Vulnerability Response integrations

Versão de lançamento: Australia

Atualizado 12 de mar. de 2026

6 min. de leitura

Vulnerability Response includes support for third-party integrations. Included in this section are some basic guidelines for developing your own integrations.

Third-party integrations

Starting with v30.0 of Vulnerability Response, monitor installed integrations within the Security Exposure Management Workspace Administration console. Administrators can now view and troubleshoot integration run statuses for installed third-party applications, ensuring better visibility and operational health. For more information, see Review Unified Security Exposure Management integrations.

Imported vulnerabilities from the National Vulnerability Database (NVD) and detection data from third-party scanners are reconciled with the assets in your CMDB. When an imported vulnerability matches an existing asset, a vulnerable item is created. Vulnerable items are grouped automatically into tasks for remediation, risk-scored with business context, prioritized and assigned to appropriate teams for remediation.

Nota:

Third-party integrations are treated separately. If more than one third-party integration application is in use in your environment there is no vulnerable item (VI) deduplication across integrations. For example, VI deduplication between Rapid7 and Qualys is not available.

However, mismatches in detection count between a third-party scanner (for example, Qualys) to VIs in your ServiceNow instance are expected, since we dedupe across IPs, ports and so on.

The following table provides a list of Vulnerability Response infrastructure integrations created by ServiceNow® and partners to import vulnerabilities and create vulnerable items.

Tabela 1. Vulnerability Response - Infrastructure Integrations
Vendor	Vendor product	Integration summary	Key features	Built by
Tenable	Tenable.io Tenable.sc	Match assets and import third-party vulnerabilities to create vulnerable items. Nota: Tenable.io doesn’t support launching rescan on agent-based machines.	Vulnerability rescan Solution data Third-party definitions Tagging	ServiceNow®
Rapid7	Rapid7 InsightVM	Match assets, import third-party vulnerabilities to create vulnerable items.		ServiceNow®
Qualys	Qualys VMDR	Match assets, import third-party vulnerabilities to create vulnerable items.	Rescan on-demand.	ServiceNow®
CrowdStrike	Crowdstrike Falcon Spotlight	Match assets and use NVD to create vulnerable items.	NVD definitions. Supports tag-based filtering on import.	Partner
Microsoft	Microsoft Defender Vulnerability Management	Match assets and import endpoint vulnerabilities to create vulnerable items.	Third-party definitions.	ServiceNow®
Microsoft	Microsoft Defender for IoTMicrosoft Azure Defender for IoT	Import vulnerabilities into ServiceNow Operational Technology Vulnerability Response and take risk-based action with production process context		ServiceNow®
Cisco (Kenna)	Kenna.VM	Match assets and use NVD to create vulnerable items. Includes Kenna risk score.	NVD definitions Solution data	Partner
Tanium	Comply	Match assets and import third-party vulnerabilities to create vulnerable items.		Partner
Orca	Orca Security	Match assets and import third-party vulnerabilities to create vulnerable items.		Partner
Onapsis	Onapsis for SAP Vulnerabilities	Match assets and import third-party vulnerabilities to create vulnerable items for SAP assets and applications		Partner
Synack	Synack Red Team	Import vulnerabilities from Synack.		Partner
Wiz	Wiz	Match cloud assets and import third-party vulnerabilities to create vulnerable items.		Partner
Lacework	Lacework	Import infrastructure vulnerabilities from cloud asset sources.	Supports vulnerability calculator and filtering by severity.	Partner
Recorded Future	Attack Surface Intelligence for VR	External attack surface assets and exposures imported into ServiceNow Vulnerability Response. Create vulnerable Items from external asset detections. Includes Recorded Future threat and vulnerability enrichment.		Partner
Mandiant	Mandiant Attack Surface Management	Import information about vulnerabilities and vulnerable items from the Mandiant Attack Surface Management platform.		Partner
IBM	Security Guardium	Integrate IBM Guardium database vulnerability scan results with ServiceNow®.		Partner
CyCognito	CyCognito SaaS	Import issues and assets from Cycognito SaaS platform		Partner
VMware	Carbon Black Cloud	Ingest vulnerability data and context from VMwareCarbon Black Cloud. Create configuration items from Carbon Black Cloud endpoints and workload.		Partner
Nucleus	Vuln Management	Import findings from Nucleus Security. Auto-update vulnerable items. Bi-directional update via comments field. Map custom fields.		Partner
InfoSec Global (ISG)	AgileSec Analytics	Import vulnerability findings on Cryptographic assets. Cryptographic Keys, Keystores, and Libraries.		Partner
Censys	External Attack Surface Management	Scan, discover, and catalog vulnerabilities on internet-facing assets.		Partner

