Tenable ITSM incident rules are not triggering when vulnerability occurs in ServiceNow

ManikandanS
Tera Contributor

I've created incident rules in ServiceNow to automatically generate incidents when Tenable vulnerabilities are detected. However, the rules don't seem to be triggering incidents even though the vulnerabilities are showing up correctly in ServiceNow. Could you please assist me in troubleshooting this issue?

4 REPLIES

Eliz Skogquist
ServiceNow Employee

Are you licensed for ServiceNow's Vulnerability Response solution?

Yes, licensed only. We have already integrated Tenable.io with ServiceNow. We are receiving vulnerability details from Tenable within ServiceNow. Our requirement is for incidents to be created automatically when new vulnerabilities occur, using incident rules. I don't have enough knowledge about incident rules. By that, I mean the incident rule should only trigger when a vulnerability is transmitted from Tenable, not when vulnerabilities are imported manually. Since I don't have credentials for Tenable to create test vulnerabilities, I tried exporting vulnerabilities from production and importing them into the development ServiceNow instance, but the incident rule wasn't triggered. Could you please provide me with the complete workflow details about how incident rules create incidents?

ManikandanS
Tera Contributor

Please assist me.

Eliz Skogquist
ServiceNow Employee

Look into how the Vulnerability Response integrations work: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/secops-integration-... . You won't need to create an incident rule. As the VR integrations run, they will load:

1) Third-Party entry table, all vulnerabilities being scanned for by Tenable.io

2) Discovered Items table, all assets being scanned by Tenable.io

3) Vulnerable Item table, all findings of a vulnerability on an asset. These are the "incident" type records, or the records to be worked by remediators for resolution of the findings. These vulnerable item records are commonly grouped to create a single record, a Remediation Task, for the remediation owner to take action on a single record for multiple VIs.