Adding a ServiceNow CMDB Connector will pull data from the CMDB CI table. The user in the Cisco Vulnerability Management connector must have access (read or read/write) to this table and all the associated fields.
If your ServiceNow CMDB instance is large, it is recommended that you filter the results before running the connector for the first time. You can request that support apply a basic filter (u_retired=false^u_active=true) or a more advanced filter if you know a specific device type you want to bring in, such as "servers only".
From within the Connector dialog, you will be able to determine if you want assets activated using the value of the Retired field in the CMDB instead of using the Asset Settings provided by Cisco Vulnerability Management. Note: Scanners will show assets as active until they are no longer found on the network by the scanner. The Retired field is not explicitly tied to the network unless you have policies in place to ensure this. It is recommended to choose a single source of truth to determine asset status (active/inactive). If you choose to have the CMDB Retired field as the source of truth, you should not enable the Asset Settings to avoid assets flipping between active and inactive status.
You may also use the connector to access the Criticality rating in ServiceNow and use that value to determine Asset Priority values in Cisco Vulnerability Management. See Asset Scoring for additional information on how this will affect asset scores in Cisco Vulnerability Management. This data is pulled from cmdb_ci_service in the busines_criticality column, which has values from 1 (high) to 4 (low) by default. If the link between Assets and Business Services is not present, this feature will not be available and no criticality rating will appear in the connector dialog.
Default Data Processing
- Items converted to Cisco Vulnerability Management Tags:
- Owner field in Cisco Vulnerability Management is populated by the "managed_by" CMDB field
Default fields used for Asset matching:
- name = hostname
- ip_address = ip address
- mac_address = mac address
- fqdn = fully qualified domain name
- sys_id or customer defined id = External ID (only defined if ServiceNow asset ID is to be pulled in as the overarching ID for Assets. Example source field: sys_id. External ID should be removed from all other connectors to prevent overriding of the value with vulnerability scanner host ids)
Locator field names can be changed via back-end settings if CMDB fields do not match the defaults. It is a good idea to look at how names are being pulled into Cisco Vulnerability Management from the network scanner before completing this mapping to ensure asset matching. Example:
To ensure asset matching you would want to pull SNOW host_name into Cisco Vulnerability Management.
We have the ability to filter your CMDB data in two ways:
- ServiceNow CMDB Database View
- Query Filtering
ServiceNow Database View
ServiceNow has the ability to create database views. These views can be used to filter the data or combine the data from multiple tables within your ServiceNow CMDB. Cisco Vulnerability Management has the ability to redirect our CMDB connector to use your custom database view. Please consult with your internal ServiceNow resources to develop any custom database views.
Cisco Vulnerability Management's CMDB connector has the ability to filter your CMDB data using a filter that you can build within your ServiceNow CMDB. Follow the instructions below to build your query, then send it to your Cisco CSE to apply.
Generating the query string from within ServiceNow CMDB.
- Open your ServiceNow CMDB system
- Type “cmdb_ci.list” in the Filter Navigation box at the top left of the window, and press Enter
- Click the “Filter Funnel” and apply the desired filters.
- After running the query, you will see a list of breadcrumbs in blue with a link. Right-click on the end term and you will get the option for copying the URL or Query.
- Choose the "Query", and NOT the URL.
- Send this to Cisco to be applied to your CMDB connector
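Before sending the string, you can check it locally. The Python below is an added example, not Cisco or ServiceNow code: it recovers the encoded query if the URL was copied by mistake, lists the fields the filter reads (which the connector's ServiceNow user must be able to read), and builds a ServiceNow REST Table API request for previewing the filter. The host `example.service-now.com` and the sample inputs are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Default locator fields listed on this page.
LOCATOR_FIELDS = ["name", "ip_address", "mac_address", "fqdn", "sys_id"]
# A condition starts with an optional OR/NQ joiner, then a lowercase field name.
_FIELD = re.compile(r"^(?:OR|NQ)?([a-z][a-z0-9_.]*)")


def extract_query(pasted):
    """Return the encoded query whether the Query or the URL was copied."""
    text = pasted.strip()
    if not text.lower().startswith(("http://", "https://")):
        return text  # already the bare query string
    params = parse_qs(urlsplit(text).query)
    if "uri" in params:  # nav_to.do?uri=... wraps the real list URL
        params = parse_qs(urlsplit(params["uri"][0]).query)
    if "sysparm_query" not in params:
        raise ValueError("URL has no sysparm_query; copy the Query instead")
    return params["sysparm_query"][0]


def fields_in_query(query):
    """List the CMDB fields the filter reads, in order of first use."""
    fields = []
    for term in query.split("^"):
        if not term or term == "EQ" or term.startswith(("ORDERBY", "GROUPBY")):
            continue  # sort/group/terminator terms filter nothing
        match = _FIELD.match(term)
        if match and match.group(1) not in fields:
            fields.append(match.group(1))
    return fields


def preview_url(instance, query, limit=5):
    """Build a Table API request showing what the filter would return."""
    wanted = LOCATOR_FIELDS + [f for f in fields_in_query(query) if f not in LOCATOR_FIELDS]
    params = {"sysparm_query": query, "sysparm_fields": ",".join(wanted), "sysparm_limit": limit}
    return "https://%s/api/now/table/cmdb_ci?%s" % (instance, urlencode(params))


if __name__ == "__main__":
    # Constructed input: a list URL copied by mistake instead of the Query.
    copied = ("https://example.service-now.com/cmdb_ci_list.do"
              "?sysparm_query=u_retired%3Dfalse%5Eu_active%3Dtrue")
    query = extract_query(copied)
    print(query)
    print(fields_in_query(query))
    print(preview_url("example.service-now.com", query))
```

Requesting the printed URL while authenticated as the connector's ServiceNow user returns a small sample of the records the filter selects, with the locator fields used for asset matching.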