Configuring Vulnerability Response using the Setup Assistant

Release version: Australia

Updated April 28, 2026

5 minutes to read

Summarize

Summarized using AI

Summary of Configuring Vulnerability Response using the Setup Assistant

The Setup Assistant in ServiceNow guides you through configuring Vulnerability Response (VR) and supported third-party integrations efficiently. It centralizes key setup steps, from user role assignments to integration configurations, enabling you to deploy VR with minimal manual effort. This process requires two roles:adminandvulnerability admin.

Show full answer Show less

System Administration

Using the Setup Assistant, administrators assign VR personas and granular roles to users and groups to control access and capabilities within the VR application. Key roles include:

snvul.admin for VR administration and configuration tasks.
snvulvulnerabilitywrite for creating and updating remediation tasks and vulnerable items.
snvulvulnerabilityread for viewing remediation tasks and vulnerability data.
Users with the itil role automatically receive permissions to view assigned remediation tasks without extra role assignments.

The Setup Assistant also supports installing third-party integration applications that extend VR capabilities. This includes integrations with scanners and solution providers.

Vulnerability Response Settings

Vulnerability administrators or admins define global settings and rules that govern VR behavior:

Vulnerability Assignment Rules: Automatically assign remediation tasks. A baseline rule is provided, and changes can be scheduled via a "Reapply all vulnerability assignment rules" job to maintain consistency.
Remediation Task Rules: Automatically create remediation tasks based on defined criteria. Rules can be reapplied or deleted with options to manage existing open groups.
Risk Calculators: Enable and customize scoring to prioritize vulnerabilities effectively. Several calculators come preconfigured.
Remediation Target Rules: Define categories and targets for remediation efforts.

Integration Configuration

The Setup Assistant facilitates configuring, scheduling, and managing third-party vulnerability scanner integrations such as Qualys and Tenable. When the Solution Management for Vulnerability Response application is installed, it also supports configuring solution providers like Red Hat and Microsoft Security Response Center.

Multiple deployments of the same integration type are supported via templates, enabling flexible multi-sourced data ingestion.
Deleting original integrations requires selecting new templates; disabling is recommended over deletion to maintain template availability.
Rapid7 InsightVM integrations require separate configuration outside Setup Assistant for domain separation.

Additional Considerations

Further setup and configuration tasks not covered by the Setup Assistant may be necessary. Refer to additional documentation for comprehensive configuration guidance beyond the assistant's scope.

Setup Assistant walks you through setting up Vulnerability Response and certain third-party integrations for your environment. Setup Assistant provides almost everything you need to install and set up your environment so that you can use Vulnerability Response.

Setup Assistant functionality with System Administration, Vulnerability Response Settings, and Integration Configuration sections. — Figure 1. Setup Assistant functionality

Using Setup Assistant requires two different ServiceNow AI Platform® roles: admin and vulnerability admin.

Refer to the following sections to supplement the instructions and prompts provided in Setup Assistant.

System Administration - assign users and groups and install integration applications

Role required: admin

A list of users and integrations should be obtained from the Vulnerability Manager prior to beginning these tasks.

Navigate to All > Vulnerability Response > Administration > Setup Assistant.
In the first section, System Administration, the admin the assigns roles to users and groups and installs supported integrations.
Assign Vulnerability Response personas and roles to users and groups in Setup Assistant.

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.
Assign roles in Setup Assistant.
- Assign the role of sn_vul.admin to users or groups.
- Assign the sn_vul.admin role for Vulnerability Response administration and configuration including vulnerability integrations, remediation task rules, calculators, and time-to-remediate rules.
- Assign the sn_vul_vulnerability_write role for the creation and update of remediation tasks and vulnerable items.
  Note:
  All other users automatically receive Write access only to remediation tasks that are assigned to them.
- Assign the sn_vul_vulnerability_read role to view remediation tasks, vulnerable items, and other vulnerability information.
  Note:
  Users with the itil role are automatically granted the sn_vul.remediation_owner role allowing them to see remediation tasks and vulnerable items assigned to them, vulnerability entries, and, solutions in the Vulnerability Response application on their instance and in the Mobile Agent application. No additional assignment is needed.
Install third-party integration applications.
- See Installation of Vulnerability Response and supported applications and Vulnerability Response integrations for more information about applications that are supported by Vulnerability Response.
- For more information about using setup assistant to install supported apps, see Install Vulnerability Response third-party applications using Setup Assistant.

