Security Posture Control: Configuring and viewing your findings

  • Release version: Zurich
  • Updated July 31, 2025

    You can view the findings generated by the evaluation of policies in Security Posture Control in the Security Posture Control Workspace.

    Overview for findings

    Any assets that match a policy are reported as 'Findings'. You can configure findings to be generated from the execution of policies so that they can be assigned to various teams for remediation or used for reporting. Security Posture Control publishes these findings as ‘Test Results’ in the Configuration Compliance module. All administrative controls in the Configuration Compliance application that relate to assignment, grouping (remediation task generation), remediation targets, and exceptions are supported for findings generated by Security Posture Control.

    The types of findings:

    Tool coverage
    This type represents a security tool coverage gap. This finding type is applicable for policies using ‘Reported-by-connector’ and ‘Not-reported-by-connector’ relationships.
    Internet exposure
    This type represents internet exposure of a cloud asset. This finding type is applicable for policies using the ‘Has-internet-exposed-port’ relationship on CloudVM.
    High-risk combination
    This type represents an issue with more than one associated risk factor, for example, assets with critical vulnerabilities and a missing endpoint protection agent.

    The finding types available when you select Configure findings depend on the relationships that are used in the policy. For example, if you select Configure findings on a policy that has more than one risk factor, such as ‘Cloud assets with critical vulnerabilities, missing endpoint protection, and SSH port 22 open to internet’, the following finding types are offered:

    1. High-risk combination
    2. Tool coverage
    3. Internet exposure

    You can choose to generate findings of the type ‘High-risk combination’, which creates one finding for every asset matching this policy. Alternatively, you can choose to create findings of the types ‘Tool coverage’ and ‘Internet exposure’, which results in two findings for each asset that matches the policy: one of the type ‘Tool coverage’ and one of the type ‘Internet exposure’.

    By using the type of the finding or Test Result, you can write assignment rules in Configuration Compliance to route these issues to the respective teams for remediation. For example, you can send ‘Tool coverage’ findings to the IT ops team and ‘Internet exposure’ findings to the application team.

    However, if one of the remediation owners fixes their issue, the other finding is automatically closed, because both findings are generated from a policy that looks for the combination. For example, if the IT ops team closes the ‘Tool coverage’ finding by installing the endpoint protection agent, the ‘Internet exposure’ finding generated from this policy is automatically closed even though the asset is still internet-facing. If you want to keep track of internet exposure issues on assets, it is recommended that you create another policy that looks only for internet exposure on the assets and not for any other risk factor.
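    The auto-close behaviour described above, as a simplified model added here for illustration; it is not ServiceNow code and does not use any ServiceNow API. The policy names, risk-factor labels, and the asset `vm-01` are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    conditions: frozenset   # risk factors that must ALL be present to match
    finding_types: tuple    # finding types configured for this policy

def evaluate(policies, assets, findings):
    """Re-evaluate every policy: open findings on a match, close them otherwise."""
    for policy in policies:
        for asset, risks in assets.items():
            matched = policy.conditions <= risks
            for ftype in policy.finding_types:
                key = (policy.name, asset, ftype)
                if matched:
                    findings[key] = "open"
                elif key in findings:
                    # The combination no longer holds, so every finding
                    # derived from this policy is closed together.
                    findings[key] = "closed"
    return findings

def open_findings(findings):
    return sorted(k for k, state in findings.items() if state == "open")

def demo():
    combo = Policy(
        "combo",
        frozenset({"critical_vuln", "missing_epp", "ssh_exposed"}),
        ("Tool coverage", "Internet exposure"),
    )
    # Dedicated policy that looks only for internet exposure.
    dedicated = Policy("exposure-only", frozenset({"ssh_exposed"}),
                       ("Internet exposure",))
    assets = {"vm-01": {"critical_vuln", "missing_epp", "ssh_exposed"}}
    findings = {}

    evaluate([combo, dedicated], assets, findings)
    before = open_findings(findings)

    # IT ops installs the endpoint protection agent; SSH is still exposed.
    assets["vm-01"].discard("missing_epp")
    evaluate([combo, dedicated], assets, findings)
    after = open_findings(findings)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

    After the agent is installed, both findings from the combined policy are closed, and only the dedicated policy still reports the exposed port.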

    Where to view findings

    You can view the findings generated by the evaluation of policies in any of these ways:

    • Navigate to Security Posture Control Workspace > Lists > Findings > All.
    • On a policy record, select View findings.
    • In the Configuration Compliance application, select Test Results and filter the records by Source is ServiceNow SPC.

    The dashboard

    In the Security Posture Control Workspace, the Home (landing page) displays these visualizations:

    Overview
    • Assets: The number of assets monitored on-premises and in the cloud.
    • Findings by criticality: The number of critical findings out of your total assets.
    • Assets monitored by top 5 sources: The top five Service Graph Connectors reporting on assets.
    • Cloud accounts: The number of cloud accounts monitored across AWS and Azure.
    • Open vs closed findings: A comparison of records still in process or awaiting resolution and those that are resolved.
    Key insights
    • Endpoint protection agent installed: The total number of assets that have or do not have endpoint protection.
    • Managed device coverage: The number of managed assets compared to those that are unmanaged.
    • Vulnerability scan coverage: The total number of scanned assets compared to the number that are not scanned for known vulnerabilities by a third-party vulnerability scanner.
    • Assets with critical vulnerabilities: The number of assets out of the total number of assets that have critical vulnerabilities.
    • Vulnerable items by criticality: The total number of vulnerable items broken down by their severity. A known vulnerability that matches an asset in your CMDB results in a vulnerable item.
    • Top 3 policies by findings: The policies that return the most findings (matches) on your assets.

    Key use case coverage

    Select a visualization and then select Help improve to view which Service Graph Connectors and policies are activated for the key use cases.