This topic describes ServiceNow App known issues.

For updates to these known issues, see ServiceNow 3.0.0 Release Notes.

ITSM and SecOps

  • SOAR actions including Update Endpoint Policy, Quarantine/Unquarantine Endpoint, and Delete File on Endpoint sometimes show multiple “Flow Execution started for….action” Worknotes for a single action.
  • For some Process GUIDs, you might not get Process Metadata for selected alerts.
  • When fetching process details using an alert’s process GUID, sometimes the API response does not include that Alert ID. This results in the initiating alert not having an associated process record.
  • Enriched events: Because page size is set as 1000 in API calls, there is a mismatch in counts while fetching events in pages.
  • Flow number is shown instead of flow name in Worknotes for SOAR action in the ServiceNow Quebec version.
  • Resolved in version 2.1.0 of both apps: If Incident Creation Criteria are set and you give a default value to Alert Aggregation, the condition given to Incident Creation will either disappear (if performed for the first time) or show the previous value .
  • Able to perform Quarantine Endpoint SOAR action even if the alert has already been quarantined.
  • Able to perform Unquarantine Endpoint SOAR action even if the alert has already been unquarantined.
  • Able to perform Ban Process Hash SOAR action even if the alert has already been banned.
  • Able to perform Unban Process Hash SOAR action even if the alert has already been unbanned.

Vulnerability Response

  • The application does not support a sliding window mechanism to get timebound sets of vulnerabilities; that is, the application will always fetch all the vulnerabilities from Carbon Black Cloud.
  • If the user changes the Run field from the VMware Carbon Black Cloud Vulnerabilities Integration, it will not get reflected on the record of Configuration Profile that is associated with the same Integration Instance.
  • The number of Vulnerable Items can be greater than the number of Vulnerabilities.
  • ServiceNow requires asset name to be unique; however, this is not enforced in Carbon Black Cloud. If two devices have different Device IDs and the same name in Carbon Black Cloud, one device will be discarded during ingest to ServiceNow.
  • When the default Integration instance is not valid, the user can change the Validation Status from the list of Integration instances.
  • If any integration is in the Ready state, then all other integration runs are discarded because only one integration can be in the Ready state at any given time.
  • When any integration is in a Running or Wait Complete state and you stop the integration run, the state is Complete and the substate is User Cancelled. After some time the substate transitions to Success.
  • If the profile is inactive and you run the scheduler, it will not run and the substate in Integration run is Failed with a note Encountered error running the integration. Error: Cannot run integration without VR configuration profile.
  • A log exists that has the message 0 in system logs, which are at the Information level.
  • Sometimes empty diagnostic logs are found that contain a message in the form-view, but the message shows empty in the list-view.
  • When you run a scheduler from the configuration profile and then manually changes the scheduler from Integration Instance, the scheduler is set to the value that you set in Integration Instance.