Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Vulnerability group and vulnerable item states

Log in to subscribe to topics and get notified when content changes.

Vulnerability group and vulnerable item states

Vulnerability Response offers a state model for the status of the vulnerability group, at any given time. Knowing how each state relates to and affects each other helps you to determine when and how to remediate your vulnerable items (VI).

Vulnerability group states

Complex use cases can sometimes result in a vulnerable item being in a different state than its group. Understanding how states work helps to explain this behavior and can help with creating vulnerability groups and, creating or editing vulnerability group rules.

Vulnerability groups have many possible states.
Vulnerability Response state flow diagram
Note: Each group form contains Follow and Update buttons which are standard for ServiceNow tasks.

Starting with Vulnerability Response v9.0, there is a synchronized relationship between the State fields of vulnerability groups (VG) and the State fields of change requests (CHG) in the Vulnerability Response product. As a change request moves through its life cycle, it also moves the state of any related vulnerability groups automatically. After a change request is implemented, the vulnerability group is automatically resolved. See State synchronization between change requests and vulnerability groups for more information.

State Description
Open State upon creation. From this state you can:
Start Investigation
Assign this vulnerability group to a person or group to start investigating.
Create Change
Starting with Vulnerability Response v9.0, create a change request or associate a vulnerability group to an existing change request. See Create a change request from a vulnerability group and Associate a vulnerability group to an existing change request.
Split Group
Starting with Vulnerability Response v9.0, for a group with more than one vulnerable item, use a set of conditions to filter out a subset of vulnerable items and split a vulnerability group. The items that you select are automatically moved to a new VG. See Split a vulnerability group.
Defer
Select the Deferred state, a reopen date, a reason and, optionally, provide addition information. Defers the group state until the reopen date.
Close
Select the Closed state, a reason and provide addition information. Closes the group.
Delete
Confirm the deletion. Removes the group.
Under Investigation Triggered by the Start Investigation button. From this state you can:
Create a Security Incident
See Create a security incident for more information.
Create Change
Starting with Vulnerability Response v9.0, create a change request or associate a vulnerability group to an existing change request. See Create a change request from a vulnerability group and Associate a vulnerability group to an existing change request.
Split Group
Starting with Vulnerability Response v9.0, for a group with more than one vulnerable item, use a set of conditions to filter out a subset of vulnerable items and split a vulnerability group. The items that you select are automatically moved to a new VG. See Split a vulnerability group.
Awaiting Implementation
Changes state to Awaiting Implementation. This state indicates that the group remediation has been referred outside Vulnerability Response.
Defer
Select the Deferred state, a reopen date, a reason and, optionally, provide addition information. Defers the group state until the reopen date.
Close
Select the Closed state, a reason and provide addition information. Closes the group.
Delete
Confirm the deletion. Removes the group.
Deferred Triggered by the Close/Defer button. As part of the approval workflow, the Deferred state is In Review and cannot be closed until approved.

From this state you can:

Create a Security Incident
See Create a security incident for more information.
Create Change
Starting with Vulnerability Response v9.0, create a change request or associate a vulnerability group to an existing change request. See Create a change request from a vulnerability group and Associate a vulnerability group to an existing change request.
Split Group
Starting with Vulnerability Response v9.0, for a group with more than one vulnerable item, use a set of conditions to filter out a subset of vulnerable items and split a vulnerability group. The items that you select are automatically moved to a new VG. See Split a vulnerability group.
Reopen
Transitions back to an Open state.
Delete
Confirm the deletion. Removes the group.
Close
Select the Closed state, a reason and provide addition information. Closes the group.

Deferment information appears under the Close/Defer tab. On the defer date, the group reopens for remediation.

