Mitigation controls to vulnerable item mapping
Summary of Mitigation Controls to Vulnerable Item Mapping
This feature maps mitigation controls to vulnerable items (VITs) and their associated Common Vulnerabilities and Exposures (CVEs). It enables Security Posture Control to automatically identify which vulnerable items are mitigated by specific controls on assets. This functionality is particularly useful for vulnerability management teams to automatically reduce risk scores for vulnerabilities that have effective mitigation controls in place.
Key Features
- Vulnerable Item Mitigation Controls Table: The sn_vul_vulnerable_item_mitigation_control table stores mappings between mitigation controls and the vulnerable items they mitigate. It lists mitigated VITs, detected mitigation controls, and associated CVEs.
- Mitigation Control Records: Each mitigation control record details how specific CVEs and related Common Weakness Enumeration (CWE) vulnerabilities are mitigated based on asset controls, such as Exploit Protection (EDR) or Web Application Firewall (WAF) policies.
- Automatic Identification: When a mitigation control is detected on an asset, vulnerable items related to that control are automatically marked as mitigated, helping streamline vulnerability management.
- Risk Calculator Integration: Mitigation information can be used to create customized risk calculator rules that adjust risk scores for VITs with specific mitigation controls, reflecting reduced risk levels.
Practical Application
ServiceNow customers can leverage this mapping to enhance their vulnerability response processes by:
- Automatically recognizing mitigated vulnerabilities and reducing manual tracking effort.
- Integrating mitigation data into risk scoring to dynamically recalculate risk based on effective controls, such as assigning a moderate risk score (e.g., 60) when an Exploit Protection (EDR) mitigation is detected.
- Reviewing mitigation control records for detailed insights on how specific vulnerabilities and CWEs are addressed by controls on assets.
This capability supports more accurate risk management and more efficient prioritization of remediation efforts within the Security Operations workflow.
Mitigation controls data is mapped to vulnerable items. You can view a list of mitigation controls that are used to mitigate the vulnerabilities and underlying Common Vulnerabilities and Exposures (CVEs) associated with the vulnerable items.
After identifying a specific mitigation control on an asset, Security Posture Control automatically identifies any vulnerable items that are mitigated by that control. For example, any vulnerable items with CVEs that are part of signatures in Web Application Firewall (WAF) policies are marked as mitigated vulnerable items. This identification might be useful for vulnerability management teams to help them automatically reduce risk scores for vulnerable items that are mitigated.
Vulnerable item mitigation controls table
The Vulnerable item mitigation controls [sn_vul_vulnerable_item_mitigation_control] table has been created to map mitigation control data to mitigated vulnerable items (VITs). This table lists mitigated VITs and the detected mitigation controls that were used to mitigate the vulnerabilities and their underlying CVEs associated with the vulnerable items. The mitigated CVE records contain references to the mitigation control used for the assets, for example, Exploit Protection (EDR).
Example data is shown in the following table.
| Mitigation control exists | Mitigation control effectiveness | Detected mitigation control type | CVEs mitigated | Vulnerable item |
|---|---|---|---|---|
| Yes/No | Moderate | Exploit Protection (EDR) | CVE-2009-3373 | VIT0018323 |
Open a mitigation control record (the Detected mitigation control type column) from the table to review how a CVE and its related Common Weakness Enumeration (CWE) vulnerability are mitigated by the mitigation control associated with an asset. The mitigation control record lists the CWEs that have been mitigated and explains, for example, how a mitigation setting satisfies the weaknesses specified in a CWE.
Risk calculator and risk calculator rules
Mitigation information can be used to set up customized risk calculator rules that recalculate the risk scores of VITs that have specific types of vulnerabilities and mitigation controls associated with them. In the following example rule, which is based on the preceding table, the default risk calculator assigns a risk score of 60 to VITs whose detected mitigation control type is Exploit Protection (EDR). That score reflects the moderate risk that remains for the vulnerability with this mitigation in place.
Example risk calculator rule with the following conditions:
[Mitigation control details] [is not] [empty] AND [Mitigation control details, Detected mitigation control type] [is] [Exploit Protection (EDR)].
Values:
[Risk score][is][60]
See Define fields and weights for the risk rule for Vulnerability Response Risk Calculators for more information.
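The following JavaScript is an added illustration, not ServiceNow code and not the platform's GlideRecord or risk calculator API. It models the two behaviours described above with constructed sample data: first, how a mitigation control detected on an asset is mapped to the vulnerable items it covers (producing rows shaped like the mapping table), and second, how a risk calculator rule with the conditions "Mitigation control details is not empty AND Detected mitigation control type is Exploit Protection (EDR)" assigns a risk score of 60 while leaving unmitigated VITs at their original score. Asset names, the default score of 85 and the second and third VIT numbers are assumptions.

```javascript
// Added illustrative model (not ServiceNow's implementation). All records
// below are constructed sample data; the asset names, the default risk
// score of 85 and VIT0018324/VIT0018325 are assumptions.

// Mitigation controls detected on assets. Each control lists the CVEs it
// covers, for example CVEs that appear in the signatures of a WAF policy.
const detectedMitigationControls = [
  { asset: "web-01", type: "Exploit Protection (EDR)",       effectiveness: "Moderate", cves: ["CVE-2009-3373"] },
  { asset: "web-02", type: "Web Application Firewall (WAF)", effectiveness: "High",     cves: ["CVE-2009-3373"] },
];

// Vulnerable items: one finding per (asset, CVE), with the score the
// default risk calculator produced before mitigation data is considered.
const vulnerableItems = [
  { number: "VIT0018323", asset: "web-01", cve: "CVE-2009-3373", riskScore: 85 },
  { number: "VIT0018324", asset: "web-02", cve: "CVE-2009-3373", riskScore: 85 },
  { number: "VIT0018325", asset: "db-01",  cve: "CVE-2009-3373", riskScore: 85 },
];

// Step 1: automatic identification. For each VIT, look for a control on the
// same asset whose covered CVEs include the VIT's CVE, and emit one row with
// the same columns as the mapping table in the text.
function mapMitigationControls(vits, controls) {
  return vits.map((vit) => {
    const control = controls.find(
      (c) => c.asset === vit.asset && c.cves.includes(vit.cve)
    );
    return {
      vulnerableItem: vit.number,
      mitigationControlExists: control !== undefined,
      mitigationControlEffectiveness: control ? control.effectiveness : null,
      detectedMitigationControlType: control ? control.type : null,
      cvesMitigated: control ? [vit.cve] : [],
    };
  });
}

// Step 2: the example risk calculator rule from the text, expressed as a
// predicate over a mapping row plus the score to assign when it matches.
const edrRule = {
  // [Mitigation control details] [is not] [empty]
  // AND [Detected mitigation control type] [is] [Exploit Protection (EDR)]
  conditions: (row) =>
    row.mitigationControlExists &&
    row.detectedMitigationControlType === "Exploit Protection (EDR)",
  riskScore: 60,
};

// Apply the rule: VITs whose mapping row matches get the rule's score; all
// others keep the score they already had (including VITs mitigated by a
// different control type, which this particular rule does not cover).
function applyRiskRule(vits, mapping, rule) {
  const rowByVit = new Map(mapping.map((row) => [row.vulnerableItem, row]));
  return vits.map((vit) => {
    const row = rowByVit.get(vit.number);
    const matched = row !== undefined && rule.conditions(row);
    return {
      ...vit,
      riskScore: matched ? rule.riskScore : vit.riskScore,
      ruleApplied: matched,
    };
  });
}

// Convenience wrapper so the whole pipeline can be run (and checked) at once.
function recalculateRisk() {
  const mapping = mapMitigationControls(vulnerableItems, detectedMitigationControls);
  return { mapping, scored: applyRiskRule(vulnerableItems, mapping, edrRule) };
}

// Stand-alone run: prints the mapping rows and the recalculated scores.
const result = recalculateRisk();
console.table(result.mapping);
console.table(result.scored);
```

In the sample run, VIT0018323 (EDR on web-01) matches the rule and drops to 60, VIT0018324 is mitigated by a WAF and so keeps its score until a separate rule for that control type exists, and VIT0018325 has no detected control and is unchanged. The point of separating the mapping step from the rule step is the same as on the platform: the mapping table is populated automatically from detected controls, and the risk calculator rules are where you decide how much each control type is worth.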