Fixed Vulnerable Items still show open in Servicenow

AndrewP · ‎02-16-2022

We have some vulnerable items that only show a single Open detection, but do not seem to be recorded the Closed/Fixed detection. These items no longer exist in Qualys and wondering why Servicenow still shows them as open. We have rescanned and Servicenow updates daily but they are still unable to find the Closed/fixed detection. The vulnerable item in question last updated a few weeks ago. Is there a way to autoclose everything that is not active in Qualys?

Matt Martin1 · ‎03-02-2022

What we have found was that ServiceNow will only close the detection/VIT if the results from the host detection integration show that specific vulnerability as fixed via the API. If the asset is purged within Qualys or the API is not showing that specific QID with a status of Fixed it leaves the associated findings open in ServiceNow. Only way we have found to get these closed is to use the auto close stale detections or manually close the ones we find.

AndrewP · ‎03-02-2022

Thanks Matt,

I believe this is what happened to us as well. We regularly purge assets in Qualys because we have to, and Servicenow can't find a fixed status. It would be helpful if Servicenow created an updated solution that looked for that specific QID in Qualys, and if it can't find it, it closes.

If the host detection integration job fails for a particular day, I can see this being a big issue as well.

Matt Martin1 · ‎03-02-2022

One thing we did was to utilize flow designer to hit the Qualys API and search for a given host id in Qualys. Host ID was a field on the discovered item. Then if the asset doesn't exist in Qualys from the API call we closed out all the detections/VITs