Identify applications in Application Vulnerability Response automatically
Summary of Identify applications in Application Vulnerability Response automatically
Application Vulnerability Response (AVR) in ServiceNow automatically identifies applications by matching imported application data from third-party integrations with Configuration Management Database (CMDB) records. This automatic identification supports accurate remediation by linking vulnerabilities to the correct applications.
Key Features
- Lookup Rules: AVR uses lookup rules to find application matches in the CMDB based on imported data fields such as source_app_id and app_name. These rules are evaluated in order of their assigned priority.
- Matching Process: If an application ID match is found, it populates the Application and Application Release fields in the vulnerability record. If no match is found, the system tries the other data fields to identify the application, and if the application is still unmatched, creates a placeholder record with basic details.
- Default Rules: Default lookup rules are provided specifically for the Veracode Vulnerability Integration to facilitate immediate use.
- Rule Behavior: Lookup rules stop processing once a single matching Configuration Item (CI) is found. If multiple matches are returned, only the first is used.
- Rule Management: Rules can be deactivated but not recovered once deleted. They are domain separated and source-specific, allowing different integrations or deployments to have distinct rule sets.
- Performance Considerations: Importing vulnerability data and applying lookup rules can impact system performance. Custom or modified rules should be thoroughly tested to avoid long processing times or resource degradation.
- Audit and Visibility: When a match is found, the rule that identified it is recorded in the CI matching rule field for traceability. Users can add this field to their views for easier monitoring.
Practical Implications for ServiceNow Customers
- Customers integrating vulnerability data can rely on automatic application identification to reduce manual effort and improve accuracy in linking vulnerabilities to applications.
- Understanding and managing lookup rules is critical to ensure proper matches and maintain CMDB integrity.
- Careful construction and testing of custom lookup rules are essential to avoid performance issues and data duplication or orphaned records.
- Default integration support (e.g., Veracode) provides out-of-the-box functionality, but customization may be required for other sources.
When data is imported from a third-party integration, Application Vulnerability Response automatically uses the application data to search for matches in the Configuration Management Database (CMDB). It does this using lookup rules. These rules identify the application for the application vulnerable item (AVI) record to aid in remediation.
As applications are imported, a lookup is performed on the Scanned Application [sn_vul_app_scanned_application] table using source_app_id and app_name to find matches to applications from prior imports. When an application ID match is found, its values are used in the Application and App release fields in the application vulnerable item record.
If a match is not found, or the application ID field is empty, the rules use the other application information to attempt to correctly identify the application. If a match is still not found, a placeholder scanned application record is created with only Application name and Application ID fields.
The Source Application Id and Application Name lookup rules are shipped by default with the Veracode Vulnerability Integration.
To make it easier to troubleshoot matching issues, when a match is found, the lookup rule used to find it is recorded in the CI matching rule field of the Scanned Application record. Click the Update Personalized List gear icon at the top of the Scanned Application list view to add this field to the view.
Importing vulnerability data can be taxing on an instance, and performance issues with resources can occur if rules are not carefully constructed. The logic used to iterate through and perform matching within the CMDB can result in lengthy processing times. To avoid any potential degradation of resources or performance complications, test any custom-written CI lookup rules or modifications to the pre-defined lookup rules. See Prevent duplicate or orphaned records after running Application Vulnerability Response lookup rules for more information on preventing duplicate or orphaned records, deleting data, and cleaning up data.
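The matching flow described above (rules evaluated by priority, processing stopping at the first match, a placeholder created when nothing matches, and the winning rule written to the CI matching rule field), shown as an added, in-memory simulation. This is illustrative code written for this page, not ServiceNow platform code: the table and field names follow the page, but the rule-object shape, the `identifyApplication` and `dryRun` functions, and the sample rows and import batch are constructed assumptions. The `dryRun` helper goes one step beyond the text by counting ambiguous matches and placeholders before a batch is committed, which is the check you would want when testing a custom rule set for duplicate or orphaned records.

```javascript
'use strict';

// Constructed sample rows of the Scanned Application table
// [sn_vul_app_scanned_application] from earlier imports. Two rows share an
// app_name, which is the situation that produces an ambiguous name match.
const scannedApplications = [
  { sys_id: 'sa001', source_app_id: 'VC-1001', app_name: 'Billing Portal', app_release: '2.3', ci_matching_rule: '' },
  { sys_id: 'sa002', source_app_id: 'VC-1002', app_name: 'Inventory API', app_release: '1.0', ci_matching_rule: '' },
  { sys_id: 'sa003', source_app_id: '',        app_name: 'Inventory API', app_release: '1.1', ci_matching_rule: '' },
];

// The two default rules the page names, in priority order (lowest number
// first). The rule-object shape is hypothetical, not the platform's schema.
const lookupRules = [
  { name: 'Source Application Id', priority: 100, importField: 'source_app_id', tableField: 'source_app_id' },
  { name: 'Application Name',      priority: 200, importField: 'app_name',      tableField: 'app_name' },
];

// Apply the rules to one imported application. Returns the record whose values
// would populate the Application / App release fields, the rule that found it,
// whether more than one row matched (only the first is used), and whether a
// placeholder had to be created.
function identifyApplication(imported, table, rules) {
  const ordered = rules.slice().sort((a, b) => a.priority - b.priority);
  for (const rule of ordered) {
    const value = imported[rule.importField];
    if (!value) continue;                        // empty import field: this rule cannot match
    const matches = table.filter(row => row[rule.tableField] === value);
    if (matches.length === 0) continue;          // fall through to the next rule
    const record = matches[0];                   // processing stops at the first match
    record.ci_matching_rule = rule.name;         // recorded for traceability
    return { record, rule: rule.name, ambiguous: matches.length > 1, created: false };
  }
  // No rule matched: placeholder carrying only the name and source id.
  const placeholder = {
    sys_id: 'sa' + String(table.length + 1).padStart(3, '0'),
    source_app_id: imported.source_app_id || '',
    app_name: imported.app_name || '',
    app_release: '',
    ci_matching_rule: '',
  };
  table.push(placeholder);
  return { record: placeholder, rule: null, ambiguous: false, created: true };
}

// Pre-import check: run a batch against a copy of the table and report how many
// rows would be ambiguous or would become placeholders, so a custom rule set can
// be reviewed for duplicate/orphan risk before the real import runs.
function dryRun(batch, table, rules) {
  const copy = table.map(row => Object.assign({}, row));
  const results = batch.map(imported => identifyApplication(imported, copy, rules));
  return {
    results,
    ambiguous: results.filter(r => r.ambiguous).length,
    placeholders: results.filter(r => r.created).length,
    table: copy,
  };
}

// Constructed import batch exercising the three outcomes.
const sampleBatch = [
  { source_app_id: 'VC-1001', app_name: 'Billing Portal (prod)' }, // id match, name differs
  { source_app_id: '',        app_name: 'Inventory API' },         // no id, ambiguous name match
  { source_app_id: 'VC-9001', app_name: 'Payroll Service' },       // unmatched: placeholder
];

function runSampleImport() {
  return dryRun(sampleBatch, scannedApplications, lookupRules);
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = runSampleImport();
  report.results.forEach((r, i) =>
    console.log(`#${i}: ${r.record.sys_id} via ${r.rule || 'placeholder'}` +
                (r.ambiguous ? ' (ambiguous: first of several used)' : '')));
  console.log(`ambiguous=${report.ambiguous} placeholders=${report.placeholders}`);
}
```

Run with `node` to see the three outcomes; the second row is the one to watch, since a name-only match against two existing records means the rule silently picked the first, which is how a custom rule ordering can attach vulnerabilities to the wrong application or accumulate placeholders.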