For information about third-party integrations supported by Application Vulnerability Response see, Integrating Application Vulnerability Response with other applications

CISA Known Exploit Vulnerability (KEV) Integration
Understanding the Microsoft Threat and Vulnerability Management Vulnerability integration
Understanding the HCL BigFix patch orchestration integration with Vulnerability Response
Understanding the Vulnerability Response patch orchestration integration with Microsoft SCCM
Understanding the NVD integrations
Qualys Vulnerability Integration
Understanding the Rapid7 Vulnerability Integration
Shodan Exploit Integration
Understanding the Tenable Vulnerability Integration
Microsoft Security Response Center Solution Integration
The Microsoft Security Response Center Solution Integration is available with Vulnerability Solution Management. For information on the installation and configuration of the Microsoft Security Response Center Solution Integration and the Red Hat Solution Integration, see Install the Solution Management for Vulnerability Response application. You can configure, edit, schedule, and launch on-demand the Microsoft Security Response Center Solution Integration and the Red Hat Solution Integration from within the Setup Assistant.

Additional notes for integrations

If multiple deployments are supported for an integration, see Create domain-separated imports for an integration.

You can install, configure, schedule, and launch on-demand many of the integration applications from within Setup Assistant.
You can install the Rapid7 Vulnerability Integration application from Setup Assistant, but configuration is not supported for this integration from within the Setup Assistant. See Install the Rapid7 Vulnerability Integration for more information.
The Tenable for Vulnerability Response application by Tenable is created and maintained by Tenable. See their documentation at Tenable for Vulnerability Response.

During integration execution, multiple processes are generated, and data is received in the form of pages. Each process can contain one or more import queue entries with attached data in pages. These entries must process the data within the one-hour time limit. However, if the payload size is large, the processing time may exceed one hour or get stuck, resulting in an integration timeout error. The integration continues to process the data despite the timeout error. To avoid this miscommunication, starting from version 18.2.4 of Vulnerability Response, timestamps (heartbeats) are sent periodically to indicate if the queue is active and processing data. The Last Record Processed field in the Import Queue Entry page is updated based on the count of records the import queue creates or updates. In case an import queue entry exceeds the one-hour time limit, the system checks the Last Record Processed field to see if it is also older than one hour. If it is, this indicates that the import queue entry is stuck, and it is timed out to prevent any further delays in processing.

Nota:

The Last Record Processed field is updated based on what is defined in the following system properties:

sn_sec_cmn.record_threshold_heartbeat: Defines the number of processed records, after which the heartbeat (timestamp) is sent to the import queue entry.
sn_sec_cmn.maximum_heartbeat_delay: Defines the time after which the import queue entry must be timed out.

Starting from VR v17.1, the following integration process state names have been updated:


State name prior to V17.1	State name V17.1 onwards
Processing	Retrieving
WaitComplete	Waiting/Processing

Nota:

You can view the attachments that are downloaded and processed. When the status of the integration run is waitcomplete, it displays the percentage of integration that is complete.

Starting from v22.1.2 of Vulnerability Response, you can exclude vulnerabilities from getting ingested using exclusion rules. Additionally, when you run Rapid7, Qualys, Tenable for Vulnerability Response, Microsoft Defender Vulnerability Management integrations or manually ingest vulnerabilities, you can view the number of detections that were excluded. This information can be accessed in the Detections tab on the Integration run screen. For more information, see and Create an exclusion rule.

Vulnerability Response applications and CSDM tables

The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications. See Vulnerability Response applications and CSDM tables for more information.

Manually created integrations

You can add other integrations that are not available as ServiceNow Store applications, as needed. See Manually create a vulnerability integration for more information.