Home Paris Security Incident Management Security Operations Vulnerability Response Vulnerability Response remediation overview Triage vulnerabilities automatically Ungrouped Vulnerability Response vulnerable items Automatically close stale vulnerable items

Automatically close stale vulnerable items

Starting with v10.3 of Vulnerability Response, the Auto-Close Stale Vulnerable Items module helps you clean up older, stale vulnerable items (VIs) not recently found by your third-party integrations. Moving these VIs to Closed reduces the number of active vulnerable items and vulnerability groups in your Now Platform instance and helps you reconcile assets in your CMDB.

Before you begin

Role required: sn_vul.vulnerability.admin or sn_vuln.admin (deprecated), or a vulnerability manager with the sn_vul.manage_auto_close_stale_vi granular role

Starting with v10.3, persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

At times, assets (configuration items) may be decommissioned in your environment or purged by third party-scanners, and their associated vulnerable items are not updated by vulnerable item detections. As a result, the VI states on these items are not updated in Vulnerability Response, and they become inactive (stale).

To close these aged vulnerable items that have unchanged vulnerable item data, enable Auto-Close Stale Vulnerable Items. This feature automatically transitions vulnerable items not recently found or updated by your third-party scanner integrations to the Closed - Stale state based on search criteria and an age in number of days that you set.

Qualys users and Auto-Close Stale Vulnerable Items

Any activated Qualys third-party integrations that retrieve detection data can run with this module. There are no specific Qualys applications required.
You can optionally deploy multiple instances of the Qualys integrations across your environment.
Auto-Close Stale Vulnerable Items is not instance-specific, and it is either enabled or disabled across your environment. Stale VIs are automatically transitioned to Closed – Stale on all instances.

Tenable Vulnerability Integration users and Auto-Close Stale Vulnerable Items

Starting with v12.1 of Vulnerability Response, the Tenable Vulnerability Integration supports Auto-Close Stale Vulnerable Items.

Any activated integrations from the Tenable Vulnerability Integration that retrieve detection data can run with this module. There are no specific Tenable Vulnerability Integration applications required.
You can optionally deploy multiple instances of the Tenable Vulnerability Integration across your environment.
Auto-Close Stale Vulnerable Items is not instance-specific, and it is either enabled or disabled across your environment. Stale VIs are automatically transitioned to Closed – Stale on all instances.

Rapid7 users and Auto-Close Stale Vulnerable Items

To ensure detections on all configuration items (CIs) scanned since the last run are imported for Rapid7 users, two comprehensive integrations, the Rapid7 Comprehensive Vulnerable Item Integration and the Rapid7 Comprehensive Vulnerable Item Integration - API applications are available when you install the Rapid7 Integration for Security Operations application in Vulnerability Response. These integration applications are installed but disabled by default in your instance.

Starting with v12.0 of Vulnerability Response, and v11.0 of the Rapid7 Integration for Security Operations application, the ‘Rapid7 Vulnerable Item Integration - API’ comprehensive integration has been optimized to bring in only the assets that have been scanned. For Auto-close stale vulnerable items searches:

If you choose Assets last scanned to base your search on to close stale VIs, an integration run from of one of the Rapid7 Comprehensive Vulnerable Item Integrations is not required.
If you select Vulnerable items last found to base your search on to close stale VIs, this feature requires a successful integration run from one of the Rapid7 Comprehensive Vulnerable Item Integrations within the last seven days. Enable one of the comprehensive integrations for this module.

Prior to v12.0 of Vulnerability Response and v11.0 of the Rapid7 Integration for Security Operations application, in order for this feature to work accurately, the Last found date values for vulnerable items require regular updates. You are required to have one of the comprehensive integrations for this module enabled, regardless of which search option you chose, Vulnerable item last detected, or Asset last scanned.

Activate these integrations as required and described in the following table. For more information about Rapid7 integrations, see Understanding the Rapid7 Vulnerability Integration.

