Understanding the Microsoft Threat and Vulnerability Management Vulnerability integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 8 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Understanding the Microsoft Threat and Vulnerability Management Vulnerability integration

    The Vulnerability Response integration with Microsoft Threat and Vulnerability Management (MS TVM) enables ServiceNow customers to import and manage vulnerability data from MS TVM directly within their ServiceNow AI Platform instance. This integration helps prioritize and remediate vulnerabilities on your assets by importing third-party scanner data and providing actionable insights through dashboards. The integration is available via a separate subscription from the ServiceNow Store and supports multi-source deployments across different MS TVM accounts.

    Show full answer Show less

    Key Features

    • Data Import and Matching: The integration imports vulnerability and asset data from MS TVM and attempts to match vulnerabilities to existing Configuration Items (CIs) in the CMDB. If no match is found, unmatched CIs and vulnerable items are created.
    • CI Lookup Rules: Automated rules (e.g., matching by MAC address, FQDN, IP address) identify and link assets to vulnerabilities, ensuring accurate mapping between MS TVM data and your CMDB. These rules can be configured and disabled but not deleted.
    • Discovered Items and Machine Tags: Assets imported from MS TVM are tracked as discovered items, with machine tags used to organize and filter assets. Tags are case-insensitive and imported as part of the MS TVM Machines integration.
    • Multiple Scheduled Integrations: Daily and weekly scheduled jobs import actionable security recommendations, CVE data, asset information, and vulnerabilities (both full and delta imports) to keep your environment up to date.
    • Remediation and Assignment: Vulnerable items are grouped and assigned to remediation tasks based on your configured group and assignment rules, streamlining vulnerability management workflows.
    • Role-Based Access: The integration requires specific ServiceNow AI Platform roles for installation, configuration, and usage, including admin, vulnerability admin, and roles specific to MS TVM integration configuration and viewing.

    Practical Considerations

    • Enable domain separation by assigning users to specific domains to segregate imported vulnerability data if needed.
    • Run the MS TVM Machines integration before creating assignment or remediation task rules to ensure machine tags are available for filtering and grouping.
    • Disabling machine tags globally affects all ServiceNow AI Platform instances by turning off tag functionality.
    • Use the Setup Assistant within Vulnerability Response for installation and configuration of the MS TVM integration.

    What to Expect

    By leveraging this integration, ServiceNow customers can expect improved visibility into vulnerabilities and asset relationships, enhanced prioritization through actionable recommendations, and streamlined remediation processes. The integration’s automated matching and tagging capabilities ensure your CMDB remains synchronized with MS TVM data, enabling effective vulnerability management across your environment.

    The Vulnerability Response integration with Microsoft Threat and Vulnerability Management (MS TVM) application uses data imported from MS TVM to help you prioritize and remediate vulnerabilities for your assets. The application is available with a separate subscription from the ServiceNow Store.

    You can use the MS TVM Vulnerability integration to import third-party scanner data about your assets and vulnerabilities. You can then view reports about vulnerabilities and vulnerable items on the Vulnerability Response dashboards.

    MS TVM integration workflow that displays installing and configuring the application, viewing the ingested data in your ServiceNow AI Platform instance, and automatically prioritizing and remediating vulnerabilities for your assets.

    Available versions

    Release version Release notes

    Vulnerability Response Integration with MS TVM v2.2

    For more information about released versions of the Vulnerability Response application, compatibility, and schema changes, see the Vulnerability Response Compatibility Matrix and Release Schema Changes [KB0856498] article in the HI Knowledge Base.

    Domain separation and MS TVM

    Import vulnerability integration data to a specified domain by assigning a user in that domain to run the integrations. To create domain-separated imports for the MS TVM Vulnerability Integration, see Create domain-separated imports for an integration.

