Configuring Vulnerability Response using the Setup Assistant

Release version: Zurich

Updated April 28, 2026

5 minutes to read

Summarize

Summarized using AI

Summary of Configuring Vulnerability Response using the Setup Assistant

The Setup Assistant in ServiceNow Zurich release streamlines the installation and configuration of the Vulnerability Response application and its supported third-party integrations. It guides administrators through essential setup steps to enable effective vulnerability management and remediation workflows within your environment.

Show full answer Show less

System Administration

Administrators with the admin role start by assigning appropriate Vulnerability Response personas and granular roles to users and groups. Key roles include:

snvul.admin: For vulnerability response administration, configuration, and integration management.
snvulvulnerabilitywrite: For creating and updating remediation tasks and vulnerable items.
snvulvulnerabilityread: For viewing vulnerability data and remediation tasks.

Users with the itil role automatically gain remediation owner access without additional assignments.

Admins also install supported third-party integration applications through the Setup Assistant, enabling streamlined vulnerability data imports.

Vulnerability Response Settings

Users with the snvul.vulnerabilityadmin or snvul.admin roles configure global settings including:

Vulnerability Assignment Rules: Define automatic assignment of remediation tasks. A base rule is provided, and a scheduled job can reapply these rules to open vulnerable items. Frequency should be planned considering environment size to balance performance.
Remediation Task Rules: Define how remediation tasks are automatically created. Rules can be reapplied or deleted with options to remove related open groups.
Risk Calculators: Enable and customize scoring algorithms to prioritize vulnerabilities effectively using shipped calculators or custom configurations.
Remediation Target Rules: Establish categories for remediation targets, with base system rules available for customization.

Integration Configuration

Administrators configure and manage third-party vulnerability scanner integrations using the Setup Assistant, including:

Qualys Vulnerability Integration
Tenable Vulnerability Integration

If the Solution Management for Vulnerability Response application is installed, solution provider integrations such as Red Hat and Microsoft Security Response Center can also be configured.

Multiple deployments of the same third-party integration are supported using templates based on original integration settings. It is recommended to disable rather than delete original integrations to preserve templates. Data from each integration is uniquely identifiable within a single Vulnerability Response instance.

Note that multiple Rapid7 InsightVM integrations require manual domain separation and are not supported directly via Setup Assistant.

Additional Considerations

Further setup and configuration tasks beyond the Setup Assistant are documented separately and may be required for complete Vulnerability Response implementation.

Setup Assistant walks you through setting up Vulnerability Response and certain third-party integrations for your environment. Setup Assistant provides almost everything you need to install and set up your environment so that you can use Vulnerability Response.

Setup Assistant functionality with System Administration, Vulnerability Response Settings, and Integration Configuration sections. — Figure 1. Setup Assistant functionality

Using Setup Assistant requires two different ServiceNow AI Platform® roles: admin and vulnerability admin.

Refer to the following sections to supplement the instructions and prompts provided in Setup Assistant.

System Administration - assign users and groups and install integration applications

Role required: admin

A list of users and integrations should be obtained from the Vulnerability Manager prior to beginning these tasks.

Navigate to All > Vulnerability Response > Administration > Setup Assistant.
In the first section, System Administration, the admin the assigns roles to users and groups and installs supported integrations.
Assign Vulnerability Response personas and roles to users and groups in Setup Assistant.

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.
Assign roles in Setup Assistant.
- Assign the role of sn_vul.admin to users or groups.
- Assign the sn_vul.admin role for Vulnerability Response administration and configuration including vulnerability integrations, remediation task rules, calculators, and time-to-remediate rules.
- Assign the sn_vul_vulnerability_write role for the creation and update of remediation tasks and vulnerable items.
  Note:
  All other users automatically receive Write access only to remediation tasks that are assigned to them.
- Assign the sn_vul_vulnerability_read role to view remediation tasks, vulnerable items, and other vulnerability information.
  Note:
  Users with the itil role are automatically granted the sn_vul.remediation_owner role allowing them to see remediation tasks and vulnerable items assigned to them, vulnerability entries, and, solutions in the Vulnerability Response application on their instance and in the Mobile Agent application. No additional assignment is needed.
Install third-party integration applications.
- See Installation of Vulnerability Response and supported applications and Vulnerability Response integrations for more information about applications that are supported by Vulnerability Response.
- For more information about using setup assistant to install supported apps, see Install Vulnerability Response third-party applications using Setup Assistant.

