Source risk score on vulnerability entry is different from Tenable VPR score

Go to solution
sath
Tera Expert

‎09-21-2023 08:29 AM

Hi,

We have noticed that for one of the vulnerability entries in our ServiceNow instance has source risk score different from the VPR score in Tenable and Tenable.io Plugin Integration is running everyday successfully. Please assist why the source risk score is different from VPR score.

0 Helpfuls
  • 1,505 Views
1 ACCEPTED SOLUTION

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee

‎09-21-2023 12:40 PM - edited ‎09-21-2023 12:41 PM

Hey there,

 

There appears to be a pattern with the Tenable VPR data not getting updated via the current integration today.

The ServiceNow VR integration, will pull in data about Tenable Plugins based on a delta (modification date) - but there seems to be scenarios where the VPR values change in Tenable, but the corresponding plugin modification date does not change (or advance forward) in Tenable - so it does not come over during the import jobs (delta runs).

You may want to open a Support Case with ServiceNow and mention this KB Article for further assistance "KB1001825".

 

To prove the theory, you could backdate the Tenable Plugin job (import since) to re-import the Plugin data - and validate that some of the stubborn TEN-xxx plugins in ServiceNow (Third-Party Entry) table have their 'source risk score' updated as you expected.

Another avenue if you have examples from your testing, would be to open a Case with Tenable Support - with your examples, showing the VPR scores on a given Plugin were updated, but the plugin modification date did not advance forward on the corresponding Tenable Plugin (reference Issue "VM-5033")

View solution in original post

8 REPLIES 8

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee

‎09-21-2023 12:40 PM - edited ‎09-21-2023 12:41 PM

Hey there,

 

There appears to be a pattern with the Tenable VPR data not getting updated via the current integration today.

The ServiceNow VR integration, will pull in data about Tenable Plugins based on a delta (modification date) - but there seems to be scenarios where the VPR values change in Tenable, but the corresponding plugin modification date does not change (or advance forward) in Tenable - so it does not come over during the import jobs (delta runs).

You may want to open a Support Case with ServiceNow and mention this KB Article for further assistance "KB1001825".

 

To prove the theory, you could backdate the Tenable Plugin job (import since) to re-import the Plugin data - and validate that some of the stubborn TEN-xxx plugins in ServiceNow (Third-Party Entry) table have their 'source risk score' updated as you expected.

Another avenue if you have examples from your testing, would be to open a Case with Tenable Support - with your examples, showing the VPR scores on a given Plugin were updated, but the plugin modification date did not advance forward on the corresponding Tenable Plugin (reference Issue "VM-5033")

Go to solution
sath
Tera Expert
In response to andy_ojha

‎09-25-2023 06:34 AM - edited ‎09-25-2023 06:35 AM

Hi @andy_ojha , Thank you for the reply, this makes sense. We have tried by commenting out the line

'restMessage.setQueryParameter("last_updated", this.runParams.startDate);' in the script include 'TenableIOPluginIntegration' under function '_buildRestMessage'. The last_updated field on Tenable end doesn't account for VPR updates and hence its not returning the VPR updates to ServiceNow. 

But if we comment out that line, its taking more than 2 hours for the integration run and its bringing all the plugins into ServiceNow. 
Will open a case with ServiceNow, but couldn't find the KB Article: KB1001825 you mentioned above. Would you mind posting the link?
Here's the link on Tenable plugin URL:
0 Helpfuls

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee
In response to sath

‎09-25-2023 07:30 AM - edited ‎09-25-2023 07:31 AM

Hey there,

Would caution against modifying that method in that script include - there are other workarounds that would be less invasive - right now, that is probably querying the Tenable API for plugins across all time as no date would be used (defaulting).

 

The KB Article is currently an internal one (for the NOW SecOps VR Integration w/ Tenable and VPR data gaps) - figured you could still mention that KB Article number though, as you request assistance to speed up the triage process.

0 Helpfuls

Go to solution
sath
Tera Expert
In response to andy_ojha

‎09-25-2023 07:48 AM - edited ‎09-25-2023 07:48 AM

Right, it is querying the api for all the plugins. Could you please post the other workarounds for this issue (need VPR updates as well)?

0 Helpfuls