How is the 'Vulnerable Item.Last Found' field supposed to be populated from Qualys, especially with multiple Detection Records?

Kevin Lillis
Tera Expert

Hi,

We use Qualys integration with Vulnerability Response and have used the Vulnerable Item.Last Found field to determine the last time a vulnerability was found on the vulnerable item.

However, if the Vulnerable Item has multiple detection records, how is the date calculated for the 'Vulnerable Item.Last Found' field?  Is it the most recent of the multiple detection records?  Is there an integration document I can use to validate how it is supposed to be populated?

Thanks in advance.

Kevin Lillis

4 REPLIES

tkrishna29
Giga Guru

Hi,

VIT Last Found is updated from the most recent detection record. Here is the code that would help you.

This is a Scheduled Script Execution: Swap First Found and Last Found of VIs for Tenable.sc

// Scheduled Script Execution: swap first_found / last_found on Tenable.sc detection
// records where last_found is earlier than first_found, then widen the parent
// Vulnerable Item's window to match. Handles up to 10000 rows per run and
// deactivates itself once no rows are left to repair.
var detection = new GlideRecord("sn_vul_detection");
detection.addQuery("source", "Tenable.sc");
detection.addEncodedQuery("last_foundLT_FIELDfirst_found"); // last_found < first_found
detection.setLimit(10000);
detection.query();
if (!detection.hasNext()) {
    // Nothing left to fix: deactivate this scheduled job (sys_id of this job record).
    var autoScript = new GlideRecord("sysauto_script");
    if (autoScript.get("686d397153b21010937addeeff7b12d5")) {
        autoScript.setValue("active", false);
        autoScript.update();
    }
}
while (detection.next()) {
    // The stored values are reversed, so the real first_found is the stored last_found.
    var firstFound = new GlideDateTime(detection.getValue("last_found"));
    var lastFound = new GlideDateTime(detection.getValue("first_found"));
    detection.first_found = firstFound;
    detection.last_found = lastFound;
    detection.update();

    var vi = new GlideRecord("sn_vul_vulnerable_item");
    if (!vi.get(detection.getValue("vulnerable_item"))) {
        continue; // detection without a parent VI: nothing to roll up
    }
    var firstFoundVI = new GlideDateTime(vi.getValue("first_found"));
    var lastFoundVI = new GlideDateTime(vi.getValue("last_found"));
    var changed = false;
    // VI first_found is the earliest detection first_found; last_found the latest.
    if (firstFoundVI.getNumericValue() > firstFound.getNumericValue()) {
        vi.first_found = firstFound;
        changed = true;
    }
    if (lastFoundVI.getNumericValue() < lastFound.getNumericValue()) {
        vi.last_found = lastFound;
        changed = true;
    }
    if (changed) {
        vi.update(); // only write when a date actually moved
    }
}

Hope this helps.
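An added example, not code from the post above or from ServiceNow, that models the rollup the reply describes: a Vulnerable Item's Last Found is the most recent last_found across its detection records and, as the comparison in the scheduled script implies, its First Found is the earliest first_found. The field and table names follow sn_vul_detection / sn_vul_vulnerable_item, but the records are constructed sample data and the helper names are mine. Timestamps are "YYYY-MM-DD HH:MM:SS" in UTC. The third record has last_found before first_found, the swapped pair the scheduled script repairs, and the rollup normalizes it first so the swap cannot drag the VI's dates the wrong way.

```javascript
// Added example (not ServiceNow code): roll detection records up into the
// Vulnerable Item's first_found / last_found, handling swapped date pairs.

// Constructed sample detection records (UTC storage form).
const SAMPLE_DETECTIONS = [
  { sys_id: 'det-1', vulnerable_item: 'VIT0010001', source: 'Qualys',
    first_found: '2024-03-01 04:10:00', last_found: '2024-04-06 04:05:12' },
  { sys_id: 'det-2', vulnerable_item: 'VIT0010001', source: 'Qualys',
    first_found: '2024-03-15 09:00:00', last_found: '2024-04-08 00:13:54' },
  // Swapped pair: last_found precedes first_found.
  { sys_id: 'det-3', vulnerable_item: 'VIT0010001', source: 'Tenable.sc',
    first_found: '2024-04-07 03:30:00', last_found: '2024-02-20 11:00:00' },
  { sys_id: 'det-4', vulnerable_item: 'VIT0010002', source: 'Qualys',
    first_found: '2024-04-01 00:00:00', last_found: '2024-04-01 00:00:00' },
];

// Parse "YYYY-MM-DD HH:MM:SS" as UTC. Reject anything else so a bad value
// cannot become "Invalid Date" and silently poison a min/max comparison.
function parseUtc(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/.exec(s);
  if (!m) throw new Error('bad timestamp: ' + s);
  const [, y, mo, d, h, mi, se] = m.map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, se));
}

// Back to the storage form.
function formatUtc(date) {
  return date.toISOString().slice(0, 19).replace('T', ' ');
}

// Copy of a detection with first_found <= last_found, flagging a swap.
function normalizeDetection(det) {
  const first = parseUtc(det.first_found);
  const last = parseUtc(det.last_found);
  const swapped = last.getTime() < first.getTime();
  return {
    sys_id: det.sys_id,
    vulnerable_item: det.vulnerable_item,
    first_found: swapped ? last : first,
    last_found: swapped ? first : last,
    swapped,
  };
}

// Per vulnerable item: earliest first_found, most recent last_found.
function rollupVulnerableItems(detections) {
  const byVit = {};
  for (const raw of detections) {
    const det = normalizeDetection(raw);
    const vit = byVit[det.vulnerable_item] || (byVit[det.vulnerable_item] = {
      first_found: det.first_found,
      last_found: det.last_found,
      detection_count: 0,
      swapped_count: 0,
    });
    if (det.first_found < vit.first_found) vit.first_found = det.first_found;
    if (det.last_found > vit.last_found) vit.last_found = det.last_found;
    vit.detection_count += 1;
    if (det.swapped) vit.swapped_count += 1;
  }
  for (const vit of Object.values(byVit)) {
    vit.first_found = formatUtc(vit.first_found);
    vit.last_found = formatUtc(vit.last_found);
  }
  return byVit;
}

// Usage: rollupVulnerableItems(SAMPLE_DETECTIONS)
//   VIT0010001 -> first_found 2024-02-20 11:00:00, last_found 2024-04-08 00:13:54
```

In a real instance the same comparison runs against live sn_vul_detection rows; the point of the normalization step is that a swapped record must be repaired before it is compared, otherwise its stale "last_found" would be ignored and its real last seen date lost.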

Kevin Lillis
Tera Expert

Hi, 
Circling back to this question.  I am finding several (most?) occurrences where a Vulnerable Item (from Qualys) has only one detection record.  And that detection record's 'Last Found' is a 'datetime' field.  And that datetime field from the Detection Record shows yesterday as the date it was last found (e.g. 2024-04-07 19:13:54).

However, the Vulnerable Item shows a 'Last Found' date of 2024-04-08.

NOTE: The ingestion from Qualys to ServiceNow runs at around 4 AM daily.

So is it using the ingestion date?  I wouldn't think it would do that.

Or is the Detection Record in my current time zone (e.g. CDT) but the Last Found is using GMT?

Thoughts?

Hey there,

There have been some functionality improvements since the time of the original post here.

As you mentioned Qualys: the VR Qualys integration uses the explicit date/times provided by the scanner (rather than the ingestion / load time in ServiceNow).

There are actually newer Last Found / First Found fields on the Vulnerable Item (VIT) record that capture the Date AND Time now. Prior to that we only had the "Date" format on the Vulnerable Item records, but this caused issues from not having the *date + time* when used in certain queries or logic like Remediation Target Rules.

Perhaps reviewing these newer Date / Time fields on the VIT table in your environment may shore up the missing bit you spotted.

Keep in mind, in ServiceNow those date / time fields are displayed in your timezone based on your profile / preferences - but in the backend they are stored in UTC (Z) time.


Reference - Release Notes, Version 17.1.4 - November 2022

https://docs.servicenow.com/bundle/store-release-notes/page/release-notes/store/security-operations/...
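An added example, not code from the reply above or from ServiceNow, that works through the arithmetic behind the discrepancy in the thread: a detection whose Last Found displays as 2024-04-07 19:13:54 in CDT while the Vulnerable Item's date-only Last Found reads 2024-04-08. Taken from the reply: date/time fields are stored in UTC and displayed in the user's profile time zone. My assumptions, not stated on the page: the display zone is CDT, treated here as a fixed UTC-05:00 offset with no DST handling, and the legacy date-only VIT field takes the date of the stored UTC value. The sample records are constructed and the function names are mine.

```javascript
// Added example (not ServiceNow code): UTC storage vs. local display of a
// detection timestamp, and the date a UTC-derived date-only field would carry.

const CDT = '-05:00';  // assumption: the user's profile time zone offset

// Storage form used throughout: "YYYY-MM-DD HH:MM:SS" in UTC.
function formatUtc(date) {
  return date.toISOString().slice(0, 19).replace('T', ' ');
}

// A wall-clock time as shown in the UI, plus the offset it was shown in,
// back to the UTC instant that is actually stored.
function displayedToUtc(wallClock, offset) {
  const d = new Date(wallClock.replace(' ', 'T') + offset);
  if (Number.isNaN(d.getTime())) throw new Error('bad timestamp: ' + wallClock);
  return d;
}

// Render a UTC instant as wall-clock time in a fixed-offset zone like "-05:00".
function utcToDisplayed(date, offset) {
  const sign = offset.startsWith('-') ? -1 : 1;
  const [hh, mm] = offset.slice(1).split(':').map(Number);
  const shifted = new Date(date.getTime() + sign * (hh * 60 + mm) * 60 * 1000);
  return formatUtc(shifted);
}

// For one timestamp as the user sees it: what is stored, what is displayed,
// and what a date-only field derived from the stored UTC value contains.
function explainLastFound(displayedLocal, offset) {
  const storedUtc = formatUtc(displayedToUtc(displayedLocal, offset));
  return {
    stored_utc: storedUtc,
    displayed_local: utcToDisplayed(displayedToUtc(displayedLocal, offset), offset),
    date_only_from_utc: storedUtc.slice(0, 10),        // assumption: UTC date
    date_only_from_display: displayedLocal.slice(0, 10),
    crosses_midnight: storedUtc.slice(0, 10) !== displayedLocal.slice(0, 10),
  };
}

// Constructed sample of stored (UTC) last_found values from one daily load.
const SAMPLE_STORED_LAST_FOUND = [
  { sys_id: 'det-1', last_found: '2024-04-08 00:13:54' }, // 19:13:54 CDT on the 7th
  { sys_id: 'det-2', last_found: '2024-04-07 14:00:00' }, // 09:00:00 CDT on the 7th
  { sys_id: 'det-3', last_found: '2024-04-08 04:55:10' }, // 23:55:10 CDT on the 7th
];

// Which records show one date in a CDT session but another in a UTC-derived
// date-only field? Anything with a stored time in the first offset-hours of
// the UTC day, i.e. late evening local time, lands here.
function findDateMismatches(records, offset) {
  return records
    .map((r) => ({
      sys_id: r.sys_id,
      utcDate: r.last_found.slice(0, 10),
      localDate: utcToDisplayed(new Date(r.last_found.replace(' ', 'T') + 'Z'), offset).slice(0, 10),
    }))
    .filter((r) => r.utcDate !== r.localDate)
    .map((r) => r.sys_id);
}

// Usage: explainLastFound('2024-04-07 19:13:54', CDT)
//   -> stored_utc 2024-04-08 00:13:54, date_only_from_utc 2024-04-08
```

The check a practitioner wants from this is the last function: run it over a day's load and, if every mismatch is a late-evening local timestamp, the "ingestion date" theory is ruled out and the gap is purely the UTC-to-local date boundary. A real CDT/CST conversion must use the IANA zone (America/Chicago) rather than a fixed offset, since the offset changes across DST.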

Kevin Lillis
Tera Expert

Thank you for your response.  I'll review and comment later if clarification needed or mark this as helpful and accept the solution.  Thanks again!