VR - How to manage "Unclassed Hardware" CIs

Zach N · ‎05-25-2022

In Vulnerability Response, how do you manage the Unclassed Hardware [cmdb_ci_unclassed_hardware] table?

In regards to VR integrations with third-party tools, ServiceNow automatically creates CIs on the Unclassed Hardware table when a CI is unmatched (this is part of the Discovered Items process). Vulnerable Items are created with this temporary CI until a proper CI is matched (when a reconcile job runs for example). However, after a CI has been matched, the temporary CI remains on the Unclassed Hardware table.

This is creating issues as some of our Event Management alerts are matching to these unclassed CIs. I'm curious what others have done to manage this table? Do you regularly clean or delete unclassed CIs? I've been unable to find any official documentation on this.

Right now we only have 20 Unmatched Discovered Items, but the Unclassed Hardware table has around 900 CIs.

EDIT (06/27/22):

I ended up implementing Chris's idea via a script include and scheduled job. I have the scheduled job set to run daily. Seems to be working pretty well for now. Thanks for the idea Chris!

Script Include:

 var VulMgr = Class.create();

 VulMgr.prototype = {

     initialize: function () {},

     retireUnclassed: function () {

         try {

             var unclassedItems = new GlideRecord('cmdb_ci_unclassed_hardware'),
                 count = 0;

             unclassedItems.addQuery('install_status', '1');
             unclassedItems.query();

             while (unclassedItems.next()) {

                 var discoveredItems = new GlideRecord('sn_sec_cmn_src_ci');

                 discoveredItems.addQuery('state', 'unmatched');
                 discoveredItems.addQuery('cmdb_ci', unclassedItems.getUniqueValue());
                 discoveredItems.query();

                 if (!discoveredItems.next()) {

                     unclassedItems.operational_status = '6';
                     unclassedItems.install_status = '7';
                     unclassedItems.update();
                     count++;

                 }

             }

             return count;

         } catch (err) {
             return -1;
         }

     },

     type: 'VulMgr'

 };

Scheduled Job:

// Create manager
//
var mgr = new sn_vul.VulMgr();

// Retire items
//
mgr.retireUnclassed();

Chris McDevitt · ‎05-26-2022

Here is what I would do,

Create a scheduled job that looks at all non "retired" Unclassed Hardware items to see if they are still in use. What I mean is, I would see if there is a reference to the Unclassed Hardware item in the Discovered Items module. If there is not a reference in the Discovered Items module to that CI, then set that CI Status to "Retired".

According to the docs: "By default, events do not bind to CIs with a specified status, such as Retired."

https://docs.servicenow.com/bundle/sandiego-it-operations-management/page/product/event-management/reference/r_EMHowAlertsBindCI.html

This is a conservative approach because, once something is deleted, there is no undo.

An even more conservative approach would be to set the Unclassed Hardware item to "absent" and modify evt_mgmt.ignore_retired_cis_in_binding property to also use "absent".

So in VR, just like Event Management, "retired" is ignored. By setting it to "absent" and updating Event Management we avoid potently creating duplicate Unclassed Hardware Items.

You will need to do a lot of testing to verify that one of these approaches will work in your environment.

View solution in original post

emir · ‎05-25-2022

Can you please check for me if the duplicate_of field is populated on any of these unclassed CI that have been matched later on? I will ask a few more folks on this topic

Zach N · ‎05-26-2022

Hey Emir, thanks for the response. Looking at the Duplicate of field for Unclassed Hardware, it is empty for all 900 records. I liked the direction you were headed but I don't think it is going to work unfortunately.

emir · ‎05-26-2022

I was hoping that the Health Jobs picked this up.

If you can please reach out to me via email (my name @ servicenow) I would like to have CMDB + Event + VR team to look at this ...

thanks!

Zach N · ‎06-27-2022

Hey Emir,

I appreciate your help, but I ended up going with Chris's idea.

Cheers!