Re-evaluating the exceptions for selected records in the Vulnerability Manager Workspace

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Re-evaluating the exceptions for selected records in the Vulnerability Manager Workspace

    In the Vulnerability Manager Workspace, you can re-evaluate exception rules for selected vulnerability records using theRe-evaluate and update the remediation propertiesmodal. This process updates the deferral status and the "until date" of deferral based on the latest exception rules, ensuring your vulnerability remediation aligns with current policies.

    Show full answer Show less

    How Exception Re-evaluation Works

    • Scenario 1: Records manually deferred that meet an exception rule remain deferred without changes.
    • Scenario 2: Records in non-deferral states (e.g., Open, In Review, Under Investigation) that match an exception rule are deferred until the rule’s defined date.
    • Scenario 3: Records already deferred by an exception rule remain deferred even if that rule expires or if another exception rule applies.
    • Scenario 4: If an exception rule changes such that records no longer qualify for deferral, re-evaluation moves them to the Open state and updates relevant deferral fields.

    Exception Rule Configuration

    Exception rules specify conditions under which vulnerabilities can be deferred. Key configuration elements include:

    • Name, Validity Period, and Reason: Define the rule’s identity, active dates, and justification.
    • Condition: Filters vulnerabilities by criteria such as risk rating.
    • Execution on Existing Data: Option to apply the rule retroactively on current vulnerabilities.
    • Deferred Until Date: Specifies when deferred vulnerabilities are reactivated for remediation.
    • Assignment Group and Additional Info: Indicates who handles the remediation tasks and any supplemental details provided to approvers.

    Practical Impact of Re-evaluation

    When multiple vulnerable items (VITs) are re-evaluated, their deferral states update according to the latest rules and conditions. For example:

    • Critical vulnerabilities matching a rule’s condition are deferred with an updated "until" date.
    • Vulnerabilities that do not meet conditions remain in their current state (Open, In Review, or Closed).
    • Changing the exception rule’s condition (e.g., risk rating threshold) dynamically updates which items are deferred.

    What This Means for ServiceNow Customers

    By using the re-evaluation feature, you can ensure that your vulnerability deferral statuses are accurate and reflect current exception policies. This capability helps maintain compliance, optimize remediation workflows, and automate deferrals for vulnerabilities matching specific criteria, improving overall vulnerability management efficiency.

    In the Vulnerability Manager Workspace, when you evaluate the exception rules for a set of records in the Re-evaluate and update the remediation properties modal, their deferral status and until date of deferral are updated as per the latest exception rules.

    Scenarios

    You may come across the following scenarios, when you evaluate the exceptions for a selected set of records in the Re-evaluate and update the remediation properties modal in the Vulnerability Manager Workspace:

    Scenario 1: When the selected records are already deferred manually and they match the condition of an exception rule, these records remain in the Deferred state without any changes.

    Scenario 2: When the selected records match the condition in the exception rules and these records are in a non-deferral state (such as open, In Review, Under Investigation), then these records are deferred until the date defined in the exception rule.

    Scenario 3: When the selected records are already in the Deferred state (that are deferred using the exception rule A), they remain in the Deferred state in the following scenarios:
    • the exception rule expires and the records do not match the condition
    • the exception rule expires and the records match the condition
    • the exception rule A expires and records match the condition of another exception rule B.
    Scenario 4: Consider that the records are deferred using an exception rule. When you change the exception rule condition such that the Deferred state of the records is no longer valid and then reevaluate the exception rules for these records:
    • the records move to the Open state
    • the Until date, Deferral date, Deferral count and other fields are updated.

    Consider that you are evaluating the exceptions for following host vulnerable items (VITs)

    Consider the exception rule with the following details:
    Table 1. Exception rule details
    Field Description Value
    Name Name of the exception rule. Deferring critical VITs
    Valid from Date from which this rule is active to defer the VIs. 20-08-2024
    Valid to Date from which the remediation task stops accepting new VIs. 30-11-2024
    Reason Reason to create this exception rule. Risk Accepted
    Assignment group Group that the remediation task that was created for tracking the deferred VIs is assigned to. Remediation Group 1
    Additional information Additional information that the requester wants to provide to the approver. This information is populated in the description field of the remediation task. This rule has been created to defer the critical VITs automatically.
    Condition Filter condition for the VIs that can be defined while processing the VIs. Risk rating = 5 - Critical
    Execute on existing data Option that enables you to run this rule on existing data the first time that this rule is run. Yes
    State State of the exception rule. Approved
    Execution order Unique order for each exception rule. 100
    Deferred until Date until when the VULs and VIs are deferred. On this date, the created VUL is closed, all the VIs move out of the group, and group rules are reapplied. 2024-12-23 16:10:29
    The following table shows how the state changes when the exception rules are reevaluated for multiple VITs simultaneously:
    Table 2. Records for which exceptions are reevaluated
    VIT Number State Risk Rating Updated state after reevaluating the exceptions -1 Until date - 1
    VIT120067 Open 2 - Low Open -
    VIT120068 In Review 3 - Medium In Review -
    VIT120069 Under Investigation 5 - Critical Deferred 2024-12-23 16:10:29
    VIT120070 Deferred 5 - Critical Deferred 2024-12-23 16:10:29
    VIT120071 Deferred 2 - Low Deferred 2024-10-02 16:10:29 (Deferred manually)
    VIT120072 Closed 5 - Critical Closed -
    When the condition in the preceding exception rule is modified to Risk rating = 2 - Low and Deferred until is modified to 2024-12-31 14:10:23 the records are updated as follows:
    Table 3. Records for which exceptions are reevaluated
    VIT Number Updated state after reevaluating the exceptions -1 Risk-rating Updated state after reevaluating the exceptions - 2 until date - 2
    VIT120067 Open 2 - Low Deferred 2024-12-31 14:10:23
    VIT120068 In Review 3 - Medium In Review -
    VIT120069 Deferred 5 - Critical Deferred 2024-12-23 16:10:29
    VIT120070 Deferred 5 - Critical Deferred 2024-12-23 16:10:29
    VIT120071 Deferred 2 - Low Deferred (No change in the state) 2024-10-02 16:10:29 (No change in the until date)
    VIT120072 Closed 5 - Critical Closed -