Table 1. Rapid7 integrations required for the Automatically close stale vulnerable items module
Checklist item	Description
V12.0 of Vulnerability Response and v11.0 of the Rapid7	Starting with v12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations, if you select Vulnerable items last found to base your search on, this feature requires a successful run of one of the Rapid7 Comprehensive Vulnerable Item Integrations within the last seven days. These comprehensive integrations run weekly: For Rapid7 Nexpose data warehouse, a successful run from the Rapid7 Comprehensive Vulnerable Item Integration is required. For Rapid7 InsightVM, a successful run from the Rapid7 Comprehensive Vulnerable Item Integration - API is required. If you select Assets last scanned to base your search on, no comprehensive Rapid7 integration run is required. To activate these integrations: Navigate to Rapid7 Vulnerability Integration > Administration > Integration. Locate and enable the Rapid7 Comprehensive Vulnerable Item Integration you need. Note: In addition to these integrations that run weekly, Rapid7 Nexpose and Rapid7 InsightVM each have VI integrations that run daily, the Rapid7 Vulnerable Item Integration, and the Rapid7 Vulnerable Item Integration - API. If both the daily and weekly Rapid7 integrations are enabled, only one integration runs at a time. If one of these integration jobs is running, the job for the other integration is skipped until the next scheduled job.
V10.3 of Vulnerability Response and v10.3 of Rapid7	Enable one of the following integrations for this module, regardless of which search option you chose to close stale vulnerable items. Depending on whether you use Rapid7 Nexpose or Rapid7 InsightVM, imported data from a successfully completed integration run within the last seven days is required. These comprehensive integrations run weekly. To enable these integrations: Navigate to Rapid7 Vulnerability Integration > Administration > Integration. Locate the two integrations and enable (Active) the one you need: For Rapid7 Nexpose data warehouse, enable the Rapid7 Comprehensive Vulnerable Item Integration. For Rapid7 InsightVM, enable the Rapid7 Comprehensive Vulnerable Item Integration - API. Note: In addition to these integrations that run weekly, Rapid7 Nexpose and Rapid7 InsightVM each have VI integrations that run daily, the Rapid7 Vulnerable Item Integration, and the Rapid7 Vulnerable Item Integration - API. If both the daily and weekly Rapid7 integrations are enabled, only one integration runs at a time. If one of these integration jobs is running, the job for the other integration is skipped until the next scheduled job.
(Optional) Deploy multiple instances of the Rapid7 integrations in your environment.	You can optionally deploy multiple instances of the comprehensive integrations across your environment. Auto-Close Stale Vulnerable Items is not instance-specific, and it is either enabled or disabled across your environment. Stale VIs are automatically transitioned to Closed – Stale on instances that have successfully completed integration runs. If Auto-Close Stale Vulnerable Items is enabled and you disable the integrations that run weekly in an instance, the scheduled job to close VIs still runs daily, but some VIs may not transition to Closed – Stale automatically as expected.

Key terms

Stale vulnerable items: Refers to vulnerable items and assets associated with vulnerable items in your Now Platform® instance that are aged and have not been found, updated, or detected by third-party integration scans for a significant amount of time.
Vulnerable items last found: This search option uses a date provided by the third-party scanner. Starting with v12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations, this date refers to the most current, or latest date that vulnerable items were found again by the scanner. Prior to v12.0 and v11.0, respectively, this search option was called, Vulnerable item last detected.
Assets Last scanned: This search option uses a date provided by the third-party scanner. This term refers the most current date an asset was last scanned by a third-party scanner. Prior to v12.0 and v11.0, respectively, this search option was called, Asset last scanned.

Procedure

Navigate to Vulnerability Response > Administration > Auto-Close Stale Vulnerable Items.
The Auto-Close Stale Vulnerable Items form is displayed.
Note: The messages displayed in the following images refer to the Rapid7 comprehensive integrations, and they are only displayed for Rapid7 users.
Figure 1. Version 12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations Auto-Close Stale Vulnerable Items form

