Consolidated page of all release notes for Configuration Compliance from Yokohama to Zurich.
How to use this page
To help you prepare for your upgrade, we have combined the cross-family Configuration Compliance release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Yokohama to Zurich.
Tip: If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."
Important information for upgrading Configuration Compliance to Zurich
Before you upgrade to Zurich, review these pre- and post-upgrade tasks and complete the tasks as needed.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
If you are currently using Configuration Compliance, and you do not intend to upgrade to Unified Security Exposure Management (USEM), install a version below v30.x of Configuration Compliance and for upgrades to supported third-party integration applications.
The Missing Assets [sn_vul_wiz_missing_asset] table used for storing assets imported by the backfill integrations for the Vulnerability Response Integration with Wiz is deprecated. If you are currently using the Vulnerability Response with Wiz integrations, after updating to version 1.1, you must backdate any of your existing Wiz primary integrations by three days and run them. Please review more information about the Wiz integration at SecOps articles on the Security Operations Community.
For more information about the released versions of the Vulnerability Response application as well as the third-party and ServiceNow applications that are compatible with the Zurich release, see the Vulnerability Response Compatibility Matrix and Release Schema Changes [KB0856498] article in the Now Support
Knowledge Base.
|
New features
Between your current release family and Zurich, new features were introduced for Configuration Compliance.
| Release |
Release notes |
Yokohama |
- Identify Wiz Resource Types for import
-
Identify the Resource Types (assets) reported by Wiz in your environment on the Wiz Integration Resource Type configuration page in your ServiceNow AI Platform instance that you want to import.
The Resource Types that you select apply to all the primary Wiz vulnerability and compliance integrations except the Wiz Container Vulnerability Integration.
- Wiz Backfill Integrations
- Retrieve and process data stored on the Wiz Missing Assets [sn_vul_wiz_missing_asset] table for missing assets that were not processed by the primary compliance integrations with specialized Wiz Backfill Integrations.
- Test Results Backfill Integration
- Host Test Results Backfill Integration
- Issues Backfill Integration
The Wiz Backfill Integrations are activated by default.
- Wiz Host Test Result Vulnerability Integration
- Import test results associated with the resource type, VIRTUAL MACHINE with the Wiz Host Test Result Vulnerability Integration. This integration is activated by default.
- Create remediation tasks manually in the Vulnerability Manager Workspace
- With the sn_vulc.admin role, you can create remediation tasks manually by selecting some or all the records in the Configuration Test Results lists in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating remediation tasks.
- Create remediation tasks manually in the IT Remediation Workspace
- With the sn_vulc.remediation_owner role, you can create remediation tasks manually by selecting desired records in the Configuration Test Results lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating remediation tasks.
- View risk score details of a test result in the Work notes section
- Starting with v15.2.1 of Configuration Compliance, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. If you enable it, only then you can see all the changes related to the risk score
of a test result in the Work notes section. Additionally, the work notes are updated only if there’s a change in the risk score.
- Quick Start Tests for Configuration Compliance
-
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Configuration Compliance works as expected. If you customized Configuration Compliance, copy the quick start tests and configure them for your customizations.
|
Zurich |
- Remediation task rule execution mode
- You can now choose how remediation task rules are evaluated during ingestion. The new Match First execution mode evaluates rules sequentially and applies only the first matching rule, assigning each finding to exactly one
remediation task. The default Match All mode continues to evaluate all applicable rules.
- Optimized Tenable.io Compliance Results ingestion
- Starting with v 6.1.3, the Tenable.io Compliance Results Integration is replaced by the Tenable.io Fixed Compliance Results Integration and Tenable.io Open Compliance Results Integration. Compliance results are now imported
based on their status, optimizing ingestion performance and scalability for environments with large volumes of compliance data while keeping remediation and compliance tracking aligned with the current state of findings.
- Qualys Integration – API enhancements
- Qualys Integration has been upgraded to support newer Qualys API versions across Host Detection, Host List, Knowledgebase, PC Controls, PC Policies, and PCRS integrations. The integrations now ingest additional data fields,
including vulnerability detection source, authentication privilege status, active status for controls and policies, and cloud metadata, giving you better visibility into your vulnerability and compliance data. Use the new
posture_api_version integration instance parameter to choose between the default v2.0 APIs or the newer v5.0 streaming APIs for the PCRS Policy Host and PCRS Test Results integrations.
