Detections Remain in ServiceNow Despite Removal from Microsoft TVM

Issue

Detections Remain in ServiceNow Despite Removal from Microsoft TVM

Release

ALL

Cause

Behavior Overview

- Vulnerable Item Detections are linked to specific CIs (machines).
- In Microsoft TVM, no detections or vulnerabilities exist for the CI "xxxxx"; they have been removed.
- However, in ServiceNow, open detections still appear for this CI, linked to previously imported vulnerabilities.
- Microsoft does not send data for CIs that remain active but have no associated vulnerabilities in TVM.
- This behavior is not a ServiceNow limitation or defect. Microsoft currently does not provide any API or functionality to handle such cases.

Verification Steps:

- Run the Microsoft TVM Machine Integration job.
- Observe that no data is received for CI "xxxxx" (associated with the given Device AAD ID and Device ID in TVM).
- You can confirm this from the sn_vul_msft_tvm_machines_import table in ServiceNow.
- This is the API used to fetch the machine information from Microsoft: GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityChangesByMachine?pageSize=5&sinceTime=2021-05-19T18%3A35%3A49.924Z
- The Microsoft documentation describing this API's capabilities: https://learn.microsoft.com/en-us/defender-endpoint/api/get-assessment-software-vulnerabilities#3-delta-export-software-vulnerabilities-assessment-json-response

Resolution

- To handle such scenarios, the auto-close rules feature is available as part of the Vulnerability Response application.
- To mitigate the issue, enable the auto-close rules by setting the threshold (e.g., 15 days or as per the customer's business requirements).
  1. Navigate to Vulnerability Response > Administration > Auto-Close Configuration > Stale Detections. The Auto-Close Stale Configuration form is displayed.
- Doc: https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/vulnerability-response/task/vr-autoclose-detections.html
- This way, if Microsoft does not send machine or detection/vulnerability information, ServiceNow will wait for the configured number of days and then move the state to stale, after which the associated detections will be closed.
- The auto-close detections scheduled job can be configured to execute at a scheduled time daily: https://xxxxxxxx.service-now.com/nav_to.do?uri=sysauto_script.do?sys_id=ccebece877bd021012c97b051c5a9994
- Auto close rules: https://xxxxxxxx.service-now.com/nav_to.do?uri=sn_vul_cmn_auto_close_rule.do?sys_id=663d7cb015608210f8774ae7518bd551
- Once the job is executed, the count of vulnerable detections decreases as their state changes from Open to Stale for those not seen in the last 15 days.
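
The behavior described above, modeled offline as an added example (not ServiceNow or Microsoft code): a daily import that omits a cleaned-up device never refreshes its detection, and a 15-day stale rule eventually moves it out of Open. The record fields, device names, CVE placeholders, dates and the strict "older than the threshold" comparison are all assumptions made for illustration, and only the Open-to-Stale step is modeled.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 15  # example threshold from the article; set per business need


def apply_import(detections, received, import_time):
    """Refresh last_found only for (device, cve) pairs present in the import.

    Devices that the feed omits are never touched, which is why their
    detections keep the state they had after the last import.
    """
    for det in detections:
        if (det["device_id"], det["cve"]) in received:
            det["last_found"] = import_time


def mark_stale(detections, now, threshold_days=STALE_AFTER_DAYS):
    """Move Open detections not seen within the threshold to Stale."""
    cutoff = now - timedelta(days=threshold_days)
    moved = []
    for det in detections:
        if det["state"] == "Open" and det["last_found"] < cutoff:
            det["state"] = "Stale"
            moved.append(det["device_id"])
    return moved


def simulate(days):
    """Run daily imports for `days` days and return {device_id: state}."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed date
    # Constructed records: both devices had one open detection on day 0.
    detections = [
        {"device_id": "dev-a", "cve": "CVE-0000-0001", "state": "Open", "last_found": start},
        {"device_id": "dev-b", "cve": "CVE-0000-0002", "state": "Open", "last_found": start},
    ]
    # dev-b was cleaned up in TVM, so later imports carry dev-a only.
    feed = {("dev-a", "CVE-0000-0001")}
    for day in range(1, days + 1):
        now = start + timedelta(days=day)
        apply_import(detections, feed, now)
        mark_stale(detections, now)
    return {d["device_id"]: d["state"] for d in detections}


if __name__ == "__main__":
    for d in (10, 15, 16):
        print(d, simulate(d))
```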