Business Impact and Priority on Vulnerable Items
‎01-20-2019 02:08 AM
‎01-20-2019 02:21 AM
Hi,
Procedure to create vulnerability calculator:
- Navigate to Vulnerability > Administration > Vulnerability Calculator Groups.
- Click the name of the group for which you want to create a calculator, or create a new group and then create a calculator for that group using the following steps.
- In the Vulnerability Calculators related list, click New.
- Fill in the fields on the form, as appropriate.
Hope the following link will help you:
https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/task/t_CreateVulnCalculator.html
https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/concept/c_VulnCalcGroup.html
Mark it as correct/helpful if it helps you.
Regards,
Ragini

‎01-21-2019 07:39 AM
Hi Swathi - Good question and observation here.
The Vulnerable Item 'Priority' is typically calculated from the third-party integration you are working with, so that you can map a 'vulnerability severity or risk rating' from a solution like Qualys, Tenable or Rapid7 to a normalized Vulnerable Item 'Priority' value. It would depend on the third-party integration plug-in you are using; some may use a Business Rule to translate the vendor's risk value to a ServiceNow Vulnerable Item Priority, whereas some may use a Transform Map to do this.
The Vulnerable Item 'Business Impact' is controlled by a Calculator Group called (Risk Score). Within the Calculator Group there is a calculator record that controls how this is computed in the baseline:
- Computed Risk Score - Calculator (London)
- Basic Risk Score - Calculator (Kingston)
This particular page on the product docs site describes how the Vulnerable Item's 'Business Impact' value is calculated:
- https://docs.servicenow.com/bundle/kingston-security-management/page/product/vulnerability-response/concept/c_VulnCalcGroup.html
- The script performs the following functions:
  - First, it creates a list of all CIs that are linked to the vulnerable item and any business services that are marked as depending on the CI.
  - It queries and gets results of services that have business criticality (where criticality is not null), and orders them with the most critical ones first.
  - It gets the choice lists for the vulnerable item and business criticality fields.
  - If there are no business services in the list, the criticality is set to the lowest level.
  - If there are business services in the list, the business criticality for all services is calculated.
  - The weight of each vulnerable item is picked up from its CVSS score and is used to compute the new criticality.
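The steps listed in the post above, sketched in plain JavaScript as an added example that is not part of the original post and is not the ServiceNow calculator script. The choice-list values, the sample CIs and services, the function names, and in particular the CVSS weighting formula are assumptions made for illustration; the empty-list fallback and the null-criticality filter follow the description.

```javascript
// Added illustration; not ServiceNow's baseline calculator script.
// Constructed choice list (assumption): lower value = more critical.
const CRITICALITY_LEVELS = [1, 2, 3, 4];
const LOWEST_IMPACT = CRITICALITY_LEVELS[CRITICALITY_LEVELS.length - 1];

// Constructed sample data: business services that depend on each CI.
const SERVICE_DEPENDENCIES = {
  "web01": [
    { name: "Online Store", criticality: 1 },
    { name: "Intranet Wiki", criticality: 3 },
  ],
  "db07": [{ name: "Reporting", criticality: null }], // criticality not set
  "lab-pc": [],                                       // no dependent services
};

// Gather services for the item's CIs, drop those with no criticality,
// and order them with the most critical first.
function rankedServices(ciNames, deps) {
  return ciNames
    .flatMap((ci) => deps[ci] || [])
    .filter((svc) => svc.criticality !== null && svc.criticality !== undefined)
    .sort((a, b) => a.criticality - b.criticality);
}

// Compute a Business Impact level (1 = most severe) for a vulnerable item.
// ASSUMPTION: the top-ranked service's criticality is scaled by cvss / 10.
// The page only says the CVSS score supplies a weight, not how it is applied.
function businessImpact(vulnerableItem, deps = SERVICE_DEPENDENCIES) {
  const services = rankedServices(vulnerableItem.cis, deps);
  if (services.length === 0) return LOWEST_IMPACT; // no services: lowest level

  const n = CRITICALITY_LEVELS.length;
  const top = services[0].criticality;
  const weight = Math.min(Math.max(vulnerableItem.cvss, 0), 10) / 10;
  const score = ((n - top + 1) / n) * weight;      // 0..1, higher = worse
  const impact = n - Math.ceil(score * n) + 1;
  return Math.min(Math.max(impact, 1), LOWEST_IMPACT);
}
```

A CI whose only service has no criticality set behaves the same as a CI with no services at all, so gaps in service mapping in the CMDB push Business Impact to the lowest level regardless of CVSS.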
‎01-21-2019 08:24 AM
I am pulling the data from Qualys. Can you help me to understand how priority is set for a vulnerability? Does it come from Qualys itself?

‎01-24-2019 07:34 AM
Hey Swathi - specifically for the Qualys integration -> there is a business rule called (Map Qualys Values) that handles taking the Qualys severity value provided to ServiceNow, and translating that to Vulnerable Item Priority value.
Note that Qualys rates Severity of 5 as the highest value; so the Qualys Severities are flipped when translated into Priority in ServiceNow - e.g. Qualys Severity of 5 -> ServiceNow Priority of 1 (Critical)...