Domain separation and Container Vulnerability Response

  • Release version: Xanadu
  • Updated March 3, 2026
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain Separation and Container Vulnerability Response

    Domain separation in Container Vulnerability Response allows for the logical grouping of data, processes, and administrative tasks into distinct domains. This capability ensures that customer data remains secure and accessible only to authorized users within their respective domains. It enhances operational efficiency while maintaining data integrity across multiple clients within a single instance.

    Show full answer Show less

    Key Features

    • Standard Support: All aspects of Basic level support are included, with application properties being domain-aware.
    • Data Segregation: Vulnerable items ingested from third-party scanners remain within the same domain as the integration user, preventing cross-domain access.
    • Risk Scoring and Remediation: Risk scores and remediation rules are defined and executed based on the domain of the integration user.
    • Reporting: Dashboards and reports reflect the state of container vulnerabilities within their respective domains.
    • Deferral Workflows: Approval processes for deferrals are managed within the same domain, ensuring visibility and control.
    • Customizability: Analysts have the autonomy to create workflows, remediation rules, and manage application data specific to their domain.

    Key Outcomes

    By utilizing domain separation in Container Vulnerability Response, organizations can:

    • Standardize procedures across their customer base while reducing operational costs.
    • Enhance security by ensuring sensitive data is not exposed across domains.
    • Empower vulnerability analysts to manage their own application data and workflows effectively.
    • Facilitate comprehensive tracking and reporting of vulnerabilities and remediation efforts.

    Setting up domain separation requires no additional steps, as all tables are automatically configured with a Domain column once domain separation is enabled on the instance.

    Domain separation is supported in Container Vulnerability Response. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Standard

    • Includes all aspects of Basic level support.
    • Application properties are domain-aware as needed.
    • Business logic: The service provider (SP) creates or modifies processes per customer. The use cases reflect proper use of the application by multiple SP customers in a single instance.
    • The instance owner must configure the minimum viable product (MVP) business logic and data parameters per tenant as expected for the specific application.

    Sample use case: An admin must be able to make comments required when a record closes for one tenant, but not for another.

    For more information on support levels, see Application support for domain separation.

    How domain separation works in Container Vulnerability Response

    With domain separation you can standardize Container Vulnerability Response procedures, across the customer base you serve, with lowered operational costs and a higher quality of service.

    Separate customer work spaces for workflows, dashboards, reports, and so on, ensures that customer data is separated and never exposed to other clients.

    Table 1. Domain separation support in Container Vulnerability Response by version releases
    Release Support level Notes
    Orlando Standard
    Paris Standard
    Quebec Standard
    Rome Standard
    San Diego Standard
    Tokyo Standard
    Utah Standard
    Vancouver Standard
    Washingtondc Standard
    Xanadu Standard

    Domain separation for the Container Vulnerability Response application covers the following product functionality:

    • Ingests the container vulnerable items from third-party scanners (for example, the Palo Alto Prisma Cloud and Wiz products) in the correct domain. The data ingests in the same domain as that of the integration user, whose credentials are used for integration.
    • Re-scans specific assets from Container Vulnerability Response in the domain from which it was requested.
    • Uses the CMDB CI lookup process to ensure that the CI information from the scanners matches the CIs in CMDB of the integration user’s domain.
    • Calculates risk scores at the vulnerable item level as per the risk score calculator defined in the same domain as that of the integration user.
    • Remediation target rules are executed on container vulnerable items as per the remediation target rules defined in the same domain as that of the integration user.
    • Remediation task rule(s) can be defined, and stay in, the same domain as the domain of the integration user.
    • Remediation tasks created using the remediation task rules stay in the same domain as where the group rules are created.
    • Deferral workflow goes through the approval process in the same domain for which the deferral is requested.
    • Reports and dashboards display the container vulnerable item-states such as age of vulnerable item, open vulnerable items by CI, container vulnerabilities by impact, and remediation target date status in the domain to which it belongs.
    • Knowledge from third-party scanners can be ingested in the global domain and data can be shared across multiple clients.
    Note:
    In all the above cases the overarching principles of visibility in separated domains in the ServiceNow AI Platform apply.

    For more information on how to create and support domain-separated imports, see Create domain-separated imports for an integration and Create and support multiple domains in the background jobs framework.

    Use cases

    The Container Vulnerability Response application manages the life cycle of a container vulnerable item end to end. The following use cases are domain-separation aware:

    • Ingest container vulnerable items (vulnerabilities on assets) from your third-party integration.
      • Ingest data from multiple instances
      • De-duplicate the container vulnerable item
      • Match up with CMDB CI
    • Enrichment of container vulnerable item with risk scores and remediation target dates
      • Asset enrichment (CMDB)
      • Risk score and remediation target date enrichment
    • Group container vulnerable items and assign the remediation task
      • Automatically group the container vulnerable items
      • Automatically assign the remediation task
    • Remediate
      • Remediation tasks
      • Comprehensive remediation life cycle
      • Deferral workflow
    • Measure the security posture of the organization and vulnerability management program
      • Vulnerability trend, most vulnerable asset, vulnerability by age
      • Remediation status by the remediation target date

    Setup

    Setting up domain separation for Container Vulnerability Response does not require any additional steps. All Container Vulnerability Response tables acquire the Domain column after the instance is domain separated. You can direct container vulnerability integration import data to specific domains. See Create domain-separated imports for an integration for more information.

    Domain-separated data

    Data can be domain separated, which means:
    • A container vulnerable item ingested from third-party scanners stays in the same domain as the domain of the integration user, and is not accessible from any other domain.
    • Container vulnerabilities, container vulnerable items (instances) or assets in one domain cannot be viewed from other domains.
    • The risk scoring algorithm, the remediation task rules and the remediation target rules cannot be viewed by anyone outside the domain.
    • Container vulnerability information from third-party scanners can exist in the global domain and be shared with all customers.
    • Remediation tasks in one domain cannot be viewed from another domain.
    • Deferral workflows created in one domain are not visible in another domain.
    • All email notifications are contained within the domain they belong to.
    Note:
    The scheduled import templates available on the instance are by default set to "Domain: global". So, to avoid any conflicts when there are multiple domains on instances, adapt the following practice:
    • Distribute the import templates available on the instance across the number of domains involved in the integration.
    • Update the import template record's domain to the sys_id of the target domain.
    • If necessary, create import templates for each domain.
    • Ensure each domain has 2 import templates.

    How vulnerability analysts manage their own application data

    • Analysts create their own application installation, multi-source application management, and CI lookup rules.
    • Analysts can configure specific integrations exclusively for use within the domain.
    • Analysts can create their own deferral and change management workflows.
    • Analysts can create their own remediation task rules, risk-scoring logic to accurately prioritize vulnerabilities, auto-assign remediation tasks and assign to the correct assignment group.
    • Domain users create a manual container vulnerability item and then close the item.

    Business logic and processes that can be domain-separated by instance owner

    • Container Vulnerability Response users and groups
    • Container Vulnerability Response integrations
    • Complete setup configuration (user and group management, application installation, multi-source application management, CI lookup rules, remediation task rules, risk calculators, remediation target rules etc.)
    • Complete remediation life cycle including deferral
    • Scheduled jobs