Hello SecOps Friends,
I hope you're all doing well! I wanted to share something interesting I recently learned and would love to hear your thoughts on it.
In a project I was working on related to Vulnerability Response, I chatted with a ServiceNow employee about Lookup Rules. As many of you know, these rules generally work like this: we evaluate the first rule, and if we find a match, we stop there. If there’s no match, we move on to the next rule. If we still can’t find a match, and IRE can’t find one, we end up creating an unmatched configuration item (CI).
Here’s where it gets intriguing: the ServiceNow employee mentioned that if you have multiple scripted Lookup Rules using the same source value (like DNS), the process stops on the first rule no matter what. This means that even if a match is not found, higher-order rules won’t be evaluated, leading to an unmatched CI.
I found that quite surprising and a bit hard to believe.
I see a few possibilities here:
- I could be wrong, and this is indeed how everything works.
- Maybe I'm not wrong, but there’s a bug that ServiceNow employees are aware of, and they just haven’t shared that information.
- Or, the ServiceNow employee might have misunderstood the process.
I’d love to hear your opinions on this! What do you think?
