Yokohama |
- Identify Wiz Resource Types for import
- On the Wiz Integration Resource Type configuration page in your ServiceNow AI Platform instance, identify the Resource Types (assets) reported by Wiz in your environment that you want to import.
The Resource Types that you select apply to all the primary Wiz vulnerability and compliance integrations except the Wiz Container Vulnerability Integration.
- Wiz Backfill Integrations
- Use the specialized Wiz Backfill Integrations to retrieve and process data stored on the Wiz Missing Assets [sn_vul_wiz_missing_asset] table for missing assets that were not processed by the primary compliance integrations:
- Test Results Backfill Integration
- Host Test Results Backfill Integration
- Issues Backfill Integration
The Wiz Backfill Integrations are activated by default.
- Wiz Host Test Result Vulnerability Integration
- Import test results associated with the VIRTUAL MACHINE resource type with the Wiz Host Test Result Vulnerability Integration. This integration is activated by default.
- Create remediation tasks manually in the Vulnerability Manager Workspace
- With the sn_vulc.admin role, you can create remediation tasks manually by selecting some or all the records in the Configuration Test Results lists in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating remediation tasks.
- Create remediation tasks manually in the IT Remediation Workspace
- With the sn_vulc.remediation_owner role, you can create remediation tasks manually by selecting desired records in the Configuration Test Results lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating remediation tasks.
- View risk score details of a test result in the Work notes section
- Starting with v15.2.1 of Configuration Compliance, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. Only if you enable it can you see all the changes related to the risk score of a test result in the Work notes section. Additionally, the work notes are updated only if there’s a change in the risk score.
- Quick Start Tests for Configuration Compliance
- After upgrades and deployments of new applications or integrations, run quick start tests to verify that Configuration Compliance works as expected. If you customized Configuration Compliance, copy the quick start tests and configure them for your customizations.
|
Zurich |
- Remediation task rule execution mode
- You can now choose how remediation task rules are evaluated during ingestion. The new Match First execution mode evaluates rules sequentially and applies only the first matching rule, assigning each finding to exactly one remediation task. The default Match All mode continues to evaluate all applicable rules.
- Optimized Tenable.io Compliance Results ingestion
- Starting with v6.1.3, the Tenable.io Compliance Results Integration is replaced by the Tenable.io Fixed Compliance Results Integration and Tenable.io Open Compliance Results Integration. Compliance results are now imported based on their status, optimizing ingestion performance and scalability for environments with large volumes of compliance data while keeping remediation and compliance tracking aligned with the current state of findings.
- Qualys Integration – API enhancements
- Qualys Integration has been upgraded to support newer Qualys API versions across Host Detection, Host List, Knowledgebase, PC Controls, PC Policies, and PCRS integrations. The integrations now ingest additional data fields, including vulnerability detection source, authentication privilege status, active status for controls and policies, and cloud metadata, giving you better visibility into your vulnerability and compliance data. Use the new posture_api_version integration instance parameter to choose between the default v2.0 APIs or the newer v5.0 streaming APIs for the PCRS Policy Host and PCRS Test Results integrations.
- Unified Microsoft Defender Integration for Security Exposure Management
- The Microsoft Defender for Cloud and Microsoft Defender Threat and Vulnerability Management (MS TVM) plugins are now consolidated into a single plugin: Microsoft Defender Integration for Security Exposure Management. This consolidation deprecates the standalone Microsoft Defender for Cloud plugin. The unified plugin also introduces container image vulnerability ingestion from Microsoft Defender for Cloud, creating Container Vulnerable Items on your instance. A guided migration path is available to transfer existing data from the deprecated applications to the unified plugin.
- Enhancements to the Vulnerability Response Integration with Wiz
- The Missing Assets [sn_vul_wiz_missing_asset] table is deprecated. After updating to version 1.1, you must backdate your existing primary Wiz integrations by three days and run them.
The backfill integrations are activated by default.
After you backdate and run your integrations, the following backfill integrations are no longer required:
- Host Vulnerability Backfill Integration
- Test Results Backfill Integration
- Host Test Results Backfill Integration
- Issues Backfill Integration
The [is_ignored] column is deprecated for the Host Test Results and Test Results Integrations. This column was replaced by the [is_result_ignored] column.
Source severity is mapped to the Priority column on the Test Results [sn_vulc_result] table.
Resource type filters are on the Test Results, Issues, and Host Test Results configuration tabs on the Wiz Configuration page. You can add any of the resource types listed.
Note: If you configure resource types on the Resource Type Configuration tab, and you choose to configure parameters on the integration instance records, your configurations on integration instance take precedence over your settings on the Resource Type Configuration tab. See Identify Wiz Resource types for more information.
Additional attributes imported from Wiz that are not stored in the Discovered items [sn_sec_cmn_src_ci] table are stamped with Asset Attributes in this table.
Test results from the Host misconfiguration integration are classified as result type 'host_misconfiguration'.
Data for resources that have the validated_at_runtime flag set to 'yes' is imported and populated on detections.
The CMDB internet-facing field on the discovered item is mapped to Limited Internet Exposure on findings.
Column length for the descriptions in the Host Vulnerability import table has been increased.
- Qualys parameter to ignore passed test results
- Starting with v15.2.5 of Configuration Compliance, the ignore_passed_result integration instance parameter for the Qualys Integration for Security Operations has been added. This parameter is set to false by default so that passed test results imported by Qualys are not ignored. Set the parameter to true to ignore passed test results on import.
Note: If activated, this parameter does not impact closure of the test results. For example, if you activate the parameter, and a failed test result from a previous import has since passed, it will be closed correctly.
- Identify Wiz Resource Types for import
- On the Wiz Integration Resource Type configuration page in your ServiceNow AI Platform instance, identify the Resource Types (assets) reported by Wiz in your environment that you want to import.
The Resource Types that you select apply to all the primary Wiz vulnerability and compliance integrations except the Wiz Container Vulnerability Integration.
- Wiz Backfill Integrations
- Use the specialized Wiz Backfill Integrations to retrieve and process data stored on the Wiz Missing Assets [sn_vul_wiz_missing_asset] table for missing assets that were not processed by the primary compliance integrations:
- Test Results Backfill Integration
- Host Test Results Backfill Integration
- Issues Backfill Integration
The Wiz Backfill Integrations are activated by default.
- Wiz Host Test Result Vulnerability Integration
- Import test results associated with the VIRTUAL MACHINE resource type with the Wiz Host Test Result Vulnerability Integration. This integration is activated by default.
- The Wiz Configuration Compliance (Test Results) and Issues Integrations
-
- Import configuration test results with the Wiz Configuration Compliance Integration (Wiz Test Results) to detect non-compliant cloud configurations. Findings are mapped to cloud test results (CTRs) in the Configuration Compliance application to help you enforce security policies and standards across your cloud environment.
- Import data with the Wiz Issues Integration that can help you identify assets that are involved in toxic combinations of vulnerabilities and misconfigurations. These findings are also mapped to CTRs with Wiz Issues labeled as the source to help you track and remediate assets that may pose complex multi-vector risks.
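The Match First and Match All execution modes described in the remediation task rule entry of this release can be compared before switching modes. The following is an added example, not ServiceNow code: it models each rule as producing one remediation task, and the rule names, finding fields, and sample findings are hypothetical.

```python
from collections import defaultdict

# Ordered rules (hypothetical): order only matters in Match First mode.
RULES = [
    ("critical-any", lambda f: f["severity"] == "critical"),
    ("prod-linux", lambda f: f["env"] == "prod" and f["os"] == "linux"),
    ("all-linux", lambda f: f["os"] == "linux"),
    ("prod-critical", lambda f: f["env"] == "prod" and f["severity"] == "critical"),
]

# Constructed sample findings.
FINDINGS = [
    {"id": "F1", "severity": "critical", "env": "prod", "os": "linux"},
    {"id": "F2", "severity": "high", "env": "prod", "os": "linux"},
    {"id": "F3", "severity": "low", "env": "dev", "os": "linux"},
    {"id": "F4", "severity": "medium", "env": "dev", "os": "windows"},
]

def assign(findings, rules, mode):
    """Return ({rule name: [finding ids]}, [unmatched finding ids])."""
    tasks, unmatched = defaultdict(list), []
    for finding in findings:
        hits = [name for name, matches in rules if matches(finding)]
        if mode == "match_first":
            hits = hits[:1]  # only the first matching rule applies
        for name in hits:
            tasks[name].append(finding["id"])
        if not hits:
            unmatched.append(finding["id"])  # no rule matched in either mode
    return dict(tasks), unmatched

def mode_switch_report(findings, rules):
    """Summarize what changes when moving from Match All to Match First."""
    all_tasks, _ = assign(findings, rules, "match_all")
    first_tasks, unmatched = assign(findings, rules, "match_first")
    task_count = defaultdict(int)
    for ids in all_tasks.values():
        for fid in ids:
            task_count[fid] += 1
    return {
        # Findings that sit in several tasks today and will sit in one.
        "multi_task_under_match_all": sorted(f for f, n in task_count.items() if n > 1),
        # Rules that match findings but never fire once an earlier rule wins.
        "shadowed_under_match_first": [n for n, _ in rules
                                       if n in all_tasks and n not in first_tasks],
        "unmatched": unmatched,
    }
```

A rule reported as shadowed is a signal to reorder the rules or tighten an earlier, broader condition before enabling Match First.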
|
Australia |
- Compliance test uniqueness key
- You can now configure which identifier the system uses to uniquely match incoming Tenable compliance test records. Previously, compliance tests were identified by the check_id field, which caused records to be overwritten when multiple tests shared the same control identifier. You can now select the identifier that best matches how your Tenable data is structured (compliance_control_id, check_id, or compliance_functional_id), ensuring test records are accurately preserved during ingestion.
- Qualys parameter to ignore passed test results
- Starting with v15.2.5 of Configuration Compliance, the ignore_passed_result integration instance parameter for the Qualys Integration for Security Operations has been added. This parameter is set to false by default so that passed test results imported by Qualys are not ignored. Set the parameter to true to ignore passed test results on import.
Note: If activated, this parameter does not impact closure of the test results. For example, if you activate the parameter, and a failed test result from a previous import has since passed, it will be closed correctly.
- AWS Integration for Security Exposure Management
- The AWS Integration for Security Exposure Management supports integrations with the following AWS services:
- AWS Inspector is an automated vulnerability management service that continuously scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure. The Vulnerability Response integration with AWS Inspector imports host and container vulnerability findings from AWS Inspector.
- AWS Security Hub is a security service that is used to centralize and update security checks across AWS accounts. It provides a unified view of security alerts and compliance status by integrating with various AWS services. The Vulnerability Response integration with AWS Security Hub imports host, container vulnerabilities, and misconfigurations from AWS Security Hub.
- Optimized Tenable.io Compliance Results ingestion
- Starting with v6.1.3, the Tenable.io Compliance Results Integration is replaced by the Tenable.io Fixed Compliance Results Integration and Tenable.io Open Compliance Results Integration. Compliance results are now imported based on their status, optimizing ingestion performance and scalability for environments with large volumes of compliance data while keeping remediation and compliance tracking aligned with the current state of findings.
- Qualys Integration – API enhancements
- The Qualys Vulnerability Integration has been upgraded to support newer Qualys API versions across Host Detection, Host List, Knowledgebase, PC Controls, PC Policies, and PCRS integrations. The integrations now ingest additional data fields, including vulnerability detection source, authentication privilege status, active status for controls and policies, and cloud metadata, giving you better visibility into your vulnerability and compliance data. Use the new posture_api_version integration instance parameter to choose between the default v2.0 APIs or the newer v5.0 streaming APIs for the PCRS Policy Host and PCRS Test Results integrations.
- Unified Microsoft Defender Integration for Security Exposure Management
- The Microsoft Defender for Cloud and Microsoft Defender Threat and Vulnerability Management (MS TVM) plugins are now consolidated into a single plugin: Microsoft Defender Integration for Security Exposure Management. This consolidation deprecates the standalone Microsoft Defender for Cloud plugin. The unified plugin also introduces container image vulnerability ingestion from Microsoft Defender for Cloud, creating Container Vulnerable Items on your instance. A guided migration path is available to transfer existing data from the deprecated applications to the unified plugin.
- Remediation task rule execution mode
- You can now choose how remediation task rules are evaluated during ingestion. The new Match First execution mode evaluates rules sequentially and applies only the first matching rule, assigning each finding to exactly one remediation task. The default Match All mode continues to evaluate all applicable rules.
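For the compliance test uniqueness key entry in this release, one way to choose among compliance_control_id, check_id, and compliance_functional_id is to audit an export of your compliance tests for collisions on each field. This is an added example, not ServiceNow or Tenable code; the records and their values are constructed, and ingestion is modelled as a simple last-write-wins upsert.

```python
from collections import defaultdict

# The three identifiers named in the release note.
CANDIDATE_KEYS = ("compliance_control_id", "check_id", "compliance_functional_id")

# Constructed sample export; all values are made up for this example.
TESTS = [
    {"compliance_control_id": "c-01", "check_id": "chk-100",
     "compliance_functional_id": "fn-a", "name": "SSH root login disabled"},
    {"compliance_control_id": "c-01", "check_id": "chk-100",
     "compliance_functional_id": "fn-b", "name": "SSH root login disabled (second benchmark)"},
    {"compliance_control_id": "c-02", "check_id": "chk-200",
     "compliance_functional_id": "fn-c", "name": "Password maximum age"},
    {"compliance_control_id": "c-02", "check_id": "chk-201",
     "compliance_functional_id": "fn-d", "name": "Password minimum length"},
]

def upsert(records, key):
    """Model of ingestion matched on one field: a later record replaces an earlier one."""
    store = {}
    for rec in records:
        store[rec[key]] = rec
    return store

def audit_key(records, key):
    """Report which records collide on `key` and which lack a value for it."""
    groups, missing = defaultdict(list), []
    for rec in records:
        value = rec.get(key)
        (groups[value] if value else missing).append(rec["name"])
    collisions = {v: names for v, names in groups.items() if len(names) > 1}
    lost = sum(len(names) - 1 for names in collisions.values())
    return {"collisions": collisions, "records_lost": lost, "missing_key": missing}

def usable_keys(records):
    """Keys that preserve every record: no collisions and no empty values."""
    usable = []
    for key in CANDIDATE_KEYS:
        result = audit_key(records, key)
        if result["records_lost"] == 0 and not result["missing_key"]:
            usable.append(key)
    return usable
```

Run the audit against an export of your own compliance tests; which field is collision-free depends on how your Tenable data is structured.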
|