The ServiceNow® Vulnerability Response application brings security and IT together to enable you to remediate your most critical vulnerabilities more quickly and efficiently. Vulnerability Response was enhanced and updated in the Xanadu release.

Vulnerability Response highlights for the Xanadu release

  • Reevaluate the risk score, assignments, remediation target date, exceptions, and remediation task for a set of vulnerable items in the Vulnerability Manager Workspace.
  • Reassess the vulnerable item records from the workspace.
  • Navigate to the Exposure Assessment page in the Vulnerability Manager Workspace or Vulnerability Assessment Workspace from the All menu with the Vulnerability Response Pro or Enterprise subscription.
  • View risk rating-related changes in the Work notes section.
  • Access information on how an item's risk score is adjusted according to modifications in the vulnerability calculators.

See Vulnerability Response for more information about Vulnerability Response. See the Vulnerability Response Compatibility Matrix and Release Schema Changes Knowledge Base article for more information about released Security Operations applications and their version compatibility.

Important: Vulnerability Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

New in the Xanadu release

Create solutions from scanners
Starting with v24.0.6 of Vulnerability Response, solution records can now be configured to be created from scanners such as Tenable, Qualys, and Microsoft Threat and Vulnerability Management (MS TVM). These solutions are set as preferred in the absence of options from software vendors.
Activate or deactivate CVEs for exposure assessment
Starting with version 4.0.1 of Vulnerability Exposure Assessment, if a Common Vulnerability Entry (CVE) has not been updated or had vulnerable items (VITs) created in the past 30 days, the exposure assessment record for that CVE is automatically marked as inactive. However, you can manually activate or deactivate these records. Additionally, the scheduled job Check potential vulnerability exposure regularly scans for such CVEs to designate them as inactive. If there is an update, it marks them as active.
Split detections from Tenable and Microsoft TVM scanners
Starting with v24.0.6 of Vulnerability Response, you can split the detections from Tenable and Microsoft Threat and Vulnerability Management (MS TVM) scanners, enabling the creation of a unique vulnerable item (VIT) for each detected vulnerability instance. This split enables the assignment of VITs to various remediation teams, enhancing the management and tracking of vulnerabilities. 
New Properties module
Starting with v24.0.6 of Vulnerability Response, a new Properties module has been added to the navigation menu under the Administration section. This module enables direct modification of the values, offering a user-friendly method to manage and update system properties directly from the interface.
Deletion of classification rules and application on discovered items
Starting with v24.0.6 of Vulnerability Response, if a classification rule is deleted or deactivated, it’s no longer applied to the discovered item and the data in the Classification and Classification_type fields get cleared.
Exceptions for CI creation
Starting with v24.0.6 of Vulnerability Response, if Identification and Reconciliation engine (IRE) encounters exceptions that prevent the creation of configuration items (CIs), the specifics of these exceptions are recorded in the Additional Information field.
View configuration item history
Starting with v24.0.6 of Vulnerability Response, you can view the updates to a CI in the Discovered Item table. Information including the previous CI, the updated CI, and the user who made the changes is documented in the Audit History related list.
Customize the calculation of Age and Age closed values of a vulnerable item
Starting with v24.0.6 of Vulnerability Response, the Age and Age Closed durations of a Vulnerable Item can be configured to be calculated from the date in the Created, Opened, or First Found fields.
Open the search results in the Vulnerability Manager Workspace or IT Remediation Workspace rather than the Classic UI
Starting with v24.0.6 of Vulnerability Response, automatically open your search results in the Vulnerability Manager Workspace or IT Remediation Workspace rather than the Classic UI, by adjusting the application scope in the unified navigation bar to Vulnerability Manager Workspace or IT Remediation Workspace respectively. These application scopes are available to you based on your assigned role.
Vulnerability Manager Workspace access to the sn_vul.read_all role
Starting with v24.0.6 of Vulnerability Response, as a user with the sn_vul.read_all role, you can view the host vulnerable items in the Vulnerability Manager Workspace.
IT Remediation Workspace access to the sn_vul.read_assigned role
Starting with v24.0.6 of Vulnerability Response, as a user with the sn_vul.read_assigned role, you can view the host vulnerable items assigned to you and your assignment groups in the IT Remediation Workspace and remediate them.
Navigate to the List page in the Vulnerability Manager Workspace or IT Remediation Workspace by selecting the links from the All menu
