KEV's in Service-Now?

Adam Peterson
Kilo Sage

Hey experts,

Is anyone bringing in or ingesting KEV's (Known Exploited Vulnerability) in their Service-Now? We have been tasked to bring this data in so we know which vulnerabilities have a KEV attached to them.

This is the website where they all reside: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

There is no easy API on that website.

Another big question is when I ingest these KEV's, where is the best place to put it? There are so many Vuln tables, where is the best location?

Any help or guidance is greatly appreciated!

-Adam

6 REPLIES

Michael297
Tera Contributor

Hi Adam,

 

It should be known that "KEVs" are really just CVEs that are being given special attention.

I actually just wrote a small integration to those JSON files using IntegrationHub and Flow last week. I'm looking to expand on it and write a scripted integration sometime this weekend, time permitting, and put it on ServiceNow Share.

I had my integration point at new fields on the CVE table: "CISA", a boolean to confirm that it is listed, and an "Added to Catalog" date field.

I am hoping to further expand the integration to include business rules that run based on what integration you have to update the third party rules that link to it. Qualys will be my first go.

 

Also vote my idea up: https://community.servicenow.com/community?id=view_idea&sysparm_idea_id=720b9e211b6a8d1056b699b8bd4bcb90&sysparm_idea_table=x_snc_com_ideation_idea&sysparm_module_id=enhancement_requests

Voted. Done! 

That seems like a great little integration you are doing. Please keep me posted if/when you put it on ServiceNow Share. This is exactly what we are wanting to do!

So do you have to manually download the JSON from the CISA website and then feed it into the Flow daily/weekly? 

Chris McDevitt
ServiceNow Employee

Hi,

The basics:

1. Create an Outbound REST Message


2. Build a Script Include to do some useful work

var responseBody;
var httpStatus;
try {
    // 'KEVS' is the Outbound REST Message from step 1; 'Default GET' is its HTTP method
    var r = new sn_ws.RESTMessageV2('KEVS', 'Default GET');
    var response = r.execute();
    responseBody = response.getBody();
    httpStatus = response.getStatusCode();
}
catch (ex) {
    var message = ex.message;
    gs.error('KEV request failed: ' + message);
}
//gs.info(responseBody);
if (httpStatus == 200) {
    var KEVS = JSON.parse(responseBody);
    // List the top-level properties of the feed and their types
    for (var property in KEVS) {
        gs.info(property + " " + typeof KEVS[property]);
    }
    //Array of objects
    var cves = KEVS['vulnerabilities'];
    //Take the first item - of course you would loop through the Array
    gs.info(cves[0].cveID);

    //Match on the NVD Table
    var nvd = new GlideRecord('sn_vul_nvd_entry');
    if (nvd.get('id', cves[0].cveID)) {
        gs.info(nvd.summary);
        //Add a new Boolean Field like keves and mark this as true!
    }
}
 
 
3. I am guessing you should probably track what you have processed into a new table
 
4. Set up a Scheduled Job. Run the integration daily and see if you need to process the results.
 
Done
🙂 
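Steps 2 to 4 above as one delta-sync routine, added here as an example and not code from this thread or from ServiceNow. It is plain JavaScript so it runs outside an instance: `syncKev`, the `state` object (standing in for the tracking table) and the `markKev` callback (standing in for the GlideRecord update) are hypothetical names, the sample feed is constructed, and `catalogVersion` and `dateAdded` are fields of the CISA JSON feed.

```javascript
// Constructed sample in the shape of the CISA KEV JSON feed (values are made up).
const SAMPLE_FEED = JSON.stringify({
  catalogVersion: "2099.01.02",
  vulnerabilities: [
    { cveID: "CVE-2099-0001", dateAdded: "2099-01-01" },
    { cveID: "CVE-2099-0002", dateAdded: "2099-01-02" },
    { cveID: "CVE-2099-0002", dateAdded: "2099-01-02" }, // duplicate row
    { cveID: "not-a-cve", dateAdded: "2099-01-02" }      // malformed id
  ]
});

const CVE_ID = /^CVE-\d{4}-\d{4,}$/;

// state = { catalogVersion, processed: Set of CVE IDs } stands in for the
// tracking table from step 3. markKev(cveID, dateAdded) is a hypothetical
// callback: in an instance it would set the boolean and date on the CVE
// record and return false when no matching record exists.
function syncKev(body, httpStatus, state, markKev) {
  const result = { skipped: false, marked: [], unmatched: [], rejected: [] };
  if (httpStatus !== 200) throw new Error("KEV fetch failed: HTTP " + httpStatus);
  const feed = JSON.parse(body); // throws on a truncated or non-JSON body
  if (!Array.isArray(feed.vulnerabilities)) throw new Error("unexpected feed shape");
  if (feed.catalogVersion === state.catalogVersion) {
    result.skipped = true; // nothing new since the last scheduled run
    return result;
  }
  const seen = new Set();
  for (const v of feed.vulnerabilities) {
    const id = String(v.cveID || "").trim().toUpperCase();
    if (!CVE_ID.test(id)) { result.rejected.push(v.cveID); continue; }
    if (state.processed.has(id) || seen.has(id)) continue; // already handled
    seen.add(id);
    if (markKev(id, v.dateAdded)) {
      state.processed.add(id);
      result.marked.push(id);
    } else {
      result.unmatched.push(id); // CVE not in the local table yet
    }
  }
  // Advance the stored version only when nothing is pending, so unmatched
  // CVEs are retried on the next scheduled run.
  if (result.unmatched.length === 0) state.catalogVersion = feed.catalogVersion;
  return result;
}

const demoState = { catalogVersion: null, processed: new Set() };
console.log(syncKev(SAMPLE_FEED, 200, demoState, (id) => id !== "CVE-2099-0002"));
```
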

Fatih Karacaer
ServiceNow Employee

Hi, 

Another solution to the problem would be the Shodan Exploit Integration for Security Operations app in the ServiceNow Store. This basically provides a similar type of information to the CISA KEV about vulnerabilities. Below is the summary of the integration capabilities.

By setting up this integration, you enrich your vulnerabilities with exploit information such as:

  • Whether there are any exploits associated with a vulnerability.
  • What the exploit code rank is. This tells you the skill level required to exploit the vulnerability (Novice, Intermediate, or Expert).
  • Exploit Attack Vector. This helps you understand if the vulnerability is remotely exploitable.

Kind regards,

Fatih.