Severity mapping for Vulnerability Response

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Severity mapping for Vulnerability Response

    ServiceNow Vulnerability Response provides integrated severity mapping for various third-party vulnerability data sources. It normalizes and maps severity data received from integrations like National Vulnerability Database (NVD), Rapid7, Qualys, Tenable.io, Tenable.sc, and Microsoft TVM. These mappings ensure consistent severity representation within ServiceNow, aiding in prioritization and response management.

    Show full answer Show less

    Severity Mapping Details

    • Normalized Severity: For all integrations, the normalized severity is calculated based on the severity from the snvulnvdentry table. This is applied using Business Rules that update the normalized severity on the snvulentry table.
    • Source Severity: Each integration maps its native severity data to the sourceseverity table during integration runtime, ensuring raw severity data is retained for reference.
    • Priority: Priority values are mapped from specific data fields depending on the integration, often facilitated by Business Rules running in the background to automate mapping.
    • VPR (Vulnerability Priority Rating): For Tenable integrations, VPR scores and ratings are also mapped to specific fields (sourceriskscore and sourceriskrating) to reflect vulnerability risk level.

    Integration-Specific Mappings

    • Rapid7: Maps severity from severityscore to sourceseverity. Priority field remains empty.
    • Qualys: Maps severity from SEVERITYLEVEL to sourceseverity. Priority is mapped from the SEVERITY table using Business Rules during the Host Detection integration.
    • Tenable.io: Maps severity from riskfactor to sourceseverity. Severity ID maps to sourceseverity, and VPR data is mapped to risk score and rating fields during plugin integration.
    • Tenable.sc: Maps severity from riskFactor to sourceseverity. Priority is based on severity received during Open Vulnerabilities integration. VPR scores are mapped similarly to Tenable.io.
    • Microsoft TVM: Maps severity from severity table to sourceseverity. Priority field remains empty.

    What This Enables for ServiceNow Customers

    • Consistent and automated severity normalization across multiple vulnerability sources ensures a unified view of risk.
    • Preservation of original source severity data alongside normalized severity allows detailed analysis and auditability.
    • Automated priority mapping helps streamline vulnerability prioritization workflows without manual intervention.
    • The inclusion of VPR data for Tenable integrations provides enhanced risk scoring for informed decision-making.
    • Business Rules run in the background to maintain up-to-date severity and priority mappings as new vulnerability data is ingested.

    Vulnerability Response ships with National Vulnerability Database (NVD) to normalized ServiceNow severity mapping. ServiceNow third-party integrations provide severity mappings upon installation. These maps can be adjusted by changing the fields in existing maps.

    Rapid7 Vulnerability Integration Severity Mapping

    Normalised_Severity

    Calculate normalised_severity on third-part entry using the severity coming from sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on sn_vul_entry table.

    Source_severity

    Data from the severity_score table is mapped to source_severity table while the Rapid7 Vulnerability Integration- API is running.

    Priority

    This field is empty.

    Qualys Vulnerability Integration Severity Mapping

    Normalised_Severity

    Calculate normalised_severity on third-part entry using the severity coming from sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on sn_vul_entry table.

    Source_severity

    Data from the SEVERITY_LEVEL is mapped to the source_severity table while the Qualys Knowledge Base Integration is running.

    Priority

    Data for the Priority field is obtained from SEVERITY table and mapped to priority table while Qualys Host Detection Integration is running using the Business Rule mapped to Qualys Data.

    Note:
    Business Rules run in the background and checks the priority for Qualys and accordingly maps the Priority. So, to map Qualys data, BR is responsible.

    Tenable.io Vulnerability Integration Severity Mapping

    Normalised_Severity

    Calculate normalised_severity on third-part entry using the severity coming from sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on sn_vul_entry table.

    Source_severity

    Data from risk_factor table is mapped to source_severity table while the Tenable.io Plugin Integration is running.

    Priority

    Data from severity_id is mapped to source_severity while the Tenable.io Open Vulnerabilities Integration is running.

    VPR

    Data from score is mapped to Source_risk_score while Tenable.io Plugin Integration is running.

    Data from Calculated from score is mapped to Source_risk_rating while Tenable.io Plugin Integration is running.

    Tenable.sc Vulnerability Integration Severity Mapping

    Normalised_Severity

    Calculate normalised_severity on third-part entry using the severity coming from sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on sn_vul_entry table.

    Source_severity

    Data for riskFactor table is mapped to source_severity while the Tenable.io Plugin Integration is running.

    Priority

    Data from severity received as "severity": { "id": "0", "name": "Info", "description": "Informative" } is mapped to source_severity while the Tenable.io Open Vulnerabilities Integration is running.

    VPR

    Data from vprScore is mapped to Source_risk_score while Tenable.io Plugin Integration is running.

    Data from Calculated from vprScore is mapped to Source_risk_rating while Tenable.io Plugin Integration is running.

    TVM Severity Mapping

    Normalised_Severity

    Calculate normalised_severity on third-part entry using the severuty coming from sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on sn_vul_entry table.

    Source_severity

    Data from severity table is mapped to source_severity while Microsoft TVM Vulnerability(CVE) Integration is running.

    Priority

    This field is empty.