Data transformation for the Microsoft Threat and Vulnerability Management Vulnerability Integration

After you identify the data that you want to import, the data is retrieved from the ServiceNow® Microsoft Threat and Vulnerability Management (MS TVM) application, processed through a set of data sources, and transformed in your instance.

During installation, normalized severity maps are installed in the Normalized Severity Mapping module. These maps transform imported Microsoft third-party vulnerability severity levels to standard severity levels for processing in your instance. For information about creating severity maps, see Create a Vulnerability Response severity map.

MS TVM Machines Import

The data from the imported machines is first loaded into the MS TVM Machines Import [sn_vul_msft_tvm_machines_import] table.

The MS TVM Machines Transform is used to transform the imported machines information.
Note: Changes to this transform map alter how data from the MS TVM Machines import is processed.
To access this transform map, navigate to System Import Sets > Transform Maps and search for Microsoft TVM Machines Transform.

The following table lists the transform map fields by integration.

The following transform scripts are run during the transformation process.

MS TVM Machines transform map script timing and purpose

When the script is run Purpose
onStart (when an import set has started transformation). Script that is used to initialize the values in the scope variable (sn_vul_msft_tvm) for the integration process. This script is for internal use and should not be modified or deleted.
onBefore (before an import set has completed transformation). Script that is used to update values in the host and verify whether the host exists. Based on the results, this script modifies the values in the scope variable (sn_vul_msft_tvm). This script is for internal use and should not be modified or deleted.
onComplete (when an import set has completed transformation). Script that is used to set the number of CIs created, updated, and ignored. This script is for internal use and should not be modified or deleted.

The MicrosoftTVMMachinesProcessor script include is called from the onBefore transform script. It takes the output from the Microsoft TVM machines' integration and transforms it into a CI. Any changes to this script include may alter the transformation of the Microsoft TVM machines' data in the CI and Discovered item table.

MS TVM Vulnerabilities integration

The imported vulnerabilities data is first loaded into the Microsoft TVM CVE (Vulnerabilities) Import [sn_vul_msft_tvm_vulnerabilities_import] table.
Note: Changes to this transform map alter how data from the MS TVM Vulnerabilities import is processed.
To access this transform map, navigate to System Import Sets > Transform Maps and search for the Microsoft TVM Vulnerabilities Transform.

The following table lists the transform map fields by integration.

The following transform scripts are run during the transformation process.

When the script is run Purpose
onStart (when an import set has started transformation). Script that is used to initialize the values in the scope variable (sn_vul_msft_tvm) for the integration process. This script is for internal use and should not be modified or deleted.
onBefore (before an import set has completed transformation). Script that is used to create or update the values in the NVD or the third-party entry table. This script is for internal use and should not be modified or deleted.
onComplete (when an import set has completed transformation). Script that is used to set the values of the new items that were created and the items that have been updated and ignored. This script is for internal use and should not be modified or deleted.

MS TVM Recommendations import

The imported recommendation data is first loaded into the MS TVM Recommendations Import [sn_vul_msft_tvm_recom_import] table.
Note: Changes to this transform map alter how the data from the MS TVM Recommendations import is processed.
To access this transform map, navigate to System Import Sets > Transform Maps and search for MS TVM Recommendation Transform.

The following table lists the transform map fields by integration.

The following transform scripts are run during the transformation process.

Table 4. MS TVM Recommendation transform map script
When the script is run Purpose
onStart (when an import set has started transformation). Script that is used to initialize the values in the scope variable (sn_vul_msft_tvm) for the integration process. This script is for internal use and should not be modified or deleted.
onBefore (before an import set has completed transformation). Script that is used to update values in the recommendations and verify whether the recommendations exist. This script is for internal use and should not be modified or deleted.
onComplete (when an import set has completed transformation). Script that is used to set the values of items created, updated, and ignored. This script is for internal use and should not be modified or deleted.

MS TVM Machine Vulnerabilities import

The MS TVM Machine Vulnerabilities transform map is used to transform open and fixed vulnerabilities information that is imported from MS TVM.
Note: Changes to this transform map alter how data from the MS TVM Machine Vulnerabilities Import is processed.
To access the MS TVM Open and Fixed Vulnerabilities transform maps, navigate to System Import Sets > Transform Maps and search for the MS TVM Machine Vulnerabilities Transform.

The following table lists the transform map fields by integration.

The following transform scripts are run during the transformation process.

When the script is run Purpose
onStart (when an import set has started transformation). Script that is used to initialize the values in the scope variable (sn_vul_msft_tvm) for the integration process. This script is for internal use and should not be modified or deleted.
onBefore (before an import set has completed transformation). Script that is used to check if the Vulnerability Entry and Detections exist. If not, these records are created in their respective tables. This script is for internal use and should not be modified or deleted.
onComplete (when an import set has completed transformation). Script that is used to update the count of VIs and Detections as imported from MS TVM. This script is for internal use and should not be modified or deleted.