ServiceNow® Vulnerability Response can split detections from Tenable scanners so that a unique vulnerable item (VIT) is created for each detected vulnerability instance. This split lets you assign VITs to different remediation teams, which improves the management and tracking of vulnerabilities.

Before you begin

Role required: admin

About this task

The Tenable scanner's payload contains detection data, and each path within the proof is used to split the detections. The output tag in the payload identifies the vulnerability's location, so that vulnerabilities can be identified and managed accurately according to their specific paths.

Procedure

  1. In the Third-party Integrations table [sn_sec_int_integration], set the Include proof in VI key column value to true for Tenable.io, Tenable.sc, and Tenable.cs.
  2. Navigate to All > Vulnerability Response > Administration > Configure VI granularity.
  3. For the Tenable.cs product, navigate to the Detection Key Configuration [sn_vul_detection_key_config] table, select the Tenable.cs record and update,
  4. On the Include port form, select the Include port check box and select the click here link (applies only to Tenable.io and Tenable.sc).
  5. On the Add proof to VI keys list, select New.
  6. On the Add proof to the VI key- New record form, in the Vulnerability field, add the Tenable ID for which you want to include the proof.
    Note: You can split the detections based solely on path information or by combining path and version details. For additional details, refer to the section 'Splitting detections from Tenable scanners' on this page.
  7. In the Regular Expression to Split Tenable VITs field:
    • Split the detection based on only the path by entering Path\s+:\s+([^\n]+).
    • Split the detection based on path and installed and fixed versions by entering Path\s+:\s+([^\n]+)\n\s+Installed\s+version\s+:\s+([^\n]+)\n\s+Fixed\s+version\s+:\s+([^\n]+).
  8. Select Submit.
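
To preview what a pattern from step 7 will split on before saving it, the following added example (not ServiceNow or Tenable code) runs both patterns, written with the character class [^\n] (any character except a newline), over a constructed plugin output. The sample paths and versions, the function name splitProof, and the "|" separator used to join captures are assumptions for illustration; the page does not show how the platform builds the actual VI key.

```javascript
// Added example: constructed data, not ServiceNow's implementation.
// The two step 7 patterns, with the global flag so every proof entry is found.
const PATH_ONLY = /Path\s+:\s+([^\n]+)/g;
const PATH_AND_VERSIONS =
  /Path\s+:\s+([^\n]+)\n\s+Installed\s+version\s+:\s+([^\n]+)\n\s+Fixed\s+version\s+:\s+([^\n]+)/g;

// Constructed plugin output: two installs of the same product on one host.
const SAMPLE_OUTPUT = [
  "",
  "  Path              : C:\\Program Files\\Example\\app1",
  "  Installed version : 1.8.0_361",
  "  Fixed version     : 1.8.0_371",
  "",
  "  Path              : D:\\Tools\\Example\\app2",
  "  Installed version : 1.7.0_80",
  "  Fixed version     : 1.8.0_371",
  "",
].join("\n");

// Return one key per proof entry found by the pattern.
// Joining the captures with "|" is an assumption made for this illustration.
function splitProof(output, pattern) {
  const keys = [];
  for (const m of output.matchAll(pattern)) {
    // [^\n]+ also captures a trailing "\r" on CRLF output, so trim each capture.
    keys.push(m.slice(1).map((c) => c.trim()).join("|"));
  }
  return keys;
}

// Path-only split: one key per install location.
const byPath = splitProof(SAMPLE_OUTPUT, PATH_ONLY);
// Path-and-version split: the key also changes when a version changes.
const byPathAndVersion = splitProof(SAMPLE_OUTPUT, PATH_AND_VERSIONS);

console.log(byPath);
console.log(byPathAndVersion);
```

A proof that has a Path line but no Installed version and Fixed version lines produces no match with the second pattern, so check a sample of the plugin's real output against the pattern you intend to enter.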

Example: Splitting detections from Tenable scanners

The following detection from a Tenable scanner shows proof in the output tag that includes both path and version information.


    "results": [
        {
            "asset": {
                "agent_uuid": "92124caabdb9459baa9d053186df48b9",
                "bios_uuid": "ec2cbbfd-dc9e-efbf-acdd-485daZe8c7df",
                "device_type": "aws-ec2-instance",
                "fqdn": "ip-ac0a0004.secops.com",
                "hostname": "ip-ac0a0004",
                "uuid": "486acb3b-674f-477a-bc37-660a7bba37b3",
                "ipv4": "18.220.145.158",
                "last_authenticated_results": "2024-05-17T03:34:04.424Z",
                "mac_address": "0a:3e:8b:ed:63:e6",
                "netbios_name": "IP-AC0A0094",
                "operating_system": [
                    "Microsoft Windows Server 2019 Datacenter Build 17763"
                ],
                "network_id": "00000000-0000-0000-0000-000000000008",
                "tracked": true
            },
            "output": "\n Path : C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath_target_119044062511\n Installed version : 1.8.0_361.9\n Fixed version
            "plugin": {
                "bid": [
                    123456
                ],
                "checks_for_default_account": false,
                "checks_for_malware": false,
                "cpe": [
                    "cpe:/a:notepad-plus-plus:notepad%5c%2b15ck2b"
                ],
                "cvss3_base_score": 7.8,
                "cvss3_temporal_score": 7.0,
                "cvss3_temporal_vector": {
                    "exploitability": "Proof-of-Concept",
                    "remediation_level": "Official Fix",
                    "report_confidence": "Confirmed",
                    "raw": "E:P/RL:O/RC:C"