The Vulnerability Response Integration with Tenable application developed by ServiceNow engineering for the Tenable Vulnerability Integration uses data imported from the Tenable.io, Tenable.sc, and Tenable.cs products to help you prioritize and remediate vulnerabilities for your assets. The application is available with a separate subscription from the ServiceNow® Store.

Note: Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
Table 1. Changes in terminology
  Terminology prior to v14.9    Terminology v14.9 onwards
  Test Result Group             Remediation Task
  Group Rules                   Remediation Task Rules
  Policy                        Test group
The Tenable Vulnerability Integration employs three Tenable integrations, Tenable.io, Tenable.sc and Tenable.cs, to import third-party scanner data about your assets and vulnerabilities. The Vulnerability Response Integration with Tenable application supports the Tenable.sc product starting with version 5.13 and Tenable.cs product starting with version 5.0.1.
  • Tenable.io is a cloud-based enterprise integration.
  • Tenable.sc is an on-premises integration. If the Tenable.sc product and your ServiceNow AI Platform instance are in the same environment, using a MID Server is optional; if they aren’t in the same environment, a MID Server is required.
  • Tenable.cs is a cloud-based enterprise integration.

The Vulnerability Response Integration with Tenable application is available on the ServiceNow Store with a separate subscription.

For lists and descriptions of the integrations in the Tenable Vulnerability Integration, see Tenable.io integrations with the Vulnerability Response and Configuration Compliance applications and Tenable.sc integrations with the Vulnerability Response application.

Figure 1. Tenable Vulnerability Integration
Tenable Vulnerability Integration workflow.

Available versions for Yokohama

  Release version: Vulnerability Response Integration with Tenable v3.13.1, v4.1, v5.0.1

For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

Terms and key features of the integrations

Vulnerable items and vulnerabilities
A vulnerable item is created in your ServiceNow AI Platform instance when:
  • An imported vulnerability from a third-party scanner is matched to an existing asset (a configuration item in your CMDB). The Tenable product refers to these matches as vulnerabilities.
  • An imported vulnerability from a third-party scanner isn’t matched to an existing asset in your CMDB. In this case, an unmatched CI is also created along with a vulnerable item.

    For unmatched CIs, you can also use the Identification and Reconciliation Engine (IRE) to create CIs in two new classes when an existing CI can’t be matched with a host. Otherwise, unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine.

Third-party vulnerability entries and plugins
Third-party vulnerability entries are imported from third-party scanners and listed in the Third-Party Vulnerability Entries table in your ServiceNow AI Platform instance. Starting with v24.0 of Vulnerability Response, the Softwares column in the Third-Party Vulnerability Entries table populates the Common Platform Enumerations (CPEs) associated with a third-party entry. Third-party vulnerability entries from Tenable are ingested into Vulnerability Response and matched to existing assets listed in your CMDB. Tenable refers to third-party vulnerability entries as Plugins.
Configuration item (CI)
Configuration items are the existing assets listed in your CMDB.
Discovered item
Assets ingested from the Tenable asset import are matched to existing configuration items in your CMDB. Imported assets are updated.

If a match isn’t found, a CI is created in the Unmatched CI class of the CMDB. If the CMDB CI Class Models plugin is enabled, the Identification and Reconciliation Engine (IRE) creates CIs using new classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. If the original, unmatched CI is reclassified, discovered item records are updated to reflect the state. Discovered items give you visibility into how assets are identified and mapped to CIs in the CMDB.

CI lookup rules
When data is imported from a third-party integration, Vulnerability Response automatically uses host (asset) data to search for matches in the Configuration Management Database (CMDB). CI lookup rules identify CIs and add them to vulnerable item (VI) records when VIs are created, to aid you with remediation.
Rescan and remediation scan
You can initiate a targeted rescan command on a specific configuration item, remediation task, or third-party entry directly from vulnerable item, remediation task, and third-party vulnerability entry records in your ServiceNow AI Platform instance. Tenable refers to this rescan as a remediation scan.
Automatically close older VIs
With the Auto-Close Stale Vulnerable Items module in your ServiceNow AI Platform, you can clean up older, stale vulnerable items (VIs) that haven’t recently been found by your third-party integrations. Moving these VIs to Closed helps you reduce the number of active vulnerable items and remediation tasks and reconcile assets in your CMDB. You can use all the integrations in the Vulnerability Response Integration with Tenable to close stale VIs automatically.
Instance
This term refers to a distinct occurrence of your ServiceNow AI Platform® application.
Integration
An integration is a product-specific import, such as the Tenable.io Assets Integration or the Tenable.sc Plugin Integration. These are the separate integrations that belong to specific Tenable products in the Tenable Vulnerability Integration in your instance.
Integration instance
This term refers to the separate Tenable integrations listed by their Tenable.io and Tenable.sc products.
Deployment
When an integration supports multi-source, a single, distinct configured instance of that integration is referred to as a deployment of your integration. The term is used to refer to the integrations and products across your environment. For example, you might have multiple deployments of various integrations of the Tenable.io and Tenable.sc products in your environment.

The Tenable.io, Tenable.sc, and Tenable.cs integrations also include the following key features:

  • Configuration assessment findings, that is, test results along with policies, configuration tests (controls), and citations with authoritative sources can be imported into the Configuration Compliance application with the Tenable.io product. See Tenable.io integrations with the Vulnerability Response and Configuration Compliance applications and Exploring Configuration Compliance for more information about how this integration works with the Configuration Compliance application.
  • Starting with v2.1 of the Tenable Vulnerability Integration, you can create unique configuration items (CIs) that include different network partition identifiers for assets in your environment that share the same IP address. This lets you identify the distinct assets across your environment and update the CIs on your existing discovered item, vulnerable item, and detection records to give you more details about your vulnerabilities.
  • You can schedule when you want the jobs to run for all the Tenable.io, Tenable.sc and Tenable.cs integrations. You can also execute scheduled jobs manually on-demand.
  • For asset imports with Tenable.io, you can enable asset tags to organize and track the assets listed in your CMDB in the Tenable.io environment.
  • The Tenable.io, Tenable.sc and Tenable.cs integrations permit you to configure CI Lookup Rules to define how asset data from third-party sources are used to identify Configuration Items (CIs) in your ServiceNow AI Platform CMDB.
  • The Tenable.io, Tenable.sc and Tenable.cs integrations permit you to set import filters on the vulnerabilities import so that you import only the vulnerabilities from Tenable that you want. For Tenable.io, you have the option to import Fixed vulnerabilities from Tenable with the vulnerabilities import.
  • For Tenable.sc, you have the option to initiate rescans on-demand directly from vulnerable item, remediation task, and third-party entry records in your ServiceNow AI Platform instance. If VIs have been transitioned to Closed/Fixed but aren’t yet updated in your instance, you can verify that vulnerabilities on specific configuration items have been remediated. See Initiate rescan for the Tenable.sc integration.

The following sections list more details about the Tenable integrations.

Required ServiceNow AI Platform roles

The integration tasks require the following roles in your ServiceNow AI Platform instance.

admin
The system admin uses Setup Assistant to install the Vulnerability Response Integration with Tenable application. If not assigned, the admin assigns the vulnerability admin (sn_vul.vulnerability_admin) and other roles in Setup Assistant.
sn_vul.vulnerability_admin
Once assigned, the vulnerability admin completes the configuration of the Tenable integrations in Setup Assistant. This role has complete access to the Vulnerability Response (VR) application and its records. The vulnerability admin configures all VR applications and rules for installed third-party integrations.
sn_vul_tenable.configure_integration
This role includes the sn_vul_tenable.read_integration granular role; users with this role can configure the Vulnerability Response Integration with Tenable application.
sn_vul_tenable.read_integration
Users with this role can view (read) but not edit records of the Vulnerability Response Integration with Tenable application.
Vulnerability Response group
By default, the Vulnerability Response group is available in Setup Assistant. Users assigned to the Vulnerability Response group inherit the sn_vul.read_all and sn_vul.remediation_owner roles automatically.

Vulnerable items

Vulnerable items are grouped into remediation tasks according to remediation task rules and assigned for remediation based on your assignment rules. For more information, see Vulnerability Response remediation tasks and remediation task rules overview and Vulnerability Response assignment rules overview.

Configuration item (CI) lookup rules

CI Lookup Rules identify CIs and determine when to add them to a vulnerable item. For more information on how CI lookup rules work, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.
Note: Rules, once removed, can’t be recovered. Rather than removing existing rules, disable them when creating new ones.
The following Tenable.io lookup rules are shipped with the base system.
  • MAC_ADDRESS
  • FQDN
  • NetBIOS
  • HostName
  • DNS
  • IP
Note: The Tenable.io CI lookup rules prioritize and populate the non-empty network interface values (FQDN, IPv4, and MAC address) over the regular FQDN, IPv4, and MAC address values for a discovered item. When these network interface values are empty, the regular FQDN, IPv4, and MAC address values are populated for a discovered item.
The following Tenable.sc lookup rules are shipped with the base system.
  • MAC_ADDRESS
  • FQDN
  • NetBIOS
  • IP
Note: Multiple values for ip_address, mac_address, fqdns and network_interfaces are used for an asset. All values are considered in CI lookup rules for matching. All values are used to create multiple network adapters using IRE.

The Tenable.cs lookup rule Cloud Resource Id is shipped with the base system.

For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see Updating CI class for unmatched cloud assets.

New properties to ignore IP addresses

In Tenable.io, two properties are available if you want to ignore multiple IP addresses or multiple MAC addresses as part of your CI lookup rules:
ignoreIPAddress
A list of IP addresses to be ignored for CI lookup and CI creation.
ignoreMacAddress
A list of MAC addresses to be ignored for CI lookup or CI creation.
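
The following is an added, simplified model of how the base-system Tenable.io lookup rules, the network-interface precedence, and the ignoreIPAddress / ignoreMacAddress properties interact when an imported asset is matched to a CMDB CI. It is not ServiceNow’s own code: the attribute names, the rule-to-attribute mapping, and the sample CMDB and property values are assumptions constructed for illustration.

```javascript
// Added example (not ServiceNow's own code): a simplified model of how the
// Tenable.io CI lookup rules select a CMDB CI for an imported asset.
// Attribute names and the rule-to-attribute mapping are assumptions.
const TENABLE_IO_RULES = ['MAC_ADDRESS', 'FQDN', 'NetBIOS', 'HostName', 'DNS', 'IP'];
// Asset attribute, CI attribute and (where one exists) the network interface
// attribute whose non-empty values take precedence over the regular value.
const RULE_ATTRS = {
  MAC_ADDRESS: { asset: 'mac_address', nic: 'mac',  ci: 'mac_address' },
  FQDN:        { asset: 'fqdns',       nic: 'fqdn', ci: 'fqdn' },
  NetBIOS:     { asset: 'netbios',     nic: null,   ci: 'netbios' },
  HostName:    { asset: 'host_name',   nic: null,   ci: 'host_name' },
  DNS:         { asset: 'dns_name',    nic: null,   ci: 'dns_name' },
  IP:          { asset: 'ip_address',  nic: 'ipv4', ci: 'ip_address' },
};

// Comparisons are case-insensitive; scalars and arrays are both accepted.
const norm = (v) => String(v).trim().toLowerCase();
const asList = (v) => (v == null ? [] : [].concat(v)).filter(Boolean).map(norm);

// Values a rule compares, after applying the ignore lists (IP and MAC only).
function candidateValues(asset, rule, props) {
  const { asset: field, nic } = RULE_ATTRS[rule];
  let values = nic ? asList((asset.network_interfaces || []).map((n) => n[nic])) : [];
  if (values.length === 0) values = asList(asset[field]);
  const ignore = rule === 'IP' ? props.ignoreIPAddress
    : rule === 'MAC_ADDRESS' ? props.ignoreMacAddress : [];
  const skip = new Set(asList(ignore));
  return values.filter((v) => !skip.has(v));
}

// First rule that yields a CI wins; otherwise the asset stays unmatched
// (and would be created in the Unmatched CI class).
function lookupCI(asset, cmdb, props = {}) {
  for (const rule of TENABLE_IO_RULES) {
    const values = candidateValues(asset, rule, props);
    if (values.length === 0) continue;
    const ciField = RULE_ATTRS[rule].ci;
    const ci = cmdb.find((c) => asList(c[ciField]).some((v) => values.includes(v)));
    if (ci) return { rule, ci_sys_id: ci.sys_id };
  }
  return { rule: null, ci_sys_id: null };
}

// Constructed sample data: two CIs sit behind the same NAT address 192.0.2.1,
// so that address is placed on the ignore list and never drives a match.
const CMDB = [
  { sys_id: 'ci-web01', ip_address: ['10.0.0.5', '192.0.2.1'], mac_address: '00:11:22:33:44:55', fqdn: 'web01.corp.example' },
  { sys_id: 'ci-db01',  ip_address: ['10.0.0.9', '192.0.2.1'], fqdn: 'db01.corp.example' },
];
const PROPS = { ignoreIPAddress: ['127.0.0.1', '192.0.2.1'], ignoreMacAddress: ['00:00:00:00:00:00'] };
```

Calling lookupCI with an asset whose only usable value is the shared NAT address returns an unmatched result under PROPS, but would wrongly match the first CI if the ignore list were empty.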

Discovered items

This module lists configuration items detected during import from the Tenable Vulnerable Item integrations and the Tenable Asset integrations.
Note: The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.
For more information on the Discovered Items module, see Discovered Items.

Asset tags

Asset tags (also referred to as host tags) are used for organizing and tracking the assets in your organization. You can assign tags to your assets. Then, when launching the scans, you can select tags associated with the assets you want to scan. The Asset Tags module enables you to download asset tag data from Tenable.io to your instance on a scheduled basis. Asset data that includes asset tags is pulled from Tenable.io and transformed using the Tenable.io Asset Transform integration transformation maps.

All Asset tags are imported as part of the Tenable.io Asset integration. Asset tags are used for filtering in Vulnerability Response assignment rules and Remediation Task Rules. The tags are displayed in the Discovered Item form.
Note: Run the Tenable.io Asset Integration prior to creating Vulnerability Response assignment rules or remediation task rules in the Vulnerability Response application so that all tags are available for these rules before vulnerable items are imported and grouped. Also note the following points about tags:
  • Tag storage isn’t case-sensitive. For example, if you create a tag to describe assets in your San Diego location, and you create the San Diego tag, you can't also create a SAN DIEGO tag and store it in the Asset tag table. San Diego and SAN DIEGO are considered to be the same asset tag by the system. Whichever tag is imported first is the tag that is stored and recognized going forward.
  • Using asset tags as a Group Key in a remediation task rule may have unexpected results. Asset tags are intended for use only in the condition builder.
  • Asset tags are controlled by the global system property sn_vul.import_asset_tags. This property is set to true by default. Disabling tags disables them across all ServiceNow AI Platform® instances.

Data retrieval filters

Data retrieval settings help you determine specifically the type and scope of data you want to import from the Tenable application to your ServiceNow AI Platform® instance. For a list of the most commonly used settings, see Data retrieval settings for the Tenable Vulnerability Integration.

Vulnerability Priority Rating (VPR)

The Vulnerability Priority Rating (VPR) is an attribute from the Tenable product that is imported and used with a new default risk calculator in Vulnerability Response. The Tenable Risk Rule is installed with the Vulnerability Response Integration with Tenable application as part of the Default Risk Calculator in the Vulnerability Calculators from Vulnerability Response.

This risk rule is inactive by default.

By enabling the Tenable risk calculator rule, the imported VPR values are used to calculate the Risk Score for vulnerable items. The default weight distribution for this risk calculator is VPR = 70%, Asset = 15%, and Business Criticality = 15%. Enabling this Tenable Risk Calculator rule may impact your data ingestion performance. For more information about Vulnerability Response calculators and the Tenable risk calculator rule, see Vulnerability Response calculators and vulnerability calculator rules.

Installation and configuration

After you download the Vulnerability Response Integration with Tenable from the ServiceNow® Store, installation and configuration is supported by the Setup Assistant in Vulnerability Response. See Configuring Vulnerability Response using the Setup Assistant for more information.