Vulnerability Response Settings

Role required: sn_vul.vulnerability_admin or sn_vul.admin (deprecated), or admin

In Vulnerability Response Settings, the vulnerability administrator defines application-wide settings and defines rules for Vulnerability Response. Alternatively, the admin can perform these tasks.

Create Vulnerability Assignment Rules.
Create rules that define the automatic assignment of remediation tasks for resolution. At least one rule is shipped with the base system. See Vulnerability Response assignment rules overview for more information.

Note:
The reapply feature requires a baseline application of the rules. Once your rules are created, activate the Reapply all vulnerability assignment rules scheduled job to execute, at your convenience. Otherwise, you will be required to reapply all rules to all Open VIs prior to changing them.

When the job is complete, set the Run field in the scheduled job to fit your environment. Depending on the number of active VIs you have, evaluating and updating them daily can have non-trivial performance impact. For larger environments, consider updating once a week or even once a month.

Reapplying assignment rules does not regroup the vulnerable items.
Create remediation task rules.
Create rules that define the automatic creation of remediation tasks for resolution. At least one rule, Vulnerability, is shipped with the base system. You can reapply the rules from the form or list view.
- When a group rule is deleted, from the form or list view, you have the option to delete all Open groups created by that rule. Groups not in the Open state are excluded.
- See Create a Vulnerability Response CI lookup rule for more information on creating rules for your environment.
- See Exploring the Vulnerability Response application for more information on using Vulnerability Response to remediate vulnerabilities.
Create and enable Risk Calculators.
Enable risk calculators that define how vulnerable items are scored for prioritization. Several risk calculators are shipped with the base system. See Vulnerability Response calculators and vulnerability calculator rules information on creating or editing risk calculators for your environment.
Create Remediation Target Rules.
Create remediation target rules for categories of remediation. At least one rule is shipped with the base system. See Vulnerability Response remediation target rules for more information on creating rules for your environment.

Integration Configuration

Role required: sn_vul.vulnerability_admin or sn_vul.admin (deprecated), or admin.

In the Integration Configuration section, configure, schedule, edit, and launch on-demand the following third-party vulnerability scanner integrations and, if the Solution Management for Vulnerability Response application is installed, solution providers.

See Configure the Qualys Vulnerability Integration using Setup Assistant for more information about configuring the Qualys Vulnerability Integration.
Configuration of the Vulnerability Response Integration with Tenable application is supported. See Configure the Tenable Vulnerability Integration using Setup Assistant.
After you install the Vulnerability Solution Management application, the Solution Integrations option is displayed below Scanner Integrations. Click Solution Integrations to configure your installed vulnerability solution providers from this section of Setup Assistant. The Red Hat Solution Integration and Microsoft Security Response Center Solution Integration are supported.
See Vulnerability Solution Management for more information about installed solutions. See Install the Solution Management for Vulnerability Response application for more information about installation.

See Configure installed solution integrations for Vulnerability Solution Management using Setup Assistant for more information about configuring your installed solutions.
If an integration is multi-sourced, you can have multiple deployments of the same third-party integration.
The settings from your original third-party integration are used as a template for the settings of each new integration.
Note:
If you delete the original vulnerability integration, you have to select another integration to use as your template. Consider disabling the integration instead of deleting it. Integrations created from disabled templates are disabled by default.

Data from each third-party integration is uniquely identified and available in a single instance of Vulnerability Response.

Note:

Multiple vulnerability integrations for Rapid7 InsightVM are not available within Setup Assistant. See Create domain-separated imports for an integration for information on configuring and creating multiple Rapid7 InsightVM integrations.

Additional tasks

See Additional Vulnerability Response setup and configuration tasks for more information on setup tasks not included in Setup Assistant.