Review source and target fields and view imported data on tables and records in your ServiceNow Now Platform AI instance.

Asset Integration field mapping

| Wiz field | ServiceNow table | ServiceNow field |
|---|---|---|
| id | sn_sec_cmn_src_ci | source_id |
| nativeType | sn_sec_cmn_src_ci | cloud_resource_type (also stored in source_data as wiz_native_type) |
| type | sn_sec_cmn_src_ci | source_data (stored as ciType) |
| name | sn_sec_cmn_src_ci | name |
| name | sn_sec_cmn_src_ci | resource_name |
| graphEntity.providerUniqueId | sn_sec_cmn_src_ci | source_data (if it exists, stored as provider_unique_id) |
| graphEntity.properties.externalId | sn_sec_cmn_src_ci | source_data (if it exists and graphEntity.providerUniqueId does not exist, stored as provider_unique_id) |
| lastSeen | sn_sec_cmn_src_ci | non_infra_last_scan_date (also stored as last_scan_time in the source_data field of the Discovered item table) |
| firstSeen | sn_sec_cmn_src_ci | source_data (stored as first_seen) |
| isOpenToAllInternet | sn_sec_cmn_src_ci | source_data (stored as is_open_to_all_internet) |
| isAccessibleFromInternet | sn_sec_cmn_src_ci | cmdb_ci_internet_facing (stored in source_data as is_accessible_from_internet) |
| hasAccessToSensitiveData | sn_sec_cmn_src_ci | source_data (stored as has_access_to_sensitive_data) |
| hasAdminPrivileges | sn_sec_cmn_src_ci | source_data (stored as has_admin_privileges) |
| hasHighPrivileges | sn_sec_cmn_src_ci | source_data (stored as has_high_privileges) |
| hasSensitiveData | sn_sec_cmn_src_ci | source_data (stored as has_sensitive_data) |
| typeFields.operatingSystem | sn_sec_cmn_src_ci | os |
| typeFields.instanceType | sn_sec_cmn_src_ci | source_data (stored as instance_type) |
| resourceGroup.id | sn_sec_cmn_src_ci | source_data (stored as resource_group_id) |
| resourceGroup.name | sn_sec_cmn_src_ci | source_data (stored as resource_group_name) |
| tags | sn_sec_cmn_src_ci | host_tag |
| cloudPlatform | sn_sec_cmn_src_ci | cloud_service_provider |
| region | sn_sec_cmn_src_ci | cloud_region |
| cloudAccount.externalId | sn_sec_cmn_src_ci | cloud_account |
| projects | sn_sec_cmn_src_ci | projects |
| cloudProviderURL | sn_sec_cmn_src_ci | resource_id (used to retrieve the project ID for the Serverless resource type on the GCP cloud platform) |
| externalId | sn_sec_cmn_src_ci | resource_id (used as resource_id for the Virtual machine resource type on the Azure cloud platform) |

