Washington DC |
- Compose a script for vulnerable items or remediation tasks in the Approval Configuration form
- Compose a script in the Approval Configurations form for vulnerable items or remediation tasks on which an approval rule must be applied.
- View list of vulnerable items in the Vulnerability Manager Workspace
- View the list of active vulnerable items in the Vulnerability Manager Workspace using the active records count next to the View by drop-down in the Host vulnerabilities tab on the Home page.
- Open active vulnerable items list in classic UI from the Vulnerability Manager Workspace
- Navigate to the Classic UI's active vulnerable items list using the View Classic link in the Host Vulnerabilities tab on the home page of the Vulnerability Manager Workspace.
- Refresh a remediation task in the Vulnerability Manager and IT Remediation Workspaces
- Refresh a remediation task (VUL#) in the Vulnerability Manager and IT Remediation Workspaces to inspected if there are any additional records that belong to a remediation task.
- Updating the risk score in the Vulnerability Manager and IT Remediation Workspaces
- Update the risk score of a vulnerable item (VIT) using the Calculate Risk Score button in the Vulnerability Manager and IT Remediation Workspaces as per vulnerability calculators.
- Setting up questionnaire for exception requests based on condition
- Configure questionnaires based on conditions for exception requests.
- Displaying records in workspaces upon clicking the links in email notifications
- When links are clicked in an email notification, records open in Vulnerability Manager Workspace or IT Remediation Workspace based on the user’s role.
- Analysing the vulnerability landscape in the Vulnerability Manager Workspace
- View an overall summary of active vulnerabilities through visual representation of risk ratings, remediation progress, assignment group workloads, and records in remediation tasks.
- Acquiring the summary of a set of vulnerabilities using filters
- Display a summary of a set of active vulnerabilities by filtering those vulnerabilities on the Home page of the Vulnerability Manager Workspace.
- Associating compensating controls with a CVE and TPE for risk reduction in the Vulnerability Manager Workspace
- Associate relevant compensating controls with a Common Vulnerability Entry (CVE) and Third-party Entry (TPE), which can be used for reducing risk in the Vulnerability Manager Workspace.
- Disabling or enabling risk reduction requests in the Vulnerability Manager Workspace
- Enable or disable risk reduction requests for vulnerabilities related to a CVE or TPE in the Vulnerability Manager Workspace.
- Using bulk edit in the Vulnerability Manager Workspace
- Perform the following tasks on multiple host vulnerable items (VITs) and remediation tasks simultaneously in the Vulnerability Manager Workspace:
- Receiving notifications on false positive and exception requests
- Receive notifications and reminders on false positive and exception requests change approval records by setting approval expiry and reminder dates on the approval rules.
- Vulnerability Crisis Management
- View timestamps to see the last assessment of the events. The Assessment tab on the workspace is visible only when the new assessments are created. View the link to major security incidents
on the Vulnerability Manager Workspace for vulnerable items.
- CISA Known Exploit Vulnerability (KEV) Integration
- Import the Common Security Advisory Framework (CSAF) format through XML/JSON file import, API calls, or advisories, and map the solutions with the related vulnerabilities.
- Cybersecurity Executive Dashboard
- Access a unified view of your organization's security landscape through the Cybersecurity Executive Dashboard, which consolidates data from various products from within the ServiceNow
Security Operations suite.
- Quick start tests for Vulnerability Response.
-
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Vulnerability Response still works. If you customized Vulnerability Response, copy the quick start tests and configure them for your customizations.
- Update vulnerable items with data from last open detection (v21.1.2)
-
Update vulnerable items with the most recent and accurate data from the last open detection by setting the system property sn_vul.show_last_open_detection to true. The vulnerable items' IP
address, SSL, Port, Protocol, DNS name, NetBIOS name, and Description values are updated with the last open detection values during ingestion and the change of configuration item (CI) (Reapply of CI lookup
rule). To apply this update to the existing VITs, execute the Update Last Open Detection Value To VITs scheduled job. This ensures that the last open detection values are correctly
updated on all the existing VITs.
- Create auto-close rules (v22.0)
- Vulnerability Managers can use the advanced auto-close rule functionality to automatically close stale detections along with their corresponding vulnerable items.
- Solutions management improvements (v22.0)
- Performance improvements have been made for faster processing of non-Microsoft solutions.
