Starting with v10.0, view all of the information that is gathered by third-party scans
in your Now Platform® instance. View the returned results of the scans on
detection and vulnerable item (VI) records in your instance just as they appear on the
scanners.
Overview
Starting with v10.0, the Vulnerability Response application supports third-party
integrations that retrieve vulnerable item data from your enterprise environment. Detailed
data about detections, that is, single, distinct occurrences of vulnerabilities as reported
by the scanners of your third-party integrations, are imported and displayed on both the
detection and the vulnerable item records in your Now Platform instance.
Before vulnerable item detections were introduced in v10.0, the relationship between a CI (asset) in your
environment and an imported vulnerability from a third-party scanner created a unique
vulnerable item in your Now Platform instance. Starting with v10.0, the granularity of the
original data provided by the scanner is preserved. With detections, the detection data is
paired with vulnerable items. During an ingestion, if a vulnerable item is not found, a new
VI is created.
Supported versions of Vulnerability Response
Vulnerable item detections are supported by the Vulnerability Response application for
v10.0 for the Madrid, New York, and Orlando family releases. For more information about
installing or updating the Vulnerability Response application to v10.0, see Install and configure Vulnerability Response.
Supported third-party integrations
A supported third-party integration with your Vulnerability Response application is
required for vulnerable item detections. Starting with v10.0, the following third-party
integrations are supported by the Vulnerability Response application for vulnerable item
detections:
- Qualys Host Detection Integration
- Rapid7 Data Warehouse:
  - Vulnerable Item Integration
  - Vulnerable Item Resolution Integration
- Rapid7 Vulnerable Item Resolution Integration (InsightVM):
  - Insight VM integration
  - Vulnerable Item Integration - API
These third-party integrations are available with a separate subscription from the ServiceNow Store. For more information about these integrations, see Vulnerability Response integrations. For more information about obtaining entitlement, see Security Operations and the ServiceNow Store.
To verify that your third-party scanner is configured for import, see Install and configure the Rapid7 Integration for Security Operations application
and Install the Qualys Vulnerability Integration.
Key terms for vulnerable item detections
- Vulnerability
  - Data about weaknesses in software, operating systems, and assets imported from
    internal and external sources. This data is imported and compared to existing assets
    (configuration items, CIs) listed in the CMDB.
- Vulnerable item
  - A vulnerable item is created or updated when an imported vulnerability matches a CI
    in the CMDB.
- Detection
  - A single, distinct occurrence of a vulnerability as reported by a scanner, referred
    to as a Vulnerable Item Detection within the Now Platform
    environment. A detection includes enriched data about a vulnerability and any
    corresponding vulnerable items. This data is displayed on the Detection record (VID#)
    and the vulnerable item list view, which includes the following details:
    - First found (date)
    - Last found (date)
    - DNS name
    - NetBIOS name
    - IP address
    - Port
    - Protocol
    - Proof
    - SSL
    - Times found
- Detection key
  - A hashed combination of fields that provides a way to identify a detection and tie it
    to a vulnerable item. It is composed of: vulnerability entry, port, protocol,
    discovered item, and proof.
- De dup
  - The process by which the Vulnerability Response application collapses
    individual detections into a single VI when the data meets certain hard-coded
    criteria.
- VI External ID
  - The value stored in the External ID field of the VI table. This value is a hash
    of the combination of keys within a VI that makes it unique
    within the application. It is composed of a CI and a vulnerability entry.
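The relationship between the detection key and the VI External ID, modeled as an added example (not ServiceNow code): several detections on different ports pair with one VI, and a VI is created when none is found. The SHA-256 hash, the field separator, the row field names, and the way first found, last found, and times found change on a repeat sighting are assumptions; the page states only which fields make up each key.

```python
import hashlib
from dataclasses import dataclass, field

def _digest(*parts):
    # Assumption: SHA-256 over separator-joined fields; the page names no hash.
    return hashlib.sha256("\x1f".join(map(str, parts)).encode()).hexdigest()

def detection_key(row):
    # Page: vulnerability entry, port, protocol, discovered item, proof.
    return _digest(row["vuln"], row["port"], row["protocol"], row["ci"], row["proof"])

def vi_external_id(row):
    # Page: a CI and a vulnerability entry.
    return _digest(row["ci"], row["vuln"])

@dataclass
class VulnerableItem:
    external_id: str
    detections: dict = field(default_factory=dict)  # detection key -> record

def ingest(rows, vis=None):
    """Pair each scanner row with its VI; create the VI when none is found."""
    vis = {} if vis is None else vis
    for row in rows:
        ext_id = vi_external_id(row)
        vi = vis.setdefault(ext_id, VulnerableItem(ext_id))
        key = detection_key(row)
        det = vi.detections.get(key)
        if det is None:
            vi.detections[key] = {**row, "first_found": row["seen"],
                                  "last_found": row["seen"], "times_found": 1}
        else:
            # Assumption: a repeat sighting updates the existing detection.
            det["first_found"] = min(det["first_found"], row["seen"])
            det["last_found"] = max(det["last_found"], row["seen"])
            det["times_found"] += 1
    return vis

# Constructed sample rows, not real scanner output.
SAMPLE = [
    {"ci": "web01", "vuln": "VULN-A", "port": 443, "protocol": "tcp", "proof": "p1", "seen": "2020-01-01"},
    {"ci": "web01", "vuln": "VULN-A", "port": 8443, "protocol": "tcp", "proof": "p1", "seen": "2020-01-01"},
    {"ci": "web01", "vuln": "VULN-A", "port": 443, "protocol": "tcp", "proof": "p1", "seen": "2020-01-08"},
    {"ci": "db01", "vuln": "VULN-A", "port": 443, "protocol": "tcp", "proof": "p1", "seen": "2020-01-08"},
]

if __name__ == "__main__":
    for vi in ingest(SAMPLE).values():
        print(vi.external_id[:12], len(vi.detections), "detection(s)")
```

In this model the four sample rows yield two VIs: web01 holds two detections (ports 443 and 8443), and the repeated port 443 row raises times found to 2 instead of creating a third detection.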