CI Lookup Rules

tapasvi
Giga Contributor

Hi Folks,

I am troubleshooting an issue wherein I need to understand the CI mapping rules for VM Rapid & data import.

Issue - Rapid7 (Intsights VM) has scanned an asset with URL - xyz.com; however, when the VI got created it was created with IP address. Shouldn't it create the VI with URL name in CI field?

Do we have 1-1 mapping for CI under CI mapping rules or is it 1-many?

Example: If an asset is scanned in Rapid7 with IP address then will it only search its match in the CMDB IP class or will it do a complete search in CMDB table?

I am assuming that even if I have 1 attribute (IP or FQDN or MAC or Hostname) in the scanned source data it should populate the related CI under VI table configuration field.

10 REPLIES

Shivam Sarawagi
ServiceNow Employee

Hi,

Can you check if in "Source Data" of discovered item you are getting the FQDN?

Also, the mapping between columns of "Unmatched CI" and Rapid7 attributes is defined in table sn_sec_cmn_src_cmdb_map.

Note: If it finds multiple CIs while running a Lookup rule, the first CI will be picked.

Thanks

Chris McDevitt
ServiceNow Employee

Let's see...

1. When a new asset is ingested it runs through all of the CI Lookup Rules starting with the Lowest to Highest order rule. The first rule to match wins and the rules are no longer processed.

2. In the case of an IP address it will search a few classes starting with the network adapter. (Note that IP address matching in any platform is full of issues. These issues stem from organizations' lack of IP address discipline and keeping the CMDB up to date.)

3. The new CI is created based on the data supplied by the scanner. Take a look at the 'Source Data' in the matching Discovered Item.

I almost forgot, the latest version no longer creates items in the 'Unmatched CI' class.

https://docs.servicenow.com/bundle/paris-security-management/page/product/vulnerability-response/concept/ci-creation-using-IRE.html

Hi Chris,

I'm having trouble understanding why my CI Lookup rule is not working on a certain search criteria.

Here is what I'm trying to achieve.

CMDB CI details:

CI name: xxxxx

HostName: yyyy

In here I'm trying to search by host name with FQDN from Tenable in two different ways.

// _queryMatch function checks if the query returns 0, 1 or more than 1 CI.
// it returns:
//    null: if no CI found
//    ci record: if a unique CI was found
//    the first CI record found: if more than 1 CI was found and log a duplicate error message
//    To avoid specific CI classes ,add the class names, comma separated, to the property sn_sec_cmn.ignoreCIClass
(function process(rule, sourceValue, sourcePayload) {
    var sourceField = {};
    var ignore = global.SecProperty.getProperty("sn_sec_cmn.ignoreCIClass", "");
    sourceField[rule.source_field] = sourceValue;

    var cmdbci = new GlideRecord("cmdb_ci");
    cmdbci.addQuery("fqdn", "IN", sourceValue);
    if (!gs.nil(ignore))
        cmdbci.addQuery('sys_class_name', 'NOT IN', ignore);
    cmdbci.query();

    cmdbci = _queryMatch(cmdbci, rule, sourceField);

    if (cmdbci)
        return cmdbci.getUniqueValue();

    cmdbci = new GlideRecord("cmdb_ci");
    cmdbci.addQuery("name", "IN", sourceValue);
    if (!gs.nil(ignore))
        cmdbci.addQuery('sys_class_name', 'NOT IN', ignore);
    cmdbci.query();

    cmdbci = _queryMatch(cmdbci, rule, sourceField);

    if (cmdbci)
        return cmdbci.getUniqueValue();

    cmdbci = new GlideRecord("cmdb_ci");
    cmdbci.addQuery("fqdn", 'STARTSWITH', sourceValue + '.');
    if (!gs.nil(ignore))
        cmdbci.addQuery('sys_class_name', 'NOT IN', ignore);
    cmdbci.query();

    cmdbci = _queryMatch(cmdbci, rule, sourceField);

    if (cmdbci)
        return cmdbci.getUniqueValue();

    cmdbci = new GlideRecord("cmdb_ci");
    cmdbci.addQuery("name", 'STARTSWITH', sourceValue + '.');
    if (!gs.nil(ignore))
        cmdbci.addQuery('sys_class_name', 'NOT IN', ignore);
    cmdbci.query();

    cmdbci = _queryMatch(cmdbci, rule, sourceField);

    if (cmdbci)
        return cmdbci.getUniqueValue();

    cmdbci = new GlideRecord("cmdb_ci_server");
    cmdbci.addQuery("host_name", "IN", sourceValue);
    if (!gs.nil(ignore))
        cmdbci.addQuery('sys_class_name', 'NOT IN', ignore);
    cmdbci.query();

    cmdbci = _queryMatch(cmdbci, rule, sourceField);

    if (cmdbci)
        return cmdbci.getUniqueValue();

    cmdbci = new GlideRecord("cmdb_ci_server");
    cmdbci.addQuery("host_name", 'STARTSWITH', sourceValue + ".");
    if (!gs.nil(ignore))
        cmdbci.addQuery('sys_class_name', 'NOT IN', ignore);
    cmdbci.query();

    cmdbci = _queryMatch(cmdbci, rule, sourceField);

    if (cmdbci)
        return cmdbci.getUniqueValue();

    return null;
})(rule, sourceValue, sourcePayload);

Now the validation has to occur from the two sections of the code which is where they're failing.

    cmdbci = new GlideRecord("cmdb_ci_server");
    cmdbci.addQuery("host_name", "IN", sourceValue);
    if (!gs.nil(ignore))
        cmdbci.addQuery('sys_class_name', 'NOT IN', ignore);
    cmdbci.query();

    cmdbci = _queryMatch(cmdbci, rule, sourceField);

    if (cmdbci)
        return cmdbci.getUniqueValue();

    cmdbci = new GlideRecord("cmdb_ci_server");
    cmdbci.addQuery("host_name", 'STARTSWITH', sourceValue + ".");
    if (!gs.nil(ignore))
        cmdbci.addQuery('sys_class_name', 'NOT IN', ignore);
    cmdbci.query();

    cmdbci = _queryMatch(cmdbci, rule, sourceField);

    if (cmdbci)
        return cmdbci.getUniqueValue();

The CI's host_names are matching with the FQDN even if the names of the CI are different. But none of the logic is working.

Can you help me understand why the Lookup rule is not getting validated?
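
Added example, not part of the original post or of ServiceNow's code: a plain JavaScript model of the six queries in the script above, run over constructed CMDB rows, to show which direction each comparison works in and what happens when several CIs match. The rows, the `server` flag, the `.corp.example` domain and the `lookup`/`matches` helpers are assumptions made for illustration; case handling is not modelled.

```javascript
// Constructed CMDB rows, not real data. `server` marks rows that would be
// returned by a query on cmdb_ci_server; a query on cmdb_ci sees every row.
const CMDB = [
  { sys_id: "a1", server: true,  sys_class_name: "cmdb_ci_linux_server", name: "xxxxx",   fqdn: "", host_name: "yyyy" },
  { sys_id: "b2", server: true,  sys_class_name: "cmdb_ci_win_server",   name: "web01",   fqdn: "", host_name: "" },
  { sys_id: "c3", server: true,  sys_class_name: "cmdb_ci_linux_server", name: "web01",   fqdn: "", host_name: "" },
  { sys_id: "d4", server: false, sys_class_name: "cmdb_ci_netgear",      name: "sw-core", fqdn: "sw07.corp.example" },
];

// The six queries of the lookup script, in order: [table, field, operator].
const STEPS = [
  ["cmdb_ci", "fqdn", "IN"],
  ["cmdb_ci", "name", "IN"],
  ["cmdb_ci", "fqdn", "STARTSWITH"],
  ["cmdb_ci", "name", "STARTSWITH"],
  ["cmdb_ci_server", "host_name", "IN"],
  ["cmdb_ci_server", "host_name", "STARTSWITH"],
];

// IN: the CI field must equal one of the comma-separated source values.
// STARTSWITH: the CI field must begin with sourceValue + ".", so the scanner
// value is treated as the short name and the CI field as the longer FQDN.
function matches(op, fieldValue, sourceValue) {
  if (!fieldValue) return false;
  if (op === "IN") return sourceValue.split(",").includes(fieldValue);
  return fieldValue.startsWith(sourceValue + ".");
}

// Returns the first hit of the first step that matches, or null.
// `duplicate` mirrors the case where _queryMatch would log a duplicate error.
function lookup(sourceValue, ignoreClasses = "") {
  const ignored = ignoreClasses ? ignoreClasses.split(",") : [];
  for (const [i, [table, field, op]] of STEPS.entries()) {
    const hits = CMDB.filter(ci =>
      (table === "cmdb_ci" || ci.server) &&
      !ignored.includes(ci.sys_class_name) &&
      matches(op, ci[field], sourceValue));
    if (hits.length)
      return { sys_id: hits[0].sys_id, step: i + 1, duplicate: hits.length > 1 };
  }
  return null;
}

console.log(lookup("yyyy"));               // short name from the scanner
console.log(lookup("yyyy.corp.example"));  // FQDN from the scanner, short host_name in CMDB
console.log(lookup("web01"));              // two CIs share the name
```

In this model a short source value can reach a CI whose field holds the FQDN, but a source FQDN never reaches a CI whose `host_name` holds only the short name, which is why the 'Source Data' of the Discovered Item is the first thing to compare against the CI record.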

Chris McDevitt
ServiceNow Employee

Without a specific example, it is hard for me to understand what is going on.

and

"Now the validation has to occur from the two sections of the code which is where they're failing."

I'm sure I understand what you mean here...