Host vulnerability Integration field mapping

| Wiz field | ServiceNow table | ServiceNow field |
|---|---|---|
| description | sn_vul_detection | proof |
| status | sn_vul_detection | source_status |
| lastDetectedAt | sn_vul_detection | last_found |
| firstDetectedAt | sn_vul_detection | first_found |
| vulnerableAsset.name | sn_vul_detection | dns |
| remediation | sn_vul_detection | solution_summary |
| vulnerableAsset.ipAddresses[0] | sn_vul_detection | ip_address |
| vendorSeverity | sn_vul_detection | source_severity |
| fixedVersion | sn_vul_detection | fixed_version |
| status | sn_vul_detection | is_ignored |
| status | sn_vul_detection | status |
| name | sn_vul_entry | id |
| score | sn_vul_third_party_entry | v3_base_score |
| CVEDescription | sn_vul_third_party_entry | summary |
| vendorSeverity | sn_vul_third_party_entry | source_severity |
| cvssv3.attackVector | sn_vul_third_party_entry | v3_attack_vector |
| cvssv3.attackComplexity | sn_vul_third_party_entry | v3_attack_complexity |
| cvssv3.confidentialityImpact | sn_vul_third_party_entry | v3_confidentiality_impact |
| cvssv3.privilegesRequired | sn_vul_third_party_entry | v3_privileges_required |
| cvssv3.integrityImpact | sn_vul_third_party_entry | v3_integrity_impact |
| cvssv3.userInteractionRequired | sn_vul_third_party_entry | v3_user_interaction |
| hasExploit | sn_vul_third_party_entry | exploit |
| hasCisaKevExploit | sn_vul_third_party_entry | cisa_exists |
| vulnerableAsset.tags | sn_sec_cmn_src_ci | host_tag |
| vulnerableAsset.id | sn_sec_cmn_src_ci | source_id |
| vulnerableAsset.name | sn_sec_cmn_src_ci | name |
| vulnerableAsset.region | sn_sec_cmn_src_ci | cloud_region |
| vulnerableAsset.providerUniqueId | sn_sec_cmn_src_ci | resource_id |
| vulnerableAsset.cloudPlatform | sn_sec_cmn_src_ci | cloud_service_provider |
| vulnerableAsset.type | sn_sec_cmn_src_ci | assetType |
| relatedIssueAnalytics | sn_sec_cmn_src_ci | source_data |
| vulnerableAsset.nativeType | sn_sec_cmn_src_ci | cloud_resource_type |
| vulnerableAsset.subscriptionExternalId | sn_sec_cmn_src_ci | cloud_account |
| vulnerableAsset.name | sn_sec_cmn_src_ci | resource_name |
| vulnerableAsset.imageName | sn_sec_cmn_src_ci | image_id |
| vulnerableAsset.* | sn_sec_cmn_src_ci | source_data (all the details inside vulnerableAsset are added to the source_data field) |
| lastDetectedAt | sn_sec_cmn_src_ci | source_data |

Container vulnerability Integration field mapping

| Wiz field | ServiceNow table | ServiceNow field |
|---|---|---|
| imageId | sn_vul_container_image | image_id |
| vulnerableAsset.name | sn_vul_container_image | image_name |
| vulnerableAsset.repository.externalId after ## | sn_vul_container_image | registry |
| vulnerableAsset.repository.externalId before ## | sn_vul_container_image | repo |
| vulnerableAsset.tags | sn_vul_container_image | image_labels |
| projects | sn_vul_container_image | image_projects |
| vulnerableAsset.region | sn_vul_container_image | cloud_regions |
| vulnerableAsset.cloudPlatform | sn_vul_container_image | cloud_providers |
| vulnerableAsset.subscriptionExternalId | sn_vul_container_image | cloud_account_ids |
| vulnerableAsset.executionControllers.ancestors.name | sn_vul_container_image | image_namespace |
| vulnerableAsset.executionControllers.ancestors.name | sn_vul_container_image | image_clusters |
| vulnerableAsset.executionControllers.ancestors.name | sn_vul_container_image_vulnerable_item | image_clusters |
| vulnerableAsset.executionControllers.ancestors.name | sn_vul_container_image_vulnerable_item | image_namespace |
| vulnerableAsset.repository.externalId before ## | sn_vul_container_image_vulnerable_item | image_repository |
| layerMetadata.isBaseLayer | sn_vul_container_image_findings | is_base_image |
| firstDetectedAt | sn_vul_container_image_findings | first_found |
| lastDetectedAt | sn_vul_container_image_findings | last_found |
| detailedName | sn_vul_container_image_package | name |
| version | sn_vul_container_image_package | version |
| locationPath | sn_vul_container_image_package | path |
| name | sn_vul_entry | id |
| score | sn_vul_third_party_entry | v3_base_score |
| CVEDescription | sn_vul_third_party_entry | summary |
| vendorseverity | sn_vul_third_party_entry | source_severity |
| cvssv3.attackVector | sn_vul_third_party_entry | v3_attack_vector |
| cvssv3.attackComplexity | sn_vul_third_party_entry | v3_attack_complexity |
| cvssv3.confidentialityImpact | sn_vul_third_party_entry | v3_confidentiality_impact |
| cvssv3.privilegesRequired | sn_vul_third_party_entry | v3_privileges_required |
| cvssv3.integrityImpact | sn_vul_third_party_entry | v3_integrity_impact |
| cvssv3.userInteractionRequired | sn_vul_third_party_entry | v3_user_interaction |
| hasExploit | sn_vul_third_party_entry | hasExploit |
| layerMetadata.isBaseLayer | sn_vul_container_image_layer | Base layer |
| layerMetadata.details | sn_vul_container_image_layer | instruction |
| layerMetadata.id | sn_vul_container_image_layer | id |
| status | sn_vul_container_image_findings | is_ignored |
| validate_at_runtime | sn_vul_container_image_findings | validate_at_runtime |
| id | sn_vul_container_image_findings | unique_key |
| fixed_version | sn_vul_container_image_findings | fix_status |

