

on 02-10-2021 11:28 AM
In partnership with the Tenable team, ServiceNow engineers have developed a new app to facilitate the integration of Tenable with ServiceNow Vulnerability Response. This tutorial by Ravi Kumar Kanukollu, Product Manager, explains the benefits of the new app and provides a step-by-step guide to start using it.
--------------------------------------------------
Video contents:
00:01 Introductions
00:39 High level presentation of the new app
01:08 Agenda
01:20 The Vulnerability Response free tutorials program
02:00 How the Tenable-built connectors integration works: three apps
02:30 The ServiceNow-built app replaces the three Tenable-built apps
02:55 Highlights of the new ServiceNow-built app: what it does, who will benefit from it
04:09 Features comparison
05:13 Two ways to migrate your data to use the new ServiceNow-built app
06:44 Setup assistant
06:57 OOTB industry standard CI Lookup rules that can be customized
07:22 Discovered Items
07:30 VPR Risk calculator
07:46 Rescan capabilities
09:00 Dashboard
08:35 Next steps and recommendations. First time: download the app from the Store. If you want to migrate from an existing setup: 2 options.
09:23 Conclusion
Previous Tenable integration tutorial.
Download the slides in PDF below
Hi Eric,
First off, this is a really good video to understand the difference between the connector and VR for Tenable. Before watching this video, I was confused as to which one I have to use for Schedule Imports.
Will be looking forward to the Risk Score Calculation Session.
Can I get some more help in understanding the risk rule for Tenable that gets activated on Tenable Plugin? Currently I'm working on Tenable for VR and I'm having difficulty understanding how the below script works for Tenable Risk Rule. Also would like to know: on activating Tenable Risk Rule, do we have to deactivate Default Risk Rule?
Where are the following fields being called? Source Risk Score, Asset Exposure and Business Criticality.
Also, how can I modify the below script to validate custom CI fields for Asset Exposure and Business Criticality?
//Rule Configuration
/* Begin - Weightage distribution */
//Sum of all the distributions should be equal to 100
var weightages = {
    "Source Risk Score": 70, //VPR Score
    "Asset Exposure": 15,
    "Business Criticality": 15
};
/* End - Weightage distribution */

/* Begin - Asset Exposure Criteria */
//This is an encoded query condition on the CMDB_CI table. Assets matching it
//are given the appropriate weightage in the risk score calculator.
//This condition on the CMDB_CI table has to be modified based on the customer requirements.
var exposureCondition = "nameSTARTSWITHexternal";
/* End - Asset Exposure Criteria */

/*
Available objects here are:
1. current --> GlideRecord of the VI.

Available APIs here are:
//These APIs are from Script Include - sn_vul.VulnerabilityCalculatorBase.
1. _getSeverityValue(weight, data //optional, useSourceRiskRating //Optional)
2. _getExploitValue(weight, data //optional)
3. _getExploitSkillValue(weight, data //optional)
4. _getExploitVectorValue(weight, data //optional)
5. _getBusinessCritValue(weight, data //optional)
6. _getExposureValue(weight, exposureCondition)
*/

function calculateRiskScore() {
    //Do not remove this code. The below two lines are needed for backward
    //compatibility with other script based rules.
    //Issue observed - GlideFilter.checkRecord API throws an exception, if current is not unset here.
    var vi = current;
    delete current;

    //Each helper returns weight * value; the weighted sum is divided by 100 below.
    var riskScore = 0;
    riskScore += getNormalizedVPRScore();
    riskScore += getNormalizedAssetExposureScore();
    riskScore += getNormalizedBusinessCriticalityScore();
    vi.risk_score = Math.round(riskScore / 100);
    current = vi;
}

function getNormalizedVPRScore() {
    var score = 0;
    var weight = weightages["Source Risk Score"];
    if (weight)
        score = _getSeverityValue(weight, null, true);
    return score;
}

function getNormalizedAssetExposureScore() {
    var score = 0;
    var weight = weightages["Asset Exposure"];
    if (weight)
        score = _getExposureValue(weight, exposureCondition);
    return score;
}

function getNormalizedBusinessCriticalityScore() {
    var score = 0;
    var weight = weightages["Business Criticality"];
    if (weight)
        score = _getBusinessCritValue(weight);
    return score;
}

calculateRiskScore();
After activating the Tenable Risk Rule, we still need the Default Risk Rule. The reason is that the former (Tenable Risk Rule) is applicable for Vulnerable Items (VIs) coming from Tenable and the Tenable Vulnerability type (Third-party entry, ex: TEN-144696) has a VPR Score (aka Source Risk Score in the Third-party entry table) associated with it.
For VIs from Tenable where there is no VPR score (Source Risk Score) available, we will rely on the latter (Default Risk Rule) to calculate the risk score.

How does the Tenable Risk Rule work?
This works similarly to the latter. Here is an example.

Example:
Weightage
var weightages = {
    "Source Risk Score": 70, //VPR Score
    "Asset Exposure": 15,
    "Business Criticality": 15
};

Let us assume the below for the current VI:
For Vulnerability, VPR score/rating - 7.5 (out of 10) / Rating = High (Code-2)
For CI, Asset Criticality => starts with external -> Let us assume the name does not start with external (not highly exposed)
For CI, Business criticality => Calculated based on the data from the table: sn_vul_m2m_ci_services => Let us assume it is somewhat critical (Code-2)

How does it translate?
For every VI, the method "calculateRiskScore" in the script is invoked.
VI.Risk score = ( 70 * (Score based on VPR) + 15 * (Score based on Asset Exposure) + 15 * (Score based on Business criticality) )/100
That is =>
VI.Risk score = ( 70 * (Severity - High/Code-2) + 15 * (100 if match with Asset exposure condition, else 0) + 15 * (Service Criticality -> Somewhat Critical/Code-2) )/100
VI.Risk score = ( 70 * (75) + 15 * (0) + 15 * (67) )/100 => 62.5 as risk score.

You can refer to the below APIs in sn_vul.VulnerabilityCalculatorBase on how codes translate to numeric values.
_getSeverityValue
_getExposureValue
_getBusinessCritValue

Also how can I modify the below script to validate custom CI fields for Asset Exposure and Business Criticality?
You can customize the exposure condition in the rule based on the relevant attributes from the cmdb_ci table.
//var exposureCondition = "nameSTARTSWITHexternal";
If you want to have more customization of Asset Exposure, you can write a method that serves your business use case in the Rule script and call that from the getNormalizedAssetExposureScore function as below.
function getNormalizedAssetExposureScore() {
    var score = 0;
    var weight = weightages["Asset Exposure"];
    if (weight)
        //score = _getExposureValue(weight, exposureCondition);
        score = yourCustomMethod(weight, exposureCondition);
    return score;
}
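
The scoring contract described in this answer, as an added example (not ServiceNow's code and not code from this thread): each helper returns weight multiplied by a value on a 0-100 scale, so a custom exposure method has to return `weight * 100` on a match and `0` otherwise. `customExposureValue`, the `u_internet_facing` and `u_network_zone` fields and the sample CIs are assumptions; plain objects stand in for cmdb_ci records so the model runs outside an instance.

```javascript
// Stand-alone model of the weighted risk rule (added example).
var weightages = {
    "Source Risk Score": 70, // VPR score
    "Asset Exposure": 15,
    "Business Criticality": 15
};

// The rule comment requires the weights to sum to 100; fail loudly if not,
// otherwise the final division by 100 no longer yields a 0-100 score.
function assertWeightsSumTo100(weights) {
    var total = 0;
    Object.keys(weights).forEach(function (k) { total += weights[k]; });
    if (total !== 100)
        throw new Error("Weightages sum to " + total + ", expected 100");
}

// Hypothetical replacement for _getExposureValue: decides exposure from
// custom CI fields instead of an encoded query on the CI name.
// u_internet_facing and u_network_zone are assumed custom fields.
function customExposureValue(weight, ci) {
    var exposed = ci.u_internet_facing === true || ci.u_network_zone === "dmz";
    return exposed ? weight * 100 : 0; // same scale as the other helpers
}

// severityValue and businessCritValue are the 0-100 values that
// _getSeverityValue and _getBusinessCritValue derive from their codes
// (75 and 67 in the worked example from the thread).
function calculateRiskScore(weights, severityValue, businessCritValue, ci) {
    assertWeightsSumTo100(weights);
    var riskScore = 0;
    riskScore += weights["Source Risk Score"] * severityValue;
    riskScore += customExposureValue(weights["Asset Exposure"], ci);
    riskScore += weights["Business Criticality"] * businessCritValue;
    return Math.round(riskScore / 100); // same rounding as the rule script
}

// Constructed sample CIs (plain objects, not real records).
var internalCi = { name: "app-server-01", u_internet_facing: false, u_network_zone: "internal" };
var dmzCi = { name: "web-proxy-01", u_internet_facing: false, u_network_zone: "dmz" };
```

With the thread's inputs, `calculateRiskScore(weightages, 75, 67, internalCi)` stores the rounded integer, and the same VI on `dmzCi` gains the full 15 points of exposure weight.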
Thank you Ravi. This helped me understand the calculations better.
Hi Ravi,
Can you help me understand why I'm not able to find the field VPR Score? I looked into all the VR Tables (VI, VG and Third-party) and am still not able to find the field. Is there something else I'm missing?
Thanks in Advance.
Hello Ravi / Eric,
We are using Tenable 2.7 plugin today and finding a lot of issues when we upgraded to Tenable plugin 3.0, as it got rid of Assets pending approval tables and is asking us to utilize IRE. We were thinking of switching to ServiceNow's integration plugin and your video is a good start for us. I see that we can do some mappings using CI matching rules with the new plugin. Thanks a lot for initiating these KB articles.
I was trying to access the migration scripts article as mentioned in the PDF and I cannot access it as it needs me to be part of VR group. I sent a request to be in the group and it was denied. Can you let me know what should be done from my end to be part of it?
We want to be the early adopters of this plugin. We are licensed to use SecOps Enterprise edition including Vulnerability Management module.
Best Regards,
Krishna
Hi Krishna,
Can you please register with your corporate mail ID and drop a mail to me (ravi.kanukollu@servicenow.com) in case you are not able to access the validation forum.
Thanks,
Ravi.
Hi Ravi,
I have the same issue. Unable to access the content.
Hi,
- Sign in to Now Community (top right corner of the main Security Operations forum),
- On that page, click on the blue button "Apply to join (sign in required)" in the "Vulnerability Response Feature Validation Program" box,
- Bookmark the page you will land on: this is where the forum lives,
- Then simply click on the blue "Join" button in the top right corner and we will get back to you with access to the forum.
Thanks for sharing this!
Regarding the "Rescan" capabilities, could you share more details on the following use case:
How to avoid re-scanning non-routable IP addresses (esp. those used on backup NICs of the host CI), so that only the routable IP addresses used on primary NICs will be re-scanned?
Hi, How do I tell whether it's a Tenable built integration or SNow built integration? Is there an easy way to validate this information?
Is there any documentation on loading the data from the source import table to VR? Need to load some other fields from the data source in Snow to VR. I couldn't find anything in the Transform map.
@SM6 did you ever get an answer to your question about finding the VPR field?
I'm not able to find it either. I know it is used in calculating the risk score for the VI, but I would like to see the VPR score displayed as its own field.
@SM6 @cyberchef @Ravi Kanukollu Can anyone help me to find the attribute for VPR in VR? I just can't seem to find anything on this. I need to implement VPR base scoring instead of cvss3. Thanks in advance.

@KarenKaur - the Tenable VPR data in the NOW Store App for Tenable / SecOps, is stored on the Third-Party Entry table.
Check out the Docs here - for the specific data transforms (what Tenable data fields are mapped to what ServiceNow fields)...
Thanks a lot for the advice.