Integrations

ServiceNow

Vulncheck for Vulnerability Response

Overview

VulnCheck helps organizations outpace adversaries with vulnerability intelligence that predicts avenues of attack with speed and accuracy. The VulnCheck team comprises a who's who of cybersecurity research, with decades of experience uncovering 100s of 0 days and 10+ patents. VulnCheck's vulnerability and exploit intelligence equips defenders with the insights they need to focus resources on the vulnerabilities that matter most. That's why VulnCheck has been selected to power government agencies, large enterprises, and the industry's most innovative cybersecurity solutions, covering billions of assets around the world.

This integration between Vulnerability Response and the VulnCheck application enhances vulnerability data and pulls vulnerable item details from VulnCheck. It facilitates the creation of Vulnerable Items and enables organization-wide vulnerability management within a ServiceNow instance. By utilizing VulnCheck's functionalities, businesses can simplify the tasks of vulnerability identification, assessment, prioritization, and remediation. This integration ensures extensive visibility and centralized oversight of the vulnerability management lifecycle.

Application Features

  • Ability to configure authentication details and filtering options.
  • Ability to configure the integrations.
  • Ability to view Vulnerabilities populated and other related tables.
  • Ability to run enrichment on a specific vulnerability and a set of vulnerabilities by providing their IDs.

Compatibility Matrix

  • ServiceNow Version: Washington DC, Xanadu and Yokohama
  • VulnCheck API Version: V3 used for vulncheck-nvd2, exploits endpoint.

Configuration Instructions

Installation

This section describes how to download and install the “VulnCheck for Vulnerability Response” from the store.

Pre-Requisites

ServiceNow Plugins

  1. Vulnerability Response (sn_vul) - v24.1.6
  2. Vulnerability Response Integration with NVD (sn_vul_nvd) - v1.5.3
  3. Vulnerability Exposure Assessment (sn_vul_analyst) - v4.0.1 (optional plugin)

Permission and Roles

VulnCheck for Vulnerability Response can be used by users having the role x_cdsp_vuln_vr.vulncheck_vr_admin, sn_vul.admin.

UserRolePermissionsDescription
App Adminvulncheck_vr_adminInstallation of the application, Configuration record and filters, Integrations, Enrich NVDs on demand, Data Sources, System Properties, Application Logs, Support Contact, Privacy PolicyThe user of this role will be able to configure the application and run the integrations.
sn_vul.adminAccess to tables from application scope of Vulnerability Response Integration with NVDThe user with this role can have access to tables like sn_vul_nvd_entry, sn_vul_software, sn_vul_exploit, sn_vul_reference, sn_vul_cwe

VulnCheck for Vulnerability Response

Steps to install the application from the ServiceNow Store:

  1. Users with the System administrator(admin) role can install the application from the ServiceNow Store.
  2. Go to https://store.servicenow.com
  3. Search for the “VulnCheck for Vulnerability Response” on the search tab.
  4. Click on the VulnCheck for Vulnerability Response.
  5. Click on the “Get” button and enter the HI credentials of your instance.
  6. Once it is added successfully, open the instance and Navigate to Applications > All Available Applications > All.
  7. Find the application using the filter criteria and search bar.
  8. Next to the application listing, click Install.

ServiceNow All

Configuration Instructions

Create Users

Note:- This step is optional, if you do not want to create a user, then System Admin can access the VulnCheck Application. The ServiceNow platform admin creates the various users.

Username (for example)Role to be assigned
App Adminx_cdsp_vuln_vr.vulncheck_vr_admin, sn_vul.admin

Below is an example showing how to create a user and assign the role to it. Role Required: System Administrator (admin) Procedure:

  • Navigate to “Organization” -> “Users”.
  • Click the “Users” module.

ServiceNow Users Module

  • On the Users list that is displayed, click “New”. A new user form is displayed

New User

  • Fill in the form.

Note: The values for User ID title, and email address shown in the following table and figure are example values.

