When linking vulnerability information to configuration items, are only lookup rules used?
05-13-2025 06:24 PM
When vulnerability information is integrated from third parties (such as Tenable), it is necessary to search for configuration items in order to link the vulnerability to a CI.
Is it correct to think that only lookup rules are used at this time?
Are IRE or identification rules not used?
If you know the answer, could you please let me know.
Reference:
https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/security-operations-c...

05-13-2025 07:35 PM
Hey there,
Check out Scenario 2, in this YouTube video (10:52):
It's a combination of both: 1) SecOps Lookup Rules (to attempt to match to a CI) and 2) IRE to do a secondary lookup, along with inserting a new CI if one is not found in either 1) or 2).
The Community Article for the video has some attachments included, with additional diagrams and tips/tricks:
05-23-2025 02:49 AM
Hi @andy_ojha ,
Thank you very much. That was a great answer. I understood it well.
By the way, if a Discovered Items record already has an Unclassed Hardware record associated with it, does it re-search the CMDB by Lookup Rule or IRE?
In other words, what happens if data for which a record exists in Discovered Items is received a second time from VR?
I am sorry, but could you please let me know. Thank you in advance.