- Unified Microsoft Defender Integration for Security Exposure Management
- The Microsoft Defender for Cloud and Microsoft Defender Threat and Vulnerability Management (MS TVM) plugins are now consolidated into a single plugin: Microsoft Defender Integration for Security Exposure Management. This
consolidation deprecates the standalone Microsoft Defender for Cloud plugin. The unified plugin also introduces container image vulnerability ingestion from Microsoft Defender for Cloud, creating Container Vulnerable Items on
your instance. A guided migration path is available to transfer existing data from the deprecated applications to the unified plugin.
- Enhancements to the Vulnerability Response Integration with Wiz
-
The Missing Assets [sn_vul_wiz_missing_asset] is deprecated. After updating to version 1.1, you must backdate your existing primary Wiz integrations by three days and run them.
The backfill integrations are activated by default.
After you backdate and run your integrations, the following backfill integrations are no longer required:
- Host Vulnerability Backfill Integration
- Test Results Backfill Integration
- Host Test Results Backfill Integration
- Issues Backfill Integration
The [is_ignored] column is deprecated for the Host Test Results and Test Results Integrations. This column was replaced by the [is_result_ignored] column.
Source severity is mapped to the Priority column on the Test Results [sn_vulc_result] table.
Resource type filters are on the Test Results, Issues, and Host Test Results configuration tabs on the Wiz Configuration page. You can add any of the resource types listed. Note:
If you configure resource types on the Resource Type Configuration tab, and you choose to configure parameters on the integration instance records, your configurations on integration instance take precedence over your
settings on the Resource Type Configuration tab. See Identify Wiz Resource types for more information.
Additional attributes imported from Wiz that are not stored in the Discovered items [sn_sec_cmn_src_ci] table are stamped with Asset Attributes in this table.
Test results from the Host misconfiguration integration are classified as result type 'host_misconfiguration'.
Data for resources that have the validated_at_runtime flag set to 'yes' is imported and populated on detections.
The is_ignored column is deprecated on the Host Test Results and Test Results Integrations. This column was replaced by the is_result_ignored column.
The CMDB internet-facing field on the discovered item is mapped to Limited Internet Exposure on findings.
Column length for the descriptions in the Host Vulnerability import table has been increased.
- Qualys parameter to ignore passed test results
- Starting with v15.2.5 of Configuration Compliance, the ignore_passed_result integration instance parameter for the Qualys Integration for Security Operations has been added.
This parameter is set to false by
default so that passed test results imported by Qualys are not ignored. Set the parameter to true to ignore passed test results on import. Note: If activated, this parameter does not impact
closure of the test results. For example, if you activate the parameter, and a failed test result from a previous import has since passed, it will be closed correctly.
- Identify Wiz Resource Types for import
-
Identify the Resource Types (assets) reported by Wiz in your environment on the Wiz Integration Resource Type configuration page in your ServiceNow AI Platform instance that you want to import.
The Resource Types that you select apply to all the primary Wiz vulnerability and compliance integrations except the Wiz Container Vulnerability Integration.
- Wiz Backfill Integrations
- Retrieve and process data stored on the Wiz Missing Assets [sn_vul_wiz_missing_asset] table for missing assets that were not processed by the primary compliance integrations with specialized Wiz Backfill Integrations.
- Test Results Backfill Integration
- Host Test Results Backfill Integration
- Issues Backfill Integration
The Wiz Backfill Integrations are activated by default.
- Wiz Host Test Result Vulnerability Integration
- Import test results associated with the resource type, VIRTUAL MACHINE with the Wiz Host Test Result Vulnerability Integration. This integration is activated by default.
- The Wiz Configuration Compliance (Test Results) and Issues Integrations
-
- Import configuration test results with the Wiz
Configuration Compliance Integration (Wiz Test Results) to detect non-compliant cloud configurations. Findings are mapped to cloud test results (CTRs) in the Configuration Compliance application to help you enforce security policies and standards across your cloud environment.
- Import data with the Wiz Issues Integration that can help you identify assets that are involved in toxic combinations of vulnerabilities and misconfigurations. These findings are also mapped to CTRs with Wiz
Issues labeled as the source to help you track and remediate assets that may pose complex multi-vector risks.
|
Changes
Between your current release family and Zurich, some changes were made to existing Configuration Compliance features.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
- Remediation task rule execution mode
- You can now choose how remediation task rules are evaluated during ingestion. The new Match First execution mode evaluates rules sequentially and applies only the first matching rule, assigning each finding to exactly one
remediation task. The default Match All mode continues to evaluate all applicable rules.
