This is an overview of domain separation and Vulnerability Response. Domain
separation enables you to separate data, processes, and administrative tasks into logical
groupings called domains. You can then control several aspects of this separation, including
which users can see and access data.
Overview
Support: Level 2
Domain separation is supported in this application. Not all ServiceNow applications support domain separation; some include limitations on the data and administrative settings that can be domain separated. To learn more, see Application support for domain separation.
How domain separation works in Vulnerability Response
With domain separation you can standardize Vulnerability Response (VR) procedures across the customer base you serve, with lower operational costs and a higher quality of service.
Separate customer workspaces for workflows, dashboards, reports, and so on ensure that each customer's data is kept apart and never exposed to other clients.
Table 1. Domain separation support in Vulnerability Response by version releases

| Release | Support level | Notes |
| --- | --- | --- |
| Geneva, Helsinki | No support | |
| Istanbul | Data only | Initiation of data-level domain separation |
| Jakarta | Level 2 (Data, Requestor, Fulfiller) | New features: third-party integrations support Level 2 domain separation under a single instance of an integration. |
| Kingston | Level 2 (Data, Requestor, Fulfiller) | New features: third-party scanner integration can be enabled with multiple instances of Qualys, for example, but all instances still live under a single domain. |
| London | Level 2 (Data, Requestor, Fulfiller) | |
| Madrid | Level 2 (Data, Requestor, Fulfiller) | |
Domain separation for the Vulnerability Response application covers
the following product functionality:
- Ingests the vulnerable items from third-party scanners (Qualys, Rapid7 or Tenable) in the correct
domain
- The data ingests in the same domain as that of the integration user, whose credentials
are used for integration.
- Re-scans specific assets from Vulnerability Response in the domain from
which it was requested.
- Uses the CMDB CI lookup process to ensure that the CI information from the scanners matches
the CIs in CMDB of the integration user’s domain.
- Calculates risk scores at the vulnerable item level as per the risk score calculator
defined in the same domain as that of the integration user.
- Remediation target rules are executed on vulnerable items as per the remediation target
rules defined in the same domain as that of the integration user.
- Vulnerability group rule(s) can be defined, and stay in, the same domain as the domain of
the integration user.
- Vulnerability groups created using the vulnerability group rules stay in the same domain as
where the group rules are created.
- Deferral workflow goes through the approval process in the same domain for which the
deferral is requested.
- Reports and dashboards display the vulnerable item-states such as age of vulnerable item,
open vulnerable items by CI, vulnerabilities by impact, and remediation target date status in
the domain to which it belongs.
- Knowledge from third-party scanners or the National Vulnerability database (NVD) can be
ingested in the global domain and data can be shared across multiple clients.
Note: In all the above cases, the overarching visibility principles of domain separation on the Now Platform apply.
Use cases
The Vulnerability Response application
manages the life cycle of a vulnerability item end to end. The following use cases are
domain-separation aware:
- Ingest vulnerable items (vulnerabilities on assets) from either Qualys, Rapid7 or Tenable
  - Ingest data from multiple instances
  - De-duplicate the vulnerable item
  - Match up with CMDB CI
- Enrichment of vulnerable items with risk scores and remediation target dates
  - Asset enrichment (CMDB)
  - Risk score and remediation target date enrichment
- Group vulnerable items and assign the vulnerability group
  - Automatically group the vulnerable items
  - Automatically assign the vulnerability group
- Remediate
  - Vulnerability group assigned as a remediation task
  - Comprehensive remediation life cycle
  - Deferral workflow
- Measure the security posture of the organization and the vulnerability management program
  - Vulnerability trend, most vulnerable asset, vulnerability by age
  - Remediation status by the remediation target date
Setup
Setting up domain separation for Vulnerability Response does not require any
additional steps. All Vulnerability Response tables acquire the
Domain column after the instance is domain separated. You can direct vulnerability integration
import data to specific domains. See Create domain-separated imports for the Qualys Host Detection Integration for more information.
Domain-separated data
Data can be domain separated, which means:
- Vulnerable item ingested from third-party scanners stays in the same domain as the domain
of the integration user, and is not accessible from any other domain.
- Vulnerabilities, vulnerable items (instances) or assets in one domain cannot be viewed from
other domains.
- The risk scoring algorithm, the vulnerability group rules and the remediation target rules
cannot be viewed by anyone outside the domain.
- Vulnerability information from the NVD can exist in the global domain and be shared with
all customers.
- Remediation tasks in one domain cannot be viewed from another domain.
- Deferral workflows created in one domain are not visible in another domain.
- All email notifications are contained within the domain they belong to.
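The following Python model is an added illustration, not code from the ServiceNow documentation or product, of how the rules above play out once every VR table carries a Domain (sys_domain) column. It assumes the standard domain-separation visibility rule, which the page does not spell out: a user sees records in their own domain and its child domains, plus everything in the global domain. The domain names (acme, acme_eu, beta), user names, table labels and the CVE-EXAMPLE placeholder are all constructed for the demonstration; scanner findings are routed to the integration user's domain and NVD knowledge is loaded once into global, as the page describes.

```python
"""Toy model of domain-separated Vulnerability Response data (constructed example).

Assumed visibility rule (standard ServiceNow domain separation, not stated on
the page): a user sees records whose sys_domain is their own domain or one of
its descendants, plus anything in the global domain.
"""
from dataclasses import dataclass

GLOBAL = "global"


@dataclass(frozen=True)
class Record:
    table: str        # constructed labels: "vulnerable_item" or "vulnerability" (NVD knowledge)
    name: str
    sys_domain: str   # the Domain column every VR table gets once the instance is separated


@dataclass(frozen=True)
class User:
    name: str
    domain: str


class DomainStore:
    """Holds records and answers domain-scoped visibility questions."""

    def __init__(self, parent_of):
        # child domain -> parent domain; top-level customer domains hang off global
        self.parent_of = parent_of
        self.records = []

    def lineage(self, domain):
        """The domain followed by its ancestors up to global."""
        chain = [domain]
        while chain[-1] != GLOBAL:
            chain.append(self.parent_of[chain[-1]])
        return chain

    def insert(self, table, name, domain):
        rec = Record(table, name, domain)
        self.records.append(rec)
        return rec

    def can_see(self, user, rec):
        # Global data is shared with everyone; otherwise the record's domain must be
        # the user's own domain or sit below it in the hierarchy.
        return rec.sys_domain == GLOBAL or user.domain in self.lineage(rec.sys_domain)

    def visible(self, user, table):
        """Sorted names of the records in `table` that `user` is allowed to see."""
        return sorted(r.name for r in self.records
                      if r.table == table and self.can_see(user, r))


def ingest_scan(store, integration_user, findings):
    """Scanner findings land in the integration user's domain, as the page describes."""
    return [store.insert("vulnerable_item", f, integration_user.domain) for f in findings]


def build_demo():
    # Constructed MSP layout: two customers under global, one with a sub-domain.
    store = DomainStore({"acme": GLOBAL, "beta": GLOBAL, "acme_eu": "acme"})
    acme_int = User("qualys.acme", "acme")          # integration user for customer ACME
    acme_eu_int = User("tenable.acme_eu", "acme_eu")  # integration user for ACME's EU sub-domain
    beta_int = User("rapid7.beta", "beta")          # integration user for customer BETA
    analysts = {
        "msp": User("msp.analyst", GLOBAL),   # service provider analyst in global
        "acme": User("acme.analyst", "acme"),
        "beta": User("beta.analyst", "beta"),
    }
    # NVD knowledge is loaded once into global and shared across all clients.
    store.insert("vulnerability", "CVE-EXAMPLE-0001", GLOBAL)
    # Each scanner's findings are ingested into its integration user's domain.
    ingest_scan(store, acme_int, ["acme-web01/CVE-EXAMPLE-0001"])
    ingest_scan(store, acme_eu_int, ["acme-eu-db01/CVE-EXAMPLE-0001"])
    ingest_scan(store, beta_int, ["beta-app01/CVE-EXAMPLE-0001"])
    return store, analysts


if __name__ == "__main__":
    store, analysts = build_demo()
    for label, user in analysts.items():
        print(label, "sees VIs:", store.visible(user, "vulnerable_item"),
              "| knowledge:", store.visible(user, "vulnerability"))
```

Running it shows the BETA analyst seeing only the BETA vulnerable item, the ACME analyst seeing ACME and ACME EU items (child domain), the global MSP analyst seeing all three, and every analyst seeing the shared NVD entry. Swapping the integration user's domain in `ingest_scan` is the quickest way to see how a misconfigured integration credential would route a customer's findings into the wrong domain.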
How vulnerability analysts manage their own application data
- Analysts create their own application installation, multi-source application management,
and CI lookup rules.
- Analysts can configure specific integrations exclusively for use within the domain.
- Analysts can create their own deferral and change management workflows.
- Analysts can create their own vulnerability group rules, risk-scoring logic to accurately
prioritize vulnerabilities, auto-assign vulnerability groups and assign to the correct
assignment group.
- Domain users create a manual vulnerability item and then close the item.
Business logic and processes that can be domain-separated by the instance owner
- Vulnerability Response users and groups
- Vulnerability Response integrations (starting with the Madrid release)
- Complete setup configuration (user and group management, application installation, multi-source application management, CI lookup rules, vulnerability group rules, risk calculators, remediation target rules, etc.)
- Complete remediation life cycle, including deferral
- Vulnerability Response remediation target rules