Severity mapping for Vulnerability Response
Summary of Severity mapping for Vulnerability Response
ServiceNow Vulnerability Response includes predefined severity mappings to normalize vulnerability severity data from various third-party sources using the National Vulnerability Database (NVD) as a reference. These mappings are essential for consistent prioritization and effective vulnerability management within the platform. Customers can adjust these mappings by modifying fields in the existing maps as needed.
Severity Mapping for Third-Party Integrations
- Rapid7 Integration:
  - Normalised_Severity: Calculated using severity from the sn_vul_nvd_entry table via Business Rules on the sn_vul_entry table.
  - Source_severity: Mapped from the severity_score table during API execution.
  - Priority: Field remains empty.
- Qualys Integration:
  - Normalised_Severity: Calculated similarly via Business Rules using sn_vul_nvd_entry data.
  - Source_severity: Mapped from SEVERITY_LEVEL during Qualys Knowledge Base Integration.
  - Priority: Derived from SEVERITY table data mapped during Qualys Host Detection Integration through Business Rules that manage priority mapping.
- Tenable.io Integration:
  - Normalised_Severity: Calculated from sn_vul_nvd_entry data using Business Rules.
  - Source_severity: Mapped from risk_factor table during Plugin Integration.
  - Priority: Mapped from severity_id during Open Vulnerabilities Integration.
  - VPR (Vulnerability Priority Rating): Score data is mapped to Source_risk_score and also used to calculate Source_risk_rating during Plugin Integration.
- Tenable.sc Integration:
  - Normalised_Severity: Calculated via Business Rules from sn_vul_nvd_entry data.
  - Source_severity: Data from riskFactor is mapped during Plugin Integration.
  - Priority: Mapped based on severity attributes (such as id, name, description) during Open Vulnerabilities Integration.
  - VPR: vprScore is mapped to Source_risk_score and used to calculate Source_risk_rating during Plugin Integration.
- Microsoft TVM Integration:
  - Normalised_Severity: Calculated using sn_vul_nvd_entry severity via Business Rules.
  - Source_severity: Mapped from the severity table during Microsoft TVM Vulnerability (CVE) Integration.
  - Priority: Field remains empty.
Practical Impact
These mappings allow ServiceNow customers to have a unified and normalized view of vulnerability severity regardless of the source integration. By leveraging Business Rules to calculate normalized severity and map source-specific severity and priority fields, customers can ensure consistent prioritization and response workflows in Vulnerability Response. Understanding how these mappings work helps in customizing and troubleshooting severity and priority handling across various vulnerability integrations.
Vulnerability Response ships with a mapping from National Vulnerability Database (NVD) severity to normalized ServiceNow severity. ServiceNow third-party integrations provide severity mappings upon installation. These maps can be adjusted by changing the fields in existing maps.
Rapid7 Vulnerability Integration Severity Mapping
Normalised_Severity
Calculate normalised_severity on the third-party entry using the severity coming from the sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the severity_score table is mapped to the source_severity table while the Rapid7 Vulnerability Integration - API is running.
Priority
This field is empty.
Qualys Vulnerability Integration Severity Mapping
Normalised_Severity
Calculate normalised_severity on the third-party entry using the severity coming from the sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from SEVERITY_LEVEL is mapped to the source_severity table while the Qualys Knowledge Base Integration is running.
Priority
Data for the Priority field is obtained from the SEVERITY table and mapped to the priority table while the Qualys Host Detection Integration is running, using the Business Rule mapped to Qualys Data.
Tenable.io Vulnerability Integration Severity Mapping
Normalised_Severity
Calculate normalised_severity on the third-party entry using the severity coming from the sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the risk_factor table is mapped to the source_severity table while the Tenable.io Plugin Integration is running.
Priority
Data from severity_id is mapped to source_severity while the Tenable.io Open Vulnerabilities Integration is running.
VPR
Data from score is mapped to Source_risk_score while the Tenable.io Plugin Integration is running.
Data calculated from score is mapped to Source_risk_rating while the Tenable.io Plugin Integration is running.
Tenable.sc Vulnerability Integration Severity Mapping
Normalised_Severity
Calculate normalised_severity on the third-party entry using the severity coming from the sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the riskFactor table is mapped to source_severity while the Tenable.io Plugin Integration is running.
Priority
Data from severity received as "severity": { "id": "0", "name": "Info", "description": "Informative" } is mapped to source_severity while the Tenable.io Open Vulnerabilities Integration is running.
VPR
Data from vprScore is mapped to Source_risk_score while the Tenable.io Plugin Integration is running.
Data calculated from vprScore is mapped to Source_risk_rating while the Tenable.io Plugin Integration is running.
TVM Severity Mapping
Normalised_Severity
Calculate normalised_severity on the third-party entry using the severity coming from the sn_vul_nvd_entry table. This is set using Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the severity table is mapped to source_severity while the Microsoft TVM Vulnerability (CVE) Integration is running.
Priority
This field is empty.