Why are some vulnerable items getting created and some are not for the same CI?

Dommer
Tera Contributor

Hi all,

Can someone explain the process by which Vulnerable Items get created and what tables are referenced? I have 3 VITs, all with the same CI, but we know Tenable.io found more vulnerabilities for that CI. I can see the vulnerabilities in the third-party entries table, populated with data, but there's no VIT for them. The discovered item is there for the CI and is clearly finding a match with a CI lookup rule. All the data is populating, so why is VR creating only some VITs and not all of them for this CI? This is just one example, but it's happening with other matching CIs.

Thanks,


Voona Rohila
Kilo Patron

Hi Dommer,

Check the vulnerability detections for that VIT in the Detections tab.

Check if those vulnerable detections are fixed in "Tenable", and also if the integration is bringing fixed vulnerabilities or not.


Kind Regards,
Rohila V
2022-25 ServiceNow Community MVP

Dommer
Tera Contributor

Thanks for your reply. The detections tab for the VI is showing the detection item and is getting updated weekly during the Tenable integration runs. I can confirm that the vulnerabilities for the missing VITs have a state of open in Tenable. VR should be creating VITs for them, but is not.

To further clarify, both Fixed and Open vulnerability imports are running successfully.

Rachna S
Tera Guru

Hi @Dommer,

Did you ever find the root cause of your issue?

Hi,
I currently have an open case with SN. I discovered that the TenableIOProcessor script include has an exception for vulnerabilities with family_id '39'. The SN docs state that Tenable.SC should have this exception! So this is the practical reason why some are not created!

However, I don't think it is correctly configured. The response I got so far is that I should deploy a fix myself and change 39 to 28. I am, however, still waiting to have access to the problem record that was linked. I want to know why a family id of 28 would be the correct option to be excluded, why this exception is not included in the TenableSCProcessor script include, and why the docs state the exception for family id '39' is in the Tenable.sc integration, where no exception can be found, while the docs don't say anything about family id '28' being excluded in the Tenable.io integration.

So that is all that I currently know about it!