There is a record with incomplete matching with CI in VIT generation by Vulnerability Response

ServiceNow Beg1 · ‎03-07-2022

Linking vulnerability data from third-party scanners (Qualys) to Snow instances
We are building a flow to generate VIT with Vulnerability Response for CI detected by Discovery (registered in CMDB).
It seems that there are records in the VIT that are incompletely matched with the CI.
(Record in which the description of the configuration item field is the IP address instead of the host name)

The IP address itself is the same as the target targeted by Discovery.
When you move to the details screen, it will be displayed as "Incomplete IP Identification Device".

What causes the above events?
And how do you get the host name to match correctly?

Steps to reproduce:
1. Collect the target host information in the Snow instance by Discovery (register as CI in CMDB)
2. Link vulnerability data from a third-party scanner (Qualys) to a Snow instance
3. When checking the VIT record, there is a mixture of matching CIs linked by host name and those linked by IP address.
*. CI matching by host name seems to behave correctly.
(CI matching by IP address is displayed as "incomplete IP identification device")

Chris McDevitt · ‎03-09-2022

"In the CMDB, what is the Name, FQDN, and IP of the CI you thought that this should have matched on?
　⇒I'm sorry about this, but it's not what I can tell you ..."

That was a rhetorical question used to make you examine the data closely.

"- If the incoming data becomes an "incomplete IP identification device" then the scanner ONLY sent you an IP Address, not much to work with.
　⇒ If this is the case, it will have a big impact, but I am also contacting HI Support regarding this matter."

HI support can not help you. The VR scanner needs to return an FQDN. You need to work with Qualys support on this. IP Address matching is not advised.

"- Make sure your IP address look-up rule is enabled in the CI Lookup rules.
- Is Lookup by Network Partition enabled?
　⇒ I enabled both settings on the instance for verification and tried Qualys data integration and reapplying CI lookup rules, but the results did not change ..."

You will need to understand CI Lookup rules in-depth and all the little nuisances. I would recommend working with a professional services team to get you through the beginning stages.

View solution in original post

Chris McDevitt · ‎03-08-2022

Hi,

1) We have made a bunch of videos and whitepapers on this... but they are hidden in plain sight. 🙂

2)

- In the CMDB, what is the Name, FQDN, and IP of the CI you thought that this should have matched on?

- In the Discovered Items module, find the exact record and look at the Source Data Field. Whatever is in the Source Data is whatever the CI Lookup Rules have to work with.

- If the incoming data becomes an "incomplete IP identification device" then the scanner ONLY sent you an IP Address, not much to work with.

- Make sure your IP address look-up rule is enabled in the CI Lookup rules.

- Is Lookup by Network Partition enabled?

https://docs.servicenow.com/bundle/sandiego-security-management/page/product/secops-integration-vr/qualys/task/qualys-updateCI-NPI.html

ServiceNow Beg1 · ‎03-08-2022

Thank you for providing information.

- In the CMDB, what is the Name, FQDN, and IP of the CI you thought that this should have matched on?
　⇒I'm sorry about this, but it's not what I can tell you ...

- If the incoming data becomes an "incomplete IP identification device" then the scanner ONLY sent you an IP Address, not much to work with.
　⇒ If this is the case, it will have a big impact, but I am also contacting HI Support regarding this matter.

- Make sure your IP address look-up rule is enabled in the CI Lookup rules.
- Is Lookup by Network Partition enabled?
　⇒ I enabled both settings on the instance for verification and tried Qualys data integration and reapplying CI lookup rules, but the results did not change ...

Chris McDevitt · ‎03-09-2022

"In the CMDB, what is the Name, FQDN, and IP of the CI you thought that this should have matched on?
　⇒I'm sorry about this, but it's not what I can tell you ..."

That was a rhetorical question used to make you examine the data closely.

"- If the incoming data becomes an "incomplete IP identification device" then the scanner ONLY sent you an IP Address, not much to work with.
　⇒ If this is the case, it will have a big impact, but I am also contacting HI Support regarding this matter."

HI support can not help you. The VR scanner needs to return an FQDN. You need to work with Qualys support on this. IP Address matching is not advised.

"- Make sure your IP address look-up rule is enabled in the CI Lookup rules.
- Is Lookup by Network Partition enabled?
　⇒ I enabled both settings on the instance for verification and tried Qualys data integration and reapplying CI lookup rules, but the results did not change ..."

You will need to understand CI Lookup rules in-depth and all the little nuisances. I would recommend working with a professional services team to get you through the beginning stages.

ServiceNow Beg1 · ‎03-09-2022

> The VR scanner needs to return an FQDN.

> IP Address matching is not advised.

Thank you for your advice.
When I checked the instance again, the host information that was matched only by the IP address was registered in the "cmdb_ci_incomplete_ip" table as an incomplete IP identification device.
After deleting the above IP address record, I re-linked the data from Qualys, and I was able to successfully CI match.