Does the Discovered Items Classification rule run every time the asset is updated?

sath
Tera Expert

Hi,

We have created a Classification rule on Discovered Items that sets the classification type to External if the resource tag of the discovered item (asset) contains 'External'. Does this rule run only once or each time an asset is updated? Also, if an asset gets classified as external but then we remove the resource tag 'External', does there need to be a rule to change it back to Internal?


1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there ...


One thing to watch for when using Resource Tag -> that is a special type of field in ServiceNow, referred to as a GlideList field -> it stores a list of SYS_IDs .. and not the actual names of the Tags from the Scanners.  

The reason this is important to note is that if we leverage the DI.Resource Tags in any of our logic / core configs - like Classification Rules, Assignment Rules, Reports - we need to make sure that the SYS_IDs persist between all of our ServiceNow Instances... If you don't, the Resource Tag of "External" will have a different SYS_ID in each ServiceNow Instance - and the logic / core config won't work as you expect. A way to handle this is to XML export out of the table 'sn_sec_cmn_host_tag' from the instance you are building on - and promote that forward to the rest of our instance(s) and up to PROD.

Baseline - the Classification type for the Discovered Item -> is simply set once and never changes.

I suspect you are asking though, what happens to a DI that does not have the Resource Tag containing External? In that case, you can make a fallback Classification Rule -> and infer that it is "Internal" if it does not have the External Tag (use the Execution Order)

5 REPLIES 5

andy_ojha
ServiceNow Employee

Hey there - this is a great observation.

 

Baseline, there are two flavors of Classification Rules i) Discovered Items and ii) Vulnerability Entries.


In order for the Classification Rules to be triggered on each respective table - there is a Business Rule (on each Table), named "Run Classification Rules".

i) Discovered Items - Business rule, runs only on insert
ii) Vulnerability Entries - Business rule, runs on insert and for select updates

If you have appetite to align the Discovered Items Classification Rules (to account for changes), you could similarly update the business rule (Name = Run Classification Rules, Table = sn_sec_cmn_src_ci | Discovered Items) and model the condition to be similar to the one that runs on Vulnerability Entry (and toggle, the update flag).

 

Keep in mind - that even if the Classification Changes on the Discovered Item, it won't necessarily trigger other core configurations that have their own conditions for when they run (e.g. Scoring Calculator, Assignment, etc.)

 


Thank you @andy_ojha. This is really helpful.

Also, does the classification type change on discovered items if the resource tag does not contain external (currently if the resource tag contains external, we classify the discovered item as an external asset) with OOB configuration?

 

We have noticed that the classification rule is not getting changed even if the resource tag changes. I see two solutions for this:

1. Modify the business rule 'Run Classification Rules' to trigger it for the update scenario as well

2. Reapply classification rules

Would like to know if you have any other suggestions?

andy_ojha
ServiceNow Employee

Hey there - yes, this is what was reviewed above.

 

Keep in mind, going with either option - it will result in updating the Classification values for the Discovered Item - and you can use that in queries, reports, etc. But - it won't trigger any logic like Scoring Calculators, Assignment Rules to be run again.
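
The two behaviours discussed in this thread (Resource Tags holding sys_ids rather than tag names, and classification running only on insert), modelled as an added example that is not part of the original posts and is not ServiceNow code. It is plain JavaScript with objects standing in for tables; every sys_id is a constructed sample value, and evaluating the lower execution order first is an assumption.

```javascript
// Added model in plain JavaScript; not ServiceNow code. All sys_ids are constructed.
const DEV_TAGS  = { aaa111: 'External', bbb222: 'DMZ' };  // sn_sec_cmn_host_tag on DEV
const PROD_TAGS = { ccc333: 'External', bbb222: 'DMZ' };  // "External" recreated on PROD

// Rules as built on DEV. The condition stores a tag sys_id, never the tag name.
// Assumption: the lower execution order is evaluated first.
const RULES = [
  { order: 100, type: 'External', tagId: 'aaa111' },
  { order: 200, type: 'Internal', tagId: null },          // fallback, matches anything
];

function classify(resourceTags, rules) {
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  const hit = ordered.find(r => r.tagId === null || resourceTags.includes(r.tagId));
  return hit ? hit.type : null;
}

// Tag sys_ids referenced by rules that do not exist in the target instance.
function unresolvedTagIds(rules, instanceTags) {
  return rules.map(r => r.tagId).filter(id => id !== null && !(id in instanceTags));
}

// Stand-in for the Discovered Items table plus its "Run Classification Rules"
// business rule: insert always classifies, update only when runOnUpdate is set.
function makeDiscoveredItems(rules, runOnUpdate) {
  const rows = new Map();
  return {
    insert(id, tags) {
      rows.set(id, { tags, classification: classify(tags, rules) });
      return rows.get(id).classification;
    },
    update(id, tags) {
      const row = rows.get(id);
      row.tags = tags;
      if (runOnUpdate) row.classification = classify(tags, rules);
      return row.classification;
    },
  };
}

function demo() {
  const baseline = makeDiscoveredItems(RULES, false);     // insert-only trigger
  const aligned = makeDiscoveredItems(RULES, true);       // trigger extended to updates
  return {
    inserted: baseline.insert('di1', ['aaa111']),
    staleAfterUntag: baseline.update('di1', []),          // tag removed, value unchanged
    alignedAfterUntag: (aligned.insert('di1', ['aaa111']), aligned.update('di1', [])),
    prodMisclassified: classify(['ccc333'], RULES),       // PROD item tagged "External"
    unresolved: { dev: unresolvedTagIds(RULES, DEV_TAGS), prod: unresolvedTagIds(RULES, PROD_TAGS) },
  };
}
console.log(demo());
```

Comparing the tag sys_ids referenced by the rules against the tag table of each target instance, as `unresolvedTagIds` does, exposes the mismatch before a promoted rule quietly sends every item to the fallback.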