Linking asset data to CVE in VR&OTVR

Kosuke Tsujibay · ‎12-01-2023

Hi, anyone

I'm triyng to sell OTM to customer but they already have security tool which provides detect asset in factory but not

provide CVE info.

As you may know, OTVR can have vulnerability Item by connecting asset and CVE using Service Graph Connector or Excel import.

However in above case, OTVR can't perform perfectory because that security tool doesn' t provide CVE info.

So here is my question.

Is it possible to link CVE, which can be retrieved from NIST, to asset data in ServiceNow automatically?

Briefly, I want to know if there is any way to link CVE data in ServiceNow to asset data in ServiceNow, if possible, automatically?

Nitesh Tolani · ‎12-28-2023

ServiceNow doesn't automatically detect the vulnerabilities (CVEs) on the assets.

However, the customer can use exposure assessment through which the exposure can be identified for the software or the CPEs associated with the CVE (which is brought in by the NIST NVD Integration).

Product Documentation: https://docs.servicenow.com/bundle/vancouver-security-management/page/product/vulnerability-response...

Currently, there is a system property (sn_vul_analyst.enable_exposure_for_cisa) through which the exposure is automatically calculated for the CISA exploited vulnerabilities.

Hope this helps.