Exception rules overview
Summary of Exception rules overview
Exception rules in Vulnerability Response automate the deferral process for vulnerable items (VIs) that cannot be immediately remediated or deferred. By defining conditions based on impacted vulnerabilities, configuration items (CIs), or VIs, you can automatically defer matching VIs, streamlining management and reducing manual effort.
Using exception rules in your organization
Exception rules automatically defer new and existing VIs that meet specific approved conditions for a defined period. This automation helps prevent missed service level agreements (SLAs) and simplifies handling multiple VIs. Rules have priority ordering—once a high-priority rule applies to a VI, no other rules are evaluated for that VI.
Important: Exception rules can only be created if Vulnerability Response is selected in Exception Management configuration.
When VIs are deferred by an exception rule, they are copied to a deferral remediation task (RT) but remain part of any prior RTs they belonged to.
Lifecycle of an exception rule
- Creation: Define conditions and deferral period, then submit the rule for approval.
- Approval: A two-level approval process; if only a first-level approver exists, single approval suffices. Approval triggers creation of a remediation task.
- Activation: Once approved, the remediation task starts in Deferred state. The rule applies from the "Valid from" date to all new and reopened VIs. An option exists to execute the rule on existing data at activation.
- Deferral: VIs matching the rule conditions are deferred until the "Deferred until" date. At expiry, the RT is closed, and VIs return to Open state for reallocation by group rules.
- Expiry: The exception rule stops running on new or reopened VIs after expiry; the associated RT remains Deferred until the deferral end date.
Additional considerations
- Starting from Vulnerability Response v15.0, the flow designer is enabled by default for exception management, replacing the workflow engine. This change is one-way.
- You can configure approval rules for exception management and false positives to customize the approval process.
- Post-approval actions include canceling or deleting the exception rule if needed.
This functionality helps ServiceNow customers efficiently manage exceptions for vulnerabilities that require deferral, ensuring compliance and operational continuity while automating key remediation workflows.
Exception rules for Vulnerability Response let you automate the deferral process for vulnerable items (VIs). Request an exception for the VIs that can't be remediated or deferred immediately by identifying the impacted vulnerabilities, configuration items (CIs), or VIs. When the system identifies VIs that match the rule, it defers them automatically.
Use exception rules to automatically defer new and existing VIs for a specific period if they match the approved rule condition. Automation minimizes the risk of missing service level agreements and makes it easier to manage multiple items, because you are eliminating manual intervention.
- You can only create rules if you select Vulnerability Response in the Exception Management configuration. For details, see Configure Exception Management for Vulnerability Response.
- When VIs are deferred by an exception rule, they are copied to the deferral remediation task (RT) that is created. The VIs continue to be part of the RTs they were part of earlier.
The lifecycle of an exception rule has the following stages:
- Creating an exception rule
- Approving an exception rule request
- Activating an exception rule
- Deferring an exception rule
- Expiry of an exception rule
Creating an exception rule
You can create an exception rule to automatically defer the VIs that match the defined conditions for the specified period. After you create an exception rule, submit it for approval.
Approving an exception rule request
Approving an exception rule request is a two-level process. If only the first-level approver is present, the exception rule can be assessed and approved with a single approval. However, if there is no first-level approver, the exception rule request cannot be approved. After the rule is approved, a remediation task (RT) is created. See Approve an exception rule request for more information.
Starting from Vulnerability Response v15.0, if you are deploying the VR application for the first time, the flow designer for exception management is enabled by default. If you are already using the workflow, you can update to the flow designer. In both cases, you cannot change it back to workflow. To configure approval rules for exception management and false positives, see Configure approval rules for Exception Management.
After the exception rule request is approved, you can perform the following actions on the rule:
- Cancel
- Delete
Activating an exception rule
After the rule is approved, the remediation task is created in the Deferred state. The rule applies from the "Valid from" date to all new and reopened VIs. An option is available to also run the rule on existing data when the rule is activated.
Deferring an exception rule
VIs that match the conditions defined in the exception rule are deferred up to the "Deferred until" date that is defined for the rule. On this date, the remediation task that was created for the exception rule is closed and all the VIs in this group move back to the Open state. Group rules are applied to them again to allocate them to the required RTs.
Expiry of an exception rule
After the exception rule expires, it no longer runs on new or reopened VIs. The associated RT remains in the Deferred state until the "Deferred until" date.
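The following Python model is an added example, not ServiceNow code or any part of the Vulnerability Response application. It imitates the rule behaviour described above so the three date-driven effects can be seen side by side: priority ordering (the first active rule that matches a VI wins and lower-priority rules are not evaluated), deferral into a new RT while earlier RT membership is kept, and the difference between the rule's own validity window and the "Deferred until" date of its RT. The rule-validity end (`valid_to`), the `RT-<rule name>` task naming, and all vulnerability, CI and VI identifiers are constructed assumptions for the example.

```python
"""Model of exception-rule evaluation for vulnerable items (VIs).

Constructed example: it imitates the behaviour described in the text and
is not ServiceNow code or API. Field names below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class VulnerableItem:
    sys_id: str
    vulnerability: str            # constructed vulnerability identifier
    ci: str                       # configuration item name
    state: str = "Open"           # Open | Deferred
    remediation_tasks: list = field(default_factory=list)


@dataclass
class ExceptionRule:
    name: str
    priority: int                 # lower number is evaluated first
    valid_from: date              # rule starts applying to new/reopened VIs
    valid_to: date                # assumed field: rule stops evaluating after this
    deferred_until: date          # matching VIs stay deferred until this date
    approved: bool = False        # unapproved rules never defer anything
    vulnerabilities: frozenset = frozenset()
    cis: frozenset = frozenset()
    vi_ids: frozenset = frozenset()

    def is_active(self, today: date) -> bool:
        return self.approved and self.valid_from <= today <= self.valid_to

    def matches(self, vi: VulnerableItem) -> bool:
        # Any configured condition (vulnerability, CI or VI) is enough to match.
        return (vi.vulnerability in self.vulnerabilities
                or vi.ci in self.cis
                or vi.sys_id in self.vi_ids)

    @property
    def task_id(self) -> str:
        return f"RT-{self.name}"     # assumed naming of the deferral RT


def select_rule(rules, vi, today) -> Optional[ExceptionRule]:
    """Highest-priority active rule matching the VI; None if no rule applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.is_active(today) and rule.matches(vi):
            return rule           # lower-priority rules are not evaluated
    return None


def apply_exception_rules(rules, vis, today):
    """Defer every Open VI that matches a rule; returns {vi_id: rule_name}."""
    deferred = {}
    for vi in vis:
        if vi.state != "Open":
            continue
        rule = select_rule(rules, vi, today)
        if rule is None:
            continue
        vi.state = "Deferred"
        # The VI is copied into the deferral RT and stays in its earlier RTs.
        if rule.task_id not in vi.remediation_tasks:
            vi.remediation_tasks.append(rule.task_id)
        deferred[vi.sys_id] = rule.name
    return deferred


def close_expired_deferrals(rules, vis, today):
    """On 'Deferred until', the RT closes and its VIs return to Open."""
    reopened = []
    for rule in rules:
        if today < rule.deferred_until:
            continue
        for vi in vis:
            if rule.task_id in vi.remediation_tasks and vi.state == "Deferred":
                vi.state = "Open"   # group rules would now reallocate it
                reopened.append(vi.sys_id)
    return reopened


def demo_scenario():
    """Constructed data: three rules and three VIs run through the lifecycle."""
    rules = [
        ExceptionRule("pending", 0, date(2024, 1, 1), date(2024, 12, 31),
                      date(2024, 6, 30), approved=False,
                      cis=frozenset({"db-legacy-01"})),
        ExceptionRule("legacy-db", 1, date(2024, 1, 1), date(2024, 3, 31),
                      date(2024, 6, 30), approved=True,
                      cis=frozenset({"db-legacy-01"})),
        ExceptionRule("vuln-a", 2, date(2024, 1, 1), date(2024, 12, 31),
                      date(2024, 9, 30), approved=True,
                      vulnerabilities=frozenset({"VULN-A"})),
    ]
    vis = [
        VulnerableItem("VI-1", "VULN-A", "db-legacy-01", remediation_tasks=["RT-group-1"]),
        VulnerableItem("VI-2", "VULN-A", "web-01"),
        VulnerableItem("VI-3", "VULN-B", "web-02"),
    ]
    result = {"deferred": apply_exception_rules(rules, vis, date(2024, 3, 1))}
    result["vi1_tasks"] = list(vis[0].remediation_tasks)
    later = select_rule(rules, vis[0], date(2024, 4, 15))   # legacy-db expired
    result["after_rule_expiry"] = later.name if later else None
    result["reopened"] = close_expired_deferrals(rules, vis, date(2024, 7, 1))
    result["states"] = {vi.sys_id: vi.state for vi in vis}
    return result


if __name__ == "__main__":
    print(demo_scenario())
```

In the scenario, VI-1 matches both the unapproved rule and the two approved rules, but only the approved priority-1 rule defers it, and it keeps its earlier `RT-group-1` membership. After that rule's validity ends the priority-2 rule would be selected for a new or reopened VI with the same vulnerability, while VI-1 itself stays deferred until its RT's "Deferred until" date, at which point it returns to Open.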