Understanding the Microsoft Threat and Vulnerability Management Vulnerability integration

  • Release version: Zurich
  • Updated March 12, 2026
  • 8 minutes to read

    The Vulnerability Response integration with Microsoft Threat and Vulnerability Management (MS TVM) application uses data imported from MS TVM to help you prioritize and remediate vulnerabilities for your assets. The application is available with a separate subscription from the ServiceNow Store.

    You can use the MS TVM Vulnerability integration to import third-party scanner data about your assets and vulnerabilities. You can then view reports about vulnerabilities and vulnerable items on the Vulnerability Response dashboards.

Figure: MS TVM integration workflow. Install and configure the application, view the ingested data in your ServiceNow AI Platform instance, and automatically prioritize and remediate vulnerabilities for your assets.

    Available versions

    Release version Release notes

    Vulnerability Response Integration with MS TVM v2.2

    For more information about released versions of the Vulnerability Response application, compatibility, and schema changes, see the Vulnerability Response Compatibility Matrix and Release Schema Changes [KB0856498] article in the HI Knowledge Base.

    Domain separation and MS TVM

    Import vulnerability integration data to a specified domain by assigning a user in that domain to run the integrations. To create domain-separated imports for the MS TVM Vulnerability Integration, see Create domain-separated imports for an integration.

    Terms and key features of the integrations

    Vulnerable items and vulnerabilities
    A vulnerable item is created in your ServiceNow AI Platform instance when:
    • An imported vulnerability from a third-party scanner is matched to an existing asset (configuration item) in your CMDB. The MS TVM product refers to these matches as vulnerabilities.
    • An imported vulnerability from a third-party scanner is not matched to an existing asset in your CMDB. In this case, an unmatched configuration item (CI) is also created with a vulnerable item.

      Use the Identification and Reconciliation Engine (IRE) to create CIs in two new classes when an existing CI can't be matched with a host. Otherwise, unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs using the Identification and Reconciliation engine.

    Third-party vulnerability entries
    Third-party vulnerability entries are imported from third-party scanners such as MS TVM and are listed in the Third-Party Vulnerability Entries table in your ServiceNow AI Platform instance. Also, National Vulnerability Database entries (CVEs) are imported from MS TVM. The exploit information that is associated with both these types of entries comes from MS TVM. This exploit information can be used for risk calculation.
    Note:
    A third-party vulnerability is retrieved only for vulnerabilities that do not have a CVE assigned to them. MS TVM can add a temporary name for the vulnerability, for example, TVM-XXXX-XXXX. This name is updated after a CVE ID is assigned.
    Configuration item (CI)
    CIs are the existing assets that are listed in your CMDB.
    Discovered item
    Discovered items are the assets that are ingested from the MS TVM machine import that match existing CIs in your CMDB.

    If a match is not found, a CI is created in the Unmatched CI class of the CMDB. If you enable the CMDB CI Class Models plugin, the Identification and Reconciliation Engine (IRE) creates CIs by using new classes instead. For more information, see Creating CIs using the Identification and Reconciliation engine. If the original, unmatched CI is reclassified, the discovered item records are updated to reflect that state. Discovered items give you visibility into how assets are identified and mapped to CIs in the CMDB.

    CI lookup rules
    When data is imported from MS TVM, Vulnerability Response automatically uses machine (asset) data to search for matches in the CMDB. CI lookup rules are used to identify CIs and to add them to VI records when VIs are created.
    Instance
    An instance is an MS TVM account. If you have multiple MS TVM accounts, each account can be configured as a separate instance in the MS TVM application.
    Integration
    An integration is a scheduled job that retrieves information from a third-party source, such as the integration of the MS TVM machines.
    Deployment
    When an integration supports multi-source, each configured instance of that integration is referred to as a deployment of the integration. Deployments span the integrations and products across your environment; for example, you might have multiple deployments of MS TVM in your environment.

    The MS TVM integration also includes the following key features:

    • You can identify the assets across your environment and update the CIs on your existing discovered items, vulnerable items, and detection records to give you more details about your vulnerabilities.
    • You can schedule when you want the jobs to run for all the MS TVM integrations. You can also execute scheduled jobs on-demand.
    • You can group vulnerable items.
    • You can configure CI lookup rules to define how the asset data from third-party sources is used to identify CIs in your CMDB.

    Required ServiceNow AI Platform roles

    The integration tasks require the following roles in your ServiceNow AI Platform instance.

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    admin
    The system admin uses Setup Assistant to install the MS TVM application. If the roles are not already assigned, the admin assigns the vulnerability admin role (sn_vul.vulnerability_admin) and other roles in Setup Assistant.
    sn_vul.vulnerability_admin
    Once assigned, the vulnerability admin completes the configuration of the MS TVM integrations in Setup Assistant. This role has complete access to the Vulnerability Response application and its records. The vulnerability admin configures all Vulnerability Response applications and rules for installed third-party integrations.
    sn_vul_msft_tvm.configure_integration

    This role contains the sn_vul_msft_tvm.read_integration granular role. Users with this role can configure the Vulnerability Response Integration with the Microsoft Threat and Vulnerability Management application.

    sn_vul_msft_tvm.read_integration

    Users with this role can only view the Vulnerability Response Integration with the Microsoft Threat and Vulnerability Management application records.

    Vulnerability Response group
    By default, the Vulnerability Response group is available in Setup Assistant. Users assigned to the Vulnerability Response group inherit the sn_vul.read_all and sn_vul.remediation_owner roles automatically.

    MS TVM integrations

    Multi-source is supported for all the MS TVM integrations. You can add and deploy multiple instances of the following integrations across your environment from Setup Assistant in Vulnerability Response. You also install and configure the Vulnerability Response Integration with the MS TVM application from Setup Assistant.

    To view the MS TVM integrations, navigate to Microsoft TVM Vulnerability Integration > Administration > Integrations. Vulnerability Response provides integrations with MS TVM end points to import the data according to the scheduled time intervals. The following integrations are included in the base system.

    Table 1. MS TVM integrations

    | Run sequence | Schedule | Integration | Description |
    |---|---|---|---|
    | 1 | Daily | Microsoft TVM Recommendations Integration | Retrieves a list of all the actionable security recommendations to remediate the vulnerabilities. |
    | 2 | Daily | Microsoft TVM Vulnerability (CVE) Integration | Retrieves a list of the national vulnerability database entries and third-party vulnerability entries, as well as their exploit information. |
    | 3 | Daily | Microsoft TVM Machines Integration | Retrieves all asset (machine) data, including machine tags, from the Microsoft TVM and processes it in your instance. |
    | 4 | Weekly (Note: after installation, this integration is run automatically after the machines import.) | Microsoft TVM Machines Vulnerabilities Integration (Full Import) | Retrieves all the open vulnerabilities on all the assets. |
    | 5 | Daily | Microsoft TVM Machines Vulnerabilities Integration (Delta Import) | Retrieves all the information that has changed in the full vulnerability import of the organization, including the new, fixed, and updated vulnerabilities. |

    Vulnerable items are grouped into remediation tasks according to the group rules that you set and are assigned for remediation based on your assignment rules. For more information, see Vulnerability Response remediation tasks and remediation task rules overview and Vulnerability Response assignment rules overview.

    CI lookup rules

    When data is imported from MS TVM, Vulnerability Response automatically uses machine (asset) data to search for matches in the Configuration Management Database (CMDB). CI lookup rules are used to identify CIs and add them to VI records when VIs are created. For more information on how CI lookup rules work, see Create a Vulnerability Response CI lookup rule.
    Note:
    Once you remove a rule, you can't recover it. Instead of removing an existing rule, you should disable it.
    The following MS TVM lookup rules are shipped with the base system:
    • MAC_ADDRESS
    • FQDN
    • IP
    Note:
    You can use multiple values for the IP_ADDRESS and MAC_ADDRESS of an asset. A CI lookup rule considers all values for matching.
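    As an added illustration (not the platform's own code), the following JavaScript models how the shipped lookup rules are evaluated in order against multi-valued machine attributes, and how a machine that no rule matches ends up as a CI in the Unmatched CI class. The field names, the case-insensitive comparison, and all sample CMDB and machine records are assumptions made for this example.

```javascript
// Illustrative model (added example, not ServiceNow platform code) of how the base-system
// CI lookup rules MAC_ADDRESS, FQDN and IP match MS TVM machine data to CMDB CIs.
const LOOKUP_RULES = [
  { name: "MAC_ADDRESS", field: "macAddresses" },
  { name: "FQDN", field: "fqdn" },
  { name: "IP", field: "ipAddresses" },
];
// Single and multi-valued attributes both become a lowercase set, so every MAC or IP
// address of an asset is considered (case folding is an assumption of this model).
function toSet(value) {
  const list = Array.isArray(value) ? value : value == null ? [] : [value];
  return new Set(list.map((v) => String(v).trim().toLowerCase()).filter(Boolean));
}
// Evaluate the rules in order; return { rule, ci } for the first CI sharing a value.
function lookupCi(machine, cmdb) {
  for (const rule of LOOKUP_RULES) {
    const wanted = toSet(machine[rule.field]);
    for (const ci of cmdb) {
      const have = toSet(ci[rule.field]);
      for (const v of wanted) if (have.has(v)) return { rule: rule.name, ci };
    }
  }
  return null;
}
// A match yields a discovered item for the existing CI; no match creates a CI in the
// Unmatched CI class and a discovered item that references it.
function processMachineImport(machines, cmdb) {
  const discovered = [], unmatched = [];
  for (const m of machines) {
    const hit = lookupCi(m, cmdb);
    if (hit) {
      discovered.push({ machineId: m.id, ciId: hit.ci.id, matchedBy: hit.rule });
    } else {
      const ci = { id: `unmatched-${m.id}`, className: "Unmatched CI", fqdn: m.fqdn };
      unmatched.push(ci);
      discovered.push({ machineId: m.id, ciId: ci.id, matchedBy: null });
    }
  }
  return { discovered, unmatched };
}
// Constructed sample data: two existing CIs and four imported machines.
const SAMPLE_CMDB = [
  { id: "ci-1", macAddresses: ["00:11:22:33:44:55"], fqdn: "web01.example.com", ipAddresses: ["10.0.0.5"] },
  { id: "ci-2", macAddresses: [], fqdn: "db01.example.com", ipAddresses: ["10.0.0.9", "192.168.1.9"] },
];
const SAMPLE_MACHINES = [
  { id: "m-1", macAddresses: ["AA:BB:CC:DD:EE:FF", "00:11:22:33:44:55"], fqdn: "x.example.com" },
  { id: "m-2", macAddresses: ["de:ad:be:ef:00:01"], fqdn: "DB01.example.com", ipAddresses: ["10.0.0.9"] },
  { id: "m-3", fqdn: "other.example.com", ipAddresses: ["10.9.9.9", "192.168.1.9"] },
  { id: "m-4", fqdn: "newhost.example.com", ipAddresses: ["172.16.0.20"] },
];
```

    Calling processMachineImport(SAMPLE_MACHINES, SAMPLE_CMDB) matches m-1 by its second MAC, m-2 by FQDN despite the case difference, m-3 by its second IP address, and leaves m-4 unmatched.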

    Discovered items

    You can see the CIs that were detected during an import from the MS TVM Machines integration.
    Note:
    The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.
    For more information, see Discovered Items.

    Machine tags

    Machine tags, also known as host tags, are used for organizing and tracking the assets in your organization. You assign tags to your machines.

    All machine tags are imported as part of the MS TVM Machines integration. Machine tags are generally used for filtering in Vulnerability Response assignment rules and remediation task rules. The tags are displayed in the Discovered Item form.
    Note:
    Run the MS TVM Machine integration before you create Vulnerability Response assignment or remediation task rules in the Vulnerability Response application so that all tags are available for these rules before vulnerable items are imported and grouped. Also note the following points about tags:
    • Tag storage is not case sensitive. If a Paris tag is created, then a PARIS tag cannot be stored in the Machine tag table. Paris and PARIS are considered to be the same machine tag by the system. Whichever tag is imported first is the tag that is stored and recognized.
    • Using machine tags as a group key in a remediation task rule may have unexpected results. Group keys are columns in the remediation tasks table, whereas machine tags are intended for use only in the condition builder.
    • Machine tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Disabling tags disables them across all ServiceNow AI Platform® instances.

    What to do next

    After you download the Vulnerability Response integration with Microsoft Threat and Vulnerability Management from the ServiceNow® Store, installation and configuration are supported by Setup Assistant in Vulnerability Response. For more information, see Install and configure the Vulnerability Response Integration with the MS TVM application using Setup Assistant.