You can manage patches and patch deployments for critical vulnerabilities for large groups of assets with the Vulnerability Response patch orchestration integration with the HCL BigFix product.

Patch orchestration with Vulnerability Response

Patch orchestration with Vulnerability Response uses scheduled imports from third-party solution integrations, patch vendors, and vulnerability scanners. Scanner detection data matches the assets in your environment to vulnerabilities and to the patch updates that can fix them. Submit patch requests for approval, schedule patch updates to resolve vulnerable items, and monitor remediation progress, all from records in the Vulnerability Response application in your ServiceNow AI Platform®.

Vulnerability Response Patch Orchestration with HCL BigFix

When the Vulnerability Response Patch Orchestration with HCL BigFix integration application is used with the ServiceNow® Vulnerability Solution Management, Patch Orchestration, and Vulnerability Response applications, vulnerability managers and analysts can perform the following tasks:

  • See more context and information about the types of patches and vendors' solutions (patches).
  • View and monitor vulnerability and solution data, as well as vulnerability remediation progress from records in the Vulnerability Response Workspaces.

IT specialists and remediation owners can perform the following tasks:

  • Deploy patches supported by the BigFix product for their Windows, CentOS, MAC, Oracle, and other assets at regular, scheduled intervals during off-hours to avoid work conflicts.
  • Identify unpatched assets with vulnerabilities, or assets that were not successfully updated by scheduled patches, from detection data imported from third-party scanners.
  • Schedule available patches from either the IT Remediation Workspace or from the classic environment for vulnerable, unpatched assets from patch update, remediation task, and discovered item records.

Key terms in the Vulnerability Response and BigFix applications

Configuration item (CI)
CIs are the existing assets that are listed in your Configuration Management Database (CMDB). BigFix calls CIs computers.
Computer groups
Terminology used in the BigFix product that refers to a group of assets.
Vulnerable item
An imported vulnerability that matches an existing asset in your CMDB.
Instance
A distinct account of the BigFix application. Each user account can be an instance in the BigFix application. This term also refers to a unique, secure web address for a ServiceNow AI Platform instance.
Integration
An integration is a scheduled job in the ServiceNow AI Platform that retrieves information from a third-party source, such as the integration with the BigFix machines.
Solution
There are two types of solutions in the context of this integration, potential and preferred. A potential solution is one that might address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution matches the most effective solution for a specific, detected vulnerability.
Patch
Software updates that fix vulnerabilities. In the BigFix application, patches are called Fixlets. For example, BigFix has Fixlets for Windows, CentOS, MAC, Oracle, and other products.
Preferred patch
Preferred patches are software updates that are intended to fix specific vulnerabilities. Patches, once deployed, map to the vulnerable items that are related to specific vulnerabilities and fix them.
Remediation task
A list, in the Vulnerability Response application, of vulnerable items and the actions that are required to fix their vulnerabilities.
Deployment
Deployment for the purposes of this integration refers to when you apply, initiate, or schedule a patch to a machine. BigFix calls these deployments actions. You can deploy (create actions for) the patches you downloaded from BigFix in your ServiceNow AI Platform. Navigate to discovered items, patches, or remediation tasks from individual records in Vulnerability Response. You can deploy patches with scheduled jobs to individual machines or to computer groups.

Deployment in the ServiceNow AI Platform can also refer to an integration that supports multiple sources. A single instance of an integration is referred to as a deployment of that integration, and your deployments together cover the integrations and products across your environment. For example, you might have multiple deployments of the BigFix Vulnerability integration in your environment.

Vulnerability Solution Management and the Vulnerability Response Patch Orchestration with HCL BigFix Integration

Solution management is provided by the Vulnerability Solution Management application, a ServiceNow AI Platform application that correlates your vulnerability findings with the breakdown of the solutions (patches) that remediate them. Identify the software patches from third parties for products and services, configuration updates, and other controls that have the highest impact for your organization. Along with third-party scanner information, the Solution Management for Vulnerability Response, Vulnerability Response, and Vulnerability Response Patch Orchestration with HCL BigFix applications work together to roll preferred patches up from the solution, to the vulnerability, to the vulnerable item, to help you fix and close vulnerabilities in your environment.

The Solution Management for Vulnerability Response, Vulnerability Response, and the Vulnerability Response Patch Orchestration with HCL BigFix Integration are all available in the ServiceNow® Store.

Required ServiceNow AI Platform roles

The integration installation, configuration, and remediation tasks require the following roles in your ServiceNow AI Platform instance.

admin
Users with this role get entitlements for applications in the ServiceNow Store and download them to ServiceNow AI Platform instances.
sn_vul.vulnerability_admin
Users with this role activate applications in the ServiceNow AI Platform instance and complete the configuration of the Vulnerability Response application. This role has complete access to the Vulnerability Response (VR) application and its records. This admin user configures all VR applications, rules, and third-party integrations.
sn_vul_bigfix.configure_integration
Users with this role configure the BigFix Patch Orchestration Integration application. This role contains the sn_vul_bigfix.read_integration granular role.
sn_vul_bigfix.read_integration
Users with this role can view (read only) the records of the Vulnerability Response and the BigFix Patch Orchestration Integration application and patch orchestration data.
sn_vul_patch_orch.configure_patch
Users with this role can configure and apply patches.
sn_vul_patch_orch.read_patch
Users with this role can view (read only) patch information.
Approvers
Assign users to the Approver level 1 and Approver level 2 approver groups if you want submitted patch requests approved prior to deployment.

For more information about assigning these roles using the Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about the Vulnerability Response roles in your ServiceNow AI Platform, see Vulnerability Response personas and granular roles.

CI lookup rules

When data is imported from the BigFix application, the Vulnerability Response application automatically searches for matches in the Configuration Management Database (CMDB) using machine (asset) data. CI lookup rules are used to identify CIs (assets) and add them automatically to vulnerable item (VI) records when VIs are created.

The following CI lookup rules are shipped with the base system and are used to identify CIs (assets) and add them to the Vulnerability Response application:
  • MAC_ADDRESS
  • IP_ADDRESS
  • DNS_NAME

You can use multiple values for the IP_ADDRESS of an asset. A CI lookup rule considers all values for matching. For more information about CI lookup rules and how they work, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.
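The following is an added illustration of the lookup-rule behaviour described above, written for this page and not ServiceNow or BigFix code. It assumes the three rules are evaluated in the order listed (MAC_ADDRESS, IP_ADDRESS, DNS_NAME), that the first rule producing exactly one CMDB match wins, that a rule matching two or more CIs is treated as ambiguous and skipped, and that all of an asset's IP addresses are considered; the CMDB records and imported computer records are constructed sample data.

```python
"""CI lookup-rule matching for imported BigFix computer data (constructed example).

Illustration code written for this page, not ServiceNow or BigFix code. Assumptions:
rules run in the order the page lists them (MAC_ADDRESS, IP_ADDRESS, DNS_NAME); the
first rule with exactly one CMDB match wins; a rule that matches two or more CIs is
ambiguous and skipped; IP_ADDRESS is a list, and every address is considered.
"""
from dataclasses import dataclass, field

@dataclass
class CI:
    sys_id: str
    mac_address: str = ""
    ip_addresses: list = field(default_factory=list)
    dns_name: str = ""

def _norm(value):
    return (value or "").strip().lower()

def by_mac(ci, computer):
    return bool(_norm(ci.mac_address)) and _norm(ci.mac_address) == _norm(computer.get("mac"))

def by_ip(ci, computer):
    # Any overlap between the CI's addresses and the imported addresses counts.
    return bool({_norm(i) for i in ci.ip_addresses} & {_norm(i) for i in computer.get("ips", [])})

def by_dns(ci, computer):
    return bool(_norm(ci.dns_name)) and _norm(ci.dns_name) == _norm(computer.get("dns"))

LOOKUP_RULES = [("MAC_ADDRESS", by_mac), ("IP_ADDRESS", by_ip), ("DNS_NAME", by_dns)]

# Constructed CMDB sample; ci002 and ci003 share an IP to show an ambiguous rule.
CMDB = [
    CI("ci001", "00:1a:2b:3c:4d:5e", ["10.0.0.5", "192.168.1.5"], "web01.example.internal"),
    CI("ci002", "", ["10.0.0.9"], "db01.example.internal"),
    CI("ci003", "", ["10.0.0.9"], "db01-old.example.internal"),
]

def lookup_ci(computer, cmdb=CMDB):
    """Return (rule_name, sys_id) for the first unambiguous match, else (None, None)."""
    for name, rule in LOOKUP_RULES:
        hits = [ci.sys_id for ci in cmdb if rule(ci, computer)]
        if len(hits) == 1:
            return name, hits[0]
    return None, None
```

An imported computer whose IP matches two CIs falls through to DNS_NAME; one that no rule can resolve returns (None, None), which is the case a vulnerability admin would need to inspect before the VI can be tied to a CI.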

MID Server

The Vulnerability Response Patch Orchestration with HCL BigFix integration is an on-premises integration. It requires a standalone MID Server that is not part of a MID Server cluster. The MID Server is required to run scripts on remote machines from your instance in order to import data from the BigFix server. APIs for this integration are called using MID Servers that you set up in your ServiceNow AI Platform instance. See Prepare for the Vulnerability Response Patch Orchestration integration with HCL BigFix for more information.