Patch orchestration with Vulnerability Response

  • Release version: Australia
  • Updated March 12, 2026

    You can manage patches and patch deployments for critical vulnerabilities for large groups of your assets with Patch orchestration with Vulnerability Response. Vulnerability Response Patch Orchestration and the patch orchestration integrations are available on the ServiceNow® Store.

    Understanding patch orchestration with Vulnerability Response

    Patch orchestration with Vulnerability Response uses data from scheduled imports from third-party solution integrations, patch vendors, and vulnerability scanners. This data is correlated in the Vulnerability Response application, and that correlation lets you complete the steps of the vulnerability remediation cycle: identify vulnerabilities, apply patches and updates, and finally close vulnerable items using third-party scanner data, all from within your ServiceNow AI Platform® instance.

    Patch orchestration overview image that shows the following stages: install, configure, import data, view, and use.

    Patch orchestration with Vulnerability Response is supported in both the classic environment and the Vulnerability Response workspaces.

    For information about patch orchestration in the workspaces, see Patch orchestration with the Vulnerability Response Workspaces.

    With patch orchestration in Vulnerability Response, vulnerability managers and analysts and IT remediation specialists can perform the following remediation tasks:
    • See more context and information about the types of patches and vendors that make up their solutions (patches).
    • View and monitor vulnerability and solution data, as well as vulnerability remediation progress from records in the Vulnerability Response Workspaces or in the classic environment.
    • Deploy patches supported by third-party solution vendors for their Windows, CentOS, macOS, Oracle, and other assets at regular, scheduled intervals. You can schedule patches during off-hours to avoid conflicts with users who are working.
    • Using imported detection data provided by third-party scanners, identify assets that have vulnerabilities and are not patched or are not successfully updated by scheduled patches.
    • Initiate and schedule available patches for assets that require updates from Patch Update, remediation task, and discovered item records in the Vulnerability Response application.
    • Monitor patch deployments with an optional approval process for patch requests submitted by your remediation specialists.

    Key terms

    Configuration item (CI)
    CIs are the existing assets that are listed in your Configuration Management Database (CMDB).
    Vulnerable item (VI)
    An imported vulnerability that matches an existing asset in your CMDB. Vulnerable items (VITs) are grouped into remediation tasks, or lists, according to certain criteria that specify remediation actions for VIs.
    Instance
    Refers to a distinct account of a solution vendor application. For example, each user account can be an instance in the HCL BigFix application. This term also refers to a unique, secure web address for a ServiceNow AI Platform® instance.
    Solution
    There are two types of solutions in the context of this integration: potential and preferred. A potential solution is one that might address a vulnerability; vulnerabilities often have many potential solutions. A preferred solution is the most effective solution for a specific, detected vulnerability.
    Patch
    Software updates that fix vulnerabilities. Patch vendors use their own names for patches; for example, in the HCL BigFix application, patches are called Fixlets.
    Preferred patch
    Preferred patches are software updates that are intended to fix specific vulnerabilities. Patches, once deployed, map to the vulnerable items that are related to specific vulnerabilities and fix them.
    Deployment
    Deployment for the purposes of this integration refers to when you apply, initiate, or schedule a patch to a machine.

    Deployment in the ServiceNow AI Platform can also refer to one installed instance of an integration that supports multiple sources (multi-source). Each separate installation of an integration is a deployment of that integration, and together the deployments make up the integrations and products across your environment. For example, you might have multiple deployments of a third-party scanner or a solution vendor integration in your environment.

    Available versions of applications and dependencies required for the patch orchestration integration

    Roles required

    Users need roles that are specific to the patch orchestration integration you are using to view data and schedule patches from the Vulnerability Response application. See the configuration information for the supported integrations you are using listed below for more information.

    The applications include a submission and approval process for patch requests. By default, the system property [sn_vul_patch_orch.patch_approval_required] is activated in the Vulnerability Response Patch Orchestration application in your ServiceNow AI Platform instance.

    This system property is activated so that when patch deployments are scheduled, they are submitted for review and approval to users assigned to the Level 1 - Patch update approval group. If you want users with the sn_vul_patch_orch.configure_patch role to schedule patches without approval, you can deactivate the [sn_vul_patch_orch.patch_approval_required] property. You might prefer to leave approvals activated so that scheduled patches do not conflict with normal working hours. If you deactivate the approval system property, any user with the sn_vul_patch_orch.configure_patch role can schedule and deploy patches without review and approval.

    For more information, and how to deactivate this system property, see the configuration topic for your supported integration.
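    The approval gate described above, as an added plain-JavaScript model (not ServiceNow's code and not a ServiceNow server script): the property, role, and approval group names come from this page, while the record shape, the user directory, and the 08:00-18:00 working-hours window are assumptions.

```javascript
// Added example (not ServiceNow's code): a plain-JavaScript model of the
// patch-request approval gate. Property, role and group names are from the
// page; the user directory, record shape and working-hours window are assumed.
const PROP = 'sn_vul_patch_orch.patch_approval_required';
const ROLE = 'sn_vul_patch_orch.configure_patch';
const APPROVAL_GROUP = 'Level 1 - Patch update approval';

// Constructed stand-ins for the system property table and the user directory.
const sysProperties = { [PROP]: 'true' };
const users = {
  alice: { roles: [ROLE], groups: [] },            // remediation specialist
  bob:   { roles: [], groups: [APPROVAL_GROUP] },  // approver
  carol: { roles: [], groups: [] },                // no patch roles at all
};

// Assumed working hours 08:00-18:00: flag windows that overlap them so an
// approver can spot a deployment that would conflict with people at work.
function overlapsWorkingHours(startHour, endHour) {
  return startHour < 18 && endHour > 8;
}

// Schedule a deployment. The role is always required; the property decides
// whether the request waits for the approval group or is scheduled directly.
function scheduleDeployment(userId, deployment) {
  const user = users[userId];
  if (!user || user.roles.indexOf(ROLE) === -1) {
    return { state: 'rejected', reason: 'missing ' + ROLE };
  }
  const approvalRequired = sysProperties[PROP] === 'true';
  return {
    state: approvalRequired ? 'pending_approval' : 'scheduled',
    requestedBy: userId,
    conflictsWithWorkHours: overlapsWorkingHours(deployment.startHour, deployment.endHour),
  };
}

// Approve a pending request; only members of the Level 1 group may do so.
function approveDeployment(approverId, request) {
  if (request.state !== 'pending_approval') return request;
  const approver = users[approverId];
  if (!approver || approver.groups.indexOf(APPROVAL_GROUP) === -1) {
    return Object.assign({}, request, { lastError: approverId + ' is not in ' + APPROVAL_GROUP });
  }
  return Object.assign({}, request, { state: 'scheduled', approvedBy: approverId });
}
```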

    Schedule patches from Vulnerability Response records

    Remediation specialists can schedule patch updates to resolve vulnerable items and monitor remediation progress all from records in the Vulnerability Response application.

    You can schedule patches from the following records:

    • Patch Update
    • Remediation task
    • Discovered item

    Records that roll up active VI counts in Vulnerability Response

    To avoid potential performance issues with rolling up all the patches to all the vulnerabilities, the scheduled job that picks up changes only modifies the active VI count. These count changes and related data are rolled up to the following records in the Vulnerability Response application:

    • VIT (vulnerable item)
    • RT (remediation task)
    • Vulnerability solution
    • Patch Update
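    The incremental roll-up described above, as an added plain-JavaScript model (not ServiceNow's scheduled job): the target record types come from this page, while the record shapes, the field names, and the sample vulnerable items are constructed.

```javascript
// Added example (not ServiceNow's code): a model of the active-VI-count
// roll-up. Only the target record types come from the page; record shapes,
// field names and sample data are constructed.

// Constructed vulnerable items. Each maps to one remediation task (RT), one
// vulnerability solution and one patch update record.
const vulnerableItems = {
  VIT001: { active: true,  rt: 'RT1', solution: 'SOL-A', patchUpdate: 'PU-KB1' },
  VIT002: { active: true,  rt: 'RT1', solution: 'SOL-A', patchUpdate: 'PU-KB1' },
  VIT003: { active: true,  rt: 'RT2', solution: 'SOL-B', patchUpdate: 'PU-KB2' },
  VIT004: { active: false, rt: 'RT2', solution: 'SOL-B', patchUpdate: 'PU-KB2' },
};
const ROLLUP_FIELDS = ['rt', 'solution', 'patchUpdate'];

// Full recomputation: walks every VI. Kept here only to verify the
// incremental job; it is the expensive path the scheduled job avoids.
function rebuildCounts(items) {
  const counts = {};
  for (const vi of Object.values(items)) {
    if (!vi.active) continue;
    for (const f of ROLLUP_FIELDS) counts[vi[f]] = (counts[vi[f]] || 0) + 1;
  }
  return counts;
}

// Incremental job: touches only the VIs whose active flag changed and adjusts
// each parent record's active VI count by +1/-1 instead of rescanning all VIs.
function applyActiveChanges(items, counts, changes) {
  for (const { id, active } of changes) {
    const vi = items[id];
    if (!vi || vi.active === active) continue;  // no transition, nothing to roll up
    const delta = active ? 1 : -1;
    for (const f of ROLLUP_FIELDS) counts[vi[f]] = (counts[vi[f]] || 0) + delta;
    vi.active = active;
  }
  return counts;
}
```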

    For more information about viewing patch data and patch data roll up to records, and viewing patches without solutions, see the following topics.

    Bulk edit vulnerable items with patches

    You can bulk edit vulnerable items that have patches in the classic environment. For more information about how bulk editing works, see Edit vulnerable items in bulk in Vulnerability Response. This option edits the preferred patches for all the VIs selected for bulk edit, and it only works if preferred patches are mapped to all the selected VIs.

    Patch Management Data Model Enhancements

    The Patch Management Data Model plugin is a standalone, free plugin that encapsulates the data model currently used in the VR Patch Orchestration application. This includes key tables such as Collection, Patch Update, Patch Deployment, and others.

    Patch management tools can use this plugin to ingest Patch Management data for use by applications such as ITSM and Vulnerability Response in their existing workflows.

    Key Enhancements:
    • Tables such as the collection device, patch update, and patch deployment tables in the existing patch orchestration plugin will be moved to the new data model plugin.
    • The data from the old tables will be migrated to the new tables for the existing VR patch orchestration feature.