Configuration Compliance imported data

  • Release version: Yokohama
  • Updated February 4, 2025

    The Configuration Compliance application imports policies, tests, authoritative sources, and test results from third-party integrations and stores them in modules for viewing.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 | Terminology v14.9 onwards
    Test Result Group | Remediation Task
    Group Rules | Remediation Task Rules
    Policy | Test group

    Supported integrations

    Third-party integrations import configuration assessment findings, test groups, tests, technologies, authoritative sources, and test results into the Configuration Compliance application. Vulnerability managers or vulnerability analysts can use this data to identify and respond to the configuration-related vulnerabilities on your assets.

    For more information about supported integrations, see Configuration Compliance integrations.

    Test groups

    Test Groups are related to authoritative documents and test records. A Test Group is defined by a group of configuration tests. Test Groups typically align to a technology class (for example, Windows, Oracle databases, or Cisco IOS) and are often derived from the primary industry standard. Test Groups can be modified to meet the needs of the organization. A single Configuration Test can belong to multiple test groups.

    Integration: Qualys Vulnerability Integration
    Description: Test groups are retrieved and Control IDs are populated by the scheduled job, Qualys PC Policies, at 1:00 AM.
    You can view the scheduled job by navigating to Qualys Vulnerability Integration > Primary Integrations > Qualys PC Policies.
    Note:
    If you choose to run the integration manually, run Qualys PC Policies first.

    Integration: Tenable Vulnerability Integration
    Description: The scheduled job Tenable.io Compliance Results Integration imports policies.
    If you choose to run the integrations manually, run the integrations in the following order until you reconcile any ignored assets with assessment data:
    • Tenable.io Assets Integration
    • Tenable.io Compliance Results Integration
    • Tenable.io Compliance Results Backfill Integration
    • Tenable.io Assets Integration
    • Tenable.io Compliance Results Backfill Integration

    To view the policy record, navigate to All > Configuration Compliance > Test Groups.

    To correctly identify and create the test group records, audit information for test groups is imported and displayed in the Short description field.

    Tests

    Tests are libraries of data records that organize scans of computing assets. Configuration tests define how a class of technology assets should be governed.

    A Configuration Compliance test is the mechanism third-party integration applications use to group assets by vulnerability type. Some third-party VA scanning solutions such as Qualys have very large libraries of tests (as many as 8,000) that are mapped to policies and "frameworks" of authoritative sources.

    A Test can have many values, one-to-many, expected vs. actual, and so on. A test is anything that can be used to identify a class of software or hardware asset that is out of compliance, for example, a release or hardware number.

    Integration: Qualys Vulnerability Integration
    Description: The scheduled job, Qualys PC Controls, retrieves the tests. You can view the scheduled job by navigating to Qualys Vulnerability Integration > Primary Integrations > Qualys PC Controls.
    Note:
    If you choose to run the integration manually, run Qualys PC Controls after Qualys PC Policies.

    Integration: Tenable Vulnerability Integration
    Description: The scheduled job Tenable.io Compliance Results Integration imports configuration tests (Tests).
    If you choose to run the integrations manually, run the integrations in the following order until you reconcile any ignored assets with assessment data:
    • Tenable.io Assets Integration
    • Tenable.io Compliance Results Integration
    • Tenable.io Compliance Results Backfill Integration
    • Tenable.io Assets Integration
    • Tenable.io Compliance Results Backfill Integration

    To view the Configuration Test record, navigate to Configuration Compliance > Tests. On the record, imported data is displayed in the Short description field and Remediation Status, Description, and Remediation tabs. Data is also displayed on the Citations, Policies, and Test Results Related Links.

    Technologies

    One of the techniques used by third-party vulnerability scanners to create test groups of software and hardware configuration items for analysis is to organize them by technology. Technologies are an imported library of OSes, network devices, databases, and apps that are associated with policies. Tests have multiple implementations for different technologies. Remediation is technology-specific, as well.

    You can view the applicable technologies for a test to better understand what kinds of software or hardware assets the control can be applied to. Examples of technologies that can be applied to controls include CentOS 7.x, Windows 8.1, Windows 2016 Server, and so on. The list of technologies is read-only and matches the technologies defined in the Qualys Cloud Platform application.

    Technologies are imported for database-related configuration assessments only. The db_type (if not empty) in the import is used to create a technology. View technologies populated on the Technologies section on configuration test records, test result records, policy records and at Configuration Compliance > Supporting Data > Technologies.

    Authoritative sources

    Configuration Compliance uses authoritative sources and citations when generating vulnerability alerts for tests. Authoritative sources usually map to sections of published industry standards, such as "NIST 800-53 version 3 (2009) 3: 2009, SA-4".
    Note:
    In the Qualys Vulnerability Integration, this combination is referred to as framework.

    Authoritative sources and citations (also known as mandates) are imported from the third-party vulnerability scanners.

    Authoritative source records contain references to information about known software and hardware configuration issues from experts in the field of computer security. They define requirements for security policies and procedures. Configuration tests can reference multiple authoritative sources through citations. Authoritative sources can report on compliance for a given standard in preparation for an audit.

    Integration: Qualys Vulnerability Integration
    Description: The scheduled job, Qualys PC Policies Detail, retrieves the authoritative sources and citations. You can view this scheduled job by navigating to Qualys Vulnerability Integration > Primary Integrations > Qualys PC Policies Detail.
    Note:
    If you choose to run the integration manually, run Qualys PC Policies Detail after Qualys PC Policies.

    Integration: Tenable Vulnerability Integration
    Description: The scheduled job Tenable.io Compliance Results Integration imports authoritative sources as part of Citations data.
    If you choose to run the integrations manually, run the integrations in the following order until you reconcile any ignored assets with assessment data:
    • Tenable.io Assets Integration
    • Tenable.io Compliance Results Integration
    • Tenable.io Compliance Results Backfill Integration
    • Tenable.io Assets Integration
    • Tenable.io Compliance Results Backfill Integration

    Data is displayed on the Citations related link on configuration test records.

    Test results

    Configuration Compliance does not calculate the test results, but imports them as part of a third-party integration. Once they are viewable in Configuration Compliance, they are remediated using Remediation Tasks. See Configuration Compliance correlation for more information.

    Integration: Qualys Vulnerability Integration
    Description:

    You can retrieve the test results in one of the following ways:

    The scheduled job, Qualys PC Results, retrieves the test results. You can view this scheduled job by navigating to Qualys Vulnerability Integration > Primary Integrations > Qualys PC Results.

    Note:
    If you choose to run the integration manually, run Qualys PC Results after Qualys PC Policies and Qualys PC Policies Detail.

    The Qualys PC Results import uses the Start Time parameter in the Integration Details tab. All other Configuration Compliance imports bring in all available data regardless of Start Time.

    When the Qualys PC Results import is complete, an event is fired to trigger end-of-import calculations. For more information, see Configuration Compliance states.

    Alternatively, starting from v14.5, you can also run the following integrations to retrieve the test results:
    • Qualys PCRS Policy Host Integration - Retrieves the host IDs for each policy. To view this scheduled job, navigate to: Qualys Vulnerability Integration > Primary Integrations > Qualys PCRS Policy Host Integration.
      Note:
      If you choose to run the integration manually, run Qualys PCRS Policy Host Integration after Qualys PC Policies and Qualys PC Policies Detail.

      After this scheduled job is complete, it automatically triggers the Qualys PCRS Test Results Integration.

    • Qualys PCRS Test Results Integration - Retrieves the test results for each host ID. To view this scheduled job, navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys PCRS Test Results Integration.
      Note:
      If you choose to run the integration manually, run Qualys PCRS Test Results Integration after Qualys PC Policies, Qualys PC Policies Detail and Qualys PCRS Policy Host Integration.

      This integration uses the Start Time parameter in the Integration Details tab.

    Integration: Tenable Vulnerability Integration
    Description: The scheduled job Tenable.io Compliance Results Integration imports Test Results.
    If you choose to run the integrations manually, run the integrations in the following order until you reconcile any ignored assets with assessment data:
    • Tenable.io Assets Integration
    • Tenable.io Compliance Results Integration
    • Tenable.io Compliance Results Backfill Integration
    • Tenable.io Assets Integration
    • Tenable.io Compliance Results Backfill Integration

    To view the Configuration Test record, navigate to Configuration Compliance > Test Results. On the record, imported data is displayed in the Test and Configuration Item fields. Data is also displayed on the Expected Values, Actual Values, and Remediation tabs. The Remediation Tasks and Test Result History Related Links are populated.
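
    The manual run-order notes for the Qualys jobs are spread across the sections above. The following added example (not ServiceNow code; the function names checkRunOrder and planFor are hypothetical) collects them into one prerequisite map, validates a planned manual run order against it, and derives a valid sequence for a target job. Job names are the ones given on this page.

```javascript
// Added example, not ServiceNow code. Prerequisites are transcribed from the
// manual-run notes on this page; function names are hypothetical.
const PREREQS = new Map([
  ["Qualys PC Policies", []],
  ["Qualys PC Controls", ["Qualys PC Policies"]],
  ["Qualys PC Policies Detail", ["Qualys PC Policies"]],
  ["Qualys PC Results", ["Qualys PC Policies", "Qualys PC Policies Detail"]],
  ["Qualys PCRS Policy Host Integration",
    ["Qualys PC Policies", "Qualys PC Policies Detail"]],
  ["Qualys PCRS Test Results Integration",
    ["Qualys PC Policies", "Qualys PC Policies Detail",
     "Qualys PCRS Policy Host Integration"]],
]);

// Walk a planned manual run order and report every job that is scheduled
// before one of its prerequisites has run.
function checkRunOrder(plan) {
  const problems = [];
  const done = new Set();
  for (const job of plan) {
    if (!PREREQS.has(job)) {
      problems.push(`unknown job: ${job}`);
      continue;
    }
    for (const dep of PREREQS.get(job)) {
      if (!done.has(dep)) problems.push(`${job} must run after ${dep}`);
    }
    done.add(job);
  }
  return problems;
}

// Build the shortest valid sequence that ends with the target job
// (depth-first walk over the prerequisites, each job emitted once).
function planFor(target, seen = new Set(), out = []) {
  if (!PREREQS.has(target)) throw new Error(`unknown job: ${target}`);
  if (seen.has(target)) return out;
  seen.add(target);
  for (const dep of PREREQS.get(target)) planFor(dep, seen, out);
  out.push(target);
  return out;
}

console.log(planFor("Qualys PC Results").join(" -> "));
console.log(checkRunOrder(["Qualys PC Results", "Qualys PC Policies"]));
```

    An empty result from checkRunOrder means the planned order satisfies every prerequisite stated on this page; the Tenable sequence is a fixed list and is not modelled here.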