Vulnerability Response integrations

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Vulnerability Response integrations

    Vulnerability Response in ServiceNow Zurich release supports integration with various third-party vulnerability scanners and data sources. These integrations import vulnerability data, reconcile it with the Configuration Management Database (CMDB) assets, and automatically create and manage vulnerable items for remediation. This process enables prioritization, risk scoring, and assignment to appropriate teams for efficient vulnerability management.

    Show full answer Show less

    Key Features

    • Third-party integrations: Support for importing vulnerabilities from sources like the National Vulnerability Database (NVD), Rapid7, Qualys, Tenable, Shodan, and others. Vulnerabilities are matched against CMDB assets to generate actionable vulnerable items.
    • No cross-integration deduplication: Vulnerable item deduplication does not occur across different third-party integrations (e.g., between Rapid7 and Qualys).
    • Integration management: Many integrations can be installed, configured, scheduled, and launched on-demand via the Setup Assistant, streamlining integration operations. Some integrations, such as Rapid7, require configuration outside the Setup Assistant.
    • Integration process monitoring: The system uses heartbeat timestamps to monitor import queue entries and detect processing delays or timeouts, preventing integration stalls during large data imports.
    • Updated process state naming: From version 17.1 onward, integration states use updated names for clarity, such as changing “Processing” to “Retrieving” and “WaitComplete” to “Waiting/Processing.”
    • Support for multiple deployments: Domain-separated imports are available to support integrations in multi-deployment environments.
    • Application and CSDM table integration: Vulnerability Response and related applications contribute to and consume data from Common Service Data Model (CSDM) tables, enhancing cross-product data sharing and value.
    • Manual integration creation: Customers can develop custom integrations beyond those available in the ServiceNow Store to meet specific needs.

    Key Outcomes

    • Automated import and reconciliation of vulnerability data with your existing asset data enable efficient vulnerability management workflows.
    • Prioritized and risk-scored vulnerable items ensure remediation efforts focus on the most critical issues with business context.
    • Flexibility to integrate multiple vulnerability scanners and data sources without cross-integration conflicts, maintaining data integrity.
    • Robust integration monitoring and timeout handling minimize risk of data processing delays or failures, ensuring continuous data flow.
    • Ability to manage and customize integrations through Setup Assistant and manual methods adapts to diverse enterprise environments.
    • Leveraging CSDM tables enhances interoperability across ServiceNow Security Operations and other IT products for comprehensive asset and vulnerability insights.

    Vulnerability Response includes support for third-party integrations. Included in this section are some basic guidelines for developing your own integrations.

    Third-party integrations

    Refer to the notes and text for how third-party integrations and the Vulnerability Response application create vulnerable items.

    Imported vulnerabilities from the National Vulnerability Database (NVD) and detection data from third-party scanners are reconciled with the assets in your CMDB. When an imported vulnerability matches an existing asset, a vulnerable item is created. Vulnerable items are grouped automatically into tasks for remediation, risk-scored with business context, prioritized and assigned to appropriate teams for remediation.

    Note:

    Third-party integrations are treated separately. If more than one third-party integration application is in use in your environment there is no vulnerable item (VI) deduplication across integrations. For example, VI deduplication between Rapid7 and Qualys is not available.

    However, mismatches in detection count between a third-party scanner (for example, Qualys) to VIs in your ServiceNow instance are expected, since we dedupe across IPs, ports and so on.

    For information about third-party integrations supported by Application Vulnerability Response see, Integrating Application Vulnerability Response with other applications

    Additional notes for integrations

    If multiple deployments are supported for an integration, see Create domain-separated imports for an integration.

    • You can install, configure, schedule, and launch on-demand many of the integration applications from within Setup Assistant.
    • You can install the Rapid7 Vulnerability Integration application from Setup Assistant, but configuration is not supported for this integration from within the Setup Assistant. See Install the Rapid7 Vulnerability Integration for more information.
    • The Tenable for Vulnerability Response application by Tenable is created and maintained by Tenable. See their documentation at Tenable for Vulnerability Response.
    During integration execution, multiple processes are generated, and data is received in the form of pages. Each process can contain one or more import queue entries with attached data in pages. These entries must process the data within the one-hour time limit. However, if the payload size is large, the processing time may exceed one hour or get stuck, resulting in an integration timeout error. The integration continues to process the data despite the timeout error. To avoid this miscommunication, starting from version 18.2.4 of Vulnerability Response, timestamps (heartbeats) are sent periodically to indicate if the queue is active and processing data. The Last Record Processed field in the Import Queue Entry page is updated based on the count of records the import queue creates or updates. In case an import queue entry exceeds the one-hour time limit, the system checks the Last Record Processed field to see if it is also older than one hour. If it is, this indicates that the import queue entry is stuck, and it is timed out to prevent any further delays in processing.
    Note:
    The Last Record Processed field is updated based on what is defined in the following system properties:
    • sn_sec_cmn.record_threshold_heartbeat: Defines the number of processed records, after which the heartbeat (timestamp) is sent to the import queue entry.
    • sn_sec_cmn.maximum_heartbeat_delay: Defines the time after which the import queue entry must be timed out.
    Starting from VR v17.1, the following integration process state names have been updated:
    State name prior to V17.1 State name V17.1 onwards
    Processing Retrieving
    WaitComplete Waiting/Processing
    Note:
    You can view the attachments that are downloaded and processed. When the status of the integration run is waitcomplete, it displays the percentage of integration that is complete.

    Vulnerability Response applications and CSDM tables

    The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications. See Vulnerability Response applications and CSDM tables for more information.

    Manually created integrations

    You can add other integrations that are not available as ServiceNow Store applications, as needed. See Manually create a vulnerability integration for more information.