Vulnerabilities database import

Marco26
Kilo Contributor

Hello,

We are working on a SecOps Vulnerability Response opportunity where the customer is looking to import vulnerability entries from the following sources:

What is the best way to do it? 

Thx,

Marco

Hi,

A Vulnerable Item is a combination of a Vulnerability (sn_vul_entry) AND a Configuration Item (cmdb_ci). You need both parts to make a VI.

When you create a new VI manually it looks like this:

You need to provide a Vulnerability and a CI to successfully create a VI.

When you import data into Vulnerability Response you need to PROVIDE an actual Vulnerability and an actual Configuration Item.

For a Store Integration such as Tenable or Qualys, the incoming data is run through a lot of processing to identify and provide a valid Vulnerability and Configuration Item to create the Vulnerability.

VR by itself does not check anything. All of the checking (i.e. validation and matching) is done by the (Store) Integrations (Tenable, Qualys, Rapid7, etc.)

Thanks a lot for replying, @Chris McDevitt. My doubt is: I have an integration with Rapid7. I import vulnerabilities from there, look up the CMDB and create the vulnerable item. The same vulnerability is also available in the NVD. So will this vulnerability in the NVD (in my ServiceNow instance library) enrich the existing vulnerable item (created via the Rapid7 vulnerability on the same CI), or will it create a new vul item for the NVD vulnerability (post CMDB lookup)?

Thanks again for the guidance.

I see,

Are you talking about deduplication across vulnerability sources? If so, then no, VR does not attempt to duplicate across vulnerability sources.

If you are writing a custom integration and you have the latest VR version, you could check your open VIs -> Vulnerability -> CVEs to see if your main integration already has something open that contains a matching CVE. But this gets complicated fast.

Thanks Chris, you are a saviour 🙂

Mega Expert,

Sorry, I lost track of this thread.

A Vulnerable Item is comprised of a Vulnerability and a Configuration item.

You NEED a Vulnerability and a Configuration item to create a VIT.

In your scenario, YOUR script would need to look up the vulnerability in the NVD (i.e., CVE) and return a reference for the Vulnerability.
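
Added example, not part of the thread and not ServiceNow code: a plain JavaScript model of the decision a custom import script has to make, combining the "vulnerability + CI" rule with the "open VIs -> Vulnerability -> CVEs" check described in the replies above. The in-memory arrays stand in for sn_vul_entry, cmdb_ci and the vulnerable item table; `importFinding`, the record shapes and the CVE ids are constructed for illustration, and in a real instance each `find` would be a table query.

```javascript
// Constructed in-memory stand-ins for the tables named in the thread (not ServiceNow API calls).
const vulnEntries = [ // plays the role of sn_vul_entry: NVD library plus scanner entries
  { id: 'NVD-1', source: 'NVD', cves: ['CVE-0000-0001'] },
  { id: 'NVD-2', source: 'NVD', cves: ['CVE-0000-0003'] },
  { id: 'R7-77', source: 'Rapid7', cves: ['CVE-0000-0001', 'CVE-0000-0002'] },
];
const cis = [{ id: 'ci-1', name: 'web01' }]; // plays the role of cmdb_ci
const vulnerableItems = [ // VI already opened by the main (scanner) integration
  { id: 'VIT-1', vulnerability: 'R7-77', ci: 'ci-1', state: 'open' },
];

// Hypothetical helper: import one finding { cve, host } from a custom source.
function importFinding(finding) {
  // Half 1: resolve the host to an actual Configuration Item.
  const ci = cis.find(c => c.name === finding.host);
  if (!ci) return { action: 'rejected', reason: 'no matching CI' };

  // Half 2: resolve the CVE to an actual Vulnerability reference in the NVD library.
  const vuln = vulnEntries.find(v => v.source === 'NVD' && v.cves.includes(finding.cve));
  if (!vuln) return { action: 'rejected', reason: 'no matching vulnerability' };

  // Cross-source check: open VI on the same CI -> its Vulnerability -> its CVEs.
  const dup = vulnerableItems.find(vi => {
    if (vi.ci !== ci.id || vi.state !== 'open') return false;
    const entry = vulnEntries.find(v => v.id === vi.vulnerability);
    return Boolean(entry) && entry.cves.includes(finding.cve);
  });
  if (dup) return { action: 'skipped', existing: dup.id };

  // Both references resolved and nothing open for this CVE on this CI: create the VI.
  const vi = {
    id: 'VIT-' + (vulnerableItems.length + 1),
    vulnerability: vuln.id,
    ci: ci.id,
    state: 'open',
  };
  vulnerableItems.push(vi);
  return { action: 'created', item: vi };
}
```

Without the cross-source check, the first call in this sample data would open a second item on web01 for a CVE the Rapid7 item already covers.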