Vulnerability Response applications and CSDM tables
The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications.
CSDM tables referenced by Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications
Assets imported from third-party vulnerability scanners are represented in the following tables:
- Host Vulnerability Response Discovered Items.
- Cloud and Container Vulnerability Response Discovered Images.
- Application Vulnerability Response Discovered Applications (product model).
Each CI record may carry non-discoverable attributes, for example Support Group or Classification, that are populated on the CI and can be used as input for vulnerable item assignment rules. These attributes might be populated from Common Service Data Model (CSDM) synchronizations based on upstream Technical Service Offerings; a scanner never reports them, so the CI record is where a rule has to read them from.
If you want to leverage related CSDM objects in Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations or Software Bill of Materials applications, you need to use scripted rules.
For example, to automatically assign vulnerable items for remediation with vulnerable item assignment rules, you might create a rule that keys on the configuration item's Classification value as it is updated on imported vulnerability entries. For this case, you need a scripted rule that queries the target value from the related CSDM object.
Below is an example of a scripted query that you might use to see if a CI has Java and is tied to a vulnerability entry.
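The scripted query itself did not survive on this page. What follows is an added example written for this edit, not ServiceNow's code: one way to write such a query in server-side JavaScript against GlideRecord. It checks whether the CI behind a vulnerable item has a Java install recorded in Software Asset Management and, if it does, returns the CI's Support Group (the CSDM-synced attribute mentioned above) as the assignment target. The table and field names it uses (cmdb_sam_sw_install with installed_on and display_name, sn_vul_vulnerable_item with cmdb_ci and active, support_group on cmdb_ci) and the way a result is handed back to the rule are assumptions to verify on your instance; the small in-memory GlideRecord stand-in and the sample rows exist only so the file runs outside an instance.

```javascript
// Added example, not from the ServiceNow documentation: the shape of a scripted
// assignment-rule check that reads a CSDM-synced attribute (Support Group) off the CI.
// Assumed (not confirmed by the page): table/field names below, and that returning
// null lets another rule handle the item. Verify both against your instance.

// Constructed sample rows standing in for instance tables.
const SAMPLE_TABLES = {
  cmdb_ci: [
    { sys_id: 'ci_web01', name: 'app-web-01', support_group: 'grp_java_platform' },
    { sys_id: 'ci_db01',  name: 'db-01',      support_group: 'grp_dba' },
    { sys_id: 'ci_bat01', name: 'batch-01',   support_group: '' },          // no owner synced yet
    { sys_id: 'ci_old01', name: 'legacy-01',  support_group: 'grp_legacy' },
  ],
  cmdb_sam_sw_install: [
    { sys_id: 'sw1', installed_on: 'ci_web01', display_name: 'Java SE Runtime Environment 8' },
    { sys_id: 'sw2', installed_on: 'ci_db01',  display_name: 'PostgreSQL 14' },
    { sys_id: 'sw3', installed_on: 'ci_bat01', display_name: 'OpenJDK 17 (java)' },
    { sys_id: 'sw4', installed_on: 'ci_old01', display_name: 'Java SE Development Kit 7' },
  ],
  sn_vul_vulnerable_item: [
    { sys_id: 'vi1', cmdb_ci: 'ci_web01', active: true },
    { sys_id: 'vi2', cmdb_ci: 'ci_db01',  active: true },
    { sys_id: 'vi3', cmdb_ci: 'ci_bat01', active: true },
    { sys_id: 'vi4', cmdb_ci: 'ci_old01', active: false },                  // closed item
  ],
};

function fieldMatches(actual, op, expected) {
  const a = String(actual == null ? '' : actual);
  const e = String(expected);
  if (op === '=') return a === e;
  if (op === '!=') return a !== e;
  if (op === 'CONTAINS') return a.toLowerCase().includes(e.toLowerCase());
  throw new Error('unsupported operator: ' + op);
}

// Offline stand-in for a subset of the platform GlideRecord API. On an instance,
// delete this class; the real GlideRecord has the same method names.
class GlideRecord {
  constructor(table) { this.table = table; this.filters = []; this.rows = []; this.idx = -1; }
  addQuery(field, op, value) {                       // addQuery(field, value) means equality
    if (value === undefined) { value = op; op = '='; }
    this.filters.push({ field, op, value });
  }
  query() {
    const rows = SAMPLE_TABLES[this.table] || [];
    this.rows = rows.filter(r => this.filters.every(f => fieldMatches(r[f.field], f.op, f.value)));
    this.idx = -1;
  }
  hasNext() { return this.idx + 1 < this.rows.length; }
  next() { if (!this.hasNext()) return false; this.idx += 1; return true; }
  get(sysId) { this.filters = [{ field: 'sys_id', op: '=', value: sysId }]; this.query(); return this.next(); }
  getValue(field) { const v = this.rows[this.idx][field]; return v == null ? null : String(v); } // strings, like the real API
}

// Does the CI have a Java install (per SAM) and at least one open vulnerable item?
function ciHasJavaAndOpenVulnerableItem(ciSysId) {
  const sw = new GlideRecord('cmdb_sam_sw_install');
  sw.addQuery('installed_on', ciSysId);
  sw.addQuery('display_name', 'CONTAINS', 'java');
  sw.query();
  if (!sw.hasNext()) return false;

  const vi = new GlideRecord('sn_vul_vulnerable_item');
  vi.addQuery('cmdb_ci', ciSysId);
  vi.addQuery('active', true);
  vi.query();
  return vi.hasNext();
}

// Rule body: for a vulnerable item, return the CI's CSDM-synced Support Group when the
// CI runs Java; otherwise null so the item is left for another rule.
function javaAssignmentGroup(vulnerableItemSysId) {
  const vi = new GlideRecord('sn_vul_vulnerable_item');
  if (!vi.get(vulnerableItemSysId)) return null;
  const ciSysId = vi.getValue('cmdb_ci');
  if (!ciSysId || !ciHasJavaAndOpenVulnerableItem(ciSysId)) return null;
  const ci = new GlideRecord('cmdb_ci');
  if (!ci.get(ciSysId)) return null;
  const group = ci.getValue('support_group');
  return group ? group : null;   // empty Support Group: fall through rather than assign to nobody
}
```

Matching on a display-name substring is deliberately loose so the check works on un-normalized SAM data; if your installs carry a normalized product model reference, query that instead, and keep the empty-Support-Group fall-through so a CI whose CSDM sync has not run does not get silently assigned to an empty group.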
These applications reference the following CSDM tables:
- The Product Model [cmdb_model] table (referenced by Application Vulnerability Response and Software Bill of Materials).
- The Application Model [cmdb_application_product_model] table (referenced by Application Vulnerability Response and Software Bill of Materials).
- The Configuration Item [cmdb_ci] table.
- The Business Service [cmdb_ci_service_business] table.
- The Service [cmdb_ci_service] table.
- The CMDB Group [cmdb_group] table.
- The Dynamic CI Group [cmdb_ci_query_based_service] table.
CSDM tables used by Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications
- The Product Model [cmdb_model] table (used by Application Vulnerability Response and Software Bill of Materials).
- The Application Model [cmdb_application_product_model] table (used by Application Vulnerability Response and Software Bill of Materials).
- The Configuration Item [cmdb_ci] table.
- The Business Application [cmdb_ci_business_app] table (used by Application Vulnerability Response and Software Bill of Materials).
- The Business Service [cmdb_ci_service_business] table.
- The Technical Service [cmdb_ci_service_technical] table.
When you upload Software Bill of Materials files, the SBOM application tries to match the Product Models and Business Applications in the file to those that already exist in your CMDB. You can then link application services or business applications to a product model.
Products that add value to Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications
- Third-party vulnerability scanners and integrations: Vulnerabilities imported from the National Vulnerability Database (NVD) and detection data from third-party scanners are reconciled with the assets in your CMDB. When an imported vulnerability matches an existing asset, a vulnerable item is created. Vulnerable items are grouped automatically into remediation tasks, risk-scored with business context, prioritized, and assigned to the appropriate teams. For more information and a list of integrations, see Vulnerability Response integrations.
- The CWE Comprehensive 2000 and NVD integrations: Data imported from the NIST National Vulnerability Database (NVD) and Common Weakness Enumeration (CWE) integrations enriches the vulnerability data in your instance and helps you decide whether to escalate remediation for a vulnerability, vulnerable item, or remediation task. See Understanding the NVD integrations and Configure and run the scheduled job for updating CWE records for more information.
Products that benefit from integration with Software Bill of Materials
- Security Posture Control: Security Posture Control (SPC) gives cybersecurity teams visibility into their complete enterprise asset inventory so they can determine their overall security posture. SPC policies can detect assets with vulnerabilities that you import with the Vulnerability Response applications, which helps you locate security tool coverage gaps.
- Governance, Risk, and Compliance: Connect security and IT with an integrated risk program that offers continuous monitoring, prioritization, and automation.
- DevOps: Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment. Upload SBOM files to the ServiceNow AI Platform from your GitHub repositories.