Vulnerability Response remediation tasks and remediation task rules overview
Configure remediation tasks (VULs) to help analysts and remediation specialists organize vulnerable items (VIs) and analyze them in bulk. The criteria by which remediation tasks are formed are configured once, so that you do not have to manually assign vulnerable items to remediation tasks. Using remediation tasks, you can monitor progress and drive the remediation process more efficiently.
Tracking deferral counts for vulnerable items and remediation tasks
Track the number of times a vulnerable item, application vulnerable item, a container vulnerable item, or a remediation task is deferred. A scheduled job, set deferral counts, runs daily to post counts for the records that are deferred more than once in the Deferral count column. Records are displayed in the Multiple deferrals modules for VR, AVR, and CVR.
Refreshing vulnerable items automatically
When the Automatically update related vulnerable items check box is selected, new VIs matching the remediation task filter criteria are automatically added to the task. Vulnerable items in the remediation task that no longer match the filter criteria are automatically removed from the task.
By default, when the remediation task leaves the Open state, the check box is cleared. If you want vulnerable items to continue being added to the remediation task, regardless of state, disable the Set auto refresh vulnerable items business rule.
Refreshing vulnerable items manually
For manually created remediation tasks with a Filter Group or Condition filter, when you click the Refresh associated vulnerable items related link on the Remediation Task page, any vulnerable items that match the filter criteria are added. Items no longer matching the criteria are removed. This action allows an immediate update of the list of vulnerable items and is used whether the Automatically update related vulnerable items check box is selected or not.
Manually created remediation tasks using Condition or Filter Group filter types are refreshed once an hour.
Understanding remediation task rules
Remediation task rules allow you to define how vulnerable items are automatically grouped and assigned. A default rule, Vulnerability, is included in the base system; it gathers vulnerable items based on their vulnerabilities. However, you can group by any other set of values in columns accessible from the VI, such as configuration item (CI) support group, vulnerability severity, and so on.
You can create any number of conditions. Once you set a Group by selection, another row appears. You can have up to six Group by selections. You can automate group assignment, as well. See Create or edit Vulnerability Response remediation task rules and Filtering within Vulnerability Response for more information.
You can control whether all matching rules are evaluated or only the first match is applied by setting the execution mode on the remediation task rules page. This setting is configured in the Security Exposure Management Workspace. For more information, see Grouping multiple findings as remediation tasks for easy processing using remediation task rules.
For example, you can group your vulnerable items by the cost center of the vulnerable CI, or by the attack vector of the vulnerability. You can have one task rule for low severity vulnerabilities or low risk CIs, and a different set of rules for the vulnerable items that expose the company to more risk, such as critical servers and vulnerabilities with known exploits.
The remediation task rule name is combined with the rule's Group by values to make the short description of the new record. See Manually create a remediation task in Vulnerability Response for more information on available fields.
When a new vulnerable item is created, imported, or reopened after being closed, the remediation task rules are evaluated against it. A VI is evaluated automatically only once, unless it is reopened after being closed or the rules are reapplied manually.
The following process is used for each new or reopened VI:
- For each remediation task rule, the VI is compared to the remediation task rule filter.
- For each rule whose condition matches, the rule pulls the data from the Group by selections on the VI and builds a group name, for example High Risk: QID-32342:Summary of QID-32342 (Name: vulnerability ID:vulnerability summary). The rule then checks whether there is an Open remediation task with that name that is assigned to the same assignment group as the VI. Note: The short description field is limited to 160 characters, so longer vulnerability summaries are truncated.
- If the task is found, the VI is added to the existing task in the Open state.
- If no task in the Open state is found, the rule creates a High Risk: QID-32342 task, assigns it to the same assignment group as the VI, and places the VI in the remediation task.
More than one remediation task rule can be defined, to group different kinds of vulnerabilities. Since each vulnerability is compared with the remediation task rule conditions before putting it in a remediation task, too many rules may have a performance impact.
By default, remediation task rules group vulnerable items by the assignment group that the Assignment Rules set on each vulnerable item, and assign the remediation task to that same group.
As part of the default task rule, the assignment of these remediation tasks is controlled by the rules in the Assignment Rules module.
When a task rule is deleted, from the form or list view, you have the option to delete all Open tasks created by that rule. Tasks not in the Open state are excluded.
Reapplying remediation task rules
When you want to change a remediation task rule, use the Reapply button on the remediation task rule page to rerun the changed rule on all active Open remediation tasks created by that rule. It deletes and recreates remediation tasks based on the changed rule automatically.