Mitigation controls to vulnerable item mapping

  • Release version: Yokohama
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Mitigation Controls to Vulnerable Item Mapping

    Mitigation controls are linked to vulnerable items, allowing for the identification of controls that address vulnerabilities and associated Common Vulnerabilities and Exposures (CVEs). Security Posture Control automates the recognition of mitigated vulnerable items based on specific controls in place, such as those in Web Application Firewall (WAF) policies. This functionality aids vulnerability management teams in effectively reducing risk scores for mitigated items.

    Show full answer Show less

    Key Features

    • Vulnerable Item Mitigation Controls Table: This table maps mitigation control data to vulnerable items, documenting the controls used to address vulnerabilities and their related CVEs.
    • Mitigation Control Records: Users can access detailed records for detected mitigation controls, including information on how they satisfy vulnerabilities under the Common Weakness Enumeration (CWE).
    • Risk Calculator Integration: Mitigation information can be utilized to create customized risk calculator rules, allowing for the recalculation of risk scores based on specific vulnerabilities and mitigation controls.

    Key Outcomes

    By utilizing the mitigation controls mapping, ServiceNow customers can expect to:

    • Automatically identify and manage mitigated vulnerable items.
    • Enhance the effectiveness of vulnerability management by reducing risk scores for items that are adequately mitigated.
    • Leverage risk calculator rules to tailor risk assessments based on existing mitigation controls, thus improving overall security posture.

    Mitigation controls data is mapped to vulnerable items. You can view a list of mitigation controls that are used to mitigate the vulnerabilities and underlying Common Vulnerabilities and Exposures (CVEs) associated with the vulnerable items.

    After identifying a specific mitigation control on an asset, Security Posture Control automatically identifies any vulnerable items that are mitigated by that control. For example, any vulnerable items with CVEs that are part of signatures in Web Application Firewall (WAF) policies are marked as mitigated vulnerable items. This identification might be useful for vulnerability management teams to help them automatically reduce risk scores for vulnerable items that are mitigated.

    Vulnerable item mitigation controls table

    The Vulnerable item mitigation controls [sn_vul_vulnerable_item_mitigation_control] table has been created to map mitigation control data to mitigated vulnerable items (VITs). This table lists mitigated VITs and the detected mitigation controls that were used to mitigate the vulnerabilities and their underlying CVEs associated with the vulnerable items. The mitigated CVE records contain references to the mitigation control used for the assets, for example, Exploit Protection (EDR).

    Example data is shown in the following table.

    Table 1. Vulnerable item mitigation controls data
    Mitigation control exists Mitigation control effectiveness Detected mitigation control type CVEs mitigated Vulnerable item
    Yes/No Moderate Exploit Protection (EDR) CVE-2009-3373 VIT0018323

    Open a mitigation control record (Detected mitigation control type) on the table to review details about how a CVE and its related Common Weakness Enumeration (CWE) vulnerability is mitigated by the mitigation control associated with an asset. The mitigation control record contains details about the CWEs that have been mitigated, for example, how a mitigation setting satisfies vulnerabilities specified in a CWE.

    Risk calculator and risk calculator rules

    Mitigation information might be used to help you set up customized risk calculator rules to help you recalculate the risk scores on VITs that have specific types of vulnerabilities and mitigation controls associated with them. For this example rule, which is based on the preceding table, the default risk calculator calculates a risk score of 60 for VITs that have the mitigation control type, Exploit Protection (EDR) on detected assets. This calculation score is due to the moderate risk that is associated with the vulnerability with this mitigation in place.

    Example risk calculator rule with the following conditions:

    [Mitigation control details] [is not] [empty] AND [Mitigation control details, Detected mitigation control type] [is] [Exploit Protection (EDR)].

    Values:

    [Risk score][is][60]

    See Define fields and weights for the risk rule for Vulnerability Response Risk Calculators for more information.