Auto-Close Configuration - Vulnerabilities matching against old servers

Jason Stuart · ‎08-24-2023

Hello All,

In the past I have tried to implement the Auto-Close for Vulnerability Management. In doing so, we ran into an issue where vulnerabilities on servers are not being reopened. We use Tenable for our integration. Here is the scenario.

Server A has a vulnerability

Server A gets retired

All "Discovered Items" get updated with the CI-Decommissioned state.

Server B is a replacement for Server A

Server B gets renamed with the Name of Server A, and the IP of Server A

Integration runs, and imports the new vulnerabilities.

Vulnerabilities match against the "Old" discovered items, never opening up new Vulnerabilities.

Is there a way to bypass this? If you need more information please let me know.

Thanks!

Nitesh Tolani · ‎12-22-2023

Is the Tenable providing the same asset_id for both Servers A and B?
The discovered item has source_id as one of the unique keys. You may want to check the unique Ids coming from Tenable for both servers.

Ideally that should be different and hence different discovered items should be created.

Jason Stuart · ‎12-28-2023

This is the case. I think they are using both an Agentless Scan and a Agent Scan. The Agentless scan returns a "Unique" id of servername,ip and repository. I dont know of anyway to adjust that.

Nitesh Tolani · ‎12-29-2023

By vulnerabilities don't get reopened, do you mean vulnerable items or detections?

Server B is a replacement for Server A - Are their sys_ids same in the CMDB?