Vulnerability group and vulnerable items states

Vulnerability Response offers a state model for the status of the vulnerability group at any given time. Complex use cases can sometimes result in vulnerable items being in a different state than their group. Understanding how states work helps to explain this behavior and can assist in creating vulnerability groups and creating or editing vulnerability group rules.

Vulnerability Group States

Vulnerability group states control vulnerable item states based on precedence.

Vulnerability groups have many possible states.
Note: Each group form contains Follow and Update buttons which are standard for ServiceNow tasks.
State: Description

Open: State upon creation.

Under Investigation: Triggered by the Start Investigation button. From this state you can:
  • Create a Security Incident: See Create a security incident for more information.
  • Create a Change Request: See Create a change request in Vulnerability Response for more information.
  • Defer: Provide a reason and select a reopen date. Defers the group until the reopen date.
  • Close: Provide a resolution and notes. Closes the group.
  • Delete: Confirm the deletion. Removes the group.

Deferred: Triggered by the Close/Defer button.
Note: If approvals are in use, deferred vulnerability groups first move into the In Review state until approved or declined.
From this state you can:
  • Create a Security Incident: See Create a security incident for more information.
  • Reopen: Transitions back to an Open state.
  • Close: Set the group to Closed. Provide a resolution and notes. Closes the group.
  • Delete: Confirm the deletion. Removes the group.
Deferment information appears under the Close/Defer related tab. On the defer date, the group reopens for remediation.

Awaiting Implementation: Triggered by the Awaiting Implementation button. From this state you can:
  • Create a Security Incident: See Create a security incident for more information.
  • Create a Change Request: See Create a change request in Vulnerability Response for more information.
  • Resolve: Select a Resolution and add notes. Choices are:
      • Result Invalid
      • Cancelled
      • Fixed
    State becomes Resolved. Notes appear under the Resolution related tab.
  • Close: Select a Resolution and add notes. Choices are:
      • Result Invalid
      • Cancelled
      • Fixed
    State becomes Closed. Notes appear under the Resolution related tab.
  • Delete: Confirm the deletion. Removes the group.

Resolved: Triggered from the Resolve button. From this state you can:
  • Create a Security Incident: See Create a security incident for more information.
  • Reopen: Transitions back to an Open state.
  • Close: Select a Resolution and add notes. Choices are:
      • Result Invalid
      • Cancelled
      • Fixed
    State becomes Closed. Notes appear under the Resolution related tab.
  • Delete: Confirm the deletion. Removes the group.
Notes appear under the Notes related tab. Resolution information appears under the Resolution related tab.

Closed: Triggered from the Close button.
Note: If approvals are in use, closed vulnerability groups first move into the In Review state until approved or declined.
From this state you can:
  • Create a Security Incident: See Create a security incident for more information.
  • Reopen: Transitions back to an Open state.
  • Delete: Confirm the deletion. Removes the group.
Closure information appears under the Close/Defer related tab.

  • If the Vulnerability Group is marked as Closed, with a non-fixed resolution (such as False Positive, Risk Accepted, or Irrelevant), the state of the vulnerable items in the group is updated to match the vulnerability group.
  • If you determine that the items are low risk, or are waiting for a change window or a patch, you can change their group to the Deferred state for a defined amount of time, or immediately close them.
    Note: When vulnerability groups are deferred or closed, you can specify resolutions to further define the reasons for doing so.

Vulnerability Groups and Vulnerable Item States

Vulnerability group and vulnerable item states can affect each other. Most of the time, a vulnerability group state updates the vulnerable item state, with the highest precedence group state used to update the vulnerable items in the group. However, when vulnerable item states are updated individually — as when a vulnerable item is individually deferred — the vulnerability group does not overwrite the deferral of that item with anything but a higher precedence state (Closed).
Vulnerable items updated only by groups
Items match the state of the group (provided they have not been updated individually) with two exceptions:
  • If the group changes its state to be Closed and its resolution to Fixed, the item is not affected and takes on the state of any other group containing it. If it is in no other group, it reverts to Open.
  • If the vulnerable item state is Closed/Fixed (updated by a scan or import), then when the group changes its state, the vulnerable item remains Closed/Fixed. This is true no matter what state the group is in.
Vulnerable items in states set individually
Vulnerable items whose state was updated on the item itself, such as items closed or deferred individually, do not match the state of the group automatically. Instead, each such item compares its state to the states of all associated groups and applies the state with the highest precedence. The state precedence is as follows:
Closed/Result Invalid > Deferred > Resolved > Awaiting Implementation > Under Investigation > Open
Note: Closed/Fixed is a special case.

For items set to Closed/Fixed, if all vulnerable items within a group are set to Closed/Fixed — as when a scanner finds that all the vulnerabilities have been remediated — the vulnerability group is automatically marked Closed/Fixed.

Vulnerability group state examples

When vulnerable items (VIs) are in one vulnerability group (VG) and are not altered at an individual level, they have the same state as their group.

When the VG goes from Open to Awaiting Implementation, all the VIs in the group move to Awaiting Implementation.

When the VG is deferred, the VI is likewise deferred.

When a VI is in multiple groups, and its own state has not been set, the higher precedence group state determines the state of that VI, as the following rows illustrate:

Vulnerability groups state: Group A: Open > Under Investigation; Group B: Open
Vulnerable item state: Under Investigation
When Group A is Under Investigation and Group B is Open, the VI changes to Under Investigation. After the search, between Group A and Group B, Group A has the state with the highest precedence.

Vulnerability groups state: Group A: Under Investigation; Group B: Open > Under Investigation
Vulnerable item state: Under Investigation
When Group B is Under Investigation and Group A is Under Investigation, the VI stays as Under Investigation. After the search, between Group A and Group B, they have the state with the same precedence.

Vulnerability groups state: Group A: Under Investigation; Group B: Under Investigation > Awaiting Implementation
Vulnerable item state: Awaiting Implementation
When Group B is Awaiting Implementation and Group A is Under Investigation, the VI changes to Awaiting Implementation. After the search, between Group A and Group B, Group B has the state with the highest precedence.

Vulnerability groups state: Group A: Under Investigation > Deferred; Group B: Awaiting Implementation
Vulnerable item state: Deferred
When Group A is Deferred and Group B is Awaiting Implementation, the VI changes to Deferred. After the search, between Group A and Group B, Group A has the state with the highest precedence.

Vulnerability groups state: Group A: Deferred; Group B: Awaiting Implementation > Closed (Result Invalid)
Vulnerable item state: Closed/Result Invalid > Deferred
When Group B is Closed and the resolution is Result Invalid, and Group A is Deferred, the VI changes to Closed/Result Invalid. After the search, between Group A and Group B, Group B has the state with the highest precedence.

Vulnerability groups state: Group A: Deferred; Group B: Closed (Result Invalid) > Open (via Reopen)
Vulnerable item state: Deferred
When Group B is reopened and its state changes to Open, and Group A is Deferred, the VI changes to Deferred. After the search, between Group A and Group B, Group A has the state with the highest precedence.

Table 1. Vulnerable item state special cases
Vulnerability group state: Group A: Under Investigation; Group B: Awaiting Implementation > Closed (Fixed or Cancelled)
Vulnerable item state: Under Investigation
When Group B is Closed/Fixed or Closed/Cancelled, and Group A is Under Investigation, the VI changes from Awaiting Implementation (previously the highest precedence) to Under Investigation (currently the highest precedence).

Vulnerability group state: Group A: any state; Group B: any state
Vulnerable item state: If the vulnerable item source status is Fixed (updated by a scan or import), then when the group changes its state, the vulnerable item changes its state to Closed/Fixed. This is true no matter what states the other associated groups are in. The vulnerable item search for group state does not occur.

When a VI state is set individually, its state is considered when evaluating precedence, as with any other group. When a VI belongs to more than one group, the following updates are made.
Table 2. Vulnerable item state special cases
Vulnerability item state within a group: Group A state: Under Investigation; Group B state: Under Investigation > Awaiting Implementation; Original VI state: Under Investigation > (set on the VI)
Vulnerable item final state: Awaiting Implementation
When Group B moved to Awaiting Implementation, and Group A remained Under Investigation, the VI changes to Awaiting Implementation (the highest precedence).

Vulnerability item state within a group: Group A: Under Investigation; Group B: Under Investigation > Awaiting Implementation; Original VI state: Deferred > (set on the VI)
Vulnerable item final state: Deferred
When Group B moved to Awaiting Implementation, and Group A remained Under Investigation, the VI remains in the Deferred state (the highest precedence).
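
The precedence order and the special cases described on this page can be modelled as a small resolver, which helps when predicting why an item's state differs from its group's. This is an added illustration, not ServiceNow code: the function and field names are hypothetical, and treating every Closed resolution other than Fixed or Cancelled as top precedence is an assumption based on the rows above.

```javascript
// Added model of the precedence rules on this page; not ServiceNow code.
// All names (rank, resolveItemState, field names) are hypothetical.
const ORDER = ['Open', 'Under Investigation', 'Awaiting Implementation',
  'Resolved', 'Deferred', 'Closed'];

// Precedence of a state label; "Closed/<resolution>" ranks as Closed.
function rank(label) {
  const idx = ORDER.indexOf(label.split('/')[0]);
  if (idx < 0) throw new Error(`unknown state: ${label}`);
  return idx;
}

// State a group contributes to its items, or null when it contributes none.
function groupContribution(group) {
  if (group.state !== 'Closed') return group.state;
  // Special case: a group closed as Fixed or Cancelled does not drive the item.
  if (group.resolution === 'Fixed' || group.resolution === 'Cancelled') return null;
  return `Closed/${group.resolution}`; // assumption: any other resolution ranks top
}

// item: { sourceFixed: boolean, ownState: string|null }
// groups: [{ state: string, resolution?: string }]
function resolveItemState(item, groups) {
  // Scan or import reported the item fixed: the group search does not occur.
  if (item.sourceFixed) return 'Closed/Fixed';
  const candidates = groups.map(groupContribution).filter((s) => s !== null);
  // A state set directly on the item competes like any group state.
  if (item.ownState) candidates.push(item.ownState);
  // With no contributing group and no own state, the item reverts to Open.
  return candidates.reduce((best, s) => (rank(s) > rank(best) ? s : best), 'Open');
}

// A group is automatically marked Closed/Fixed once all its items are Closed/Fixed.
function groupAutoClosesFixed(itemStates) {
  return itemStates.length > 0 && itemStates.every((s) => s === 'Closed/Fixed');
}
```

Feeding it the rows above reproduces their final states, for example an individually deferred item stays Deferred while its groups sit at Under Investigation and Awaiting Implementation.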