Excluding an OS in Lookup Rules
4 weeks ago
Some of our CIs are matching on our lookup rules, but we want to exclude a certain OS. My first thought is to add a condition on the lookup rule it is matching on, to exclude that OS. However, it just matched on the next rule. So from this I assume that condition will need to be added to each lookup rule so it is not included. I have no problem with doing this, however I wondered if there was an easier way or a more efficient way than just adding conditions to my lookup rules?
4 weeks ago
Hey there,
Are you trying to exclude a certain OS based on the data that is being received from the specific scanner that you are using?
There are really two ways that you could approach this.
- Use CI Ignore Property - https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/security-operations-c...
- Create a new system property and update your lookup rule scripts to include this script for all OSes that you do not want to match against.
There is also the condition builder on a lookup rule, you could potentially use the condition builder for an easier approach, so you don't have to update the script.
I hope this helps!
William
4 weeks ago
Hey William,
Yes, trying to exclude a certain OS based on the data that is being received from the scanner.
I did look at the ignoring CI classes, but it is considered an unclassed CI and I don't want to ignore all unclassed CIs, just the CIs created with a specific OS. It would be nice to ignore CIs not just based on their classification, but on other aspects as well.
We have multiple lookup rules in place, so I think I'll have to add that specific condition to ignore the OS on each lookup rule. I was just curious since we have multiple lookup rules if there was an easier way to go about this.
Appreciate your help!
Emma