Vulnerability Response assignment rules overview

  • Release version: Zurich
  • Updated April 3, 2026
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Vulnerability Response assignment rules overview

    Vulnerability Response assignment rules in ServiceNow automate the assignment of Vulnerable Items (VITs) to appropriate assignment groups for remediation. These rules enable efficient handling of vulnerabilities by directing them to the correct teams based on predefined criteria, such as configuration item support groups or custom conditions. The system includes a default rule assigning VITs to the CI Support Group based on the associated configuration item's support group.

    Show full answer Show less

    Key Features

    • Automatic Assignment: VITs are assigned automatically when created, imported, or reopened, based on rule conditions evaluated in order of priority. The process stops at the first matching rule, or assigns to a default group if no match is found.
    • Assignment Types and Tracking: The system tracks whether assignments are made manually or via rules, allowing identification of mismatches or frequent reassignments.
    • Assignment Methods:
      • User group selection from existing ServiceNow AI Platform groups.
      • Assignment group fields linked to configuration items, such as Approval Group or Support Group.
      • Script-based rules for advanced, condition-driven assignments requiring coding expertise.
    • Rule Execution Order: High priority rules run first for critical or regulatory cases, followed by general rules, and lastly a catch-all default rule to ensure coverage.
    • Reapplying Rules: Changes to assignment rules can be applied across active open VITs (excluding manually assigned ones) using the Apply Changes feature or a scheduled job, supporting regular updates and corrections.
    • Integration with Remediation Tasks: Assignment groups set by these rules help assign owners to remediation tasks (VULs), linking vulnerability response with remediation workflows.
    • System Properties for Automation: From version 30.x onwards, system properties and business rules can be enabled to automatically reevaluate and regroup vulnerable items when assignment groups change, streamlining remediation task management.
    • Limitations: Assignment rules do not apply to deferred VITs, which require manual assignment, and do not automatically regroup items when assignments are manually changed.

    Practical Implications for ServiceNow Customers

    Customers using ServiceNow Vulnerability Response can leverage assignment rules to automate and streamline the distribution of vulnerabilities to the correct remediation teams, improving response efficiency. Understanding how to configure and order these rules allows prioritization of critical vulnerabilities and ensures no item is left unassigned. The ability to reapply rules and activate system properties for automatic regrouping reduces manual overhead in maintaining accurate assignments.

    Customers should plan rule creation carefully, starting with high-risk cases, followed by general cases, and implementing a default catch-all as a safety net. They should also be aware of how manual assignments affect rule evaluation and that deferred items need manual handling. Proper use of these rules in conjunction with remediation task rules results in cohesive vulnerability management workflows that enhance overall security posture.

    Define the criteria by which vulnerable items (VITs) are automatically assigned to an assignment group for remediation.

    A default assignment rule, Assign to CI support group, is included in the base system assigning vulnerable items to the CI Support Group. The Assign to CI support group rule assigns a VIT to whatever support group is set for the configuration item (CI) that is associated with the VIT.
    Note:
    The assignment rules do not reevaluate manually created assignments.

    Assignment type, whether Manual or Rule is available from the VIT form and the list view. Any VIT that was originally assigned by a rule but subsequently manually reassigned contains a reference to the original rule.

    Use Assignment rule and Assignment type information to identify cases where the assignment rules did not find a correct match for the intended recipient. You can also use the information to identify which rules had the most reassignments.

    The Assignment groups set by Assignment Rules are used by Remediation Task Rules to assign owners to remediation tasks (VULs).
    Note:
    To make Rapid7 InsightVM asset tags available for use in the Condition filter for Assignment Rules, you must run the Rapid7 InsightVM Asset List integration before the other Rapid7 InsightVM integrations.

    Case sensitivity for the search text you enter in the condition builder is not supported on this record or form.

    Assigning vulnerable items automatically

    There are three different ways to assign vulnerable items using Assign using:
    • User group: This option allows you to select any of the existing ServiceNow AI Platform® user groups.
    • User group field: This option allows you to choose any assignment group field available using the cmdb_ci table. By default, you see the following three group fields:
      • None: Indicates no default value for this mandatory field
      • Configuration Item: Approval Group
      • Configuration Item: Assignment Group
      • Configuration Item: Support Group
    • Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow expertise. For more information on how to use the script editor to define complex conditions, see the KB0965240 KB article.

