Identify duplicate vulnerable items with generative AI

  • Release version: Australia
  • Updated March 24, 2026
  • 5 minutes to read

    • Use the Vulnerable item de-duplication generative AI skill to identify the primary (first-found) vulnerable items for configuration items along with duplicate vulnerable items that are imported by your vulnerability scanners.

    Before you begin

    Note:
    Depending on your license, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents. For more information, see ServiceNow product tiers.

    The Now Assist panel must be activated. For more information, see Activate the Now Assist panel standard chat.

    Important:
    This Now Assist skill is turned on by default. The skill will be automatically available to appropriate role users for the application. For more information, see Now Assist skills, agents, and agentic workflows on by default.

    For more information about configuring this skill, see Configure a generative AI skill.

    Roles required:
    Note:
    The sn_vul.vulnerability_admin and sn_vul.vulnerability_analyst inherit the following roles when you install the Now Assist for Vulnerability Response application.
    • View Vulnerable item deduplication module in the workspace - sn_vul_ai.now_assist_user
    • Create deduplication job configurations - sn_vul_ai.configure_vi_dedup
    • Run deduplication jobs - sn_vul_ai.run_vi_dedup_job
    • Review duplicate job records - sn_vul_ai.review_duplicate_vi

    Procedure

    1. Navigate to All > Workspaces > Vulnerability Manager Workspace.
    2. Select the Now Assist sparkle icon icon in the Navigation panel.
      The Now Assist panel is displayed. If you don't see the Now Assist icon Now Assist sparkle icon in the header on the page, you must activate the Now Assist panel. For more information, see Activate the Now Assist panel standard chat.

      The All job configurations, All jobs, and All duplicate review tabs are displayed on the Now Assist page. You must create a deduplication job as the first step for vulnerable item (VITs) deduplication.

      Note:
      You must have the sn_vul_ai.configure_vi_dedup role to create jobs.
    3. To create a job, select New and fill out the fields.
      Field Description
      Title Unique name to help you identify this job from other jobs.
      Email notification Select the check box to get email notifications when this job is completed. If selected, you can see the following information in an email:
      • Duplicate vulnerable items found
      • Total vulnerable items processed
      • Impacted configuration items
      • Select the Review duplicates link to view the list of duplicates in the workspace.

      Alternatively, you can select the Show notifications (bell) icon in the top banner to see messages with the duplicate vulnerable items found for completed jobs.
      Set conditions
      1. Select the Set conditions link to filter the vulnerable items you want to review for duplicates.

        An example might be: [Configuration item] [contains] [server-based-VIs].

        The Set conditions link is refreshed and displays a count with your matching results. You might prefer to rename your job based on your returned results.

        You can select the View matching results link to view vulnerable items that meet your conditions and more details such as a summary, configuration items, and risk ratings in the Condition modal.

      2. When you’re satisfied with the results, select Save.
    4. After you save the job, the Run job button is displayed and activated on the record.

      You’re ready to run a job.

      Note:
      You must have the sn_vul_ai.run_vi_dedup_job role to view Run job button and initiate jobs.
      1. To run a job, navigate to All > Workspaces > Vulnerability Manager Workspace > Now Assist > All job configurations.
      2. Locate the job that you want, select the record in the Number column to open it, and select Run Job.
        A message that the job is running in the background is displayed. For more information about your job's status, select the View progress link.

        After you select Run job, the Check vulnerable item deduplication job completion job is initiated and runs in the background.

        There’s another job that runs every 30 minutes to verify that the active jobs have been completed.

        After your job is successfully completed, you can review, evaluate, and close the duplicate VITs found by your job.
        Note:
        You must have the sn_vul_ai.review_duplicate_vi role to review duplicate VITs.
    5. Review duplicate VITs.
      1. To review completed jobs and the lists of duplicate vulnerable items, navigate to All > Workspaces > Vulnerability Manager Workspace > Now Assist > All jobs.
      2. Open a record (JOB#) and select the Duplicate Vulnerable Item Reviews related list.
      3. Optional: Select the links to open the vulnerable item (VIT#) records for review before you determine if the VITs on the record are duplicates.
      4. For a side-by-side comparison of the duplicate VIT records, select a (DUP#) record to open it.
        • The job number and State (Needs Review) is displayed.
        • The Confidence and Reason fields provide you with more information. The Reason column displays the generative AI and Now LLM Service reasoning for why these VITs are considered duplicates.
        • Information about the primary VIT and the duplicate VIT are side by side in the Vulnerable item details section.
        • First found date for the primary and the duplicate VITs. A primary VIT typically has the earliest First found date.
        • Select the information Small letter i icon in the Primary vulnerable item details and Duplicate fields if you want to open the VIT records from this page.
      5. Choose one.
        Option Description
        Mark not duplicate

        These are two distinct vulnerable items that represent at least two unique vulnerabilities. These two vulnerable items won’t be considered as duplicates in the jobs you create going forward.

        The State transitions from Needs Review to Not Duplicate for the DUP# record.
        Confirm duplicate

        Your review indicates these two VITs are duplicates. The VIT record that is displayed on the Duplicate record labeled Duplicate transitions to Closed.

        A work note with close notes is added to the closed VIT record.

        Any associated detections on the closed VIT are moved to the primary VIT record. Work notes are added to the primary VIT to indicate that a duplicate has been closed and its detections have been linked.

        Note:

        The sn_vul_ai.duplicate_vi_confidence_threshold System property automates the vulnerable item deduplication workflow.

        This system property is activated by default, but it has no threshold value for a confidence score. With no value for the threshold, the automated workflow closes no duplicates.
        Note:
        Confidence scores of 100 for VITs aren’t calculated by the Now Assist skill. This score is calculated by matching with deterministic logic.

        If you enter a threshold value, any duplicates that have confidence scores greater than the value you specify will be automatically closed and their detections are rolled up to the primary vulnerable item.

        You might prefer to leave this system property in its default setting with no threshold value until you’re familiar with the workflow and have some time to establish an accurate value. In its default setting, you can maintain control over the conditions under which your duplicate VITs are reviewed, marked, and processed.

        You must have the sn_vul_ai.configure_vi_dedup or the sn_vul_ai.review_duplicate_vi role to modify this system property.
      6. Optional: Alternatively, you can review duplicate items from the All duplicate reviews list tab from a DUP# record.
        This list permits you to perform a bulk edit on the duplicate records and their associated VIT records.