Vulnerability Response remediation target rules

  • Release version: Xanadu
  • Updated July 31, 2025

    Remediation target rules define the expected time frame for remediating vulnerable items (VIs), much like SLAs provide a time frame for remediating the vulnerability itself. For example, if an asset contains PCI data (credit card data), then the vulnerability on that item must be fixed within 30 days according to PCI DSS.

    Vulnerability managers can create remediation target rules by defining:
    • The remediation target
    • The reminder target
    • The reminder and notification recipients: Who should be notified when the vulnerable items (VIs) are past the reminder or remediation target date and haven’t been remediated.
    • The recalculation method: How the system updates the remediation target (RT) date when a vulnerable item’s risk rating changes.

    Vulnerability analysts and managers can see the remediation target date in the vulnerable item form and list views, as long as the vulnerable items aren’t in the Deferred, Resolved, or Closed state. Remediation target rules are run on import and rerun if a VI is reopened.

    The Remediation target date is color-coded on the VI list view as dots, as follows:
    • Vulnerable items that haven’t reached their notification date are shown in green.
    • Vulnerable items approaching the remediation target date are shown in orange.
    • Vulnerable items past the remediation target date are shown in red.

    A summary email, per remediation target rule, is sent when one or more VIs are either approaching their remediation target date or the remediation target date has passed.

    Recalculation of remediation target date

    Starting with Unified Security Exposure Management version 30.1.4 and Vulnerability Response version 26.4.4, administrators can configure how the system recalculates the remediation target date when a finding’s risk rating changes.

    • Under normal conditions, the system calculates the RT date as:

      Remediation Target = Target from (date) + Target (days)

    • When the risk rating changes, the system calculates a new RT date using the formula below. The selected recalculation method determines whether this new date replaces the existing RT date.

      Recalculated RT date = Field change time + Target (days)

      Field change time captures when the risk rating changed. Target (days) uses the SLA of the new risk rating.

    The following options define how the system applies the recalculated RT date when a risk rating changes:
    • Default calculation: Retains the existing RT date. The recalculated date isn’t applied.
    • Recalculate from risk change date: Updates the Remediation Target date to Field change time + Target (days) based on the new risk rating.
    • Recalculate from risk change date and always set to earliest target date: Compares the existing RT date with Field change time + Target (days) and applies the earlier date.
    • Recalculate from risk change date and set to earliest target date only when risk rating increases: If the risk increases, compares the existing RT date with the recalculated RT date and applies the earlier date. If the risk decreases, applies Field change time + Target (days) without comparison.

    For configuration steps, see Recalculate a remediation target date.

    Remediation target rules can be deactivated or deleted

    When a rule is deactivated, the current remediation target dates for the VIs it was applied to are cleared. If a VI satisfies any active rule, that rule is applied; otherwise the VI has no rule or target date, and its status is No Target.

    When rules are deleted, the Remediation target date and related fields on closed, deferred, or resolved VIs are preserved. The Remediation target date and related fields on non-closed VIs are cleared and any dependent rules are reapplied.

    Remediation target rule scenario

    When multiple remediation target rules are applied to the same vulnerable item, the most restrictive rule is applied.
    Note:
    Remediation targets are calculated from the Last Opened date plus the number of days (measured as 24-hour increments).

    Starting from V17.1, remediation targets are calculated from the Target from (date). The default value remains Last opened date.

    For example, if a vulnerable item meets the condition for two remediation target rules:

    Scenario: Vulnerable item last opened on 03/01/2018 at 10:00:00.
    • Remediation target rule 1: Last opened on 03/07/2018; remediation target is 15 days since it was last opened; calculated remediation target date is 03/16/2018 10:00:00.
    • Remediation target rule 2: Last opened on 03/10/2018; remediation target is 10 days since it was last opened; calculated remediation target date is 03/11/2018 10:00:00.
    In this scenario, Remediation target rule 2 applies to the vulnerable item because it produces the more restrictive date: 10 days versus 15 days.
    Note:
    Once the Remediation target rule is defined, remediation target dates are calculated by the Evaluate remediation targets scheduled job.
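    The following Python is an added worked example, not ServiceNow code: it reproduces the two-rule scenario above (the earliest date wins) and walks a risk-rating change through each of the four recalculation methods from the Recalculation section. The TARGET_DAYS table and the change timestamps are constructed for illustration; they are not the product's defaults.

```python
from datetime import datetime, timedelta
# Constructed SLA table for this example: Target (days) per risk rating.
# Illustrative values only, not ServiceNow's shipped defaults.
TARGET_DAYS = {"Critical": 7, "High": 30, "Medium": 60, "Low": 90}
RISK_ORDER = ["Low", "Medium", "High", "Critical"]  # ascending severity
METHODS = ("default", "from_change", "always_earliest", "earliest_on_increase")

def remediation_target(target_from: datetime, days: int) -> datetime:
    """Remediation Target = Target from (date) + Target (days), in 24-hour increments."""
    return target_from + timedelta(days=days)

def most_restrictive(last_opened: datetime, rule_days: list) -> datetime:
    """Several rules match one VI: the earliest resulting date is the one enforced."""
    return min(remediation_target(last_opened, d) for d in rule_days)

def recalculate(existing_rt: datetime, field_change_time: datetime,
                old_risk: str, new_risk: str, method: str) -> datetime:
    """Apply one of the four recalculation methods after a risk-rating change."""
    # Recalculated RT date = Field change time + Target (days) of the NEW rating
    candidate = remediation_target(field_change_time, TARGET_DAYS[new_risk])
    if method == "default":
        return existing_rt                  # recalculated date is never applied
    if method == "from_change":
        return candidate                    # always replaces the existing date
    if method == "always_earliest":
        return min(existing_rt, candidate)  # the earlier of the two wins
    if method == "earliest_on_increase":
        increased = RISK_ORDER.index(new_risk) > RISK_ORDER.index(old_risk)
        # Risk up: keep the earlier date. Risk down: take the candidate without
        # comparison, which can move the target later than the existing date.
        return min(existing_rt, candidate) if increased else candidate
    raise ValueError(f"unknown recalculation method: {method}")

# Constructed sample VI, last opened 03/01/2018 10:00:00 as in the page's scenario
LAST_OPENED = datetime(2018, 3, 1, 10, 0, 0)
def demo() -> dict:
    """Page scenario (15-day vs 10-day rules) plus a risk increase and a decrease."""
    out = {"two_rules": str(most_restrictive(LAST_OPENED, [15, 10]))}
    rt_medium = remediation_target(LAST_OPENED, TARGET_DAYS["Medium"])
    up = datetime(2018, 3, 20, 12, 0, 0)    # Field change time, Medium -> Critical
    rt_critical = remediation_target(LAST_OPENED, TARGET_DAYS["Critical"])
    down = datetime(2018, 3, 5, 9, 0, 0)    # Field change time, Critical -> Low
    for m in METHODS:
        out["up:" + m] = str(recalculate(rt_medium, up, "Medium", "Critical", m))
        out["down:" + m] = str(recalculate(rt_critical, down, "Critical", "Low", m))
    return out

if __name__ == "__main__":
    print(demo())
```

    The "down:earliest_on_increase" entry shows the edge case worth checking in a real configuration: when risk decreases under that method, the new target is applied without comparison, so a deadline can move later than the date that was already set.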

    About the Evaluate remediation targets scheduled job

    Evaluate remediation targets runs once at 4:00:00 daily.

    It iterates through all active vulnerability rules, starting with those rules with the earliest remediation target date. It looks at all vulnerable items that:
    • Aren’t in a Closed, Deferred, or Resolved state.
    • Have no remediation target date.
    • Have a remediation target date that is later than the date in the remediation target rule.

    Evaluate remediation targets adds a remediation target date, if one doesn’t exist, or if a rule results in an earlier date than the one in the record, it updates the existing target date. Finally, it updates the Remediation target and Remediation status fields in the vulnerable item form.

    Once the Evaluate remediation targets runs, available notifications are sent.

    Evaluate remediation targets clears the remediation fields on the VI and stops sending notifications.

    The sn_sec_cmn.evaluate_targetmissed_records property, when enabled, prevents the Remediation Target Rules scheduled job from evaluating missed VIs. This property is enabled by default.

    Reapplying remediation target rules

    When you change a remediation target rule, use the Apply Changes button on the Remediation Target Rules list page to rerun all the changed rules on all active Open VIs except those in the Closed, Deferred or Resolved state. Depending on how many VIs you have, this may take time.
    Note:

    If the scheduled job Evaluate remediation targets is running, you can’t initiate a reapply process. However, if a reapply process is already running and the scheduled job is then triggered, the two run in parallel.

    The reapply processes in Vulnerability Response and Application Vulnerability Response are independent and can run in parallel.

    Important:
    As a vulnerability admin or analyst, you can obtain the latest remediation target date for selected vulnerable items in the Vulnerability Manager Workspace. This method is more efficient than running the Remediation Target Rules for all vulnerable items in the classic UI, which is a time-consuming process. For more information, see Re-evaluate the remediation properties of the records in the Vulnerability Manager Workspace.