Vulnerability Response assignment rules overview

  • Release version: Yokohama
  • Updated April 7, 2026
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Vulnerability Response assignment rules overview

    Vulnerability Response assignment rules in ServiceNow automate the process of assigning Vulnerable Items (VITs) to the appropriate assignment groups for remediation. A default rule, "Assign to CI support group," assigns VITs to the support group linked to the associated Configuration Item (CI). These assignment rules ensure that vulnerabilities are routed correctly to streamline remediation efforts.

    Show full answer Show less

    Assignment rules evaluate VITs when they are created, imported, or reopened. Manually assigned VITs are not automatically reevaluated by these rules unless explicitly reapplied.

    Key Features

    • Assignment Methods: VITs can be assigned using three methods:
      • User group - select from existing ServiceNow AI Platform user groups.
      • User group field - select from assignment group fields related to the CI, such as Support Group or Assignment Group.
      • Script - define complex conditions using scripting, requiring advanced ServiceNow expertise.
    • Rule Execution Order: High priority rules for critical or regulatory cases are run first, followed by general rules, and finally a default catch-all rule runs last to assign remaining VITs.
    • Assignment Rule Evaluation: Rules are evaluated sequentially by order; the first matching rule assigns the VIT. If no match is found, the default rule assigns the VIT or it remains unassigned.
    • Reapplying Rules: Changes to assignment rules can be applied to all active open VITs (except manually assigned) via the "Apply Changes" button or a scheduled job. This helps keep assignments up to date after rule modifications.
    • Integration with Remediation Tasks: Assignment groups determined by these rules are used to assign owners to remediation tasks, ensuring alignment between vulnerability identification and remediation efforts.
    • Advanced Automation: For versions 30.x and above, a system property (snsecrem.reruntaskrules) and a business rule (Link to Remediation Tasks) can be enabled to automatically reevaluate and regroup VITs when assignment groups change, improving efficiency and accuracy.
    • Rapid7 InsightVM Integration: To use Rapid7 asset tags in assignment conditions, the Rapid7 InsightVM Asset List integration must be run before other InsightVM integrations.

    Important Considerations

    • Assignment rules do not apply to VITs in the Deferred state; these require manual assignment if needed.
    • Manually reassigned VITs keep a reference to the original assignment rule, enabling tracking of rule effectiveness and reassignments.
    • Case sensitivity is not supported in condition filters for assignment rules.
    • Reapplying assignment rules does not regroup VITs unless the system property and business rule for automatic regrouping are enabled.
    • Performance impact should be considered when running scheduled jobs to reapply rules on large numbers of VITs.
    • Vulnerability admins and analysts can efficiently update assignments using the Vulnerability Manager Workspace rather than the classic UI.

    Practical Benefits for ServiceNow Customers

    By leveraging assignment rules, customers can automate the routing of vulnerabilities to the right remediation teams, reduce manual workload, and ensure critical vulnerabilities receive priority attention. The ability to script complex conditions and integrate with CI data enables precise targeting of assignments. Automatic reevaluation and regrouping features enhance operational efficiency and maintain alignment between vulnerability data and remediation tasks, helping organizations to manage risk effectively and comply with regulatory requirements.

    Define the criteria by which vulnerable items (VITs) are automatically assigned to an assignment group for remediation.

    A default assignment rule, Assign to CI support group, is included in the base system assigning vulnerable items to the CI Support Group. The Assign to CI support group rule assigns a VIT to whatever support group is set for the configuration item (CI) that is associated with the VIT.
    Note:
    The assignment rules do not reevaluate manually created assignments.

    Assignment type, whether Manual or Rule is available from the VIT form and the list view. Any VIT that was originally assigned by a rule but subsequently manually reassigned contains a reference to the original rule.

    Use Assignment rule and Assignment type information to identify cases where the assignment rules did not find a correct match for the intended recipient. You can also use the information to identify which rules had the most reassignments.

    The Assignment groups set by Assignment Rules are used by Remediation Task Rules to assign owners to remediation tasks (VULs).
    Note:
    To make Rapid7 InsightVM asset tags available for use in the Condition filter for Assignment Rules, you must run the Rapid7 InsightVM Asset List integration before the other Rapid7 InsightVM integrations.

    Case sensitivity for the search text you enter in the condition builder is not supported on this record or form.

    Assigning vulnerable items automatically

    There are three different ways to assign vulnerable items using Assign using:
    • User group: This option allows you to select any of the existing ServiceNow AI Platform® user groups.
    • User group field: This option allows you to choose any assignment group field available using the cmdb_ci table. By default, you see the following three group fields:
      • None: Indicates no default value for this mandatory field
      • Configuration Item: Approval Group
      • Configuration Item: Assignment Group
      • Configuration Item: Support Group
    • Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow expertise. For more information on how to use the script editor to define complex conditions, see the KB0965240 KB article.

