Rapid7 and ServiceNow Vulnerability response integration

Alex150
Mega Sage

Hello.

I've integrated SN and Rapid7 successfully, but I'm trying to find out how to perform the remediation process properly.

When I'm closing a Vulnerable Item or Vulnerable group, I have two options for closure:

  • Wait for confirmation from next scan 
  • Close vulnerabilities now, reopen if found

It's clear, but how can I run a scan for a specific vulnerability item/group without waiting for the next scan?

Do I need to create a third-party vulnerability scanner for Rapid7? Has anybody faced this issue?

1 ACCEPTED SOLUTION

Hey there, 

It would depend on if you are working from a Vulnerability Group or Vulnerable Item, the particular version of ServiceNow VR you have, and in some cases the third-party integration you are working with (Rapid7, Tenable SC, Tenable IO, Qualys, custom integration, etc)...

One way to approach / think of this for Rapid7:

- Users move identified vulnerabilities to [Resolved]

- Scanner / "the system", will move identified vulnerabilities to [Closed], with a {Fixed} substate 

Where the general [State Flow] appears as:

..... Open -> Under Investigation -> Awaiting Implementation -> Resolved -> Closed

-------------------------------------------------------

Users have the ability to move Vulnerability Groups and Vulnerable Items to a `Resolved` State; where they can signal they have performed their remediation activities to the best of their knowledge.

The scanner can then take these Vulnerable Items from [Resolved] -> to [Closed] / {Fixed}.

When all Vulnerable Items in a Vulnerability Group, are set to [Closed] / {Fixed} -> the Vulnerability Group should automatically be set to [Closed] / {Fixed}.

-------------------------------------------------------

There are some alternative paths that users can take with the baseline functionality (for Madrid / New York), and these can be adjusted with some configuration to meet your requirements and general user experience that you prefer ...

- Users can nav to a Vulnerable Item, and either set it to [Resolved] or to [Closed] / {Fixed}

- Users can nav to a Vulnerability Group, and set it to [Resolved]

     -> Once in [Resolved], a button called "Close" appears 

     -> Selecting this will set the Vulnerability Group to State of [Closed], with an empty substate

- Users can also request to Defer, either a Vulnerable Item or Vulnerability Group (i.e. buy more time, to perform mitigation activities)...

     -> If their request to Defer is approved, the respective Vulnerable Item, or Vulnerability Group will get set to [Deferred]

 

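The two closure options from the question and the scanner-driven transitions described in the accepted solution, as a small plain-JavaScript model. This is an added example, not part of the original post and not ServiceNow or Rapid7 code; the function names, the item ids, and the rules that a still-detected item returns to Open and that its group reopens with it are assumptions.

```javascript
// Simplified model of the closure flow (plain JavaScript, no ServiceNow APIs).
// All names and sample data below are constructed for illustration.

// User action: choose one of the two closure options on a vulnerable item.
function userClose(vi, option) {
  if (option === 'wait_for_scan') {        // "Wait for confirmation from next scan"
    vi.state = 'Resolved'; vi.substate = '';
  } else if (option === 'close_now') {     // "Close vulnerabilities now, reopen if found"
    vi.state = 'Closed'; vi.substate = 'Fixed';
  } else {
    throw new Error('unknown closure option: ' + option);
  }
}

// Scanner import: `detected` holds the ids the latest scan still reports.
function applyScan(group, detected) {
  for (const vi of group.items) {
    const found = detected.has(vi.id);
    if (!found && vi.state === 'Resolved') {
      vi.state = 'Closed'; vi.substate = 'Fixed';   // scan confirms the fix
    } else if (found && (vi.state === 'Resolved' || vi.state === 'Closed')) {
      vi.state = 'Open'; vi.substate = '';          // assumption: still detected, so reopened
    }
  }
  rollUp(group);
}

// The group becomes Closed / Fixed only when every item is Closed / Fixed.
function rollUp(group) {
  const allFixed = group.items.every(v => v.state === 'Closed' && v.substate === 'Fixed');
  if (allFixed) { group.state = 'Closed'; group.substate = 'Fixed'; }
  else if (group.state === 'Closed') { group.state = 'Open'; group.substate = ''; } // assumption
}

// Two imports: the first still reports VIT-B, the second reports nothing.
function demo() {
  const group = { state: 'Open', substate: '', items: [
    { id: 'VIT-A', state: 'Open', substate: '' },
    { id: 'VIT-B', state: 'Open', substate: '' },
  ] };
  userClose(group.items[0], 'wait_for_scan');
  userClose(group.items[1], 'close_now');
  applyScan(group, new Set(['VIT-B']));
  const afterScan1 = JSON.parse(JSON.stringify(group));  // snapshot for comparison
  userClose(group.items[1], 'wait_for_scan');
  applyScan(group, new Set());
  return { afterScan1, afterScan2: group };
}
```

In this model neither option changes what the next import decides: an item closed early is reopened if the scan still reports it, and the group only reaches Closed / Fixed after every item has been confirmed.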

7 REPLIES

Andy,

In the case of Rapid7, what is the "correct" option since scans can't be initiated from ServiceNow? I understand that VITs get updated as data is brought in. Would best practice be to close it and allow SNow to reopen or leave open and allow SNow to close? 

Thanks.

Thanks Andy.