Identify applications in Application Vulnerability Response automatically
Summary of Identify Applications in Application Vulnerability Response Automatically
Application Vulnerability Response automates the identification of applications by leveraging data imported from third-party integrations. It utilizes Configuration Management Database (CMDB) CI Lookup Rules to find matches for application vulnerable items (AVI) during the remediation process.
Key Features
- CI Lookup Rules: These rules search the CMDB for matches using application attributes such as source_app_id and app_name. If a match is found, relevant information populates the AVI record.
- Placeholder Creation: If no match is found, a placeholder scanned application record is created with the application name and ID.
- Rule Evaluation Order: CI lookup rules are evaluated by the lowest order value first, and they stop once a single match is found.
- Domain Separation: CI lookup rules can be specific to different sources and can support multiple deployments, particularly for the Veracode Vulnerability Integration.
- Performance Considerations: Careful construction of rules is essential to avoid performance issues during data importation.
Key Outcomes
By using the automated identification process, ServiceNow customers can streamline vulnerability management, reduce manual effort, and enhance the accuracy of application identification in their CMDB. Customers are advised to test any custom or modified CI Lookup Rules to prevent resource degradation and ensure efficient processing.
When data is imported from a third-party integration, Application Vulnerability Response automatically uses application data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules identify applications for the application vulnerable item (AVI) record to aid in remediation.
As applications are imported, a lookup is performed on the Scanned Application [sn_vul_app_scanned_application] table using source_app_id and app_name to find matches to applications from prior imports. When an application ID match is found, its values are used in the Application and App release fields in the application vulnerable item record.
If a match is not found, or the application ID field is empty, the rules use the other application information to attempt to correctly identify the application. If a match is still not found, a placeholder scanned application record is created with only Application name and Application ID fields.
The Source Application Id and Application Name lookup rules are shipped with the Veracode Vulnerability Integration, by default.
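The matching sequence described above (ID lookup first, then the other application attributes, then a placeholder record) is easier to reason about as code. The following is an added example in plain JavaScript, not ServiceNow's own implementation: it models the two shipped rules ordered by their `order` value, stops at the first match, records the rule name in the CI matching rule field on a hit, and creates a placeholder Scanned Application holding only the name and ID when nothing matches. The table and field names follow this page (`sn_vul_app_scanned_application`, `source_app_id`, `app_name`); the rule objects, `order` values, and sample records are constructed for illustration.

```javascript
// Added example: a plain-JavaScript model of CI lookup rule evaluation for
// Application Vulnerability Response. Not ServiceNow code; GlideRecord is
// replaced by an in-memory array standing in for the
// sn_vul_app_scanned_application table.

// Constructed stand-in for Scanned Application records from prior imports.
function sampleScannedApplications() {
  return [
    { sys_id: 'sa001', source_app_id: '10001', app_name: 'Payments API',
      app_release: 'v2.3', ci_matching_rule: '' },
    { sys_id: 'sa002', source_app_id: '', app_name: 'Customer Portal',
      app_release: 'v1.0', ci_matching_rule: '' },
  ];
}

// Constructed CI lookup rules modelled after the two shipped with the
// Veracode integration. `order` values are assumed; lower runs first.
const ciLookupRules = [
  { name: 'Application Name', order: 200,
    // Case-insensitive name comparison, only when a name was imported.
    matches: (imported, rec) => imported.app_name !== '' &&
      rec.app_name.toLowerCase() === imported.app_name.toLowerCase() },
  { name: 'Source Application Id', order: 100,
    // Exact ID comparison; an empty imported ID never matches, so the
    // rule falls through to the other application information.
    matches: (imported, rec) => imported.source_app_id !== '' &&
      rec.source_app_id === imported.source_app_id },
];

// Resolve one imported application to the Application / App release values
// that populate the application vulnerable item (AVI) record.
function identifyApplication(imported, rules, table) {
  // Rules are evaluated lowest order first and stop at the first match.
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    const hit = table.find((rec) => rule.matches(imported, rec));
    if (hit) {
      // Record which rule found the match on the Scanned Application.
      hit.ci_matching_rule = rule.name;
      return { matched: true, rule: rule.name,
               application: hit.sys_id, app_release: hit.app_release };
    }
  }
  // No rule matched: create a placeholder with only name and ID populated.
  const placeholder = {
    sys_id: 'placeholder-' + (table.length + 1),
    source_app_id: imported.source_app_id,
    app_name: imported.app_name,
    app_release: '',
    ci_matching_rule: '',
  };
  table.push(placeholder);
  return { matched: false, rule: null,
           application: placeholder.sys_id, app_release: '' };
}

// Usage with constructed imported applications:
const demoTable = sampleScannedApplications();
console.log(identifyApplication(
  { source_app_id: '10001', app_name: 'Payments Service' }, ciLookupRules, demoTable));
console.log(identifyApplication(
  { source_app_id: '', app_name: 'customer portal' }, ciLookupRules, demoTable));
console.log(identifyApplication(
  { source_app_id: '99999', app_name: 'Unknown App' }, ciLookupRules, demoTable));
```

Two points the model makes visible: the ID rule sits at the lower order so a renamed application with a stable source ID still resolves to its existing record before the name rule gets a chance to mis-match, and every import that resolves to nothing adds a placeholder, which is why unmatched imports should be checked for duplicate or orphaned records afterwards.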
To make it easier to troubleshoot matching issues, when a match is found, the CI lookup rule that found it is recorded in the CI matching rule field of the Scanned Application record. Click the Update Personalized List gear icon at the top of the Scanned Application list view to add this field to the view.
Importing vulnerability data can be taxing on an instance and performance issues with resources can occur if rules are not carefully constructed. The logic used to iterate through and perform matching within the CMDB can result in lengthy processing times. To avoid any potential degradation of resources or performance complications, test any custom-written CI Lookup Rules or modifications to pre-defined CI Lookup Rules. See Prevent duplicate or orphaned records after running Application Vulnerability Response CI lookup rules for more information on preventing duplicate orphan records, deleting data, and cleaning up data.