

on 12-30-2019 11:58 AM - edited on 02-19-2025 07:49 AM by Steph Morillo
Luke Kasper is back, this time with key advice on how to get the best out of VR and SIR Dashboards and Reports.
13 minutes well spent, whether you are just getting started with your applications or have been using them for a while.
A call to think critically and strategically.
Luke is Principal Security Consultant at ServiceNow and already a veteran of the Community tutorials for Security Operations.
------------------
Video contents
00:02 Introductions
00:34 Why you need to watch this
01:14 Refreshers - Maturity Framework, program structure
01:48 Dashboards demo - Home pages available out of the box: CISO reporting overview, Security Incident explorer, Security Incident manager overview, Security analyst overview, etc.
04:23 Reports demo - Out of the box: 22 reports for "Security Incident". Make your own.
05:43 Methodology: Goal - Question - Metric
07:31 Example for Security Incident Response
08:40 Example for Vulnerability Response
10:02 Do's and don'ts
11:28 What to do now
12:34 Reminders and conclusion
Please download the PDF version of the slides below.
Also, please find the webinar recording of the "Success with Vulnerability Response" VR Reports and Dashboard Recommendations, held on April 12 & 13, 2023 with Lisa Henderson, Sr. Staff Software Engineer, and Elizabeth Skogquist, Sr. Product Success Manager, SecOps:
Recommended Links:
Community
ServiceNow Documentation
- Use Watch Topics in the Vulnerability Manager Workspace
- Reporting compared to Performance Analytics
- Configure Performance Analytics Fundamentals
- Data visualizations in configurable workspaces
- Getting started with Reports
NowLearning (learning.servicenow.com)
- Performance Analytics – On Demand courses (use checkbox in left nav)
- Platform Analytics Workspace
- Getting Started with Reports
The webinar pdf slides are attached below.
Question | Answer |
Where can I find the VR training curriculum? | The various VR training curriculum available to you on NowLearning can be found at: https://learning.servicenow.com/lxp?id=search&q=vulnerabilty%20response |
Will the slides be shared for offline reference? | Slides are available on Community.servicenow.com for download alongside the recording and the Q&A: https://www.servicenow.com/community/for-new-customers-vr-articles/tkb-p/secops-vulnerability-respon... |
Where is the determination of "Internet Facing" coming from? (Under details, for a workstation, I see it states "Internet Facing = True"). Can this be influenced somehow? | The information of Internet facing comes from a CMDB attribute. At this time it is not automatically updated. |
Where is Docs located on the SN site? | To get to ServiceNow system documentation go to: docs.servicenow.com |
What would be best practice for a dashboard for the TOC to be able to see Microsoft vulnerabilities for monthly patching? | Via solutions from Microsoft you can do that filter. For more information, go to: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/secops-integration-vr... |
What was the name of that PA system property for limiting queries to 50,000? | The property: com.snc.pa.dc.max_row_count_indicator_source default is 50,000. Often when running Indicators on the Vulnerable Item table, this is too small. It is encouraged to not update the system property, as this will have it take effect on all PA jobs on the platform, but work with the Indicator Source, Records Collection tab, and check the Override Records Collection box, and update the Maximum number of fetched records on the job solely. This will allow you to size this job up to that of the VI table, and have control on the other PA jobs across the platform. |
What role is needed to see Unit or Number format in Indicator properties? | Unit is not editable for benchmarking indicators, but you should be able to see the unit with pa_admin or pa_power_user role. |
What are your thoughts on limiting VIs to only be created for non-retired CIs? | Considering VIs only be created on non-retired CIs could be dependent on your company's process for retiring a CI and removing it from the infrastructure. Otherwise, you can still scan for that asset and if found with vulnerabilities recognize that it remains active in the infrastructure by allowing that VI to be created. We offer you the flexibility to choose your option. |
What are the roles associated with being able to create a watchtopic? | To view Watch Topics requires role sn_vul.read_watch_topic; To create Watch Topics requires role sn_vul.create_watch_topic |
What are the pros and cons between using the IT Remediation Owners Workspace and the native UI? Is one recommended over the other? We have remediation owners already working in the native UI for all other ServiceNow ticket types (change, incident, problem, etc) so it didn't make sense to give them a separate space just for vulnerabilities. | Workspace allows them to have multiple records open at a time and work across them. In addition, it presents a more condensed format of what is needed to complete the remediation. However, if they favor working in the native UI, the information is still available to them, it will simply be in a different format. |
What are the filter criteria for the CISA KEV Top 15? | To filter for the CISA KEV Top 15 you can apply like VIT.vulnerability.TPE.cves in one of the CISA CVE or VIT.TPE.CISA Exists as true |
We have a business need to report across all vulnerabilities so we have customized a way to report on AVITs and VITs which would be really great to have out of the box from ServiceNow in the future. | We are working on a unified dashboard to allow for VITs, AVITs and others to be displayed in a new executive dashboard. |
