Fixed Vulnerable Items still show open in ServiceNow
‎02-16-2022 11:42 AM
We have some vulnerable items that only show a single Open detection, but do not seem to have recorded the Closed/Fixed detection. These items no longer exist in Qualys and we are wondering why ServiceNow still shows them as open. We have rescanned and ServiceNow updates daily, but they are still unable to find the Closed/Fixed detection. The vulnerable item in question was last updated a few weeks ago. Is there a way to auto-close everything that is not active in Qualys?
Labels: Vulnerability Response
‎03-02-2022 11:56 AM
What we have found was that ServiceNow will only close the detection/VIT if the results from the host detection integration show that specific vulnerability as fixed via the API. If the asset is purged within Qualys or the API is not showing that specific QID with a status of Fixed, it leaves the associated findings open in ServiceNow. The only way we have found to get these closed is to use the auto close stale detections or manually close the ones we find.
‎03-02-2022 01:00 PM
Thanks Matt,
I believe this is what happened to us as well. We regularly purge assets in Qualys because we have to, and ServiceNow can't find a fixed status. It would be helpful if ServiceNow created an updated solution that looked for that specific QID in Qualys, and if it can't find it, it closes.
If the host detection integration job fails for a particular day, I can see this being a big issue as well.
‎03-02-2022 01:20 PM
One thing we did was to utilize Flow Designer to hit the Qualys API and search for a given host ID in Qualys. Host ID was a field on the discovered item. Then if the asset doesn't exist in Qualys from the API call, we closed out all the detections/VITs.
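
The reconciliation described in this thread, sketched as an added example that is not from any of the posters or from ServiceNow or Qualys: a VIT is closed only when the host lookup succeeded and the host ID is absent, so a failed API call never closes anything. The function names, VIT numbers and record fields are hypothetical, and the XML bodies are constructed samples whose element names are assumed from the Qualys host list output; check them against your API version.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses (element names assumed, not captured from a live API).
FOUND = "<HOST_LIST_OUTPUT><RESPONSE><HOST_LIST><HOST><ID>1001</ID></HOST></HOST_LIST></RESPONSE></HOST_LIST_OUTPUT>"
EMPTY = "<HOST_LIST_OUTPUT><RESPONSE><DATETIME>2022-03-02T13:20:00Z</DATETIME></RESPONSE></HOST_LIST_OUTPUT>"
ERROR = "<SIMPLE_RETURN><RESPONSE><CODE>0000</CODE><TEXT>constructed error</TEXT></RESPONSE></SIMPLE_RETURN>"

# Constructed open VITs; host_id mirrors the "Host ID" field on the discovered item.
OPEN_VITS = [
    {"number": "VIT0000001", "host_id": "1001"},
    {"number": "VIT0000002", "host_id": "1002"},
    {"number": "VIT0000003", "host_id": "1003"},
    {"number": "VIT0000004", "host_id": "1004"},
]
# host_id -> (HTTP status, response body) from one lookup per host.
LOOKUPS = {"1001": (200, FOUND), "1002": (200, EMPTY),
           "1003": (200, ERROR), "1004": (500, "")}


def host_status(http_status, body, host_id):
    """Classify one lookup as 'present', 'absent' or 'unknown'."""
    if http_status != 200:
        return "unknown"              # transport or auth failure: no verdict
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"              # truncated or non-XML body
    if root.tag != "HOST_LIST_OUTPUT" or root.find("RESPONSE") is None:
        return "unknown"              # error envelope instead of a host list
    ids = {e.text.strip() for e in root.iterfind("RESPONSE/HOST_LIST/HOST/ID") if e.text}
    return "present" if str(host_id) in ids else "absent"


def vits_to_close(open_vits, lookups):
    """Return (close, skipped): close only on a confirmed 'absent' verdict."""
    close, skipped = [], []
    for vit in open_vits:
        status, body = lookups.get(vit["host_id"], (0, ""))  # no lookup -> unknown
        verdict = host_status(status, body, vit["host_id"])
        if verdict == "absent":
            close.append(vit["number"])
        elif verdict == "unknown":
            skipped.append(vit["number"])  # retry later; do not close
    return close, skipped


if __name__ == "__main__":
    print(vits_to_close(OPEN_VITS, LOOKUPS))
```

The skipped list is worth logging: it is the set of items that would have been closed wrongly on a day the lookup or integration job failed.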