Auto-Close Stale Detections
Product Success Playbook

A step-by-step guide to analyze and remediate stale Vulnerable Items

Table of Contents
- Summary: Goal of this Playbook; Audience; Problem Overview
- Executive Summary: How this playbook can help you achieve business goals; How this playbook is structured
- Problem Analysis: Upstream Causes; Downstream Consequences; Impact on Your Business; Engagement Questions
- Remediation Plays Summary
- Play 1: Review your data
- Play 2: Fix Play – Enable scheduled job
- Play 3: Fix Play – Enable Auto-Close configuration
- Data Governance
- References

Summary

Goal of this Playbook
This playbook helps reduce the stale Vulnerable Item Detections present in your instance.

Details about this playbook
- Author: Bibu Punnachalil
- Reviewer: Ravi Kumar Kanukollu
- Date: 22/09/2022
- Addresses HSD #: HSD0011360
- Applicable ServiceNow Releases: Vulnerability Response v14.0 or above
- Prerequisites:
- Time Required: Approximately 1 to 8 hours (depends on your environment)

Audience
- Vulnerability Administrator, Vulnerability Manager
- ServiceNow Administrator

Problem Overview
The Auto-Close Stale Detections module was introduced with v14.0 of Vulnerability Response. Before its introduction, vulnerable items not found or updated by your scanners were closed automatically by the Auto-Close Vulnerable Items module of the Vulnerability Response application. To roll up detection data to your vulnerable items more accurately, the Auto-Close Stale Detections module is available to close older, stale vulnerable item detections. Vulnerable item detections that have not been found recently by your third-party integrations become stale and no longer serve any purpose. Moving these detections to "Closed" reduces the number of active vulnerable items and remediation tasks and helps reconcile assets in the CMDB.
Executive Summary

How this playbook can help you achieve business goals
This playbook recognizes the need to reduce stale Vulnerable Item records in order to get the best value from a VR implementation. It helps remove the existing stale records so that remediation teams can focus on vulnerabilities without clutter from stale records. This, in turn, contributes to improving the vulnerability profile of your organization.

How this playbook is structured
This playbook guides you through 4 plays:
- Play 1 (a review data play) helps you review stale Vulnerable Detection records.
- Play 2 (remediation) provides the steps required to enable the Auto-Close Stale Detections scheduled job.
- Play 3 (remediation) provides the steps required to enable Auto-Close for stale Vulnerable Detections in the configuration.
- Play 4 (a Data Governance play) lists the guidelines and processes for keeping the number of stale Vulnerable Detection records low.

Problem Analysis

Upstream Causes
The drivers of accumulating stale Vulnerable Item Detections are (in decreasing order of business impact):
- The Auto-Close Vulnerable Items module is still used instead of the Auto-Close Stale Detections module.
- Stale detection handling is not active in the Auto-Close Configuration.
- The scheduled job "Auto-Close Stale Detections" is not active, or is not scheduled to run frequently.
- The Auto-Close threshold for Vulnerable Detections is set to more than 90 days.
- The Rapid7 Comprehensive Vulnerable Item Integration - API should have at least one completed successful run within the last 7 days.
Downstream Consequences
- Data consequence: presence of non-actionable Vulnerable Items.
- Operational consequence: non-actionable tasks are forwarded to remediation teams; remediation is not possible because the CI linked to the VI is retired; frustration and lack of confidence in the VR implementation.
- App consequence: dashboards and reports that use VI status information for vulnerability response analysis will be of limited use.

Impact on Your Business
A larger number of VIs that are active but stale negatively impacts the effectiveness and efficiency of your vulnerability remediation teams, vulnerability teams and audits. These records also affect:
- Security: delay in vulnerability identification.
- MTTR: the team's productivity suffers from focusing on stale Vulnerable Detections; slower response to vulnerability remediation.
- Audit/Compliance: incomplete DI data.

Engagement Questions
Consider the answers to these questions:
- Are you on Vulnerability Response v14.0 or above?
- Did you upgrade?
- Did the VR implementation follow the "crawl-walk-run" approach?

Remediation Plays Summary
The table below lists and summarizes each of the remediation plays in the playbook. Details are included later.

Play Name: Review your data
What this play is about: Review the stale vulnerable detection records
Required tasks: List the Vulnerable Detection records, applying the appropriate filter conditions

Play Name: Fix Play
What this play is about: Enable the Auto-Close Stale Detections scheduled job
Required tasks: Activate the scheduled job from the job definition

Play Name: Fix Play
What this play is about: Enable Auto-Close for stale Vulnerable Detections
Required tasks: Open and review the configuration

Play Name: Data Governance
What this play is about: Ongoing monitoring and governance of stale detections
Required tasks: Execute the steps provided in the play

Play 1 - Review your data
What this Play is about: List stale Vulnerable Item Detection records
Required tasks:
- In the Navigator, type sn_vul_detection.list.
  This lists all Vulnerable Item Detection records.
- Adapt the filter to list only the active stale records.

Play 2 – Activate scheduled job
What this Play is about: Review and activate the "Auto-Close Stale Detections" scheduled job, if not already active
Required tasks:
- In the Navigator, type "Scheduled Jobs" and click System Definition > Scheduled Jobs.
- In the list of scheduled jobs, search for the job "Auto-Close Stale Detections" by applying the appropriate filter.
- Open the scheduled job and ensure that the "Active" flag is checked.

Play 3 – Enable Auto-Close for stale Vulnerable Detections
What this Play is about: Review the "Auto-Close Configuration" and activate it if not already active
Required tasks:
- In the Navigator, type "Auto-Close Configuration" and click "Auto-Close Configuration".
- Update the form with the appropriate selections and values and check the Active flag.
- Click "Update" to save the form.

Note: For the Auto-Close Stale Detections module, if you previously used Auto-Close Stale Vulnerable Items:
- The number of days you entered for the "Assets last scanned" option in Auto-Close Stale Vulnerable Items is preserved automatically for "Assets last scanned" in Auto-Close Stale Detections.
- The number of days you entered for the "Vulnerable items last found" option in Auto-Close Stale Vulnerable Items is preserved automatically for "Detections last found" in Auto-Close Stale Detections.
- Existing open detections whose Vulnerable Items are "Closed - Stale" are transitioned to Stale according to the Auto-Close Configuration settings when the Auto-Close Stale Detections scheduled job runs after the upgrade.

Data Governance
What this Play is about: Provides the list of guidelines and processes for keeping the number of stale Vulnerable Detection records low
Required tasks:
- Regularly execute Play 1 to review stale detections.
- Set up a process to review and update vulnerability configurations.

Congratulations! You have completed this Product Success Playbook.
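As an added worked example for Play 3 (not ServiceNow's code or the playbook's own), the following self-contained JavaScript models how the two Auto-Close Configuration thresholds, "Detections last found" and "Assets last scanned", decide which open detections become stale, and contrasts a tuned threshold with the "more than 90 days" upstream cause. The closing rule, the field names (lastFound, assetLastScanned, status) and the sample dates are assumptions for illustration.

```javascript
// Added example (not ServiceNow's implementation): a simplified model of the
// Play 3 Auto-Close Configuration decision, run over constructed sample records.
// The rule, field names and sample dates are assumptions for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed rule: a detection becomes Stale when it has NOT been found for more
// than detectionsLastFoundDays AND its asset HAS been scanned within
// assetsLastScannedDays (so a scanner recently had the chance to re-find it).
// A detection on an asset that has not been scanned recently stays open:
// a missing scan is not evidence that the vulnerability is remediated.
function classifyDetections(detections, config, now) {
  const foundCutoff = now.getTime() - config.detectionsLastFoundDays * DAY_MS;
  const scanCutoff = now.getTime() - config.assetsLastScannedDays * DAY_MS;
  const result = { toStale: [], keepOpen: [], skipped: [] };
  for (const d of detections) {
    if (d.status !== 'Open') { result.skipped.push(d.id); continue; }
    const notFoundRecently = Date.parse(d.lastFound) < foundCutoff;
    const assetScannedRecently = Date.parse(d.assetLastScanned) >= scanCutoff;
    if (notFoundRecently && assetScannedRecently) result.toStale.push(d.id);
    else result.keepOpen.push(d.id);
  }
  return result;
}

// Constructed sample detections (ISO dates), evaluated as of 2022-09-22.
const NOW = new Date('2022-09-22T00:00:00Z');
const SAMPLE_DETECTIONS = [
  // Not found for ~113 days, asset scanned 2 days ago: scanner looked and did not find it.
  { id: 'DET001', status: 'Open', lastFound: '2022-06-01T00:00:00Z', assetLastScanned: '2022-09-20T00:00:00Z' },
  // Found 7 days ago: still present, keep open.
  { id: 'DET002', status: 'Open', lastFound: '2022-09-15T00:00:00Z', assetLastScanned: '2022-09-20T00:00:00Z' },
  // Old detection, but the asset itself has not been scanned for ~83 days: keep open.
  { id: 'DET003', status: 'Open', lastFound: '2022-05-01T00:00:00Z', assetLastScanned: '2022-07-01T00:00:00Z' },
  // Already closed: not a candidate.
  { id: 'DET004', status: 'Fixed', lastFound: '2022-04-01T00:00:00Z', assetLastScanned: '2022-09-20T00:00:00Z' },
];

// A tuned configuration versus the upstream cause "threshold above 90 days".
const TUNED_CONFIG = { detectionsLastFoundDays: 30, assetsLastScannedDays: 7 };
const LAX_CONFIG = { detectionsLastFoundDays: 180, assetsLastScannedDays: 7 };

function runSample() {
  return {
    tuned: classifyDetections(SAMPLE_DETECTIONS, TUNED_CONFIG, NOW),
    lax: classifyDetections(SAMPLE_DETECTIONS, LAX_CONFIG, NOW),
  };
}

console.log(JSON.stringify(runSample(), null, 2));
```

With the 180-day threshold nothing is closed even though DET001 has not been seen for over 100 days, which is the clutter Play 3 is meant to remove.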