Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Security Operations
Table of Contents
Choose your release version
    Home New York Security Incident Management Security Operations Vulnerability Response Understanding the Vulnerability Response application Vulnerability Solution Management

    Vulnerability Solution Management

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Vulnerability Solution Management

    Starting with Vulnerability Response v8.0, automatically correlate the vulnerabilities in your environment with solutions from the Microsoft Security Response Center. Starting with v10.3 of Vulnerability Response, you have access to Red Hat Solution Integration solutions. Identify the remediation actions that apply to your vulnerabilities and prioritize them by the greatest reduction in vulnerability risk.

    Security and IT teams often spend a significant amount of time researching vulnerability findings in order to identify the most effective treatments for their environment. Given the volume and complexity of vulnerabilities in large organizations, translating vulnerability findings into remediation tasks is a manual, tedious, and error-prone process.

    With Vulnerability Solution Management, you can automatically correlate your vulnerability findings with the solutions that remediate them. Identify the software patches, configuration updates, and other controls that have the highest impact for your organization without the manual overhead.

    Vulnerability Solution Management requirements

    Vulnerability Solution Management is a feature available within the Vulnerability Response application. Vulnerability Solution Management requires a separate subscription.

    For more information about getting entitlements for applications from the ServiceNow Store, see Get entitlement for a Security Operations product or application. See Install the Vulnerability Solution Management application for more information about installing the application after you have downloaded it onto your instance.

    After it is installed, Vulnerability Solution Management provides you access to Microsoft Security Response Center data from within Vulnerability Response. Starting with v10.3 of Vulnerability Response, the Red Hat solution data is also available.

    Note:

    You can configure both solution applications from within Setup Assistant. See Vulnerability Response configuration using the Setup Assistant.

    See Understanding the Microsoft Security Response Center Solution Integration and Understanding the Red Hat Solution Integration for more information on the imported solutions.

    Available versions

    For the most current version of Vulnerability Solution Management, verify you have the most current version of Vulnerability Response installed.

    Release version Release Notes

    Vulnerability Solution Management v10.3

    Vulnerability Solution Management v8.0

    Vulnerability Response release notes

    Understanding solutions and supersedence

    A superseded update is a complete replacement of a previous release or releases. For example, a hotfix update may be superseded by a Service Pack. Solutions are related to vulnerabilities. Solutions can also relate to other solutions in a supersedence chain. Solutions address vulnerabilities in preceding solutions as well since they’re cumulative. Vulnerability Solution Management automatically associates vulnerabilities from preceding solutions with superseding solutions. If an older vulnerability is found, any higher superseding solution can address it, but the highest supersedence solution is preferred, since it is the most cumulative.

    Potential versus Preferred Solutions

    A potential solution is one that could address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution is the single solution targeted for remediating a vulnerability or vulnerable item (VI). It communicates intention, and enables more detailed deployment metrics.

    Preferred Solutions

    Vulnerability Solution Management automatically sets the most effective solution (Preferred Solution) for the detected vulnerability based on highest-supersedence when only one highest-supersedence solution exists. If more than one highest-supersedence exists for the vulnerability, no value is set. In Vulnerability Response, Preferred Solution is the Microsoft Security Response Center solution with the highest supersedence derived from the solutions associated with the vulnerability.

    Preferred Solution values can be set on the vulnerable item or the vulnerability. When set on the vulnerability, all vulnerable items associated with the vulnerability inherit that solution. Starting with v10.0, you can change the Preferred Solution values for multiple vulnerable items using the bulk edit feature. When bulk edited, only the Preferred Solution on the vulnerable item is updated since setting the Preferred solution at the vulnerability entry level would set the Preferred solution for all new VIs going forward. Bulk editing only applies to current vulnerable items.
    Note: If multiple highest-supersedence solutions exist for a vulnerability, Preferred Solution values at the vulnerability level are cleared, since that solution depends on the affected asset. When multiple highest-supersedence solutions exist for a vulnerability, set a Preferred Solution on the vulnerable item. You can set a different solution using the Lookup list on the Vulnerable Item form.