We find that Remediation Owners prefer to view Vulnerable Items, rather than Remediation Tasks. It gives them true picture of number and criticality of open vulns. Tasks are only used if they want to seek exception for group of VITs. Do others have the same experience or are Remediation Tasks your main focus? | A Remediator's preference to work on a Remediation Task or a list of VIs varies by usage, style and scale. For example, some organizations distribute work in very small chunks so starting from individual vulns is manageable. Others share a huge amount by group and it's less desirable to use the list. Regardless, you can create your own list views in Workspaces, and this could be useful for some teams. Note that, as Lisa mentioned, list views can run slower in very large environments when filters are not used… so a good use case would be a list for Vulnerable Items assigned to me + OR + Assigned to one of my groups |
Was the risk calculator webinar ever posted? | All previous sessions are available on Community.servicenow.com in this articles library: https://www.servicenow.com/community/for-new-customers-vr-articles/tkb-p/secops-vulnerability-respon... Please share the link with others who may benefit! |
Regarding Reporting Future: Aggregation.... are you referring to what is commonly known in SQL as "History" or "Summary" tables? | The future reporting capability using Aggregation is what is known in SQL as Summary tables. It will allow a more timely response to be surfaced on groupings across large tables. |
I have been trying to figure out a way to create a report that displays records in the unclassed hardware table that are not linked to a corresponding discovered item (orphaned unmatched CI). We purged records from the discovered items table (where state = unmatched and the Discovered Item was NOT related to a Vuln Item) and the related CI was supposed to be deleted as well but we found that the CI was NOT getting deleted. | We don’t have reference delete on the discovered items. You would need to delete the unclassed hardware CIs, as well. The reason we don't do that is we are not sure if it's being referenced anywhere else like change requests etc. You can check this as well https://docs.servicenow.com/bundle/tokyo-servicenow-platform/page/product/configuration-management/c... |
Can you show us how to setup PA VR for CISO? | To set up PA VR for CISO, see this link: https://docs.servicenow.com/bundle/utah-security-management/page/use/dashboards/application-content-... - effectively this requires installing the “Performance Analytics for Vulnerability Response” app and enabling scheduled jobs. Based on the size of your VI table, you may need to update the Indicator Source Records Collection Max fetched records. |
OOTB it does not seem possible to use the Vulnerability.Summary field (Vulnerability Title) as a breakdown. This means we cannot provide meaningful PA reports such as a breakdown scorecard widget on the top 10 vulnerabilities. The only option is (this may be Qualys specific) the "Vulnerability" top level field which is just a unique ID for a vulnerability. This means that the scorecard breakdown widget would just display "QID-123456" instead of "Windows Security Update for March 2023". As you can guess, that means we cannot use the title of vulnerabilities on any PA widgets which is a huge loss. | The Vulnerability.Summary field is a large text field, so not applicable for a breakdown field. |
One client has 5Mn+ records in VI table, where the three primary OOTB VR dashboards (non PA) have lots of report widgets which are failing to load completely saying it failed with Timeout error on those particular widgets, what would be the best way to handle those load errors since its all OOTB reports? | For standard reports, they do have limits to the size of tables they can work with effectively. Limiting the condition to exclude more records may help. |
May we please have the link to the registration for the other webinars? | Here is the link to Community where registration for upcoming webinars is available: https://www.servicenow.com/community/secops-articles/2023-q3-product-success-events-program/ta-p/260... |
Is there any way to watch the recordings from the previous 4 monthly Success with VR sessions? | You are able to watch all previous Success with VR webinars out on the Community.servicenow.com. They are stored together in Articles: https://www.servicenow.com/community/for-new-customers-vr-articles/tkb-p/secops-vulnerability-respon... |
Is there any documentation about Performance Analytics VR step by step instruction to set it up? | Documentation for setting up Performance Analytics for VR can be found at: https://docs.servicenow.com/bundle/utah-security-management/page/use/dashboards/application-content-... Effectively this requires installing the “Performance Analytics for Vulnerability Response” app and enabling scheduled jobs. |
Is there any capabilit-y/-ies one could leverage with the Security Module/Vul Mgmt to enable traceability of VI to CI to patching. | To see a VI through to Change and automated patching, take a look at: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/vulnerability-respons... |
Is there a way to breakout a multiple detections to a single VIs? | Today you can control how granular your detections form into VIs. Information on this can be found at: https://docs.servicenow.com/bundle/utah-security-management/page/product/vulnerability-response/task... |
Is there a side by side comparison of what PAR is intended for vs the dashboards inside VR itself? | Performance Analytics is going to be beneficial to view any time series data, as well as a means to get reporting on large scale implementations. |
Is there an option to create a vulnerability manually? | To create a vulnerability manually, review the option of Manual ingestion in docs, you can also create it via script. https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/vulnerability-respons... |
