How are the scanned applications mapped to the existing cmdb applications in AVR
‎03-21-2022 01:58 AM
How are the scanned applications mapped to the existing cmdb applications in AVR
Labels: Vulnerability Response
‎03-21-2022 02:15 AM
Hi akhil
Check the concept of CI Lookup rules - When data is imported from a third-party integration, Vulnerability Response automatically uses host data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules.
Mark it helpful if this helps you to understand. Accept the solution if this gives you the answer you're looking for.
Kind Regards,
Rohila V
2022-25 ServiceNow Community MVP

‎03-21-2022 05:01 AM
Hi,
I think it is important to understand that your vulnerability scanner does not understand an organization's definition of an application. Your vulnerability scanner simply reports a vulnerability on a device/host. When SN VR imports a vulnerability it comes with all sorts of metadata to help describe what that vulnerability is. Said simply, a device has 1-n vulnerabilities.
The first thing that SN VR does is process the incoming vulnerability through its CI Lookup Rules which associate the vulnerability to a device/host (i.e. something in the Hardware family on the CMDB).
A lot of times, organizations define layers of support on top of devices: OS and application. Then some hosts support more than one application on top of that host. The term application is often overloaded and reused to define an organizational concept. For example, an MS SQL database (an application) may support company X's "Lead Generation System". The "Lead Generation System" is supported by a different team than the OS that it rides on top of.
This is where SN Application Mapping comes in. If an organization has discovered its "applications", then in SN VR when you write your Assignment Rules, based on the vulnerability metadata, you can implement a script to navigate the CI Relationships [cmdb_rel_ci] table to determine which support team supports that application.
In addition, take a look at Vulnerability Classification rules so you can preprocess your vulnerability library to determine what things look like in your organization.
https://docs.servicenow.com/bundle/rome-security-management/page/product/vulnerability-response/concept/vulnerability-classification-rules.html
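The relationship walk described in this reply, written out as an added example (not code from the thread or from ServiceNow itself). It is a plain Node.js model of what a scripted Assignment Rule would do with GlideRecord against the cmdb_rel_ci table: the table name and the relationship types "Runs on::Runs", "Depends on::Used by" and "Hosted on::Hosts" are standard ServiceNow names, while every CI record, the `support_group` attribute on the application CIs, the `classification` value on the VIT and the fallback group name are constructed assumptions.

```javascript
// Added example (not from the thread or ServiceNow): a plain Node.js model of
// the cmdb_rel_ci walk a scripted Assignment Rule would do with GlideRecord.
// Table name and relationship types are real ServiceNow names; every record
// below is constructed sample data, and support_group is an assumed attribute.

const cis = {
  host01: { name: 'srv-db-01', class: 'cmdb_ci_server', support_group: 'Unix Ops' },
  app01:  { name: 'MS SQL instance', class: 'cmdb_ci_db_mssql_instance', support_group: 'DBA Team' },
  app02:  { name: 'Lead Generation System', class: 'cmdb_ci_business_app', support_group: 'Lead Gen Support' },
  host02: { name: 'srv-web-02', class: 'cmdb_ci_server', support_group: 'Unix Ops' },
};

// Constructed cmdb_rel_ci rows. In ServiceNow the parent "Runs on" the child,
// so app01 runs on host01, and app02 depends on app01.
const cmdbRelCi = [
  { parent: 'app01', child: 'host01', type: 'Runs on::Runs' },
  { parent: 'app02', child: 'app01',  type: 'Depends on::Used by' },
];

// Relationship types that mean "parent is supported on top of child".
const UPWARD_TYPES = new Set(['Runs on::Runs', 'Depends on::Used by', 'Hosted on::Hosts']);

// Breadth-first walk up the relationship graph from a host CI. Returns the
// applications found, nearest first, each tagged with its depth. The visited
// set guards against relationship cycles, which do occur in real CMDBs, and
// maxDepth keeps a badly modelled graph from being walked end to end.
function findUpstreamApps(hostId, maxDepth = 5) {
  const found = [];
  const visited = new Set([hostId]);
  let frontier = [hostId];
  for (let depth = 1; depth <= maxDepth && frontier.length; depth++) {
    const next = [];
    for (const childId of frontier) {
      for (const rel of cmdbRelCi) {
        if (rel.child !== childId || !UPWARD_TYPES.has(rel.type)) continue;
        if (visited.has(rel.parent)) continue;
        visited.add(rel.parent);
        found.push({ sys_id: rel.parent, depth, ...cis[rel.parent] });
        next.push(rel.parent);
      }
    }
    frontier = next;
  }
  return found;
}

// Scripted assignment: the classification set by the Vulnerability
// Classification Rules ("OS" or "Application") decides which layer owns the
// VIT; the CI graph decides which team. Anything unresolved lands in a
// catch-all group so it is visible rather than lost.
const FALLBACK_GROUP = 'Vulnerability Triage'; // assumed catch-all group

function assignVit(vit) {
  if (vit.classification === 'OS') {
    return cis[vit.ci].support_group || FALLBACK_GROUP;
  }
  const owner = findUpstreamApps(vit.ci).find((app) => app.support_group);
  return owner ? owner.support_group : FALLBACK_GROUP;
}

console.log(assignVit({ ci: 'host01', classification: 'Application' })); // DBA Team
console.log(assignVit({ ci: 'host02', classification: 'Application' })); // Vulnerability Triage
```

In a real scripted rule the same walk is a GlideRecord query on cmdb_rel_ci filtered by child and type, repeated per level; the depth limit and visited set are the parts worth keeping, because an unbounded walk over a CMDB with cyclic or missing relationships is the usual reason such scripts time out or assign to the wrong team.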
‎03-23-2022 01:36 PM
Hi Chris McDevitt
You touched upon a very realistic scenario. Thanks for bringing the focus on this practically frequently observed scenario in most of the implementations.
Building on the scenario you aptly mentioned - "Organization has discovered its application" - now leverages metadata coming from the scanner to script the assignment rule. To understand further, will you be able to share a few examples of metadata you have seen which could be leveraged?
Thanks

‎03-23-2022 04:05 PM
Yes, I can.
First off, organizations must adopt an attitude of continuous process improvement. Second, do not expect perfection but strive towards perfection. Third, adopt a crawl, walk, run attitude as you mature your Vulnerability Response tool.
The first thing you need to understand is my vulnerable item formula: a VIT = a Vulnerability + a Configuration Item. This super object contains all your vulnerability scanner's knowledge (via Vulnerability) and your organization's knowledge about that asset (CMDB).
The first tool in our arsenal is the "Vulnerability Classification Rules." These rules allow us to "pre-process" the vulnerability library (Third-party) and determine a "classification" for this Vulnerability based on our organization's point of view. For example, is this Vulnerability an "OS" or an "Application" vulnerability? Not only have we expanded our information in VIT object, but we can also use that information in our Assignment Rules.
The second tool in our arsenal is the "Third-party vulnerability entries," again, this is the vulnerability part of our VIT object. Examine your Vulnerability closely. Look at all of the fields that can give you hints on which team would be best to remediate this issue. (These fields will be used in the Assignment Rules)
The third tool is the Assignment Rules themselves. Not only is the Condition Builder a powerful tool, once you add a scripted assignment to the mix, it becomes a super powerful tool. Long story short, I am working around insufficient data to produce the best assignment possible:
The following tool you can use is the Discovered Items module itself. I have written a white paper on it. The Discovered Items module is a great place to enhance your data. They use this data to either make assignments or drive the improvement process. I have different customers setting the Department, Business Unit, Data Center, subnets, and other things.
Now, this is getting out there, but it has proven successful: enhancing your Configuration Items (the Configuration Item part of the formula). Sometimes we must make assumptions about the data and set CI attributes accordingly. For example, I have applied a regular expression based on RFC 1819 to determine if the CI was internet-facing. (The customer is using that in risk score and an assignment.) In another example, based on many factors, we guessed which Department Incomplete IP Devices or Unclassified Hardware devices belonged to and set those attributes. Lacking other data, we used this as part of the assignment rule.
Here is the process improvement part: if the departments were unhappy with the assignments, they were instructed to work with the Discovery / CMDB team to get the host Discovered and identified correctly.
Finally, see this button:
Understand how to use it. Build the rules, get feedback, scratch your heads, make an improvement and push that button... Rinse and repeat.
I have a customer that I had to interview for an internal success story, and they told me that they had experienced a 90%+ reduction in the time it takes to assign vulnerabilities. This is a global customer with many many many "unique" business units. Due to many factors, the customer's CMDB is far from perfect. Now here is the even better news... this is not an uncommon story 😉
The bottom line is: Find a trusted coach/advisor then start a continuous process improvement journey backed up by OCM and an executive champion.
There is more, but that is best left to some beverages in the evening at the Knowledge conference.
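The CI-enrichment step from the reply above (deciding whether a CI is internet-facing from its recorded addresses, then using that attribute in risk scoring and assignment), as an added example that is not code from the thread or from ServiceNow. The reply refers to "RFC 1819"; the private-address ranges used here are those of RFC 1918, plus loopback and link-local. The check is done numerically rather than with a single regular expression because the 172.16.0.0/12 block is where regex-based checks usually go wrong. The CI records and the `ip_addresses` attribute name are constructed assumptions.

```javascript
// Added example (not from the thread or ServiceNow): flag a CI as
// internet-facing from its IP addresses, as an enrichment step run before
// risk scoring and assignment. Ranges are RFC 1918 plus loopback and
// link-local; the CI records at the bottom are constructed sample data.

const NON_ROUTABLE_V4 = [
  ['10.0.0.0', 8],      // RFC 1918
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local
];

// Parse a dotted quad into an unsigned 32-bit number; null when malformed.
// Checking ranges numerically avoids the classic regex mistake of matching
// 172.16-31.x.x with a pattern that also accepts 172.32.x.x or 172.160.x.x.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(text).trim());
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inCidr(addr, baseText, bits) {
  const base = parseIPv4(baseText);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// true = private/loopback/link-local, false = publicly routable, null = unparseable
function isNonRoutableIPv4(ip) {
  const addr = parseIPv4(ip);
  if (addr === null) return null;
  return NON_ROUTABLE_V4.some(([base, bits]) => inCidr(addr, base, bits));
}

// A CI is flagged internet-facing when at least one valid address is public.
// Unparseable values are returned separately so the Discovery / CMDB team can
// fix the record instead of the rule silently ignoring it.
function classifyInternetFacing(ipAddresses) {
  const invalid = [];
  let publicSeen = false;
  for (const ip of ipAddresses) {
    const r = isNonRoutableIPv4(ip);
    if (r === null) invalid.push(ip);
    else if (r === false) publicSeen = true;
  }
  return { internetFacing: publicSeen, invalid };
}

// Constructed sample CIs; ip_addresses is an assumed attribute name.
const sampleCis = [
  { name: 'web-edge-01', ip_addresses: ['203.0.113.7', '10.20.0.7'] },
  { name: 'db-core-01',  ip_addresses: ['10.20.1.15'] },
  { name: 'unknown-01',  ip_addresses: ['10.20.1.1 5'] },
];

function enrichSampleCis() {
  return sampleCis.map((ci) => ({ name: ci.name, ...classifyInternetFacing(ci.ip_addresses) }));
}

console.log(enrichSampleCis());
```

A public address on the CI says the host is reachable in principle, not that it is exposed: NAT, firewalls and load balancers sit between the two, so the attribute is an input to the risk score and the assignment rule, and the departments' feedback loop described above is what corrects it over time.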