Can CI lookup rules "find" Unclassed Hardware?

Christoph4
Tera Contributor

Good morning,

I'm trying to understand if CI lookup rules can return an "Unclassed Hardware" item?

 

Here is the situation:

- I have a vulnerability on "somehost.domain.com"

- There is a matching CI in the CMDB, but it was just called "somehost" and does not contain the FQDN

- There is a FQDN rule but it looks for the whole FQDN in the CI

- In a first run an "Unclassed Hardware" CI was created named "somehost.domain.com"

 

I then created a new lookup rule that comes after the "Full FQDN" rule and just looks at the hostname. But after re-applying it still picks the Unclassed Hardware and I'm now not sure if this happens because the "Full FQDN" rule finds the still existing "Unclassed Hardware" item first?

How exactly does the rule engine deal with already existing "Unclassed Hardware" and "Incomplete IP identified" CIs?

 

1 ACCEPTED SOLUTION

tkrishna29
Giga Guru

It's because now you have duplicate CIs in the system, one with the corrected FQDN of some class and another in the cmdb_ci_hardware class. Try adding cmdb_ci_hardware to the sn_sec_cmn.ignoreCIClass system property so that the system will not consider items from that class every time it runs. I also use it to ignore other classes that I don't want the system to search on.

Note that you have the following lines in your CI lookup rules. (It's in the default lookup rules)

 

var ignore = global.SecProperty.getProperty("sn_sec_cmn.ignoreCIClass","");

cmdbci.addQuery('sys_class_name','NOT IN', ignore);
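
A simplified model of the behaviour described in this answer, added here as an example (it is not part of the original post and not ServiceNow code): rules run in order over the CMDB, and the ignore property removes whole classes from the candidate pool before any rule looks at them. The CI records, sys_ids, rule orders, the real CI's class and the assumption that the FQDN rule compares against both name and fqdn are constructed for illustration; the placeholder's class follows the answer.

```javascript
// Simplified model of ordered CI lookup rules (constructed data, not ServiceNow code).
// Assumption: the placeholder CI carries class cmdb_ci_hardware, as the answer states.
const cmdb = [
  { sys_id: "ci-001", name: "somehost", fqdn: "", sys_class_name: "cmdb_ci_linux_server" },
  { sys_id: "ci-002", name: "somehost.domain.com", fqdn: "somehost.domain.com",
    sys_class_name: "cmdb_ci_hardware" }, // placeholder created by the first run
];

// Rules in evaluation order; each returns the CIs it matches for a scanned host.
const rules = [
  { name: "Full FQDN", order: 100,
    match: (host, cis) => cis.filter(ci => [ci.fqdn, ci.name]
      .some(v => v.toLowerCase() === host.toLowerCase())) },
  { name: "Hostname only", order: 200,
    match: (host, cis) => {
      const short = host.split(".")[0].toLowerCase();
      return cis.filter(ci => ci.name.toLowerCase() === short);
    } },
];

// Mirrors addQuery('sys_class_name', 'NOT IN', ignore): the property value is a
// comma-separated list, and an empty value excludes nothing.
function candidates(ignoreProperty) {
  const ignore = ignoreProperty.split(",").map(s => s.trim()).filter(Boolean);
  return cmdb.filter(ci => !ignore.includes(ci.sys_class_name));
}

// Run every rule in order: the first hit is the match, later hits are "other matched CIs".
function lookup(host, ignoreProperty) {
  const pool = candidates(ignoreProperty);
  const hits = [];
  for (const rule of [...rules].sort((a, b) => a.order - b.order)) {
    for (const ci of rule.match(host, pool)) {
      if (!hits.some(h => h.sys_id === ci.sys_id)) hits.push({ rule: rule.name, ...ci });
    }
  }
  return { matched: hits[0] || null, others: hits.slice(1) };
}

console.log(lookup("somehost.domain.com", ""));                 // placeholder wins
console.log(lookup("somehost.domain.com", "cmdb_ci_hardware")); // real CI wins
```

With the property empty, the earlier FQDN rule keeps returning the placeholder and the real CI only shows up as a secondary match; once the class is ignored, the hostname rule is the only one that hits.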


4 REPLIES

Ashutosh Munot1
Kilo Patron

Hi,

All rules should be evaluated for the CI coming into ServiceNow for VR. There is a field on the Discovered Items record called Other matched CIs. It contains other CIs which are matched via other rules.

Check what is in that field. Try changing the order of the rule. Also check this for a detailed description of how the rules work.

Vulnerability Response and The Discovered Items Module - Security Operations - Article - ServiceNow ...

Thanks,
Ashutosh

Voona Rohila
Kilo Patron

Hi Christoph

I had the same case: every time I re-apply lookup rules on an unmatched discovered item, it picks up the same Unclassed Hardware CI (the rule finds the unclassed CI first). I tried to reconcile unmatched items, which worked.

 

Reconcile unmatched discovered items

https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/ta...


Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.
Kind Regards,
Rohila V
2022-25 ServiceNow Community MVP

+1
