Unified Vulnerability Response Dashboard

Release version: Yokohama

Updated January 30, 2025

12 minutes to read

Summarize

Summarized using AI

Summary of Unified Vulnerability Response Dashboard

The Unified Vulnerability Response Dashboard in ServiceNow Yokohama release offers a centralized and comprehensive view of an organization's vulnerabilities and risks across infrastructure, cloud, applications, and containers. It enables security and vulnerability teams to gain real-time visibility, prioritize remediation efforts, and track progress effectively. The dashboard supports role-based access for various vulnerability management roles and provides a unified platform to monitor and manage risk.

Show full answer Show less

Access and Roles

Accessible via Vulnerability Manager Workspace or Platform Analytics Workspace dashboards.
Requires specific ServiceNow AI Platform roles such as vulnerability analyst, admin, container vulnerability admin, and app security manager.
Role-based views ensure users see relevant data aligned with their responsibilities.

Key Use Cases

Vulnerability and risk visibility across multiple asset types and business units.
Prioritization and timely remediation of vulnerabilities.
Tracking remediation progress via attack surface overview and SLA performance.
Resource allocation by comparing risk and remediation status across business units.
Insight into critical vulnerabilities flagged by CISA KEV and EPSS scores for better risk assessment.

Dashboard Structure and Tabs

Asset Overview: Displays configuration items, scanned assets, cloud resources, applications, and docker images.
Vulnerability Overview: Details active vulnerabilities by type, criticality, CISA KEV flags, and trends.
Assignment Overview: Shows unassigned vulnerabilities, remediation times, and SLA misses by assignment group.
Exception Management: Tracks deferred vulnerabilities, especially critical and high-risk ones.
Service Level Agreement (SLA): Monitors remediation timelines for vulnerabilities and compliance issues over time.
Exclusion Overview: Manages and analyzes exclusion rules and their impact on internet-facing and exploitable vulnerabilities.
Vulnerability Intelligence: Highlights vulnerabilities with EPSS scores ≥ 0.9, including those in the CISA KEV catalog, aiding prioritization.

Filters and Indicators

The dashboard supports filtering by business unit, assignment group, risk rating, criticality, internet-facing status, and exploit availability, allowing tailored views of vulnerability data. Indicators measure scanned assets, exploit presence, internet-facing assets, cloud resources, CISA KEV flagged vulnerabilities, active and new vulnerabilities, deferred items, and SLA performance metrics. These indicators provide actionable insights for vulnerability management and risk reduction.

Data Collection and Automation

Automated scheduled data collection jobs gather vulnerability and risk data daily, weekly, and historically.
These jobs populate risk scores and EPSS data to maintain up-to-date dashboard insights.
Rollup calculators aggregate risk scores across vulnerable items and configuration issues to produce an overall organizational risk score.
Note: The data collection jobs are deactivated by default and must be enabled by administrators.

Practical Benefits for ServiceNow Customers

Provides a unified, actionable view of vulnerabilities across diverse asset types and business units.
Enables efficient prioritization using risk scores, CISA KEV flags, and EPSS scores aligned with industry standards.
Facilitates performance tracking of remediation efforts and SLA adherence to improve security posture.
Supports informed decision-making on resource allocation and vulnerability exception handling.
Automates data aggregation and risk scoring to reduce manual efforts and improve accuracy.

The Unified Vulnerability Response dashboard provides a comprehensive view of an organization's vulnerabilities and risks. The vulnerabilities related to infrastructure, cloud, applications, and containers can be viewed in a centralized dashboard for better visibility and remediation.

Watch this four-minute video to learn about the Unified Vulnerability Response Dashboard.

Required ServiceNow AI Platform roles

The following roles are associated with this solution. They’re required for viewing, editing, and sharing the reports:

sn_vul.app_sec_manager
sn_vul.vulnerability_admin
sn_vul.vulnerability_analyst
sn_vulc.admin
sn_vul_container.vulnerability_admin
sn_vul_container.vulnerability_analyst
sn_vul.app_developer
sn_vulc.vulnerability_analyst

Access the Unified Vulnerability Response Dashboard

To open the dashboard, navigate to either:

All > Vulnerability Response > Vulnerability Manager Workspace and select the Dashboards icon. Depending on your role, the default dashboard is displayed. To view the Unified Vulnerability Response Dashboard, select the drop-down next to the dashboard name.
Workspaces > Platform Analytics Workspace > Dashboards > Unified Vulnerability Response Dashboard.

