duplicate unmatched CI creation from qualys on CMDB for Vulnerability response

IceIronDragon
Tera Guru

‎11-09-2022 06:55 AM

Hello All,

 

We have VR in place.

We see that there are duplicate of the CI being created as unmatched CI.

Why is this happening and how could we prevent it ?

 

IceIronDragon_0-1668005679812.png

 

0 Helpfuls
  • 988 Views
8 REPLIES 8

john_gibbons
ServiceNow Employee
ServiceNow Employee

‎11-09-2022 12:54 PM

You need to check your CI Lookup rules. Are you using IRE?

Some additional links that may help.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0998706

https://www.servicenow.com/community/for-new-customers-vr-articles/ci-matching-how-to-do-it-right/ta...

0 Helpfuls

IceIronDragon
Tera Guru
In response to john_gibbons

‎11-09-2022 05:41 PM

We are using custom CI lookup rules, not sure if the problem is look up rules or is it how Qualys scans the CI as the ip address associated is different on the duplicate CI. 

The original CI is of class computer, could it be that the PC has different ip address on the nic card and that is why it is representing the NIC card as unmatched Ci as the nic card info is not on cmdb.

0 Helpfuls

john_gibbons
ServiceNow Employee
ServiceNow Employee
In response to IceIronDragon

‎11-10-2022 02:17 PM

Is the Source ID value on the Discovered Items the same or all different?  DHCP can cause matching issues because of the IP changes. Consider using Asset Tracking and Data Merging process in Qualys or Merging Unauthenticated and Agent Scan Results.

john_gibbons
ServiceNow Employee
ServiceNow Employee
In response to john_gibbons

‎11-10-2022 02:18 PM

is the Source ID for the endpoint listed in the screen clip all the same in discovered items

0 Helpfuls