Awaiting Implementation Triggered by the Awaiting Implementation button. From this state you can:
Create a Security Incident
See Create a security incident for more information.
Create a Change Request
See Create a change request in Vulnerability Response (Prior to v9.0) for more information.
Create Change
Starting with Vulnerability Response v9.0, create a change request or associate a vulnerability group to an existing change request. See Create a change request from a vulnerability group and Associate a vulnerability group to an existing change request.
Split Group
Starting with Vulnerability Response v9.0, for a group with more than one vulnerable item, use a set of conditions to filter out a subset of vulnerable items and split a vulnerability group. The items that you select are automatically moved to a new VG. See Split a vulnerability group.
Defer
Select the Deferred state, a reopen date, a reason and, optionally, provide addition information. Defers the group state until the reopen date.
Close
Select the Closed state, a reason and provide addition information. Closes the group.
Resolve
Add notes. The state becomes Resolved. Notes appear under the Resolution tab.
Delete
Confirm the deletion. Removes the group.
Resolved Triggered from the Resolve button. From this state you can:
Create a Security Incident
See Create a security incident for more information.
Create Change
Starting with Vulnerability Response v9.0, create a change request or associate a vulnerability group to an existing change request. See Create a change request from a vulnerability group and Associate a vulnerability group to an existing change request.
Reopen
Transitions back to an Open state.
Close

The state becomes Closed. Closes the group.

Delete
Confirm the deletion. Removes the group.

Notes appear under the Notes tab. Resolution information appears under the Resolution tab.

Closed Triggered from the Close button. From this state you can:
Create a Security Incident
See Create a security incident for more information.
Reopen
Transitions back to an Open state.
Delete
Confirm the deletion. Removes the group.

Closure information appears under the Close/Defer tab.

  • If the vulnerability group is marked Closed, with the reasons Result Invalid or Canceled, the state of the vulnerable items in the group is updated to match the vulnerability group. The reason Fixed with Exceptions does not update the vulnerable items to match the vulnerability group state.
  • If you determine that the items are a low risk, waiting for a change window, or a patch, you can change their group to the Defer state for a defined amount of time, or immediately close the group.
    Note: When vulnerability groups are deferred or closed, you can specify resolutions to further define the reasons for doing so.
  • When a VI that is reopened, either manually or automatically, the following happens:
    • The VI state changed to Open. (The original VG state does not update.)
    • The VI is reevaluated and put into a new or existing group based on the active Vulnerability Group Rules.

    This preserves its history while allowing for further remediation.

Vulnerability groups and vulnerable item states

Vulnerability groups and vulnerable items states can affect each other. Most of the time, a vulnerability group state updates the vulnerable item state, with the highest precedence group state used to update the vulnerable items in the group.

The state precedence is as follows.

Closed/Result Invalid > Deferred > Resolved > Awaiting Implementation > Under Investigation > Open

  • When a group of vulnerable items are in one vulnerability group and are not altered at an individual level, they have the same state as their group.
  • When the vulnerability group goes from the Open state to Awaiting Implementation, all the VIs in the group move to the Awaiting Implementation state.
  • When the vulnerability group is deferred, the VI is likewise deferred.
Vulnerable items updated only by groups
Items match the state of the group (provided they have not been updated individually) with these exceptions:
  • If the group changes its state to be Closed and its resolution to Canceled or Fixed with Exceptions, the item is not affected and takes on the state of any other group containing it. If the vulnerable item is in no other group, it reverts to the Open state.
  • If the vulnerable item state is Closed/Fixed (updated by a scan or import), then when the group changes its state, the vulnerable item remains in the Closed/Fixed state. This condition is true no matter what state the group is in.
Vulnerable items in states set individually
Vulnerable items, in a state updated on the item, such as those items closed or deferred individually, do not match the state of the group automatically. Instead it compares its state to all associated groups to find the state with the highest precedence to apply.
Note: The Closed/Fixed state is a special case. For vulnerable items set to the Closed/Fixed state, if all vulnerable items within a group are set to Closed/Fixed — such as when a scanner finds that all the vulnerabilities have been remediated — the vulnerability group is automatically marked Closed/Fixed.