In product documentation, there’s a part called “Optimizing data collection”. On the page it says that optimized data collector supports over 10 million records. My question is: What is actually the maximum record limit for optimized data collection and standard data collection for PA? | In the San Diego release, the platform improved the data collection limit and we are using the Java-based DB internally to improve the data collection memory consumption. We have tested with large amounts of data successfully. You can increase and test it for your data, and please let us know if you find any issues. There should not be any limit as of San Diego or later releases. |
I would also like to know how to track the CISA KEV in a watch topic. CISA KEV is a whole different table. | To track CISA KEV in Watch Topic: CISA values are present on the Vulnerability, so you can dot walk to them from a VI, like VI.vulnerability.TPE.cves in one of the CISA CVE or VI.TPE.CISA Exists as true |
How do you setup personas for different teams to view their vulnerabilities? Apps vs servers vs network gear, etc.? | Assignment groups OOB limit access to VUL or VIT records via ACL to only those assigned to a User or their groups. Assuming that each group: Application Team, Server Team, Network Gear Team are separate assignment groups, each will have limited access to VIs or Remediation Tasks (VULs) by design. |
How can you assign a watch topics for a group or individual from admin side? | You could assign a Watch Topic for a group or individual by filtering for the CI’s “assigned to” or "assignment group". This could be useful in certain cases, however keep in mind that when you create remediation efforts for a Watch topic - those automatically break out into assignable chunks. So often we watch things at a high level in watch topics… and use Remediation Efforts/Tasks to assign and track the distributed work. |
Do you recommend removing OOTB breakdowns if we aren't using them? Or should we keep them for future upgrade purposes? | Yes, it is recommended to remove OOTB breakdowns that aren't being used. They can be activated at the time they are needed in the future. |
Do we need to have the CISA App installed to track the CISA Top 15(KEV) when creating a watch topic? | You need to have the CISA application installed in order to track CISA Top 15 (KEV) in Watch Topics. |
Could you explain again how to get to the CISA KEV info? | You can get the CISA KEV info via the app in the store: https://store.servicenow.com/sn_appstore_store.do#!/store/application/86d3a33138730110f57bbd9937bef5... |
Can you share watch topics views with other team members? | At this point you are not able to share your Watch Topic views with other team mates. It is being considered for future. |
Can you explain the function of the watchlist and owning group fields of watch topics? Do they restrict access to the watch topic? | The Owning Group field on Watch Topics determines who owns this Watch Topic. It does not restrict the UI access. |
Can VIs be filtered based on watch topics to identify the VIs related to the specified watch topic? | Watch Topics are created to filter VIs related to a specific topic. |
Are Watch Topics viewable for other roles besides Analysts and VR Admins? Is that configurable? | Watch Topics are available to VR Analyst and VR Admin. You can add the ability for viewing by any other role. The users can read all VIs, so allow to only those who are able to see these VIs. |
Are the watch topics customizable? | Each WatchTopic is defined for its unique use for tracking a group of VIs. |
Are the VR dashboarding and reporting concepts the same in AVR? | Yes, the dashboarding and reporting concepts for VR are the same for Application VR. |
Would one of the intents behind the future aggregation/summary tables be to enable the ability to show proper historic trending in reports... (think line graph of VI's by month) | Currently there is no plan to have the aggregated reporting feature for trending. |
Do you know of an option that would allow me to display some sort of widget, ideally on a breakdown dashboard (breakdown by Assignment Group) to show the vulnerability title and trending information? I think it may be possible to include regular reports on a PA dashboard but I am not sure if they are compatible with breakdown dashboards. I know reports wouldn't have trending information either though but the end goal would be to have a single dashboard that could be used by any AG to view only their vulnerability information by using the dashboard breakdown by their group or department | The upcoming aggregated reporting feature is a way to do that as well. Standard reports are able to be shown on PA dashboards. |


Article now updated with the recording of the May 2023 Success with VR webinar (see above).
Is there an update on the Aggregated Reporting future feature that is discussed in the April 2023 session "Success with Vulnerability Response: Reports and Dashboards"? This feature does not appear to be in Innovation Labs any more, but I also cannot find anything about it in the June store release notes. If there is documentation that provides more detail on this feature, can you please provide a link?
Or have plans changed regarding this feature?
Hi Terry
I asked our account manager about this when I saw it on the Webinar as well and was told it's not on the innovation lab and only available for those companies who are part of the Design Partner programme. It would be good if the presenters could fact check their information before announcing it's available on the Webinars.
Thanks, John. Your reply explains the absence of information at this point. Eagerly awaiting more details on this function to understand what it does/doesn't do and limitations/advantages v PA. If anyone can provide any further information on this, please reply.
The Aggregated Reporting capability is coming in the November release.
Hello Everyone,
I'm experiencing an issue with adding assignment group on "VIs by age" widget, is there any way we can sort VIs by age by "assignment groups" or maybe we can add assignment group by "on Click" configuration. Any leads would be greatly appreciated.
Best,
Ayub