Triage vulnerabilities automatically
This process helps ServiceNow customers automatically triage vulnerabilities imported from third-party sources by transforming them into remediation tasks. It ensures efficient assignment, risk calculation, grouping, and tracking of vulnerable items (VIs) to support timely remediation and validation through scans.
Key Features
- Automated Vulnerable Item Assignment: Uses CI Lookup and Assignment rules to assign VIs to appropriate teams based on configuration items and predefined criteria.
- Remediation Task Creation: Vulnerable items are grouped into remediation tasks automatically or manually if grouping rules do not apply.
- Risk Score Management: Risk calculators evaluate and allow revision of vulnerability risk scores for prioritization.
- Remediation Target Rules: Define targets and priorities to determine which vulnerabilities to address immediately or defer, based on risk and system impact.
- Validation and Closing: Older vulnerabilities not detected recently can be automatically closed; validation scans confirm remediation completion.
- Integration with Change and Security Incident Processes: Create Change Requests for remediation tasks or Security Incident Records if the Security Incident Response plugin is enabled.
How to Use
- Log into the Vulnerability Response instance and validate CI Lookup and Assignment rules to ensure accurate mapping and assignment of VIs.
- Validate remediation target rules to confirm proper prioritization and handling of vulnerabilities.
- Review ungrouped vulnerable items; adjust grouping rules or manually group as needed to ensure all vulnerabilities are tracked.
- Reassess and adjust risk scores for vulnerabilities to align remediation priorities with organizational risk tolerance.
- Close outdated vulnerabilities that are no longer detected to maintain focus on current risks.
- Research remediation steps, prioritize based on risk and operational constraints, and create Change Requests or Security Incident Records assigning them to appropriate groups.
- After submitting change requests, update the remediation task status to “Under Investigation” to track progress.
Benefits for ServiceNow Customers
- Streamlines vulnerability triage to reduce manual effort and improve accuracy in assigning remediation work.
- Improves prioritization by incorporating risk scores and remediation targets, ensuring critical vulnerabilities receive prompt attention.
- Enhances visibility and tracking of remediation activities through automated grouping and status updates.
- Supports compliance and security posture by integrating with change management and security incident workflows.
Reviewing and triaging new vulnerabilities is necessary to ensure successful remediation. Transform vulnerability imports into remediation tasks with automated vulnerable item (VI) assignment, risk calculation, remediation targets, and VI grouping.
Starting with imported vulnerabilities, reconcile the assets not found in the CMDB, prioritize the results, translate that to remediation activities that are automatically assigned, orchestrate the remediation process, and confirm completion with a validation scan.
New vulnerable items are usually sorted into remediation tasks upon import, based on remediation task rules. Sometimes, vulnerable items cannot be grouped or do not contain a recognized configuration item.
- Log in to your Vulnerability Response instance.
- Validate that your rules (CI Lookup, Assignment) for vulnerable items are working as expected. For information on revising CI Lookup Rules, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations. For information on Assignment rules, see Vulnerability Response assignment rules overview.
  Note: Due to the large volume of data imports, care should be taken with automated vulnerable item assignment.
- Validate that your remediation targets are correct. See Vulnerability Response remediation target rules for information on how remediation target rules work and how to revise them.
- View ungrouped vulnerable items.
- Looking at the ungrouped vulnerable items, consider revising your group rules and performing a rescan. See Create or edit Vulnerability Response remediation task rules for more information.
- Manually group the vulnerable items. See Manually create a remediation task in Vulnerability Response for more information.
- Revise risk scores for the vulnerable items in your remediation tasks. See Vulnerability Response calculators and vulnerability calculator rules for more information.
- Close older vulnerable items not recently detected by your third-party integrations. See Automatic closing of vulnerable items and detections for more information.
- View and reclassify unmatched configuration items.
- Research what needs to be done for remediation.
This step can include:
- Determine what to deal with now and what you can defer. This determination is often based on risk score, affected systems, and patches with change windows.
  Note: Remediation target rules belong to vulnerable items. These rules are run when the vulnerable item is imported. These rules were created previously in the Setup Assistant.
- Refresh vulnerable items, if necessary, and view the remediation target status of a Vulnerability Response vulnerable item.
- Create a Change Request and assign the remediation task to an assignment group (IT Operations) for remediation.
  Note: If the vulnerability constitutes a security incident and the Security Incident Response plugin (com.snc.security_incident) is activated, you can create security incident records from the remediation tasks instead.
- After submitting one or more change requests, move the group state to Under Investigation.
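The review steps above can be modelled offline against an exported list of vulnerable items. The following is an added example, not ServiceNow code: the field names, the 30-day "not recently detected" window, the risk cut-off of 70 and the sample records are all assumptions constructed for illustration. Each item lands in the first queue that applies, in the order the steps are listed, and the rule gap ratio shows how much of an import the lookup, assignment and grouping rules failed to place.

```python
from datetime import date, timedelta

# Field names, thresholds and records are constructed; not ServiceNow schema.
STALE_AFTER = timedelta(days=30)  # assumed "not recently detected" window
NOW_THRESHOLD = 70                # assumed risk score cut-off for "now"
QUEUES = ("unmatched_ci", "unassigned", "ungrouped", "stale", "now", "defer")
KEYS = ("id", "ci", "group", "task", "risk", "last_found")

def triage(items, today):
    """Place each vulnerable item in the first review queue that applies."""
    queues = {name: [] for name in QUEUES}
    for vi in items:
        if not vi["ci"]:
            name = "unmatched_ci"   # CI lookup found no configuration item
        elif not vi["group"]:
            name = "unassigned"     # no assignment rule matched
        elif not vi["task"]:
            name = "ungrouped"      # no remediation task rule matched
        elif today - vi["last_found"] > STALE_AFTER:
            name = "stale"          # candidate for closing
        elif vi["risk"] >= NOW_THRESHOLD:
            name = "now"
        else:
            name = "defer"
        queues[name].append(vi)
    queues["now"].sort(key=lambda vi: vi["risk"], reverse=True)  # riskiest first
    return {name: [vi["id"] for vi in vis] for name, vis in queues.items()}

def rule_gap_ratio(queues):
    """Share of the import that lookup, assignment or grouping rules missed."""
    missed = sum(len(queues[n]) for n in ("unmatched_ci", "unassigned", "ungrouped"))
    total = sum(len(ids) for ids in queues.values())
    return missed / total if total else 0.0

TODAY = date(2024, 6, 1)  # constructed review date
ROWS = [  # constructed import
    ("VI-1", "web01", "IT Operations", "RT-10", 74, date(2024, 5, 30)),
    ("VI-2", None, None, None, 88, date(2024, 5, 30)),
    ("VI-3", "db02", None, None, 81, date(2024, 5, 29)),
    ("VI-4", "app03", "IT Operations", None, 66, date(2024, 5, 31)),
    ("VI-5", "web04", "IT Operations", "RT-10", 95, date(2024, 3, 1)),
    ("VI-6", "hr05", "IT Operations", "RT-11", 35, date(2024, 5, 28)),
    ("VI-7", "web01", "IT Operations", "RT-10", 92, date(2024, 5, 30)),
]
SAMPLE = [dict(zip(KEYS, row)) for row in ROWS]

if __name__ == "__main__":
    result = triage(SAMPLE, TODAY)
    print(result, f"rule gap: {rule_gap_ratio(result):.0%}")
```

A rule gap that jumps after a rule change or a new integration is the signal to revisit the CI Lookup, Assignment and remediation task rules before relying on automated assignment.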