Tenable ITSM incident rules are not triggering when vulnerability occurs in ServiceNow
‎04-02-2024 02:07 AM
I've created incident rules in ServiceNow to automatically generate incidents when Tenable vulnerabilities are detected. However, the rules don't seem to be triggering incidents even though the vulnerabilities are showing up correctly in ServiceNow. Could you please assist me in troubleshooting this issue?
‎04-02-2024 10:09 AM
Are you licensed for ServiceNow's Vulnerability Response solution?
‎04-02-2024 11:53 PM
Yes, licensed only. We have already integrated Tenable.io with ServiceNow. We are receiving vulnerability details from Tenable within ServiceNow. Our requirement is for incidents to be created automatically when new vulnerabilities occur, using incident rules. I don't have enough knowledge about incident rules. By that, I mean the incident rule should only trigger when a vulnerability is transmitted from Tenable, not when vulnerabilities are imported manually. Since I don't have credentials for Tenable to create test vulnerabilities, I tried exporting vulnerabilities from production and importing them into the development ServiceNow instance, but the incident rule wasn't triggered. Could you please provide me with the complete workflow details about how incident rules create incidents?
‎04-03-2024 04:27 AM
Please assist me.
‎04-03-2024 07:26 AM
Look into how the Vulnerability Response integrations work: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/secops-integration-... . You won't need to create an incident rule. As the VR integrations run, they will load:
1) Third-Party entry table, all vulnerabilities being scanned for by Tenable.io
2) Discovered Items table, all assets being scanned by Tenable.io
3) Vulnerable Item table, all findings of a vulnerability on an asset. These are the "incident" type records, or the records to be worked by remediators for resolution of the findings. These vulnerable item records are commonly grouped to create a single record, a Remediation Task, for the remediation owner to take action on a single record for multiple VIs.