    Run high priority rules (items that need special handling, where risk is critical, or a VIT should be handled by regulatory compliance) first. Next, run your general rules, where no special handling is required, and you know who should be responsible for them. Finally, create a default rule to assign VITs to the group that will figure out what assignment group it should belong to. This group could add another rule to cover their decisions. This default rule would run last.

    Assignment rule evaluation process

    Assignment rules are used to evaluate and assign a VIT when a new VIT is opened, that is, imported, created manually, or reopened. Unless you manually reapply assignment rules after the VIT or its state changes, a VI is evaluated once.

    The following process is used for each new, updated or reopened VIT:
    • For each vulnerability assignment rule, the VIT is compared to the assignment filter, lowest order rule first.
    • Where the condition matches, the VIT is assigned an assignment group. The lookup stops.
    • Where the conditions do not find a match among all the other rules, the VIT is assigned to the default assignment group, if a default rule exists.
      Once the vulnerable item has been assigned, the appropriate remediation task rule uses assignment as one of its criteria for placing the vulnerable items into a remediation task. See Vulnerability Response remediation tasks and remediation task rules overview and Filtering within Vulnerability Response for more information.
      Note:
      The default rule is the rule with the highest execution order value. A final rule to use that is a good catch-all is active=true. If there is no default rule, the VIT remains unassigned when the remediation task rule makes the assignment.

    Reapplying assignment rules

    When you change an assignment rule, use the Apply Changes button on the Assignment Rules list page to rerun all the changed rules on all active Open VIs, except those that were manually assigned.
    Note:

    If the Reapply all vulnerability assignment rules scheduled job has not run before the first time you use Apply Changes, then it runs all the assignment rules on all Open VITs except those VIs that were manually assigned. After that, all subsequent uses of Apply Changes rerun only the changed rules and any dependent rules. Changes to one rule may result in a VIT matching a different unmodified rule. Reapplying assignment rules does not regroup the vulnerable items.

    The scheduled job [Reapply all vulnerability assignment rules] is inactive by default. When activated, it applies all the rules to all open VITs except those manually assigned. It can run Daily, Weekly, Monthly, Periodically, Once, or On Demand. Depending on how many active VIs you have in your environment, remember to set the Run field appropriately following the initial run to prevent performance impacts.

    Upgrade customers should refer to the Vulnerability Response Release Notes for information regarding the impact of this feature on existing VITs.

    Important:
    As a vulnerability admin and analyst, you can obtain the latest assignments for selected vulnerable items in the Vulnerability Manager Workspace. This method is more efficient than running the Assignment Rules for all vulnerable items in the classic UI, which is a time-consuming process. For more information, see Re-evaluate the remediation properties of the records in the Vulnerability Manager Workspace.
    For v30.x and above (USEM), when an assignment group on an assignment rule changes, the vulnerable items can be automatically reevaluated and regrouped by activating the system property sn_sec_rem.rerun_task_rules and business rule Link to Remediation Tasks.
    Note:
    By default, the system property sn_sec_rem.rerun_task_rules is set to false.
    To activate the system property:
    1. Navigate to All > System Properties > All Properties.
    2. Open the sn_sec_rem.rerun_task_rules system property.

      For versions earlier than 30.x (Core), this system property is named sn_vul.rerun_task_rules.

    3. In the Value field, set the value to true.
    When the system property is set to true, and the assignment rules are reapplied, the vulnerable items are unlinked from the remediation tasks, where the condition no longer matches.

    To automate the regrouping of vulnerable items, you must activate the business rule Link Remediation Tasks.

    To enable the business rule:
    1. Navigate to All > System Definition > Business Rules.
    2. Open Link to Remediation Tasks business rule.
    3. Select the Active check box to activate the business rule.
    The business rule on being enabled, regroups the vulnerable items by moving them to the relevant group or by creating a group if they can't be grouped under any existing group.
    Note:
    • The vulnerable items are removed from the groups without deleting the groups.
    • Only those items are removed which are created using remediation task rules or remediation effort.
    • Regrouping is done automatically only when the assignment group changes as part of an assignment rule and not when it is manually changed.
    • Assignment rules do not apply to VITs in the Deferred state. If a VIT is deferred, you must manually assign it if needed.
    Regrouping in workspaces is performed for remediation tasks, which are created from a Remediation effort.