FieldDescription
User IDUnique User ID for the role in your ServiceNow Platform instance. An example is vulncheck_app_admin.
First NameFirst name of the person, you are assigning
Last NameLast name of the person, you are assigning
TitleJob Title, for example, DataBee admin
PasswordThe unique password created for this role
EmailUnique email address
TimezoneSelect the time zone from where the user is working.
  • Click “Submit”. Once submitted, you can assign the role.
  • On the Users list in the User ID column, click on the name of the new user you created, for example vulncheck_app_admin.
  • Once the record is open, the Set password UI is visible in the form view of the record.
  • Click on the Set Password UI action.
  • One pop-up will be displayed. Click on “Generate”. This will generate a unique password for the created user that needs to be changed on the first log-in.
  • Copy the generated password and close the popup.
  • On the Users list in the User ID column, click on the name of the new user you created, for example vulncheck_admin.
  • Once the record is open, go to the Roles section, and click “Edit”.

Roles

  • Add vulncheck_vr_admin in the collection field of Edit Member form.

VR Admin

  • In the Collection column, select vulncheck_vr_admin and move to the Roles List.
  • Likewise perform the same steps for adding other roles.
  • Click “Save”.

Use Cases

Authentication and Filter Vulnerabilities

This section describes how to authorize the App to fetch data from VulnCheck. This module will help the user to validate the API token and add the filter components. Any condition specified here will be applied to filter out the incoming vulnerabilities.

Provide authentication credentials and filter options

  1. The user needs to navigate to the system properties table by entering sys_properties.LIST.
  2. Search for the Name x_cdsp_vuln_vr.host_url and open the system properties record available and provide the value for host URL used for the VulnCheck API.
  3. Next navigate to Vulnerability Response with Vulncheck -> Configuration. This opens the default record.
  4. Here the user needs to provide the Name for the configuration record shipped.
  5. The user needs to provide the Token for the API, this can be generated by visiting https://vulncheck.com/settings/tokens
  6. Users can modify the filter options for the fields: Minimum EPSS Score, Maximum EPSS Score, Minimum CVSS Score, and Maximum CVSS Score. The values entered in these fields are used to filter the vulnerabilities for mapping into the SNOW tables. If no values are specified, default values will be applied.
  7. Click on update and look for the successful validation message, an error will be displayed in case of incorrect host URL or Token input.

Configuration

Fetch Vulnerabilities from VulnCheck Platform

“VulnCheck for Vulnerability Response” provides functionality to fetch Vulnerabilities and related information from VulnCheck and store them as vulnerabilities and populate the related table.

Vulnerability information is fetched through two integrations: “VulnCheck NVD Integration” and “VulnCheck Exploit Integration.”

  • VulnCheck NVD Integration: This integration is set to run daily. It fetches vulnerabilities from the Vulncheck platform and populates the ServiceNow tables.
  • VulnCheck Exploit Integrations: This integration is set to run on demand and is triggered after VulnCheck NVD Integration is completed. Hence no user intervention is required. It fetches the exploits associated with vulnerabilities and populates the required tables.

Role Required:x_cdsp_vuln_vr.vulncheck_vr_admin Procedure:

  1. Login to the ServiceNow instance.
  2. Navigate to “VulnCheck for Vulnerability Response” and under it click on “Integrations”.

Integratoins

  1. Select Integration with the name “VulnCheck NVD Integration”.

Vulncheck NVD

  1. Activate the "Active" checkbox and click the 'Update' button.

Update

  1. Open the VulnCheck Integration record. To fetch issues on demand, click the “Execute Now” button.
  2. To fetch issues at a specific time interval, select the relevant option from the Run dropdown, set the desired time, and click the “Update” button.

View Vulnerabilities and related data

Users can view the vulnerabilities fetched and related lists: Role Required:x_cdsp_vuln_vr.vulncheck_vr_admin Procedure:

  1. Navigate to “Vulnerability Response” -> “Libraries” -> NVD

Libraries

  1. Then users can search for any specific vulnerability to view using the filter options on SNOW tables and click on the records to view the details of a vulnerability entry information mapped and the related list.
  2. Users can click on the “Enrich NVD” button on the right corner of a vulnerability entry to enrich a particular NVD.

