Create a Vulnerability Response assignment rule for service support

  • Release version: Zurich
  • Updated July 31, 2025

Use the following script to create a rule that assigns vulnerable items for remediation based on the business services they impact.

    Before you begin

    Role required: sn_vul.vulnerability_admin

    About this task

    You might prefer to perform this task only if you have advanced coding experience or in-depth knowledge of the ServiceNow AI Platform and how assignment rules work.

    With this rule, vulnerable items (VIs) are assigned according to how closely they match the business services listed in your CMDB. If no related services, departments, or support groups are matched, VIs are assigned to the Vulnerability Analyst group.

    This rule might help you reduce the number of VIs that are incorrectly assigned or remain unassigned after other assignment rules have already completed.

    Procedure

    1. Navigate to All > Vulnerability Response > Administration > Assignment Rules.
    2. Select New.
    3. Fill in the fields on the form, as appropriate.
      See Create or edit Vulnerability Response assignment rules for more information about these fields.
    4. From the Assign using choice list, select Script.
    5. In the editor, copy and paste the following script.
      /*
      Assigns Vulnerable Item based on related Business Service
      Assigns to default Vulnerability Analyst group if no related Business Service
      */
      assignToServiceSupport(current);
      
      function assignToServiceSupport(vitGR) {
          var ci = vitGR.getValue('cmdb_ci');
          var defaultAssignmentGroup = 'Vulnerability Analyst';
          var defaultGR = new GlideRecord('sys_user_group');
          defaultGR.get('name', defaultAssignmentGroup);
          var defaultAssignmentGroupID = defaultGR.sys_id;
      
          var maxSizeValue = global.SecProperty.getProperty("sn_sec_cmn.services_affected_by_CI_max_size", 1000);
          var maxDepthValue = global.SecProperty.getProperty("sn_sec_cmn.services_affected_by_CI_max_depth", 10);
          var customValues = {
              "maxDepth": maxDepthValue,
              "maxSize": maxSizeValue
          };
          var ciu = new global.CIUtils();
          var services = ciu.servicesAffectedByCI(ci, customValues);
          var svc = new GlideRecord("cmdb_ci_service");
          var hasSvc = false;
          if (services && services.length > 0) {
              svc.addQuery("sys_id", "IN", services.join(",")); // returns the service with highest business criticality. Implement alternate logic here.
              svc.addNotNullQuery("busines_criticality"); // typo intended
              svc.orderBy("busines_criticality");
              svc.setLimit(1);
              svc.query();
              hasSvc = svc.next();
          }
          if (!hasSvc) {
              // If there are no services, assign to the default assignment group
              return defaultAssignmentGroupID;
          } else {
              var serviceAssignmentGroup = svc.getValue('support_group'); // hasSvc is only a boolean, so read the field from the svc record. Also consider managed_by_group, assignment_group, change_control
              return !gs.nil(serviceAssignmentGroup) ? serviceAssignmentGroup : defaultAssignmentGroupID; //Return the Service assignment group if it is not empty, return the default assignment group otherwise.
          }
      }
    6. Select Submit.
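
    The following added example is not part of the ServiceNow documentation or product code. It models the script's selection logic in plain JavaScript so that alternate logic can be tested outside an instance, and it goes one step further than the script by walking the other group fields named in the script's comment. The function names, sample rows, and placeholder group identifiers are assumptions.

```javascript
// Added example: plain-JavaScript model of the rule's decision, for offline testing.
// Rows mimic cmdb_ci_service records as { name, busines_criticality, <group fields> }.
const GROUP_FIELDS = ['support_group', 'managed_by_group', 'assignment_group', 'change_control'];

function isEmpty(v) {
  return v === null || v === undefined || String(v).trim() === '';
}

// Mirrors addNotNullQuery + orderBy: drop rows without a criticality, sort ascending.
function rankServices(services) {
  return services
    .filter(s => !isEmpty(s.busines_criticality))
    .sort((a, b) => String(a.busines_criticality).localeCompare(String(b.busines_criticality)));
}

// Behaviour of the page's script: only the top-ranked service and only support_group.
function assignLikePageScript(services, defaultGroupId) {
  const top = rankServices(services)[0];
  return top && !isEmpty(top.support_group) ? top.support_group : defaultGroupId;
}

// Alternate logic (assumption): walk services in rank order, then group fields in
// preference order, and fall back to the default only when nothing is populated.
function assignWithFallback(services, defaultGroupId, fields = GROUP_FIELDS) {
  for (const svc of rankServices(services)) {
    for (const field of fields) {
      if (!isEmpty(svc[field])) {
        return { group: svc[field], service: svc.name, field };
      }
    }
  }
  return { group: defaultGroupId, service: null, field: null };
}

// Constructed sample data; the group identifiers are placeholders, not real sys_ids.
const DEFAULT_GROUP = 'grp_vulnerability_analyst';
const SAMPLE_SERVICES = [
  { name: 'Payroll', busines_criticality: '1 - most critical', support_group: '', managed_by_group: 'grp_payroll_ops' },
  { name: 'Intranet', busines_criticality: '3 - less critical', support_group: 'grp_web' },
  { name: 'Lab', busines_criticality: '', support_group: 'grp_lab' },
];

console.log(assignLikePageScript(SAMPLE_SERVICES, DEFAULT_GROUP));
console.log(assignWithFallback(SAMPLE_SERVICES, DEFAULT_GROUP));
```

    With the sample rows, the page's logic falls back to the default group because the most critical service has no support group, while the fallback variant returns that service's managed-by group.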

    What to do next

    Review Vulnerability Response assignment rules overview for more general information about assignment rules and the Reapply all vulnerability assignment rules scheduled job.