Auto-Close Configuration - Vulnerabilities matching against old servers
08-24-2023 08:25 AM
Hello All,
In the past I have tried to implement the Auto-Close for Vulnerability Management. In doing so, we ran into an issue where vulnerabilities on servers are not being reopened. We use Tenable for our integration. Here is the scenario.
Server A has a vulnerability
Server A gets retired
All "Discovered Items" get updated with the CI-Decommissioned state.
Server B is a replacement for Server A
Server B gets renamed with the Name of Server A, and the IP of Server A
Integration runs, and imports the new vulnerabilities.
Vulnerabilities match against the "Old" discovered items, never opening up new Vulnerabilities.
Is there a way to bypass this? If you need more information please let me know.
Thanks!
12-22-2023 11:09 AM
Is Tenable providing the same asset_id for both Servers A and B?
The discovered item has source_id as one of the unique keys. You may want to check the unique IDs coming from Tenable for both servers.
Ideally those should be different, and hence different discovered items should be created.
12-28-2023 10:22 AM
This is the case. I think they are using both an Agentless Scan and an Agent Scan. The Agentless scan returns a "Unique" id of servername, ip and repository. I don't know of any way to adjust that.
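As an added example, not part of the thread and not ServiceNow or Tenable code: a check over exported data for the collision described above, where an agentless scan's id built from server name, IP and repository lands on a CI-Decommissioned discovered item. The record fields, the `name|ip|repository` layout, the `Active` state and all sample values are assumptions constructed for illustration.

```python
# Constructed sample data. Field names and the "name|ip|repository" layout are
# assumptions for illustration, not the ServiceNow or Tenable schema.
DISCOVERED_ITEMS = [
    {"source_id": "server-a|10.0.0.5|repo-1", "state": "CI-Decommissioned"},
    {"source_id": "agent-1111", "state": "CI-Decommissioned"},
    {"source_id": "server-c|10.0.0.9|repo-1", "state": "Active"},
]
INCOMING = [
    {"scan": "agentless", "name": "Server-A", "ip": "10.0.0.5", "repository": "repo-1"},
    {"scan": "agent", "name": "Server-A", "ip": "10.0.0.5", "repository": "repo-1",
     "agent_id": "agent-2222"},
    {"scan": "agentless", "name": "server-c", "ip": "10.0.0.9", "repository": "repo-1"},
]


def derive_source_id(rec):
    """Agent scans carry their own id; agentless scans fall back to name, IP and repository."""
    if rec["scan"] == "agent":
        return rec["agent_id"]
    return "|".join([rec["name"].strip().lower(), rec["ip"], rec["repository"]])


def classify(items, incoming):
    """Label each incoming record by what its derived id would match."""
    state_by_id = {item["source_id"]: item["state"] for item in items}
    results = []
    for rec in incoming:
        sid = derive_source_id(rec)
        state = state_by_id.get(sid)
        if state is None:
            outcome = "new"            # no existing item: a fresh one would be created
        elif state == "CI-Decommissioned":
            outcome = "stale-match"    # reused identity lands on the retired item
        else:
            outcome = "match"
        results.append((rec["name"], rec["scan"], sid, outcome))
    return results


def reused_identities(items, incoming):
    """Source ids owned by a decommissioned item that scans are still reporting."""
    return sorted({sid for _, _, sid, outcome in classify(items, incoming)
                   if outcome == "stale-match"})


if __name__ == "__main__":
    for row in classify(DISCOVERED_ITEMS, INCOMING):
        print(*row, sep="\t")
    print("review:", reused_identities(DISCOVERED_ITEMS, INCOMING))
```

In the sample, the replacement server's agent record gets a new id while its agentless record collides with the retired item, which is the split the thread describes.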
12-29-2023 09:14 PM
By "vulnerabilities don't get reopened", do you mean vulnerable items or detections?
Server B is a replacement for Server A - Are their sys_ids the same in the CMDB?