Discovered item coming from Qualys to ServiceNow in Vulnerability Response doesn't have VIT.

Rahulkalra
Tera Contributor

We saw that there are Discovered Items (Coming from Qualys) that do not have an associated Vulnerable Item, and the CI is created for that Discovered Item (created from IRE). 

 

How I can restrict the IRE rules to restrict the creation of new CI if it doesn't have active vulnerability.

 

Please let me know how to achieve this.

2 REPLIES 2

andy_ojha
ServiceNow Employee
ServiceNow Employee

Hey there - you would to approach the solution here differently.

 

Instead, you can adjust the API Filter that ServiceNow uses when fetching Assets (via the Qualys Host List job) - to filter the Assets brought back from Qualys - to only those that have had vulnerabilities evaluated/processed on them. 

 

This should help bring in assets for those that only have Detections/Vulnerable Items.

 

Do you have access to the NOW Support KB Articles?

This article outlines where to make the configuration change on the Qualys Host List Job, so that we filter/restrict which assets/hosts are fetched from the Qualys API:

 

If you are looking to clean up the "unused" Discovered Item (i.e. not related to Detections or Vulnerable Items):

 

 

 

@andy_ojha Can you please attach PdF for this article if you have support account please ?