Vulnerability Details

Vulnerability References

  1. To add the “Reported Exploitation” related list Click on hamburger button -> Configure -> Related List -> Click on Edit this View in Vulnerability Response -> Select the “Reported Exploitation → Vulnerability list”

Related Lists

Vulnerability Response

Reported Exploitation

Enrich Vulnerabilities by IDs

Users can enrich a set of vulnerabilities by providing valid IDs. Role Required:x_cdsp_vuln_vr.vulncheck_vr_admin Procedure:

  1. Navigate to “VulnCheck for Vulnerability Response” and under it click on “On Demand NVD Enrichment” module.
  2. Provide a set of valid comma separated NVD IDs to run the enrichment on and click on “Enrich NVDs‘.
  3. A display message will list all the IDs corresponding to the NVDs which are successfully enriched and another message to list all the invalid NVD IDs provided by the user.

NVD Enrichment

Create Vulnerable Items using Exposure Assessment

  1. To utilize exposure assessment, the prerequisite is to ensure that the following tables are populated:
  • cmdb_ci
  • cmdb_sam_sw_install
  • cmdb_sam_sw_discovery_model
  1. Set this system property if the exposure assessment is required to not filter out the inactive CIs
  • The user needs to navigate to the system properties table by entering sys_properties.LIST.
  • Search for the property sn_vul.filter_inactive_sw_installs and set the value to false
  1. Follow these steps to create VIT using Exposure Assessment
  • Navigate to Workspaces and click on Vulnerability Assessment Workspaces

Vulnerability Workspace

  • Under the Assess by CVE tab click on Add button

Vulnerability Workspace

  • Select the desired CVE to populate the VIT for if the CVE is not present on the list click on the show filter panel and then click on the Advanced view.

Add CVE

  • Next build the filter for desired CVEs for eg: Select ID field and is operator with the CVE id as value and click on update

Advanced View

  • Select the required CVE to assess the exposure for and click on Add button

Remote Code

  • Next we can see the vulnerable software and products for the CVE and the software installation count, select the desired exposure configuration and click on the Create Vulnerable Items to create the VITs.

Create Vulnerability Items

Uninstallation

This section describes how to uninstall the “DataBee CMDB Sync” application from a ServiceNow instance.

Role Required: System Administrator (admin) Procedure:

  1. Navigate to “System Applications” -> “All Available Applications” -> “All”.
  2. A list of applications installed in the instance is displayed.
  3. Locate the DataBee CMDB Sync , select it, and click “Uninstall” under the related links.
  4. The application will be uninstalled from your instance.

All

Support, troubleshooting and Known Behaviours

Support

Navigate to “VulnCheck for Vulnerability Response”. For any issues related to the application, navigate to “VulnCheck for Vulnerability Response” then select “Support Contact”.

Support

  • Support Contact opens with VulnCheck support email address.

Contact Support

Troubleshooting

Unable to install “VulnCheck for Vulnerability Response” from ServiceNow store

  1. Verify you have the system administrator (admin) role.
  2. Navigate to “System Definition” then select “All” in your instance.
  3. Verify if the following application is installed or not. If not, then first install this application.

Unable to create New User

Review the following link and execute the steps. https://www.servicenow.com/docs/bundle/xanadu-customer-service-management/page/administer/users-and-groups/task/t_CreateAUser.html

Unable to install/activate the plugin in ServiceNow Instance

Review the following link and execute the steps. https://www.servicenow.com/docs/bundle/xanadu-platform-administration/page/administer/plugins/task/t_ActivateAPlugin.html

User deletes any of the Integration Records

Uninstall the application and reinstall the application.

Integration ends with ECCResponseTimeOutException

  1. The user needs to navigate to the system properties table by entering sys_properties.LIST.
  2. Search for the property glide.http.outbound.max_timeout.enabled and set the value to true. If the property is not available then create a new property of type true|false with the given name in Global scope.
  3. Next search for the property glide.http.outbound.max_timeout and set a higher value such as 60 or 120. If the property is not available then create a new property of type integer with the given name in Global scope.

Edit the list view for a related list

  1. To add/remove the column of a table or of the related list table follow these steps.
  2. Click on the gear icon on the top right

Exploits

  1. Next in the personalize list columns dialog add or remove the columns as desired using the arrow buttons and clock OK.

Personalize

Filigran OpenCTI

Alerts (Email / Slack)