Assign application vulnerable items in Application Vulnerability Response automatically
- Updated Feb 1, 2024
- Washington DC
- Application Vulnerability Response
Automatically assign application vulnerabilities based on application tags, or any of the assignment groups in the Configuration Item [cmdb_ci] or platform assignment groups, to reduce the mean time to assignment.
Assigning application vulnerable items automatically
- User Group: This option allows you to select any of the existing ServiceNow AI Platform® user groups.
- User Group Field: This option allows you to choose any assignment group field available using the cmdb_ci table. By default, you see the following three group fields in the list menu under User group field.
  - None: Indicates no default value for this mandatory field
  - Configuration Item: Approval Group
  - Configuration Item: Assignment Group
  - Configuration Item: Support Group
- Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow expertise.
Run high-priority rules first: items that need special handling, where risk is critical, or where an AVI should be handled by regulatory compliance. Next, run your general rules, where no special handling is required and you know who should be responsible for the items. Finally, create a default rule to assign AVIs to the group that will figure out which assignment group each AVI should belong to. This group could add another rule to cover their decisions. This default rule would run last.
Assignment rule evaluation process
When a new AVI is created, imported, or reopened after being closed, the assignment rules are evaluated against it. An AVI is only evaluated once, unless it is reopened after being closed. You can manually reapply rules after changes.
- For each vulnerability assignment rule, the AVI is compared to the assignment filter, lowest order rule first.
- Where the condition matches, the AVI is assigned an assignment group. The lookup stops.
- Where the conditions do not find a match among all the other rules, the AVI is assigned to the default assignment group, if a default rule exists.

Note: If there is no default rule, then the AVI remains unassigned.
Reapplying assignment rules
If the Reapply all vulnerability assignment rules scheduled job has not run before the first time you use Apply Changes, then it runs all the assignment rules on all Open AVIs except those AVIs that were manually assigned. After that, all subsequent uses of Apply Changes rerun only the changed rules and any dependent rules. Changes to one rule may result in an AVI matching a different unmodified rule.
The scheduled job [Reapply all assignment rules] is inactive, by default. When activated, it applies all the rules to all open AVIs except those manually assigned. It can run Daily, Weekly, Monthly, Periodically, Once, or On Demand. Depending on how many active AVIs you have in your environment, remember to set the Run field appropriately following the initial run to prevent performance impacts.
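The evaluation order and the scheduled reapply job described above, modeled as a standalone JavaScript program. This is an added example, not ServiceNow code; the field names (`order`, `isDefault`, `matches`, `state`, `manuallyAssigned`), the group names, and the sample rules and AVIs are assumptions constructed for illustration.

```javascript
// Illustrative model only; field names (order, isDefault, matches, group,
// state, manuallyAssigned) are assumptions, not ServiceNow column names.

// Constructed sample rules, deliberately listed out of order.
const rules = [
  { name: "Default triage", order: 9999, isDefault: true, group: "AppSec Triage" },
  { name: "General: payments tag", order: 200, group: "Payments Dev",
    matches: (avi) => avi.tags.includes("payments") },
  { name: "High priority: critical risk", order: 100, group: "AppSec Critical",
    matches: (avi) => avi.risk === "critical" },
];

// Evaluate one AVI: lowest order first, stop at the first match,
// fall back to the default rule, otherwise leave unassigned (null).
function assignAvi(avi, ruleSet) {
  const ordered = ruleSet.filter((r) => !r.isDefault).sort((a, b) => a.order - b.order);
  const hit = ordered.find((r) => r.matches(avi));
  const fallback = ruleSet.find((r) => r.isDefault);
  const chosen = hit || fallback || null;
  return chosen ? { group: chosen.group, rule: chosen.name } : { group: null, rule: null };
}

// Model of the scheduled reapply job: every open AVI is re-evaluated,
// except those that were manually assigned.
function reapplyAll(avis, ruleSet) {
  return avis.map((avi) => {
    if (avi.state !== "open" || avi.manuallyAssigned) return avi;
    return { ...avi, assignmentGroup: assignAvi(avi, ruleSet).group };
  });
}

// Constructed sample AVIs.
const avis = [
  { id: "AVI-1", risk: "critical", tags: ["payments"], state: "open", assignmentGroup: null },
  { id: "AVI-2", risk: "medium", tags: ["payments"], state: "open", assignmentGroup: null },
  { id: "AVI-3", risk: "low", tags: [], state: "open", assignmentGroup: null },
  { id: "AVI-4", risk: "critical", tags: [], state: "open", assignmentGroup: "Legal", manuallyAssigned: true },
  { id: "AVI-5", risk: "critical", tags: [], state: "closed", assignmentGroup: "Payments Dev" },
];

for (const avi of reapplyAll(avis, rules)) {
  console.log(avi.id, "->", avi.assignmentGroup ?? "(unassigned)");
}
```

AVI-1 matches both the critical-risk rule and the payments rule; the lower order value wins, which is why high-priority rules need the lowest order numbers.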