Figure 2. Versions 10.3 and 11.0 of Vulnerability Response and v10.3 of the Rapid7 integrations Auto-Close Stale Vulnerable Items form
Fill in the fields.
For the Auto-close stale items based on field, or, prior to v12.0, the Auto-close stale items by field, choose if you want to close older vulnerable items based on the date when vulnerable items were last found, or the date when assets were last scanned. Both searches match the age of older, stale VIs in number of days to a date provided by your scanner.
Choose one option:
- Vulnerable items last found. Prior to v12.0 of Vulnerability Response, this option was called Vulnerable item last detected, but both of these options refer to the most current, or latest date that vulnerable items were found again by the scanner.
- Assets last scanned. Prior to v12.0 of Vulnerability Response, this option was called Asset last scanned. This option refers the most current date an asset was last scanned by a third-party scanner.
For Rapid7 users only, verify any comprehensive integrations you require are enabled.
- Starting with v12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations, as shown in the preceding figure, if you select Vulnerable items last found to base your search on, this feature requires a successful integration run of one of the Rapid7 Comprehensive Vulnerable Item Integrations.
- Prior to v12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations, this feature requires a successful integration run of one of the Rapid7 Comprehensive Vulnerable Item Integrations, regardless of whether you choose Vulnerable item last found or Asset last scanned.
To enable the module, click the Active check box to select it.
In the days ago field, enter the age of older, stale VIs in number of days that you want to close.

Default is 90 days. You can enter any positive value for the number of days. This value is used to match a date provided by your scanner. With 90 and Vulnerable items last detected displayed, any vulnerable items not detected in the last 90 days are automatically closed. With 90 and Assets last scanned displayed, any vulnerable items associated with assets not scanned in the last 90 days are automatically closed.

Note:
There is a relationship between the days ago field and the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration – API. For this integration, the Import since field on the configuration page is empty by default.

If you do not enter a value, or the field has no value, then the data for the number of days configured in the days ago field is used.

For example, if the number of days defined in the auto-close configuration is 90, and the Import since field is empty on the Rapid7 Comprehensive Vulnerable Item Integration - API configuration page, then the first integration run imports the data for the last 90 days. The Import since field for the Rapid7 Comprehensive Vulnerable Item Integration - API is editable, so you can also provide whatever values you want. 90 days is provided as a default if the field remains empty so that the auto-close doesn’t close the false positives.

This relationship between the these fields applies only to the first integration run. After that, changing the days ago field on the Auto-Close Stale Vulnerable Items form doesn’t affect the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration – API configuration page. The field is changed to the first run’s start time so that the subsequent integration runs import only the delta information

The scheduled job, Auto-Close Stale Vulnerable Items, runs daily, identifies if you selected the date vulnerable items were last found, or the date assets were last scanned, and transitions the vulnerable items that match your criteria to Closed – Stale.

For the vulnerable items that are transitioned to Closed – Stale, if the scanner confirms that all the detections are fixed, the vulnerable items associated with the detection transition to Closed - Fixed.

After the vulnerable items that are transitioned to Closed – Stale, if the scanner finds any detection going forward for the vulnerable items, any vulnerable items associated with the detection transition back to Open.

Previous topic

Next topic

Release version

Automatically close stale vulnerable items

Before you begin

Role required: sn_vul.vulnerability.admin or sn_vuln.admin (deprecated), or a vulnerability manager with the sn_vul.manage_auto_close_stale_vi granular role

Qualys users and Auto-Close Stale Vulnerable Items

Any activated Qualys third-party integrations that retrieve detection data can run with this module. There are no specific Qualys applications required.
You can optionally deploy multiple instances of the Qualys integrations across your environment.
Auto-Close Stale Vulnerable Items is not instance-specific, and it is either enabled or disabled across your environment. Stale VIs are automatically transitioned to Closed – Stale on all instances.

Tenable Vulnerability Integration users and Auto-Close Stale Vulnerable Items

Starting with v12.1 of Vulnerability Response, the Tenable Vulnerability Integration supports Auto-Close Stale Vulnerable Items.

Any activated integrations from the Tenable Vulnerability Integration that retrieve detection data can run with this module. There are no specific Tenable Vulnerability Integration applications required.
You can optionally deploy multiple instances of the Tenable Vulnerability Integration across your environment.
Auto-Close Stale Vulnerable Items is not instance-specific, and it is either enabled or disabled across your environment. Stale VIs are automatically transitioned to Closed – Stale on all instances.

