Triage vulnerabilities automatically
Summary of Triage Vulnerabilities Automatically
This feature allows ServiceNow customers to automate the triage of vulnerabilities by converting vulnerability imports into actionable remediation tasks. This process includes assigning vulnerable items (VIs), calculating risk, setting remediation targets, and grouping VIs for streamlined management and remediation efforts.
Key Features
- Automated Assignment: VIs are automatically assigned for remediation tasks upon import, based on predefined rules.
- Configuration Item (CI) Reconciliation: Assets not present in the Configuration Management Database (CMDB) are identified and reconciled.
- Validation Scans: Completion of remediation tasks is confirmed through validation scans.
- Manual Adjustments: Users can manually group VIs and create remediation tasks as needed.
- Risk Scoring: Risk scores for VIs can be revised to prioritize remediation efforts effectively.
Key Outcomes
By utilizing this automated triage process, ServiceNow customers can achieve efficient vulnerability management, reducing the time and effort required to address security risks. Customers can expect to streamline their remediation workflows, improve accuracy in vulnerability assessments, and ensure that critical vulnerabilities are addressed promptly. Additionally, the ability to create change requests and assign tasks to IT Operations enhances collaboration and accountability in the remediation process.
Reviewing and triaging new vulnerabilities is necessary to ensure successful remediation. Transform vulnerability imports into remediation tasks with automated vulnerable item (VI) assignment, risk calculation, remediation targets, and VI grouping.
Starting with imported vulnerabilities, reconcile the assets not found in the CMDB, prioritize the results, translate that to remediation activities that are automatically assigned, orchestrate the remediation process, and confirm completion with a validation scan.
New vulnerable items are usually sorted into remediation tasks upon import, based on remediation task rules. Sometimes, vulnerable items cannot be grouped or do not contain a recognized configuration item.
- Log in to your Vulnerability Response instance.
- Validate that your rules (CI Lookup, Assignment) for vulnerable items are working as expected. For information on revising CI Lookup Rules, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations. For information on Assignment rules, see Vulnerability Response assignment rules overview.
  Note: Due to the large volume in data imports, care should be taken with automated vulnerable item assignment.
- Validate that your remediation targets are correct. See Vulnerability Response remediation target rules for information on how remediation target rules work and how to revise them.
- View ungrouped vulnerable items.
- Looking at the ungrouped vulnerable items, consider revising your group rules and performing a rescan. See Create or edit Vulnerability Response remediation task rules for more information.
- Manually group the vulnerable items. See Manually create a remediation task in Vulnerability Response for more information.
- Revise risk scores for the vulnerable items in your remediation tasks. See Vulnerability Response calculators and vulnerability calculator rules for more information.
- Close older vulnerable items not recently detected by your third-party integrations. See Automatic closing of vulnerable items and detections for more information.
- View and reclassify unmatched configuration items.
- Research what needs to be done for remediation.
This step can include:
- Determine what to deal with now and what you can defer. This determination is often based on risk score, affected systems, and patches with change windows.
  Note: Remediation target rules belong to vulnerable items. These rules are run when the vulnerable item is imported. These rules were created previously in the Setup Assistant.
- Refresh vulnerable items, if necessary, and view the remediation target status of a Vulnerability Response vulnerable item.
- Create a Change Request and assign the remediation task to an assignment group (IT Operations) for remediation.
  Note: If the vulnerability constitutes a security incident and the Security Incident Response plugin (com.snc.security_incident) is activated, you can create security incident records from the remediation tasks instead.
- After submitting one or more change requests, move the group state to Under Investigation.