    All preferred solutions for the vulnerable items in a vulnerability group are in a related list on the Vulnerability Group form.

    Not all solution imports result in full data refreshes. The supersedence process updates when:
    • A vulnerable item is created.
    • Data has changed on an active VI.
    • New solution data was released since last import.

    What does Vulnerability Solution Management do?

    • Automatically associates new vulnerable items and vulnerability groups with solutions during Microsoft Security Response Center Solution Integration and Red Hat Solution Integration import.import. Starting with Vulnerability Responsev10.0, solutions are associated with the latest bulletin the solution appears in.

    • Automatically associates vulnerable items and vulnerability groups with solutions when vulnerability records are associated manually with solutions.
      Note: Vulnerable items manually re-assigned to another solution are not automatically updated with solution changes at the vulnerability level.
    • MSRC: Creates supersedence chains during import that you can view in the solution's related list.
    • Indicates whether a solution is a highest-supersedence solution or not.
    • Lists the Solution Risk score associated with each solution to provide you with the biggest opportunities for risk reduction.
    • Maintains Remediation Status for solutions on Third-party Vulnerability Entries and Vulnerability Solution records so you can track remediation progress.

      It contains:
      • Vulnerable item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
      • Configuration Item (CI) counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
      • Vulnerable item counts by percent remediated, for those VIs with Potential Solutions, with and without those VIs in the Deferred state.
      • Configuration Item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.

    What can you do with Vulnerability Solution Management?

    • Create, update, view, or delete solutions associated with vulnerabilities, so that you can track vulnerability solutions that are not covered by third-party solution content.
    • Associate third-party vulnerabilities and NVD entries with a solution record.
    • Remove and reassociate vulnerable items and vulnerability groups with a solution.
    • View the Preferred Solution applicable to a given vulnerability on the vulnerability and vulnerable item forms.
    • View a Preferred Solutions related list on vulnerability group forms that lists all the solutions that have been preferred by at least one active VI within that group.
    • View the Remediation Status details on a solution that show the risk reduction associated with deploying the Preferred Solution on vulnerability, vulnerable item, vulnerability group, and solution forms.
    • View vulnerabilities applicable to a given solution on the solution form.
    • MSRC: View the superseding solutions for a given solution on a vulnerability, to find the latest update to deploy, or an earlier, more focused, efficient update.
    • View lists of solutions sorted for different characteristics.
      • All: Solutions sorted by Date published and Number.
      • MSRC: Highest Supersedence: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence, Date published, and Number.
      • With Vulnerable Items: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence or Preferred, Risk Score, and Number. If deployed, the top entries in the list provide the largest risk reduction for the assets in your environment.

    Solution record Risk score and Risk rating

    Note: The Solution record Risk score and Risk rating are distinct from those fields used for vulnerabilities, vulnerable items, and vulnerability groups.

    The Solution record Risk score is a weighted calculation based on the vulnerable item Risk score and a count of active vulnerable items with this solution as their Potential Solution. Solution Risk score provides an estimation of the reduction in risk that the solution is expected to accomplish.

    Solution record Risk score is calculated as follows:
    • It starts by taking 85% of the highest or maximum Risk score of a vulnerable item with that potential solution.
    • Solution record Risk score then tabulates the total number of vulnerable items with that potential solution. For each range of the number of vulnerable items, it adds some points and arrives at a total.
      • 0–09 vulnerable items adds no points
      • 10–99 vulnerable items adds 5 points
      • 100–999 vulnerable items adds 10 points
      • 1000 and beyond vulnerable items adds 15 points

      For example, for a vulnerable item Risk score of 80, the Solution record Risk score would start at 68. If there were 200 active total vulnerable items with that potential solution, then the final Solution record Risk score would be 78.

    The Solution record Risk rating separates the Solution record Risk score into ranges from Critical to None. Solution Risk rating rates the risk reduction for the vulnerable items that this solution remediates.

