Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Remediation target rules

Log in to subscribe to topics and get notified when content changes.

Remediation target rules

Remediation target rules define the expected timeframe for remediating a vulnerable item, much like SLAs provide a timeframe for remediating the vulnerability itself. For example, if an asset contains PCI data (credit card data) then the vulnerability on that item needs to be fixed within 30 days according to PCI DSS.

Vulnerability managers can create remediation target rules by defining:
  • The remediation target
  • The reminder target
  • The reminder and notification recipients — Who should be notified when the vulnerable items (VI) are past the reminder or remediation target date and have not been remediated.
A summary email, per remediation target rule, is sent when one or more vulnerable items are either approaching its remediation target date or the remediation target date has passed.
  • Remediation target rules can be deactivated but not deleted.
    Note: When a rule is deactivated, it is no longer applied to new vulnerable items. It does continue tracking existing vulnerable items, to which the rule was applied.
  • When multiple remediation target rules are applied to the same vulnerable item, the most restrictive rule is applied.

    For example, if a vulnerable item meets the condition for two remediation target rules:

    Scenario 1: Vulnerability first identified on 03/01/2018 at 10:00:00.
    • Remediation target rule 1: Defined on 03/07/2018; remediation target is 15 days since first identified; calculated remediation target date is 03/16/2018 10:00:00.
    • Remediation target rule 2: Defined on 03/10/2018; remediation target is 10 days since first identified; calculated remediation target date is 03/11/2018 10:00:00.
    Note: Remediation targets are calculated from the Last Opened date plus the number of days (measured as 24-hour increments).

    In this scenario, the Remediation target rule 2 applies to the vulnerable item since it has the more restrictive date. 10 days since the vulnerable item was first identified versus 15 days.

  • Vulnerability analysts and managers can see the remediation target date in the vulnerability item form and list views, as long as the vulnerable items are not in Deferred, Resolved, or Closed state.
    The Remediation target date is color coded as follows:
    • Vulnerable items that have not reached their notification date are shown in green.
    • Vulnerable items approaching the remediation target date are shown in orange.
    • Vulnerable items past the remediation target date are shown in red.
Note: Once the Remediation target rule is defined, remediation target dates are calculated by the Evaluate remediation targets scheduled job.

Evaluate remediation targets runs once at 4:00:00 daily.

It iterates through all active vulnerability rules, starting with those rules with the earliest remediation target date. It looks at all vulnerable items that:
  • Are not in a Closed state
  • Have no remediation target date
  • Have a remediation target date that is later than the date in the remediation target rule

Evaluate remediation targets adds a remediation target date, if one does not exist, or if this rule contains an earlier date than the one in the record, it updates the existing target date. Finally, it updates the Remediation target date and Remediation status fields in the vulnerable item form.

Once the Evaluate remediation targets runs, available notifications are sent.

Feedback