Create a vulnerability group

Create a vulnerability group manually when you want to group vulnerable items by something other than the Vulnerability Group Rules criteria. For example, you can create groups for a particular manager, or for active, new exploits, such as ransomware, that include different vulnerabilities.

Before you begin

Role required: sn_vuln.admin

If the system property (sn_vul.autocreate_vul_centric_group) is set to true, each vulnerability entry with a vulnerable item creates a group associated with it.

If it is set to false, you create groups manually as follows.

Procedure

  1. Navigate to Vulnerability > Vulnerabilities > Vulnerability Groups.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Field: Description

    Number: The automatically generated vulnerable item number for this record.
    Priority: Select the priority for the group. The priority determines the sequence in which the vulnerability is addressed based on its impact and urgency.
    Change approval: Automatically displays the change approval currently used for this vulnerability group.
    State: This field defaults to New, but you can change it to Analysis if the group is ready for immediate remediation.
    Resolution: This field provides additional details when a vulnerability is marked as Closed or Deferred. For example, it shows whether the vulnerability was fixed or whether it is a non-fixed closure such as False Positive, Risk Accepted, or Irrelevant.
    Assignment group: Select the group to work on this vulnerability group.
    Assigned to: Select the individual from the selected assignment group who works on this vulnerability.
    Short description: Brief description of this vulnerability group.
    Description: A description of this vulnerability group.

    Group Configuration (associates filters, CI groups, and vulnerabilities with this group)

    Filter type: Select the type of filtering you want to use to select vulnerabilities for the group:
    • Condition: Define your own criteria for grouping. An example selecting for high priority vulnerabilities is shown in the screenshot. For more information, see Condition Builder and Dot-walking examples.
      Note: Refreshes once an hour.
    • Filter group: Reusable across multiple Security Operations features. Enter a filter group. For more information, see Create and define filter groups in Security Operations.
      Note: Refreshes once an hour.
    • Manual: Once you save the record, add new or existing vulnerable items using the Associated Vulnerable Items related list. All updates to the vulnerable items must also be made manually.
    Vulnerable item condition: Define conditions that must be true for a vulnerable item to be included in this group. This field displays only if you selected Condition from the Filter type choice list.
    Automatically refresh vulnerable items: When checked, vulnerable items are automatically evaluated against this vulnerability group when vulnerable items are added or updated. This box is automatically unchecked when the group leaves the Open state.

    Notes

    Additional comments (Customer visible): Customer visible comments about the group.
    Work notes: Work notes for this group. Updates are recorded here.
    • If a work note is added to a vulnerability group, a work note is added to the associated vulnerable items of that group.
    • If a work note is added to a vulnerable item, a work note is added to the associated vulnerability groups of that item.

    [Figure: Vulnerability Group form]
  4. Click Submit.
    When the group is created using the Condition or Filter Group filter type, the Associated Vulnerable Item related list searches for and displays all matching vulnerable items.

    [Figure: Associated vulnerable items]

    You can use the Scan for Vulnerabilities related link to manually trigger a ServiceNow®-initiated scan. For information on how to configure a vulnerability scanner, see Manage Vulnerability scanners and scans.

    A default scanner is pre-installed in the Vulnerability > Vulnerability Scanning > Scanners module when the Qualys Vulnerability Integration is installed and activated. This scanner is disabled by default. Select the Active and Default check boxes to enable the Qualys Cloud Platform scanner to work using the Scan for Vulnerabilities related link on the vulnerability group and vulnerable item forms.

    If you open an associated vulnerable item, any associated vulnerability group entries appear under the Associated Vulnerable Group related list tab.

    [Figure: Associated Vulnerable Group related list on a vulnerable item]