- Optimized Tenable.io Compliance Results ingestion
- Starting with v[VERSION], the Tenable.io Compliance Results Integration is replaced by the Tenable.io Fixed Compliance Results Integration and Tenable.io Open Compliance Results Integration. Compliance results are now
imported based on their status, optimizing ingestion performance and scalability for environments with large volumes of compliance data while keeping remediation and compliance tracking aligned with the current state of
findings.
- Qualys Integration – API enhancements
- Qualys Integration has been upgraded to support newer Qualys API versions across Host Detection, Host List, Knowledgebase, PC Controls, PC Policies, and PCRS integrations. The integrations now ingest additional data fields,
including vulnerability detection source, authentication privilege status, active status for controls and policies, and cloud metadata, giving you better visibility into your vulnerability and compliance data. Use the new
posture_api_version integration instance parameter to choose between the default v2.0 APIs or the newer v5.0 streaming APIs for the PCRS Policy Host and PCRS Test Results integrations.
- Optimized Tenable.io Compliance Results ingestion
- Starting with v[VERSION], the Tenable.io Compliance Results Integration is deprecated and replaced by the Tenable.io Fixed Compliance Results Integration and Tenable.io Open Compliance Results Integration. Compliance results
are now imported based on their status, optimizing ingestion performance and scalability for environments with large volumes of compliance data while keeping remediation and compliance tracking aligned with the current state
of findings.
- Configure Test Result Granularity
- Starting with v15.6.1, you can configure the granularity of Tenable Configuration Test Results (CTRs) to split results into unique findings. For example, if a database has five instances, the system generates five distinct
test results, one per instance, providing improved visibility into individual patching efforts.
- Configure Test Result Granularity
- Starting with v15.4.3, you can configure the granularity of Qualys Configuration Test Results (CTR) in configuration compliance and split CTRs into unique findings. For example, if a database has five instances, the system
generates five distinct test results, one per instance, providing improved visibility into individual patching efforts.
- Configure maximum rows in related lists
- To improve readability and performance, you can now limit the number of rows shown in related lists on forms by setting the system property sn_vul_cmn.related_list.set_max_row.
- Improved state management for remediation tasks and vulnerable items
- State management logic for roll down of state from remediation tasks (RTs) to findings and roll up of state from findings to RTs has been refined across all modules. Updates improve accuracy by handling mixed item states (a
combination of Deferred and Closed), supporting closure of tasks in sub-states like In-Review, and reopening tasks based on the Assigned To field. The update also improves handling of False Positive state transitions based on
scanner results as source of truth. These enhancements reduce manual effort, clarify task ownership, and streamline remediation workflows.
|
Removed
Between your current release family and Zurich, some Configuration Compliance features or functionality were removed.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
No updates for this release. |
Deprecations
Between your current release family and Zurich, some Configuration Compliance features or functionality were deprecated.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
No updates for this release. |
Activation information
Review information on how to activate Configuration Compliance.
| Release |
Release notes |
Yokohama |
Install Configuration Compliance by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
|
Zurich |
Install Configuration Compliance and third-party integrations by requesting them from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
|
Additional requirements
If any additional requirements were introduced or changed for Configuration Compliance we have noted them here.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
No updates for this release. |
Browser requirements
If any specific browser requirements were introduced or changed for Configuration Compliance we have noted them here.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
No updates for this release. |
Accessibility information
Review details on accessibility information for Configuration Compliance, such as specific requirements or compliance levels.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
- Dark theme
- The new Coral theme includes a dark theme option for web and mobile experiences. This option is commonly used to alleviate eye strain and improve readability.
|
Localization information
If there are specific localization considerations for Configuration Compliance we have noted them here.
| Release |
Release notes |
Yokohama |
No updates for this release. |
Zurich |
No updates for this release. |
Highlight information
If there are specific highlight considerations for Configuration Compliance we have noted them here.
| Release |
Release notes |
Yokohama |
- With the sn_vulc.admin role, create remediation tasks manually in the Vulnerability Manager Workspace.
- With the sn_vulc.remediation_owner role, create remediation tasks manually in the IT Remediation Workspace.
See Configuration Compliance for more information.
|
Zurich |
- If you are currently using Configuration Compliance and you want to upgrade to Unified Security Exposure Management (USEM), see Unified Security Exposure Management release notes for more information about USEM and the Unified Security Exposure Management migration.
- Import Wiz issues and configuration test results from the Wiz scanners into test results in the Configuration Compliance application with the Vulnerability Response Integration with Wiz.
- With the sn_vulc.remediation_owner role, create remediation tasks manually in the IT Remediation Workspace.
- With the sn_vulc.admin role, create remediation tasks manually in the Vulnerability Manager Workspace.
See Configuration Compliance for more information.
|