Severity mapping for Vulnerability Response
Summary of Severity mapping for Vulnerability Response
ServiceNow Vulnerability Response includes predefined severity mappings that normalize vulnerability severities from various third-party integrations to the ServiceNow standard. These mappings enable consistent prioritization and handling of vulnerability data from multiple sources, streamlining vulnerability management in your ServiceNow environment. Customers can adjust severity mappings by modifying fields in existing maps to better fit their organizational needs.
Severity Mapping Details by Integration
- National Vulnerability Database (NVD): Provides baseline normalized severity mapping used across integrations, calculated via Business Rules on the sn_vul_nvd_entry and sn_vul_entry tables.
- Rapid7 Vulnerability Integration: Maps severity data from the severity_score table to source_severity during API execution. Priority fields are initially empty and can be customized.
- Qualys Vulnerability Integration: Maps severity levels from the SEVERITY_LEVEL table to source_severity, and priority data from the SEVERITY table to the priority field. Business Rules running in the background ensure priority is correctly assigned based on Qualys data.
- Tenable.io Vulnerability Integration: Uses severity data from the risk_factor table for source_severity. Priority is mapped from severity_id. Vulnerability Priority Rating (VPR) data is derived from the score field and mapped to source_risk_score and source_risk_rating during plugin integration.
- Tenable.sc Vulnerability Integration: Similar to Tenable.io, mapping riskFactor to source_severity and severity details to priority. VPR scores from vprScore are mapped to risk score and rating fields.
- Microsoft TVM Vulnerability (CVE) Integration: Maps severity from the severity table to source_severity. The priority field is left empty by default.
Practical Implications for ServiceNow Customers
- Severity mapping ensures consistent interpretation and prioritization of vulnerabilities from diverse sources within ServiceNow Vulnerability Response.
- Business Rules automate the normalization and priority assignment process, reducing manual effort and improving accuracy.
- Customers can tailor severity and priority mappings by modifying existing map fields to align with internal risk management policies.
- Understanding how each integration maps severity and priority data helps in troubleshooting discrepancies and optimizing vulnerability workflows.
Vulnerability Response ships with National Vulnerability Database (NVD) to normalized ServiceNow severity mapping. ServiceNow third-party integrations provide severity mappings upon installation. These maps can be adjusted by changing the fields in existing maps.
Rapid7 Vulnerability Integration Severity Mapping
Normalised_Severity
normalised_severity is calculated on the third-party entry using the severity from the sn_vul_nvd_entry table. It is set by the Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the severity_score table is mapped to the source_severity table while the Rapid7 Vulnerability Integration- API is running.
Priority
This field is empty.
Qualys Vulnerability Integration Severity Mapping
Normalised_Severity
normalised_severity is calculated on the third-party entry using the severity from the sn_vul_nvd_entry table. It is set by the Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the SEVERITY_LEVEL is mapped to the source_severity table while the Qualys Knowledge Base Integration is running.
Priority
Data for the Priority field is obtained from the SEVERITY table and mapped to the priority table while the Qualys Host Detection Integration is running, using the Business Rule mapped to Qualys Data.
Tenable.io Vulnerability Integration Severity Mapping
Normalised_Severity
normalised_severity is calculated on the third-party entry using the severity from the sn_vul_nvd_entry table. It is set by the Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the risk_factor table is mapped to the source_severity table while the Tenable.io Plugin Integration is running.
Priority
Data from severity_id is mapped to source_severity while the Tenable.io Open Vulnerabilities Integration is running.
VPR
Data from score is mapped to Source_risk_score while the Tenable.io Plugin Integration is running.
A value calculated from score is mapped to Source_risk_rating while the Tenable.io Plugin Integration is running.
Tenable.sc Vulnerability Integration Severity Mapping
Normalised_Severity
normalised_severity is calculated on the third-party entry using the severity from the sn_vul_nvd_entry table. It is set by the Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the riskFactor table is mapped to source_severity while the Tenable.io Plugin Integration is running.
Priority
Data from severity received as "severity": { "id": "0", "name": "Info", "description": "Informative" } is mapped to source_severity while the Tenable.io Open Vulnerabilities Integration is running.
VPR
Data from vprScore is mapped to Source_risk_score while the Tenable.io Plugin Integration is running.
A value calculated from vprScore is mapped to Source_risk_rating while the Tenable.io Plugin Integration is running.
TVM Severity Mapping
Normalised_Severity
normalised_severity is calculated on the third-party entry using the severity from the sn_vul_nvd_entry table. It is set by the Business Rules for Lookup normalized severity on the sn_vul_entry table.
Source_severity
Data from the severity table is mapped to source_severity while the Microsoft TVM Vulnerability (CVE) Integration is running.
Priority
This field is empty.
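The per-integration mappings above, collected into one lookup for reconciling what each source contributes to an entry. This is an added example, not ServiceNow code: the source and target field names are the ones listed on this page, while the payload shapes, the use of `severity.id` for Tenable.sc priority, the function names and the VPR rating bands are assumptions.

```javascript
// Added example. Field names come from this page; payload shapes, the
// tenable_sc severity.id choice and the VPR bands are assumptions.
const FIELD_MAPS = {
  rapid7:     { source_severity: "severity_score" },
  qualys:     { source_severity: "SEVERITY_LEVEL", priority: "SEVERITY" },
  tenable_io: { source_severity: "risk_factor", priority: "severity_id",
                source_risk_score: "score" },
  tenable_sc: { source_severity: "riskFactor", priority: "severity.id",
                source_risk_score: "vprScore" },
  tvm:        { source_severity: "severity" },
};

// Resolve a dotted path such as "severity.id"; undefined if any hop is missing.
function pick(record, path) {
  return path.split(".").reduce(
    (node, key) => (node !== null && typeof node === "object" ? node[key] : undefined),
    record);
}

// Assumed rating bands (Tenable's published VPR categories).
function ratingFromScore(score) {
  if (!Number.isFinite(score) || score <= 0 || score > 10) return "";
  if (score >= 9) return "Critical";
  if (score >= 7) return "High";
  if (score >= 4) return "Medium";
  return "Low";
}

// Apply one integration's map; unmapped targets stay empty, as on this page.
function mapEntry(integration, record) {
  const map = FIELD_MAPS[integration];
  if (!map) throw new Error(`no severity map for integration: ${integration}`);
  const out = { source_severity: "", priority: "", source_risk_score: "", source_risk_rating: "" };
  for (const [target, path] of Object.entries(map)) {
    const value = pick(record, path);
    if (value !== undefined && value !== null) out[target] = String(value);
  }
  if (out.source_risk_score !== "") {
    out.source_risk_rating = ratingFromScore(Number(out.source_risk_score));
  }
  return out;
}

// Constructed sample payloads (not real scanner output).
const SAMPLES = {
  qualys: { SEVERITY_LEVEL: "4", SEVERITY: "3" },
  tenable_sc: { riskFactor: "High", vprScore: "9.4",
                severity: { id: "3", name: "High", description: "High Severity" } },
};
```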