    Risk ratings separate the resulting Solution Risk score into the following ranges:
    • 1 — Critical (90+ Solution Risk score)
    • 2 — High (70-89 Solution record Risk score)
    • 3 — Medium (30-69 Solution record Risk score)
    • 4 — Low (1-29 Solution record Risk score)
    • 5 — None (0 Solution record Risk score)

    Use Cases

    View the status deployment progress of a current patch cycle using the highest-supersedence module, sorted by date.

    View highest value solutions using the With Vulnerable Items module, sorted by risk score.

    Solution lists communicate key solution details, risk scores, and deployment metrics. Use Risk score and active VI counts for prioritization. See which solutions in the current patch cycle are not progressing, possibly an indication of a missed deployment prerequisite.
    Note: Add %VIs remediated(percent_nd_pref_vis_remediated) from the Personalize List Columns menu for remediation progress on the Vulnerability Solutions form.
    • Understanding the Microsoft Security Response Center Solution Integration

      Review and implement proposed remediation solutions provided by the Microsoft Security Response Center Solution Integration.

    • Understanding the Red Hat Solution Integration

      Starting with V10.3 of Vulnerability Response, you can review and implement proposed remediation solutions provided by the Red Hat Solution Integration.

    Related concepts
    • Vulnerability Response personas and granular roles
    • Vulnerability Response assignment rules overview
    • Vulnerability Response groups and group rules overview
    • Vulnerability groups and group rules overview (Prior to v10.0)
    • CI Lookup Rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations
    • Discovered Items
    • Vulnerability Response group and vulnerable item states
    • Vulnerability Response calculators and vulnerability calculator rules
    • Vulnerability Response vulnerable item detections from third-party integrations
    • Vulnerability Response remediation target rules
    • Introduction to Exception Management
    • Introduction to False Positive
    • Change management for Vulnerability Response
    • Software exposure assessment using Software Asset Management (SAM)
    • Domain separation and Vulnerability Response

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Vulnerability Solution Management

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Vulnerability Solution Management

      Starting with Vulnerability Response v8.0, automatically correlate the vulnerabilities in your environment with solutions from the Microsoft Security Response Center. Starting with v10.3 of Vulnerability Response, you have access to Red Hat Solution Integration solutions. Identify the remediation actions that apply to your vulnerabilities and prioritize them by the greatest reduction in vulnerability risk.

      Security and IT teams often spend a significant amount of time researching vulnerability findings in order to identify the most effective treatments for their environment. Given the volume and complexity of vulnerabilities in large organizations, translating vulnerability findings into remediation tasks is a manual, tedious, and error-prone process.

      With Vulnerability Solution Management, you can automatically correlate your vulnerability findings with the solutions that remediate them. Identify the software patches, configuration updates, and other controls that have the highest impact for your organization without the manual overhead.

      Vulnerability Solution Management requirements

      Vulnerability Solution Management is a feature available within the Vulnerability Response application. Vulnerability Solution Management requires a separate subscription.

      For more information about getting entitlements for applications from the ServiceNow Store, see Get entitlement for a Security Operations product or application. See Install the Vulnerability Solution Management application for more information about installing the application after you have downloaded it onto your instance.

      After it is installed, Vulnerability Solution Management provides you access to Microsoft Security Response Center data from within Vulnerability Response. Starting with v10.3 of Vulnerability Response, the Red Hat solution data is also available.

      Note:

      You can configure both solution applications from within Setup Assistant. See Vulnerability Response configuration using the Setup Assistant.

      See Understanding the Microsoft Security Response Center Solution Integration and Understanding the Red Hat Solution Integration for more information on the imported solutions.

      Available versions

      For the most current version of Vulnerability Solution Management, verify you have the most current version of Vulnerability Response installed.

