Mitigation controls to vulnerable item mapping

  • Release version: Xanadu
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Mitigation Controls to Vulnerable Item Mapping

    This feature enables users to map mitigation controls to vulnerable items, allowing for efficient identification of vulnerabilities and related Common Vulnerabilities and Exposures (CVEs). When a specific mitigation control is identified on an asset, Security Posture Control automatically recognizes vulnerable items that are being mitigated, which aids vulnerability management teams in reducing risk scores for those items.

    Show full answer Show less

    Key Features

    • Vulnerable Item Mitigation Controls Table: This table provides a mapping of mitigation control data to mitigated vulnerable items (VITs). It includes information on detected mitigation controls and the associated CVEs.
    • Mitigation Control Records: Access detailed records of mitigation controls to understand how specific vulnerabilities are addressed, including links to related Common Weakness Enumeration (CWE) vulnerabilities.
    • Risk Calculator Integration: Utilize mitigation information to create customized risk calculator rules for recalculating risk scores based on specific vulnerabilities and their associated mitigation controls.

    Key Outcomes

    By implementing these mitigation controls, ServiceNow customers can enhance their vulnerability management processes, leading to reduced risk scores for vulnerable items. This results in more effective risk assessment and management, ensuring a stronger security posture for assets impacted by CVEs.

    Mitigation controls data is mapped to vulnerable items. You can view a list of mitigation controls that are used to mitigate the vulnerabilities and underlying Common Vulnerabilities and Exposures (CVEs) associated with the vulnerable items.

    After identifying a specific mitigation control on an asset, Security Posture Control automatically identifies any vulnerable items that are mitigated by that control. For example, any vulnerable items with CVEs that are part of signatures in Web Application Firewall (WAF) policies are marked as mitigated vulnerable items. This identification might be useful for vulnerability management teams to help them automatically reduce risk scores for vulnerable items that are mitigated.

    Vulnerable item mitigation controls table

    The Vulnerable item mitigation controls [sn_vul_vulnerable_item_mitigation_control] table has been created to map mitigation control data to mitigated vulnerable items (VITs). This table lists mitigated VITs and the detected mitigation controls that were used to mitigate the vulnerabilities and their underlying CVEs associated with the vulnerable items. The mitigated CVE records contain references to the mitigation control used for the assets, for example, Exploit Protection (EDR).

    Example data is shown in the following table.

    Table 1. Vulnerable item mitigation controls data
    Mitigation control exists Mitigation control effectiveness Detected mitigation control type CVEs mitigated Vulnerable item
    Yes/No Moderate Exploit Protection (EDR) CVE-2009-3373 VIT0018323

    Open a mitigation control record (Detected mitigation control type) on the table to review details about how a CVE and its related Common Weakness Enumeration (CWE) vulnerability is mitigated by the mitigation control associated with an asset. The mitigation control record contains details about the CWEs that have been mitigated, for example, how a mitigation setting satisfies vulnerabilities specified in a CWE.

    Risk calculator and risk calculator rules

    Mitigation information might be used to help you set up customized risk calculator rules to help you recalculate the risk scores on VITs that have specific types of vulnerabilities and mitigation controls associated with them. For this example rule, which is based on the preceding table, the default risk calculator calculates a risk score of 60 for VITs that have the mitigation control type, Exploit Protection (EDR) on detected assets. This calculation score is due to the moderate risk that is associated with the vulnerability with this mitigation in place.

    Example risk calculator rule with the following conditions:

    [Mitigation control details] [is not] [empty] AND [Mitigation control details, Detected mitigation control type] [is] [Exploit Protection (EDR)].

    Values:

    [Risk score][is][60]

    See Define fields and weights for the risk rule for Vulnerability Response Risk Calculators for more information.