Vulnerabilities are active in Qualys but there are no open VIT records in VR for those detections.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a week ago
Vulnerabilities are active in Qualys for below CI's but there are no open VIT records for those detections.
We have active vulnerabilities in Qualys for certain CIs, but there are no open VIT records for those detections. This issue started recently—previously, VIT records were created for these Qualys IDs. Could this be related to a recent upgrade? Were there any code changes introduced that might ignore these records?
If this is not due to the upgrade, is there any out-of-the-box (OOB) logic in ServiceNow VR that could prevent VIT record creation for certain Qualys detections?
- Labels:
-
Security Operations
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a week ago
Hi Yashwanth8, Are you doing any deletion of VI records (auto flushes/table cleaner) or archiving, without including detections in that clean up?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a week ago
Thank you for the suggestion. I’ve checked, and currently, we are not running any deletion or archiving jobs that specifically target VI records. There are no auto-flush or table cleaner configurations enabled for the sn_vul_vulnerability_item table, and archiving policies are not active for VR tables.
Could you confirm if missing detections after VI cleanup could prevent new VIT creation? Also, are there any recommended best practices to ensure detection and VI records remain in sync during cleanup or maintenance activities?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a week ago - last edited a week ago
Have you checked to see if there are Detections (sn_vul_detection) being created for these? I would check your Qualys Integration Instance parameters and make sure you have everything you need set up. Also verify your Qualys Host Detection vs Comprehensive Host Detection integrations.
There are also Exclusion Rules that could come into play as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a week ago
I have seen where removing VI records (through whatever means) and leaving their detections, leave the detection orphaned. When this happens and data comes in, finding these detections for the asset and vulnerability, they attempt to align to the VI and with an 'invalid VI' it won't appear to post, as you look for a VI. You can check this by going to your detections table (based on its size, you may need to go in with a filter condition. Do this by entering: sn_vul_detections.FILTER in the navigator window) and see if there are records where the VI doesn't display. You don't want to have a condition of VI is empty, because it will still hold the sys_id, having once been assigned. I would suggest conditioning the filter for vulnerable item.number is empty. These could be the records impacting your load.
