Auto-Close Configuration - Vulnerabilities matching against old servers

Jason Stuart
Tera Expert

Hello All,

In the past I have tried to implement the Auto-Close for Vulnerability Management. In doing so, we ran into an issue where vulnerabilities on servers are not being reopened. We use Tenable for our integration. Here is the scenario.

Server A has a vulnerability

Server A gets retired

All "Discovered Items" get updated with the CI-Decommissioned state.


Server B is a replacement for Server A

Server B gets renamed with the Name of Server A, and the IP of Server A

Integration runs, and imports the new vulnerabilities.  

Vulnerabilities match against the "Old" discovered items, never opening up new Vulnerabilities.


Is there a way to bypass this?  If you need more information please let me know.

Thanks!


Nitesh Tolani
ServiceNow Employee

Is Tenable providing the same asset_id for both Servers A and B?
The discovered item has source_id as one of the unique keys. You may want to check the unique IDs coming from Tenable for both servers.

Ideally that should be different and hence different discovered items should be created.

This is the case. I think they are using both an Agentless Scan and an Agent Scan. The Agentless scan returns a "Unique" ID of servername, IP and repository. I don't know of any way to adjust that.

By "vulnerabilities don't get reopened", do you mean vulnerable items or detections?

Server B is a replacement for Server A - are their sys_ids the same in the CMDB?
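The scenario in the original post and the point raised in the replies about the agentless scan's unique ID (hostname, IP and repository) versus a per-agent identifier can be replayed in a small model. The following is an added illustration, not ServiceNow or Tenable code: it assumes, hypothetically, that a discovered item is looked up by a source key built from scanner fields, and that findings which land on a decommissioned discovered item open nothing, which is the behaviour the post reports. The hostnames, IPs, agent UUIDs and plugin IDs are constructed sample data.

```python
"""Toy model of discovered-item matching in a vulnerability-scanner integration.

Added illustration, not ServiceNow or Tenable code. Assumed (hypothetical)
behaviour: a discovered item is keyed by a source_id built from scanner fields,
and findings matched to a decommissioned item are dropped instead of opening
new vulnerable items.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical key definitions. The thread says the agentless scan keys on
# hostname, IP and repository; an agent scan would carry a per-agent UUID.
AGENTLESS_KEY = ("name", "ip", "repository")
AGENT_KEY = ("agent_uuid",)


@dataclass
class DiscoveredItem:
    source_id: str
    name: str
    ip: str
    agent_uuid: str | None = None
    decommissioned: bool = False
    open_findings: set[str] = field(default_factory=set)


def source_key(host: dict, key_fields: tuple[str, ...]) -> str:
    """Build the unique source_id the integration matches on."""
    return "|".join(str(host[f]) for f in key_fields)


def ingest(items: dict[str, DiscoveredItem], host: dict, key_fields) -> set[str]:
    """Match one scanned host to a discovered item; return findings newly opened.

    A match on a decommissioned item opens nothing: the findings stick to the
    retired record, which is the failure mode the original post describes.
    """
    key = source_key(host, key_fields)
    item = items.get(key)
    if item is None:
        item = DiscoveredItem(key, host["name"], host["ip"], host.get("agent_uuid"))
        items[key] = item
    if item.decommissioned:
        return set()
    new = set(host["plugins"]) - item.open_findings
    item.open_findings |= new
    return new


def stale_key_collisions(items, host, key_fields) -> list[str]:
    """Practitioner check: does this host's key land on a retired item whose
    agent identity differs? That is the "same source_id, different box" case
    worth verifying in the scanner export before enabling auto-close."""
    key = source_key(host, key_fields)
    item = items.get(key)
    if item and item.decommissioned and item.agent_uuid != host.get("agent_uuid"):
        return [key]
    return []


def run_scenario(key_fields):
    """Replay the thread's scenario; return (findings opened for Server B, collisions)."""
    items: dict[str, DiscoveredItem] = {}
    # Constructed sample scan records; plugin IDs are placeholders.
    server_a = {"name": "app01", "ip": "10.0.0.5", "repository": "prod",
                "agent_uuid": "aaaa-1111", "plugins": ["P-1"]}
    ingest(items, server_a, key_fields)
    # Server A is retired: every discovered item for it is marked decommissioned.
    for it in items.values():
        it.decommissioned = True
    # Server B takes over A's name and IP but is a different machine (new agent).
    server_b = {"name": "app01", "ip": "10.0.0.5", "repository": "prod",
                "agent_uuid": "bbbb-2222", "plugins": ["P-1", "P-2"]}
    collisions = stale_key_collisions(items, server_b, key_fields)
    opened = ingest(items, server_b, key_fields)
    return opened, collisions


if __name__ == "__main__":
    for label, key in (("agentless", AGENTLESS_KEY), ("agent", AGENT_KEY)):
        opened, collisions = run_scenario(key)
        print(f"{label:9s} key={key}: opened={sorted(opened)} collisions={collisions}")
```

With the agentless key, Server B's scan resolves to Server A's decommissioned discovered item and nothing is opened; with the agent key, a fresh discovered item is created and both findings open. The `stale_key_collisions` check is the kind of comparison the reply recommends: inspect the unique IDs the scanner exports for both servers before relying on auto-close.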