Automating Entity Creation from CMDB Tables in Legacy GRC

thomasanton · 3 weeks ago

Hi everyone,

We're currently working with a legacy version of ServiceNow GRC and have started leveraging Entity Types and filters to create entities from two CMDB tables:

Business Applications (cmdb_ci_business_app)
Application Services (cmdb_ci_service_discovered)

We've defined entity types for each and are using filters to generate entities based on attributes like environment, location, and service tier. This has helped us build a more structured view of our risk landscape.

However, we're now looking to automate the creation and maintenance of these entities—especially as our CMDB grows and changes frequently. Since we're not yet on the latest GRC version with Composite Entities, I'm wondering:

What are the best practices for automating entity creation in legacy GRC?
Can we use scheduled jobs, scripts, or flows to dynamically generate entities from filtered CMDB data?
Has anyone implemented a similar setup and found a scalable solution?

Any guidance, examples, or documentation links would be greatly appreciated!

Best regards,

Thomas

Matthias Ferstl · 3 weeks ago

Hi @thomasanton

this is what Entity Types actually do. They create Entities automatically.

Also, if the -lets say- server OS on the CMDB changes from Windows to Linux and you have filters that check on OS, the entity will automatically be reassigned.

This is OOB for many versions, so no need to change a thing here.

Kind Regards

Please mark answers (not only mine) as helpful if they were
and "accepted solutions"This motivates others to take part, post solutions and find answers. Thanks! - Mat

thomasanton · 3 weeks ago

Hi Matthias,

Thank you for the quick response!

That is what the documentation was telling me and what i though should happen. Do you have any troubleshooting ideas for why the entity types wouldn't populate entities automatically?

Thanks,

Thomas

Matthias Ferstl · 3 weeks ago

So. First of all: you earned my respect and the respect of others, that debug customized GRC Applications, by simply asking questions before you script your own stuff.

Second: Keep it that way, GRC has a heavily scripted framework and you will break things if you dont know the framework.

Third:
If you create entites or update things in types, those items will be queued.

This means the process needs some time.

You can take a shortcut by klicking "Update entities from filters" if a filter was created or changed at the Entity Type

If nothing happens, check if your filter finds objects by selevting the filter and taking a look at "No of records matching the condition"

In general: GRC is heavily depending on queues and asynch jobs, because every change has potentially a cascade of changes. This means: To save ressources may things are scheduled jobs, queues, or asynch. So sometimes just wait a bit.

Please mark answers (not only mine) as helpful if they were
and "accepted solutions"This motivates others to take part, post solutions and find answers. Thanks! - Mat

thomasanton · 3 weeks ago

Thank you for the kind words and the screen shots.

Our version does not show the "Update entities from filters" in that spot. I did some digging and found it under UI Actions. I am not sure what to click to force the changes.

I also see the number of records created by filter as well.

How long does it take to process in a Dev environment? Hours or days?

What else should I be looking for?

Thanks,

Thomas