Automate remediation target tracking in Application Vulnerability Response

  • Release version: Zurich
  • Updated July 31, 2025

    Application Remediation Target Rules define the expected timeframe for remediating the vulnerability on an application vulnerable item (AVI). For example, if an AVI has a critical risk rating, the vulnerability on that item needs to be fixed within 15 days.

    App-Sec Managers can create application remediation target rules by defining:
    • The remediation target.
    • The reminder target.

    App-Sec Managers can see the remediation target date in the AVI form and list views. However, dates are not updated for AVIs in the Deferred, Resolved, or Closed state.

    The Remediation target date is color-coded on the AVI list view as dots, as follows:
    • AVIs that have not reached their notification date are shown in green.
    • AVIs approaching the remediation target date are shown in orange.
    • AVIs past the remediation target date are shown in red.

    Default rules

    Application Vulnerability Response ships with three default rules, which are inactive by default:
    • Critical Risk Rating Rule: Applies to AVIs with a 1-Critical risk rating, with a remediation target of 15 days and a reminder 7 days before the target date.
    • Medium-High Risk Rating rule: Applies to AVIs with either a 2-High or 3-Medium risk rating, with a remediation target of 30 days and a reminder 7 days before the target date.
    • Less Critical Risk Rating rule: Applies to AVIs with a 4-Low risk rating, with a remediation target of 45 days and a reminder 7 days before the target date.

    Remediation target rules can be deactivated or deleted

    When a rule is deactivated, the current remediation target dates for the AVIs it was applied to are cleared. If an AVI satisfies any active rule, that rule is applied; otherwise the AVI has no rule or target date, and its status is No Target.

    When rules are deleted, the Remediation target date and related fields on closed AVIs are preserved. The Remediation target date and related fields on non-closed AVIs are cleared and any dependent rules are reapplied.

    Remediation rule scenario

    When multiple remediation target rules are applied to the same AVI, the most restrictive rule is applied.

    For example, if an AVI meets the condition for two application remediation target rules:

    Scenario: AVI last opened on 03/01/2018 at 10:00:00.
    • Application remediation target rule 1: Last opened on 03/07/2018; remediation target is 15 days since it was last opened; calculated remediation target date is 03/16/2018 10:00:00.
    • Application remediation target rule 2: Last opened on 03/10/2018; remediation target is 10 days since it was last opened; calculated remediation target date is 03/11/2018 10:00:00.
    In this scenario, Application remediation target rule 2 applies to the AVI because it has the more restrictive date: 10 days since the AVI was first identified versus 15 days.
    Note:
    Application remediation targets are calculated from the Last Opened date plus the number of days (measured as 24-hour increments). Last Opened is the date the AVI was most recently opened in your instance. You can add this field to the AVI form from the Form Layout slushbucket.

    Starting from V17.1, remediation targets are calculated from the Target from (date). The default value remains Last Opened date.

    Note:
    Once the application remediation target rule is defined, remediation target dates are calculated by the Evaluate remediation targets scheduled job or the Apply Changes button on the Remediation Target Rules list view.

    About the Evaluate remediation targets scheduled job

    Evaluate remediation targets runs once daily at 4:00:00.

    Evaluate remediation targets iterates through all active vulnerability rules, starting with those rules with the earliest remediation target date. It looks at all AVIs that:
    • Are not in a Closed, Deferred, or Resolved state.
    • Have no remediation target date.
    • Have a remediation target date that is later than the date in the application remediation target rule.

    Evaluate remediation targets adds a remediation target date if one does not exist. If the rule contains an earlier date than the one in the record, it updates the existing target date. Finally, it updates the Remediation target date and Remediation status fields in the AVI form. For inactive rules, Evaluate remediation targets clears the remediation fields on the AVI.
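
The rule scenario and the evaluation described above, modeled as an added example in plain JavaScript (not ServiceNow code and not part of the original page). The object shapes, function names, the sample risk rating and reminder values in the scenario, and the assumption that the notification date is the target date minus the reminder days are all illustrative.

```javascript
// Added illustration in plain JavaScript; it does not call ServiceNow APIs.
// Object shapes and function names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000; // targets are measured in 24-hour increments
const SKIPPED_STATES = new Set(["Closed", "Deferred", "Resolved"]);

// The three default rules described on the page (shipped inactive; activated here).
const DEFAULT_RULES = [
  { name: "Critical Risk Rating Rule", ratings: ["1-Critical"], targetDays: 15, reminderDays: 7, active: true },
  { name: "Medium-High Risk Rating rule", ratings: ["2-High", "3-Medium"], targetDays: 30, reminderDays: 7, active: true },
  { name: "Less Critical Risk Rating rule", ratings: ["4-Low"], targetDays: 45, reminderDays: 7, active: true },
];

// Returns null for AVIs whose dates are not updated; otherwise the winning rule,
// its target and reminder dates, and the list-view color.
function evaluateTarget(avi, rules, now) {
  if (SKIPPED_STATES.has(avi.state)) return null;
  const from = avi.targetFrom ?? avi.lastOpened; // "Target from" defaults to Last Opened
  let best = null;
  for (const rule of rules) {
    if (!rule.active || !rule.ratings.includes(avi.riskRating)) continue;
    const target = new Date(from.getTime() + rule.targetDays * DAY_MS);
    // Most restrictive rule wins: keep the earliest calculated target date.
    if (best === null || target < best.target) {
      const reminder = new Date(target.getTime() - rule.reminderDays * DAY_MS);
      best = { rule: rule.name, target, reminder };
    }
  }
  if (best === null) return { rule: null, target: null, reminder: null, status: "No Target" };
  // Assumption: green before the reminder date, orange from then until the target, red after.
  const status = now > best.target ? "red" : now >= best.reminder ? "orange" : "green";
  return { ...best, status };
}

// Scenario from the page: AVI last opened 03/01/2018 10:00:00, two matching rules.
// The risk rating, state and 7-day reminders are constructed sample values.
const SCENARIO_AVI = { state: "Open", riskRating: "1-Critical", lastOpened: new Date(Date.UTC(2018, 2, 1, 10)) };
const SCENARIO_RULES = [
  { name: "rule 1", ratings: ["1-Critical"], targetDays: 15, reminderDays: 7, active: true },
  { name: "rule 2", ratings: ["1-Critical"], targetDays: 10, reminderDays: 7, active: true },
];

function runScenario(now) {
  return evaluateTarget(SCENARIO_AVI, SCENARIO_RULES, now);
}

const demo = runScenario(new Date(Date.UTC(2018, 2, 2, 10)));
console.log(demo.rule, demo.target.toISOString(), demo.status);
```
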

    Reapplying remediation target rules

    When you change a remediation target rule, use the Apply Changes button on the Remediation Target Rules list page to rerun all the changed rules on all active Open AVIs except those in the Closed, Deferred or Resolved state.
    Note:
    If the scheduled job Evaluate remediation targets is running, you cannot initiate a reapply process. However, if a reapply process is already running and the scheduled job is triggered, they run in parallel.

    The reapply processes in Vulnerability Response and Application Vulnerability Response are independent and can run in parallel.