Vulnerability Response Settings

Role required: sn_vul.vulnerability_admin or sn_vul.admin (deprecated), or admin

In Vulnerability Response Settings, the vulnerability administrator defines application-wide settings and defines rules for Vulnerability Response. Alternatively, the admin can perform these tasks.

Create Vulnerability Assignment Rules.
Create rules that define the automatic assignment of remediation tasks for resolution. At least one rule is shipped with the base system. See for more information.

Note:
The reapply feature requires a baseline application of the rules. Once your rules are created, activate the Reapply all vulnerability assignment rules scheduled job to execute, at your convenience. Otherwise, you will be required to reapply all rules to all Open VIs prior to changing them.

When the job is complete, set the Run field in the scheduled job to fit your environment. Depending on the number of active VIs you have, evaluating and updating them daily can have non-trivial performance impact. For larger environments, consider updating once a week or even once a month.

Reapplying assignment rules does not regroup the vulnerable items.
Create remediation task rules.
Create rules that define the automatic creation of remediation tasks for resolution. At least one rule, Vulnerability, is shipped with the base system. You can reapply the rules from the form or list view.
- When a group rule is deleted, from the form or list view, you have the option to delete all Open groups created by that rule. Groups not in the Open state are excluded.
- See Create a Vulnerability Response CI lookup rule for more information on creating rules for your environment.
- See Exploring the Vulnerability Response application for more information on using Vulnerability Response to remediate vulnerabilities.
Create and enable Risk Calculators.
Enable risk calculators that define how vulnerable items are scored for prioritization. Several risk calculators are shipped with the base system. See Vulnerability Response calculators and vulnerability calculator rules information on creating or editing risk calculators for your environment.
Create Remediation Target Rules.
Create remediation target rules for categories of remediation. At least one rule is shipped with the base system. See Vulnerability Response remediation target rules for more information on creating rules for your environment.

Integration Configuration

Role required: sn_vul.vulnerability_admin or sn_vul.admin (deprecated), or admin.

In the Integration Configuration section, configure, schedule, edit, and launch on-demand the following third-party vulnerability scanner integrations and, if the Solution Management for Vulnerability Response application is installed, solution providers.

See Configure the Qualys Vulnerability Integration using Setup Assistant for more information about configuring the Qualys Vulnerability Integration.
Configuration of the Vulnerability Response Integration with Tenable application is supported. See Configure the Tenable Vulnerability Integration using Setup Assistant.
After you install the Vulnerability Solution Management application, the Solution Integrations option is displayed below Scanner Integrations. Click Solution Integrations to configure your installed vulnerability solution providers from this section of Setup Assistant. The Red Hat Solution Integration and Microsoft Security Response Center Solution Integration are supported.
See Vulnerability Solution Management for more information about installed solutions. See Install the Solution Management for Vulnerability Response application for more information about installation.

See Configure installed solution integrations for Vulnerability Solution Management using Setup Assistant for more information about configuring your installed solutions.
If an integration is multi-sourced, you can have multiple deployments of the same third-party integration.
The settings from your original third-party integration are used as a template for the settings of each new integration.
Note:
If you delete the original vulnerability integration, you have to select another integration to use as your template. Consider disabling the integration instead of deleting it. Integrations created from disabled templates are disabled by default.

Data from each third-party integration is uniquely identified and available in a single instance of Vulnerability Response.

Note:

Multiple vulnerability integrations for Rapid7 InsightVM are not available within Setup Assistant. See Create domain-separated imports for an integration for information on configuring and creating multiple Rapid7 InsightVM integrations.

Additional tasks

See Additional Vulnerability Response setup and configuration tasks for more information on setup tasks not included in Setup Assistant.