Split Tenable detections based on the vulnerability instance to split vulnerable items

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 7 minutes
  • ServiceNow® Vulnerability Response can split detections from Tenable scanners, creating a unique vulnerable item (VIT) for each detected vulnerability instance. This split lets you assign VITs to different remediation teams, improving the management and tracking of vulnerabilities.

    Before you begin

    Role required: admin

    About this task

    The Tenable scanner's payload contains detection data, and each path within the proof is used to split the detections. The output tag in the payload identifies the vulnerability's location, so vulnerabilities can be identified and managed according to their specific paths.

    After a plugin is added to the [sn_vul_proof_key_vulnerability] table, run the integration to split existing VITs. To verify, inspect the VITs for distinct detection paths.

    Scenario 1: Detection exists before plugin is added
    • Before Adding Plugin: Detection A with 4 file paths → VIT1
    • After Adding Plugin & Ingestion Run: The existing VIT is updated with new proof, and three additional VITs are created.
    • Closure Behavior: If a path is no longer seen in Tenable data, ServiceNow closes the corresponding detection and its VIT using a hash-based comparison of the file path.
    Scenario 2: Detection ingested after plugin is added
    Detections are split during ingestion.
    Note:
    Splitting occurs automatically during the ingestion run after plugin configuration.

    Procedure

    1. In the Third-party Integrations table [sn_sec_int_integration], set the Include proof in VI key column value to true for Tenable.io, Tenable.sc, and Tenable.cs.
    2. Navigate to All > Vulnerability Response > Administration > Configure VI granularity.
    3. For Tenable.cs product, navigate to Detection Key Configuration [sn_vul_detection_key_config] table, select Tenable.cs record and update,
    4. Optional: On the Include port form, select the Include port check box and select the click here link (applies only to Tenable.io and Tenable.sc).
    5. On the Add proof to VI keys list, select New.
    6. On the Add proof to the VI key- New record form, in the Vulnerability field, add the Tenable ID for which you want to include the proof.
      Note:
      You can split the detections based solely on path information or by combining path and version details. For additional details, refer to the section 'Splitting detections from Tenable scanners' on this page.
    7. In the Regular Expression to Split Tenable VITs field:
      • Split the detection based on only the path by entering Path\s+:\s+([^\n]+).
      • Split the detection based on path and installed and fixed versions by entering Path\s+:\s+([^\n]+)\n\s+Installed\s+version\s+:\s+([^\n]+)\n\s+Fixed\s+version\s+:\s+([^\n]+).
    8. Select Submit.

    Splitting detections from Tenable scanners

    The following detection from a Tenable scanner shows proof in the output tag that includes both path and version information.

    {
      "results": {
        "asset": {
          "agent_uuid": "92124caabdb9459baa9d053186df48b9",
          "bios_uuid": "ec2cbbfd-dc9e-efbf-acdd-485daZe8c7df",
          "device_type": "aws-ec2-instance",
          "fqdn": "ip-ac0a0004.secops.com",
          "hostname": "ip-ac0a0004",
          "uuid": "486acb3b-674f-477a-bc37-660a7bba37b3",
          "ipv4": "18.220.145.158",
          "last_authenticated_results": "2024-05-17T03:34:04.424Z",
          "mac_address": "0a:3e:8b:ed:63:e6",
          "netbios_name": "IP-AC0A0094",
          "operating_system": [
            "Microsoft Windows Server 2019 Datacenter Build 17763"
          ],
          "network_id": "00000000-0000-0000-0000-000000000008",
          "tracked": true
        },
        "output": "\n  Path : C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath_target_1190440625\\\n  Installed version : 1.8.0_361.9\n  Fixed version : Upgrade to version 8.0.401 or greater\n  Path : C:\\Program Files\\Java\\jre1.8.0_361\\\n  Installed version : 1.8.0_361.9\n  Fixed version : Upgrade to version 8.0.401 or greater\n  Path : C:\\Program Files\\Java\\jdk1.8.0_351\\\n  Installed version : 1.8.0_351.10\n  Fixed version : Upgrade to version 8.0.401 or greater\n",
        "plugin": {
          "bid": 123456,
          "checks_for_default_account": false,
          "checks_for_malware": false,
          "cpe": "cpe:/a:notepad-plus-plus:notepad%5c%2b15ck2b",
          "cvss3_base_score": 7.8,
          "cvss3_temporal_score": 7.0,
          "cvss3_temporal_vector": {
            "exploitability": "Proof-of-Concept",
            "remediation_level": "Official Fix",
            "report_confidence": "Confirmed",
            "raw": "E:P/RL:O/RC:C"
          }
        }
      }
    }
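
    The splitting and closure behaviour described on this page, as an added example (not ServiceNow's code): it applies the two regular expressions from step 7 to constructed proof text and compares scans by a hash of the captured fields. The names splitProof, instanceKey and diffScans are hypothetical, and the SHA-256 keying is an assumption, since the page does not document the product's hash input.

```javascript
const { createHash } = require("crypto");

// The two patterns from step 7; the g flag returns every instance in a proof.
const PATH_ONLY = /Path\s+:\s+([^\n]+)/g;
const PATH_AND_VERSIONS =
  /Path\s+:\s+([^\n]+)\n\s+Installed\s+version\s+:\s+([^\n]+)\n\s+Fixed\s+version\s+:\s+([^\n]+)/g;

// Constructed proof text, modelled on the "output" field of the sample detection.
function proof(entries) {
  return "\n" + entries.map(([path, installed]) =>
    `  Path : ${path}\n  Installed version : ${installed}\n` +
    "  Fixed version : Upgrade to version 8.0.401 or greater\n").join("");
}
const JRE = "C:\\Program Files\\Java\\jre1.8.0_361\\";
const JDK = "C:\\Program Files\\Java\\jdk1.8.0_351\\";
const SCAN_1 = proof([[JRE, "1.8.0_361.9"], [JDK, "1.8.0_351.10"]]);
const SCAN_2 = proof([[JRE, "1.8.0_361.9"]]);   // JDK path no longer reported
const SCAN_3 = proof([[JRE, "1.8.0_371.11"]]);  // same path, constructed newer version

// Assumed key: SHA-256 over the trimmed capture groups (hypothetical derivation).
function instanceKey(groups) {
  return createHash("sha256").update(groups.join("\u0000")).digest("hex");
}

// One map entry per vulnerability instance: key -> captured fields.
function splitProof(output, pattern) {
  const instances = new Map();
  for (const match of output.matchAll(pattern)) {
    const groups = match.slice(1).map((g) => g.trim());
    instances.set(instanceKey(groups), groups);
  }
  return instances;
}

// Keys missing from the newer scan mark instances to close; new keys mark new items.
function diffScans(previous, current) {
  const only = (a, b) => [...a].filter(([k]) => !b.has(k)).map(([, g]) => g[0]);
  return { closed: only(previous, current), opened: only(current, previous) };
}
```

    Under this assumed keying, the path-only pattern keeps the same key when the installed version changes, while the path-and-version pattern produces a new key for the same path.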