Managing Unmatched CI, Unclassed Hardware and Incomplete IP records

Ronald Merlino
Tera Expert

During the Qualys ingestion and CI Lookup process, if there is no matching CI in the CMDB, an Unmatched CI, Unclassed Hardware or Incomplete IP record is created in the associated table (sn_sec_cmn_unmatched_ci or cmdb_ci_incomplete_ip or cmdb_ci_unclassed_hardware) and an Unmatched CI, Unclassed Hardware or Incomplete IP record is created in the Discovered Items Table.

In a later Qualys ingestion, if that CI has been added to the CMDB, is the record in the Discovered Item Table updated to Matched, and is the record in the Unmatched CI, Unclassed Hardware or Incomplete IP tables removed?

Thanks 

1 ACCEPTED SOLUTION

Ronald Merlino
Tera Expert

Appreciate the information.


4 REPLIES

Chris McDevitt
ServiceNow Employee

Hi,

"In a later Qualys ingestion if that CI had been added to the CMDB is the record in the Discovered Item Table updated to Matched and is the record in the Unmatched CI...."

You need to "reapply" the CI Lookup rules for this to happen. The CI Lookup only runs once on an incoming device. The integration looks at the Source ID to determine if it has seen that device before. If the integration has seen that device, it uses the previous matching configuration item for the current run.

https://docs.servicenow.com/bundle/sandiego-security-management/page/product/vulnerability-response/task/reapply-reconcile-unmatched-discovered-items.html

..."Unclassed Hardware or Incomplete IP tables removed?"

No, and Yes.... Let me explain:

If ServiceNow Discovery locates and finds a match between an Unclassed Hardware item and a newly discovered device, that device will be reclassified to its correct class (i.e. it will be moved from the Unclassed Hardware class to whatever class ServiceNow Discovery / IRE decides it should be).

https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/product/configuration-management/concept/c_CIReclassification.html

If the missing configuration item is added with a non-IRE method, then you will have two records.

Hi Chris,

In line with the above information, I need to know what other critical information is missing, based on which a CI gets created in the “Incomplete Identified IP Device” class rather than “Unclassed Hardware”. I need to understand the key identifier attributes.

The Incomplete Identified IP Device class is used when only the IP address is available for asset lookup. These are commonly unauthenticated scans, and are not able to access any additional information about the asset.
