    Vulnerability Response groups and group rules overview

    Starting with Vulnerability Response v10.0, configure vulnerability groups (VG) to help analysts and remediation specialists organize vulnerable items (VI) and analyze them in bulk. The criteria by which groups are formed are configured so that you do not have to manually assign vulnerable items to groups. Using vulnerability groups, you can monitor progress and drive the remediation process more efficiently.

    Understanding vulnerability groups

    Note: For information on vulnerability groups and group rules prior to v10.0, see Vulnerability groups and group rules overview (Prior to v10.0).

    Vulnerability groups represent a set of vulnerable items to remediate. Grouping vulnerable items has many advantages. By using groups, you can move vulnerable items through the remediation states, mark them under investigation, defer them, and mark them resolved in bulk. You can create conditions to automatically group all items with specified vulnerabilities, departments, locations, and any other data related to the vulnerable item. Vulnerable items can belong to more than one vulnerability group, giving you the flexibility to actively work with one group and monitor another. It all depends on your organizational needs. For example, you could group by department, and also create a group containing all currently exploitable vulnerabilities.

    Vulnerability groups are created as follows.
    • Manually, using one of three options, to add vulnerable items to the group.
      • Add vulnerable items to the group by hand.
      • Use a Condition filter that automatically adds vulnerable items to the vulnerability group.
      • Use a Filter group that automatically adds vulnerable items to the vulnerability group.
      Note: Manually added vulnerable items are not automatically removed from vulnerability groups by vulnerability group rules or group conditions.
    • Automatically, using vulnerability group rules (VGR). This option is the easiest: once configured, vulnerability group rules create all desired vulnerability groups.

    From a vulnerability group, the group of vulnerable items may be assigned to a user, deferred until later, used to create a Change Request, and so on.

    Starting with version 10.0, when a group is formed based on a specific vulnerability, that vulnerability is listed on the VG form.

    When it is determined that a new vulnerable item can be added to a group, the vulnerable item is included in the Vulnerable Items list of the vulnerability group. Conversely, the vulnerability group appears in the Vulnerability Group list of Vulnerable Items.

    When updating the state of a vulnerability group, associated vulnerable items can have their state updated to match this vulnerability group. See Vulnerability Response group and vulnerable item states for more information on state changes.

    You can create security incidents and change requests from vulnerability groups, as needed.

    Refreshing vulnerable items automatically

    Note: Vulnerable item refresh automation applies only to groups created using the condition filter or filter group. Automation does not apply to VIs that were added manually or grouped using vulnerability group rules (VGRs).

    When the Automatically refresh vulnerable items check box is selected, new VIs matching the vulnerability group filter criteria are automatically added to the group. Vulnerable items in the group that no longer match the filter criteria are automatically removed from the group.

    By default, when the group leaves the Open state, the check box is cleared. If you want vulnerable items to continue being added to the group, regardless of state, disable the Set auto refresh vulnerable items business rule.

    You can select the check box again manually from the Under Investigation state. Automatically refresh vulnerable items is not disabled when the group moves into the Awaiting Implementation state. Once in the Awaiting Implementation state, no new vulnerable items can be added to the existing group, nor can existing vulnerable items be removed from the group.
    Note: When a group is created manually, and VIs are added using the Condition filter or Filter Group, the check box is unchecked. You have the choice to select the box or not.

    Refreshing vulnerable items manually

    For manually created vulnerability groups with a Filter Group or Condition filter, when you click the Re-scan vulnerable items related link on the Vulnerability Group page, any vulnerable items that match the filter criteria are added. Items no longer matching the criteria are removed. This action allows an immediate update of the list of vulnerable items and is used whether the Automatically refresh vulnerable items check box is selected or not.

    Manually created vulnerability groups using Condition or Filter Group filter types are refreshed once an hour.

    Understanding vulnerability group rules

    Vulnerability group rules allow you to define how vulnerable items are automatically grouped and assigned. A default rule, Vulnerability, is included in the base system; it groups vulnerable items based on their vulnerability. However, you can group by any other set of values in columns accessible from the VI. These values could include configuration item (CI) support group, vulnerability severity, and so on. You can use up to six Group by selections and any number of conditions. You can automate group assignment as well. See Create or edit Vulnerability Response group rules and Filtering within Vulnerability Response for more information.
    Note: To make Rapid7 InsightVM asset tags available for use in the Condition filter for Vulnerability Group Rules, you must run the Rapid7 InsightVM Asset List integration before the other Rapid7 InsightVM integrations.

    For example, you can group your vulnerable items by the cost center of the vulnerable CI, or by the attack vector of the vulnerability. You can have one group rule for low severity vulnerabilities or low risk CIs. You can have another group rule for critical servers, and vulnerabilities with exploits — vulnerable items that expose the company to more risk.

    A different set of rules can be used for vulnerable items that expose the company to more risk. The VGR name is appended to the VGR Group by values to make the short description of the new vulnerability group. See Create a Vulnerability Response group for more information on available fields.

    Example of a vulnerability group rule showing the Group By entries

    When a new vulnerable item is created, imported, or reopened after being closed, the vulnerability rules are evaluated against it. A VI is only evaluated once, automatically, unless it is reopened after being closed or the rules are reapplied manually.

    The following process is used for each new or reopened VI:

    • For each vulnerability group rule, the VI is compared to the VGR filter.
    • For each rule where the VGR condition matches, the rule pulls the data from the Group by selections on the VI. It builds a group name and field. In this case, High Risk: QID-32342:Summary of QID-3242 (Name:vulnerability ID:vulnerability summary).
      Note: The short description field is limited to 160 characters. Longer vulnerability summaries are truncated.
      The rule checks to see if there is a matching Open vulnerability group that is assigned to the same assignment group as the VI.
      • If the group is found, the VI is added to the existing group in the Open state.
      • If no group in the Open state is found, the rule creates a High Risk: QID-32342 group, assigns it to the same assignment group as the VI, and places the VI in the vulnerability group.
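
    The evaluation steps above, modeled in plain JavaScript as an added example (not ServiceNow's code or API). Field names such as riskScore and costCenter, the rule conditions, and the sample records are constructed, and matching on the full Group by values rather than the truncated short description is an assumption.

```javascript
// Added example: a simplified model of the documented process, not ServiceNow code.
// Field names (riskScore, costCenter, ...) and all sample records are constructed.
const MAX_SHORT_DESCRIPTION = 160; // short description limit stated on this page
const MAX_GROUP_BY = 6;            // "up to six Group by selections"

// "<rule name>: <group-by value>:<group-by value>", truncated to the field limit.
function buildShortDescription(rule, vi) {
  const values = rule.groupBy.map((field) => String(vi[field]));
  return `${rule.name}: ${values.join(":")}`.slice(0, MAX_SHORT_DESCRIPTION);
}

// Evaluate every rule against one new or reopened VI; returns the groups it joined.
function applyGroupRules(vi, rules, groups) {
  const joined = [];
  for (const rule of rules) {
    if (rule.groupBy.length > MAX_GROUP_BY) {
      throw new RangeError(`${rule.name}: more than ${MAX_GROUP_BY} Group by fields`);
    }
    if (!rule.condition(vi)) continue; // VGR filter does not match this VI

    // Assumption: groups are matched on the full Group by values, not on the
    // truncated short description, so two long summaries cannot collide.
    const key = JSON.stringify([rule.name, ...rule.groupBy.map((f) => vi[f])]);
    let group = groups.find((g) =>
      g.state === "Open" && g.key === key &&
      g.assignmentGroup === vi.assignmentGroup);

    if (!group) { // no matching Open group: create one with the VI's assignment group
      group = {
        key,
        shortDescription: buildShortDescription(rule, vi),
        assignmentGroup: vi.assignmentGroup,
        state: "Open",
        items: [],
      };
      groups.push(group);
    }
    if (!group.items.includes(vi.id)) group.items.push(vi.id);
    joined.push(group);
  }
  return joined;
}

// Constructed rules and vulnerable items for the walk-through.
const rules = [
  { name: "High Risk", groupBy: ["vulnerability", "summary"],
    condition: (vi) => vi.riskScore >= 70 },
  { name: "Cost Center", groupBy: ["costCenter"], condition: () => true },
];
const makeVi = (id, assignmentGroup, costCenter, riskScore) => ({
  id, assignmentGroup, costCenter, riskScore,
  vulnerability: "QID-32342", summary: "Summary of QID-32342",
});

function runDemo() {
  const groups = [];
  applyGroupRules(makeVi("VI-1", "Linux Ops", "CC-100", 90), rules, groups);
  applyGroupRules(makeVi("VI-2", "Linux Ops", "CC-200", 90), rules, groups);
  applyGroupRules(makeVi("VI-3", "Windows Ops", "CC-100", 90), rules, groups);
  groups[0].state = "Under Investigation"; // first High Risk group leaves Open
  applyGroupRules(makeVi("VI-4", "Linux Ops", "CC-100", 90), rules, groups);
  applyGroupRules(makeVi("VI-5", "Linux Ops", "CC-100", 20), rules, groups);
  return groups;
}

for (const g of runDemo()) {
  console.log(`${g.state} | ${g.assignmentGroup} | ${g.shortDescription} | ${g.items}`);
}
```

    In the walk-through, VI-4 lands in a second High Risk group because the first has left the Open state, and VI-3 gets its own groups because its assignment group differs.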

    More than one VGR can be defined, to group different kinds of vulnerabilities. Since each vulnerability is compared with the VGR conditions before putting it in a group, too many rules may have a performance impact.

    By default, VGRs use the assignment group set by the Assignment Rules on the vulnerable item when grouping the items, and assign the vulnerability group to match the vulnerable items.

    As part of the default group rule, the assignment of these vulnerability groups is controlled by the rules in the Assignment Rules module. For more information on assignment rules, see Vulnerability Response assignment rules overview.

    When a group rule is deleted, from the form or list view, you have the option to delete all Open groups created by that rule. Groups not in the Open state are excluded.

    Reapplying vulnerability group rules

    When you want to change a vulnerability group rule, use the Reapply button on the vulnerability group rule page to rerun the changed rule on all active Open vulnerability groups created by that rule. It deletes and recreates vulnerability groups based on the changed rule automatically.

    Related concepts
    • Vulnerability Response personas and granular roles
    • Vulnerability Response assignment rules overview
    • Vulnerability groups and group rules overview (Prior to v10.0)
    • CI Lookup Rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations
    • Discovered Items
    • Vulnerability Response group and vulnerable item states
    • Vulnerability Response calculators and vulnerability calculator rules
    • Vulnerability Response vulnerable item detections from third-party integrations
    • Vulnerability Response remediation target rules
    • Vulnerability Solution Management
    • Introduction to Exception Management
    • Introduction to False Positive
    • Change management for Vulnerability Response
    • Software exposure assessment using Software Asset Management (SAM)
    • Domain separation and Vulnerability Response
