KEV's in Service-Now?
04-04-2022 01:23 PM
Hey experts,
Is anyone bringing in or ingesting KEVs (Known Exploited Vulnerabilities) in their Service-Now? We have been tasked to bring this data in so we know which vulnerabilities have a KEV attached to them.
This is the website where they all reside: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
There is no easy API on that website.
Another big question is when I ingest these KEVs, where is the best place to put them? There are so many Vuln tables, where is the best location?
Any help or guidance is greatly appreciated!
-Adam
Labels: Vulnerability Response
04-04-2022 01:35 PM
Hi Adam,
It should be known that "KEVs" are really just CVEs that are being given special attention.
I actually just wrote a small integration to those JSON files using IntegrationHub and Flow last week. I'm looking to expand on it and write a scripted integration sometime this weekend, time permitting, and put it on ServiceNow Share.
I had my integration point at new fields on the CVE table: "CISA", a boolean to confirm that it is listed, and an "Added to Catalog" date field.
I am hoping to further expand the integration to include business rules that run based on what integration you have to update the third-party rules that link to it. Qualys will be my first go.
Also vote my idea up: https://community.servicenow.com/community?id=view_idea&sysparm_idea_id=720b9e211b6a8d1056b699b8bd4bcb90&sysparm_idea_table=x_snc_com_ideation_idea&sysparm_module_id=enhancement_requests
04-04-2022 01:45 PM
Voted. Done!
That seems like a great little integration you are doing. Please keep me posted if/when you put it on ServiceNow Share. This is exactly what we are wanting to do!
So do you have to manually download the JSON from the CISA website and then feed it into the Flow daily/weekly?

04-04-2022 02:21 PM
Hi,
The basics:
1. Create an Outbound REST Message
2. Build a Script Include to do some useful work
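
The approach discussed in this thread (a KEV boolean and a date-added field on the CVE record, filled by a Script Include from the KEV JSON), as an added example that is not code from any poster: it takes the feed body as a string, validates it, and returns only the record updates that are needed. The field names `u_cisa_kev` and `u_cisa_date_added`, the row shape and the sample feed with made-up CVE IDs are assumptions.

```javascript
// Constructed sample shaped like the CISA KEV JSON feed; the CVE IDs are made up.
var SAMPLE_FEED = JSON.stringify({
  catalogVersion: "2099.01.02",
  count: 3,
  vulnerabilities: [
    { cveID: "CVE-2099-0001", dateAdded: "2099-01-01", dueDate: "2099-01-22" },
    { cveID: "cve-2099-0002 ", dateAdded: "2099-01-02", dueDate: "2099-01-23" },
    { cveID: "not-a-cve", dateAdded: "2099-01-02", dueDate: "2099-01-23" }
  ]
});

var CVE_RE = /^CVE-\d{4}-\d{4,}$/;
var DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

// Parse and validate the feed body. Remote data is untrusted: IDs are
// normalised and checked before they are used as lookup keys.
function parseKevFeed(body) {
  var doc = JSON.parse(body);
  if (!doc || !Array.isArray(doc.vulnerabilities)) throw new Error("unexpected feed shape");
  // A truncated download would otherwise clear flags on real KEV entries.
  if (doc.count !== doc.vulnerabilities.length) throw new Error("count mismatch");
  var entries = {}, rejected = [];
  doc.vulnerabilities.forEach(function (v) {
    v = v || {};
    var id = String(v.cveID || "").trim().toUpperCase();
    if (!CVE_RE.test(id) || !DATE_RE.test(String(v.dateAdded))) { rejected.push(v.cveID); return; }
    entries[id] = { dateAdded: v.dateAdded, dueDate: v.dueDate || "" };
  });
  return { entries: entries, rejected: rejected };
}

// rows: current CVE records as { cve, u_cisa_kev, u_cisa_date_added } (hypothetical fields).
// Returns only the records whose KEV flag or date has to change.
function planUpdates(rows, kev) {
  var plan = [];
  rows.forEach(function (row) {
    var hit = Object.prototype.hasOwnProperty.call(kev.entries, row.cve) ? kev.entries[row.cve] : null;
    var want = { u_cisa_kev: !!hit, u_cisa_date_added: hit ? hit.dateAdded : "" };
    if (row.u_cisa_kev !== want.u_cisa_kev || row.u_cisa_date_added !== want.u_cisa_date_added) {
      plan.push({ cve: row.cve, set: want });
    }
  });
  return plan;
}
```

Entries listed in `rejected` are worth logging on each run, since a malformed ID in the feed would otherwise be dropped silently.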
04-05-2022 03:00 AM
Hi,
Another solution to the problem would be the Shodan Exploit Integration for Security Operations app in the ServiceNow Store. This basically provides a similar type of information to the CISA KEV about vulnerabilities. Below is a summary of the integration capabilities.
By setting up this integration, you enrich your vulnerabilities with exploit information such as:
- Whether there are any exploits associated with a vulnerability.
- What the exploit code rank is. This tells you the skill level required to exploit the vulnerability (Novice, Intermediate, or Expert).
- Exploit Attack Vector. This helps you understand if the vulnerability can be remotely exploitable.
Kind regards,
Fatih.