Assign application vulnerable items in Application Vulnerability Response automatically
This feature in Application Vulnerability Response (AVR) enables automatic assignment of application vulnerable items (AVIs) to appropriate groups based on predefined rules. This automation reduces the mean time to assignment, ensuring vulnerabilities are promptly addressed by the correct teams.
Assignment Methods
AVIs can be assigned automatically using three methods:
- User Group: Select from existing ServiceNow AI Platform® user groups.
- User Group Field: Choose from assignment group fields in the cmdb_ci table such as Approval Group, Assignment Group, or Support Group.
- Script: Define custom assignment conditions via scripting, which requires advanced ServiceNow expertise.
Note that the assignment recommendation feature available in Vulnerability Response is not supported in AVR.
Assignment Rule Evaluation Process
When a new AVI is created, imported, or reopened, the system evaluates assignment rules in order of priority:
- High priority rules: For critical or regulatory compliance cases.
- General rules: For standard assignments with known responsible groups.
- Default rule: Assigns AVIs to a fallback group if no other rules match.
The evaluation stops once a matching rule is found and the AVI is assigned. If no match and no default rule exists, the AVI remains unassigned.
Managing Assignments and Rules
- Assignment type (Manual or Rule) and the assignment rule source are tracked on the AVI form, helping identify reassignments and rule effectiveness.
- Manually assigned AVIs are not re-evaluated by assignment rules.
- To update assignments after rule changes, use the Apply Changes button to rerun rules on all open AVIs except those manually assigned.
- A scheduled job named Reapply all assignment rules can be activated and configured to periodically apply all assignment rules to open AVIs, supporting ongoing accuracy without manual intervention.
Practical Considerations
ServiceNow customers should set assignment rules carefully, prioritizing critical vulnerabilities first, followed by general cases, and establishing a default handler group. Regularly applying and reviewing assignment rules ensures AVIs are routed efficiently, improving response times and vulnerability management effectiveness. Customers should also monitor the scheduled job frequency to balance assignment accuracy with system performance.
Automatically assign application vulnerabilities based on application tags, or any of the assignment groups in the Configuration Item [cmdb_ci] or platform assignment groups, to reduce the mean time to assignment.
Assigning application vulnerable items automatically
- User Group: This option allows you to select any of the existing ServiceNow AI Platform® user groups.
- User Group Field: This option allows you to choose any assignment group field available using the cmdb_ci table. By default, you see the following three group fields in the list menu under User group field.
  - None: Indicates no default value for this mandatory field
  - Configuration Item: Approval Group
  - Configuration Item: Assignment Group
  - Configuration Item: Support Group
- Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow expertise.
Run high priority rules first (items that need special handling, where risk is critical, or where an AVI should be handled by regulatory compliance). Next, run your general rules, where no special handling is required and you know who should be responsible for the items. Finally, create a default rule that assigns AVIs to a group that determines which assignment group each AVI should belong to. This group could add another rule to cover their decisions. The default rule runs last.
Assignment rule evaluation process
When a new AVI is created, imported, or reopened after being closed, the assignment rules are evaluated against it. An AVI is only evaluated once, unless it is reopened after being closed. You can manually reapply rules after changes.
- For each vulnerability assignment rule, the AVI is compared to the assignment filter, lowest order rule first.
- Where the condition matches, the AVI is assigned an assignment group. The lookup stops.
- Where the conditions do not find a match among all the other rules, the AVI is assigned to the default assignment group, if a default rule exists.
Note: If there is no default rule, then the AVI remains unassigned.
Reapplying assignment rules
If the Reapply all vulnerability assignment rules scheduled job has not run before the first time you use Apply Changes, then it runs all the assignment rules on all Open AVIs except those AVIs that were manually assigned. After that, all subsequent uses of Apply Changes rerun only the changed rules and any dependent rules. Changes to one rule may result in an AVI matching a different unmodified rule.
The scheduled job [Reapply all assignment rules] is inactive, by default. When activated, it applies all the rules to all open AVIs except those manually assigned. It can run Daily, Weekly, Monthly, Periodically, Once, or On Demand. Depending on how many active AVIs you have in your environment, remember to set the Run field appropriately following the initial run to prevent performance impacts.
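The evaluation order and the effect of a rule change described above, modelled as an added example: this is plain JavaScript, not ServiceNow platform code or a rule script from this page. The rule names, field names, groups and AVIs are all constructed, and how an empty CI group field is handled is outside the model.

```javascript
// Added model of the evaluation order; plain JavaScript, not ServiceNow platform code.
// All field names, rule names, groups and AVIs below are constructed for illustration.
const rules = [
  { name: 'Regulated apps', order: 100, matches: a => a.tags.includes('pci'),
    type: 'group', group: 'Compliance' },
  { name: 'Critical risk', order: 200, matches: a => a.severity === 'critical',
    type: 'ci_field', field: 'support_group' },
  { name: 'Payments apps', order: 300, matches: a => a.app.startsWith('pay-'),
    type: 'script', script: a => 'Payments Dev' },
  { name: 'Default', isDefault: true, type: 'group', group: 'AppSec Triage' },
];

const avis = [
  { id: 'AVI1', app: 'pay-api', tags: ['pci'], severity: 'critical', ci: { support_group: 'Platform Ops' } },
  { id: 'AVI2', app: 'pay-web', tags: [], severity: 'high', ci: { support_group: 'Web Ops' } },
  { id: 'AVI3', app: 'hr-portal', tags: [], severity: 'critical', ci: { support_group: 'HR IT' } },
  { id: 'AVI4', app: 'wiki', tags: [], severity: 'low', ci: { support_group: 'Web Ops' } },
  { id: 'AVI5', app: 'wiki', tags: [], severity: 'low', ci: {}, assignmentType: 'Manual', group: 'Docs' },
];

// The three assignment methods: fixed user group, group field on the CI, or script.
function resolveGroup(rule, avi) {
  if (rule.type === 'group') return rule.group;
  if (rule.type === 'ci_field') return avi.ci[rule.field];
  return rule.script(avi);
}

// Lowest order first, stop at the first match, default rule last, manual items untouched.
function assign(avi, ruleSet) {
  if (avi.assignmentType === 'Manual') return avi;
  const ordered = ruleSet.filter(r => !r.isDefault).sort((x, y) => x.order - y.order);
  const hit = ordered.find(r => r.matches(avi)) || ruleSet.find(r => r.isDefault);
  if (!hit) return { ...avi, group: null, rule: null };
  return { ...avi, group: resolveGroup(hit, avi), assignmentType: 'Rule', rule: hit.name };
}

// Dry run: which rule claimed each AVI, and which AVIs no rule covers.
function audit(items, ruleSet) {
  const report = { byRule: {}, unassigned: [] };
  for (const out of items.map(a => assign(a, ruleSet))) {
    if (out.assignmentType === 'Manual') continue;
    if (!out.rule) report.unassigned.push(out.id);
    else report.byRule[out.rule] = (report.byRule[out.rule] || []).concat(out.id);
  }
  return report;
}

// Narrowing one rule moves AVI1 to a different, unmodified rule.
const narrowed = rules.map(r => r.name === 'Regulated apps'
  ? { ...r, matches: a => a.tags.includes('sox') } : r);
console.log(audit(avis, rules), assign(avis[0], narrowed).rule);
```

Running the same dry run with the default rule removed lists the AVIs that would stay unassigned, which is the gap a default rule is meant to close.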