Rapid7 users and Auto-Close Stale Vulnerable Items

If you choose Assets last scanned to base your search on to close stale VIs, an integration run from of one of the Rapid7 Comprehensive Vulnerable Item Integrations is not required.
If you select Vulnerable items last found to base your search on to close stale VIs, this feature requires a successful integration run from one of the Rapid7 Comprehensive Vulnerable Item Integrations within the last seven days. Enable one of the comprehensive integrations for this module.

Activate these integrations as required and described in the following table. For more information about Rapid7 integrations, see Understanding the Rapid7 Vulnerability Integration.

Table 1. Rapid7 integrations required for the Automatically close stale vulnerable items module
Checklist item	Description
V12.0 of Vulnerability Response and v11.0 of the Rapid7	Starting with v12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations, if you select Vulnerable items last found to base your search on, this feature requires a successful run of one of the Rapid7 Comprehensive Vulnerable Item Integrations within the last seven days. These comprehensive integrations run weekly: For Rapid7 Nexpose data warehouse, a successful run from the Rapid7 Comprehensive Vulnerable Item Integration is required. For Rapid7 InsightVM, a successful run from the Rapid7 Comprehensive Vulnerable Item Integration - API is required. If you select Assets last scanned to base your search on, no comprehensive Rapid7 integration run is required. To activate these integrations: Navigate to Rapid7 Vulnerability Integration > Administration > Integration. Locate and enable the Rapid7 Comprehensive Vulnerable Item Integration you need. Note: In addition to these integrations that run weekly, Rapid7 Nexpose and Rapid7 InsightVM each have VI integrations that run daily, the Rapid7 Vulnerable Item Integration, and the Rapid7 Vulnerable Item Integration - API. If both the daily and weekly Rapid7 integrations are enabled, only one integration runs at a time. If one of these integration jobs is running, the job for the other integration is skipped until the next scheduled job.
V10.3 of Vulnerability Response and v10.3 of Rapid7	Enable one of the following integrations for this module, regardless of which search option you chose to close stale vulnerable items. Depending on whether you use Rapid7 Nexpose or Rapid7 InsightVM, imported data from a successfully completed integration run within the last seven days is required. These comprehensive integrations run weekly. To enable these integrations: Navigate to Rapid7 Vulnerability Integration > Administration > Integration. Locate the two integrations and enable (Active) the one you need: For Rapid7 Nexpose data warehouse, enable the Rapid7 Comprehensive Vulnerable Item Integration. For Rapid7 InsightVM, enable the Rapid7 Comprehensive Vulnerable Item Integration - API. Note: In addition to these integrations that run weekly, Rapid7 Nexpose and Rapid7 InsightVM each have VI integrations that run daily, the Rapid7 Vulnerable Item Integration, and the Rapid7 Vulnerable Item Integration - API. If both the daily and weekly Rapid7 integrations are enabled, only one integration runs at a time. If one of these integration jobs is running, the job for the other integration is skipped until the next scheduled job.
(Optional) Deploy multiple instances of the Rapid7 integrations in your environment.	You can optionally deploy multiple instances of the comprehensive integrations across your environment. Auto-Close Stale Vulnerable Items is not instance-specific, and it is either enabled or disabled across your environment. Stale VIs are automatically transitioned to Closed – Stale on instances that have successfully completed integration runs. If Auto-Close Stale Vulnerable Items is enabled and you disable the integrations that run weekly in an instance, the scheduled job to close VIs still runs daily, but some VIs may not transition to Closed – Stale automatically as expected.

Key terms

Stale vulnerable items: Refers to vulnerable items and assets associated with vulnerable items in your Now Platform® instance that are aged and have not been found, updated, or detected by third-party integration scans for a significant amount of time.
Vulnerable items last found: This search option uses a date provided by the third-party scanner. Starting with v12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations, this date refers to the most current, or latest date that vulnerable items were found again by the scanner. Prior to v12.0 and v11.0, respectively, this search option was called, Vulnerable item last detected.
Assets Last scanned: This search option uses a date provided by the third-party scanner. This term refers the most current date an asset was last scanned by a third-party scanner. Prior to v12.0 and v11.0, respectively, this search option was called, Asset last scanned.