    Terms and key features of the integrations

    Vulnerable items and vulnerabilities
    A vulnerable item is created in your ServiceNow AI Platform instance when:
    • An imported vulnerability from a third-party scanner is matched to an existing asset (configuration item) in your CMDB). The MS TVM product refers to these matches as vulnerabilities.
    • An imported vulnerability from a third-party scanner is not matched to an existing asset in your CMDB. In this case, an unmatched configuration item (CI) is also created with a vulnerable item.

      Use the Identification and Reconciliation Engine (IRE) to create CIs in two new classes when an existing CI can't be matched with a host. Otherwise, unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine.

    Third-party vulnerability entries
    Third-party vulnerability entries are imported from third-party scanners such as MS TVM and are listed in the Third-Party Vulnerability Entries table in your ServiceNow AI Platform instance. Also, National Vulnerability Database entries (CVEs) are imported from MS TVM. The exploit information that is associated with both these types of entries comes from MS TVM. This exploit information can be used for risk calculation.
    Note:
    A third-party vulnerability is retrieved only for vulnerabilities that do not have a CVE assigned to them. MS TVM can add a temporary name for the vulnerability, for example, TVM-XXXX-XXXX. This name is updated after a CVE ID is assigned.
    Configuration item (CI)
    CIs are the existing assets that are listed in your CMDB.
    Discovered item
    Discovered items are the assets that are ingested from the MS TVM machine import that match existing CIs in your CMDB.

    If a match is not found, a CI is created in the Unmatched CI class of the CMDB. Enable the CMDB CI Class Models plugin, the Identification and Reconciliation Engine (IRE) creates CIs by using new classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. If the original, unmatched CI is reclassified, the discovered item records are updated to reflect that state. Discovered items give you visibility into how assets are identified and mapped to CIs in the CMDB.

    CI lookup rules
    When data is imported from MS TVM, Vulnerability Response automatically uses machine (asset) data to search for matches in the CMDB. CI lookup rules are used to identify CIs and to add them to VI records when VIs are created.
    Instance
    An instance refers to multiple accounts of MS TVM. Each account can be an instance in the MS TVM application.
    Integration
    An integration is a scheduled job that retrieves information from a third-party source, such as the integration of the MS TVM machines.
    Deployment
    When an integration supports multi-source, a single integration existence is referred to as a deployment of your integration. A deployment refers to the integrations and products across your environment. For example, you might have multiple deployments of MS TVM in your environment.

    The MS TVM integration also includes the following key features:

    • You can identify the assets across your environment and update the CIs on your existing discovered items, vulnerable items, and detection records to give you more details about your vulnerabilities.
    • You can schedule when you want the jobs to run for all the MS TVM integrations. You can also execute scheduled jobs on-demand.
    • You can group vulnerable items.
    • You can configure CI lookup rules to define how the asset data from third-party sources is used to identify CIs in your CMDB.

    Required ServiceNow AI Platform roles

    The integration tasks require the following roles in your ServiceNow AI Platform instance.

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    admin
    The system admin uses Setup Assistant to install the MS TVM application. If not assigned, the admin assigns the vulnerability admin (sn_vul.vulnerability_admin) and other roles in Setup Assistant.
    sn_vul.vulnerability_admin
    Once assigned, the vulnerability admin completes the configuration of the MS TVM integrations in Setup Assistant. This role has complete access to the Vulnerability Response application and its records. The vulnerability admin configures all Vulnerability Response applications and rules for installed third-party integrations.
    sn_vul_msft_tvm.configure_integration

    This role contains the sn_vul_msft_tvm.read_integration granular role. Users with this role can configure the  Vulnerability Response Integration with the Microsoft Threat and Vulnerability Management application.

    sn_vul_msft_tvm.read_integration

    Users with this role can only view the  Vulnerability Response Integration with the Microsoft Threat and Vulnerability Management application records.

    Vulnerability Response group
    By default, the Vulnerability Response group is available in Setup Assistant. Users assigned to the Vulnerability Response group inherit the sn_vul.read_all and sn_vul.remediation_owner roles automatically.

