andy_ojha
ServiceNow Employee

The more you know - SecOps and CMDB Interactions (Video)

🍹 Need a refresher on SecOps (VR / CC) and CMDB?

🤔 Curious about how CMDB IRE fits in with the SecOps CMDB CI Lookup process?

😯 Found yourself saying - “wait… so all of the unknown hosts from VR do not go into the Unmatched CI Class”

Want a step-by-step walk through of the moving parts involved with SecOps (VR / CC) and the ServiceNow CMDB?

We’ve put together an in-depth review here to help.

The knowledge shared here aims to help both - folks that are new to ServiceNow SecOps applications, and those that have been around and want a refresher.

Check out our video below from @denny and @andy_ojha

Useful Resources:

Comments
andy_ojha
ServiceNow Employee

Update for Scenario 3 illustrated in the video (IRE Matches the Imported Host - rather than the SecOps CI Lookup Rules)...

  • The behavior illustrated in the video was true in versions of the Store Apps prior to Feb 2023 (specifically in versions of Security Support Common, prior to v13.5.2)
    • The only way to determine if IRE was the mechanism used to match to a Target CMDB CI on a Discovered Item, was to look for records where the State = Matched, and CI Lookup Rule = Empty as illustrated in Scenario 3 of the video

This has been greatly enhanced as of the Feb 2023 release (Security Support Common)

  • "New: Added the column 'Matching type' to the Discovered items table to understand whether the discovered item has been matched by IRE or CI lookup rules..."
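As an added example (not from the video, the comment above, or the Security Support Common app itself), the check described in that comment written as plain JavaScript over constructed sample rows: before v13.5.2 the matching mechanism has to be inferred from State plus an empty CI Lookup Rule, and from v13.5.2 on the 'Matching type' column can be read directly. The field names `state`, `ci_lookup_rule` and `matching_type` are assumptions, not confirmed against the app's dictionary; on an instance the rows would come from a GlideRecord query against the Discovered items table instead of the inline array.

```javascript
// Added example: work out which mechanism matched a Discovered Item.
// Assumed field names (not verified against the app's data dictionary):
//   state          - e.g. "Matched" / "Unmatched"
//   ci_lookup_rule - display value of the CI lookup rule, "" when empty
//   matching_type  - only populated on Security Support Common v13.5.2+
function matchingMechanism(item) {
  if (item.state !== 'Matched') {
    return 'not matched';
  }
  // v13.5.2+ (Feb 2023 release): the app records the mechanism directly.
  if (item.matching_type) {
    return item.matching_type;
  }
  // Pre v13.5.2: inference only. Matched with an empty lookup rule means
  // IRE did the matching; a populated rule means a CI lookup rule did.
  return item.ci_lookup_rule ? 'CI lookup rule' : 'IRE';
}

// Count items per mechanism, the way you would scan a result set to see
// how much of the CMDB mapping is coming from IRE versus lookup rules.
function summarize(items) {
  const counts = {};
  for (const item of items) {
    const mechanism = matchingMechanism(item);
    counts[mechanism] = (counts[mechanism] || 0) + 1;
  }
  return counts;
}

// Constructed sample rows (not real instance data).
const SAMPLE_ITEMS = [
  { state: 'Matched',   ci_lookup_rule: 'IP and hostname', matching_type: '' },
  { state: 'Matched',   ci_lookup_rule: '',                matching_type: '' },
  { state: 'Matched',   ci_lookup_rule: '',                matching_type: 'IRE' },
  { state: 'Unmatched', ci_lookup_rule: '',                matching_type: '' },
];

console.log(summarize(SAMPLE_ITEMS));
```

On an instance the same classification can be applied row by row while iterating a GlideRecord; the point of keeping the two branches separate is that the inference branch only applies to records created before the upgrade, and the explicit column should be preferred whenever it is populated.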
Eric Feron
Moderator

Some more recommended resources to help you with CI Matching:


SN Arch Guy
Giga Guru

Thank you @denny and @andy_ojha and @Eric Feron for the helpful video. I do have some questions, though:

 

  1. Regarding scenario 2 (no match found using SecOps CI Lookup/IRE creation), does the SecOps import process have any classification logic in it? It sounds like it will use IRE for identification, but that it is always putting the CI into Unclassed Hardware (or maybe Incomplete IP or Unmatched CI)? It would be really helpful, if it had enough information, to put a device into Windows Server for example, like Discovery would do.
  2. Regarding scenario 3 (no match found using SecOps CI Lookup/IRE identification), why is this an edge case? This case might be very common when a customer is using Discovery and/or Service Graph Connectors (SGCs) initially, and later adds a SecOps/VR integration.
  3. Regarding any scenario, is there any difference between using a security vendor's SGC app versus using their VR import app in the CMDB population logic? There are many vendors that have both types of apps on the store. Clearly the SGC apps would not invoke any vulnerability logic, but I would expect them to operate similarly to other "simple" SGCs like SCCM or Intune, which when they have enough information will put CIs into an appropriate class, and do not put CIs into Unclassed Hardware.

We are actually seeing some issues with a security vendor's SGC app (we don't have their VR app) where it is identifying an existing CI which was initially populated by Discovery and/or an SGC, but then changes the CI class to Unclassed Hardware. This is unexpected and seems completely wrong. Even worse, it then deletes the CI's related records using a RecordRemoval script; see https://www.servicenow.com/docs/bundle/washingtondc-servicenow-platform/page/product/configuration-m....

 

Note that our instance is currently on Washington.

Version history
Last update:
‎10-15-2024 07:35 AM