Eliz Skogquist
ServiceNow Employee

On July 16 & 17, Abhinav Ramaseshan, Principal Technical Curriculum Developer, and I hosted another "Success with VR" webinar highlighting the processing, configuration and learning curriculum for three different scanning sources, one for each of these applications: VR, AVR and Container VR. This was our opportunity to highlight the specifics for configuration and the new On Demand curriculum for these integrations, including demonstrating the set-up.

 

Agenda:

  • Configuring Tenable integration for Host Vulnerabilities
  • Configuring Veracode integration for Application Vulnerabilities
  • Configuring Prisma integration for Container Vulnerabilities

The webinar recording can be viewed here:

 

 
Now Learning Resources

 

ServiceNow Documentation

Community

 

Questions and Answers

Q: What are the tables that the Prisma integration loads?
A: Table names:
  • Vulnerabilities [sn_vul_third_party_entry]
  • CVITs [sn_vul_container_image_vulnerable_item]
  • Image Findings [sn_vul_container_image_findings]
  • Discovered Container Images [sn_vul_container_image]

Q: Is there a learning module for greenfield integrations using the Integration Assistant Guide?

Q: Are these integrations part of VR Products SKUs or Integration Hub Pro/Ent?
A: VR products SKU

Q: What is the length of time that the XML attachments are saved and available? We use them for troubleshooting, but they disappear and are not available after a period of time, so we are wondering what the default time is that they are saved before they are deleted.
A: On the integration process, 14 days; import queue entries are persisted only for 7 days. You can increase this from the daily scheduled job "Cleanup attachment".

Q: When can we expect a session on end-to-end VR implementation?
A: That would be a long session. However, take a look at the collection of webinars, which sequences the understanding needed to implement VR: https://www.servicenow.com/community/secops-articles/quot-success-with-vr-quot-webinar-series/ta-p/2...

Q: Is there a way to pull Veracode data in through this integration if we only have the old host/infra VR? Can it be configured to be redirected to host VR and not AVITs?
A: This would be a customization to redirect Veracode data into VR and not AVR. AVR was designed to handle application-type scans and has different fields on its tables than the VR solution. We have designed Watch Topics, Workspace and Dashboards to have all VR-type data accessible from one screen, if that is your reasoning for bringing data together.

Q: The "Start time" mentioned earlier - "you want to initial run the integration with no date and all opens will be brought in". Does it work the same way for Tenable and Qualys? And how will the system know to take into consideration only open/active and not also closed/fixed if the start date is not provided?
A: Yes, this works for the initial run of all integrations. There is a parameter on the integrations that asks whether you want to bring in closed data. Since closed records do not have any actionable tasking for SN, it's common not to load those records and to leave that option unchecked.

Q: My understanding is the parallel processing is happening in the queue after the single-threaded JSON payload is written to it. Is there a way to make parallel processing of API JSON payload retrieval as well?
A: At this time that is not possible. If you are looking to have the processing of the integration complete faster, consider increasing the data sources past the 4 which are configured OOB. This is dependent on the number of nodes that you have available in your instance; please log into Support and review KB0995003 for details on how to do so.

Q: What is the correct order of running Veracode jobs? First CVS, second VIs ... or does it not matter?
A: Order of data loading does matter, and OOB they are configured to run in the preferred order. So if you don't update that, you should be set to go.

Q: Where would database scan results be stored in ServiceNow? AVI, VI, CC? Example: scanner findings when a database is scanned to identify risks related to unencrypted data in certain fields (i.e. PII or PIFI).
A: If your database scans are coming from Tenable or Qualys, they will be loading into VR.

Q: Once a vulnerability is scanned through the Tenable integration and comes to SN, a VI gets created. During the next scan, if the vulnerability no longer exists, does the VI get closed automatically in SN? Are there any settings changes that need to be done in SN to do that?
A: Configure Auto-Close Stale detections so that VIs on assets that have been taken off the network, and will no longer have a scan to update them, age out and close. The timeline depends on how frequently an asset would be scanned and should be set past the number of days in which it would have been scanned a second or third time.

Q: What does SNow use to uniquely identify what a compute VIT is? Is there an ID that compute sends per alert to correlate to a single row of data, or is SNow creating that through some concat of fields?
A: If this is for Prisma container, it is configurable: you can choose what constructs a unique record.
1. Configure the granularity of a vulnerable item.
   a. Navigate to Prisma Cloud Compute Integration > Configure Image Vulnerability Keys.
   b. Configure the granularity of the CVITs by selecting the required check boxes.
The vulnerable items are created based on the selected keys, during the next import.
Note: By default, a CVIT is created for a combination of Image Repository, Vulnerability, and Image tag. You can add components to the key for further granularity. For example, you can create a CVIT for a combination of Image Repository, Vulnerability, Image tag, and Cluster. Once the vulnerable items or vulnerable item findings are created, the check boxes are no longer editable.
https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/secops-integration-...

Q: Do we have Dynamic and Static Search list for Veracode?
A: Veracode supports integration for DAST, SAST, SCA and manual (pen test) loads.

Q: Are there connectors that integrate with DBMS tools, not network scanners?
A: There are numerous integrations available on the store; not sure if you have looked there for your tool. We do provide guidance and certification for partner-developed integrations, if you don't see one available and have an interest in requesting that the vendor you work with build one.

Q: Vulnerability Import data - is it for instructing ServiceNow how old of data it should import from Tenable?
A: To determine how much history you bring in, you can use the "Start time" field on the integration to go back to the historical data you want to begin importing from. It's common to start by bringing in only active findings, and not closed/fixed. With that being your preference, you want to initially run the integration with no date, and all opens will be brought in. Once a successful run has completed, that Start time will update to the time of the last successful load and only bring in delta data from the last run.

Q: Does the Container CVIT also force the use of Remediation Tasks like Config Compliance does?
A: No, currently Remediation Tasks for CVITs do not align with Configuration Compliance. If you want to create a Remediation Task for Container VIs, you could do so through Watch Topics.

Q: How to convert unclassed Hardware and Incomplete IP Identified Device CI to populate as matched in discovered item?
A: As assets become defined in the CMDB as a CI, the IRE rules that follow the CI Lookup rules should update the classification when found. To reconcile unmatched discovered items on demand, please review: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/vulnerability-respo...
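
The key granularity described in the Prisma answer above, modeled as an added example (not ServiceNow code and not part of the original article): the same constructed findings are grouped under the default key and again with Cluster added. Field names, sample values and the "(unset)" handling for a finding with no cluster are assumptions.

```javascript
// Added illustration, not ServiceNow code: models how the fields chosen as the
// "image vulnerability key" decide how many vulnerable items (CVITs) exist.
// Field names, sample findings and the unset-cluster handling are assumptions.
const DEFAULT_KEY = ['imageRepository', 'vulnerability', 'imageTag'];
const KEY_WITH_CLUSTER = [...DEFAULT_KEY, 'cluster'];

// Constructed findings; the CVE ids are placeholders, not real identifiers.
const FINDINGS = [
  { imageRepository: 'registry.example/payments', imageTag: '1.4.0', vulnerability: 'CVE-EXAMPLE-0001', cluster: 'prod-east' },
  { imageRepository: 'registry.example/payments', imageTag: '1.4.0', vulnerability: 'CVE-EXAMPLE-0001', cluster: 'prod-west' },
  { imageRepository: 'registry.example/payments', imageTag: '1.4.1', vulnerability: 'CVE-EXAMPLE-0001', cluster: 'prod-east' },
  { imageRepository: 'registry.example/payments', imageTag: '1.4.0', vulnerability: 'CVE-EXAMPLE-0002', cluster: 'prod-east' },
  // Same finding reported again by a later scan of the same cluster.
  { imageRepository: 'registry.example/payments', imageTag: '1.4.0', vulnerability: 'CVE-EXAMPLE-0001', cluster: 'prod-east' },
  // Image scanned in the registry only, so no cluster is reported.
  { imageRepository: 'registry.example/payments', imageTag: '1.4.0', vulnerability: 'CVE-EXAMPLE-0001' },
];

// Build a collision-safe composite key; a missing field groups under "(unset)".
function buildKey(finding, keyFields) {
  const parts = keyFields.map((field) => {
    const value = finding[field];
    return value === undefined || value === null || value === '' ? '(unset)' : String(value);
  });
  return JSON.stringify(parts);
}

// Group findings so that each distinct key corresponds to one vulnerable item.
function groupIntoItems(findings, keyFields) {
  const items = new Map();
  for (const finding of findings) {
    const key = buildKey(finding, keyFields);
    if (!items.has(key)) items.set(key, []);
    items.get(key).push(finding);
  }
  return items;
}

// Summarise: number of items and how many findings roll up under each.
function summarize(findings, keyFields) {
  const items = groupIntoItems(findings, keyFields);
  return { itemCount: items.size, findingsPerItem: [...items.values()].map((g) => g.length) };
}

console.log('default key  :', summarize(FINDINGS, DEFAULT_KEY));
console.log('with cluster :', summarize(FINDINGS, KEY_WITH_CLUSTER));
```

Because the check boxes lock once vulnerable items or findings exist, a comparison like this over a sample of scanner findings before the first import shows how many items each key choice would produce.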

Last update: 07-26-2024 12:38 PM