Grouping multiple findings as remediation tasks for easy processing using remediation task rules

  • Release version: Yokohama
  • Updated March 12, 2026

    Remediation tasks help vulnerability analysts and remediation teams manage findings in bulk. By configuring remediation task rules, you can automatically group findings into remediation tasks, eliminating the need for manual task creation and streamlining remediation efforts.

    Remediation task rules define how findings are grouped into tasks. A default rule based on vulnerability is included in the system, but rules can also use other attributes such as:
    • Vulnerability severity or summary
    • Configuration item (CI) or product model
    • Assignment group
    • Risk score
    • Technology or attack vector
    You can define up to six "Group by" criteria and apply multiple conditions. Once a match is found, the system either adds the finding to an existing Open remediation task or creates a new one. These rules apply to newly created findings or the ones updated with attributes that impact task assignment. Task rules can be reapplied to update groupings as needed. Rules are evaluated after CI matching, risk calculation, and assignment.
    Note:
    Excessive rules may impact performance. Ensure that rules are optimized to avoid duplication and inefficiency.

    Remediation task rule execution mode

    You can configure how remediation task rules are evaluated during finding ingestion by setting the execution mode. Two modes are available:
    • Match All (default): All applicable rules are evaluated and executed for each finding. A finding can be assigned to multiple remediation tasks if it matches more than one rule.
    • Match First: Rules are evaluated sequentially by execution order and only the first matching rule is applied. Each finding is assigned to exactly one remediation task.
    You can change the execution mode using any of the following methods:
    • Switch between modes using the Match All or Match First rule label link on the Remediation task rules page.
    • Navigate to Security Exposure Management > Administration > Advanced Settings and update the Remediation Task Rule Mode setting.
    • Update the sn_sec_rem.remediation_task_rule_mode system property directly under All > System Properties. Valid values are match-all and match-first.

    How remediation task rules work

    When a new finding is created, imported, or reopened, the system evaluates it against the defined remediation task rules. In Match All mode, all rules are evaluated. In Match First mode, evaluation stops at the first matching rule based on execution order. For each rule where the condition matches, the system pulls the relevant data from the "Group by" selections and builds a group name. If a matching open remediation task exists, the finding is added to it. Otherwise, a new task is created. By default, remediation task rules use the assignment group set by the assignment rules on the finding. The assignment of these remediation tasks is controlled by the assignment rules. When a task rule is deleted, you have the option to delete all open tasks created by that rule.
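The evaluation flow described above, modelled as an added example. This is not ServiceNow code: the rule names, finding fields, sample data and the group-name format are assumptions made for illustration.

```javascript
// Simplified model of the rule evaluation described above. Not ServiceNow code:
// field names, rule names and the group-name format are assumptions.

// Constructed sample rules; `order` stands in for the execution order.
const RULES = [
  { name: 'Critical by CI', order: 100,
    condition: (f) => f.severity === 'Critical', groupBy: ['ci'] },
  { name: 'By vulnerability', order: 200,
    condition: () => true, groupBy: ['vulnerability'] },
  { name: 'By group and technology', order: 300,
    condition: (f) => f.assignment_group !== '',
    groupBy: ['assignment_group', 'technology'] },
];

// Constructed sample findings (identifiers are placeholders).
const FINDINGS = [
  { id: 'F1', severity: 'Critical', ci: 'web-01', vulnerability: 'VUL-A',
    assignment_group: 'Linux Ops', technology: 'nginx' },
  { id: 'F2', severity: 'Critical', ci: 'web-01', vulnerability: 'VUL-B',
    assignment_group: 'Linux Ops', technology: 'nginx' },
  { id: 'F3', severity: 'Medium', ci: 'db-01', vulnerability: 'VUL-A',
    assignment_group: '', technology: 'postgres' },
];

// Returns Map(group name -> finding ids), one entry per open remediation task.
function groupFindings(findings, rules, mode) {
  if (mode !== 'match-all' && mode !== 'match-first') {
    throw new Error('mode must be match-all or match-first, got: ' + mode);
  }
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  const tasks = new Map();
  for (const f of findings) {
    for (const rule of ordered) {
      if (!rule.condition(f)) continue;
      // Build the group name from the rule's "Group by" values.
      const key = rule.name + ': ' + rule.groupBy.map((a) => f[a]).join(' / ');
      if (!tasks.has(key)) tasks.set(key, []); // no open task yet: create one
      tasks.get(key).push(f.id);               // add the finding to the task
      if (mode === 'match-first') break;       // stop at the first matching rule
    }
  }
  return tasks;
}

// Number of tasks that contain a given finding.
function taskCount(tasks, id) {
  return [...tasks.values()].filter((ids) => ids.includes(id)).length;
}
console.log(groupFindings(FINDINGS, RULES, 'match-all'), groupFindings(FINDINGS, RULES, 'match-first'));
```

With this sample data, Match All produces four tasks and finding F1 sits in three of them, while Match First produces two tasks with each finding in exactly one. In Match First the outcome depends on execution order: a catch-all rule placed first would capture every finding before the more specific rules are reached.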

    Managing remediation task rules

    Reapplying rules: Use the Reapply button on the rule form to rerun the rule on all open remediation tasks it created. The reapplication process deletes and recreates tasks based on the updated rule. Reapply behavior depends on the execution mode:
    • Match First: All rules are reapplied sequentially by execution order. You cannot selectively reapply individual rules. Use the drag handles on the rules list to reorder rules by priority before reapplying.
    • Match All: You can select specific rules to reapply using the checkboxes on the rules list, or reapply all rules at once.

    Deleting rules: When deleting a rule, you may also delete the open tasks created by it. Tasks not in the Open state remain unaffected.

    Creating and managing remediation tasks

    Remediation tasks can be created in the following ways:

    State synchronization

    • Rolldown: When a remediation task state changes (for example, from Open to Under Investigation), this change is pushed to all associated findings.
    • Rollup: When all associated findings share a common terminal state (for example, Deferred, Closed - Fixed), their state rolls up to the remediation task. Rollup jobs run at scheduled intervals (for example, every 15 minutes).

    Assignment management

    Assignment groups and assignees from remediation tasks are rolled down to associated findings unless those findings already have different assignments. This roll down helps standardize ownership across all related records.