- Generic framework to ingest data from any solution vendor (v22.0)
- A new generic framework has been introduced, leveraging the Common Security Advisory Framework (CSAF), to facilitate faster information exchange and processing through integrations. Leading software vendors offer
the CSAF format for describing vulnerabilities and solutions. Solution data can be imported either through file upload or API integration.
- Exclude inactive installs from Exposure Assessment (v22.0)
- A new system property, sn_vul.filter_inactive_sw_installs, has been introduced to determine whether inactive software installations should be filtered out for exposure assessment. By default, the property is enabled in the base system. When the filter is enabled, only active installations are displayed.
- Prevent detections from getting converted into vulnerable items (v22.1.2)
- The Exclusion Rule feature in Vulnerability Response enables you to filter out low-priority vulnerabilities such as informational ones during ingestion, helping prevent the creation of vulnerable items. With this feature, only critical
and high severity vulnerable items are created, thereby improving the overall performance of the product.
- Enhancements to the Unified Vulnerability Response Dashboard (v22.1.2)
- If you've created any exclusion rules, you can now access Exclusion Rule Reports on the Unified Vulnerability Response Dashboard.
- Enhanced Cybersecurity Executive Dashboard (v2.1.3)
- The Cybersecurity Executive Dashboard v2.1.3 includes the following enhancements:
- Key metrics from Governance, Risk, and Compliance (GRC) that offers a comprehensive overview of your organization's cybersecurity posture.
- Direct access to the GRC dashboard through the Cybersecurity Executive Dashboard for seamless navigation and integration of essential risk and compliance information.
- Operational Technology metrics that provide a comprehensive security perspective across both IT and OT environments, facilitating thorough risk management and monitoring.
- An enhanced user experience with an intuitive and distinguishable dashboard design that scales effectively to accommodate the evolving needs of your organization.
- Improved accuracy and reliability in metrics to ensure that the data presented in the dashboards is accurate, supporting better decision-making and strategic planning.
|
Xanadu |
- Identify Wiz Resource Types for import
-
Identify the Resource Types (assets) that are reported by Wiz that you want to import with the Wiz Integration Resource Type configuration page in your ServiceNow AI Platform instance.
The Resource Types that you select apply to all the primary Wiz vulnerability and compliance integrations except the Wiz Container Vulnerability Integration. See the Wiz Vulnerability Response Integrations for more information about the vulnerability and compliance
integrations.
- Wiz Backfill Integrations
-
Retrieve and process data stored on the Wiz Missing Assets [sn_vul_wiz_missing_asset] table for assets that were not processed by the primary Host Vulnerability Integration with a specialized Wiz Backfill Integration.
The Host Vulnerability Backfill Integration is activated by default.
Note: The Wiz Asset Integration and the Wiz Container Vulnerability Integration do not have backfill integrations. The Wiz Asset Integration can discover assets and create and update discovered item records on the Discovered item [sn_sec_cmn_src_ci] table. The Wiz Container Vulnerability Integration imports and processes discovered container image records.
- Create solutions from scanners
- Starting with v24.0.6 of Vulnerability Response, solution records can now be configured to be created from scanners such as Tenable, Qualys, and Microsoft Threat and Vulnerability Management (MS TVM). These solutions are set as preferred in the absence of options from software
vendors.
- Activate or deactivate CVEs for exposure assessment
- Starting with version 4.0.1 of Vulnerability Exposure Assessment, if a Common Vulnerability Entry (CVE) has not been updated or had vulnerable items (VITs) created in the past 30 days, the
exposure assessment record for that CVE is automatically marked as inactive. However, you can manually activate or deactivate these records. Additionally, the scheduled job
Check potential vulnerability exposure regularly scans for such CVEs to designate them as inactive. If there is an update, it marks them as active.
- Split detections from Tenable and Microsoft TVM scanners
- Starting with v24.0.6 of Vulnerability Response, you can split the detections from Tenable and Microsoft Threat and Vulnerability Management (MS TVM) scanners, enabling the creation of a unique
vulnerable item (VIT) for each detected vulnerability instance. This split enables the assignment of VITs to various remediation teams, enhancing the management and tracking of
vulnerabilities.
- New Properties module
- Starting with v24.0.6 of Vulnerability Response, a new Properties module has been added to the navigation menu under the Administration section. This
module enables direct modification of the values, offering a user-friendly method to manage and update system properties directly from the interface.
