
    Domain separation and Vulnerability Response

    This is an overview of domain separation and Vulnerability Response. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.

    Overview

    Support: Level 2

    Domain separation is supported in this application. Not all ServiceNow applications support domain separation; some include limitations on the data and administrative settings that can be domain separated. To learn more, see Application support for domain separation.

    How domain separation works in Vulnerability Response

    With domain separation, you can standardize Vulnerability Response (VR) procedures across the customer base you serve, with lower operational costs and a higher quality of service.

    Separate customer workspaces for workflows, dashboards, reports, and so on ensure that customer data is separated and never exposed to other clients.

    Table 1. Domain separation support in Vulnerability Response by version releases
    Release | Support level | Notes
    Geneva, Helsinki | No support |
    Istanbul | Data only | Initiation of data-level domain separation
    Jakarta | Level 2 (Data, Requestor, Fulfiller) | New features: 3rd-party integrations support with Level 2 domain separation under a single instance of the integration.
    Kingston | Level 2 (Data, Requestor, Fulfiller) | New features: 3rd-party scanner integration can be enabled with multiple instances of Qualys, for example, but all instances still live under a single domain.
    London | Level 2 (Data, Requestor, Fulfiller) |
    Madrid | Level 2 (Data, Requestor, Fulfiller) |

    Domain separation for the Vulnerability Response application covers the following product functionality:

    • Ingests vulnerable items from third-party scanners (Qualys, Rapid7 or Tenable) in the correct domain.
      • Data is ingested into the same domain as the integration user whose credentials are used for the integration.
    • Re-scans specific assets from Vulnerability Response in the domain from which it was requested.
    • Uses the CMDB CI lookup process to ensure that the CI information from the scanners matches the CIs in CMDB of the integration user’s domain.
    • Calculates risk scores at the vulnerable item level as per the risk score calculator defined in the same domain as that of the integration user.
    • Remediation target rules are executed on vulnerable items as per the remediation target rules defined in the same domain as that of the integration user.
    • Vulnerability group rules can be defined in, and stay in, the same domain as the integration user.
    • Vulnerability groups created using the vulnerability group rules stay in the same domain as where the group rules are created.
    • Deferral workflow goes through the approval process in the same domain for which the deferral is requested.
    • Reports and dashboards display the vulnerable item-states such as age of vulnerable item, open vulnerable items by CI, vulnerabilities by impact, and remediation target date status in the domain to which it belongs.
    • Knowledge from third-party scanners or the National Vulnerability Database (NVD) can be ingested in the global domain, and the data can be shared across multiple clients.
    Note: In all the above cases, the overarching principles of visibility under domain separation in the Now Platform apply.

    Use cases

    The Vulnerability Response application manages the life cycle of a vulnerability item end to end. The following use cases are domain-separation aware:

    • Ingest vulnerable items (vulnerabilities on assets) from Qualys, Rapid7 or Tenable
      • Ingest data from multiple instances
      • De-duplicate the vulnerable item
      • Match up with CMDB CI
    • Enrichment of vulnerable item with risk scores and remediation target dates
      • Asset enrichment (CMDB)
      • Risk score and remediation target date enrichment
    • Group vulnerable items and assign the vulnerability group
      • Automatically group the vulnerable items
      • Automatically assign the vulnerability group
    • Remediate
      • Vulnerability group assigned as a remediation task
      • Comprehensive remediation life cycle
      • Deferral workflow
    • Measure the security posture of the organization and vulnerability management program
      • Vulnerability trend, most vulnerable asset, vulnerability by age
      • Remediation status by the remediation target date

    Setup

    Setting up domain separation for Vulnerability Response does not require any additional steps. All Vulnerability Response tables acquire the Domain column after the instance is domain separated. You can direct vulnerability integration import data to specific domains. See Create domain-separated imports for the Qualys Host Detection Integration for more information.

    Domain-separated data

    Data can be domain separated, which means:
    • Vulnerable items ingested from third-party scanners stay in the same domain as the integration user and are not accessible from any other domain.
    • Vulnerabilities, vulnerable items (instances) or assets in one domain cannot be viewed from other domains.
    • The risk scoring algorithm, the vulnerability group rules and the remediation target rules cannot be viewed by anyone outside the domain.
    • Vulnerability information from the NVD can exist in the global domain and be shared with all customers.
    • Remediation tasks in one domain cannot be viewed from another domain.
    • Deferral workflows created in one domain are not visible in another domain.
    • All email notifications are contained within the domain they belong to.
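
    The rules above can be checked against exported records. The following is an added example, not ServiceNow code: the record layout, field names and sample rows are hypothetical and constructed, and it assumes sibling tenant domains plus a global domain, without modeling the platform's domain hierarchy. It flags vulnerable items whose domain differs from the integration user's domain, whose matched CI sits in another domain, or which reference knowledge that is neither global nor local.

```python
# Added example: record layout and field names are hypothetical; rows are constructed.
# Assumes sibling tenant domains plus "global"; domain hierarchy is not modeled.
from dataclasses import dataclass

GLOBAL = "global"


@dataclass(frozen=True)
class VulnerableItem:
    item_id: str
    domain: str        # value of the Domain column on the record
    integration: str   # integration that ingested the item
    ci_id: str         # CMDB CI matched by the CI lookup
    vuln_entry: str    # vulnerability knowledge entry the item refers to


def audit(items, integration_user_domain, ci_domain, entry_domain):
    """Return (item_id, rule, detail) for every record that breaks a rule."""
    findings = []
    for it in items:
        expected = integration_user_domain.get(it.integration)
        if expected is None:
            findings.append((it.item_id, "unknown-integration", it.integration))
            continue
        # An ingested item stays in the integration user's domain.
        if it.domain != expected:
            findings.append((it.item_id, "item-domain", f"{it.domain} != {expected}"))
        # The CI lookup must land on a CI in that same domain.
        ci_dom = ci_domain.get(it.ci_id)
        if ci_dom != expected:
            findings.append((it.item_id, "ci-domain", f"{it.ci_id} in {ci_dom}"))
        # Assumption: knowledge entries are either global (shared) or local.
        e_dom = entry_domain.get(it.vuln_entry)
        if e_dom not in (GLOBAL, expected):
            findings.append((it.item_id, "entry-domain", f"{it.vuln_entry} in {e_dom}"))
    return findings


def visible_items(items, viewer_domain):
    """Item ids a user in viewer_domain may see: only their own domain's."""
    return [it.item_id for it in items if it.domain == viewer_domain]


# Constructed sample data
INTEGRATION_USER_DOMAIN = {"qualys-acme": "acme", "qualys-globex": "globex"}
CI_DOMAIN = {"ci-web01": "acme", "ci-db01": "globex", "ci-app07": "globex"}
ENTRY_DOMAIN = {"CVE-PLACEHOLDER-1": GLOBAL, "SCANNER-ENTRY-PLACEHOLDER": "acme"}
ITEMS = [
    VulnerableItem("VIT-1", "acme", "qualys-acme", "ci-web01", "CVE-PLACEHOLDER-1"),
    VulnerableItem("VIT-2", "globex", "qualys-globex", "ci-db01", "CVE-PLACEHOLDER-1"),
    # Ingested through the acme integration but stored with a globex CI in globex.
    VulnerableItem("VIT-3", "globex", "qualys-acme", "ci-app07", "CVE-PLACEHOLDER-1"),
    # Right domain, but points at knowledge local to another tenant.
    VulnerableItem("VIT-4", "globex", "qualys-globex", "ci-db01", "SCANNER-ENTRY-PLACEHOLDER"),
]

if __name__ == "__main__":
    for finding in audit(ITEMS, INTEGRATION_USER_DOMAIN, CI_DOMAIN, ENTRY_DOMAIN):
        print(finding)
```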

    How vulnerability analysts manage their own application data

    • Analysts create their own application installation, multi-source application management, and CI lookup rules.
    • Analysts can configure specific integrations exclusively for use within the domain.
    • Analysts can create their own deferral and change management workflows.
    • Analysts can create their own vulnerability group rules, risk-scoring logic to accurately prioritize vulnerabilities, auto-assign vulnerability groups and assign to the correct assignment group.
    • Domain users create a manual vulnerability item and then close the item.

    Business logic and processes that can be domain-separated by instance owner

    • Vulnerability Response users and groups
    • Vulnerability Response integrations (starting with the Madrid release)
    • Complete setup configuration (user and group management, application installation, multi-source application management, CI lookup rules, vulnerability group rules, risk calculators, remediation target rules, etc.)
    • Complete remediation life cycle including deferral
    • Vulnerability Response Remediation Target Rules