Qualys is finding IP addresses and creating unmatched CIs in CMDB

cmcclendon
Mega Guru

We are currently using Qualys in our Vuln Response space. When Qualys scans the network, it finds thousands of devices that are just an IP address with no properties. As a result, thousands of CIs are being created in the CMDB of class Unmatched CI on a daily basis. The CI has no properties other than the name/IP address. My question is, "Is an IP address considered a CI?" Should we try to prevent the creation of the IP addresses in the CMDB?

Thanks. 

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

@cmcclendon 

The short answer is that each asset/host that Qualys knows about will be and needs to be represented in the CMDB. This is because a Vulnerable Item (VI) is a combination of a CI + a Vulnerability. A VI in SN cannot exist without a CI.

The long answer is that there are a lot of things going on here:

All of the Unmatched CIs with IP addresses are there because:

- Qualys cannot resolve those IP addresses to FQDNs

- Qualys is doing an unauthenticated scan

- Your CI Matching Rules need tuning

Note: IP addresses can be an attribute of the CI or of the NIC (CI) that is tied to the CI.

 

Resolution:

1. Create a scheduled job to delete Unmatched CIs that have no VI associated.

2. Create a scheduled job to delete Unmatched CIs after deleting stale VIs.

A stale VI is a VI that has not been seen by Qualys for X number of days.

 

Short Story:

The Unmatched CI represents a Vulnerability that needs to be addressed.

 

Long Story:

Unmatched CI needs to be managed based on your organization's requirements.

 

Go ahead and mark this as helpful or Correct!

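The two scheduled jobs in the accepted solution both come down to one selection rule: drop VIs that Qualys has not seen for X days, then drop any Unmatched CI that no surviving VI references. The following is an added example, not code from the post or from ServiceNow, that works that rule out as a plain function on constructed sample data; inside an instance the arrays would be filled from GlideRecord queries, and the table and field names in the comments (sn_vul_vulnerable_item, cmdb_ci, last_found) are assumptions to check against your own instance.

```javascript
// Selection logic for the two cleanup jobs, written without GlideRecord so it runs in Node.
// In ServiceNow, `cis` would come from a query on the Unmatched CI class and `vis` from the
// Vulnerable Item table (assumed: sn_vul_vulnerable_item, with cmdb_ci and last_found fields).
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data: Unmatched CIs named only by IP, and the VIs pointing at them.
const SAMPLE_CIS = [
  { sys_id: 'ci-1', name: '10.0.0.5' },
  { sys_id: 'ci-2', name: '10.0.0.6' },
  { sys_id: 'ci-3', name: '10.0.0.7' },
  { sys_id: 'ci-4', name: '10.0.0.8' },
  { sys_id: 'ci-5', name: '10.0.0.9' }, // no VI at all: job 1 removes it
];
const SAMPLE_VIS = [
  { sys_id: 'vi-1', cmdb_ci: 'ci-1', last_found: '2024-06-01' }, // recently seen
  { sys_id: 'vi-2', cmdb_ci: 'ci-2', last_found: '2024-01-15' }, // stale
  { sys_id: 'vi-3', cmdb_ci: 'ci-3', last_found: '2024-01-10' }, // stale
  { sys_id: 'vi-4', cmdb_ci: 'ci-3', last_found: '2024-06-10' }, // recent, so ci-3 stays
  { sys_id: 'vi-5', cmdb_ci: 'ci-4', last_found: null },         // no date: cannot prove it is stale
];

// Returns which VIs are stale (not seen for `staleDays`) and which CIs would be left with no VI
// once those are gone. Order matters: VIs are deleted first, because a VI cannot exist without
// its CI, so a CI is only orphaned after its last VI is removed.
function planCleanup(cis, vis, staleDays, today) {
  const cutoff = new Date(today).getTime() - staleDays * DAY_MS;
  // Job 2: a stale VI is one Qualys has not seen for X days. A VI with no last_found date is
  // kept, since its age cannot be shown (conservative choice, not from the post).
  const staleVIs = vis.filter(vi => vi.last_found && new Date(vi.last_found).getTime() < cutoff);
  const staleIds = new Set(staleVIs.map(vi => vi.sys_id));
  // Job 1: any CI still referenced by a surviving VI must stay.
  const referenced = new Set(vis.filter(vi => !staleIds.has(vi.sys_id)).map(vi => vi.cmdb_ci));
  const orphanedCIs = cis.filter(ci => !referenced.has(ci.sys_id));
  return { staleVIs, orphanedCIs };
}

// Dry run: print the plan before wiring the deletes into a scheduled job.
const plan = planCleanup(SAMPLE_CIS, SAMPLE_VIS, 90, '2024-06-15');
console.log('stale VIs:', plan.staleVIs.map(vi => vi.sys_id));
console.log('orphaned Unmatched CIs:', plan.orphanedCIs.map(ci => ci.name));
```

Running the plan as a report first shows how many CIs and VIs each choice of X would remove before anything is deleted.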

3 REPLIES

Chuck Tomasi
Tera Patron

Didn't I just answer this? Is this a duplicate post or am I imagining things today? 🙂

In my experience, IPs are NOT CIs. They are attributes of a CI. Think of it like the address on your house. Just having the address allows things to be delivered there, but it's not a CI in and of itself. You could have multiple IPs for the same CI as well (e.g. a server with redundant NICs).

If all you have is an IP address, how about launching a discovery against it (or that range) to find out what's out there?

Sorry Chuck. I posted it under two communities to ensure visibility. 🙂

-Chris