- Deletion of classification rules and application on discovered items
- Starting with v24.0.6 of Vulnerability Response, if a classification rule is deleted or deactivated, it’s no longer applied to the discovered item and the data in the
Classification and Classification_type fields get cleared.
- Exceptions for CI creation
- Starting with v24.0.6 of Vulnerability Response, if Identification and Reconciliation engine (IRE) encounters exceptions that prevent the creation of configuration items (CIs), the specifics of these
exceptions are recorded in the Additional Information field.
- View configuration item history
- Starting with v24.0.6 of Vulnerability Response, you can view the updates to a CI in the Discovered Item table. Information including the previous CI, the updated CI, and the user who made the
changes is documented in the Audit History related list.
- Customize the calculation of Age and Age closed values of a vulnerable item
- Starting with v24.0.6 of Vulnerability Response, the Age and Age Closed durations of a Vulnerable Item can be configured to be calculated from the date in the Created, Opened, or First Found
fields.
- Open the search results in the Vulnerability Manager Workspace or IT Remediation Workspace rather than the Classic UI
- Starting with v24.0.6 of Vulnerability Response, automatically open your search results in the Vulnerability Manager Workspace or IT Remediation Workspace rather than the Classic UI, by adjusting the application scope in the unified navigation bar to Vulnerability Manager Workspace or IT Remediation Workspace respectively. These application scopes are available to you based on your assigned role.
- Vulnerability Manager Workspace access to the sn_vul.read_all role
- Starting with v24.0.6 of Vulnerability Response, as a user with the sn_vul.read_all role, you can view the host vulnerable items in the Vulnerability Manager Workspace.
- IT Remediation Workspace access to the sn_vul.read_assigned role
- Starting with v24.0.6 of Vulnerability Response, as a user with the sn_vul.read_assigned role, you can view the host vulnerable items assigned to you and your assignment groups in the IT Remediation Workspace and remediate them.
- Navigate to the List page in the Vulnerability Manager Workspace or IT Remediation Workspace by selecting the links from the All menu
- Starting with v24.0.6 of Vulnerability Response, when you enable the 'sn_vul_cmn_ws.navigate_to_workspace' system property, selecting predefined filter links in the Vulnerability Response module from
the 'All' menu will automatically open these links in the List page in the Vulnerability Manager Workspace or IT Remediation Workspace based on your role.
- Hide the record count on the Host Vulnerable Items list in the Vulnerability Manager Workspace and IT Remediation Workspace
- Starting with v24.0.6 of Vulnerability Response, you can hide the record count on the lists in the List page of the Vulnerability Manager Workspace and IT Remediation Workspace by adding the table names to the glide.ui.list.seismic.omit.count system property.
- Enable automatic refresh for the Home page dashboard in the Vulnerability Manager Workspace
- Starting with v24.0.6 of Vulnerability Response, when creating and editing filters in the Host Vulnerabilities tab on the Home page of the Vulnerability Manager Workspace, you can configure the widgets to refresh automatically. Otherwise, you can manually refresh the widgets by selecting the
Refresh button on the Host Vulnerabilities tab.
- Re-evaluating remediation properties for all records in the Vulnerability Manager Workspace
- Starting with v24.0.6 of Vulnerability Response, you can evaluate the remediation properties for all the Vulnerable Items from the Host Vulnerable Items list by selecting the All
items option in the Record selection field of the Re-evaluate remediation properties modal in the Vulnerability Manager Workspace.
- Reevaluate the remediation properties for vulnerable items in the Vulnerability Manager Workspace
- Select the vulnerable items conditionally for reevaluating the following remediation properties in the Vulnerability Manager Workspace:
- Assignments
- Remediation tasks
- Remediation target date
- Exceptions (Vulnerability Response v24.0.6)
- Risk score
- Navigate to the Exposure Assessment page in workspaces from the All menu
- With the Vulnerability Response Pro or Enterprise subscription, you’re redirected to the Exposure Assessment page in the Vulnerability Manager Workspace or Vulnerability Assessment
Workspace based on your role, on selecting the Exposure Assessment link in the All menu.
