Discovered Items not matching existing CI

juliesutton · ‎03-03-2020

We are using Qualys to import our vulnerabilities. When a discovered item doesn't match an existing CI, how do you resolve that?

Dan Daugherty · ‎03-04-2020

Hey, Julie.

If I recall correctly, when you discovery rules run, they should be robust enough to find the unclassified ci and reclassify it for you. You may need to adjust your discovery rules to find these, though. That takes care of the potential for a duplicate ci.

The discovered item is a different story, and I'm not 100% if the matching that would happen during discovery will flip the unmatched flag in the discovered items table to false. I know if you use the Reclassify option on the Discovered Item, it will set it to matched and reclassify the CI for you.

Also, after that reclassification, the next scan for that ci will find the same discovered item and should flip the unmatched flag to false.

We are hoping for low volumes of unmatched ci's, though. Initially it can be a hassle to have to reclassify a large number of ci's by hand, but after the ci matching rules are flushed out, you should see a decrease in the number of new unmatched ci's.

Let me know if this helps.

Thanks,
Dan

View solution in original post

Barry K · ‎01-12-2021

Julie, did you ever get to end of job on this one. We have a similar situation where it has chosen the wrong CI in CMDB and now we want to change it to the proper one.

If we adjust the CI in the detections table will it continue to use that for any future VIs created as I don't want to end up creating duplicate VIs.

Thanks