Understanding the Exploit Prediction Scoring System (EPSS) integration

  • Release version: Yokohama
  • Updated January 30, 2025

    Overview of the EPSS integration with Vulnerability Response.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Overview

The Exploit Prediction Scoring System (EPSS) integration imports EPSS data for common vulnerabilities and exposures (CVEs) from First.org to help you prioritize and remediate vulnerabilities. For more information, see https://www.first.org. EPSS is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

Data imported by the EPSS integration further enriches the NVD data in your instance. If no NVD record exists for a CVE, the integration creates a placeholder record in the CVE table and adds the EPSS details to that same record. Run this integration as part of your initial setup of Vulnerability Response and before importing vulnerability data into your instance from a third-party scanner product.

    Important:
    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Initial import of data with the EPSS integration

    1. Perform an initial import of EPSS data with the First.org EPSS Integration. For more information, see Configure and run a scheduled job to update CVE records with EPSS data.
      Important:
By default, EPSS updates run Daily from the integration record. If you want the updates to run as a scheduled job instead, you must configure that job.
    2. Third-party libraries are updated as scheduled jobs. For more information, see Importing data with the NVD and CWE integrations and managing third-party libraries.
      Important:
Run the NIST National Vulnerability Database Integration - API (CVE only) integration before the EPSS integration, so that EPSS enriches existing NVD records rather than creating placeholders.
Perform the EPSS imports before importing vulnerability data with a third-party product. Refer to your integration documentation at Vulnerability Response integrations for more information about third-party integrations.
Important:
The EPSS integration is included in the base system and is active by default.

    After the initial run, base system scheduled jobs run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

When the EPSS integration is activated, the EPSS Score, EPSS Percentile, and EPSS Last Modified fields are added to the Vulnerability Entries table. For existing CVEs, these fields are populated automatically when the initial import job completes successfully. CVEs that the EPSS scheduled job adds to the Vulnerability Entries table (because no NVD record existed for them) show EPSS as their source. Scores are rolled up from the CVE records in the NVD table to existing TPEs using the base system Rollup EPSS score from NVD to TPEs calculator, which you can also modify. For more information, see Vulnerability Response Rollup Calculators.
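The enrich-or-create-placeholder behaviour described in the Overview and the CVE-to-TPE rollup described above, as an added Python illustration. This is not ServiceNow code: the in-memory CVE table, its "source" field, the TPE membership lists and the rollup rule (maximum score across member CVEs, skipping CVEs with no EPSS data) are assumptions made for the example, and the sample CSV is constructed to follow the layout of the FIRST EPSS download (one "#"-prefixed metadata line, then cve,epss,percentile rows).

```python
"""Added illustration of EPSS enrichment and rollup. Not ServiceNow code;
the table shape, field names and rollup rule are assumptions."""
import csv
import io

# Constructed sample in the layout of FIRST's epss_scores-YYYY-MM-DD.csv
# download: a '#' metadata line, then a cve,epss,percentile header and rows.
SAMPLE_EPSS_CSV = """#model_version:v2023.03.01,score_date:2025-01-30T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.97565,0.99998
CVE-2023-0001,0.00043,0.08210
CVE-2024-1234,0.12300,0.95400
"""

# Constructed stand-in for the Vulnerability Entries table, keyed by CVE id.
# 'source' records which integration created the row. CVE-2020-9999 has an
# NVD record but no EPSS row; CVE-2024-1234 has an EPSS row but no NVD record.
SAMPLE_CVE_TABLE = {
    "CVE-2021-44228": {"source": "NVD", "cvss_base": 10.0},
    "CVE-2023-0001": {"source": "NVD", "cvss_base": 7.5},
    "CVE-2020-9999": {"source": "NVD", "cvss_base": 9.8},
}


def parse_epss_csv(text):
    """Return ({cve: (score, percentile)}, score_date).

    Rejects a file without the metadata line and any score or percentile
    outside [0, 1], so a truncated or corrupted download is not imported.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#"):
        raise ValueError("missing EPSS metadata line")
    meta = dict(item.split(":", 1) for item in lines[0][1:].split(","))
    scores = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines[1:]))):
        score, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= score <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"out-of-range EPSS value for {row['cve']}")
        scores[row["cve"]] = (score, pct)
    return scores, meta.get("score_date")


def enrich_cve_table(cve_table, scores, score_date):
    """Write the three EPSS fields onto each matching CVE record.

    A CVE with no existing record gets a placeholder whose source is EPSS,
    mirroring what the page says happens when NVD data is absent.
    Returns the number of placeholders created.
    """
    created = 0
    for cve, (score, pct) in scores.items():
        row = cve_table.get(cve)
        if row is None:
            row = {"source": "EPSS", "cvss_base": None}
            cve_table[cve] = row
            created += 1
        row["epss_score"] = score
        row["epss_percentile"] = pct
        row["epss_last_modified"] = score_date
    return created


def rollup_epss(cve_table, tpe_members):
    """Roll CVE scores up to each TPE (assumed rule: maximum member score).

    Members with no EPSS data are skipped rather than counted as 0.0, and a
    TPE with no scored members yields None so it is not silently ranked last.
    """
    result = {}
    for tpe, cves in tpe_members.items():
        vals = [cve_table[c]["epss_score"] for c in cves
                if c in cve_table and "epss_score" in cve_table[c]]
        result[tpe] = max(vals) if vals else None
    return result


def run_demo():
    """Run the import, enrichment and rollup on the constructed samples."""
    table = {k: dict(v) for k, v in SAMPLE_CVE_TABLE.items()}
    scores, score_date = parse_epss_csv(SAMPLE_EPSS_CSV)
    created = enrich_cve_table(table, scores, score_date)
    tpes = {  # assumed TPE membership for the example
        "TPE-log4j": ["CVE-2021-44228", "CVE-2020-9999"],
        "TPE-misc": ["CVE-2023-0001", "CVE-2024-1234"],
        "TPE-no-data": ["CVE-2020-9999"],
    }
    return table, created, rollup_epss(table, tpes)


if __name__ == "__main__":
    table, created, rollup = run_demo()
    print(f"placeholders created: {created}")
    for tpe, score in rollup.items():
        print(tpe, score)
```

Running the block creates one placeholder (CVE-2024-1234, source EPSS), leaves CVE-2020-9999 without EPSS fields because FIRST has not scored it in the sample, and reports the TPE that contains only that CVE as None. Keeping "no data" distinct from a score of 0 is the check worth carrying into any custom rollup calculator: a CVE that EPSS has not scored should be reviewed on its other evidence, not treated as having a 0% chance of exploitation.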