, the associated VI state transitions to Closed - Stale.
Starting with Vulnerability Response 20.0, if a detection is Stale and its associated VI is already in a Closed state, the VI's state doesn't transition to Closed - Stale. This prevents the VI from reopening when a new detection is identified, so that you can avoid going through the entire false positive request and approval process again. To reverse this behavior, deselect the Ignore stale detections for closed VIs check box in the Auto-Close Configuration form. For more information, see Automatically close stale detections in Vulnerability Response.
Rollup of VI states to remediation tasks (VUL)
State precedence: Open > Closed - Fixed > Closed - Stale.
- If any VIs in a VUL (remediation task) are Open, the VUL state is not changed.
- If at least one VI is Closed - Fixed and the rest are Closed - Stale, the VUL state transitions to Closed - Fixed.
- If all the VIs in a VUL are Closed - Stale, the VUL state transitions to Closed - Canceled.
- If any VIs are closed as Closed - False Positive, the VUL does not auto-close.
For more information on state rollup and rolldown scenarios, see State roll-up and roll-down scenarios.
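The two rollup rule sets above (detections to VI, VIs to VUL) plus the age threshold from the use case, modelled as plain functions so the precedence can be checked against constructed sample data. This is an added example, not ServiceNow's code; the field names `status` and `lastFound`, the epoch-millisecond timestamps, and the `ignoreStaleForClosedVis` flag are assumptions that stand in for the platform's own records and the Ignore stale detections for closed VIs check box.

```javascript
// Added example (not ServiceNow's code): the page's rollup rules as plain
// functions. Labels are the page's; field names and timestamps are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Step 1: mark Open detections whose "last found" date is older than the
// configured age (in days) as Stale. Closed detections are left untouched.
function markStaleDetections(detections, ageDays, nowMs) {
  const cutoff = nowMs - ageDays * DAY_MS;
  return detections.map(d =>
    d.status === 'Open' && d.lastFound < cutoff ? { ...d, status: 'Stale' } : d
  );
}

// Step 2: roll detection statuses up to the VI. Precedence: Open > Closed > Stale.
// ignoreStaleForClosedVis models the 20.0 option: an already-closed VI stays in
// its current state when every remaining detection is Stale.
function rollupDetectionsToVi(statuses, currentViState, ignoreStaleForClosedVis) {
  if (statuses.length === 0) return currentViState;
  if (statuses.includes('Open')) return 'Open';
  if (statuses.includes('Closed')) return 'Closed - Fixed';
  // Every detection is Stale.
  if (ignoreStaleForClosedVis && currentViState.startsWith('Closed')) {
    return currentViState;
  }
  return 'Closed - Stale';
}

// Step 3: roll VI states up to the remediation task (VUL).
// Precedence: Open > Closed - Fixed > Closed - Stale; a false-positive VI blocks auto-close.
function rollupVisToVul(viStates, currentVulState) {
  if (viStates.length === 0 || viStates.includes('Open')) return currentVulState;
  if (viStates.includes('Closed - False Positive')) return currentVulState;
  const fixed = viStates.filter(s => s === 'Closed - Fixed').length;
  const stale = viStates.filter(s => s === 'Closed - Stale').length;
  // The page gives no rule for other closed states, so leave the VUL unchanged.
  if (fixed + stale !== viStates.length) return currentVulState;
  return fixed > 0 ? 'Closed - Fixed' : 'Closed - Canceled';
}

// Constructed sample: one VI with four Open detections, two not found in 90+ days.
const NOW = Date.UTC(2024, 0, 1);
const SAMPLE = [
  { id: 'd1', status: 'Open', lastFound: NOW - 120 * DAY_MS },
  { id: 'd2', status: 'Open', lastFound: NOW - 95 * DAY_MS },
  { id: 'd3', status: 'Open', lastFound: NOW - 5 * DAY_MS },
  { id: 'd4', status: 'Open', lastFound: NOW - 2 * DAY_MS },
];
```

Running `markStaleDetections(SAMPLE, 90, NOW)` stales d1 and d2 only, and the VI stays Open until d3 and d4 are remediated, as in the four-detection example in the use case.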
Auto-Close detections and third-party integration requirements
Microsoft TVM users and Auto-Close Stale Detections
| Checklist item | Description |
|---|---|
| The Microsoft TVM Vulnerability Integration | With the Microsoft TVM Vulnerability Integration, if you select Detections last found to base your search on, this feature requires a successful run of the Microsoft TVM Machine Vulnerabilities Integration (Full import) within the last seven days. This integration runs weekly. If Auto-Close Stale Detections is enabled and configured for Detections last found, and the Microsoft TVM Machine Vulnerabilities Integration is disabled, or a data import is not successfully completed within the last seven days, the scheduled job to close detections still runs daily, but some stale detections might not be closed as expected. If you select Assets last scanned to base your search on, a Microsoft TVM Machine Vulnerabilities Integration run is not required. To activate this integration: |
| (Optional) Deploy multiple instances of the Microsoft TVM integrations in your environment. | You can optionally deploy multiple instances of the integrations across your environment. Auto-Close Stale Detections is not instance-specific; it is either enabled or disabled across your environment. Stale detections are automatically transitioned to Stale on instances that have successfully completed integration runs. If Auto-Close Stale Detections is enabled and you disable the integrations that run weekly in an instance, the scheduled job to close detections still runs daily, but some detections may not transition to Stale automatically as expected. |
Qualys users and Auto-Close Stale Vulnerable Items
- Any activated Qualys third-party integrations that retrieve detection data can run with this module. There are no specific Qualys applications required.
- You can optionally deploy multiple instances of the Qualys integrations across your environment.
- Auto-Close Stale Detections is not instance-specific, and it is either enabled or disabled across your environment. Stale detections are automatically transitioned to Stale on all instances.
Rapid7 users and Auto-Close Stale Detections
| Checklist item | Description |
|---|---|
| The Rapid7 Vulnerability Integration | If you select Detections last found to base your search on, this feature requires a successful run of one of the Rapid7 Comprehensive Vulnerable Item Integrations within the last seven days. These comprehensive integrations run weekly. If Auto-Close Stale Detections is enabled and configured for Detections last found, and the Rapid7 Comprehensive Vulnerable Item Integrations are disabled, or a data import is not successfully completed within the last seven days, the scheduled job to close detections still runs daily, but some stale detections might not be closed as expected. If you select Assets last scanned to base your search on, no comprehensive Rapid7 integration run is required. To activate these integrations: Note: In addition to these integrations that run weekly, Rapid7 Nexpose and Rapid7 InsightVM each have VI integrations that run daily: the Rapid7 Vulnerable Item Integration and the Rapid7 Vulnerable Item Integration - API. If both the daily and weekly Rapid7 integrations are enabled, only one integration runs at a time. If one of these integration jobs is running, the job for the other integration is skipped until the next scheduled job. |
| (Optional) Deploy multiple instances of the Rapid7 integrations in your environment. | You can optionally deploy multiple instances of the comprehensive integrations across your environment. Auto-Close Stale Detections is not instance-specific; it is either enabled or disabled across your environment. Stale detections are automatically transitioned to Stale on instances that have successfully completed integration runs. If Auto-Close Stale Detections is enabled and you disable the integrations that run weekly in an instance, the scheduled job to close detections still runs daily, but some detections may not transition to Stale automatically as expected. |
Tenable Vulnerability Integration users and Auto-Close Stale Vulnerable Items
- Any activated integrations from the Tenable Vulnerability Integration that retrieve detection data can run with this module. There are no specific Tenable Vulnerability Integrations required.
- You can optionally deploy multiple instances of the Tenable Vulnerability Integration across your environment.
- Auto-Close Stale Detections is not instance-specific, and it is either enabled or disabled across your environment. Stale detections are automatically transitioned to Stale on all instances.
After you verify that your integrations are configured properly, see Automatically close stale detections in Vulnerability Response to enable the feature.
Upgrade information from Auto-Close Stale Vulnerable Items to Auto-Close Stale Detections
- The value for the number of days you entered for the Assets last scanned option from Auto-Close Stale Vulnerable Items is preserved automatically for Assets last scanned in Auto-Close Stale Detections.
- The value for the number of days you entered for the Vulnerable items last found option from Auto-Close Stale Vulnerable Items is preserved automatically for Detections last found in Auto-Close Stale Detections.
- Existing open detections whose vulnerable items are Closed - Stale are transitioned to Stale according to the auto-close configuration settings when the Auto-Close Stale Detections scheduled job runs after the upgrade.
Rollup information
- If a Vulnerable item was Closed - Stale prior to the upgrade, and all its detections are marked as Stale after upgrade, then the VI state remains Closed - Stale.
- If a Vulnerable item was Closed - Stale prior to the upgrade, and only some of its detections are marked as Stale after upgrade and the rest were closed by the scanner, then the vulnerable item transitions to Closed - Fixed as per the rollup logic.