Invicti - ServiceNow Application Vulnerable item source severity change by SecCommon System user

prit123
Tera Contributor

When an AVIT is created from Invicti, the source severity was High. But then it shows user SecCommon System updated Risk Score and Risk Rating from High to Medium. When checked, we could see changes in the Vulnerability table sn_vul_app_vul_entry. It too shows the same user has updated the record. When checked with Invicti, the source severity is High at their end. Can anyone tell what is meant by "updated by SecCommon System user"? Does the source severity get changed after creation, and from where does it get changed?

4 REPLIES

MiravTMehta
ServiceNow Employee

Source severity is not changed but is translated into a target severity based on the severity mapping shipped for Invicti - so for a source severity there would be a target severity for that entry. Check the columns on the app vul entry from Invicti using Show XML to understand better.

At AVIT level, the risk calculators kick in and use the various params to stamp a risk score on AVITs, and then based on the risk score the risk rating gets stamped (this is based on how the vuln calculators have been configured). These are computed via BRs on the AVIT table.

@MiravTMehta - What we saw: when the AVIT is created from Invicti it shows user as VR.System, and then based on the mapping of Invicti severity (High), the ServiceNow risk rating (High) and risk score are set. But the next day the risk rating got modified (from High to Medium) by user SecCommon System in the 'AVIT' table, and the same thing in the 'Vulnerability' table - sn_vul_app_vul_entry.

In the 'sn_vul_app_vul_entry' XML, all 3 fields - normalized severity, source normalized severity and source severity - show "Medium".

MiravTMehta
ServiceNow Employee

Hi @prit123 

Can you open a case-task on the ServiceNow portal with the above information, so that our team can look into it? Please do add additional logs / values coming from the payload that could help bring this issue to closure.

Thanks
Mirav T. Mehta

MiravTMehta
ServiceNow Employee

Can you please open a ServiceNow case task with the necessary details? We'll have the right folks look into this.