Procedure

Navigate to Vulnerability Response > Administration > Auto-Close Stale Vulnerable Items.
The Auto-Close Stale Vulnerable Items form is displayed.
Note: The messages displayed in the following images refer to the Rapid7 comprehensive integrations, and they are only displayed for Rapid7 users.
Figure 1. Version 12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations Auto-Close Stale Vulnerable Items form

Figure 2. Versions 10.3 and 11.0 of Vulnerability Response and v10.3 of the Rapid7 integrations Auto-Close Stale Vulnerable Items form
Fill in the fields.
For the Auto-close stale items based on field, or, prior to v12.0, the Auto-close stale items by field, choose if you want to close older vulnerable items based on the date when vulnerable items were last found, or the date when assets were last scanned. Both searches match the age of older, stale VIs in number of days to a date provided by your scanner.
Choose one option:
- Vulnerable items last found. Prior to v12.0 of Vulnerability Response, this option was called Vulnerable item last detected, but both of these options refer to the most current, or latest date that vulnerable items were found again by the scanner.
- Assets last scanned. Prior to v12.0 of Vulnerability Response, this option was called Asset last scanned. This option refers the most current date an asset was last scanned by a third-party scanner.
For Rapid7 users only, verify any comprehensive integrations you require are enabled.
- Starting with v12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations, as shown in the preceding figure, if you select Vulnerable items last found to base your search on, this feature requires a successful integration run of one of the Rapid7 Comprehensive Vulnerable Item Integrations.
- Prior to v12.0 of Vulnerability Response and v11.0 of the Rapid7 integrations, this feature requires a successful integration run of one of the Rapid7 Comprehensive Vulnerable Item Integrations, regardless of whether you choose Vulnerable item last found or Asset last scanned.
To enable the module, click the Active check box to select it.
In the days ago field, enter the age of older, stale VIs in number of days that you want to close.

Default is 90 days. You can enter any positive value for the number of days. This value is used to match a date provided by your scanner. With 90 and Vulnerable items last detected displayed, any vulnerable items not detected in the last 90 days are automatically closed. With 90 and Assets last scanned displayed, any vulnerable items associated with assets not scanned in the last 90 days are automatically closed.

Note:
There is a relationship between the days ago field and the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration – API. For this integration, the Import since field on the configuration page is empty by default.

If you do not enter a value, or the field has no value, then the data for the number of days configured in the days ago field is used.

For example, if the number of days defined in the auto-close configuration is 90, and the Import since field is empty on the Rapid7 Comprehensive Vulnerable Item Integration - API configuration page, then the first integration run imports the data for the last 90 days. The Import since field for the Rapid7 Comprehensive Vulnerable Item Integration - API is editable, so you can also provide whatever values you want. 90 days is provided as a default if the field remains empty so that the auto-close doesn’t close the false positives.

This relationship between the these fields applies only to the first integration run. After that, changing the days ago field on the Auto-Close Stale Vulnerable Items form doesn’t affect the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration – API configuration page. The field is changed to the first run’s start time so that the subsequent integration runs import only the delta information

The scheduled job, Auto-Close Stale Vulnerable Items, runs daily, identifies if you selected the date vulnerable items were last found, or the date assets were last scanned, and transitions the vulnerable items that match your criteria to Closed – Stale.

For the vulnerable items that are transitioned to Closed – Stale, if the scanner confirms that all the detections are fixed, the vulnerable items associated with the detection transition to Closed - Fixed.

After the vulnerable items that are transitioned to Closed – Stale, if the scanner finds any detection going forward for the vulnerable items, any vulnerable items associated with the detection transition back to Open.

How search works:

Topics are ranked in search results by how closely they match your search terms

Automatically close stale vulnerable items

Automatically close stale vulnerable items

On this page

Automatically close stale vulnerable items

Automatically close stale vulnerable items

Log in to personalize your search results and subscribe to topics