The Vulnerability Response integration with Microsoft Threat and Vulnerability Management (MS TVM) application uses data imported from MS TVM to help you prioritize and remediate vulnerabilities for your assets. The application is available with a separate subscription from the ServiceNow Store.

You can use the MS TVM Vulnerability integration to import third-party scanner data about your assets and vulnerabilities. You can then view reports about vulnerabilities and vulnerable items on the Vulnerability Response dashboards.

MS TVM integration workflow that displays installing and configuring the application, viewing the ingested data in your Now Platform instance, and automatically prioritizing and remediating vulnerabilities for your assets.

Available versions

Release version Release notes

Vulnerability Response Integration with MS TVM v2.2

For more information about released versions of the Vulnerability Response application, compatibility, and schema changes, see the Vulnerability Response Compatibility Matrix and Release Schema Changes [KB0856498] article in the HI Knowledge Base.

Domain separation and MS TVM

Import vulnerability integration data to a specified domain by assigning a user in that domain to run the integrations. To create domain-separated imports for the MS TVM Vulnerability Integration, see Create domain-separated imports for an integration.

Terms and key features of the integrations

Vulnerable items and vulnerabilities
A vulnerable item is created in your Now Platform instance when:
  • An imported vulnerability from a third-party scanner is matched to an existing asset (configuration item) in your CMDB). The MS TVM product refers to these matches as vulnerabilities.
  • An imported vulnerability from a third-party scanner is not matched to an existing asset in your CMDB. In this case, an unmatched configuration item (CI) is also created with a vulnerable item.

    Use the Identification and Reconciliation Engine (IRE) to create CIs in two new classes when an existing CI can't be matched with a host. Otherwise, unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine.

Third-party vulnerability entries
Third-party vulnerability entries are imported from third-party scanners such as MS TVM and are listed in the Third-Party Vulnerability Entries table in your Now Platform instance. Also, National Vulnerability Database entries (CVEs) are imported from MS TVM. The exploit information that is associated with both these types of entries comes from MS TVM. This exploit information can be used for risk calculation.
Note: A third-party vulnerability is retrieved only for vulnerabilities that do not have a CVE assigned to them. MS TVM can add a temporary name for the vulnerability, for example, TVM-XXXX-XXXX. This name is updated after a CVE ID is assigned.
Configuration item (CI)
CIs are the existing assets that are listed in your CMDB.
Discovered item
Discovered items are the assets that are ingested from the MS TVM machine import that match existing CIs in your CMDB.

If a match is not found, a CI is created in the Unmatched CI class of the CMDB. Enable the CMDB CI Class Models plugin, the Identification and Reconciliation Engine (IRE) creates CIs by using new classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. If the original, unmatched CI is reclassified, the discovered item records are updated to reflect that state. Discovered items give you visibility into how assets are identified and mapped to CIs in the CMDB.

CI lookup rules
When data is imported from MS TVM, Vulnerability Response automatically uses machine (asset) data to search for matches in the CMDB. CI lookup rules are used to identify CIs and to add them to VI records when VIs are created.
Instance
An instance refers to multiple accounts of MS TVM. Each account can be an instance in the MS TVM application.
Integration
An integration is a scheduled job that retrieves information from a third-party source, such as the integration of the MS TVM machines.
Deployment
When an integration supports multi-source, a single integration existence is referred to as a deployment of your integration. A deployment refers to the integrations and products across your environment. For example, you might have multiple deployments of MS TVM in your environment.

The MS TVM integration also includes the following key features:

  • You can identify the assets across your environment and update the CIs on your existing discovered items, vulnerable items, and detection records to give you more details about your vulnerabilities.
  • You can schedule when you want the jobs to run for all the MS TVM integrations. You can also execute scheduled jobs on-demand.
  • You can group vulnerable items.
  • You can configure CI lookup rules to define how the asset data from third-party sources is used to identify CIs in your CMDB.

Required Now Platform roles

The integration tasks require the following roles in your Now Platform instance.