      Release version Release Notes

      Vulnerability Solution Management v10.3

      Vulnerability Solution Management v8.0

      Vulnerability Response release notes

      Understanding solutions and supersedence

      A superseded update is a complete replacement of a previous release or releases. For example, a hotfix update may be superseded by a Service Pack. Solutions are related to vulnerabilities. Solutions can also relate to other solutions in a supersedence chain. Solutions address vulnerabilities in preceding solutions as well since they’re cumulative. Vulnerability Solution Management automatically associates vulnerabilities from preceding solutions with superseding solutions. If an older vulnerability is found, any higher superseding solution can address it, but the highest supersedence solution is preferred, since it is the most cumulative.

      Potential versus Preferred Solutions

      A potential solution is one that could address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution is the single solution targeted for remediating a vulnerability or vulnerable item (VI). It communicates intention, and enables more detailed deployment metrics.

      Preferred Solutions

      Vulnerability Solution Management automatically sets the most effective solution (Preferred Solution) for the detected vulnerability based on highest-supersedence when only one highest-supersedence solution exists. If more than one highest-supersedence exists for the vulnerability, no value is set. In Vulnerability Response, Preferred Solution is the Microsoft Security Response Center solution with the highest supersedence derived from the solutions associated with the vulnerability.

      Preferred Solution values can be set on the vulnerable item or the vulnerability. When set on the vulnerability, all vulnerable items associated with the vulnerability inherit that solution. Starting with v10.0, you can change the Preferred Solution values for multiple vulnerable items using the bulk edit feature. When bulk edited, only the Preferred Solution on the vulnerable item is updated since setting the Preferred solution at the vulnerability entry level would set the Preferred solution for all new VIs going forward. Bulk editing only applies to current vulnerable items.
      Note: If multiple highest-supersedence solutions exist for a vulnerability, Preferred Solution values at the vulnerability level are cleared, since that solution depends on the affected asset. When multiple highest-supersedence solutions exist for a vulnerability, set a Preferred Solution on the vulnerable item. You can set a different solution using the Lookup list on the Vulnerable Item form.

      All preferred solutions for the vulnerable items in a vulnerability group are in a related list on the Vulnerability Group form.

      Not all solution imports result in full data refreshes. The supersedence process updates when:
      • A vulnerable item is created.
      • Data has changed on an active VI.
      • New solution data was released since last import.

      What does Vulnerability Solution Management do?

      • Automatically associates new vulnerable items and vulnerability groups with solutions during Microsoft Security Response Center Solution Integration and Red Hat Solution Integration import.import. Starting with Vulnerability Responsev10.0, solutions are associated with the latest bulletin the solution appears in.

      • Automatically associates vulnerable items and vulnerability groups with solutions when vulnerability records are associated manually with solutions.
        Note: Vulnerable items manually re-assigned to another solution are not automatically updated with solution changes at the vulnerability level.
      • MSRC: Creates supersedence chains during import that you can view in the solution's related list.
      • Indicates whether a solution is a highest-supersedence solution or not.
      • Lists the Solution Risk score associated with each solution to provide you with the biggest opportunities for risk reduction.
      • Maintains Remediation Status for solutions on Third-party Vulnerability Entries and Vulnerability Solution records so you can track remediation progress.

        It contains:
        • Vulnerable item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
        • Configuration Item (CI) counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.
        • Vulnerable item counts by percent remediated, for those VIs with Potential Solutions, with and without those VIs in the Deferred state.
        • Configuration Item counts by percent remediated, for those VIs with Preferred Solutions, with and without those VIs in the Deferred state.

      What can you do with Vulnerability Solution Management?

