
How can I insert Vulnerability Item data using the REST API, like an incident?

Deepak Paradhi2
Kilo Explorer

How do we create a ServiceNow vulnerability item and security incident response via the REST API?

Thanks in advance for the helping hand.

2 REPLIES

chrismcdevi
ServiceNow Employee

This is a pretty complex topic.
Typically VR works in a "pull" mode, i.e., SN VR "pulls" the vulnerabilities from the scanner. SN VR pulls the vulnerabilities in a batch, attaches the batch as a file, and then processes the file through the VR framework.
At the very core of all this is the concept of a Configuration Item [cmdb_ci] and a Vulnerability [sn_vul_nvd_entry]. These two things are mandatory and comprise a vulnerable item (forget Detections... a similar and more complete topic).
Back to your question, can you create a VIT via REST? Yes, you can. I have done this before. You have two choices (actually three... but the other one is not a good option): Scripted REST API or Import Set API. I recommend you use the Import Set API because you are going to want a record of the incoming data.
Create a Transform map with a Transform Script. You will need to transform the incoming host into a Configuration Item and the incoming vulnerability into an actual vulnerability.
You should create a "default" vulnerability in the Third-Party Entry table that you can use in case the incoming vulnerability does not match for whatever reason.

This is a more complex topic, but you can use the VR Framework / CI Lookup Rules to look up incoming hosts. I have an example here:

https://gist.github.com/cmcdevitt/72033b66335c2ab00af30214f76e4c2e
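
The resolution step described in the answer above (host to Configuration Item, incoming vulnerability to an `sn_vul_nvd_entry` record, with a fallback to the "default" Third-Party Entry), as an added example that is not chrismcdevi's code and not taken from the linked gist. It is written as plain functions so it runs outside an instance. Assumptions: the staging columns `u_host`, `u_ip` and `u_cve`, the `lookup` helper (on an instance it would wrap a GlideRecord query), the `id` column used to match the CVE, the output field names, and all sys_id values, which are constructed placeholders.

```javascript
// Constructed sample rows standing in for instance tables.
const TABLES = {
  cmdb_ci: [
    { sys_id: 'ci001', name: 'web01.example.com', ip_address: '10.0.0.5' },
  ],
  sn_vul_nvd_entry: [{ sys_id: 'nvd001', id: 'CVE-2021-44228' }],
};

// Placeholder sys_id of the "default" Third-Party Entry record.
const DEFAULT_VULN = 'tp_default';

// Hypothetical helper: case-insensitive exact match, returns a sys_id or null.
function lookup(table, field, value) {
  if (!value) return null;
  const wanted = String(value).toLowerCase();
  const hit = (TABLES[table] || []).find(
    (r) => String(r[field]).toLowerCase() === wanted);
  return hit ? hit.sys_id : null;
}

// row: one staging-table record posted through the Import Set API.
function resolveVulnerableItem(row, find = lookup) {
  // Prefer the host name, then fall back to the IP address.
  const ci = find('cmdb_ci', 'name', row.u_host) ||
             find('cmdb_ci', 'ip_address', row.u_ip);
  if (!ci) {
    // Without a CI there is no vulnerable item; the transform should skip
    // the row so it stays in the import set for review.
    return { ignore: true, reason: 'no matching CI' };
  }
  // Only look up values that are shaped like a CVE ID; anything else is
  // untrusted scanner input and goes straight to the default entry.
  const cve = String(row.u_cve || '').trim().toUpperCase();
  const wellFormed = /^CVE-\d{4}-\d{4,}$/.test(cve);
  const vuln = wellFormed ? find('sn_vul_nvd_entry', 'id', cve) : null;
  return {
    ignore: false,
    cmdb_ci: ci,
    vulnerability: vuln || DEFAULT_VULN,
    usedDefault: !vuln, // flag rows that need a human to map the vulnerability
  };
}
```
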

 

qcj3
Kilo Guru

If I could suggest, focus on the VR integration and then have a Flow trigger off of the VIT to create an SIR or SR based on criteria.

VITs that equal a certain severity may warrant the SOC to look back in time to see if it was leveraged before it was identified. You may pull all the VITs up to a VUL then link them to a Major Security Incident or individually.

The point is to get the VR integration running and allow ServiceNow to orchestrate the rest.