- Common Security Advisory Framework (CSAF) scanner mapping is optional
- The Scanner mapping field is now optional for the following Common Security Advisory Framework (CSAF) import methods:
- File import
- Advisories
- CSAF URL
- Multiple vendors supported for CSAF through Rolie feed
- Import vulnerability solutions from CSAF aggregators or trusted providers via URL import supporting Resource-Oriented Lightweight Information Exchange (ROLIE) feed. These vulnerability
solutions are automatically mapped to the correct vendor and vulnerable items (VITs) based on the Common Vulnerabilities and Exposures (CVEs).
- Enhanced processing performance of scheduled job
- The Rollup vulnerable item values to vulnerability and group scheduled job is enhanced to create background jobs with multithreading capabilities. This upgrade
involves segmenting the job into several smaller child jobs, which are executed either in parallel or concurrently. This modification enables processing of multiple records
simultaneously, thus significantly speeding up the overall task.
- Workflow deprecation and replacement by flow designer
- The following workflows have been deprecated and replaced by the flow designer:
- Exception Rule State Approval
- Remediation Task State Approval
- Vulnerability Response - Scan Vulnerability
- Vulnerable Item State Approval
- Vulnerability Response - Scan Vulnerable Item
.
- Risk score updates in the Notes section
- Access information on how an item's risk score is adjusted according to modifications in the vulnerability calculators. These details are available in the Notes section and include:
- Calculator group name
- Calculator name
- Field values along with their weightage and impact on the risk score
- Final risk score
- Vulnerability Crisis Management (VCM) is available as a separate subscription in the store
- Starting with v1.0.1 of Vulnerability Crisis Management, the application is available as a separate subscription in the store. You can access Vulnerability Crisis Management from the
Vulnerability Assessment workspace only if you have fine- grained entitlement or have installed the application from the store. Previously, Vulnerability Crisis Management was included
with the Vulnerability Emergency Response plugin.
- Vulnerability Exposure Response is renamed as Vulnerability Exposure Assessment
- Starting with v3.2.2, the Vulnerability Emergency Response plugin has been renamed as Vulnerability Exposure Assessment.
|
Yokohama |
- Identify Wiz Resource Types for import
-
Identify the Resource Types (assets) that are reported by Wiz that you want to import with the Wiz Integration Resource Type configuration page in your ServiceNow AI Platform instance.
The Resource Types that you select apply to all the primary Wiz vulnerability and compliance integrations except the Wiz Container Vulnerability Integration. See the Wiz Vulnerability Response Integrations for more information about the vulnerability and compliance integrations.
- Wiz Backfill Integrations
-
Retrieve and process data stored on the Wiz Missing Assets [sn_vul_wiz_missing_asset] table for assets that were not processed by the primary Host Vulnerability Integration with a specialized Wiz Backfill Integration.
The Host Vulnerability Backfill Integration is activated by default.
Note: The Wiz Asset Integration and the Wiz Container Vulnerability Integration do not have backfill integrations. The Wiz Asset Integration can discover assets and create and update discovered item records on the Discovered item [sn_sec_cmn_src_ci] table. The Wiz Container Vulnerability Integration imports and processes discovered container image records.
- Create host remediation tasks manually in the Vulnerability Manager Workspace
- With the sn_vul.vulnerability_analyst or sn_vul.vulnerability_admin role, you can create host remediation tasks manually by selecting some or all the records in the Host vulnerable items’ lists in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating host remediation tasks.
- Create host remediation tasks manually in the IT Remediation Workspace
-
With the sn_vul.remediation_owner role, you can create host remediation tasks manually by selecting desired records in the Host vulnerable items’ lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating host remediation tasks.
- Questionnaire Support in Exception Management via Smart Assessment
- Configure advanced questionnaires as part of the exception management process using Smart Assessment. This enhancement allows remediation owners to provide detailed context for exception requests and enables approvers to
configure conditional questions to gather information for informed decision making.
- Collaboration and streamlined approval: Facilitate collaboration between your vulnerability management and remediation teams by streamlining the approval process with clear and complete exception justifications.
- Mandatory questionnaires: Block the submission of exception requests until mandatory questionnaires are completed. If a questionnaire is marked as mandatory, the test results and its associated remediation tasks remain
in the 'Open' state until the questionnaire is completed and submitted.
- If the questionnaire is incomplete, the state change approval record is saved as 'Draft'. Only after completing the questionnaire can the user submit the exception request, which will then move the test results or
remediation tasks to the 'In Review' state.
- Lookup rules enhancements
- When you reapply Lookup rules, Discovered items (DIs) that have been inactive for more than 90 days are ignored. These Discovered items (DIs) are also excluded from licensing considerations. Removing them from the lookup
logic can improve performance and reduce processing time.
