CISA Known Exploit Vulnerability (KEV) Integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of CISA Known Exploit Vulnerability (KEV) Integration

    The CISA Known Exploit Vulnerability (KEV) Integration enhances the Vulnerability Response module by ingesting data from the CISA catalog, enabling effective prioritization and remediation of actively exploited vulnerabilities for both government agencies and corporations. This integration automatically updates your ServiceNow instance, ensuring your vulnerability management processes are informed by the latest threat intelligence.

    Show full answer Show less

    Key Features

    • Data Enrichment: Integrates CISA data to enrich Common Vulnerabilities and Exposures (CVE) information, which is reflected in the Third-Party Vulnerability Entries table.
    • Known Ransomware Identification: Incorporates a new field for identifying CVEs known to be used in ransomware campaigns, allowing for prioritized remediation efforts.
    • Automated Scheduling: The integration runs as a daily scheduled job, with the option to execute jobs manually, maintaining synchronization with vulnerability management systems.
    • Configuration: A run-as user is configured for integration, with a default value of VR.System that should not be modified.

    Key Outcomes

    By utilizing the CISA KEV Integration, ServiceNow customers can expect improved vulnerability prioritization, enhanced situational awareness regarding ransomware risks, and streamlined remediation processes. This ultimately leads to a more robust security posture and better protection against actively exploited vulnerabilities.

    The Vulnerability Response integration with the CISA Known Exploited Vulnerabilities (KEVs) catalog ingests data to help you effectively prioritize and remediate these vulnerabilities.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    CISA enables urgent and prioritized remediation of actively exploited vulnerabilities for government agencies and corporations.

    About CISA

    Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. Cybersecurity & Infrastructure Security Agency that publishes a report on the most exploited vulnerabilities. It easily integrates with Vulnerability Response to map Common Vulnerabilities and Exposures (CVE) vulnerabilities enriching the data in your instance. This information is then rolled up to the Third-Party Vulnerability Entries table. The earliest due date is considered for the roll-up to the vulnerable items.
    Note:
    The CISA Exists check box for CVEs retrieved by CISA.
    Values retrieved from the CISA integration:
    • CVE ID
    • Due date
    • Date added
    • Vendor/Project
    • Product
    • Known ransomware (starting from v21.0 of Vulnerability Response, a new field Known To Be Used in Ransomware Campaigns is ingested from the CISA Known Exploited Vulnerabilities (KEVs) catalog. It’s indicated by the flagging of the Known ransomware field on the National Vulnerability Entry database table. The flag is set at the Common Vulnerabilities and Exposures (CVE) level and rolled up to the third-party entry (TPE).

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Scheduled jobs

    The CISA Integration is invoked automatically as a daily scheduled job. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Available versions

    Release version Release Notes

    Vulnerability Response v16.5, v18.0

    Vulnerability Response Integration with CISA v1.0, v1.2

    Viewing the CISA integration

    To view the CISA integration, navigate to Vulnerability Response > Administration > Integrations > CISA Known Exploit Vulnerability Integration.

    The following integrations are included in the base system.
    Note:
    Only the CISA Integration is active, by default.
    Table 1. CISA integration
    Integration Description
    Cybersecurity & Infrastructure Security Agency (CISA) Integration Retrieves CISA vulnerability data (CVE) and enriches the existing vulnerability data. This integration is set automatically to run daily.

    To view data in third-party vulnerabilities, see View Vulnerability Response vulnerability libraries.