Field mapping for the Wiz Vulnerability Response Integrations

  • Release version: Xanadu
  • Updated October 3, 2025
  • Review source and target fields and view imported data on tables and records in your ServiceNow Now Platform AI instance.

    Asset Integration field mapping

    | Wiz field | ServiceNow table | ServiceNow field | Notes |
    |---|---|---|---|
    | id | sn_sec_cmn_src_ci | source_id | |
    | nativeType | sn_sec_cmn_src_ci | cloud_resource_type | Also stored in source_data as wiz_native_type. |
    | type | sn_sec_cmn_src_ci | source_data | Stored in source_data as ciType. |
    | name | sn_sec_cmn_src_ci | name | |
    | name | sn_sec_cmn_src_ci | resource_name | |
    | graphEntity.providerUniqueId | sn_sec_cmn_src_ci | source_data | If it exists, stored in source_data as provider_unique_id. |
    | graphEntity.properties.externalId | sn_sec_cmn_src_ci | source_data | If it exists and graphEntity.providerUniqueId does not exist, stored in source_data as provider_unique_id. |
    | lastSeen | sn_sec_cmn_src_ci | non_infra_last_scan_date | Also stored as last_scan_time in the source_data field in the Discovered item table. |
    | firstSeen | sn_sec_cmn_src_ci | source_data | Stored in source_data as first_seen. |
    | isOpenToAllInternet | sn_sec_cmn_src_ci | source_data | Stored in source_data as is_open_to_all_internet. |
    | isAccessibleFromInternet | sn_sec_cmn_src_ci | cmdb_ci_internet_facing | Stored in source_data as is_accessible_from_internet. |
    | hasAccessToSensitiveData | sn_sec_cmn_src_ci | source_data | Stored in source_data as has_access_to_sensitive_data. |
    | hasAdminPrivileges | sn_sec_cmn_src_ci | source_data | Stored in source_data as has_admin_privileges. |
    | hasHighPrivileges | sn_sec_cmn_src_ci | source_data | Stored in source_data as has_high_privileges. |
    | hasSensitiveData | sn_sec_cmn_src_ci | source_data | Stored in source_data as has_sensitive_data. |
    | typeFields.operatingSystem | sn_sec_cmn_src_ci | os | |
    | typeFields.instanceType | sn_sec_cmn_src_ci | source_data | Stored in source_data as instance_type. |
    | resourceGroup.id | sn_sec_cmn_src_ci | source_data | Stored in source_data as resource_group_id. |
    | resourceGroup.name | sn_sec_cmn_src_ci | source_data | Stored in source_data as resource_group_name. |
    | tags | sn_sec_cmn_src_ci | host_tag | |
    | cloudPlatform | sn_sec_cmn_src_ci | cloud_service_provider | |
    | region | sn_sec_cmn_src_ci | cloud_region | |
    | cloudAccount.externalId | sn_sec_cmn_src_ci | cloud_account | |
    | projects | sn_sec_cmn_src_ci | projects | |
    | cloudProviderURL | sn_sec_cmn_src_ci | resource_id | Used to retrieve the project ID for the GCP cloud platform Serverless resource type. |
    | externalId | sn_sec_cmn_src_ci | resource_id | Used as resource_id for the Azure cloud platform Virtual machine resource type. |

    Host vulnerability Integration field mapping

    | Wiz field | ServiceNow table | ServiceNow field | Notes |
    |---|---|---|---|
    | description | sn_vul_detection | proof | |
    | status | sn_vul_detection | source_status | |
    | lastDetectedAt | sn_vul_detection | last_found | |
    | firstDetectedAt | sn_vul_detection | first_found | |
    | vulnerableAsset.name | sn_vul_detection | dns | |
    | remediation | sn_vul_detection | solution_summary | |
    | vulnerableAsset.ipAddresses[0] | sn_vul_detection | ip_address | |
    | vendorSeverity | sn_vul_detection | source_severity | |
    | fixedVersion | sn_vul_detection | fixed_version | |
    | status | sn_vul_detection | is_ignored | |
    | status | sn_vul_detection | status | |
    | name | sn_vul_entry | id | |
    | score | sn_vul_third_party_entry | v3_base_score | |
    | CVEDescription | sn_vul_third_party_entry | summary | |
    | vendorSeverity | sn_vul_third_party_entry | source_severity | |
    | cvssv3.attackVector | sn_vul_third_party_entry | v3_attack_vector | |
    | cvssv3.attackComplexity | sn_vul_third_party_entry | v3_attack_complexity | |
    | cvssv3.confidentialityImpact | sn_vul_third_party_entry | v3_confidentiality_impact | |
    | cvssv3.privilegesRequired | sn_vul_third_party_entry | v3_privileges_required | |
    | cvssv3.integrityImpact | sn_vul_third_party_entry | v3_integrity_impact | |
    | cvssv3.userInteractionRequired | sn_vul_third_party_entry | v3_user_interaction | |
    | hasExploit | sn_vul_third_party_entry | exploit | |
    | hasCisaKevExploit | sn_vul_third_party_entry | cisa_exists | |
    | vulnerableAsset.tags | sn_sec_cmn_src_ci | host_tag | |
    | vulnerableAsset.id | sn_sec_cmn_src_ci | source_id | |
    | vulnerableAsset.name | sn_sec_cmn_src_ci | name | |
    | vulnerableAsset.region | sn_sec_cmn_src_ci | cloud_region | |
    | vulnerableAsset.providerUniqueId | sn_sec_cmn_src_ci | resource_id | |
    | vulnerableAsset.cloudPlatform | sn_sec_cmn_src_ci | cloud_service_provider | |
    | vulnerableAsset.type | sn_sec_cmn_src_ci | assetType | |
    | relatedIssueAnalytics | sn_sec_cmn_src_ci | source_data | |
    | vulnerableAsset.nativeType | sn_sec_cmn_src_ci | cloud_resource_type | |
    | vulnerableAsset.subscriptionExternalId | sn_sec_cmn_src_ci | cloud_account | |
    | vulnerableAsset.name | sn_sec_cmn_src_ci | resource_name | |
    | vulnerableAsset.imageName | sn_sec_cmn_src_ci | image_id | |
    | vulnerableAsset.* | sn_sec_cmn_src_ci | source_data | All the details inside vulnerableAsset are added to the source_data field. |
    | lastDetectedAt | sn_sec_cmn_src_ci | source_data | |

    Container vulnerability Integration field mapping

    | Wiz field | ServiceNow table | ServiceNow field |
    |---|---|---|
    | imageId | sn_vul_container_image | image_id |
    | vulnerableAsset.name | sn_vul_container_image | image_name |
    | vulnerableAsset.repository.externalId after ## | sn_vul_container_image | registry |
    | vulnerableAsset.repository.externalId before ## | sn_vul_container_image | repo |
    | vulnerableAsset.tags | sn_vul_container_image | image_labels |
    | projects | sn_vul_container_image | image_projects |
    | vulnerableAsset.region | sn_vul_container_image | cloud_regions |
    | vulnerableAsset.cloudPlatform | sn_vul_container_image | cloud_providers |
    | vulnerableAsset.subscriptionExternalId | sn_vul_container_image | cloud_account_ids |
    | vulnerableAsset.executionControllers.ancestors.name | sn_vul_container_image | image_namespace |
    | vulnerableAsset.executionControllers.ancestors.name | sn_vul_container_image | image_clusters |
    | vulnerableAsset.executionControllers.ancestors.name | sn_vul_container_image_vulnerable_item | image_clusters |
    | vulnerableAsset.executionControllers.ancestors.name | sn_vul_container_image_vulnerable_item | image_namespace |
    | vulnerableAsset.repository.externalId before ## | sn_vul_container_image_vulnerable_item | image_repository |
    | layerMetadata.isBaseLayer | sn_vul_container_image_findings | is_base_image |
    | firstDetectedAt | sn_vul_container_image_findings | first_found |
    | lastDetectedAt | sn_vul_container_image_findings | last_found |
    | detailedName | sn_vul_container_image_package | name |
    | version | sn_vul_container_image_package | version |
    | locationPath | sn_vul_container_image_package | path |
    | name | sn_vul_entry | id |
    | score | sn_vul_third_party_entry | v3_base_score |
    | CVEDescription | sn_vul_third_party_entry | summary |
    | vendorseverity | sn_vul_third_party_entry | source_severity |
    | cvssv3.attackVector | sn_vul_third_party_entry | v3_attack_vector |
    | cvssv3.attackComplexity | sn_vul_third_party_entry | v3_attack_complexity |
    | cvssv3.confidentialityImpact | sn_vul_third_party_entry | v3_confidentiality_impact |
    | cvssv3.privilegesRequired | sn_vul_third_party_entry | v3_privileges_required |
    | cvssv3.integrityImpact | sn_vul_third_party_entry | v3_integrity_impact |
    | cvssv3.userInteractionRequired | sn_vul_third_party_entry | v3_user_interaction |
    | hasExploit | sn_vul_third_party_entry | hasExploit |
    | layerMetadata.isBaseLayer | sn_vul_container_image_layer | Base layer |
    | layerMetadata.details | sn_vul_container_image_layer | instruction |
    | layerMetadata.id | sn_vul_container_image_layer | id |
    | status | sn_vul_container_image_findings | is_ignored |
    | validate_at_runtime | sn_vul_container_image_findings | validate_at_runtime |
    | id | sn_vul_container_image_findings | unique_key |
    | fixed_version | sn_vul_container_image_findings | fix_status |

    Configuration Compliance Test Results Integration field mapping

    | Wiz field | ServiceNow table | ServiceNow field | Notes |
    |---|---|---|---|
    | rule.id | sn_vulc_test | source_id | |
    | rule.name | sn_vulc_test | short_description | |
    | rule.remediationInstructions | sn_vulc_test | remediation | |
    | rule.description | sn_vulc_test | description | |
    | severity | sn_vulc_test | source_criticality | |
    | status | sn_vulc_result | result | |
    | id | sn_vulc_result | source_id | |
    | analyzedAt | sn_vulc_result | last_seen | |
    | firstSeenAt | sn_vulc_result | first_seen | |
    | rule.remediationInstructions | sn_vulc_result | remediation | |
    | resource.nativeType | sn_sec_cmn_src_ci | source_data | |
    | resource.type | sn_sec_cmn_src_ci | source_data | |
    | id | sn_vulc_result | description | |
    | id | sn_vulc_result | source_id | |
    | securitySubCategories.category.framework.id | sn_vulc_auth_src | source_id | |
    | securitySubCategories.category.framework.name | sn_vulc_auth_src | short_description | |
    | securitySubCategories.category.framework.description | sn_vulc_auth_src | description | |
    | securitySubCategories.id | sn_vulc_citation | section | |
    | securitySubCategories.title | sn_vulc_citation | section_name | |
    | resource.projects | sn_sec_cmn_src_ci | projects | |
    | status | sn_vulc_result | is_ignored | If status is Rejected, is_ignored is set to true; otherwise false. |

    Issues Integration field mapping

    Note:
    Data mapped for the Issues Integration to cloud test results (CTRs) are labeled with Wiz Issues as the source to help you differentiate these CTRs from the test results integration CTRs.
    | Wiz field | ServiceNow table | ServiceNow field | Notes |
    |---|---|---|---|
    | sourceRule.id | sn_vulc_test | source_id | |
    | sourceRule.name | sn_vulc_test | short_description | |
    | sourceRule.resolutionRecommendation/sourceRule.remediationInstructions | sn_vulc_test | remediation | |
    | sourceRule.description | sn_vulc_test | description | |
    | severity | sn_vulc_test | source_criticality | |
    | createdAt | sn_vulc_result | first_seen | |
    | updatedAt | sn_vulc_result | last_seen | |
    | status | sn_vulc_result | result | |
    | id | sn_vulc_result | source_id | |
    | sourceRule.resolutionRecommendation/sourceRule.remediationInstructions | sn_vulc_result | remediation | |
    | sourceRule.controlDescription | sn_vulc_result | description | |
    | entitySnapshot.nativeType | sn_sec_cmn_src_ci | source_data | |
    | entitySnapshot.type | sn_sec_cmn_src_ci | source_data | |
    | Wiz issue | sn_vulc_result | result_type | |
    | id | sn_vulc_result | description | |
    | severity | sn_vulc_test | source_criticality | |
    | id | sn_vulc_result | source_id | |
    | sourcerule.securitySubCategories.category.framework.id | sn_vulc_auth_src | source_id | |
    | sourcerule.securitySubCategories.category.framework.name | sn_vulc_auth_src | short_description | |
    | sourcerule.securitySubCategories.category.framework.description | sn_vulc_auth_src | description | |
    | sourcerule.securitySubCategories.id | sn_vulc_citation | section | |
    | sourcerule.securitySubCategories.title | sn_vulc_citation | section_name | |
    | projects | sn_sec_cmn_src_ci | projects | |
    | status | sn_vulc_result | is_ignored | If status is Rejected, is_ignored is set to true; otherwise false. |
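
The conditional rules in the mappings above (the provider_unique_id precedence in the asset mapping, the `##` split of vulnerableAsset.repository.externalId in the container mapping, and the Rejected status rule) can be checked against imported records with a sketch like the following. This is an added example, not ServiceNow or Wiz code: the function names, the plain-object form of source_data, the handling of a missing `##` and the case-insensitive status comparison are assumptions.

```javascript
// Added illustration, not ServiceNow or Wiz code. All function names are hypothetical.

// Asset rule: graphEntity.providerUniqueId wins; graphEntity.properties.externalId
// is used only when providerUniqueId does not exist.
function providerUniqueId(asset) {
  const ge = asset.graphEntity || {};
  if (ge.providerUniqueId) return ge.providerUniqueId;
  return (ge.properties && ge.properties.externalId) || null;
}

// Container rule: text before "##" -> repo, text after "##" -> registry.
// Assumption: with no "##" the whole value is the repo and registry stays null.
function splitRepository(externalId) {
  if (typeof externalId !== 'string' || externalId === '') {
    return { repo: null, registry: null };
  }
  const i = externalId.indexOf('##');
  if (i === -1) return { repo: externalId, registry: null };
  return { repo: externalId.slice(0, i), registry: externalId.slice(i + 2) };
}

// Compliance and Issues rule: is_ignored is true only when status is Rejected.
// Assumption: the comparison ignores case.
function isIgnored(status) {
  return String(status).toLowerCase() === 'rejected';
}

// Builds a subset of the source_data keys the asset table names
// (representing source_data as a plain object is an assumption).
function assetSourceData(asset) {
  const sd = {
    wiz_native_type: asset.nativeType,
    ciType: asset.type,
    first_seen: asset.firstSeen,
    last_scan_time: asset.lastSeen,
    is_open_to_all_internet: asset.isOpenToAllInternet,
    is_accessible_from_internet: asset.isAccessibleFromInternet,
    has_admin_privileges: asset.hasAdminPrivileges,
    has_sensitive_data: asset.hasSensitiveData,
  };
  const puid = providerUniqueId(asset);
  if (puid !== null) sd.provider_unique_id = puid; // key omitted when neither exists
  return sd;
}

// Constructed sample record (not real Wiz output).
const sampleAsset = {
  nativeType: 'virtualMachine', type: 'VIRTUAL_MACHINE',
  firstSeen: '2025-01-01T00:00:00Z', lastSeen: '2025-01-02T00:00:00Z',
  isOpenToAllInternet: false, isAccessibleFromInternet: true,
  hasAdminPrivileges: false, hasSensitiveData: true,
  graphEntity: { properties: { externalId: 'example-external-id' } },
};
```

Comparing the result of `assetSourceData` with the source_data on an imported Discovered item shows which of the two Wiz fields supplied provider_unique_id for that asset.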

    Mapping to vulnerable item and test result records

    • The Asset Integration imports data about your cloud assets reported by the Wiz scanner.
    • Host vulnerability findings are mapped to host vulnerable items (VITs).
    • Host test results that are associated with the resource type VIRTUAL MACHINE are mapped to cloud test results records (CTRs) in the Configuration Compliance application.
    • Container vulnerability findings are mapped to container vulnerable items (CVITs).
    • Configuration test results findings are mapped to cloud test results records (CTRs) in the Configuration Compliance application.
    • Issues findings are mapped to cloud test results records (CTRs) in the Configuration Compliance application.
    • The Backfill Integrations import and process any Asset IDs that are reported as missing by the primary vulnerability and compliance integrations.