Patch orchestration with Vulnerability Response
Summary of Patch orchestration with Vulnerability Response
Patch orchestration with Vulnerability Response enables ServiceNow customers to manage and deploy patches for critical vulnerabilities across large asset groups. Utilizing data imported from third-party integrations, patch vendors, and vulnerability scanners, this feature centralizes vulnerability remediation within the ServiceNow AI Platform instance. It supports both the classic interface and Vulnerability Response workspaces, allowing vulnerability managers, analysts, and IT remediation specialists to identify, schedule, deploy, and monitor patches efficiently.
Key Features
- Data Integration and Correlation: Leverages scheduled imports from third-party patch vendors and scanners to correlate vulnerability and patch data within Vulnerability Response.
- Patch Deployment: Facilitates scheduling and deploying patches for various platforms including Windows, CentOS, macOS, and Oracle, with the ability to plan deployments during off-hours to minimize disruption.
- Vulnerability Identification: Uses imported scanner data to detect unpatched or unsuccessfully updated assets requiring remediation.
- Patch Scheduling and Monitoring: Allows initiation and scheduling of patches directly from Patch Update, remediation task, and discovered item records, with an optional approval workflow to control patch deployments.
- Role-Based Access: Provides specific roles for viewing and managing patch orchestration activities, including roles for remediation owners, vulnerability analysts, and patch configuration.
- Bulk Editing: Supports bulk editing of vulnerable items with preferred patches in the classic environment for efficient remediation management.
- Patch Management Data Model Plugin: Offers a standalone plugin encapsulating the data model for patch management, enabling integration with ITSM and other workflows, and includes migration of existing patch orchestration data.
Key Outcomes
- Centralized visibility and management of vulnerability remediation activities, improving efficiency and control over patch deployment.
- Automated correlation of vulnerability and patch data reduces manual effort and enhances accuracy in patch prioritization and scheduling.
- Flexible patch scheduling and approval workflows help avoid operational conflicts and ensure organizational compliance.
- Integration with leading third-party patch vendors like HCL BigFix and Microsoft SCCM ensures compatibility with existing enterprise patch management solutions.
- Enhanced data model and plugin support future-proof patch orchestration capabilities and enable better data sharing across ServiceNow applications.
You can manage patches and patch deployments for critical vulnerabilities for large groups of your assets with Patch orchestration with Vulnerability Response. Vulnerability Response Patch Orchestration and the patch orchestration integrations are available on the ServiceNow® Store.
Understanding patch orchestration with Vulnerability Response
Patch orchestration with Vulnerability Response uses data from scheduled imports from third-party solution integrations, patch vendors, and vulnerability scanners. This data is correlated in the Vulnerability Response application. This organization of data permits you to complete the steps of the vulnerability remediation cycle. Start with identifying vulnerabilities, then apply patches and updates, and finally close vulnerable items using third-party scanner data all from within your ServiceNow AI Platform® instance.
Patch orchestration with Vulnerability Response is supported in both the classic environment and the Vulnerability Response workspaces.
For information about patch orchestration in the workspaces, see Patch orchestration with the Vulnerability Response Workspaces.
- See more context and information about the types of patches and the vendors that provide the solutions (patches).
- View and monitor vulnerability and solution data, as well as vulnerability remediation progress from records in the Vulnerability Response Workspaces or in the classic environment.
- Deploy patches supported by third-party solution vendors for their Windows, CentOS, macOS, Oracle, and other assets at regular, scheduled intervals. You can schedule patches during off-hours to avoid conflicts with those at work.
- Using imported detection data provided by third-party scanners, identify assets that have vulnerabilities and are not patched or are not successfully updated by scheduled patches.
- Initiate and schedule available patches for assets that require updates from Patch Update, remediation task, and discovered item records in the Vulnerability Response application.
- Monitor patch deployments with an optional approval process for patch requests submitted by your remediation specialists.
Key terms
- Configuration item (CI)
- CIs are the existing assets that are listed in your Configuration Management Database (CMDB).
- Vulnerable item (VI)
- An imported vulnerability that matches an existing asset in your CMDB. Vulnerable items (VITs) are grouped into remediation tasks, or lists, according to certain criteria that specify remediation actions for VIs.
- Instance
- Refers to a distinct account of a solution vendor application. For example, each user account can be an instance in the HCL BigFix application. This term also refers to a unique, secure web address for a ServiceNow AI Platform® instance.
- Solution
- There are two types of solutions in the context of this integration, potential and preferred. A potential solution is one that might address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution matches the most effective solution for a specific, detected vulnerability.
