View Vulnerability Response vulnerable item detection data

Release version: Yokohama

Updated January 30, 2025

4 minutes to read

The complete data gathered by your third-party scanner integrations with Vulnerability Response are displayed on the Detections and Initial Detections tabs on the vulnerable item records (VIT). It is also displayed on Detection records on the Vulnerable Item Detection list in your ServiceNow AI Platform® instance.

Before you begin

Third-party Integrations retrieve vulnerable item detection data. Detections are distinct occurrences of vulnerabilities as reported by the scanners. Detection data are paired with vulnerable items and VI state is updated based on the state of the detections. If a VI is not found, a new one is created. Detections are only opened or closed by data found directly by a scanner.

Role required:

sn_vuln.admin initiates integration runs and views vulnerable item detection data.
sn_vul.remediation_owner is assigned vulnerable items created from vulnerable item detections and views data on VI records.

Procedure

To view the vulnerable item detection data, navigate to a vulnerable item record and open it.

The record is displayed with the Initial Detections and Detections tabs.
Note:
Data previously displayed on the Configuration Details tab is displayed along with other detection data on the Initial Detection and Detections tabs.
Click the Detections tab.
When a vulnerable item is created from the results of a third-party scan, the data from the scan are displayed on the detection record, as shown in the following figure.
Each row in the Vulnerable Item Detections section represents data from a distinct detection. In the First found column, the date the vulnerable item is first detected by the scanner is displayed. In the Last found column, the date of the most current detection is displayed. The Source field displays the scanner that retrieved the data.
Note:
For Qualys, with vulnerable item detections, the following fields are deprecated on the VI record and are no longer populated:

Qualys severity

Last updated by source

Also for Qualys, as shown in the preceding figure, when a VI is created from a scan, the value from the scan for Results is displayed in the Proof column on the detection record. However, this value is not displayed on the upper portion of the VI record.

For Rapid7, when a VI is created from a scan, the value for Proof from the scan can be displayed in both the Proof column on the detection record and on the upper portion of the VI record, but not by default. To display this value on the upper portion of the VI record, select the Proof field from the form layout.
Optional: To configure the layout of the Detections tab on the record, follow these steps.
1. The following columns are displayed on the Detections tab by default.
  - Status
  - First found (data)
  - Last found (date)
  - DNS name
  - Net BIOSname
  - IP address
  - Times found
  - Port
  - Protocol
  - Proof
  - SSL
  Note:
  Note: if there is no value in a column, data for that field was not detected by the scanner.
2. Click the gear icon () to personalize your view.
3. Select the columns from the slushbucket to display specific data and click OK.
With the Detections tab selected, in the Status column, click an item to open the detection record and view the details associated with that vulnerable item, including a Solution summary (Rapid7 InsightVM integration only).

Figure 1. Qualys detection record

Figure 2. Rapid7 detection record
Return to the record and select the Initial Detection tab.

The Initial Detections tab displays the data imported from the third-party scanner on the first occurrence of the detection. This information on the initial detection tab does not change as detection data are updated.
Optional: Navigate to Vulnerable Item Detections to view the Vulnerable Item Detection List.
The Vulnerable Item Detection list is displayed. Each row on the Vulnerable Items Detections list represents a distinct detection. The columns display the same data as the VI record.

Detections are only opened or closed by data that is found by a scanner, they do not roll down from VIs. As Detections are imported, they are used to create VIs and update the states of VIs. If all detections are closed for a vulnerable item, that vulnerable item will be closed. On the VI record, the state is closed, and the substate is fixed.
Note:
Errors are logged while:
- Processing attachments retrieved from the scanner.
- Creating or updating detections or vulnerable items.
For information on handling detection errors, see Error handling for detections.
When all VIs are closed for a remediation task, the remediation task is closed.

Closed VIs with a substate of fixed or stale are reopened if a new detection is created and the VIs can be matched with the new vulnerability.

Vulnerable items set to Resolved in your instance but not transitioned to Closed/Fixed by the subsequent integration runs are reopened if they are detected during rescans.

When all VIs are closed for a remediation task, the record is closed.

Vulnerable items set to 'Resolved' in your instance but not transitioned to 'Closed/Fixed' by the subsequent integration runs are reopened if they are detected during rescans.

For Rapid7 detections, an option is now available on the Rapid7 configuration page in your instance to reopen resolved VIs by age. If enabled, VIs set to Resolved but then not transitioned to Closed/Fixed by subsequent scans transition back to Open after the number of days you enter.

For Qualys detections, if the scanner continues to find VIs that were set to 'Resolved' but then not transitioned to Closed/Fixed by subsequent scans, these VIs move back to Open when the last found date is later than the Resolved date.

What to do next

To view more data, including item and detection counts, you can Verify Vulnerability Response vulnerable item detection data on integration run (VINTRUN) records.