Vulnerability Item Creation based on Unmatched CI

10-25-2023 03:05 PM
Hi everyone.
I need a layman's term understanding. I have watched videos, but it is not very clear.
From Qualys,
The system will search using the QID in the Discovered Item table. If no record is found, it will invoke the CI lookup rule, and if it also doesn't find the CI in the CMDB based on the CI lookup rule, my understanding is that it will create a record in the CMDB table as Unclassified Hardware and also create a record in the Discovered Item table with the state as Unmatched.
Questions:
1. My understanding is that only when the discovered item state is Matched should or can a VIT be created.
2. At what point does the VIT get created after these two records are created (Unmatched Discovered Item record and Unclassified Hardware CMDB record) due to not finding the CI?
3. From the Discovered Item table, which field contains the QID? Is it the source data, and if I were to search, will I be searching based on keywords on the table?
I will have more questions based on the response I receive.
Thank you in advance.
12-13-2023 06:15 PM
Scenario 1:
(A)
CI data (A100) is accurate in the CMDB and a VULNERABILITY has just been detected for the first time on the CI.
Question: Does this mean that, based on this scenario, there will be no record in the Discovered Item table, Detection table, or VIT?
If the above is correct, please let me know, or feel free to modify this for me.
(B)
Qualys sends the CI and vulnerability to ServiceNow in order to create a VIT.
The first thing is that it checks the Discovered Item table using the host ID.
No record is found (because the vulnerability has never been detected on the CI).
If the above is correct, please let me know, or feel free to modify this for me.
(C)
The CI lookup rule will kick in and try to find it in the CMDB.
If found, it will create a new DISCOVERED ITEM record as Matched and then create the VIT.
If the above is correct, please let me know, or feel free to modify this for me.
(D)
My questions are:
At what point does it check the Detection table (is it after checking the Discovered Item table or after creating the VIT)?
At what point does it create a new detection record for the VIT?
At what point does it update an existing detection record (does this happen if the detection record is still open and the scanner finds the same vulnerability for the same CI, and it will just update the last found)?
Is the below true:
If a vulnerability is found on 5 CIs, it will create 5 Discovered Items with the same vulnerability and 5 VITs eventually.
If the above is correct, please let me know, or feel free to modify this for me.
Scenario 2:
CI data (B500) does not exist in ServiceNow and a vulnerability has just been detected for the first time on the CI.
It will first check the Discovered Item table, using the host ID against the source ID,
and it will not find the record with the CI.
Then it will invoke the CI LOOKUP rule. It will still not find the CI in the CMDB and eventually it will create either an Unclassified CI or an Incomplete IP Address CI, based on the attributes that it used to search in the CMDB table.
Then it will create the discovered item as Unmatched and then create the VIT.
If the above is correct, please let me know, or feel free to modify this for me.
Questions:
In this scenario, does it create a new detection for the CI/VIT?
If yes, when is the detection recorded?
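As an added example that is not part of these posts or of ServiceNow's own code, the following JavaScript models the matching order the two posts describe (Discovered Item lookup by host ID, then CI lookup rules, then a placeholder CI with an Unmatched item, then the VIT), including the five-CI case from Scenario 1; the table shapes, rule order, field names and the per-CI-and-QID VIT key are assumptions.

```javascript
// Added example (not ServiceNow code): an in-memory model of the matching flow
// described in the posts. Table shapes, rule order and field names are assumptions.
const cmdb = [{ sys_id: 'ci-A100', name: 'A100', ip: '10.0.0.5', sys_class: 'Server' }];
const discoveredItems = [];   // Discovered Item table
const vulnerableItems = [];   // Vulnerable Item (VIT) table

// CI lookup rules, tried in order: hostname first, then IP address (assumed order).
const ciLookupRules = [{ ciField: 'name', scanField: 'hostname' }, { ciField: 'ip', scanField: 'ip' }];

function lookupCi(detection) {
  for (const rule of ciLookupRules) {
    const hit = cmdb.find(ci => ci[rule.ciField] && ci[rule.ciField] === detection[rule.scanField]);
    if (hit) return hit;
  }
  return null;   // no rule matched
}

// Placeholder CI when no rule matched: a hostname gives Unclassified Hardware,
// an IP-only result gives an Incomplete IP Address CI (as the posts describe).
function createPlaceholderCi(detection) {
  const ci = detection.hostname
    ? { sys_id: 'ci-' + detection.hostname, name: detection.hostname, ip: detection.ip, sys_class: 'Unclassified Hardware' }
    : { sys_id: 'ci-ip-' + detection.ip, ip: detection.ip, sys_class: 'Incomplete IP Address' };
  cmdb.push(ci);
  return ci;
}

// One Qualys detection: { host_id, hostname, ip, qid }. Detection records are not
// modelled because the posts ask about them rather than describe them.
function processDetection(detection) {
  // Step 1: look the Qualys host ID up in the Discovered Item table (source ID).
  let item = discoveredItems.find(d => d.source_id === detection.host_id);
  if (!item) {
    // Step 2: CI lookup rules; Step 3: placeholder CI and an Unmatched item otherwise.
    let ci = lookupCi(detection);
    const state = ci ? 'Matched' : 'Unmatched';
    if (!ci) ci = createPlaceholderCi(detection);
    item = { source_id: detection.host_id, ci: ci.sys_id, state };
    discoveredItems.push(item);
  }
  // Step 4: one VIT per CI and QID (assumed key); a repeat detection adds no VIT.
  let vit = vulnerableItems.find(v => v.ci === item.ci && v.qid === detection.qid);
  const created = !vit;
  if (created) {
    vit = { ci: item.ci, qid: detection.qid, state: 'Open' };
    vulnerableItems.push(vit);
  }
  return { item, vit, created };
}
```

Running a detection for A100 (present in the CMDB) yields a Matched item and one VIT, a detection for B500 (absent) yields an Unclassified Hardware CI and an Unmatched item, and the same QID on five hosts yields five Discovered Items and five VITs.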