Assign application vulnerable items in Application Vulnerability Response automatically
This feature in Application Vulnerability Response (AVR) automates the assignment of application vulnerable items (AVIs) to appropriate groups. It leverages application tags, Configuration Item (CI) assignment groups, or platform assignment groups to reduce mean time to assignment, improving vulnerability management efficiency. Note that the assignment recommendation feature available in Vulnerability Response is not supported for AVR.
Automatically assign application vulnerabilities based on application tags, or any of the assignment groups in the Configuration Item [cmdb_ci] or platform assignment groups, to reduce the mean time to assignment.
Assigning application vulnerable items automatically
Each assignment rule uses one of the following assignment methods to select the group:
- User Group: This option allows you to select any of the existing ServiceNow AI Platform® user groups.
- User Group Field: This option allows you to choose any assignment group field available on the cmdb_ci table. By default, the following three group fields appear in the list menu under User group field:
  - None: Indicates no default value for this mandatory field
  - Configuration Item: Approval Group
  - Configuration Item: Assignment Group
  - Configuration Item: Support Group
- Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow expertise.
Run high-priority rules first (items that need special handling, where risk is critical, or where an AVI should be handled by regulatory compliance). Next, run your general rules, where no special handling is required and you know who should be responsible for them. Finally, create a default rule that assigns any remaining AVIs to the group that will decide which assignment group they should belong to; that group can then add another rule to capture their decisions. This default rule runs last.
Assignment rule evaluation process
When a new AVI is created, imported, or reopened after being closed, the assignment rules are evaluated against it. An AVI is only evaluated once, unless it is reopened after being closed. You can manually reapply rules after changes.
- For each vulnerability assignment rule, the AVI is compared to the assignment filter, lowest order rule first.
- Where the condition matches, the AVI is assigned that rule's assignment group and the lookup stops.
- Where no rule's conditions match, the AVI is assigned to the default assignment group, if a default rule exists.
  Note: If there is no default rule, then the AVI remains unassigned.
Reapplying assignment rules
If the Reapply all vulnerability assignment rules scheduled job has not run before the first time you use Apply Changes, then it runs all the assignment rules on all Open AVIs except those AVIs that were manually assigned. After that, all subsequent uses of Apply Changes rerun only the changed rules and any dependent rules. Changes to one rule may result in an AVI matching a different unmodified rule.
The scheduled job [Reapply all assignment rules] is inactive, by default. When activated, it applies all the rules to all open AVIs except those manually assigned. It can run Daily, Weekly, Monthly, Periodically, Once, or On Demand. Depending on how many active AVIs you have in your environment, remember to set the Run field appropriately following the initial run to prevent performance impacts.
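The following plain JavaScript is an added illustration of the evaluation order, default-rule fallback and manual-assignment exclusion described in the two sections above; it is not ServiceNow code or a documented API, and the rule names, sample groups and field names such as assignment_type are constructed.

```javascript
// Constructed model of the AVR assignment-rule flow (plain JavaScript, not
// ServiceNow's GlideRecord API). Rule names, groups and AVI fields are assumptions.
const RULES = [
  { order: 100, name: "Critical risk", method: "User Group",
    matches: (avi) => avi.risk === "Critical", group: "AppSec Triage" },
  { order: 200, name: "Regulated apps", method: "User Group",
    matches: (avi) => (avi.tags || []).includes("pci"), group: "GRC Remediation" },
  { order: 300, name: "CI support group", method: "User Group Field",
    matches: (avi) => Boolean(avi.ci && avi.ci.support_group),
    group: (avi) => avi.ci.support_group },   // Configuration Item: Support Group
  { order: 900, name: "Default", method: "User Group", isDefault: true, group: "Vuln Triage" },
];

function resolveGroup(rule, avi) {
  return typeof rule.group === "function" ? rule.group(avi) : rule.group;
}

// Lowest order first; the first matching filter wins and evaluation stops.
// The default rule has no filter and runs last; without one the AVI stays unassigned.
function evaluateRules(avi, rules) {
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (!rule.isDefault && rule.matches(avi)) {
      return { group: resolveGroup(rule, avi), assignment_type: "Rule", assignment_rule: rule.name };
    }
  }
  const fallback = ordered.find((r) => r.isDefault);
  if (fallback) {
    return { group: resolveGroup(fallback, avi), assignment_type: "Rule", assignment_rule: fallback.name };
  }
  return { group: null, assignment_type: null, assignment_rule: null }; // remains unassigned
}

// Rules run when an AVI is created, imported, or reopened after being closed;
// an AVI that was already evaluated and not reopened is left alone.
function onCreateOrReopen(avi, rules) {
  if (avi.evaluated && !avi.reopened) return avi;
  return { ...avi, ...evaluateRules(avi, rules), evaluated: true, reopened: false };
}

// Apply Changes / "Reapply all assignment rules": open AVIs are re-evaluated,
// except those whose Assignment type is Manual.
function reapplyRules(avis, rules) {
  return avis.map((avi) => {
    if (avi.state !== "Open" || avi.assignment_type === "Manual") return avi;
    return { ...avi, ...evaluateRules(avi, rules) };
  });
}
```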