Vulnerability groups and group rules

Vulnerability groups (VG) drive the remediation process and monitor progress by placing vulnerable items together for remediation. Use a vulnerability group rule (VGR) to automatically create groups. Vulnerability group rules are most effective with third-party integration imports.

Vulnerability Group creation

Grouping vulnerable items has many advantages. You can remediate vulnerable items in bulk by using groups. You can create groups containing specific vulnerabilities (the default rule), organize by department or assignment group, or even create monitoring groups composed of other groups.

Vulnerable items can belong to more than one vulnerability group, giving you the flexibility to actively work one group and monitor another. It all depends on your organizational needs. For example, you could group by department and also create a group containing all currently exploitable vulnerabilities.

Vulnerability groups can also be created manually, for example, for vulnerable items that were created manually. See Ungrouped vulnerable items for more information.

Vulnerability groups are created as follows.
  • Automatically, using vulnerability group rules.
  • Manually, using one of three options, to add vulnerable items to the group.
    • Add vulnerable items to the group by hand.
    • Use a Condition filter that automatically adds vulnerable items to the vulnerability group.
    • Use a Filter group that automatically adds vulnerable items to the vulnerability group.
    Note: Manually added vulnerable items are not automatically removed from vulnerability groups by vulnerability group rules or group conditions.

From a vulnerability group, the group of vulnerable items may be assigned to a user, deferred until later, used to create a Change Request, and so on.

When it is determined that a new vulnerable item can be added to a group, the vulnerable item is included in the Associated Vulnerable Items list of the vulnerability group. Conversely, the vulnerability group appears in the Associated Vulnerability Group list of the vulnerable item.

When updating the state of a vulnerability group, associated vulnerable items can have their state updated to match this vulnerability group. See Vulnerability group and vulnerable items states for more information on state changes.

You can create security incidents and change requests from vulnerability groups, as needed.

Vulnerable item refresh automation

Note: Vulnerable item refresh automation applies only to groups created using the Condition filter, Filter group, or vulnerability group rules. If the VIs are added manually, automation does not apply.

When the Automatically refresh vulnerable items check box is selected and the group is in Open state, new vulnerable items matching the vulnerability group criteria are automatically added to the group. Vulnerable items in the group that no longer match the group criteria are automatically removed from the group.

When a group is created using a group rule, the Automatically refresh vulnerable items check box is selected by default. Once the group state changes from Open to any other state, this check box is cleared automatically and disabled. No new vulnerable items can be added to the existing group, nor can existing vulnerable items be removed from it. From that point, a new group is created for any new VIs that match the group criteria.

When a group is created manually and VIs are added using the Condition filter or Filter group, you can choose whether to select this check box. Once the group state changes from Open to any other state, this check box is cleared automatically and disabled. No new vulnerable items can be added to the existing group, nor can existing vulnerable items be removed from it.

Note: If you want vulnerable items to continue being added to the group, regardless of state, disable the Set auto refresh vulnerable items business rule.

Manual addition of vulnerable items to a group

When the Related Link, Refresh associated vulnerable items, is clicked on the Vulnerability Group page, any vulnerable items that match the group criteria are added, and items that no longer match the criteria are removed. This action gives an immediate update of the list of vulnerable items and can be used whether or not the Automatically refresh vulnerable items check box is selected.

Note: If a group was created by a vulnerability group rule, the Refresh associated vulnerable items related link on the Vulnerability Group page is hidden. If the group filter type is Condition or Filter group, the link appears.

Manually created Vulnerability Groups using Condition or Filter Group filter types are refreshed once an hour.

Vulnerability Group Rules (VGR)

Vulnerability group rules allow you to define the criteria by which groups are automatically created for a set of vulnerable items. A default rule, Vulnerability, is included in the base system; it groups vulnerable items by their vulnerability. However, you can group by up to three basic group keys and/or two advanced keys, and any number of conditions.

Beginning with Kingston patch 6, you can automate group assignment, as well. See Create vulnerability group rules for more information.

For example, you can group your vulnerable items by the cost center of the vulnerable CI, or by the attack vector of the vulnerability. You can have one set of groups for low severity vulnerabilities or a group that contains low risk CIs.

Example of a vulnerability group rule that groups by cost center

A different set of rules can be used for vulnerable items that expose the company to more risk. The VGR name is appended to the vulnerability group key values to make the short description of the new vulnerability group. See Create a Vulnerability Response group for more information on available fields.

When a new vulnerable item is created, imported, or reopened after being closed, the vulnerability group rules are evaluated against it. A VI is evaluated only once, unless it is reopened after being closed.

The following process is used for each new or reopened VI:
  • For each vulnerability group rule, the VI is compared to the VGR filter.
  • For each rule whose VGR condition matches, the rule pulls the data from the group key columns on the VI. It builds a group name and key (in this example, High priority: QID-32342: Accounting: Joan Doe, built from the VGR name, vulnerability name, department, and manager) and checks whether a matching Open vulnerability group exists.

    If the group is found, the VI is added to the existing group in the Open state.

    If no group in the Open state is found, then it creates a High priority: QID-32342: Accounting: Joan Doe group and places the VI in it.

More than one VGR can be defined, to group different kinds of vulnerabilities, but since each vulnerability needs to be compared with the VGR conditions before putting it in a group, too many VGRs may have a performance impact.

Beginning with Kingston patch 6, as part of the vulnerability group rule, you can choose to define the assignment of these vulnerability groups. There are three ways to assign the groups:
  1. Assignment Group – This option allows you to select any of the existing platform user groups. All vulnerability groups created using the Group By keys are assigned to the one assignment group you select.
  2. Assignment Group Field – This option allows you to choose any assignment group field available on the cmdb_ci table. By default, you see the following three group fields:
    1. Configuration Item: Approval Group
    2. Configuration Item: Assignment Group
    3. Configuration Item: Support Group
  3. Assignment Rules – This option allows you to define conditions at the vulnerable item level and assign the group to a platform assignment group. You can define multiple rules and the order in which they are executed.

    For example, you can define:

    Assignment rule 1 as: Vulnerability Summary contains Java, Assignment group: IT Security, Order: 100.

    Assignment rule 2 as: Vulnerability Summary contains Microsoft Service Pack, Assignment group: IT Operations, Order: 200.
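The grouping process described above (VGR filter, group key built from the VGR name and Group By values, reuse of an Open group or creation of a new one) together with ordered assignment rules, as an added illustration in plain JavaScript. This is not ServiceNow code or its GlideRecord API: the VGR, VIs, group keys and assignment groups are constructed sample data, and the rule filters and assignment conditions are modelled as predicate functions.

```javascript
// Constructed sample data, not ServiceNow records or APIs. A VGR: name, VI filter, Group By keys, ordered assignment rules.
const vgrs = [{
  name: 'High priority',
  filter: vi => vi.severity === 'High',
  groupBy: ['vulnerability', 'department', 'manager'],
  assignmentRules: [
    { order: 200, when: vi => vi.summary.includes('Microsoft Service Pack'), group: 'IT Operations' },
    { order: 100, when: vi => vi.summary.includes('Java'), group: 'IT Security' }],
}];

// Group key: VGR name appended to the Group By values, e.g. "High priority: QID-32342: Accounting: Joan Doe".
function buildGroupKey(vgr, vi) {
  return [vgr.name, ...vgr.groupBy.map(k => vi[k])].join(': ');
}
// Assignment rules run in ascending Order; the first rule whose condition matches wins.
function assignGroup(vgr, vi) {
  const hit = [...vgr.assignmentRules].sort((a, b) => a.order - b.order).find(r => r.when(vi));
  return hit ? hit.group : null;
}
// Evaluate a new or reopened VI against every VGR: on a filter match, add the VI to the Open group with that key, or create one.
function evaluateVI(vi, groups) {
  const placedIn = [];
  for (const vgr of vgrs) {
    if (!vgr.filter(vi)) continue;
    const key = buildGroupKey(vgr, vi);
    let group = groups.find(g => g.key === key && g.state === 'Open');
    if (!group) {
      group = { key, state: 'Open', assignmentGroup: assignGroup(vgr, vi), items: [] };
      groups.push(group);
    }
    group.items.push(vi.id);
    placedIn.push(group);
  }
  return placedIn;
}

// Constructed VIs: two High-severity items sharing all keys, one Low-severity item.
const mkVI = (id, severity, summary) => ({ id, severity, summary,
  vulnerability: 'QID-32342', department: 'Accounting', manager: 'Joan Doe' });
const sampleVIs = [mkVI('VIT001', 'High', 'Java Runtime out of date'),
  mkVI('VIT002', 'High', 'Java Runtime out of date'), mkVI('VIT003', 'Low', 'Java Runtime out of date')];

// Run the sample, close the group, then re-evaluate a reopened VI: a closed group is never reused.
function runSample() {
  const groups = [];
  sampleVIs.forEach(v => evaluateVI(v, groups));
  groups[0].state = 'Closed';
  evaluateVI(sampleVIs[0], groups);
  return groups;
}
```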