Unified Vulnerability Response dashboard

Use cases

For examples of how different people in your organization would use this dashboard, see these use cases.


Users	Dashboard use
Vulnerability Managers Vulnerability Analysts	Provides real-time visibility of the risks present in infrastructure, applications, configurations, and containers. Enables Vulnerability Managers and Vulnerability Analysts to prioritize and remediate the vulnerabilities in a timely way. Provides an Attack Surface Overview of critical assets, which can be used to track the remediation progress and efforts. Provides an overview of risks across business units (BUs). You can use filters to select BUs and compare the progress to reallocate resources, as necessary. Role-level access must be provided to the BU head. Provides visibility into the potential impact by BUs. You can use the Common Vulnerability and Exposure (CVE) filter to identify exposures across the organization. Provides visibility into the EPSS scores attained by vulnerable entries that exist in the CISA KEV catalog for Application, Host, and Container vulnerable items.

Unified Vulnerability Response Dashboard tabs

This dashboard lets you see the vulnerabilities or issues that are present in hosts, cloud, configurations, applications, and containers. You can view the vulnerabilities based on the business unit, assignment group, risk rating, criticality, and whether an exploit exists for the vulnerabilities.

The Asset Overview tab provides the overall status of configuration items (CIs) in the system.

The Vulnerability Overview tab provides a status on the types of vulnerabilities such as host, application, container.

The Assignment Overview tab provides a status on the assignment of the vulnerabilities.

The Exception Management tab provides a status on the deferred vulnerabilities.

The Service Level Agreement (SLA) tab provides a status on the service level agreement attained by different assignment groups. Service level Agreement SLA tab

The Exclusion overview tab provides a status of exclusion rules you have created, as well as those affecting detections that are internet-facing and have available exploits.

The Vulnerability Intelligence tab provides a status on the EPSS scores attained by vulnerabilities having the CISA KEV flag true and EPSS Score >= 0.9 for Application, Host, and Container Vulnerable items.

Filters

You can filter the widgets based on the following:

Business unit
Assignment group
Risk rating
Criticality of assets
Internet facing
Exploit exists

When a filter is selected, the data in all widgets gets updated. However, if a filter is not applicable for a widget, a cross symbol is shown next to the filter name.

Note:

Only Business unit and Assignment group filters are available in Tokyo. All the filters are available from Utah onwards.

Indicators

Scanned assets: Formula indicator for assets scanned in the last 60 days. Contains scanned discovered item assets, scanned application release assets, scanned discovered container image assets as contributing indicators.
Assets - Exploit exists: Formula indicator for assets where exploit exists in the vulnerabilities. Contains Host assets - Exploit exists, Application assets - Exploit exists, Container assets - Exploit exists as contributing indicators.
Infra Asset - Internet Facing: Indicator for fetching the count of assets, which are internet facing.
Discovered items based on Cloud Resource type: Indicator for fetching the count of assets having an asset category such as cloud.
Base Images: Indicator for fetching the count of base images.
CISA KEVs Asset Type: Formula indicator, which gives the count of container and host vulnerable items where the vulnerability has the CISA KEV (BOD 22-01) flag set to true. Contains CISA exists CVR, and CISA exists Vul Items as contributing indicators.
CISA Exists Vulnerable Items – Unassigned: Formula indicator, which gives the count of container and host vulnerable items where the vulnerability has the CISA KEV (BOD 22-01) flag set to true and the vulnerable items are unassigned. Contains Unassigned Container Vul Items, Unassigned Host Vul Item as contributing indicators.
CISA Exists Vulnerable Items - Target Missed: Formula indicator, which gives the count of container and host vulnerable items where the vulnerability has the CISA KEV (BOD 22-01) flag set to true and the vulnerable items have missed the target. Contains CISA exists Vul Items, CISA exists CVR as contributing indicators.
Active Host VITs: Count of active host vulnerable items (VITs).
Active Application VITs: Count of active application vulnerable items (AVITs).
Active Container VITs: Count of active container vulnerable items (CVITs).
New VITs: Count of VITs that opened on a day.
New AVITs: Count of AVITs that opened on a day.
New CVITs: Count of CVITs that opened on a day.
New Test Results: Count of test results (TRs) that were created on a day.
Closed AVITs: Count of VITs closed on a day.
Closed VITs: Count of AVITs closed on a day.
Closed CVITs: Count of CVITs closed on a day.
Closed Test Results: Count of TRs closed on a day.
Open Config Issues - Test results: Count of all open test results, which are in failed state.
Organization Risk Score: Risk score of an organization from the Rollup Application Risk Score table.
Unassigned Application Vul Item: AVITs with no assignment group or assigned to.
Unassigned Host Vul Item: VITs with no assignment group or assigned to.
Unassigned Container Vul Items: CVITs with no assignment group or assigned to.
Unassigned Config Issues: TRs with no assignment group or assigned to.
Deferred VITs: VITs in deferred state.
Deferred AVITs: AVITs in deferred state.
Deferred CVITs: CVITs in deferred state.
Host SLA - Closed: Average age closed of closed VITs.
Application SLA - Closed: Average age closed of closed AVITs.
Container SLA - Closed: Average age closed of closed CVITs.
Test Result SLA - Passed: Average age closed of passed TRs.
Host SLA - Closed (Critical & High): Average age closed of closed critical and high VITs.
Application SLA - Closed (Critical & High): Average age closed of critical and high AVITs.
Container SLA - Closed (Critical & High): Average age closed of closed critical and high CVITs.
Test Result SLA - Passed (Critical & High): Average age closed of passed critical and high TRs.
Aggregate MTTR: Average age closed of closed VITs, AVITs, CVITs, and TRs.
SLA Missed: Average age closed of closed and target missed VITs, AVITs, CVITs, and TRs.
Vulnerabilities With EPSS Scores >= 0.9: Count of vulnerability entries with EPSS scores greater than or equal to 0.9.