Vulnerability group state for VIs in multiple groups

When a VI is in multiple groups, and its own state has not been set, the higher precedence group state determines the state of that VI, as illustrated in the following table.
Table 1. Vulnerable item states examples
Vulnerability groups state Vulnerable item state
Group A: Open > Under Investigation

Group B: Open

Under Investigation

When Group A is Under Investigation and Group B is Open, the VI changes to Under Investigation. After the search, between Group A and Group B, Group A has the state with the highest precedence.

Group A: Under Investigation

Group B: Open > Under Investigation

Under Investigation

When Group B is Under Investigation and Group A is Under Investigation, the VI stays as Under Investigation. After the search, between Group A and Group B, they have the state with the same precedence.

Group A: Under Investigation

Group B: Under Investigation > Awaiting Implementation

Awaiting Implementation

When Group B is Awaiting Implementation and Group A is Under Investigation, the VI changes to Awaiting Implementation. After the search, between Group A and Group B, Group B has the state with the highest precedence.

Group A: Under Investigation > Deferred

Group B: Awaiting Implementation

Deferred

When Group A is Deferred and Group B is Awaiting Implementation, the VI changes to Deferred. After the search, between Group A and Group B, Group A has the state with the highest precedence.

Group A: Deferred

Group B: Awaiting Implementation > Closed (Result Invalid)

Closed/Result Invalid

When Group B is Closed and the reason is Result Invalid, and Group A is Deferred, the VI changes to Closed/Result Invalid. After the search, between Group A and Group B, Group B has the state with the highest precedence.

Group A: Deferred

Group B: Closed (Result Invalid) > Open (via Reopen)

Deferred

When Group B is reopened and its state changes to Open, and Group A is Deferred, the VI changes to Deferred. After the search, between Group A and Group B, Group A has the state with the highest precedence.

Table 2. Vulnerable item in multiple groups special cases
Vulnerability Group State Vulnerable Item State
Group A: Under Investigation

Group B: Awaiting Implementation > Closed (Fixed or Cancelled)

Under Investigation

When Group B is Closed/Fixed or Closed/Cancelled, and Group A is Under Investigation, the VI changes from Awaiting Implementation (previously the highest precedence) to Under Investigation (currently the highest precedence).

Group A: any state

Group B: any state

If the vulnerable item source status is Fixed (updated by a scan or import), then when the group changes its state, the vulnerable item changes its state to Closed/Fixed. This condition is true no matter what states the other associated groups are in. The vulnerable item search for group state does not occur.
When a VI state is set individually, its state is considered when evaluating precedence, as with any other group. When a VI belongs to more than one group, the following updates are made.
Table 3. Vulnerable item state set individually special cases
Vulnerability item state within a group Vulnerable item final state
Group A state: Under Investigation

Group B state: Under Investigation > Awaiting Implementation

Original VI state: Under Investigation > (set on the VI)

Awaiting Implementation

When Group B moved to Awaiting Implementation, and Group A remained Under Investigation, the VI changes to Awaiting Implementation (the highest precedence).

Group A: Under Investigation

Group B: Under Investigation > Awaiting Implementation

Original VI state: Deferred > (set on the VI)

Deferred

When Group B moved to Awaiting Implementation, and Group A remained Under Investigation, the VI remains in the Deferred state (the highest precedence).

When two groups with common vulnerable items are deferred, the state is deferred until the latest date is reached.
Table 4. Vulnerable item deferred state special cases
Vulnerability item state within a group Vulnerable item final state
Group A state: In Review (until April 10)

Group B state: Under Investigation > In Review (until April 30)

Original VI state: In Review (until April 10) > (set on the VI)

Deferred (until April 30)

When Group B moved to Deferred (until Apr-30), and Group A remains Deferred (until Apr-10), the VI changes from Deferred (until Apr-05) to Deferred state (until Apr-30).

Group A: In Review (until July 15)

Group B: Under Investigation > In Review (until July 10

Original VI state: Deferred > (until July 15)

Deferred (until July 15)

When Group B moved to Deferred (until Jul-10), and Group A remains Deferred (Jul-15), the VI remains in Deferred (until Jul-15).

Feedback