Manage patches and patch deployments for the critical vulnerabilities on your assets with the Vulnerability Response integration with the Microsoft System Center Configuration Manager (SCCM) product.

Patch orchestration with Vulnerability Response

Patch orchestration with Vulnerability Response uses scheduled imports from third-party solution integrations, patch vendors, and vulnerability scanners. Scanner detection data matches the assets in your environment to vulnerabilities and to the patch updates that can fix them. You submit patch requests for approval, schedule patch updates to resolve vulnerable items, and monitor remediation progress, all from your ServiceNow AI Platform® instance.

Vulnerability Response patch orchestration with Microsoft SCCM

When the Vulnerability Response Patch Orchestration with the Microsoft SCCM application is used with the ServiceNow® Vulnerability Solution Management, Patch Orchestration, and Vulnerability Response applications, vulnerability managers and analysts can perform the following tasks:
  • See more context and information about the types of patches and vendors' solutions (patches).
  • View and monitor vulnerability and solution data, as well as vulnerability remediation progress from records in the Vulnerability Response Workspaces.

IT specialists and remediation owners can perform the following tasks:

  • Deploy patches supported by the Microsoft SCCM product for their Windows, CentOS, macOS, Oracle, and other assets at regular, scheduled intervals during off-hours to avoid conflicts with work.
  • Identify unpatched assets with vulnerabilities, or assets that were not successfully updated by scheduled patches, using detection data imported from third-party scanners.
  • Schedule available patches from either the IT Remediation Workspace or from the classic UI for vulnerable, unpatched assets from patch update, remediation task, and discovered item records.

Key terms in the Vulnerability Response and Microsoft SCCM applications

Configuration item (CI)
CIs are the existing assets that are listed in your Configuration Management Database (CMDB). Microsoft SCCM refers to CIs as devices.
Collections and device collections
Terminology used in the Microsoft SCCM product that refers to a group of assets.
Vulnerable item
An imported vulnerability that matches an existing asset in your CMDB.
Instance
A distinct account of the Microsoft SCCM application. Each user account can be an instance in the Microsoft SCCM application. This term also refers to a unique, secure web address for a ServiceNow AI Platform instance.
Integration
An integration is a scheduled job in the ServiceNow AI Platform that retrieves information from a third-party source, such as the integration with the Microsoft SCCM machines.
Solution
There are two types of solutions in the context of this integration: potential and preferred. A potential solution is one that might address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution is the most effective solution for a specific, detected vulnerability.
Patches
Software updates that fix vulnerabilities. In the Microsoft SCCM application, patches are also called Patches. For example, Microsoft SCCM has patches for Windows, CentOS, macOS, Oracle, and other products.
Preferred patch
Preferred patches are software updates that are intended to fix specific vulnerabilities. Patches, once deployed, map to the vulnerable items that are related to specific vulnerabilities and fix them.
Remediation task or, prior to v15.0 of Vulnerability Response, vulnerability groups
Lists, in the Vulnerability Response application, of vulnerable items together with the actions that are required to fix their vulnerabilities.
Deployment
Deployment for the purposes of this integration refers to when you apply, initiate, or schedule a patch to a machine. You can deploy the patches you downloaded from Microsoft SCCM in your ServiceNow AI Platform by navigating to discovered items, patches, or remediation tasks from individual records in Vulnerability Response. You can deploy patches with scheduled jobs to individual machines or to computer groups.

Deployment in the ServiceNow AI Platform can also refer to an integration that supports multiple sources. A single installed copy of an integration is referred to as a deployment of that integration, and collectively, deployments refer to the integrations and products across your environment. For example, you might have multiple deployments of the Microsoft SCCM Vulnerability integration in your environment.

Vulnerability Solution Management and the Vulnerability Response patch orchestration integration with Microsoft SCCM

The Vulnerability Solution Management application is a ServiceNow AI Platform application that correlates your vulnerability findings with a breakdown of the solutions (patches) that remediate them. Use it to identify the third-party software patches for products and services, configuration updates, and other controls that have the highest impact for your organization. Along with third-party scanner information, the Solution Management for Vulnerability Response, Vulnerability Response, and Vulnerability Response Patch Orchestration with Microsoft SCCM applications work together to roll preferred patches up from the solution, to the vulnerability, to the vulnerable item, to help you fix and close vulnerabilities in your environment. The Solution Management for Vulnerability Response, Vulnerability Response, and Vulnerability Response Patch Orchestration with Microsoft SCCM applications are all available in the ServiceNow® Store.

Required ServiceNow AI Platform roles

The integration installation, configuration, and remediation tasks require the following roles in your ServiceNow AI Platform instance.

admin
Users with this role get entitlements for applications in the ServiceNow Store and download them to ServiceNow AI Platform instances.
sn_vul.vulnerability_admin
Users with this role activate applications in the ServiceNow AI Platform instance and complete configuration of the Vulnerability Response application. This role has complete access to the Vulnerability Response (VR) application and its records. This admin user configures all VR applications, rules, and third-party integrations.
sn_vul_sccm.configure_integration
Users with this role configure the Microsoft SCCM Patch Orchestration Integration application. This role contains the sn_vul_sccm.read_integration granular role.
sn_vul_sccm.read_integration
Users with this role can view (read only) the records of the Vulnerability Response and Microsoft SCCM Patch Orchestration Integration applications and patch orchestration data.
sn_vul_patch_orch.configure_patch
Users with this role can configure and apply patches.
sn_vul_patch_orch.read_patch
Users with this role can view (read only) patch information.
Approvers
Assign users to the Approver level 1 and Approver level 2 approver groups if you want submitted patch requests approved prior to deployment.

For more information about assigning these roles using the Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant.

CI lookup rules

When data is imported from the Microsoft SCCM application, the Vulnerability Response application automatically searches for matches in the Configuration Management Database (CMDB) using Resource ID data. CI lookup rules are used to identify CIs (assets) and add them automatically to vulnerable item (VI) records when VIs are created. The CI lookup rules shipped with the base system are used to identify CIs (assets) and add them to the discovered items.

This lookup rule relies on the data brought in by the Service graph connector with SCCM. You must install and run the CMDB integration before running the SCCM integrations; otherwise the Resource IDs in the imported detections have nothing in the CMDB to match. If you have multiple installations of the SCCM server, you can configure the Service graph connector connection alias in the SCCM patch orchestration configuration page.
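The following is an added illustration, not ServiceNow's own code, of what the Resource ID lookup rule does and what happens when the Service graph connector has not yet populated the CMDB. The `sccm_resource_id` field, the record shapes, and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CmdbCi:
    sys_id: str
    name: str
    sccm_resource_id: Optional[str]  # assumed field filled by the Service graph connector

@dataclass
class VulnerableItem:
    vulnerability: str
    resource_id: str
    ci_sys_id: Optional[str] = None  # stays None when the lookup rule finds no CI

# Constructed CMDB: one CI already synced by the connector, one never synced.
CMDB = [
    CmdbCi("ci001", "WIN-SRV-01", "16777220"),
    CmdbCi("ci002", "WIN-SRV-02", None),
]

# Constructed detections imported from SCCM, keyed by SCCM Resource ID.
DETECTIONS = [
    {"resource_id": "16777220", "vulnerability": "VULN-1 (constructed)"},
    {"resource_id": "16777221", "vulnerability": "VULN-2 (constructed)"},
]

def lookup_ci(resource_id: str, cmdb: list) -> Optional[CmdbCi]:
    """Mimic the base-system lookup rule: match on Resource ID only."""
    index = {ci.sccm_resource_id: ci for ci in cmdb if ci.sccm_resource_id}
    return index.get(resource_id)

def create_vulnerable_items(detections: list, cmdb: list) -> list:
    """Create one VI per detection, attaching the CI when the lookup succeeds."""
    items = []
    for d in detections:
        ci = lookup_ci(d["resource_id"], cmdb)
        items.append(VulnerableItem(d["vulnerability"], d["resource_id"],
                                    ci.sys_id if ci else None))
    return items

def unmatched(items: list) -> list:
    """VIs with no CI: the CMDB has no CI carrying that Resource ID, which is the
    symptom of running the SCCM import before the CMDB integration."""
    return [vi for vi in items if vi.ci_sys_id is None]
```

Checking `unmatched()` after each import is a quick way to confirm the connector ran first; a non-empty result means detections are landing on VIs with no asset to remediate.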

MID Server

The Vulnerability Response Patch Orchestration with Microsoft SCCM is an on-premises integration. It requires a standalone Windows MID Server that is not part of a MID Server cluster. The MID Server is required to run scripts on remote machines from your instance to import data from the SCCM server. APIs for this integration are called using MID Servers that you set up in your ServiceNow AI Platform instance. Prepare for the Vulnerability Response patch orchestration integration with Microsoft SCCM.