Split Microsoft TVM detections based on the vulnerability instance to split vulnerable items

  • Release version: Zurich
  • Updated March 12, 2026

    ServiceNow® Vulnerability Response can split detections from Microsoft Threat and Vulnerability Management (MS TVM) scanners so that a unique vulnerable item (VIT) is created for each detected vulnerability instance. Splitting lets you assign VITs to different remediation teams, which improves the management and tracking of vulnerabilities.

    Before you begin

    Role required: admin

    About this task

    The Microsoft Threat and Vulnerability Management (MS TVM) scanner's payload contains detection data, with each path within the proof used to split the detections. The diskpath tag in the payload identifies the vulnerability's location, facilitating accurate identification and management of vulnerabilities according to their specific paths.

    Procedure

    1. In the Third-party Integrations table [sn_sec_int_integration], set the Include proof in VI key column value to true for Tenable.io and Tenable.sc.
    2. Navigate to All > Vulnerability Response > Administration > Configure VI granularity.
    3. On the Include port form, select the Include port check box and select the click here link.
    4. On the Add proof to VI keys list, select New.
    5. On the Add proof to the VI key- New record form, in the Vulnerability field, add the Microsoft Threat and Vulnerability Management (MS TVM) CVE for which you want to include the proof and select Submit.
      The selected vulnerability appears in the Add proof to VI keys list.

    Splitting detections from Microsoft Threat and Vulnerability Management (MS TVM) scanner

    The following detection from the Microsoft Threat and Vulnerability Management (MS TVM) scanner shows the proof in the diskpath tag.

    
    
    
        "id": "329f3283fae116e796ff1b59c8dd56fef4067e1f_mozilla_firefox_126.0.1.0_CVE-2024-7528",
        "deviceId": "329f3283fae116e796ff1b59c8dd56fef4067e1f",
        "rbacGroupId":
        "rbacGroupName": "Unassigned",
        "deviceName": "ip-0a1409fd.secops.com",
        "osPlatform": "WindowsServer2019",
        "osVersion": "10.0.17763.5936",
        "osArchitecture": "x64",
        "softwareVendor": "mozilla",
        "softwareName": "firefox",
        "softwareVersion": "126.0.1.0",
        "cveId": "CVE-2024-7528",
        "vulnerabilitySeverityLevel": "High",
        "recommendedSecurityUpdate": "mfsa2024-33",
        "recommendedSecurityUpdateId": null,
        "recommendedSecurityUpdateUrl": null,
        "diskPaths": [
            "c:\\program files\\amazon\\cfn-bootstrap\\libcrypto-3.dll",
            "C:\\program files\\amazon\\cfn-bootstrap\\libssl-3.dll"
        ],
        "registryPaths": [
            "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 126.0.1 (x86 en-US)"
        ],
        "lastSeenTimestamp": "2024-08-28 19:36:07",
        "firstSeenTimestamp": "2024-08-06 20:32:34",
        "endOfSupportStatus": null,
        "endOfSupportDate": null,
        "exploitabilityLevel": "NoExploit",
        "recommendationReference": "va-_-mozilla-_-firefox",
        "cvssScore": 8.8,
        "securityUpdateAvailable": true,
        "cveMitigationStatus": null
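
As an added illustration (not ServiceNow code and not part of the original page), the following sketch shows the effect of splitting on the sample detection above: one detection with two disk paths yields two item keys. The key layout, the case-insensitive path comparison, and the names `splitDetection` and `normalizePath` are assumptions made for this example; the platform's actual VI key format is not shown on this page.

```javascript
// Added illustration: not ServiceNow's implementation. The key layout
// (deviceId | cveId | proof) is an assumption made for this sketch.

// Constructed sample: trimmed to the fields used below, values taken
// from the detection shown on this page.
const sampleDetection = {
  deviceId: "329f3283fae116e796ff1b59c8dd56fef4067e1f",
  cveId: "CVE-2024-7528",
  diskPaths: [
    "c:\\program files\\amazon\\cfn-bootstrap\\libcrypto-3.dll",
    "C:\\program files\\amazon\\cfn-bootstrap\\libssl-3.dll",
  ],
};

// Windows paths are case-insensitive, so normalise before comparing.
// Otherwise the same file reported as "C:\..." and "c:\..." would be
// counted as two separate vulnerability instances.
function normalizePath(p) {
  return p.trim().replace(/\//g, "\\").toLowerCase();
}

// Returns one record per distinct disk path. When proof is not included
// in the key, or the scanner reported no disk path, the detection stays
// a single item keyed on device and CVE only.
function splitDetection(detection, includeProof = true) {
  const base = `${detection.deviceId}|${detection.cveId}`;
  const paths = includeProof
    ? [...new Set((detection.diskPaths || []).map(normalizePath))]
    : [];
  if (paths.length === 0) {
    return [{ key: base, proof: null }];
  }
  return paths.map((proof) => ({ key: `${base}|${proof}`, proof }));
}

// Print the keys the sample detection would produce when split.
for (const item of splitDetection(sampleDetection)) {
  console.log(item.key);
}
```
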