Vulnerability Response vulnerable item detections from third-party integrations
Summary of Vulnerability Response vulnerable item detections from third-party integrations
The Vulnerability Response application in ServiceNow supports integrations with third-party scanners to import detailed vulnerability detection data from your enterprise environment. These detections represent individual occurrences of vulnerabilities as reported by scanners, and are linked to Vulnerable Item (VI) records within your ServiceNow AI Platform instance.
Detection data is paired with VIs, updating VI states accordingly. If no matching VI exists, a new one is created. Detection statuses are controlled solely by scanner data. Recent enhancements allow VIs to reflect the most recent open detection values, improving data accuracy on fields like IP address, SSL, port, protocol, and proof.
Key Features
- Third-party integration support: Integrations with scanners such as Qualys, Rapid7, Tenable, Microsoft Defender Vulnerability Management, and others enable automated import of vulnerability detection data.
- Detection and VI relationship: Each detection is a distinct instance of a vulnerability tied to a CI (configuration item) and enriches the corresponding VI record.
- Configurable detection data updates: The system property sn_vul.show_last_open_detection controls whether VIs are updated with the latest open detection data after ingestion.
- Detection key configurations: Unique detection keys, specific to each integration, ensure accurate matching of detections to VIs, considering attributes such as vulnerability, port, protocol, asset ID, proof, and NIC (for Rapid7).
- Reopening resolved VIs: Vulnerable items marked Resolved but not Closed/Fixed are automatically reopened if detected in subsequent scans, ensuring accurate tracking of recurring vulnerabilities.
- Detection data visibility: Users can view detailed detection data on VI records and verify imported data on integration run records.
Practical Implications for ServiceNow Customers
By leveraging third-party vulnerability scanner integrations, customers can maintain a comprehensive and up-to-date view of vulnerabilities across their assets directly within the ServiceNow platform. This enables streamlined vulnerability tracking, prioritization, and remediation workflows.
Customization options allow customers to tailor detection data handling to their operational needs, such as updating VIs with the latest detection attributes or managing the reopening of resolved vulnerabilities based on scanner findings.
Supported integrations require separate subscriptions and must be properly configured to ensure smooth data ingestion and accurate vulnerability management.
View all of the information that is gathered by third-party scans in your ServiceNow AI Platform® instance. View the returned results of the scans on detection and vulnerable item (VI) records in your instance as these results are viewed on the scanners.
Overview
The Vulnerability Response application supports third-party Integrations that retrieve vulnerable item data from your enterprise environment. Detailed data about detections, that is, single, distinct occurrences of vulnerabilities as reported by the scanners of your third-party integrations, are imported and displayed on both the detection and the vulnerable item records in your ServiceNow AI Platform instance.
Third-party Integrations retrieve vulnerable item detection data. Detections are distinct occurrences of vulnerabilities as reported by the scanners. Detection data are paired with vulnerable items and VI state is updated based on the state of the detections. If a VI is not found, a new one is created. Detections are only opened or closed by data found directly by a scanner.
In previous versions of Vulnerability Response, vulnerable item detections, the relationship between a CI (asset) in your environment and an imported vulnerability from a third-party scanner, created a unique vulnerable item in your ServiceNow AI Platform instance.
The granularity of the original data provided by the scanner is preserved. With detections, the detection data is paired with vulnerable items. During an ingestion, if a vulnerable item is not found, a new VI is created.
Starting from version 21.1.2 of Vulnerability Response, a system property sn_vul.show_last_open_detection is provided in the base system. By default, the value of this property is set to false, and the current behavior of aggregating the values from the initial detection to the VI remains unchanged. However, if it is set to true, a VI is automatically updated with the last open detection after an ingestion. The fields such as IP address, SSL, Port, Protocol, NetBIOS, and Proof are updated for the VI detections. If needed, you can customize the detection fields that should be updated by modifying the DetectionBase script.
To view the values for the last open detection, navigate to the Last Open Detection tab on the VI form view. To update all the VIs opened in the past year with the last open detection values, you can run the scheduled job Update Last Open Detection Value To VITs on-demand. This scheduled job is also provided in the base system.
Supported versions of Vulnerability Response
For more information about installing or updating the Vulnerability Response application, see Install Vulnerability Response.
Supported third-party integrations
- Qualys Host Detection Integration
- Rapid7 Data Warehouse:
- Vulnerable Item Integration
- Vulnerable Item Resolution Integration
- Rapid7 Vulnerable Item Resolution Integration (InsightVM)
- Insight VM integration
- Vulnerable Item Integration - API
- Tenable Vulnerability Integration
- Microsoft Defender Vulnerability Management
These third-party integrations are available with a separate subscription from the ServiceNow Store. For more information about these integrations, see Vulnerability Response integrations and Security Operations; see the ServiceNow Store for more information about obtaining entitlement.
To verify that your third-party scanner is configured for import, see Install and configure the Rapid7 Integration for Security Operations application and Install the Qualys Vulnerability Integration.
Key terms for vulnerable item detections
- Vulnerability
- Data about weaknesses in software, operating systems, and assets imported from internal and external sources. This data is imported and compared to existing assets (configuration items, CIs) listed in the CMDB.
- Vulnerable item
- A vulnerable item is created or updated when an imported vulnerability matches a CI in the CMDB.
- Detection
- A single, distinct occurrence of a vulnerability as reported by a scanner, referred to as a Vulnerable Item Detection within the ServiceNow AI Platform environment. A detection includes enriched data about a vulnerability and any corresponding vulnerable items. This data is displayed on the Detection record (VID#) and the vulnerable item list view, and includes the following details:
- First found (date)
- Last found (date)
- DNS name
- NetBIOS name
- IP address
- Port
- Protocol
- Proof
- SSL
- Times found
Note: Adding a business rule on the detection table will impact the performance of the ingestion.
- Detection key
- A hashed combination of fields that provides a way to identify a detection and tie it to a vulnerable item. Detection keys are integration-specific.

Table 1. Detection key configurations

| Scanner | Vulnerability | Port | Protocol | Asset ID | Proof | NIC |
| --- | --- | --- | --- | --- | --- | --- |
| Qualys | Yes | Yes | Yes | Yes | No | NA |
| Tenable | Yes | Yes | Yes | Yes | No | NA |
| Rapid7 | Yes | Yes | Yes | Yes | Yes (not case sensitive) | Yes |

Note:
- If the detection key is not specified, or for versions earlier than Vulnerability Response 14.0, the detection key is a combination of vulnerability entry, port, protocol, asset ID, and proof.
- Starting with v19.0 of Vulnerability Response, a new detection key, NIC, is added for Rapid7 InsightVM and is activated by default. Existing detections without a NIC are updated with the first incoming NIC in the payload from Rapid7. The detection key is then recalculated and repopulated on the detection, including the NIC. New detections are created if otherwise similar detections are seen with different NIC values. This data is not rolled up to the Vulnerable Item table. The NIC value is stored in a new column on the sn_vul_detection_key_config and sn_vul_detection tables.
- De-dup
- The process used by the Vulnerability Response application to collapse individual detections into a single VI when the data meets certain hard-coded criteria.
- VI External ID
- The value stored in the External ID field of the VI table. This value is a hash of the combination of keys within a VI that represents what makes it unique within the application. It is composed of a CI and a vulnerability entry.
Reopen resolved vulnerable items
Vulnerable items set to Resolved in your ServiceNow AI Platform instance but not transitioned to Closed/Fixed by the subsequent integration runs are reopened if they are detected during rescans.
Closed VIs with a substate of fixed or stale are reopened if a new detection is created and the VIs can be matched with the new vulnerability.
As implemented in the _shouldReOpenVI() method of the DetectionBase script include, if the VIT was earlier Closed with substate Fixed, Stale, or CI Decommissioned, it is reopened and the detection is mapped to the existing VIT.
For example, suppose a VIT's closed date is later than the last_found date of a detection. You would expect such VIT records to remain closed. However, if you see a previously closed VIT reopened, it means that the VIT was closed by an earlier detection and the vulnerability was found again in a later scan. When a new detection is found that matches the closed VIT, that is, the same vulnerability on the VIT's configuration item, the VIT is reopened.
For Rapid7 detections, an option is now available on the Rapid7 configuration page in your instance to reopen resolved VIs by age. If enabled, VIs set to Resolved but then not transitioned to Closed/Fixed by subsequent scans transition back to Open after the number of days you enter.
For Qualys detections, if the scanner continues to find VIs that were set to Resolved but then not transitioned to Closed/Fixed by subsequent scans, these VIs move back to Open when the last found date is later than the Resolved date.
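The following is an added example, not ServiceNow's DetectionBase script include, that encodes the reopen rules from this section as one decision function so that the behaviour can be checked against sample records: a Closed VI with substate Fixed, Stale, or CI Decommissioned is reopened by a matching new detection; a Resolved VI is reopened on Qualys data when the last found date is later than the resolved date, on Rapid7 data after the configured number of days when the reopen-by-age option is enabled, and otherwise whenever it is found again in a rescan. The state and substate strings, the field names, and the option name reopenResolvedByAgeDays are assumptions for this example; the caller is assumed to have already matched the detection to the VI by CI and vulnerability entry.

```javascript
// Added example, not ServiceNow's code: reopen decision for a VI that a new
// detection has matched. Field and option names are assumptions.
const REOPENABLE_CLOSED_SUBSTATES = ['Fixed', 'Stale', 'CI Decommissioned'];
const DAY_MS = 24 * 60 * 60 * 1000;

// vi: { state, substate, resolved_on }   detection: { scanner, last_found }
// options.reopenResolvedByAgeDays: Rapid7 "reopen resolved VIs by age" setting
// (undefined when the option is disabled). Returns true when the VI should
// transition back to Open.
function shouldReopenVI(vi, detection, options = {}) {
  if (vi.state === 'Closed') {
    // Closed with substate Fixed, Stale or CI Decommissioned: a matching new
    // detection reopens it; other closed substates stay closed.
    return REOPENABLE_CLOSED_SUBSTATES.includes(vi.substate);
  }
  if (vi.state === 'Resolved') {
    const resolvedOn = Date.parse(vi.resolved_on);
    if (detection.scanner === 'Qualys') {
      // Qualys: reopen when the scanner's last found date is later than the
      // resolved date.
      return Date.parse(detection.last_found) > resolvedOn;
    }
    if (detection.scanner === 'Rapid7' && options.reopenResolvedByAgeDays != null) {
      // Rapid7 with reopen-by-age enabled: reopen once the VI has been Resolved
      // for at least the configured number of days (age measured at the time the
      // detection was last found).
      const ageDays = (Date.parse(detection.last_found) - resolvedOn) / DAY_MS;
      return ageDays >= options.reopenResolvedByAgeDays;
    }
    // Any other Resolved VI that is found again during a rescan is reopened.
    return true;
  }
  // Open, In Progress, etc.: nothing to reopen.
  return false;
}

// Constructed sample records to exercise each rule.
const SAMPLE_CASES = [
  { name: 'closed-fixed', vi: { state: 'Closed', substate: 'Fixed' },
    det: { scanner: 'Tenable', last_found: '2024-03-01' } },
  { name: 'closed-other', vi: { state: 'Closed', substate: 'Other (placeholder)' },
    det: { scanner: 'Tenable', last_found: '2024-03-01' } },
  { name: 'resolved-qualys-later', vi: { state: 'Resolved', resolved_on: '2024-02-01' },
    det: { scanner: 'Qualys', last_found: '2024-03-01' } },
  { name: 'resolved-qualys-earlier', vi: { state: 'Resolved', resolved_on: '2024-02-01' },
    det: { scanner: 'Qualys', last_found: '2024-01-15' } },
  { name: 'resolved-rapid7-aged', vi: { state: 'Resolved', resolved_on: '2024-01-01' },
    det: { scanner: 'Rapid7', last_found: '2024-02-15' }, opts: { reopenResolvedByAgeDays: 30 } },
  { name: 'resolved-rapid7-young', vi: { state: 'Resolved', resolved_on: '2024-01-01' },
    det: { scanner: 'Rapid7', last_found: '2024-02-15' }, opts: { reopenResolvedByAgeDays: 60 } },
  { name: 'open', vi: { state: 'Open' }, det: { scanner: 'Qualys', last_found: '2024-03-01' } },
];

function evaluateSamples() {
  const out = {};
  for (const c of SAMPLE_CASES) out[c.name] = shouldReopenVI(c.vi, c.det, c.opts || {});
  return out;
}

console.log(evaluateSamples());
```

A useful property of writing the rules out this way is that the order matters: the Closed branch is checked before any scanner-specific Resolved rule, so a Closed/Fixed VI is reopened by a new matching detection regardless of dates, which is exactly the surprising case described in the example above.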
View detection data
You view the data imported from vulnerable item detections on the VI record. For more information, see View Vulnerability Response vulnerable item detection data and Verify Vulnerability Response vulnerable item detection data on integration run (VINTRUN) records.