- Background job enhancements: New fields have been added to help you view successfully evaluate records, the time taken for processing, the time remaining, and an estimated number of records.
- Improved accuracy for non-CSDM Vulnerability Response users: A system property (sn_sec_cmn.ci_lifecycle_status_source) has been introduced to help users who do not follow Common Service Data Model (CSDM) standards. This
property ensures that Discovered items (DIs) and associated VITs are properly marked as Decommissioned and are excluded from the CI Lookup. Additionally, the Retired Configuration Items PA indicator has been updated to
accurately reflect CIs based on the decommissioning flags.
- The scheduled job to create reconcile unmatched discovered items feature is deprecated. You can "Reapply Look up Rules" for selected or filtered items in the discovered items table view.
- Tenable.cs integrations with the Vulnerability Response and Container Vulnerability Response application
- The Vulnerability Response Integration with Tenable application now supports data ingestion from Tenable.cs, enabling you to bring in cloud and container vulnerabilities directly into ServiceNow. This integration enhances your ability to prioritize and remediate vulnerabilities identified in Tenable cloud resources and container images. Key capabilities are:
- Importing vulnerabilities discovered by Tenable.cs in cloud hosts and container images into ServiceNow automatically.
- Enabling remediation workflows to triage, assign, and resolve the most critical vulnerabilities across cloud-native and containerized environments.
- Using the Setup Assistant to easily configure credentials and integration parameters—get started with minimal manual setup.
- Scheduling jobs to run periodically to import findings from Tenable.cs, create vulnerable items (for cloud hosts), create container vulnerable items and associate them with the relevant cloud resources and container
image records.
- Assess vulnerability exposure by publisher
- Starting with v5.0 of Vulnerability Exposure Assessment, a publisher-based assessment is introduced that enables you to assess the vulnerability impact by vendor. For example, Microsoft, and Red Hat. By focusing on recently disclosed vulnerabilities from critical vendors, you can prioritize remediation and proactively address threats, improving your overall security posture.
- View risk score details of a vulnerable item in the Work notes section
- Starting with v25.0.3 of Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. If you enable it, only then you can see all the changes related to the risk score of a
vulnerable item in the Work notes section. Additionally, the work notes are updated only if there’s a change in the risk score.
- Quick Start Tests for Vulnerability Response
-
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Vulnerability Response works as expected. If you customized Vulnerability Response, copy the quick start tests and configure them for your customizations.
- Enhancements to exception rules handling
-
- Exception rules are reevaluated with nightly scheduled jobs.
- Vulnerable items that no longer match exception rule conditions are unlinked from remediation tasks.
- A deferred vulnerable item (VIT) is reopened if it doesn’t match any active exception rules.
- Exception rules don’t create remediation tasks. VITs are deferred directly and aren’t associated with a remediation task.
- Tenable's endpoint scanning integration
- Support for Tenable's endpoint scanning integration to retrieve scan metadata. The integration fetches scan details using the last_schedule_id from existing asset data in Tenable.io.
- Reopened Count field on vulnerable items
- Added the Reopened Count field on vulnerable items to track the number of times their states change from 'Closed' to 'Open' or to 'Active'.
- Out-of-the-box vendor advisories via Common Security Advisory Framework (CSAF) integration
- The following vendor advisories are configured out-of-the-box and are automatically activated when the Solution Management plugin is enabled: Redhat and Suse.
|
Zurich |
- Remediation task rule execution mode
- You can now choose how remediation task rules are evaluated during ingestion. The new Match First execution mode evaluates rules sequentially and applies only the first matching rule, assigning each finding to exactly one
remediation task. The default Match All mode continues to evaluate all applicable rules.
- Unified Microsoft Defender Integration for Security Exposure Management
- The Microsoft Defender for Cloud and Microsoft Threat and Vulnerability Management (MS TVM) integrations are now consolidated into a single plugin, Microsoft Defender Integration for Security Exposure Management, deprecating the standalone Microsoft Defender for Cloud Integration application. The unified plugin also introduces container image vulnerability ingestion from Microsoft Defender for Cloud, creating Container Vulnerable items on your instance. The deprecated application are supported through a guided migration path to transfer existing data to the unified
plugin.
