Create, delete, and cancel an exception rule for Application Vulnerability Response

  • Release version: Yokohama
  • Updated January 30, 2025

  Create a rule to request an exception automatically for application vulnerable items (AVIs) that meet specific conditions.

    Before you begin

    As an example, you might create a rule with a condition that is based on a specific known or critical vulnerability that you know you cannot fix immediately. With this rule, you can defer new and existing AVIs automatically if they match the approved rule condition.

    • The exception rule is applied from the Valid from date until the Valid to date that you enter on the rule record.
    • After the rule is approved, a remediation task (AVUL) is created for the matching AVIs, which are placed in the Deferred state.
    • The grouping method for this AVUL is known as Exception Rules.
    • You can't close, reopen, or delete this AVUL. New and reopened AVIs are deferred and added to this AVUL from the Valid from date until the group expires on the Valid to date.

    Note: Email notifications are sent at every stage of the exception rule workflow. These emails provide the status and other details of a request. For example, when an exception rule is requested, the requester receives an email confirming that the request was submitted.

    If the rule is rejected, you can reopen it in the Draft state, update it, and then resubmit it for approval.

    Roles required: App Sec Manager (sn_vul.app_sec_manager) and Security Champion (sn_vul.app_security_champion).

    Procedure

    1. Navigate to All > Application Vulnerability Response > Administration > Exception Rules.
    2. On the Exception Rule new record page, select New.
    3. Fill in the fields.
      • Name: Name of the exception rule.
      • State: Read-only; a new rule starts in the Draft state.
      • Valid from: Date from which this rule is active and defers AVIs.
      • Execution order: Unique order for each exception rule. A lower value is evaluated before a higher one.
      • Valid to: Date on which the remediation task stops accepting new AVIs.
      • Deferred until: Date until which the remediation task and its AVIs are deferred. On this date, the AVULs are closed, all the AVIs move out of the tasks and are reopened, and group rules are reapplied to these AVIs.
      • Reason: Reason for creating this exception rule.
      • Assignment group: Group that the remediation task is assigned to for tracking the deferred AVIs.
      • Additional information: Additional information that the requester wants to provide to the approver. This text is copied into the Description field of the remediation task.
      • Condition: Filter conditions that specify which AVIs match this rule.
      • Execute on existing data: Option that runs this rule on existing data the first time the rule runs. If you leave this option deactivated, the rule runs daily through the Associate existing AVIs with Auto Exception Rule scheduled job, starting with new data. If you enable this option, a scheduled job runs once on the existing data on the Valid from date.

    4. Add the assignment group when you are creating the rule.
    5. Choose one of the following options.
      • Save the rule: Your changes are saved and the rule is displayed on the Exception rule list [sn_vul_auto_exception_rule]. Until you submit the exception rule for approval, it remains in the Draft state.
      • Submit the rule: The status of the request changes to In review. An exception rule requires two levels of approval, one from Application Exception Approver - Level 1 and another from Application Exception Approver - Level 2.

      After the rule is approved, it moves to the Approved state. The Associate existing AVIs with Auto Exception Rule scheduled job evaluates AVIs against your rule. If you selected Execute on existing data, the job also evaluates existing AVIs. A remediation task is created automatically for the rule, and any AVIs that match its conditions are associated with the task.

      The scheduled job runs the exception rule once on existing data. The rule does not run again on existing data, even if no AVIs are found; afterwards it evaluates only new data, because the existing AVIs that matched the rule have already been deferred.

    6. To delete a rule, select Delete on the exception rule record.
      The following message appears: If you delete the rule, the associated remediation task will be deleted and the related vulnerable items will be reopened. The remediation task rules will then be applied to the individual AVIs and the exception rule is deleted.
    7. Select Keep rule to stop, or Delete rule to continue.
    8. To deactivate a rule but keep it on the Exception rules list, select Cancel.
      The following message appears: If you cancel this rule, the associated remediation task will be deleted and the related vulnerable items will be reopened. The remediation task rules will then be applied to the individual vulnerable items and the exception rule will be moved to the draft state.
    9. Select Keep rule to stop, or Cancel to move the rule to Draft and deactivate it.
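The following stand-alone simulation, added here as an illustration and not part of the ServiceNow product or this page, models how the rule attributes described in steps 3 and 5 decide which AVIs are deferred: only approved rules inside their Valid from / Valid to window are considered, rules are tried in ascending Execution order, and existing (not new) AVIs are only picked up by rules that have Execute on existing data enabled. Property names such as validFrom, executionOrder and executeOnExisting, and the sample rules and AVIs, are constructed for this example and are not the platform's column names.

```javascript
// Simulation of exception-rule evaluation (constructed example, not ServiceNow code).
// Dates are compared at day granularity in UTC.
function asDate(s) { return new Date(s + "T00:00:00Z"); }

// An AVI matches a rule when every key in the rule's condition equals the AVI's value.
function matches(rule, avi) {
  return Object.keys(rule.condition).every(k => avi[k] === rule.condition[k]);
}

// A rule only defers AVIs while approved and inside its Valid from / Valid to window.
function ruleActiveOn(rule, today) {
  const d = asDate(today);
  return rule.state === "Approved" && asDate(rule.validFrom) <= d && d <= asDate(rule.validTo);
}

// Returns { aviId: ruleName } for the AVIs that would be deferred on `today`.
// Rules are tried in ascending execution order; the first match wins.
// Existing AVIs (isNew === false) are skipped unless the rule executes on existing data
// (the page states that pass happens once, on the Valid from date; this model ignores that repeat guard).
function applyExceptionRules(rules, avis, today) {
  const ordered = rules.slice().sort((a, b) => a.executionOrder - b.executionOrder);
  const deferred = {};
  for (const avi of avis) {
    if (avi.state === "Deferred") continue; // already grouped into an AVUL
    for (const rule of ordered) {
      if (!ruleActiveOn(rule, today)) continue;
      if (!avi.isNew && !rule.executeOnExisting) continue;
      if (matches(rule, avi)) { deferred[avi.id] = rule.name; break; }
    }
  }
  return deferred;
}

// Constructed sample data: a draft rule (never applied), a narrow-window rule for one
// application, and a broader rule for one vulnerability that also covers existing AVIs.
const rules = [
  { name: "Draft rule", state: "Draft", executionOrder: 50, validFrom: "2025-01-01",
    validTo: "2025-12-31", executeOnExisting: true, condition: { application: "dev-portal" } },
  { name: "Defer dev app", state: "Approved", executionOrder: 100, validFrom: "2025-02-01",
    validTo: "2025-03-31", executeOnExisting: false, condition: { application: "dev-portal" } },
  { name: "Defer legacy lib CVE", state: "Approved", executionOrder: 200, validFrom: "2025-01-01",
    validTo: "2025-06-30", executeOnExisting: true, condition: { vulnerability: "VULN-A" } },
];
const avis = [
  { id: "AVI1", isNew: true,  state: "Open", application: "dev-portal", vulnerability: "VULN-A" },
  { id: "AVI2", isNew: false, state: "Open", application: "dev-portal", vulnerability: "VULN-A" },
  { id: "AVI3", isNew: false, state: "Open", application: "prod",       vulnerability: "VULN-B" },
];
```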