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

admin
The system admin uses Setup Assistant to install the MS TVM application. If not assigned, the admin assigns the vulnerability admin (sn_vul.vulnerability_admin) and other roles in Setup Assistant.
sn_vul.vulnerability_admin
Once assigned, the vulnerability admin completes the configuration of the MS TVM integrations in Setup Assistant. This role has complete access to the Vulnerability Response application and its records. The vulnerability admin configures all Vulnerability Response applications and rules for installed third-party integrations.
sn_vul_msft_tvm.configure_integration

This role contains the sn_vul_msft_tvm.read_integration granular role. Users with this role can configure the  Vulnerability Response Integration with the Microsoft Threat and Vulnerability Management application.

sn_vul_msft_tvm.read_integration

Users with this role can only view the  Vulnerability Response Integration with the Microsoft Threat and Vulnerability Management application records.

Vulnerability Response group
By default, the Vulnerability Response group is available in Setup Assistant. Users assigned to the Vulnerability Response group inherit the sn_vul.read_all and sn_vul.remediation_owner roles automatically.

MS TVM integrations

Multi-source is supported for all the MS TVM integrations. You can add and deploy multiple instances of the following integrations across your environment from Setup Assistant in Vulnerability Response. You also install and configure the Vulnerability Response Integration with the MS TVM application from Setup Assistant.

To view the MS TVM integrations, navigate to Microsoft TVM Vulnerability Integration > Administration > Integrations. Vulnerability Response provides integrations with MS TVM end points to import the data according to the scheduled time intervals. The following integrations are included in the base system.

Table 1. MS TVM integrations
Run sequenceScheduleIntegrationDescription
1 Daily Microsoft TVM Recommendations Integration Retrieves a list of all the actionable security recommendations to remediate the vulnerabilities.
2 Daily Microsoft TVM Vulnerability (CVE) Integration Retrieves a list of the national vulnerability database entries and third-party vulnerability entries, as well as their exploit information.
3 Daily Microsoft TVM Machines Integration Retrieves all asset (machine) data, including machine tags, from the Microsoft TVM and processes it in your instance.
4 Weekly
Note: After installation, this integration is run automatically after the machines import.
 Microsoft TVM Machines Vulnerabilities Integration (Full Import) Retrieves all the open vulnerabilities on all the assets.
5 Daily Microsoft TVM Machines Vulnerabilities Integration (Delta Import) Retrieves all the information that has changed in the full vulnerability import of the organization, including the new, fixed, and updated vulnerabilities.

Vulnerable items are grouped into remediation tasks according to the group rules that you set and are assigned for remediation based on your assignment rules. For more information, see Vulnerability Response remediation tasks and remediation task rules overview and Vulnerability Response assignment rules overview.

CI lookup rules

When data is imported from MS TVM, Vulnerability Response automatically uses machine (asset) data to search for matches in the Configuration Management Database (CMDB). CI lookup rules are used to identify CIs and add them to VI records when VIs are created. For more information on how CI lookup rules work, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.
Note: Once you remove a rule, you can't recover it. Instead of removing an existing rule, you should disable it.
The following MS TVM lookup rules are shipped with the base system:
  • MAC_ADDRESS
  • FQDN
  • IP
Note: You can use multiple values for the IP_ADDRESS and MAC_ADDRESS of an asset. A CI lookup rule considers all values for matching.

Discovered items

You can see the CIs that were detected during an import from the MS TVM Machines integration.
Note: The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.
For more information, see Discovered Items.

Machine tags

Machine tags, also known as host tags, are used for organizing and tracking the assets in your organization. You assign tags to your machines.

All machine tags are imported as part of the MS TVM Machines integration. Machine tags are generally used for filtering in Vulnerability Response assignment rules and vulnerability group rules. The tags are displayed in the Discovered Item form.
Note: Run the MS TVM Machine integration before you create Vulnerability Response assignment or remediation task rules in the Vulnerability Response application so that all tags are available for these rules before vulnerable items are imported and grouped. Also note the following points about tags:
  • Tag storage is not case sensitive. If a Paris tag is created, then a PARIS tag cannot be stored in the Machine tag table. Paris and PARIS are considered to be the same machine tag by the system. Whichever tag is imported first is the tag that is stored and recognized.
  • Using machine tags as a group key in a remediation task rule may have unexpected results. Group keys are columns in the remediation tasks table, whereas machine tags are intended for use only in the condition builder.
  • Machine tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Disabling tags disables them across all Now Platform® instances.

What to do next

After you download the Vulnerability Response integration with Microsoft Threat and Vulnerability Management from the ServiceNow® Store, installation and configuration are supported by Setup Assistant in Vulnerability Response. For more information, see Install and configure the Vulnerability Response Integration with the MS TVM application using Setup Assistant.