- Optimized Tenable.io Compliance Results ingestion
- Starting with v 6.1.3, the Tenable.io Compliance Results Integration is replaced by the Tenable.io Fixed Compliance Results Integration and Tenable.io Open Compliance Results Integration. Compliance results are now imported
based on their status, optimizing ingestion performance and scalability for environments with large volumes of compliance data while keeping remediation and compliance tracking aligned with the current state of findings.
- Qualys Integration – API enhancements
- Qualys Integration has been upgraded to support newer Qualys API versions across Host Detection, Host List, Knowledgebase, PC Controls, PC Policies, and PCRS integrations. The integrations now ingest additional data fields, including vulnerability detection
source, authentication privilege status, active status for controls and policies, and cloud metadata, giving you better visibility into your vulnerability and compliance data.
- Improved vulnerability assessment workflows
-
- CI filtering for vulnerability assessments: You can now filter which configuration items are included in a vulnerability assessment using a condition builder.
- Business Application population on AVITs: AVITs created from SBOM assessment results now include Business Application information, helping you understand application impact and prioritize remediation.
- Priority roll‑down from vulnerability assessments: Updates to the priority of a vulnerability assessment now automatically roll down to associated VITs and AVITs, ensuring consistent prioritization based on the highest
severity.
- Enhanced Compensatory controls
- When new vulnerable items are ingested and associated with a remediation task that already has an approved compensating control, the reduced risk rating is now automatically inherited by those new vulnerable items.
- Enhancements to the Wiz Vulnerability Response Integration
-
- The Universally Unique Identifier (UUID) that identifies detections for the Wiz Host Vulnerability integration will be mapped to a detection key.
Note: This enhancement is supported for new customers only. For existing customers, the detection key for the Wiz Host Vulnerability integration is created using the combination of vulnerability, asset_id, and proof.
- You can configure the First parameter for the Wiz Asset Integration to help you resolve 504 errors. You can reduce the page size if you're having memory issues or generating errors. The default value is 500.
- Enhancements to Detection Key Configurations for Vulnerability Response
- Introduced configurable detection keys that enable you to choose between Asset ID and Configuration Item, with validations, UI
controls, and enhanced an existing schedule job to update existing detections.
- Enhancements to the Vulnerability Response Integration with Wiz
-
The Missing Assets [sn_vul_wiz_missing_asset] is deprecated. After updating to version 1.1, you must backdate your existing primary Wiz integrations by three days and run them.
The backfill integrations are activated by default.
After you backdate and run your primary integrations, the following backfill integrations are no longer required:
- Host Vulnerability Backfill Integration
- Test Results Backfill Integration
- Host Test Results Backfill Integration
- Issues Backfill Integration
Resource types filters are supported on the Host Vulnerability, Host Test Results, Test Results, and Issues tabs on the Wiz Configuration page.
Additional attributes imported from Wiz that are not stored in the Discovered items [sn_sec_cmn_src_ci] table are stamped with Asset Attributes in this table.
Test results from the Host misconfiguration integration are classified as result type 'host_misconfiguration'.
Data for resources that have the validated_at_runtime flag set to 'yes' is imported and populated on detections.
The is_ignored column is deprecated on the Host Test Results and Test Results Integrations. This column was replaced by the is_result_ignored column.
The CMDB internet-facing field on the discovered item is mapped to Limited Internet Exposure on findings.
Column length for the descriptions in the Host Vulnerability import table has been increased.
- Improved remediation target date handling
- Remediation target (RT) dates now dynamically recalculate when a finding’s risk rating changes. Administrators can configure how recalculation occurs to verify RT dates remain accurate and align with the latest risk updates,
helping maintain consistent and reliable SLA tracking.
- Identify Wiz Resource Types for import
-
Identify the Resource Types (assets) that are reported by Wiz that you want to import with the Wiz Integration Resource Type configuration page in your ServiceNow AI Platform instance.
The Resource Types that you select apply to all the primary Wiz vulnerability and compliance integrations except the Wiz Container Vulnerability Integration. See the Wiz Vulnerability Response Integrations for more information about the vulnerability and compliance integrations.
- Wiz Backfill Integrations
-
Retrieve and process data stored on the Wiz Missing Assets [sn_vul_wiz_missing_asset] table for assets that were not processed by the primary Host Vulnerability Integration with a specialized Wiz Backfill Integration.
The Host Vulnerability Backfill Integration is activated by default.