Breakdowns

VIT type (unified)
Internet Facing (unified)
Risk Rating (unified)
Exploit Exists (unified)
Discovered Item Cloud Resource Type (unified)
CISA Exists (unified)
CMDB class (unified)
Business Unit (unified)
Business Criticality (unified)
Deferred Reason (unified)
Assignment group (unified)
Remediation Status (unified)

Data visualizations

Table 1. Asset Overview tab
Title	Type	Description
Attack Surface Overview	Single score	Number representing the aggregated score of an organization's security.
CMDB CI Count	Single score	Number of CIs in the organization that are registered and tracked in the Configuration Management Database (CMDB). Provides a breakdown of the following CIs: Scanned CIs: Number of scanned CIs Exploit: Number of exploits available Internet Facing: Number of internet facing CIs
Cloud Resource	Single score	Number of CIs with asset category such as cloud. Provides a breakdown of the following cloud assets: AWS Azure GCP
Docker Image	Single score	Number of docker images including the number of base images.
Applications	Single score	Number of applications in the organization.

Table 2. Vulnerability Overview tab
Title	Type	Description
CISA KEVs	Pie Chart	Number of vulnerabilities associated with the CISA catalog and CISA flag as true. Provides a breakdown based on the following: CISA Vulnerability: Types of vulnerabilities with CISA flag as true Host CIs - Internet Facing: Internet facing CIs Unassigned VITs: Unassigned VITs with CISA flag as true VITs missed target: VITs that missed target with CISA flag as true
Active Vulnerabilities by Criticality	Stacked Bar	Number of active VITs, AVITs, and CVITs based on criticality.
Vulnerability creation and closure trend	Multiple Line	Number of new and closed vulnerabilities for all applications. Provides a trend for the last three months.
Misconfiguration by cloud platform	Multiple Line	Number of configuration issues based on risk rating for each cloud asset.
Cloud Compliance	Table	List of resources with the asset category as cloud along with the following details: Resource name Class Vulnerability issues: Number of issues present in the resource that are aggregated based on the risk rating. Configuration issues: Number of resources with configuration issues along with the risk rating. Cloud account: Cloud account ID. Cloud region: Location of the cloud resources. Cloud provider: Name of the cloud provider.

Table 3. Assignment Overview tab
Title	Type	Description
Unassigned VITs	Stacked Bar	Number of vulnerabilities that aren’t assigned to any group or individual along with the risk rating.
MTTR by Assignment Group - Top 10	Multiple Line	Mean time taken by an assignment group to identify and remediate the security vulnerabilities or issues. The top 10 assignment groups are displayed that have the highest mean time for remediation.
Top 10 Assignment Groups missing SLA (Critical & High Vulnerability)	Stacked Bar	Top 10 assignment groups that missed the target date of remediation of critical and high vulnerabilities.

Table 4. Exception Management tab
Title	Type	Description
Deferred VITs	Stacked Bar	Number of vulnerabilities in the deferred state based on risk rating.
Critical and High Deferred VITs by Assignment Group	Stacked Bar	Number of vulnerabilities with critical and high risk ratings in the deferred state that is categorized based on the assignment groups.

