Vulnerability item and detection questions

vijir · ‎03-19-2023

Hello,

Can someone please help provide information on these:

For Tenable integration with Vulnerability Response management, the detection key config needs to be updated to include 'proof' along with port, protocol and asset_id. Is it something to be updated from ServiceNow side?

Instead of attaching all the detections for the CI to a single VIT record, would like to explore on the path to create each detection under a VIT record (1-1). The detection may come from the same host, but the path or port may be different which requires remediation from the team. Also the SLA is linked to VIT record and not at the detection level (yes, SLA is used in addition to Remediation target). Though I believe it is not a best practice to create a VIT record for each detection, I would like to understand the drawbacks of doing it in terms of upgradability and customization.

John Gregory · ‎03-20-2023

Hi Vijir

This functionality is available - just not for Tenable ☹️ as we have the same issues as you. I don't get why this would be available for one scanner vendor and not for others.

https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/vulnerability-respons...

vijir · ‎03-21-2023

Thanks John, I was thinking to disable CI lookup rules to deactivate the detections linked under VIT record so that each detection creates a new VIT record. The implications may be high which I have not discovered yet.

How are you handling the remediation targets when it is set at VIT level and does not change whenever the new detection comes or an existing detection is updated?

vijir · ‎03-28-2023

Upon upgrading the plugins, I see an option to include Proof in VI Key for Tenable.sc.

I will post it here if that option is useful.