Note: The Wiz Asset Integration and the Wiz Container Vulnerability Integration do not have backfill integrations. The Wiz Asset Integration can discover assets and create and update discovered item records on the Discovered item [sn_sec_cmn_src_ci] table. The Wiz Container Vulnerability Integration imports and processes discovered container image records.
- Import host vulnerability data with the Vulnerability Response Integration with Wiz
- Import host vulnerability findings related to virtual machines and serverless assets in your cloud environment with the Wiz Host Vulnerability Integration. These findings are mapped to Host Vulnerable Items (VITs) within the Vulnerability Response application to support remediation workflows.
- Modify the severity for a CVE or TPE
- Vulnerability managers and vulnerability analysts can now adjust the severity of common vulnerabilities and exposures (CVEs) and third-party entries (TPEs) from the list view in the vulnerability manager workspace. The risk
level of the associated vulnerabilities will be recalculated during the scheduled jobs based on the modified severity. You can also reset the severity to its original source value if required.
- Questionnaire Support in Exception Management via Smart Assessment
- Configure advanced questionnaires as part of the exception management process using Smart Assessment. This enhancement enables remediation owners to provide detailed context for exception requests and enables approvers to configure conditional questions to gather information for informed
decision making.
- Collaboration and streamlined approval: Facilitate collaboration between your vulnerability management and remediation teams by streamlining the approval process with clear and complete exception justifications.
- Mandatory questionnaires: Block the submission of exception requests until mandatory questionnaires are completed. If a questionnaire is marked as mandatory, the test results and its associated remediation tasks remain
in the 'Open' state until the questionnaire is completed and submitted.
- If the questionnaire is incomplete, the state change approval record is saved as 'Draft'. Only after completing the questionnaire can the user submit the exception request, which will then move the test results or
remediation tasks to the 'In Review' state.
- Lookup rules enhancements
- When you reapply Lookup rules, Discovered items (DIs) that have been inactive for more than 90 days are ignored. These Discovered items (DIs) are also excluded from licensing considerations. Removing them from the lookup
logic can improve performance and reduce processing time.
- Background job enhancements: New fields have been added to help you view successfully evaluate records, the time taken for processing, the time remaining, and an estimated number of records.
- Improved accuracy for non-CSDM
Vulnerability Response users: A system property (sn_sec_cmn.ci_lifecycle_status_source) has been introduced to help users who do not follow Common Service Data Model (CSDM) standards. This property verifies that Discovered items (DIs) and associated VITs are properly marked as Decommissioned and are excluded from the CI Lookup. Additionally, the Retired
Configuration Items PA indicator has been updated to accurately reflect CIs based on the decommissioning flags.
- The scheduled job to create reconcile unmatched discovered items feature is deprecated. You can "Reapply Look up Rules" for selected or filtered items in the discovered items table view.
- Tenable.cs integrations with the Vulnerability Response and Container Vulnerability Response application
- The Vulnerability Response Integration with Tenable application now supports data ingestion from Tenable.cs, enabling you to bring in cloud and container vulnerabilities directly into ServiceNow. This integration enhances your ability to prioritize and remediate vulnerabilities identified in Tenable cloud resources and container images. Key capabilities are:
- Importing vulnerabilities discovered by Tenable.cs in cloud hosts and container images into ServiceNow automatically.
- Enabling remediation workflows to triage, assign, and resolve the most critical vulnerabilities across cloud-native and containerized environments.
- Using the Setup Assistant to easily configure credentials and integration parameters—get started with minimal manual setup.
- Scheduling jobs to run periodically to import findings from Tenable.cs, create vulnerable items (for cloud hosts), create container vulnerable items and associate them with the relevant cloud resources and container image records.
- Assess vulnerability exposure by publisher
- Starting with v5.0 of Vulnerability Exposure Assessment, a publisher-based assessment is introduced that enables you to assess the vulnerability impact by vendor. For example, Microsoft, and Red Hat. By focusing on recently disclosed vulnerabilities from critical vendors, you can prioritize remediation and proactively address threats, improving your overall security posture.
- View risk score details of a vulnerable item in the Work notes section
- Starting with v25.0.3 of Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. If you enable it, only then you can see all the changes related to the risk score of a
vulnerable item in the Work notes section. Additionally, the work notes are updated only if there’s a change in the risk score.
