Quick Thoughts on Lookup Rules in ServiceNow

10-29-2024 06:14 AM
Hello SecOps Friends,
I hope you're all doing well! I wanted to share something interesting I recently learned and would love to hear your thoughts on it.
In a project I was working on related to Vulnerability Response, I chatted with a ServiceNow employee about Lookup Rules. As many of you know, these rules generally work like this: we evaluate the first rule, and if we find a match, we stop there. If there’s no match, we move on to the next rule. If we still can’t find a match, and IRE can’t find one, we end up creating an unmatched configuration item (CI).
Here’s where it gets intriguing: the ServiceNow employee mentioned that if you have multiple scripted Lookup Rules using the same source value (like DNS), the process stops on the first rule no matter what. This means that even if a match is not found, higher-order rules won’t be evaluated, leading to an unmatched CI.
I found that quite surprising and a bit hard to believe.
I see a few possibilities here:
- I could be wrong, and this is indeed how everything works.
- Maybe I'm not wrong, but there’s a bug that ServiceNow employees are aware of, and they just haven’t shared that information.
- Or, the ServiceNow employee might have misunderstood the process.
I’d love to hear your opinions on this! What do you think?
Labels: Vulnerability Response
10-29-2024 10:59 AM
Hello @Lukasz Bojara
It would be a good idea to ask the ServiceNow employee for a documentation reference, either docs or a related support article. They even create support articles with new issues and findings every now and then; if there's not already a reference, then they have to create one.
Please mark the answer as helpful and correct if it helped.
Kind Regards,
Ravi