Vulnerability Response release notes

ServiceNow® Vulnerability Response product enhancements and updates in the Kingston release.

The Vulnerability Response application in Security Operations prioritizes vulnerable items and adds business context to help security determine whether business critical systems are at risk. Using the CMDB, it can easily identify dependencies across systems and quickly assess the business impact of changes or downtime. Vulnerability Response provides a comprehensive view of all vulnerabilities affecting a given service, as well as the current state of all vulnerabilities affecting the organization.

Kingston upgrade information

For key information on upgrading to Kingston, see KB0680550. For an FAQ on the impact of changes to existing instances, see KB0680543.

During upgrade, the Vulnerable Item table is reparented to improve performance. If you have large numbers of vulnerable items, the upgrade process may take additional time. No special handling is needed. However, you should stop any Vulnerability Response activities prior to upgrade and record your vulnerable item count. Once the upgrade is complete, verify that your pre- and post-upgrade vulnerable item counts match each other.

To reduce upgrade time, if you have Qualys or a third-party integration installed, delete all attachments on your integration data sources. You can find them by navigating to System Import Sets > Administration > Data Sources and searching by integration. See Manage attachments for more information.

When upgrading from a version prior to Kingston, the Vulnerable Items by Remediation Target Status report does not appear in the Vulnerability Response Overview and must be added manually.

Activation information

Activate the Vulnerability Response plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription.

New in the Kingston release

Remediation Target Rules
Use the Remediation target rule to define the remediation target days for a selected group of vulnerable items. Once the target days are set, it calculates the remediation target date, based on when the vulnerability was first identified, and shows the target date across the system. It provides visibility of remediation status versus the defined target date.
Vulnerability Group Rules enhancement
Vulnerability Group Rules have two major enhancements.
  • Advanced group keys to group vulnerable items by:
    • CI class

      Added so that you can group by keys other than those keys available as part of the base CMDB_CI class. For example, you can select Operating System by selecting the CI Class CMDB_CI Computer.

    • Vulnerability class

      Added so that you can group by third-party vulnerability entry or NVD fields like vulnerability category.

  • Assignment rule functionality allows auto assignment of groups while defining the group rule. You can select the Assignment group, Assignment group fields or you can define your own Assignment rules.
Impacted Services
Prior to Kingston, impacted services for vulnerable items were populated by default as part of Task. This same functionality is now implemented for Vulnerability Response so that impacted services are listed again on vulnerable items.
Tables installed with Vulnerability Response
Related Business Services [sn_vul_m2m_ci_services]: links CIs to Business Services
Assignment Rule [sn_vul_vgr_assignment_rule]: contains assignment rules
Remediation Target Rule [sn_vul_ttr_rule]: contains remediation target rules
Vulnerability Remediation Status [sn_vul_m2m_ttr_status]: maintains remediation target status of the vulnerable item associated with the remediation target rule
Vulnerability Group Rules
Use Vulnerability Group Rules to automatically create Vulnerability Groups, grouping all vulnerable items by up to three attributes. Support is available for an optional set of conditions to limit which vulnerable items are grouped.
CI Identifier Rules
Configure the tables and fields within the CMDB that are used to look up existing Configuration Items when importing Vulnerable Items with CI Identifier Rules. They are also used for other Security Operations integration use cases. Rules are extensible to accommodate attribution and data that may be unique to a customer environment.
Manual Vulnerability Groups
Manually add and remove Vulnerable Items from a group during the analysis phase of their remediation workflow using Vulnerability Groups.
Bulk Editing of Vulnerable Items
Modify the State, Priority, or Business impact of many vulnerable items at once using Bulk Editing. It also adds a Work note with the reasons for the change.
New Vulnerability fields
View new fields on a vulnerability that can indicate whether there are public or active exploits for it. The fields also indicate whether it can be remediated via a patch, a configuration change, or a combination of both.
Risk Score
The Risk Score field for vulnerable items was introduced to help drive prioritization of Vulnerability Response remediation. Use it to view reports on risk posture by business and across the organization. Calculators can be configured to compute the Risk Score based on any attribute of Vulnerable Item, Vulnerability, or related record.
Qualys Configuration and Diagnostics
Use the new Qualys integration configuration page for Vulnerability Response. It consolidates the most critical parameters for a deployment. A new Integration Run Status page provides diagnostics and counts for each import process.
Ungrouped Vulnerable Items
Easily identify Vulnerable Items that do not currently belong to an active Vulnerability Group for remediation and patching using Ungrouped Vulnerable Items.

Changed in this release

  • Tables installed with Vulnerability Response
    • Vulnerable Item [sn_vul_vulnerable_item]:
      • added a flag for impacted services
      • added new columns: ttr_applied_rule, ttr_status, ttr_target_date
  • Vulnerability Remediation: The following states for vulnerability group remediation have been renamed, along with new state transitions that are available as UI actions on vulnerability groups.
    Old state name          | New state name
    New                     | Open
    Analysis                | Under Investigation
    Ignored                 | Deferred
    Pending Confirmation    | Awaiting Implementation
    Pending Confirmation    | Resolved
    Note: Pending Confirmation was replaced with two states to more precisely show progress. It had represented both the case where a change had been requested, and the case where the vulnerability had been resolved and was pending a scanner result to confirm the fix.
    Upgrade impact of new state names:
    • Pending Confirmation is replaced with Awaiting Implementation.
    • Vulnerable items in a Resolved state reopen, if found as Open by the scanner, as items in the Pending Confirmation state previously did. Items in the Awaiting Implementation state do not reopen, if found as Open.
    • Any custom states remain as-is. There is no impact to custom states.
    Substates
    • The Canceled substate was added.
    • Substates for the Closed state of vulnerable items and vulnerability groups have changed as follows:
      Old substate name     | New substate name
      False Positive        | Results Invalid
      Irrelevant            | Results Invalid

      Upgrade impact of substate change: All other substates for Closed are automatically replaced with new substates.

  • Change Requests: Change Requests issued from a Vulnerability Group include a reference to the Vulnerability Group that created the request instead of the list of Vulnerable Items in the group.
  • Qualys Vulnerability Integration changes include the following:
    • the last_update_by_qualys parameter was deprecated in favor of last_update_by_source.
    • the HostImportReportProcessor script include replaced both the Host Import and Host Detection List Import transform maps.
  • Architectural change for vulnerable items: Due to performance and scale considerations, vulnerable items no longer inherit from the Task table. Vulnerability groups now handle all task functionality.
    Upgrade impact of architectural change:
    • SLAs no longer function on vulnerable items. Remediation target rules allow you to define the remediation target date and monitor progress.
  • NVD data feed URLs have changed. Downloads may stall due to outdated URLs. If you encounter this situation, see KB0683326 for more information on correcting the issue.

Removed in this release

  • Task fields on Vulnerable Item:
    Task fields and related lists no longer appear on vulnerable items, including the following:
    • Assignment Group and Assigned to fields

      Upgrade impact of task fields on vulnerable items: If there is data in the Assignment group and/or Assigned to field before the upgrade, the data is preserved, but does not appear in the Assigned to me or My work menus. Vulnerable items are no longer a task.

    • Task SLAs related list
  • The Create Change UI action was removed from the Vulnerable Item form.
  • The Create Problem UI action was removed from both the Vulnerable Groups and Vulnerable Items forms.