Configuration Compliance Test Results Integration field mapping

| Wiz field | ServiceNow table | ServiceNow field |
|---|---|---|
| rule.id | sn_vulc_test | source_id |
| rule.name | sn_vulc_test | short_description |
| rule.remediationInstructions | sn_vulc_test | remediation |
| rule.description | sn_vulc_test | description |
| severity | sn_vulc_test | source_criticality |
| status | sn_vulc_result | result |
| id | sn_vulc_result | source_id |
| analyzedAt | sn_vulc_result | last_seen |
| firstSeenAt | sn_vulc_result | first_seen |
| rule.remediationInstructions | sn_vulc_result | remediation |
| resource.nativeType | sn_sec_cmn_src_ci | source_data |
| resource.type | sn_sec_cmn_src_ci | source_data |
| id | sn_vulc_result | description |
| id | sn_vulc_result | source_id |
| securitySubCategories.category.framework.id | sn_vulc_auth_src | source_id |
| securitySubCategories.category.framework.name | sn_vulc_auth_src | short_description |
| securitySubCategories.category.framework.description | sn_vulc_auth_src | description |
| securitySubCategories.id | sn_vulc_citation | section |
| securitySubCategories.title | sn_vulc_citation | section_name |
| resource.projects | sn_sec_cmn_src_ci | projects |
| status | sn_vulc_result | is_ignored (if status is Rejected, is_ignored is set to true; otherwise false) |

Issues Integration field mapping

Note: Data that the Issues Integration maps to cloud test results (CTRs) is labeled with Wiz Issues as the source, to help you differentiate these CTRs from the CTRs of the test results integration.

| Wiz field | ServiceNow table | ServiceNow field |
|---|---|---|
| sourceRule.id | sn_vulc_test | source_id |
| sourceRule.name | sn_vulc_test | short_description |
| sourceRule.resolutionRecommendation/sourceRule.remediationInstructions | sn_vulc_test | remediation |
| sourceRule.description | sn_vulc_test | description |
| severity | sn_vulc_test | source_criticality |
| createdAt | sn_vulc_result | first_seen |
| updatedAt | sn_vulc_result | last_seen |
| status | sn_vulc_result | result |
| id | sn_vulc_result | source_id |
| sourceRule.resolutionRecommendation/sourceRule.remediationInstructions | sn_vulc_result | remediation |
| sourceRule.controlDescription | sn_vulc_result | description |
| entitySnapshot.nativeType | sn_sec_cmn_src_ci | source_data |
| entitySnapshot.type | sn_sec_cmn_src_ci | source_data |
| Wiz issue | sn_vulc_result | result_type |
| id | sn_vulc_result | description |
| severity | sn_vulc_test | source_criticality |
| id | sn_vulc_result | source_id |
| sourcerule.securitySubCategories.category.framework.id | sn_vulc_auth_src | source_id |
| sourcerule.securitySubCategories.category.framework.name | sn_vulc_auth_src | short_description |
| sourcerule.securitySubCategories.category.framework.description | sn_vulc_auth_src | description |
| sourcerule.securitySubCategories.id | sn_vulc_citation | section |
| sourcerule.securitySubCategories.title | sn_vulc_citation | section_name |
| projects | sn_sec_cmn_src_ci | projects |
| status | sn_vulc_result | is_ignored (if status is Rejected, is_ignored is set to true; otherwise false) |

Mapping to vulnerable item and test result records

  • The Asset Integration imports data about your cloud assets reported by the Wiz scanner.
  • Host vulnerability findings are mapped to host vulnerable items (VITs).
  • Host test results that are associated with the VIRTUAL MACHINE resource type are mapped to cloud test results records (CTRs) in the Configuration Compliance application.
  • Container vulnerability findings are mapped to container vulnerable items (CVITs).
  • Configuration test results findings are mapped to cloud test results records (CTRs) in the Configuration Compliance application.
  • Issues findings are mapped to cloud test results records (CTRs) in the Configuration Compliance application.
  • The Backfill Integrations import and process any Asset IDs that are reported as missing by the primary vulnerability and compliance integrations.