Discovered item coming from Qualys to ServiceNow in Vulnerability Response doesn't have VIT.

Rahulkalra · ‎03-07-2025

We saw that there are Discovered Items (Coming from Qualys) that do not have an associated Vulnerable Item, and the CI is created for that Discovered Item (created from IRE).

How I can restrict the IRE rules to restrict the creation of new CI if it doesn't have active vulnerability.

Please let me know how to achieve this.

andy_ojha · ‎03-12-2025

Hey there - you would to approach the solution here differently.

Instead, you can adjust the API Filter that ServiceNow uses when fetching Assets (via the Qualys Host List job) - to filter the Assets brought back from Qualys - to only those that have had vulnerabilities evaluated/processed on them.

This should help bring in assets for those that only have Detections/Vulnerable Items.

Do you have access to the NOW Support KB Articles?

This article outlines where to make the configuration change on the Qualys Host List Job, so that we filter/restrict which assets/hosts are fetched from the Qualys API:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1324696
Qualys API has a neat filter called "vm_processed_after=" that you can use as the filter object (following the instructions from the KB above)
- "(Optional) Show hosts with vulnerability scan results processed after a certain date and time. Specify the date in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT), like “2016-09-12” or “2016-09-12T23:15:00Z”"
https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf

If you are looking to clean up the "unused" Discovered Item (i.e. not related to Detections or Vulnerable Items):

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1349923

Rahulkalra · ‎03-12-2025

@andy_ojha Can you please attach PdF for this article if you have support account please ?