You can manage patches and patch deployments for critical vulnerabilities across large groups of your assets with Patch orchestration with Vulnerability Response. Vulnerability Response Patch Orchestration and the patch orchestration integrations are available on the ServiceNow® Store.

Understanding patch orchestration with Vulnerability Response

Patch orchestration with Vulnerability Response uses data from scheduled imports from third-party solution integrations, patch vendors, and vulnerability scanners. This data is correlated in the Vulnerability Response application. This organization of data lets you complete the steps of the vulnerability remediation cycle: identify vulnerabilities, then apply patches and updates, and finally close vulnerable items using third-party scanner data, all from within your ServiceNow AI Platform® instance.

Figure: Patch orchestration overview, showing the stages install, configure, import data, view, and use.

Patch orchestration with Vulnerability Response is supported in both the classic environment and the Vulnerability Response workspaces.

For information about patch orchestration in the workspaces, see Patch orchestration with the Vulnerability Response Workspaces.

With patch orchestration in Vulnerability Response, vulnerability managers and analysts and IT remediation specialists can perform the following remediation tasks:
  • See more context and information about the types of patches and the vendors that make up their solutions (patches).
  • View and monitor vulnerability and solution data, as well as vulnerability remediation progress, from records in the Vulnerability Response Workspaces or in the classic environment.
  • Deploy patches supported by third-party solution vendors for their Windows, CentOS, macOS, Oracle, and other assets at regular, scheduled intervals. You can schedule patches during off-hours to avoid conflicts with users who are working.
  • Using imported detection data provided by third-party scanners, identify assets that have vulnerabilities and are not patched, or are not successfully updated by scheduled patches.
  • Initiate and schedule available patches for assets that require updates from Patch Update, remediation task, and discovered item records in the Vulnerability Response application.
  • Monitor patch deployments, with an optional approval process for patch requests submitted by your remediation specialists.

Key terms

Configuration item (CI)
CIs are the existing assets that are listed in your Configuration Management Database (CMDB).
Vulnerable item (VI)
An imported vulnerability that matches an existing asset in your CMDB. Vulnerable items (abbreviated VI or VIT) are grouped into remediation tasks, or lists, according to criteria that specify the remediation actions for those VIs.
Instance
Refers to a distinct account of a solution vendor application. For example, each user account can be an instance in the HCL BigFix application. This term also refers to a unique, secure web address for a ServiceNow AI Platform® instance.
Solution
There are two types of solutions in the context of this integration: potential and preferred. A potential solution is one that might address a vulnerability; vulnerabilities often have many potential solutions. A preferred solution is the most effective solution for a specific, detected vulnerability.
Patch
Software updates that fix vulnerabilities. Patch vendors use their own names for patches; for example, in the HCL BigFix application, patches are called Fixlets.
Preferred patch
Preferred patches are software updates that are intended to fix specific vulnerabilities. Patches, once deployed, map to the vulnerable items that are related to specific vulnerabilities and fix them.
Deployment
For the purposes of this integration, deployment refers to applying, initiating, or scheduling a patch on a machine.

Deployment in the ServiceNow AI Platform can also refer to an integration that supports multiple sources. Each separately configured copy of an integration is referred to as a deployment of that integration, so deployments cover the integrations and products across your environment. For example, you might have multiple deployments of a third-party scanner or of a solution vendor integration in your environment.

Available versions of applications and dependencies required for the patch orchestration integration

Roles required

Users need roles that are specific to the patch orchestration integration you are using in order to view data and schedule patches from the Vulnerability Response application. See the configuration information for the supported integrations you are using for more information.

A submission and approval process for patch requests is included with the applications. By default, the system property [sn_vul_patch_orch.patch_approval_required] in the Vulnerability Response Patch Orchestration application in your ServiceNow AI Platform instance is activated.

While this system property is activated, scheduled patch deployments are submitted for review and approval to users assigned to the Level 1 - Patch update approval group. If you want users with the sn_vul_patch_orch.configure_patch role to schedule patches without approval, you can deactivate the [sn_vul_patch_orch.patch_approval_required] property. You might prefer to leave approvals activated so that scheduled patches do not conflict with normal working hours. If you deactivate the approval system property, any user with the sn_vul_patch_orch.configure_patch role can schedule and deploy patches without review and approval.

For more information, and how to deactivate this system property, see the configuration topic for your supported integration.
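The following is an added illustration, not ServiceNow code, of how the approval gate described above behaves for a patch-deployment request. In a server-side script the two inputs would come from the platform's gs.getProperty() and gs.hasRole() calls; here they are passed in as plain values so the decision logic runs outside the platform. The property, role, and approval group names are the ones on this page; the function name and return shape are assumptions for the example.

```javascript
// Added example: decision logic for the documented approval gate.
// Not part of the ServiceNow application; names below marked "from the page"
// are taken from the documentation, everything else is illustrative.

const APPROVAL_PROPERTY = 'sn_vul_patch_orch.patch_approval_required'; // from the page
const SCHEDULER_ROLE = 'sn_vul_patch_orch.configure_patch';            // from the page
const APPROVAL_GROUP = 'Level 1 - Patch update approval';              // from the page

/**
 * Decide what happens to a patch-deployment request.
 * props     - map of system property name -> string value, as gs.getProperty()
 *             would return it (properties are stored as strings).
 * userRoles - roles held by the requesting user, as gs.hasRole() would report.
 * Returns an object describing whether the request proceeds and to what state.
 */
function routePatchDeployment(props, userRoles) {
  // Only users holding the configure_patch role can schedule a deployment at all.
  if (!userRoles.includes(SCHEDULER_ROLE)) {
    return { allowed: false, state: 'rejected', approver: null,
             reason: 'user lacks ' + SCHEDULER_ROLE };
  }

  // A missing property falls back to the documented default (activated).
  // Only an explicit "false" (any case, surrounding whitespace ignored)
  // counts as deactivated, so a typo never silently disables approvals.
  const raw = Object.prototype.hasOwnProperty.call(props, APPROVAL_PROPERTY)
    ? String(props[APPROVAL_PROPERTY]).trim().toLowerCase()
    : 'true';
  const approvalRequired = raw !== 'false';

  if (approvalRequired) {
    // Activated: the deployment waits for the approval group.
    return { allowed: true, state: 'pending_approval', approver: APPROVAL_GROUP,
             reason: APPROVAL_PROPERTY + ' is activated' };
  }
  // Deactivated: a configure_patch user schedules directly, with no review.
  return { allowed: true, state: 'scheduled', approver: null,
           reason: APPROVAL_PROPERTY + ' is deactivated' };
}

// Constructed sample requests showing each branch.
const SAMPLE_REQUESTS = [
  { props: {}, roles: [SCHEDULER_ROLE] },                                  // default
  { props: { [APPROVAL_PROPERTY]: 'false' }, roles: [SCHEDULER_ROLE] },    // no review
  { props: { [APPROVAL_PROPERTY]: 'false' }, roles: ['itil'] },            // wrong role
  { props: { [APPROVAL_PROPERTY]: ' False ' }, roles: [SCHEDULER_ROLE] },  // untidy value
];

function summarize(requests) {
  return requests.map(r => routePatchDeployment(r.props, r.roles).state);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarize(SAMPLE_REQUESTS));
}
```

The point of the fallback handling is that the safe state (approval required) is what you get when the property is absent or malformed; only a deliberate, explicit "false" removes the review step.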

Schedule patches from Vulnerability Response records

Remediation specialists can schedule patch updates to resolve vulnerable items and monitor remediation progress all from records in the Vulnerability Response application.

You can schedule patches from the following records:

  • Patch Update
  • Remediation task
  • Discovered item

Records that roll up active VI counts in Vulnerability Response

To avoid potential performance issues with rolling up all patches to all vulnerabilities, the scheduled job that picks up changes modifies only the active VI count. These count changes and related data are rolled up to the following records in the Vulnerability Response application:

  • VIT (vulnerable item)
  • RT (remediation task)
  • Vulnerability solution
  • Patch Update

For more information about viewing patch data, how patch data rolls up to records, and viewing patches without solutions, see the following topics.

Bulk edit vulnerable items with patches

You can bulk edit vulnerable items that have patches from the classic environment. For more information about how bulk editing works, see Edit vulnerable items in bulk in Vulnerability Response. The bulk edit applies the preferred patches for all the VIs selected. This edit option works only if preferred patches are mapped to all the selected VIs.

Patch Management Data Model Enhancements

The Patch Management Data Model plugin is a standalone, free plugin that encapsulates the data model currently used in the VR Patch Orchestration application. This includes key tables such as Collection, Patch Update, Patch Deployment, and others.

Patch management tools can use this plugin to ingest Patch Management data, which applications such as ITSM, Vulnerability Response, and others then use in their existing workflows.

Key Enhancements:
  • Tables such as the collection device, patch update, and patch deployment tables in the existing patch orchestration plugin will be moved to the new data model plugin.
  • The data from the old tables will be migrated to the new tables for the existing VR patch orchestration feature.