Source risk score on vulnerability entry is different from Tenable VPR score

sath
Tera Expert

Hi,

We have noticed that one of the vulnerability entries in our ServiceNow instance has a source risk score different from the VPR score in Tenable, and the Tenable.io Plugin Integration is running every day successfully. Please assist with why the source risk score is different from the VPR score.

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there,

There appears to be a pattern with the Tenable VPR data not getting updated via the current integration today.

The ServiceNow VR integration will pull in data about Tenable Plugins based on a delta (modification date) - but there seem to be scenarios where the VPR values change in Tenable, but the corresponding plugin modification date does not change (or advance forward) in Tenable - so it does not come over during the import jobs (delta runs).

You may want to open a Support Case with ServiceNow and mention this KB Article for further assistance "KB1001825".

To prove the theory, you could backdate the Tenable Plugin job (import since) to re-import the Plugin data - and validate that some of the stubborn TEN-xxx plugins in the ServiceNow (Third-Party Entry) table have their 'source risk score' updated as you expected.

Another avenue, if you have examples from your testing, would be to open a Case with Tenable Support - with your examples, showing the VPR scores on a given Plugin were updated, but the plugin modification date did not advance forward on the corresponding Tenable Plugin (reference Issue "VM-5033").
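
Added example, not part of the original thread and not ServiceNow or Tenable code: a small audit that compares exported Tenable plugin data with ServiceNow Third-Party Entries and lists the TEN-xxx records whose source risk score no longer matches the VPR, marking those a delta import would skip because the plugin modification date is older than the "import since" date. The record layout, field names and sample values are constructed for illustration; map them to whatever your exports actually contain.

```python
from datetime import datetime, timezone

# Constructed sample data; field names are assumptions, not real API schemas.
TENABLE_PLUGINS = [
    {"plugin_id": 100001, "vpr_score": 9.2, "modification_date": "2023-03-01T00:00:00Z"},
    {"plugin_id": 100002, "vpr_score": 6.7, "modification_date": "2023-09-20T00:00:00Z"},
    {"plugin_id": 100003, "vpr_score": 5.1, "modification_date": "2023-09-25T00:00:00Z"},
]
SNOW_ENTRIES = [
    {"id": "TEN-100001", "source_risk_score": 7.4},
    {"id": "TEN-100002", "source_risk_score": 6.7},
    {"id": "TEN-100003", "source_risk_score": 4.0},
]

def parse_ts(value):
    """Parse an ISO-8601 timestamp and return it as timezone-aware UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def find_stale_scores(tenable_plugins, snow_entries, import_since, tolerance=0.05):
    """List entries whose source risk score differs from the Tenable VPR.

    skipped_by_delta is True when the plugin modification date is older than
    import_since, i.e. a date-filtered import would not fetch the plugin.
    """
    since = parse_ts(import_since)
    snow_by_id = {e["id"]: e for e in snow_entries}
    findings = []
    for plugin in tenable_plugins:
        entry = snow_by_id.get(f"TEN-{plugin['plugin_id']}")
        if entry is None or plugin.get("vpr_score") is None:
            continue  # plugin never imported, or no VPR to compare against
        score = entry.get("source_risk_score")
        if score is not None and abs(plugin["vpr_score"] - score) <= tolerance:
            continue  # scores agree
        findings.append({
            "id": entry["id"],
            "tenable_vpr": plugin["vpr_score"],
            "source_risk_score": score,
            "plugin_modified": plugin["modification_date"],
            "skipped_by_delta": parse_ts(plugin["modification_date"]) < since,
        })
    return findings

if __name__ == "__main__":
    for row in find_stale_scores(TENABLE_PLUGINS, SNOW_ENTRIES, "2023-09-24T00:00:00Z"):
        print(row)
```

Rows with `skipped_by_delta` set to True are the ones worth attaching to the support cases, since they show a changed VPR with an unchanged modification date.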

8 REPLIES 8

andy_ojha
ServiceNow Employee

There are no documented workarounds for this - it'd be something custom - like a business rule to override the date to a more appropriate one, doing a weekly import to grab the historical plugins. What I meant was, there are better custom approaches that could be explored, than touching that Script Include to import plugins without a date filter specified.

Your best bet is to open those Support Cases to move forward (with ServiceNow and Tenable) - ideally if this is a Tenable API issue, they would resolve it (to ensure when VPR scores change, the plugin modification date is updated)...

Thank you. Once the VPR score is updated from Tenable to the source risk score field on the third-party table, should we manually reapply the vulnerability risk rule to update the risk scores on vulnerable items, or will it be changed as part of scheduled jobs?

andy_ojha
ServiceNow Employee

Hey - there is a hidden gem that helps here, and should take care of itself (no action required)...

Check out these two components:

  • Business Rule | Name = Set recalculate flag
  • Scheduled Job | Name = Run severity calculator after vuln entry promotion

When the Tenable VPR changes on the Third-Party Entry, a "re-calculate" flag is set to True, and then a Scheduled Job picks that up to re-eval the Risk Scoring for any Active Vulnerable Items, referencing that Third-Party Entry (vulnerability).

Thank you so much for the assistance.