06-09-2023 10:48 AM - edited 08-09-2023 02:42 PM
The "Success with Vulnerability Response" series of recommended practices deep-dive webinars continues. One of the most requested topics by customers via our customer voice questionnaire is VR Integrations, and as a result, we conducted a recommended practices webinar regarding Integration Configuration on May 24 and 25. Shivam Sarawagi, Staff Software Engineer, and Lisa Henderson, Sr. Staff Software Engineer, shared their insights on VR integrations configuration, tuning and troubleshooting.
Here is the webinar recording:
Recommended Links:
ServiceNow Documentation
- Qualys Vulnerability Integration
- Resolving Qualys Vulnerability Integration Issues
- Understanding the Rapid7 Vulnerability Integration
- Understanding the Tenable Vulnerability Integration
- Understanding the MS TVM integration
Community
Questions & Answers
| Question | Answer |
|---|---|
| What is the rough, average processing metrics/minute i.e. how many records created/minute for importing from the scanner (Qual/ten/Rap7 etc) into VR and creating VIs? | Processing varies with the instance hardware settings and also the configuration of the rules. Out of the box (OOB), with the ideal instance, we are able to insert 250k VIs per hour. But this number can be more or less in different instances. |
| Please provide more details about scheduled import pools and can we access and configure scheduled import pools. | The scheduled import pools table stores the scheduled templates which can be used in VR. https://support.servicenow.com/kb?id=kb_article_view_popup&sysparm_article=KB0995644 |
| What is the recommended pagination for a massive payload? | If, with the OOB values, you are getting an attachment size of, let's say, 100 MB, then try to decrease the pagination to half; we should make sure the attachment size is always less than 50-70 MB. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1000704 |
| How successful are the integrations with Microsoft Defender via the TVM plugin? There are multiple restrictions from MDE which result in more API calls and reduce the performance of MDE, was this experienced or addressed by ServiceNow? | We have customers using the TVM plugin. Currently the API doesn't support filters at the full import or delta import APIs, which is something we are trying to discuss with the MDE team. |
| Do the New/Imported/Existing CIs counts get updated intra job or only when it finishes? | Counts are constantly updated during the run, whenever a process is completed. |
| What are the recommended page sizes? Do we have any leading practices on that? | It varies with the instance and the scanner you are using. But the general practice is to make sure the attachment size is less than 50-70 MB. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1000704 |
| We noticed that for our Tenable.sc integration only the very small Offset of 10 works, while the recommended value is 2000. Where can we check why that is? Is there a way to calculate the optimal page size? | If you get very large proofs, this would happen. Probably check why the attachment size is big. In an ideal scenario, 2000 should work. |
| What exactly does the "Total import queue processing time" in the Integration Run status tell us? (I am seeing longer times in there than what is possible based on start time. In other words: If the integration started 10h ago, it may state "2 days, 10h" or the like). | "Total import queue processing time" means the time taken by all the parallel threads to process the data. This would generally be large; you could instead divide the total time by the number of data sources to check how much time processing of the data is taking. https://support.servicenow.com/kb?id=kb_article_view_popup&sysparm_article=KB0993799 |
| Is the default timeout of individual processes 1 hour? I believe ours are timing out after 2 min of waiting. | This needs to be checked; currently we time out after 1 hour. |
| What's your recommendation on sequence of vul integrations? i.e. what's the best order of operations for Qualys Host Detection, NVD, CWE, Redhat Solution, MSRC Solution? | Our recommended order for loading: NVD, CWE, Red Hat, MSRC, Knowledge base, Host detection, Knowledge base backfill. |
| Do you have a recommendation on Scanner Integrations and API Calls in subprod environments? We constantly have our Qualys API Account locked out during clones down to subprod. | The recommendation is to not use the same account in prod and subprod. You should exclude the integration instance parameters table (sn_sec_int_impl_config) from the clone. |
Hello,
are you planning to share the presentation PDF like you did in the past?
Thank you
Patrik
The presentation PDF and Recommended links have been included.