12-07-2023 04:30 AM
Hi All,
I am seeing a weird issue.
I have 1 CI, and for that CI, 27 Discovered Items have been created. Out of those 27, only 1 has VITs, and the rest are empty. What could be the reason for this many Discovered Items? How do I fix this issue?
Regards,
Maloy Banerjee
12-09-2023 11:31 AM
@Maloy Banerjee1
Hey Maloy,
What you are seeing per se is not an issue that needs a fix in that sense.
1. The Discovered Item table is a list of hosts that we are getting reported by our vulnerability scanners.
The reason 27 Discovered Items have been created is (and feel free to check this) that each Discovered Item is being reported with a different source ID from our scanner, which basically means the scanner identifies each Discovered Item as a different physical host.
To add to the answer of @Joe Kline: this is correct; if we are running network and agent scans, Qualys or other scanners may even report 2 separate source IDs for the same physical host.
2. The potential reason you have 27 Discovered Items related to a single CI in the CMDB
What I think happened in your case is that the scanner is seeing 27 separate hosts, and hence is creating a Discovered Item for each one of them.
After creating the Discovered Items, we are running the CI lookup rules first to identify a matching CI in the ServiceNow CMDB.
Now these 27 Discovered Items may have all matched to the same CI in the CMDB, based on the configured and in-use CI lookup rules.
If you are looking at the Discovered Items and see different names and/or IP addresses, you may be thinking: how are they all matching to the same CI?
You also have to take a look at the potential CMDB relationships that are leveraged.
In case you are receiving 27 different IP addresses, one for each Discovered Item, and by using that IP address you are matching to some low-level network devices, the CMDB relationships are used to find a parent CI, which could again lead them to the same CI in the CMDB, even though they are different IPs, etc.
To answer your question:
The sole fact that 27 DIs are leading to the same single CI is not something that requires a fix.
Of course, all information provided is just based on my experience and is something you ideally should validate in order to resolve your concerns.
12-07-2023 08:25 AM
Hi Maloy,
We use Qualys as our vulnerability scanner, and I get multiple SDI records created for the same CI because we scan with both agent and remote network scans. Anything that can cause Qualys to have more than one HostID on their side will create a new SDI on the SecOps side, since the reference there is based on matching the source ID values ...
Not sure if this explains similar conditions in your situation, but there certainly can be multiple SDIs associated to a single CI ...
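The flow that Joe's reply and the accepted answer describe, as an added example that is not part of the thread and not ServiceNow's own code: scanner host records become one Discovered Item per distinct scanner source ID, CI lookup rules are then tried in order against each Discovered Item, and CMDB relationships are followed from a low-level CI up to its parent. The CMDB records, scanner records, rule order, and every table and field name below are made up for illustration; the real instance's schema and lookup-rule configuration will differ.

```javascript
// Added example, not ServiceNow's own code: a node.js model of the flow the
// thread describes. Scanner host records are deduplicated into Discovered
// Items by scanner source ID, CI lookup rules are applied in order to each
// Discovered Item, and CMDB relationships are followed up to a parent CI.
// Every table, field, rule and record below is hypothetical.

// Constructed CMDB sample: one server plus lower-level CIs related to it.
const CMDB = {
  cis: [
    { sys_id: "ci-app01", cls: "cmdb_ci_linux_server", name: "app01", ip: "10.0.0.10" },
    { sys_id: "ci-nic-1", cls: "cmdb_ci_network_adapter", name: "app01-eth1", ip: "10.0.0.11" },
    { sys_id: "ci-nic-2", cls: "cmdb_ci_network_adapter", name: "app01-eth2", ip: "10.0.0.12" },
    { sys_id: "ci-vip", cls: "cmdb_ci_lb_vip", name: "vip-app", ip: "10.0.1.5" },
  ],
  // child -> parent relationships (e.g. "Owned by", "Runs on")
  relations: [
    { child: "ci-nic-1", parent: "ci-app01" },
    { child: "ci-nic-2", parent: "ci-app01" },
    { child: "ci-vip", parent: "ci-app01" },
  ],
};

// Constructed scanner output. Only the agent record carries detections.
const SAMPLE_RECORDS = [
  { source_id: "AGENT-0001", host: "app01", ip: "10.0.0.10", vits: ["vuln-a", "vuln-b"] },
  // Same agent reporting again: same source ID, so no new Discovered Item.
  { source_id: "AGENT-0001", host: "app01", ip: "10.0.0.10", vits: ["vuln-a", "vuln-b"] },
  // A host the CMDB does not know at all: stays unmatched.
  { source_id: "NET-9999", host: "", ip: "192.168.99.99", vits: [] },
];
// 26 network-scan records, each with its own source ID and no detections,
// spread over the IPs of app01 and of the CIs related to it.
const SCANNED_IPS = ["10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.1.5"];
for (let i = 1; i <= 26; i++) {
  SAMPLE_RECORDS.push({
    source_id: `NET-${String(i).padStart(4, "0")}`,
    host: i % 3 === 0 ? "APP01.example.com" : "", // some scans resolve a name
    ip: SCANNED_IPS[i % SCANNED_IPS.length],
    vits: [],
  });
}

// Step 1: one Discovered Item per distinct scanner source ID. A repeated
// source ID updates the existing item instead of creating another one.
function buildDiscoveredItems(records) {
  const items = new Map();
  for (const rec of records) {
    const existing = items.get(rec.source_id);
    if (existing) {
      existing.seen += 1;
      existing.vits = rec.vits;
    } else {
      items.set(rec.source_id, { ...rec, seen: 1 });
    }
  }
  return items;
}

// Step 2: CI lookup rules, evaluated in order; the first rule that matches wins.
const LOOKUP_RULES = [
  { name: "hostname", match: (di, ci) => Boolean(di.host) && ci.name.toLowerCase() === di.host.toLowerCase().split(".")[0] },
  { name: "ip", match: (di, ci) => Boolean(di.ip) && ci.ip === di.ip },
];

// Step 3: follow child -> parent relationships to the top-level CI.
// The visited set guards against a relationship cycle in bad CMDB data.
function resolveParent(sysId, cmdb = CMDB) {
  const visited = new Set();
  let current = sysId;
  while (!visited.has(current)) {
    visited.add(current);
    const rel = cmdb.relations.find((r) => r.child === current);
    if (!rel) break;
    current = rel.parent;
  }
  return current;
}

function lookupCi(di, cmdb = CMDB) {
  for (const rule of LOOKUP_RULES) {
    const hit = cmdb.cis.find((ci) => rule.match(di, ci));
    if (hit) return { rule: rule.name, ci: resolveParent(hit.sys_id, cmdb) };
  }
  return { rule: null, ci: null };
}

// The check from the thread: for one CI, how many Discovered Items point at
// it, how many of those carry vulnerable items, and which rule matched them.
function reportForCi(records, ciId, cmdb = CMDB) {
  const report = { ci: ciId, discoveredItems: 0, withVits: 0, byRule: {}, unmatched: [] };
  for (const di of buildDiscoveredItems(records).values()) {
    const { rule, ci } = lookupCi(di, cmdb);
    if (ci === null) { report.unmatched.push(di.source_id); continue; }
    if (ci !== ciId) continue;
    report.discoveredItems += 1;
    if (di.vits.length > 0) report.withVits += 1;
    report.byRule[rule] = (report.byRule[rule] || 0) + 1;
  }
  return report;
}

console.log(JSON.stringify(reportForCi(SAMPLE_RECORDS, "ci-app01"), null, 2));
```

Run with `node`: the report shows 27 Discovered Items resolving to the one server CI, only the agent item carrying VITs, a split between the hostname and IP rules, and one unmatched source ID. That is the same three things worth checking on a real instance when one CI collects many Discovered Items: the distinct source IDs, which lookup rule matched each item, and whether an IP-based match walked through a related child CI to reach the parent.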
12-07-2023 09:41 AM
Yes, Joe. Your point is correct. I see separate Source ID for each of those SDI records having the same CI.
12-08-2023 02:02 AM
Hi @Joe Kline,
I have one question on this. Is it normal behavior to have multiple SDI records, or do we need to fix this?
Regards,
Maloy