      • Create, update, view, or delete solutions associated with vulnerabilities, so that you can track vulnerability solutions that are not covered by third-party solution content.
      • Associate third-party vulnerabilities and NVD entries with a solution record.
      • Remove and reassociate vulnerable items and vulnerability groups with a solution.
      • View the Preferred Solution applicable to a given vulnerability on the vulnerability and vulnerable item forms.
      • View a Preferred Solutions related list on vulnerability group forms that lists all the solutions that have been preferred by at least one active VI within that group.
      • View the Remediation Status details on a solution that show the risk reduction associated with deploying the Preferred Solution on vulnerability, vulnerable item, vulnerability group, and solution forms.
      • View vulnerabilities applicable to a given solution on the solution form.
      • MSRC: View the superseding solutions for a given solution on a vulnerability, to find the latest update to deploy, or an earlier, more focused, efficient update.
      • View lists of solutions sorted for different characteristics.
        • All: Solutions sorted by Date published and Number.
        • MSRC: Highest Supersedence: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence, Date published, and Number.
        • With Vulnerable Items: Solutions with active, non-deferred vulnerable items. Sorted by Highest supersedence or Preferred, Risk Score, and Number. If deployed, the top entries in the list provide the largest risk reduction for the assets in your environment.

      Solution record Risk score and Risk rating

      Note: The Solution record Risk score and Risk rating are distinct from those fields used for vulnerabilities, vulnerable items, and vulnerability groups.

      The Solution record Risk score is a weighted calculation based on the vulnerable item Risk score and a count of active vulnerable items with this solution as their Potential Solution. Solution Risk score provides an estimation of the reduction in risk that the solution is expected to accomplish.

      Solution record Risk score is calculated as follows:
      • It starts by taking 85% of the highest or maximum Risk score of a vulnerable item with that potential solution.
      • Solution record Risk score then tabulates the total number of vulnerable items with that potential solution. For each range of the number of vulnerable items, it adds some points and arrives at a total.
        • 0–09 vulnerable items adds no points
        • 10–99 vulnerable items adds 5 points
        • 100–999 vulnerable items adds 10 points
        • 1000 and beyond vulnerable items adds 15 points

        For example, for a vulnerable item Risk score of 80, the Solution record Risk score would start at 68. If there were 200 active total vulnerable items with that potential solution, then the final Solution record Risk score would be 78.

      The Solution record Risk rating separates the Solution record Risk score into ranges from Critical to None. Solution Risk rating rates the risk reduction for the vulnerable items that this solution remediates.

      Risk ratings separate the resulting Solution Risk score into the following ranges:
      • 1 — Critical (90+ Solution Risk score)
      • 2 — High (70-89 Solution record Risk score)
      • 3 — Medium (30-69 Solution record Risk score)
      • 4 — Low (1-29 Solution record Risk score)
      • 5 — None (0 Solution record Risk score)

      Use Cases

      View the status deployment progress of a current patch cycle using the highest-supersedence module, sorted by date.

      View highest value solutions using the With Vulnerable Items module, sorted by risk score.

      Solution lists communicate key solution details, risk scores, and deployment metrics. Use Risk score and active VI counts for prioritization. See which solutions in the current patch cycle are not progressing, possibly an indication of a missed deployment prerequisite.
      Note: Add %VIs remediated(percent_nd_pref_vis_remediated) from the Personalize List Columns menu for remediation progress on the Vulnerability Solutions form.
      • Understanding the Microsoft Security Response Center Solution Integration

        Review and implement proposed remediation solutions provided by the Microsoft Security Response Center Solution Integration.

      • Understanding the Red Hat Solution Integration

        Starting with V10.3 of Vulnerability Response, you can review and implement proposed remediation solutions provided by the Red Hat Solution Integration.

      Related concepts
      • Vulnerability Response personas and granular roles
      • Vulnerability Response assignment rules overview
      • Vulnerability Response groups and group rules overview
      • Vulnerability groups and group rules overview (Prior to v10.0)
      • CI Lookup Rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations
      • Discovered Items
      • Vulnerability Response group and vulnerable item states
      • Vulnerability Response calculators and vulnerability calculator rules
      • Vulnerability Response vulnerable item detections from third-party integrations
      • Vulnerability Response remediation target rules
      • Introduction to Exception Management
      • Introduction to False Positive
      • Change management for Vulnerability Response
      • Software exposure assessment using Software Asset Management (SAM)
      • Domain separation and Vulnerability Response

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login