- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-15-2022 03:32 PM
During the Qualys ingestion and CI Lookup Process if there is no matching CI in the CMDB an Unmatched CI, Unclassed hardware and Incomplete IP record is create their associated tables (sn_sec_cmn_unmatched_ci or cmdb_ci_incomplete_ip or cmdb_ci_unclassed_hardware) and an Unmatched CI, Unclassed Hardware or Incomplete IP record is created in the Discovered Items Table.
In a later Qualys ingestion if that CI had been added to the CMDB is the record in the Discovered Item Table updated to Matched and is the record in the Unmatched CI, Unclassed Hardware or Incomplete IP tables removed?
Thanks
Solved! Go to Solution.
- Labels:
-
Vulnerability Response
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-17-2022 07:11 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-16-2022 05:46 AM
Hi,
"In a later Qualys ingestion if that CI had been added to the CMDB is the record in the Discovered Item Table updated to Matched and is the record in the Unmatched CI...."
You need to "reapply" the CI Lookup rules for this to happen. The CI Lookup only run once on an incoming device. The integration looks at the Source ID to determine if it has seen that device before. If the integration has seen that device, it uses the previous matching configuration item for the current run.
https://docs.servicenow.com/bundle/sandiego-security-management/page/product/vulnerability-response/task/reapply-reconcile-unmatched-discovered-items.html
..."Unclassed Hardware or Incomplete IP tables removed?"
No, and Yes.... Let me explain:
If ServiceNow Discovery locates and finds a match between an Unclassed Hardware item and a newly discovered device that device will be reclassified to its correct class. (i.e. it will be moved from the Unclassed Hardware class to whatever class ServiceNow Discovery / IRE decides it should be).
https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/product/configuration-management/concept/c_CIReclassification.html
If the missing configuration item is added with a non-IRE method, then you will have two records.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2024 06:30 PM
Hi Chris,
Inline with above information, I need to know as What are the other critical information missing based on which CI gets created in “Incomplete Identified IP Device” class rather than “Unclassed Hardware”. Need to understand the key identifier attributes ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-14-2024 06:08 AM
Incomplete Identified IP Device class is used when only the IP Address is available for asset lookup. These are commonly unauthenticated scans, and are not able to access any additional information about the asset.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-17-2022 07:11 AM
Appreciate the information.
