Vulnerability Response basics

The ServiceNow® Vulnerability Response application imports vulnerable items and automatically groups them according to group rules, allowing you to remediate vulnerabilities quickly. Vulnerability data is pulled from internal and external sources, such as the National Vulnerability Database (NVD) or third-party integrations.

Compare vulnerability data pulled from internal and external sources. For any vulnerable items, create change requests and security incidents using vulnerability groups to remediate issues and mitigate risk.
Note: Activation of the Vulnerability Response plugin (com.snc.vulnerability) on production instances may require a separate license.

Watch an overview of the typical vulnerability response within an enterprise versus the vulnerability response with ServiceNow®. It defines vulnerable items, vulnerability groups, and their lifecycles.

Vulnerability Response and the Now Platform®

Vulnerability Response is one member of the Security Operations application suite. Together these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.

Security Operations overview

Vulnerability Response flow

You use Vulnerability Response to follow the flow of information, from integration through investigation, and then on to resolution.

Vulnerability Response flow

Integrate your Vulnerability scanner

After vulnerability data is imported, you can compare the data to CIs and software identified in the ServiceNow® Asset Management application. You can perform the following tasks.
  • Compare vulnerability-related data when a vulnerability is found on a configuration item.
  • Escalate issues by creating change requests and security incident records (if the ServiceNow® Security Incident Response application is activated).
  • Manage vulnerable items grouped by vulnerability or by CI, or individually. Each vulnerability represents an entry in the NVD, the Common Weakness Enumeration (CWE), or a third-party library.
  • Relate a single third-party vulnerability to multiple Common Vulnerabilities and Exposures (CVE) entries.
  • Use CWE records, downloaded from the CWE database, for reference when deciding whether a vulnerability must be escalated. Each CWE record also includes an associated knowledge article that describes the weakness. You cannot escalate a vulnerability from the Common Weakness Enumerations page. That page is for reference only.
  • If the Qualys Vulnerability Integration is installed and you have multiple deployments of the same application, you can add an integration for each deployment. Qualys Cloud Platform is currently the only third-party integration that supports this feature. Setup for multi-source integration is available within the Setup Assistant. Assets identified by multiple Qualys deployments, and their vulnerabilities, are consolidated and reconciled with your CMDB, even when scan processes overlap between the deployments. Qualys vulnerability integration KnowledgeBase records are normalized across deployments, so that instances of the same vulnerability across deployments are treated as the same vulnerability.

Prioritize vulnerabilities

Vulnerability Response data correlation is performed using groups, calculators, and libraries. You can perform the following tasks.
  • Create vulnerability groups to contain vulnerable items from NVD, CWE, and third-party integrations.
  • Assign prioritization, rules, and access.
  • Create vulnerability group rules based on vulnerabilities, filters, filter conditions, and group keys.
  • Use calculator groups to determine business impact, specify varying conditions using filters, apply simple calculations, or use a script.
  • View ungrouped vulnerable items and vulnerabilities.
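As an added illustration of the grouping and calculator concepts described above (plain Node.js over constructed records, not ServiceNow's own scripting API or data model), the following sketch applies a calculator group to vulnerable items, then applies two group rules (a filter condition plus a group key) and reports the items no rule picks up; the field names, conditions and sample values are assumptions.

```javascript
// Constructed sample: one row per (CI, vulnerability) pairing, i.e. a vulnerable item.
const vulnerableItems = [
  { ci: "web-01", vuln: "CVE-2021-0001", cvss: 9.8, exposure: "internet" },
  { ci: "web-02", vuln: "CVE-2021-0001", cvss: 9.8, exposure: "internet" },
  { ci: "db-01",  vuln: "CVE-2021-0002", cvss: 5.3, exposure: "internal" },
  { ci: "db-01",  vuln: "CVE-2021-0001", cvss: 9.8, exposure: "internal" },
];

// A calculator group modelled as ordered conditions; the first matching
// calculator sets the item's risk rating (lower score = more urgent).
const riskCalculator = [
  { name: "Critical", when: vi => vi.cvss >= 9.0 && vi.exposure === "internet", score: 1 },
  { name: "High",     when: vi => vi.cvss >= 7.0, score: 2 },
  { name: "Moderate", when: vi => vi.cvss >= 4.0, score: 3 },
  { name: "Low",      when: () => true, score: 4 },
];

function rateItem(vi, calculator = riskCalculator) {
  const rule = calculator.find(r => r.when(vi));
  return { ...vi, risk: rule.name, score: rule.score };
}

// A group rule: items passing the filter are grouped by the group key.
// The group's rollup rating is the most urgent rating among its members,
// and groups come back ordered so the most urgent one is remediated first.
function applyGroupRule(items, { filter, groupKey }) {
  const groups = new Map();
  for (const vi of items.filter(filter)) {
    const key = groupKey(vi);
    const rated = rateItem(vi);
    const g = groups.get(key) || { key, items: [], rollupScore: Infinity, rollupRisk: "Low" };
    g.items.push(rated);
    if (rated.score < g.rollupScore) { g.rollupScore = rated.score; g.rollupRisk = rated.risk; }
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) => a.rollupScore - b.rollupScore);
}

// Vulnerable items that no group rule's filter matches stay ungrouped and
// need attention individually.
function ungrouped(items, rules) {
  return items.filter(vi => !rules.some(r => r.filter(vi)));
}

// Two hypothetical group rules: one keyed by vulnerability, one keyed by CI.
const byVulnerability = { filter: vi => vi.cvss >= 7.0, groupKey: vi => vi.vuln };
const byCI = { filter: vi => vi.exposure === "internal", groupKey: vi => vi.ci };
```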

Create change requests and coordinate planning

Vulnerability Response remediation is primarily a manual process performed at the group level. There are multiple ways to remediate vulnerability groups. From the Under Investigation state, create change requests, defer, or close the group.

If the vulnerability is a security incident and Security Incident Response is activated, you can create security incident records.

Assignment rules are used to automate vulnerable item or vulnerability assignments. Because data imports can be very large, take care when automating vulnerable item assignment.

Confirm vulnerability resolution

Vulnerability Response provides several useful reports, charts, and an Explorer dashboard for you to analyze and monitor data before and after remediation. You can also return Vulnerability Response-related information using the global search feature.

An automated rescan confirms that your changes have taken effect, or shows that remediation needs to be rescheduled.

Vulnerability Response terminology

The following terms are used in Vulnerability Response.
Common Vulnerabilities and Exposures (CVE)
Dictionary of publicly known information-security vulnerabilities and exposures.
Common Vulnerability Scoring System (CVSS)
Open framework for communicating the characteristics and severity of software vulnerabilities.
Common Weakness Enumeration (CWE)
List of common software weaknesses.
Discovery models
Software models used to help normalize the software you own by analyzing and classifying models to reduce duplication.
Vulnerability calculator groups, vulnerability calculators, and the rollup calculator
Calculators used to prioritize and categorize vulnerabilities based on user-defined criteria.
Vulnerability groups and group rules
Used to group vulnerable items based on vulnerability, vulnerable item conditions, or filter group.
Vulnerability integration
A process that pulls report data from a third-party system, generally to retrieve vulnerability data.
Vulnerabilities
Records of potentially vulnerable software downloaded from the National Institute of Standards and Technology (NIST) NVD, or third-party integrations.
Vulnerable items
Pairings of vulnerable entries, downloaded from the NIST NVD or third-party integrations, and potentially vulnerable configuration items and software in your company network.