When linking vulnerability information to configuration items, are only lookup rules used?

kuroiwa · ‎05-13-2025

Vulnerability information integrated from third parties (such as Tenable)
To link this vulnerability to CI, it is necessary to search for configuration items.

Is it correct to think that only lookup rules are used at this time?
Are IRE or identification rules not used?

If you know the answer, could you please let me know.

Reference:
https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/security-operations-c...

andy_ojha · ‎05-13-2025

Hey there,

Check out Scenario 2, in this YouTube video (10:52):

https://www.youtube.com/watch?v=-Y-P9hD0hUI

It's a combination of both, 1) SecOps Lookup Rules (to attempt to match to a CI) and 2) IRE to do a secondary lookup, along with inserting a new CI if one is not found if a CI is not found in either 1) or 2).

The Community Article for the video has some attachments included, with additional diagrams and tips/tricks:

https://www.servicenow.com/community/secops-articles/the-more-you-know-secops-and-cmdb-interactions-...

kuroiwa · ‎05-23-2025

Hi @andy_ojha ,

Thank you very much. That was a great answer. I understood it well.

By the way, if a Discovered Items already has an UnClassed Hardware record associated with it, does it re-search the CMDB by LookUp Rule or IRE?
In other words, what happens if data for which a record exists in Discovered Items is received a second time from VR?

I am sorry, but could you please let me know. Thank you in advance.