Table 5. Service Level Agreement (SLA) tab
Title	Type	Description
Host Vulnerability: SLA attainment by assignment group	Multiple Line	Time taken by an assignment group to remediate host vulnerabilities. Provides a trend for the last 10 months.
Compliance Issues: SLA attainment by assignment group	Multiple Line	Time taken by an assignment group to remediate compliance issues. Provides a trend for the last 10 months.
Application Vulnerability: SLA attainment by assignment group	Multiple Line	Time taken by an assignment group to remediate application vulnerabilities. Provides a trend for the last 10 months.
Container Vulnerability: SLA attainment by assignment group	Multiple Line	Time taken by an assignment group to remediate container vulnerabilities. Provides a trend for the last 10 months.

Table 6. Exclusion overview tab
Title	Type	Description
Exclusion rules	Table	List of all exclusion rules you have created.
Exclusion rules v/s Internet facing	Stacked Bar	Exclusion rules impacting detections which belong to internet facing assets.
Exclusion rules v/s Exploit exists	Stacked Bar	Exclusion rules impacting detections that are vulnerable to existing exploits.

Table 7. Vulnerability Intelligence tab
Title	Type	Description
Vulnerabilities with EPSS Score>= 0.9	Table	Complete list view of all vulnerable entries (CVEs or TPEs) that have an EPSS score greater than or equal to 0.9 along with the following details. ID: CVE ID of the vulnerability EPSS Score EPSS Last Modified CISA KEV BOD 22-01: Indicates if the entry exists in the CISA KEV BOD (Binding Operational Directive 22-01) Total VIs: Total count of VIs that exist for this vulnerability entry. Total Container VIs: Total count of container VIs that exist for this vulnerability entry. Severity
External Facing Host Vulnerable Items With EPSS Score >= 0.9	Single score	Number indicating the aggregate count of external facing host vulnerable items with an EPSS score greater than or equal to 0.9. Provides single scores sorted by severity of risk rating.
External Facing Host Vulnerable Items By Risk Rating	Stacked Bar	Number of external facing host vulnerable items by risk rating. The stack bars are categorized by EPSS Score >=0.9 and CISA KEV =True.
Vulnerable Items With EPSS Score >= 0.9 By Risk Rating	Stacked Bar	Number of vulnerabilities with EPSS score greater than or equal to 0.9 sorted by risk rating. Provides a breakdown by host vulnerable items, application vulnerable items, and container vulnerable items.

Scheduled jobs for data collection

Data collection jobs automatically collect scores for automated indicators and breakdowns. The following scheduled jobs are run to collect scores on new data automatically.

Warning:

By default, the following data collection jobs are deactivated in the base system:

Unified Dashboard Daily Data Collection
Unified Dashboard Weekly Data Collection
Unified Dashboard Historical Data collection

Before enabling the jobs, refer to the KB.


Scheduled job	Frequency	Description
Unified Dashboard Historical Data collection	Once	Collects scores and snapshots for existing records.
Unified Dashboard Weekly Data Collection	Weekly	Collects data weekly.
Unified Dashboard Daily Data Collection	Daily	Collects data everyday.
Rollup Risk scores to Organization	Daily	Collects the aggregated risk score for an organization.
Populate cloud compliance daily counts	Daily	Collects data for cloud compliance.
EPSS Daily Job	Daily	Collects EPSS data from First.org.

A new table Rollup Application Risk Score [sn_vul_cmn_rollup_app_risk_score] is created in the Vulnerability Common Scope. This table is populated using the following rollup calculators via the scheduled jobs everyday.


Rollup calculator name	Description
Organization Risk Score Rollup	Rolls up the risk scores for all vulnerable items and configuration issues in an organization. It provides an overall risk score for an organization.
Vulnerable Item Rollup	Rolls up the risk scores for all vulnerable items in an organization, to contribute to the overall risk score of an organization.
Application Vulnerable Item Rollup	Rolls up the risk scores for all application vulnerable items in an organization, to contribute to the overall risk score of an organization.
Container Vulnerable Item Rollup	Rolls up the risk scores for all container vulnerable items in an organization, to contribute to the overall risk score of an organization.
Test Result Rollup	Rolls up the risk scores for all test results in an organization, to contribute to the overall risk score of an organization.
Rollup EPSS Scores from NVDs to TPEs	Rolls up EPSS Scores from NVDs to TPEs, to contribute to the overall risk score of an organization.