Apply CI Lookup Rules to unmatched discovered items

Syed14
Mega Guru

Hi, 

We have some discovered items which are unmatched but we noticed that they could be matched if we either update CI Lookup Rules or the unmatched CI itself. We know that we can reclassify a discovered item to some specific CI class which is good but still a manual process. So the question we have:

a) How can we manually apply/trigger CI matching rules (CI Lookup Rules) to some of the unmatched discovered items? 

b) If we modify an unmatched discovered item or the CI Lookup Rules, is there any chance that it could be considered as a candidate to become a matched discovered item in a future integration run? In simple words, is there any chance that an unmatched item can become matched?

Thanks

 

1 ACCEPTED SOLUTION

Syed14
Mega Guru

I haven't tested it yet, but I'm happy to see this feature as part of the new release, as it was missing in previous versions.

 


Reapply CI lookup rules on selected discovered items

 


12 REPLIES

Thank you Chris McDevitt. So if I'm using VR for Tenable (SN Developed), then I have to only concentrate on re-arranging the CI Lookup Rules and ignore CI Mapping Rules? Also what if I'm using both SN Developed and also Tenable Developed?

Chris McDevitt
ServiceNow Employee

Well, I do not think technically there is anything stopping you from running both integrations... But you really do not want to do that. I can imagine a lot of duplicate data if you ran both integrations. Disable one integration and focus on the other.  

If you use the SN developed one, focus on the Ignore CI Class and tune it to reflect the needs of your environment. Typically only items that are children of cmdb_ci_hardware.

https://docs.servicenow.com/bundle/quebec-security-management/page/product/security-operations-common/task/ignore-CI-classes.html

Use the Discovered Items module as your guide and focus on Matched items first until you like all of the Classes these incoming assets are matching on.

Then focus on CI Lookup rules to fine-tune the quality of the match. Again, use Discovered Items as your guide.

Last, focus on your unmatched items to see how best to handle them.

 

Thank you Chris...This is really helpful...!

 

Thank you.

Hi Chris, 

Can you please help me on this question that I posted - URGENT: Tenable IO filter data

Thank you.

Chris McDevitt
ServiceNow Employee

Syed,

  • Take a look at the latest VR release and IRE
  • This is not a simple ask, because the VI is comprised of the Unmatched CI. What needs to happen is that existing VI's CI needs to be reclassified. Re-running the rules will not do that.... today...

 

Leveraging OOTB thinking (Qualys, Rapid7, and the SN Tenable Integration)

Here is an option... ugly but an option.

Develop and thoroughly test in a lower environment.

  1. Update and test your CI Matching Rules
  2. Leverage the Auto Close Stale records function
    1. https://docs.servicenow.com/bundle/newyork-security-management/page/product/vulnerability-response/task/vr-autoclosevi.html
    2. or maybe an Auto-Delete Rule
      1. https://docs.servicenow.com/bundle/paris-security-management/page/product/vulnerability-response/task/enable-auto-del-vi-vg.html
  3. Delete the corresponding Unmatched CI records in the Discovered Items table.
  4. Re-run your integration. 

This will create a new VI that is mapped to the CI that is matched in your better rules.

 

  • You will have "duplicate" VI that are linked to an 'Unmatched CI' and are now "Old and Stale".... i.e., perfect for the Auto Close Stale records function.
  • You need to Delete the corresponding records in the Discovered Items table because the first thing the Integration does is reference the Source ID field on that table for a match.

 Just a thought... much testing ahead of you 🙂