Verify your vulnerable items have been remediated between scheduled scanning cycles by initiating rescans in the Tenable platform. You can initiate a rescan on-demand for vulnerable items for the Tenable.sc product from your ServiceNow AI Platform® instance.

Before you begin

Roles required: sn_vul.write_all or sn_vul.write_assigned
Note: Tenable.sc does not support launching rescans on agent-based machines.

Verify your scanner is activated before you begin. Navigate to Vulnerability Response > Vulnerability Scanning > Scanners.

About this task

To initiate a rescan from the workspaces, see Rescan Tenable.io and Tenable.sc vulnerable items from the Vulnerability Response workspaces.

Follow the steps listed below to initiate a rescan in the classic environment.

To help reduce the overhead and volume involved with scheduled, full scans, remediation owners, IT specialists, vulnerability analysts, or vulnerability managers can initiate targeted rescans on-demand for specific vulnerabilities on assets (configuration items) in their environments. You can initiate rescans from vulnerable item (VI), remediation task (RT), third-party entry (TPE), or discovered item records from your ServiceNow AI Platform instance.

Rescans permit your remediation owners and vulnerability analysts to verify that your remediation activities, patches, and other actions have successfully fixed specific vulnerabilities on your configuration items (CIs).

For example, suppose your entire environment is scanned once every three weeks. The most recent full scan was completed a week ago, but you applied a patch yesterday to fix a critical vulnerability. Due to the nature of this vulnerability, you cannot wait two weeks for the next scheduled scan to verify that it has been remediated. To verify that your patch successfully fixed a critical vulnerability discovered during an earlier scan, you can initiate a targeted rescan of the Tenable.sc vulnerable items from your ServiceNow AI Platform instance.

Note: When requesting a rescan from your ServiceNow AI Platform® instance, selecting the Vulnerability Response Integration with Tenable credentials is optional. The ServiceNow® Tenable.sc Scan Credential Integration imports and updates scanner credentials from the Tenable.sc product in your instance. This integration runs weekly to import and securely store your Tenable credentials data.

Note that this imported data does not include Tenable passwords or other sensitive Tenable account information. The ServiceNow® Tenable.sc Scan Credential Integration is enabled (Active) automatically from within the Setup Assistant in your instance when you configure the Tenable.sc Vulnerabilities integrations (Tenable.sc Open and Fixed Vulnerabilities Integrations).

Note the following information about the credentials you import so that your users can see them as needed from your ServiceNow AI Platform instance:
  • Credentials created with the Tenable.sc administrator user role are available to users across all your organizations.
  • Credentials created with the Tenable.sc organizational user role are only available to users within that organization. These credentials are not imported into the ServiceNow AI Platform for users outside of the creator’s organization unless they are shared with the user account being used to connect to the instance.

See the Tenable.sc documentation website for more information.

See Configure the Tenable Vulnerability Integration using Setup Assistant for more information about configuring the Tenable.sc application. To view more information about the Scan Credential Integration, navigate to All > Tenable Vulnerability Integration > Integrations > Tenable.sc Scan Credential Integration.

During integration execution, multiple processes are generated, and data is received in the form of pages. Each process can contain one or more import queue entries with attached data in pages. These entries must process the data within the one-hour time limit. However, if the payload size is large, the processing time may exceed one hour or the entry may get stuck, resulting in an integration timeout error. The integration continues to process the data despite the timeout error.

To avoid this miscommunication, starting from version 18.2.4 of Vulnerability Response, timestamps (heartbeats) are sent periodically to indicate whether the queue is active and processing data. The Last Record Processed field on the Import Queue Entry page is updated based on the count of records the import queue creates or updates. If an import queue entry exceeds the one-hour time limit, the system checks whether the Last Record Processed field is also older than one hour. If it is, the import queue entry is considered stuck and is timed out to prevent any further delays in processing.
Note: The Last Record Processed field is updated based on what is defined in the following system properties:
  • sn_sec_cmn.record_threshold_heartbeat: Defines the number of processed records, after which the heartbeat (timestamp) is sent to the import queue entry.
  • sn_sec_cmn.maximum_heartbeat_delay: Defines the maximum delay between heartbeats, after which the import queue entry is timed out.
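The heartbeat-based stuck detection described above, modelled as an added example (not ServiceNow's own code): an import queue entry stamps Last Record Processed every N records, and a watchdog times the entry out only when it is both past the one-hour limit and has been silent longer than the maximum heartbeat delay. The property values and field names are assumptions.

```python
from dataclasses import dataclass

# Assumed values for the two system properties named above; a real instance
# reads them from sn_sec_cmn.record_threshold_heartbeat and
# sn_sec_cmn.maximum_heartbeat_delay, so treat these numbers as placeholders.
RECORD_THRESHOLD_HEARTBEAT = 100   # records processed between heartbeats
MAXIMUM_HEARTBEAT_DELAY = 3600     # seconds of silence before timing out
ENTRY_TIME_LIMIT = 3600            # the one-hour limit per import queue entry


@dataclass
class ImportQueueEntry:
    started_at: float               # epoch seconds when processing began
    last_record_processed: float    # heartbeat timestamp (the page's field)
    records_done: int = 0
    state: str = "processing"

    def process_record(self, now: float) -> None:
        """Create or update one record; stamp a heartbeat every N records."""
        self.records_done += 1
        if self.records_done % RECORD_THRESHOLD_HEARTBEAT == 0:
            self.last_record_processed = now


def check_timeout(entry: ImportQueueEntry, now: float) -> str:
    """Watchdog: time out an entry only if it is both over the limit and silent.
    A slow but alive entry keeps its heartbeat fresh and is left running."""
    if entry.state != "processing":
        return entry.state
    over_limit = now - entry.started_at > ENTRY_TIME_LIMIT
    silent = now - entry.last_record_processed > MAXIMUM_HEARTBEAT_DELAY
    if over_limit and silent:
        entry.state = "timed_out"   # stuck: no heartbeat for over an hour
    return entry.state


def simulate(records: int, seconds_per_record: float, idle_seconds: float = 0.0) -> str:
    """Constructed scenario: process records at a fixed rate, then sit idle
    for idle_seconds before the watchdog runs; returns the resulting state."""
    now = 0.0
    entry = ImportQueueEntry(started_at=now, last_record_processed=now)
    for _ in range(records):
        now += seconds_per_record
        entry.process_record(now)
    now += idle_seconds
    return check_timeout(entry, now)
```

A long-running but healthy entry (thousands of records at one per second) stays in processing, while an entry that stops updating its heartbeat for more than an hour after the limit has passed is timed out.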

Procedure

  1. Navigate to All > Vulnerability Response > Vulnerable items.
  2. Locate the vulnerable item record that you want to trigger a rescan from and open it.
    Note: You can only initiate rescans for VIs with Tenable.sc as the source. Verify that Tenable.sc is displayed in the Source column on the VI list views, or in the Source field on individual records. You can use the condition builder to group VIs by Source. If the Source column is not displayed on the VI list view, click the Personalize List icon (gear icon) in the upper left of the list and use the slushbucket to move Source from Available to Selected.
  3. Alternatively, navigate to All > Vulnerability Response > Remediation Tasks or Vulnerability Response > Libraries > Third-Party for the remediation task or third-party entry records, respectively, that you want to use for the rescan.

    Depending on your choice, the Rescan button is available on the following records:

    • On a single VI record, the VI must be from the Tenable.sc product and in any state other than Closed. For multiple VI records, all the VIs must be from the Tenable.sc product and in any state other than Closed.
    • On an RT record, the remediation task can be in any state other than Closed, and all the associated VIs must be from the Tenable.sc product.
    • On a third-party entry (TPE) record, the record must have at least one associated VI record from the Tenable.sc product in any state other than Closed.
  4. In the upper right of the record, click Rescan.
    You are prompted to choose the scanner credentials to access the scanner. These are the credentials imported by the Tenable.sc Scan Credential Integration.
  5. In the dialog, select the filters and credential types you want.
  6. Click Request Scan.

    A message is displayed that indicates your scan is being processed. The status of all rescans can be found at any time under the Scan related lists on the VI, RT, or TPE records you used to launch the rescans. In the message, click View details to view the status of the rescan and any other rescans launched from that record.

    The parent scan record is a container for the child scans, and the child scans import the data. The State field on the parent scan record is marked as complete after all the child scans have successfully completed.

    Your ServiceNow AI Platform® instance tracks the rescan status until it successfully completes or until the set tracking period times out, whichever happens first. The time-out does not stop the scan. It refers to when the ServiceNow AI Platform® stopped tracking your rescan status, not when the actual rescan stopped. All VIs that have transitioned, or will transition, to Closed/Fixed are imported with the next scheduled import of the Tenable.sc Fixed Vulnerabilities Integration.
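The rules in step 3 for when the Rescan button is available on VI, RT, and TPE records, encoded as an added example (not ServiceNow's own code) so they can be checked against constructed records. The record models and field names are assumptions, not the instance's table schema.

```python
from dataclasses import dataclass
from typing import List

TENABLE_SC = "Tenable.sc"
CLOSED = "Closed"


@dataclass
class VulnerableItem:
    # Constructed model; the field names are assumptions, not the VI table schema.
    number: str
    source: str     # scanner that reported it, e.g. "Tenable.sc" or "Tenable.io"
    state: str      # VI lifecycle state, e.g. "Open" or "Closed"

    def rescannable(self) -> bool:
        """A VI qualifies when it came from Tenable.sc and is not Closed."""
        return self.source == TENABLE_SC and self.state != CLOSED


@dataclass
class RemediationTask:
    state: str
    vis: List[VulnerableItem]


@dataclass
class ThirdPartyEntry:
    vis: List[VulnerableItem]


def rescan_allowed_for_vis(vis: List[VulnerableItem]) -> bool:
    """One or more selected VI records: every one must be Tenable.sc and not Closed."""
    return bool(vis) and all(v.rescannable() for v in vis)


def rescan_allowed_for_rt(rt: RemediationTask) -> bool:
    """RT: the task itself is not Closed and all associated VIs are from Tenable.sc.
    Requiring at least one VI is an assumption; the page does not cover empty tasks."""
    return rt.state != CLOSED and bool(rt.vis) and all(v.source == TENABLE_SC for v in rt.vis)


def rescan_allowed_for_tpe(tpe: ThirdPartyEntry) -> bool:
    """TPE: at least one associated VI is from Tenable.sc and not Closed."""
    return any(v.rescannable() for v in tpe.vis)
```

Note that a single Closed or non-Tenable.sc VI in a multi-select blocks the whole selection, whereas a TPE only needs one qualifying VI among its associations.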