11-04-2019 06:17 AM
This is the first time I am using Vulnerability Response, so when the Tenable scan ran this morning there were no third-party vulnerability entries that got created, which means there were no vulnerability groups that got created, which means there were no problem records that got created. I have a script include that parses the groups and creates problem tickets, so when I saw that this morning it made me very concerned. I guess my question is: how are these third-party vulnerability entries being created, and is it a common thing when a scan runs that none are created? Any information is greatly appreciated.
Labels: Vulnerability Response

11-08-2019 03:48 PM
Hey there,
Can you clarify what is triggering the creation of PRBs?
- Is it from Vulnerable Items, Vulnerability Groups or Third-Party Entries?
Yes - you may not see new Third-Party Entries being created day-to-day (nor would you see new Plugins created every day in Tenable); depending on the environment and how often Tenable Scans are being performed -> you would likely see more activity on Vulnerable Items.
If you've wired up logic to create a Problem record every time a record is created in the Third-Party Entry table -> I would stop this.
It's absolutely worth circling back with the client here, as this is not how ServiceNow intended the Vulnerability Response application to be used, nor is this what Problem Records should be used for.
The Remediation Users should be assigned Vulnerability Groups as their strategic unit of work (i.e. Task). This is where they can acknowledge their work, ask for an exception, create a Change Request, monitor progress, etc.
11-04-2019 06:45 AM
A way to test it is to scan a system not seen before by the scanner. I did that and ServiceNow pulled in those new vulnerabilities not seen before the integration with the scanner.
And after a week or so, I updated the vulnerability scanner software and scanned my environment again. The new vulnerabilities the scanner was able to detect from the update were pulled into ServiceNow.
Again, this was with Rapid7 not Tenable. But, worth sharing in case it is the same behavior.
12-18-2019 07:00 AM
There is a field in the integrations called "import since". It is set to one day back from today and resets each time an integration is run. To pull data further back, simply set this field to a date further back. It will pull data from further in history then reset to only pull data from one day back on the next run.

11-04-2019 07:19 AM
Hey Tyler - As others have mentioned here, unless there are new "Vulnerabilities" or "Plugins" in Tenable, you wouldn't see new records created in ServiceNow's 'Third-Party Entry' table.
There's a difference between the Tenable Plugin, and the Tenable Plugin being detected on a system. The Tenable Plugin is an objective "vulnerability detection" (sort of like a signature), and this can be detected on many systems. Tenable Plugins are stored in the ServiceNow `Third-Party Entry` table, and the detections are stored in `Vulnerable Items`.
Also keep in mind, just because a scan was performed in Tenable, it does not mean the findings will automatically be sent to ServiceNow when the Tenable Scan is complete. The integration between Tenable and ServiceNow, requires Tenable Scans to be performed, and then ServiceNow periodically will request the findings / detections from Tenable on a scheduled basis. The time at which the periodic integration is executed, should coincide when we expect Tenable Scans to already be completed (on a best effort).
As you've scheduled the integration to run daily, depending on how often Tenable Scans are performed -> you should likely expect to see new / updated records on the 'Vulnerable Item' table.
-> These represent the Vulnerability found on a system or CI in your environment
-> The third-party entry table simply represents the Plugins from Tenable (not the detections); think of this as your library of possible Vulnerabilities... Where 'Vulnerable Items', are the actual instances of the vulnerability being detected on a CI...
-> We should expect new Tenable Plugins to get published periodically, but likely wouldn't see a great volume of this everyday. However - we'd expect more activity around Tenable Plugins (vulnerabilities) being found on systems -> which are represented as Vulnerable Items in ServiceNow.
--------------------------------------------------------------------
As a side note -> I would strongly reconsider the workaround you mentioned to create Problem records for Vulnerability Groups. The purpose of the Vulnerability Group is to act as a unit of work (i.e. a Task) that represents a strategic grouping of Vulnerable Items and is assigned to the appropriate Team to triage and handle.
--> Are you creating PRB records for each Vulnerability Group?
--> What was the business driver for that or requirement you were looking to solve?
--> Why did we go this direction, versus having Remediation Owners / Remediation Users start with using `Vulnerability Groups` and `Vulnerable Items`?
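As an added illustration of the data model this reply describes, and of the "import since" window mentioned earlier in the thread, here is a small JavaScript model of a scanner import. It is not ServiceNow, Tenable or any poster's code, and it does not use GlideRecord or the real integration API. The plugin ids, plugin names, hostnames and timestamps are constructed; the keying of third-party entries on plugin id and of vulnerable items on (plugin id, CI) is an assumption made to show why a scan can produce zero new third-party entries while still producing new or updated vulnerable items.

```javascript
// Added illustration (not ServiceNow or Tenable code) of the two tables the
// thread describes: a third-party entry library keyed by scanner plugin id
// (the "signature"), and vulnerable items keyed by (plugin id, CI), i.e. the
// detections. An "import since" window limits which findings are pulled and
// resets to one day back after every run, as described in the thread.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample findings in the shape a scanner might report them.
// Plugin ids, names and hostnames are made up for this example.
const SCAN_MONDAY = [
  { pluginId: "P-1001", pluginName: "Weak TLS configuration", asset: "web-01", lastFound: "2019-11-04T05:10:00Z" },
  { pluginId: "P-1001", pluginName: "Weak TLS configuration", asset: "web-02", lastFound: "2019-11-04T05:12:00Z" },
  { pluginId: "P-2002", pluginName: "Outdated agent version", asset: "db-01", lastFound: "2019-11-04T05:20:00Z" },
];
const SCAN_THURSDAY = [
  // Same plugin, same CI: an existing vulnerable item gets its lastFound updated.
  { pluginId: "P-1001", pluginName: "Weak TLS configuration", asset: "web-01", lastFound: "2019-11-07T05:10:00Z" },
  // Same plugin, new CI: a new vulnerable item but no new third-party entry.
  { pluginId: "P-1001", pluginName: "Weak TLS configuration", asset: "web-03", lastFound: "2019-11-07T05:15:00Z" },
  // Old detection outside the import window: skipped by this run.
  { pluginId: "P-2002", pluginName: "Outdated agent version", asset: "db-01", lastFound: "2019-10-20T05:20:00Z" },
];

class VulnerabilityStore {
  constructor(importSince) {
    this.thirdPartyEntries = new Map(); // pluginId -> library entry
    this.vulnerableItems = new Map();   // "pluginId|asset" -> detection
    this.importSince = new Date(importSince);
  }

  // Process one scheduled import. Returns counts so callers can see where the
  // activity actually lands (vulnerable items, not the plugin library).
  runImport(findings, runTime) {
    const result = { newEntries: 0, newItems: 0, updatedItems: 0, skipped: 0 };
    for (const f of findings) {
      const found = new Date(f.lastFound);
      if (found < this.importSince) {
        result.skipped++;
        continue;
      }
      // Library entry is created only the first time a plugin id is seen.
      if (!this.thirdPartyEntries.has(f.pluginId)) {
        this.thirdPartyEntries.set(f.pluginId, { pluginId: f.pluginId, pluginName: f.pluginName, firstSeen: found });
        result.newEntries++;
      }
      // Detection is one row per plugin per CI.
      const key = `${f.pluginId}|${f.asset}`;
      const existing = this.vulnerableItems.get(key);
      if (existing) {
        existing.lastFound = found;
        result.updatedItems++;
      } else {
        this.vulnerableItems.set(key, { pluginId: f.pluginId, asset: f.asset, firstFound: found, lastFound: found });
        result.newItems++;
      }
    }
    // "Import since" resets to one day back from this run (assumed behaviour
    // matching the thread's description).
    this.importSince = new Date(new Date(runTime).getTime() - DAY_MS);
    return result;
  }
}

// Simulate a week with two scheduled imports. The first run has "import since"
// set far back by hand (as the thread suggests for pulling history); the
// second run uses the reset one-day window.
function simulateWeek() {
  const store = new VulnerabilityStore("2019-10-01T00:00:00Z");
  const monday = store.runImport(SCAN_MONDAY, "2019-11-04T06:00:00Z");
  const thursday = store.runImport(SCAN_THURSDAY, "2019-11-07T06:00:00Z");
  return {
    monday,
    thursday,
    libraryPlugins: store.thirdPartyEntries.size,
    detections: store.vulnerableItems.size,
    importSinceAfter: store.importSince.toISOString(),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(simulateWeek(), null, 2));
}
```

Running it shows the Monday import creating two library entries and three detections, while the Thursday import creates no new third-party entries at all: one detection is updated, one is new (the same plugin found on a new CI), and one stale finding is skipped because it falls before the reset "import since" window. That is the pattern the reply describes: day-to-day activity appears on Vulnerable Items, not on the plugin library, so a downstream automation keyed on new Third-Party Entries will often see nothing.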
11-04-2019 07:28 AM
So basically the creation of problems was a long process we tried to talk the client out of, but that is what they wanted. I have a scheduled import for the Tenable information every Monday and Thursday morning (so it ran this morning). When I saw no problems being created I traced it back to the third-party vulnerabilities, and there were none that were created today. We have nothing to do with the Tenable side of it. We have just been implementing Tenable into ServiceNow. So with that being said, is it a common thing that no third-party vulnerabilities are created? I have never seen it before today, but this is the first time ever working with Vulnerability Response.