- Patch
- Software updates that fix vulnerabilities. Patch vendors use their own names for patches; for example, in the HCL BigFix application, patches are called Fixlets.
- Preferred patch
- Preferred patches are software updates that are intended to fix specific vulnerabilities. Patches, once deployed, map to the vulnerable items that are related to specific vulnerabilities and fix them.
- Deployment
- Deployment, for the purposes of this integration, refers to when you apply, initiate, or schedule a patch to a machine.
Deployment in the ServiceNow AI Platform can also refer to an integration that supports multiple sources. Each distinct instance of an integration is referred to as a deployment of that integration, so a deployment refers to the integrations and products across your environment. For example, you might have multiple deployments of a third-party scanner or a solution vendor integration in your environment.
Available versions of applications and dependencies required for the patch orchestration integration
- The Vulnerability Response application and the dependency plugins, Security Support Common and Security Support Orchestration.
- Vulnerability Solution Management.
- Vulnerability Response Patch Orchestration application available in the ServiceNow® Store.
- A supported third-party patch vendor application, such as the Vulnerability Response patch orchestration integration with HCL BigFix or the Vulnerability Response patch orchestration integration with Microsoft SCCM.
- Supported third-party scanner integrations with Vulnerability Response.
Roles required
Users need roles that are specific to the patch orchestration integration you are using to view data and schedule patches from the Vulnerability Response application. See the configuration information for the supported integrations you are using listed below for more information.
- Understanding the HCL BigFix patch orchestration integration with Vulnerability Response and The Vulnerability Response patch orchestration integration with Microsoft SCCM.
- In the Vulnerability Response workspaces and the classic environment, the sn_vul_patch_orch.read_patch role, which permits users to view but not edit data, is inherited with the sn_vul.remediation_owner and sn_vuln.vulnerability_analyst roles.
The roles required to configure the connections to the patch vendors and to schedule patches are integration-specific. See Configure the Vulnerability Response patch orchestration integration with HCL BigFix and Configure the Vulnerability Response Patch Orchestration with MS SCCM for more information.
A submission and approval process for patch requests is included with the applications. By default, the sn_vul_patch_orch.patch_approval_required system property is activated in the Vulnerability Response Patch Orchestration application in your ServiceNow AI Platform instance.
While this system property is activated, scheduled patch deployments are submitted for review and approval to the users assigned to the Level 1 - Patch update approval group. If you want users with the sn_vul_patch_orch.configure_patch role to schedule patches without approval, you can deactivate the sn_vul_patch_orch.patch_approval_required property. You might prefer to leave approvals activated so that scheduled patches do not conflict with normal working hours. If you deactivate the approval system property, any user with the sn_vul_patch_orch.configure_patch role can schedule and deploy patches without review and approval.
For more information, and how to deactivate this system property, see the configuration topic for your supported integration.
Schedule patches from Vulnerability Response records
Remediation specialists can schedule patch updates to resolve vulnerable items and monitor remediation progress all from records in the Vulnerability Response application.
You can schedule patches from the following records:
- Patch Update
- Remediation task
- Discovered item
Records that roll up active VI counts in Vulnerability Response
To avoid potential performance issues with rolling up all the patches to all the vulnerabilities, the scheduled job that picks up changes only modifies the active VI count. These count changes and related data are rolled up to the following records in the Vulnerability Response application:
- VIT (vulnerable item)
- RT (remediation task)
- Vulnerability solution
- Patch Update
For more information about viewing patch data and patch data roll up to records, and viewing patches without solutions, see the following topics.
Bulk edit vulnerable items with patches
In the classic environment, you can bulk edit vulnerable items that have patches. For more information about how bulk editing works, see Edit vulnerable items in bulk in Vulnerability Response. The bulk edit applies the preferred patches for all the VIs selected. This edit option only works if preferred patches are mapped to all the VIs selected.
Patch Management Data Model Enhancements
The Patch Management Data Model plugin is a standalone, free plugin that encapsulates the data model currently used in the VR Patch Orchestration application. This includes key tables such as Collection, Patch Update, Patch Deployment, and others.
This plugin can be used by patch management tools to ingest the Patch Management data to be used by applications such as ITSM, Vulnerability Response and so on for the existing workflows.
- Tables in the existing patch orchestration plugin, such as the collection device, patch update, and patch deployment tables, will be moved to the new data model plugin.
- The data from the old tables will be migrated to the new tables for the existing VR patch orchestration feature.