Discovered Items not matching existing CI

juliesutton
Mega Expert

We are using Qualys to import our vulnerabilities.  When a discovered item doesn't match an existing CI, how do you resolve that?  

1 ACCEPTED SOLUTION

Hey, Julie.

If I recall correctly, when your discovery rules run, they should be robust enough to find the unclassified CI and reclassify it for you. You may need to adjust your discovery rules to find these, though. That takes care of the potential for a duplicate CI.

The discovered item is a different story, and I'm not 100% sure if the matching that would happen during discovery will flip the unmatched flag in the discovered items table to false. I know if you use the Reclassify option on the Discovered Item, it will set it to matched and reclassify the CI for you.

Also, after that reclassification, the next scan for that CI will find the same discovered item and should flip the unmatched flag to false.

We are hoping for low volumes of unmatched CIs, though. Initially it can be a hassle to have to reclassify a large number of CIs by hand, but after the CI matching rules are fleshed out, you should see a decrease in the number of new unmatched CIs.

Let me know if this helps.

Thanks,
Dan

10 REPLIES

Eric Feron
Moderator

Hi Julie,

These 2 tutorials might help get the high-level picture of what is going on with Unmatched Discovered Items.

I suspect that to reduce Unmatched Discovered Items, you will need to work with your CMDB team.

We are working on a specific Qualys tutorial also. A few weeks out though.

juliesutton
Mega Expert

While very useful videos, I don't think either of these addresses the issue. The discovered item didn't match correctly. I now have it sitting in the table as unmatched. There is an existing CI in the correct table. How do I rerun the script or tweak it so that it finds the CI?

We can continue to resolve why it didn't match in the first place in a different process.  I want to know what to do about the ones sitting in the queue now.

Thanks,

Julie

Have a read of this doc page, I think it covers what you need:

https://docs.servicenow.com/bundle/orlando-security-management/page/product/vulnerability-response/t...

Do you know why they are not matching? I'd check the logs to see what the message is, then edit the CI lookup rules to suit so you don't get the unmatched items.

https://docs.servicenow.com/bundle/orlando-security-management/page/product/security-operations-comm...

Some specific info on the Qualys identification script here:

https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-vr/qu...

juliesutton
Mega Expert

I suppose this gets us closer, as I can reclassify a CI, wait for the duplication task to run and create a duplicate, then combine the records. It's just not very efficient. It would be great if I could just select the existing CI and relate the discovered item to it instead of an Unmatched CI.

Thanks, Julie