    MS TVM integrations

    Multi-source is supported for all the MS TVM integrations. You can add and deploy multiple instances of the following integrations across your environment from Setup Assistant in Vulnerability Response. You also install and configure the Vulnerability Response Integration with the MS TVM application from Setup Assistant.

    To view the MS TVM integrations, navigate to Microsoft TVM Vulnerability Integration > Administration > Integrations. Vulnerability Response provides integrations with MS TVM end points to import the data according to the scheduled time intervals. The following integrations are included in the base system.

    Table 1. MS TVM integrations
    Run sequence Schedule Integration Description
    1 Daily Microsoft TVM Recommendations Integration Retrieves a list of all the actionable security recommendations to remediate the vulnerabilities.
    2 Daily Microsoft TVM Vulnerability (CVE) Integration Retrieves a list of the national vulnerability database entries and third-party vulnerability entries, as well as their exploit information.
    3 Daily Microsoft TVM Machines Integration Retrieves all asset (machine) data, including machine tags, from the Microsoft TVM and processes it in your instance.
    4 Weekly
    Note:
    After installation, this integration is run automatically after the machines import.
    		 Microsoft TVM Machines Vulnerabilities Integration (Full Import) Retrieves all the open vulnerabilities on all the assets.
    5 Daily Microsoft TVM Machines Vulnerabilities Integration (Delta Import) Retrieves all the information that has changed in the full vulnerability import of the organization, including the new, fixed, and updated vulnerabilities.

    Vulnerable items are grouped into remediation tasks according to the group rules that you set and are assigned for remediation based on your assignment rules. For more information, see Vulnerability Response remediation tasks and remediation task rules overview and Vulnerability Response assignment rules overview.

    CI lookup rules

    When data is imported from MS TVM, Vulnerability Response automatically uses machine (asset) data to search for matches in the Configuration Management Database (CMDB). CI lookup rules are used to identify CIs and add them to VI records when VIs are created. For more information on how CI lookup rules work, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.
    Note:
    Once you remove a rule, you can't recover it. Instead of removing an existing rule, you should disable it.
    The following MS TVM lookup rules are shipped with the base system:
    • MAC_ADDRESS
    • FQDN
    • IP
    Note:
    You can use multiple values for the IP_ADDRESS and MAC_ADDRESS of an asset. A CI lookup rule considers all values for matching.

    Discovered items

    You can see the CIs that were detected during an import from the MS TVM Machines integration.
    Note:
    The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.
    For more information, see Discovered Items.

    Machine tags

    Machine tags, also known as host tags, are used for organizing and tracking the assets in your organization. You assign tags to your machines.

    All machine tags are imported as part of the MS TVM Machines integration. Machine tags are generally used for filtering in Vulnerability Response assignment rules and vulnerability group rules. The tags are displayed in the Discovered Item form.
    Note:
    Run the MS TVM Machine integration before you create Vulnerability Response assignment or remediation task rules in the Vulnerability Response application so that all tags are available for these rules before vulnerable items are imported and grouped. Also note the following points about tags:
    • Tag storage is not case sensitive. If a Paris tag is created, then a PARIS tag cannot be stored in the Machine tag table. Paris and PARIS are considered to be the same machine tag by the system. Whichever tag is imported first is the tag that is stored and recognized.
    • Using machine tags as a group key in a remediation task rule may have unexpected results. Group keys are columns in the remediation tasks table, whereas machine tags are intended for use only in the condition builder.
    • Machine tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Disabling tags disables them across all ServiceNow AI Platform® instances.

    What to do next

    After you download the Vulnerability Response integration with Microsoft Threat and Vulnerability Management from the ServiceNow® Store, installation and configuration are supported by Setup Assistant in Vulnerability Response. For more information, see Install and configure the Vulnerability Response Integration with the MS TVM application using Setup Assistant.