Qualys CI Last Scanned or Never scanned

qcj3 · ‎11-07-2018

I have a requirement to generate a report for CIs that haven't been scanned or have a scan older than a specified date. The issue I have is that I'm trying to run the report from the Configuration Item table so that I can get all the CIs in my CMDB but I can't join vulnerable scan data.

Does anyone have a suggestion on how I can generate a report that shows all CIs and the date they were last scanned or NULL if it was never scanned by Qualys?

Alex Cox · ‎11-20-2018

Honestly this table is new to me! Thanks for sharing it - I found that in my Qualys environment that did indeed have useful fields: Configuration Item, Last Vulnerability Found and Scanner!

So I believe you would be able to combine the first segment of the technique above (a database view) with this table, and skip the business rule to generate last scanned data which is already there. 🙂

View solution in original post

Alex Cox · ‎11-07-2018

Hey there,

Given that the datasets are separated without a direct reference to dot-walk, I can think of two comprehensive approaches worth considering:

One way would be to create a database view (https://docs.servicenow.com/bundle/london-performance-analytics-and-reporting/page/use/reporting/concept/c_DatabaseViews.html) which is a little tricky to learn at first, but quite powerful. The slightly downside to this method would be that it will take the report a little while to run since the view is constructed at report time.

Another option would be to maintain a custom date field on the cmdb_ci table, such as "u_last_qualys_scan" and keep populate that updated with a business rule on the sn_vul_vulnerable_item that has this basic logic:

On update/insert when state is not closed/deferred/etc and last_found (or last updated by Qualys) is not blank:

Update current.cmdb_ci.u_last_qualys_scan (or the name of your field) with the value of current.last_found (or last updated by Qualys)

Consider using setWorkflow(false) to prevent business rules and workflows from firing when you find and update the current.cmdb_ci record.

Once this data is on the cmdb_ci table it would easier to directly run a report on that table. The downside of this would be that you wouldn't have the data available right away, but it would trickle in with each Qualys update.

Hope this helps!

Alex

qcj3 · ‎11-19-2018

Alex,

I think that your suggestion is what the team will adopt. Can you tell me what the purpose of the Ci Scan Table (sn_vul_ci_scan)? It looks like it has what I want.

Alex Cox · ‎11-20-2018

Honestly this table is new to me! Thanks for sharing it - I found that in my Qualys environment that did indeed have useful fields: Configuration Item, Last Vulnerability Found and Scanner!

So I believe you would be able to combine the first segment of the technique above (a database view) with this table, and skip the business rule to generate last scanned data which is already there. 🙂

joe_harvey · ‎08-17-2022

Update on table CI Scan [sn_vul_ci_scan]: it was phased out in VR v16.1

https://docs.servicenow.com/en-US/bundle/sandiego-security-management/page/product/vulnerability-response/reference/installed-with-vr.html

Alex's original ideas are still valid. Another possibility is Discovered Item which was added after this question was first asked.