
Vulnerability Response assignment rules overview


Define the criteria by which vulnerable items are automatically assigned to an assignment group for remediation.

A default assignment rule, Assign to CI support group, is included in the base system; it assigns vulnerable items to the CI Support Group.

The Assignment groups set by Assignment Rules are used by Vulnerability Group Rules (VGR) to assign owners to vulnerability groups (VG).
Note: Version 9.0: To make Rapid7 InsightVM asset tags available for use in the Condition filter for Assignment Rules, you must run the Rapid7 InsightVM Asset List integration before the other Rapid7 InsightVM integrations.

Assigning vulnerable items automatically

There are three different ways to assign vulnerable items, selected in the Assign using field:
  • Assignment Group: This option allows you to select any of the existing Now Platform® user groups.
  • Assignment Group Field: This option allows you to choose any assignment group field available on the cmdb_ci table. By default, you see the following three group fields:
    • None: Indicates no default value for this mandatory field
    • Configuration Item: Approval Group
    • Configuration Item: Assignment Group
    • Configuration Item: Support Group
  • Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow expertise.

Order your rules so that high priority rules run first: rules for items that need special handling, where risk is critical, or where a VI must be handled by regulatory compliance. Next, run your general rules, where no special handling is required and you know who should be responsible for the items. Finally, create a default rule that assigns the remaining VIs to a group that will determine which assignment group they belong to. That group can then add another rule to capture its decisions. This default rule runs last.

Assignment rule evaluation process

An assignment rule is evaluated on initial VI creation (if Assignment group is empty), or when an associated CI or vulnerability changes.

The following process is used for each new or updated VI:
  • For each vulnerability assignment rule, the VI is compared to the assignment filter, lowest order rule first.
  • Where the condition matches, the VI is assigned an assignment group. The lookup stops.
  • Where the conditions do not find a match among all the other rules, the VI is assigned to the default assignment group, if a default rule exists.
    Once the vulnerable item has been assigned, the appropriate vulnerability group rule uses assignment as one of its criteria for placing the vulnerable items into a vulnerability group. See Vulnerability groups and group rules overview and Filtering within Vulnerability Response for more information.
    Note: If there is no default rule then the VI remains unassigned when the vulnerability group rule makes the group assignment.
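The evaluation order above, together with the three Assign using options, modelled in plain JavaScript as an added illustration (this is not ServiceNow's own code); the rule names, CI field names and sample vulnerable items are constructed for this example.

```javascript
// Constructed model of vulnerability assignment rule evaluation.
// A rule maps to one of the three "Assign using" options: a fixed group,
// a group field read from the VI's CI record, or a script that computes
// the group. A default rule has no condition and is applied only when no
// other rule matches. All names and field values here are hypothetical.
const RULES = [
  { order: 300, name: "Default: triage queue", isDefault: true,
    assignUsing: "group", value: "Vulnerability Triage" },
  { order: 100, name: "Critical risk on regulated CIs",
    condition: vi => vi.riskRating === "Critical" && vi.ci.regulated === true,
    assignUsing: "group", value: "Regulatory Compliance" },
  { order: 200, name: "Assign to CI support group",
    // Guard the field so an empty support group does not match and stop the lookup.
    condition: vi => Boolean(vi.ci.supportGroup),
    assignUsing: "groupField", value: "supportGroup" },
  { order: 250, name: "Script: route Oracle databases by location",
    condition: vi => vi.ci.class === "Oracle Database",
    assignUsing: "script", value: vi => "DBA-" + vi.ci.location },
];

function resolveGroup(rule, vi) {
  switch (rule.assignUsing) {
    case "group":      return rule.value;
    case "groupField": return vi.ci[rule.value] || null;
    case "script":     return rule.value(vi);
    default:           throw new Error("unknown assignUsing: " + rule.assignUsing);
  }
}

// Evaluate rules lowest order first; the first matching condition wins and
// the lookup stops. With no match, fall back to the default rule if one
// exists; otherwise the VI remains unassigned (group: null).
function evaluateAssignment(vi, rules = RULES) {
  const ordered = rules.filter(r => !r.isDefault).sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (rule.condition(vi)) {
      return { rule: rule.name, group: resolveGroup(rule, vi) };
    }
  }
  const def = rules.find(r => r.isDefault);
  return def ? { rule: def.name, group: resolveGroup(def, vi) }
             : { rule: null, group: null };
}
```

Passing a rule set without a default rule to evaluateAssignment shows the unassigned case the note above describes.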

Assignment rules and vulnerability group assignment

In most cases, you would assign your vulnerability group to the same assignment group as the vulnerable items in it. That is what vulnerability group rules do, by default. When you create a VGR, it groups the vulnerable items by the assignment group in addition to whatever other key columns you have selected. For example, if your VGR groups by configuration item class (laptop, Oracle Database, Linux Server and so on), the vulnerability group created is broken apart by the different assignment groups — an Oracle Database VG assigned to Group 1, and an Oracle Database VG assigned to Group 2.

If you want the VGR to create groups and assign them differently, you can. The Advanced Assignment view in VGRs displays your assignment options. See Create or edit vulnerability group rules for more information about vulnerability group rule options.
