06-21-2023 05:21 PM - edited 05-20-2024 10:18 AM
The "Success with Vulnerability Response" series of recommended practices deep-dive webinars continues. Following your VR implementation, there are a number of maintenance considerations and processes to put in place to maintain a health VR implementation. Julian Azaret, Sr. Principal Outbound Product Manager, and myself, Sr. Product Success Manager, SecOps, presented the team's recommendations to be successful with on-going maintenance and processes of data in the VR application.
The webinar recording:
Recommended Links:
Community
ServiceNow Documentation
- Reconcile Unmatched Discovered Items
- Duplicate CIs
- Reapply CI lookup rules on selected discovered items
- Create, enable or modify VR auto delete rules
- Slow scripts log record detail
Support (requires log in)
- KB1001240 Manage Vulnerable Items with no Configuration Item
- KB0998706 CI Matching in Vulnerability Response
- KB1157979 Best Practices: Vulnerability Response Implementation for better performance
| Question | Answer |
| --- | --- |
| Are there any best practices to improve the performance of the VR application due to the huge volume of data in the vulnerable item table? | Yes, here is the best practices guide to improve VR performance: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1157979 |
| Can you explain the functionality of the detections table again? | The detection is an occurrence of a vulnerability reported by a scanner. |
| We have one vulnerability that affects 10 servers, but each of these servers has its own remediation team. So, if we did the above we could create 10 remediation tasks? | Here is the documentation around the remediation task rules: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/vulnerability-respons... Yes, if 10 servers have 10 different support groups, the VIs for each server would assign to the appropriate CI.Support_group (assuming data in the CMDB is complete for these assignments), and remediation tasks are defined to group by vulnerability and assignment group, causing a Remediation Task for each different remediation team. If the CI support group is different for each of these servers then the OOB assignment rule would assign each of the VIs to the appropriate remediation team. The remediation task rule breaks groupings out by different assignment group. So, for the scenario you describe you are utilizing two of the OOB rules. |
| Can you post what causes an Unclassed Hardware vs Incomplete IP? | If the scanner returns only 'IP' information on an asset, the Vulnerability Response module creates CI records in the 'Incomplete IP' table. Else, if any additional attributes are found the records will be created in the Unclassed Hardware table, if no CI in the CMDB matches the attributes being brought in by the scanner and defined as a match in the CI Lookup rules and IRE. |
| Could you please post the link for the white paper that discusses the Incomplete IP data? | https://www.servicenow.com/community/secops-forum/white-paper-incomplete-ip-identified-devices-and-w... |
| Does this ignoreCIClass then auto create mismatched CIs? | If the CI is not rightly matched, then you should check your CI lookup rules and update those, or an unmatched record is created. If you have defined a class for ignore, if the attributes don't have the asset match another CI an unmatched record is created. |
| For the first Discovered Item number, is it in ascending order or descending order? | Discovered Items are created with numerical sequencing in ascending order. |
| For the "Auto-close VIs linked to retired CIs" functionality locked behind migrating to CSDM lifecycle standards... any chance of adding functionality for legacy fields like install status instead? | The guidance from the CMDB is to follow the CSDM and hence we would want to follow those standards. The recommendation is to migrate to the new fields to get the best value out of the product. |
| What do you have for a vulnerability entry which doesn't yet exist in the Third-Party entry table, but there needs to be a manual VIT created? I.e. for log4j, the scanners didn't provide a Vulnerability Entry for like 2 days but people were aware of it, so the Vul team wanted to create a VIT to get log4j fixed but there was no Vul Entry so they couldn't include information. Is there a way to create a manual Vul Entry or something? | We do have Exposure Assessment for the zero-day vulnerability use case. In this, you can identify the exposure by providing the software information and then create the vulnerability and VIs on the click of a button. Here is the product documentation around the same: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/vulnerability-respons...; Another doc link: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/vulnerability-respons... |
| Thank you, but that requires using the SAM application? There is nothing in the VR application? | This is inside the VR application but it queries against SAM to identify your exposure. If you just want to upload the manual data inside VR, you can use: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/vulnerability-respons... |
| I have values in the Number column (SDI#'s) but an empty Configuration Item value, and the State field shows Matched. What does this mean? | This means that the CI has been deleted. |
| If we have the IRE capability activated then we won't ever have an 'empty' CI, will we? The IRE will create a CI for that, but it will be in the 'Unmatched' state? | But it's possible that the CI created/matched by CI is deleted by your CMDB team. In that case, the discovered item will have the empty CI. |
| Is KB0998706 available as a downloadable document? | Yes, you should be able to download this, or else reach out to our support team. |
| Is there a recommended best practice on CI lookup rule order? | The recommended order is shipped OOB for each vendor integration. For details on how CI matching works, you can refer to this KB: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0998706 |
| Is there an additional license associated with the VR Health Dashboard plugin? | There is no additional licensing for use of the VR Health Dashboard. It is available to all VR licenses at no cost. |
| Is this a scenario where we would want to remove discovered items then? | If you're referring to the duplicate CI scenario - No. That Discovered Item remains important to the platform remembering the match between that scanner payload and the master CI that has been newly replaced in the reference field by remediating the de-duplication task. |
| I've got some VULs in an Open State with no open VITs. What is the recommended way to close these? | Were the VITs closed by the scanner with a Closed state and Fixed substate, or are the VITs in some other states apart from Closed-Fixed? |
| Other States [Resolved \| Deferred \| Awaiting Implementation \| Under Investigation \| Open] ... Found on Remediation Task Table Filter = Vulnerable Items < 1 and State != Closed | The remediation task will be closed automatically if the vulnerable items are closed by the scanner. Since in this case the vulnerable items are still not closed, the remediation task will rightly remain open. |
| Our system auto-creates an "Unclassed CI" if the CI Lookup Rules fail. Is that a configuration that can be turned off so that we can find these empty discovered items? | The unclassed hardware is created by the IRE if the CI is not identified by both CI lookup rules and IRE. If there are too many records in this class getting created, you should check your CMDB health or the CI lookup rules to ensure that the matching is good. An Unclassed CI (legacy), Unmatched Hardware or Incomplete IP record will not create a discovered item with a missing CI, simply an unmatched CI. These are still valid vulnerabilities that should be assessed for remediation. To find the discovered items with empty CIs, you'll have to query to get that on the Discovered Items table list view. |
| Thanks for setting up this call! On May 24th, there was a "Success with VR Integrations" session. Is it possible to access the recording? | Look for all Success with VR webinar recordings at: https://www.servicenow.com/community/for-new-customers-vr-articles/tkb-p/secops-vulnerability-respon... |
| Will the reapply CI lookups work to match to the correct CI when it's already been matched to an auto-generated mismatched CI? | Yes, following the update of a CI lookup rule it will match to the right CI post update, or once the CMDB health has improved (data updated). |
| We were told you could not assign a vulnerability [remediation task] to multiple remediation owners. Would you use the "Group vulnerable items by assignment rule" for this? | Yes, you can group by assignment rule to have different remediation tasks created for different remediation owners. In fact, the OOB remediation task rule has the Assignment rule as one of the fields. |
| What circumstances cause a Closed VUL \| VIT to toggle to Open? | A closed VIT will be opened if reported by the scanner as being active. |
| What happens to deleted VIs? For audit purposes? | These will be available in the sys_audit_delete table. |
| What is M2M group item? | The table name is 'sn_vul_m2m_vul_group_item'. It's an m2m table defining the relationship between vulnerable item and remediation task. |
| What is the best path to troubleshoot slow scripts that are OOB? For example, we have one for Script Action: CalculateCountsVR that is taking 2.6mil ms on average. | This doesn't look like it's too much. But if you feel that it is considerably slowing things down, then you can raise a case for us to explore whether tuning could assist. |
| What is the difference between the below 2 Remediation Task tables? 1. sn_vul_vulnerability 2. sn_vul_remediation_task | The sn_vul_vulnerability is the main table. The Workspace fetches info from the new "sn_vul_remediation_task" table that stores info from multiple VR tables. |
| When talking about managing the size of the vulnerable items table, I didn't hear a recommendation to use archival rules or an archival table. Should we avoid archiving? | Archival should be planned in small chunks if it is being put in place as an afterthought. In catching up to the current period, we recommend archiving a month at a time until you are at your current time period. |
| When using CI Exposure, should that indicate an outbound internet connection or only inbound through something like a load balancer, or services that may be externally accessible? The field on Configuration Item I found is "Internet Facing", which is true for all CIs, so not sure what we can utilize there, thanks! | This is more of a CMDB question. We would suggest checking with them on what fields can provide this information. Currently the field is not being auto-populated by vulnerability scanners, so it would need to be managed by the CMDB process. |
| When using PA for reporting, can I reduce the closed days to 6 months and still get reports on records which are older than 6 months? | This is going to be difficult to achieve if you reduce the closed days to 6 months. |
| Where do you set the assignment rules? | Assignment rules are defined in Vulnerability Response > Administration > Assignment Rules. We encourage the use of Classification Rules ahead of Assignment Rules. The assignment rules are triggered through the business rule on the vulnerable item. So, when the vulnerable item is created, the assignment rules are evaluated. |
| [VR ver 16.3 here] We have over 300K VITs attached to Retired CIs. We set the option to Close VITs attached to Retired CIs but the functionality is not working. Told by our Platform Team that this functionality relies upon Lifecycle Status [CSDM] and enabling this will not happen for quite some time... Question: Does the Auto Close functionality indeed rely upon Lifecycle and CSDM? Question: what is your recommendation for getting these VITs attached to Retired CIs closed? | We have the following product documentation on how the VIs are auto-closed for Retired CIs: https://docs.servicenow.com/bundle/utah-security-management/page/product/vulnerability-response/conc... And yes, this functionality relies on the Lifecycle management of the CI. If you are using some other columns instead of these, you can migrate to using these as mentioned in the product documentation: https://docs.servicenow.com/bundle/rome-servicenow-platform/page/product/configuration-management/co... |
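Two of the answers above describe decision logic that is easier to reason about when you can step through it: how a scanner payload ends up as a matched CI, an Incomplete IP record or an Unclassed Hardware record, and how remediation task rules group vulnerable items by vulnerability and assignment group so that one vulnerability across servers owned by different teams yields one task per team. The following is an added example written for this post; it is not ServiceNow code, not the webinar's material, and does not use the platform API. It is a plain-JavaScript model of that flow. The CMDB records, the two CI lookup rules, the group names, the "Unassigned" holding group, the vulnerability IDs and the `unmatched:` ID format are all constructed for the demo; only the concepts (lookup rules tried in order, the two unmatched classes, support group feeding the assignment rule, grouping by vulnerability and assignment group) come from the answers.

```javascript
// Added example, not ServiceNow or webinar code: a plain-JavaScript model of
// the flow the Q&A describes, from scanner payload to CI match state, vulnerable
// item and grouped remediation task. Every record, rule and group name below is
// constructed for the demo; only the table concepts come from the post.

// Constructed stand-in for the CMDB. "support_group" is the CI field the OOB
// assignment rule reads when it assigns a vulnerable item.
const cmdb = [
  { sys_id: 'ci-001', ci_class: 'cmdb_ci_linux_server', fqdn: 'web01.example.test', ip_address: '10.0.0.11', support_group: 'Linux Ops' },
  { sys_id: 'ci-002', ci_class: 'cmdb_ci_linux_server', fqdn: 'web02.example.test', ip_address: '10.0.0.12', support_group: 'Linux Ops' },
  { sys_id: 'ci-003', ci_class: 'cmdb_ci_win_server',   fqdn: 'db01.example.test',  ip_address: '10.0.0.21', support_group: 'Windows Ops' },
];

// Constructed CI lookup rules, tried in order. A rule applies only when the
// payload carries every attribute it needs, and it matches when a CMDB record
// agrees on all of them.
const ciLookupRules = [
  { name: 'FQDN match', attributes: ['fqdn'] },
  { name: 'IP match',   attributes: ['ip_address'] },
];

// Resolve one scanner asset to a CI. No match creates an unmatched record:
// "Incomplete IP" when the scanner sent nothing but an IP, "Unclassed Hardware"
// when it sent further attributes that still matched nothing in the CMDB.
function resolveCi(asset) {
  for (const rule of ciLookupRules) {
    if (!rule.attributes.every((a) => asset[a] !== undefined)) continue;
    const hit = cmdb.find((ci) => rule.attributes.every((a) => ci[a] === asset[a]));
    if (hit) return { state: 'Matched', rule: rule.name, ci: hit };
  }
  const extraAttributes = Object.keys(asset).filter((k) => k !== 'ip_address');
  const ciClass = extraAttributes.length === 0 ? 'Incomplete IP' : 'Unclassed Hardware';
  return {
    state: 'Unmatched',
    rule: null,
    // Constructed id format; a real unmatched record gets a platform sys_id.
    ci: { sys_id: `unmatched:${asset.ip_address}`, ci_class: ciClass, support_group: null },
  };
}

// Create one vulnerable item per (CI, vulnerability) pair. The assignment rule
// runs at creation and copies the CI's support group; an unmatched CI has none,
// so those VIs land in a constructed holding group and still need triage.
function createVulnerableItems(payloads) {
  const items = [];
  for (const payload of payloads) {
    const resolution = resolveCi(payload.asset);
    for (const vulnerability of payload.findings) {
      items.push({
        vulnerability,
        ci: resolution.ci.sys_id,
        ci_class: resolution.ci.ci_class,
        match_state: resolution.state,
        assignment_group: resolution.ci.support_group || 'Unassigned',
      });
    }
  }
  return items;
}

// Remediation task rule: group by vulnerability and assignment group, so one
// vulnerability on servers owned by different teams produces one task per team.
function groupRemediationTasks(items) {
  const tasks = new Map();
  for (const vi of items) {
    const key = `${vi.vulnerability}|${vi.assignment_group}`;
    if (!tasks.has(key)) {
      tasks.set(key, { vulnerability: vi.vulnerability, assignment_group: vi.assignment_group, vulnerable_items: [] });
    }
    tasks.get(key).vulnerable_items.push(vi.ci);
  }
  return Array.from(tasks.values());
}

// Constructed scanner payloads covering the outcomes discussed in the Q&A.
const samplePayloads = [
  { asset: { fqdn: 'web01.example.test', ip_address: '10.0.0.11' }, findings: ['vuln-A', 'vuln-B'] },
  { asset: { ip_address: '10.0.0.21' }, findings: ['vuln-A'] },                                      // IP only, but it matches a CI
  { asset: { fqdn: 'orphan.example.test', ip_address: '10.0.0.99', os: 'Linux' }, findings: ['vuln-A'] }, // attributes, no CMDB match
  { asset: { ip_address: '10.0.0.200' }, findings: ['vuln-B'] },                                     // IP only, no CMDB match
];

function runDemo() {
  const items = createVulnerableItems(samplePayloads);
  return { items, tasks: groupRemediationTasks(items) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { items, tasks } = runDemo();
  for (const vi of items) console.log(`VI ${vi.vulnerability} on ${vi.ci} [${vi.ci_class}, ${vi.match_state}] -> ${vi.assignment_group}`);
  for (const t of tasks) console.log(`Task ${t.vulnerability} / ${t.assignment_group}: ${t.vulnerable_items.join(', ')}`);
}
```

Running the demo gives five vulnerable items and five remediation tasks: vuln-A alone produces three tasks (Linux Ops, Windows Ops, and the holding group for the unmatched host), which is the "10 servers, 10 teams, 10 tasks" behaviour from the answer. The two unmatched VIs are the ones the Unclassed Hardware answer says still need assessment; in a real instance the fix is better CI lookup rules or CMDB data followed by "Reapply CI lookup rules", not deleting the discovered items.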