    Run high priority rules (items that need special handling, where risk is critical, or a VIT should be handled by regulatory compliance) first. Next, run your general rules, where no special handling is required, and you know who should be responsible for them. Finally, create a default rule to assign VITs to the group that will figure out what assignment group it should belong to. This group could add another rule to cover their decisions. This default rule would run last.

    Assignment rule evaluation process

    Assignment rules are used to evaluate and assign a VIT when a new VIT is opened, that is, imported, created manually, or reopened. Unless you manually reapply assignment rules after the VIT or its state changes, a VI is evaluated once.

    The following process is used for each new, updated or reopened VIT:
    • For each vulnerability assignment rule, the VIT is compared to the assignment filter, lowest order rule first.
    • Where the condition matches, the VIT is assigned an assignment group. The lookup stops.
    • Where the conditions do not find a match among all the other rules, the VIT is assigned to the default assignment group, if a default rule exists.
      Once the vulnerable item has been assigned, the appropriate remediation task rule uses assignment as one of its criteria for placing the vulnerable items into a remediation task. See Vulnerability Response remediation tasks and remediation task rules overview and Filtering within Vulnerability Response for more information.
      Note:
      The default rule is the rule with the highest execution order value. A final rule to use that is a good catch-all is active=true. If there is no default rule, the VIT remains unassigned when the remediation task rule makes the assignment.

    Reapplying assignment rules

    When you change an assignment rule, use the Apply Changes button on the Assignment Rules list page to rerun all the changed rules on all active Open VIs, except those that were manually assigned.
    Note:

    If the Reapply all vulnerability assignment rules scheduled job has not run before the first time you use Apply Changes, then it runs all the assignment rules on all Open VITs except those VIs that were manually assigned. After that, all subsequent uses of Apply Changes rerun only the changed rules and any dependent rules. Changes to one rule may result in a VIT matching a different unmodified rule. Reapplying assignment rules does not regroup the vulnerable items.

    The scheduled job [Reapply all vulnerability assignment rules] is inactive by default. When activated, it applies all the rules to all open VITs except those manually assigned. It can run Daily, Weekly, Monthly, Periodically, Once, or On Demand. Depending on how many active VIs you have in your environment, remember to set the Run field appropriately following the initial run to prevent performance impacts.

    Upgrade customers should refer to the Vulnerability Response Release Notes for information regarding the impact of this feature on existing VITs.

    Important:
    As a vulnerability admin and analyst, you can obtain the latest assignments for selected vulnerable items in the Vulnerability Manager Workspace. This method is more efficient than running the Assignment Rules for all vulnerable items in the classic UI, which is a time-consuming process. For more information, see Re-evaluate the remediation properties of the records in the Vulnerability Manager Workspace.
    For v30.x and above (USEM), when an assignment group on an assignment rule changes, the vulnerable items can be automatically reevaluated and regrouped by activating the system property sn_sec_rem.rerun_task_rules and business rule Link to Remediation Tasks.
    Note:
    By default, the system property sn_sec_rem.rerun_task_rules is set to false.

    When an assignment group on an assignment rule changes, the vulnerable items can be automatically reevaluated and regrouped by enabling the system property sn_vul.rerun_task_rules and business rule Link to Remediation Tasks.

    To enable the system property:
    1. Navigate to All > System Properties > All Properties.
    2. Open sn_vul.rerun_task_rules system property.
      Note:
      By default, the system property is set to false.

      For versions earlier than 30.x (Core), this system property is named sn_vul.rerun_task_rules.

      For versions 30.x and later, this system property is renamed sn_sec_rem.rerun_task_rules.

    3. In the Value field, set the value to true.
    When the system property is set to true, and the assignment rules are reapplied, the vulnerable items are unlinked from the remediation tasks, where the condition no longer matches.

    To automate the regrouping of vulnerable items, you must activate the business rule Link Remediation Tasks.

    To enable the business rule:
    1. Navigate to All > System Definition > Business Rules.
    2. Open Link to Remediation Tasks business rule.
    3. Select the Active check box to activate the business rule.
    The business rule on being enabled, regroups the vulnerable items by moving them to the relevant group or by creating a group if they can't be grouped under any existing group.
    Note:
    • The vulnerable items are removed from the groups without deleting the groups.
    • Only those items are removed which are created using remediation task rules or remediation effort.
    • Regrouping is done automatically only when the assignment group changes as part of an assignment rule and not when it is manually changed.
    • Assignment rules do not apply to VITs in the Deferred state. If a VIT is deferred, you must manually assign it if needed.
    Regrouping in workspaces is performed for remediation tasks, which are created from a Remediation effort.