Starting with v24.0.6 of Vulnerability Response, when you enable the 'sn_vul_cmn_ws.navigate_to_workspace' system property, selecting predefined filter links in the Vulnerability Response module from the 'All' menu will automatically open these links in the List page in the Vulnerability Manager Workspace or IT Remediation Workspace based on your role.
Hide the record count on the Host Vulnerable Items list in the Vulnerability Manager Workspace and IT Remediation Workspace
Starting with v24.0.6 of Vulnerability Response, you can hide the record count on the lists in the List page of the Vulnerability Manager Workspace and IT Remediation Workspace by adding the table names to the glide.ui.list.seismic.omit.count system property.
Enable automatic refresh for the Home page dashboard in the Vulnerability Manager Workspace
Starting with v24.0.6 of Vulnerability Response, when creating and editing filters in the Host Vulnerabilities tab on the Home page of the Vulnerability Manager Workspace, you can configure the widgets to refresh automatically. Otherwise, you can manually refresh the widgets by selecting the Refresh button on the Host Vulnerabilities tab.
Re-evaluating remediation properties for all records in the Vulnerability Manager Workspace
Starting with v24.0.6 of Vulnerability Response, you can evaluate the remediation properties for all the Vulnerable Items from the Host Vulnerable Items list by selecting the All items option in the Record selection field of the Re-evaluate remediation properties modal in the Vulnerability Manager Workspace.
Reevaluate the remediation properties for vulnerable items in the Vulnerability Manager Workspace
Select the vulnerable items conditionally for reevaluating the following remediation properties in the Vulnerability Manager Workspace:
  • Assignments
  • Remediation tasks
  • Remediation target date
  • Exceptions (Vulnerability Response v24.0.6)
  • Risk score
Navigate to the Exposure Assessment page in workspaces from the All menu
With the Vulnerability Response Pro or Enterprise subscription, you’re redirected to the Exposure Assessment page in the Vulnerability Manager Workspace or Vulnerability Assessment Workspace based on your role, on selecting the Exposure Assessment link in the All menu.
Common Security Advisory Framework (CSAF) scanner mapping is optional
The Scanner mapping field is now optional for the following Common Security Advisory Framework (CSAF) import methods:
  • File import
  • Advisories
  • CSAF URL
Multiple vendors supported for CSAF through Rolie feed
Import vulnerability solutions from CSAF aggregators or trusted providers via URL import supporting Resource-Oriented Lightweight Information Exchange (ROLIE) feed. These vulnerability solutions are automatically mapped to the correct vendor and vulnerable items (VITs) based on the Common Vulnerabilities and Exposures (CVEs).
Enhanced processing performance of scheduled job
The Rollup vulnerable item values to vulnerability and group scheduled job is enhanced to create background jobs with multithreading capabilities. This upgrade involves segmenting the job into several smaller child jobs, which are executed either in parallel or concurrently. This modification enables processing of multiple records simultaneously, thus significantly speeding up the overall task.
Workflow deprecation and replacement by flow designer
The following workflows have been deprecated and replaced by the flow designer:
  • Exception Rule State Approval
  • Remediation Task State Approval
  • Vulnerability Response - Scan Vulnerability
  • Vulnerable Item State Approval
  • Vulnerability Response - Scan Vulnerable Item
.
Risk score updates in the Notes section
Access information on how an item's risk score is adjusted according to modifications in the vulnerability calculators. These details are available in the Notes section and include:
  • Calculator group name
  • Calculator name
  • Field values along with their weightage and impact on the risk score
  • Final risk score
Vulnerability Crisis Management (VCM) is available as a separate subscription in the store
Starting with v1.0.1 of Vulnerability Crisis Management, the application is available as a separate subscription in the store. You can access Vulnerability Crisis Management from the Vulnerability Assessment workspace only if you have fine- grained entitlement or have installed the application from the store. Previously, Vulnerability Crisis Management was included with the Vulnerability Emergency Response plugin.
Vulnerability Exposure Response is renamed as Vulnerability Exposure Assessment
Starting with v3.2.2, the Vulnerability Emergency Response plugin has been renamed as Vulnerability Exposure Assessment.

Changed in this release

Deprecated the privilege to delete a vulnerable item for the Admin role
As a vulnerability admin [sn_vul.vulnerability_admin], you can’t delete a vulnerable item. This privilege is now given to the sn_vul.delete granular role.
Deprecated the privilege to delete source records for the sn_vul.admin and sn_vul.admin_solutions roles
The privilege to delete the source records has been deprecated for the sn_vul.admin and sn_vul.admin_solutions roles. This privilege is given to the sn_vul_cmn.delete granular role.

Removed in this release

The Close button has been removed for a remediation task in the Classic UI, Vulnerability Manager Workspace, and IT Remediation Workspace.