- Quick Start Tests for Vulnerability Response
-
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Vulnerability Response works as expected. If you customized Vulnerability Response, copy the quick start tests and configure them for your customizations.
- Enhancements to exception rules handling
-
- Exception rules are reevaluated with nightly scheduled jobs.
- Vulnerable items that no longer match exception rule conditions are unlinked from remediation tasks.
- A deferred vulnerable item (VIT) is reopened if it doesn’t match any active exception rules.
- Exception rules don’t create remediation tasks. VITs are deferred directly and aren’t associated with a remediation task.
- Tenable's endpoint scanning integration
- Support for Tenable's endpoint scanning integration to retrieve scan metadata. The integration fetches scan details using the last_schedule_id from existing asset data in Tenable.io.
- Reopened Count field on vulnerable items
- Added the Reopened Count field on vulnerable items to track the number of times their states change from 'Closed' to 'Open' or to 'Active'.
- Out-of-the-box vendor advisories via Common Security Advisory Framework (CSAF) integration
- The following vendor advisories are configured by default and are automatically activated when the Solution Management plugin is enabled: Redhat and Suse.
|
Australia |
- Unified Microsoft Defender Integration for Security Exposure Management
- The Microsoft Defender for Cloud and Microsoft Defender Threat and Vulnerability Management (MS TVM) plugins are now consolidated into a single plugin: Microsoft Defender Integration for Security Exposure Management. This
consolidation deprecates the standalone Microsoft Defender for Cloud plugin. The unified plugin also introduces container image vulnerability ingestion from Microsoft Defender for Cloud, creating Container Vulnerable Items on
your instance. A guided migration path is available to transfer existing data from the deprecated applications to the unified plugin.
- AWS Integration for Security Exposure Management
- The AWS Integration for Security Exposure Management supports integrations with the following AWS services:
- AWS Inspector is an automated vulnerability management service that continuously scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities (CVEs) and
unintended network exposure. The Vulnerability Response integration with AWS Inspector imports host and container vulnerability findings from AWS Inspector.
- AWS Security Hub is a security service that is used to centralize and update security checks across AWS accounts. It provides a unified view of security alerts and compliance status by integrating with various AWS services. The Vulnerability Response integration with AWS Security Hub imports host, container vulnerabilities, and misconfigurations from AWS Security Hub.
- Optimized Tenable.io Compliance Results ingestion
- Starting with v 6.1.3, the Tenable.io Compliance Results Integration is replaced by the Tenable.io Fixed Compliance Results Integration and Tenable.io Open Compliance Results Integration. Compliance results are now imported
based on their status, optimizing ingestion performance and scalability for environments with large volumes of compliance data while keeping remediation and compliance tracking aligned with the current state of findings.
- Qualys Integration – API enhancements
- The Qualys Vulnerability Integration has been upgraded to support newer Qualys API versions across Host Detection, Host List, Knowledgebase, PC Controls, PC Policies, and PCRS integrations. The integrations now ingest additional data fields, including vulnerability detection
source, authentication privilege status, active status for controls and policies, and cloud metadata, giving you better visibility into your vulnerability and compliance data. Use the new
posture_api_version
integration instance parameter to choose between the default v2.0 APIs or the newer v5.0 streaming APIs for the PCRS Policy Host and PCRS Test Results integrations.
- Vulnerability Data Management with Central Vulnerability Database (CVDB)
- The Central Vulnerability Database (CVDB) introduces a unified, source-agnostic vulnerability data layer that consolidates data from multiple sources into a single authoritative record, improving accuracy, consistency, and
traceability. Key capabilities include:
- Unified vulnerability record: Correlates vulnerability data from multiple sources, supports sources including National Vulnerability Database (NVD), scanner intelligence, European Union Vulnerability Database, Japanese Vulnerability Database, and vulnerability intelligence feeds.
- Priority-based data reconciliation configuration:
- Field-level priority: Ensures each attribute (e.g., CVSS, remediation, exploit status) can be configured from the most reliable provider.
- Source-level priority: Applies a global ranking when field-level rules are not defined.
- Hybrid model: Field-level rules take precedence, with source-level fallback; all source data is preserved for full traceability.
- Source attribution and traceability: Maintains detailed source metadata, timestamps, and change history to ensure full auditability and transparency.
- Data enrichment: Combines CVSS scores, exploit intelligence, and remediation guidance to provide a richer and more actionable vulnerability context.
|