
03-28-2023 10:52 AM - edited 03-28-2023 11:07 AM
Hello Community,
I am a bit confused about the CI un-matching process in the Vulnerability Response application. I already went through all the attached articles and the ServiceNow community but could not figure out everything associated with the un-matching process of the Vulnerability Response application.
Could you please help me by answering the below queries in detail?
1. What is the logic that differentiates unmatched CIs [sn_sec_cmn_unmatched_ci] from unclassed CIs [cmdb_ci_unclassed_hardware]?
2. How does IRE decide which CI should be in the unmatched [sn_sec_cmn_unmatched_ci] table and which one should be in the unclassed [cmdb_ci_unclassed_hardware] table?
3. What does it mean by 'Created by VR' & 'Created by IRE' choices in 'Matching type for the DI' field of Discovered Item table?
4. Is it good practice to abort insertion of new CIs through VR process? If we block them, do they get created in unclassed hardware table or unmatched table?
Please do share if there is any detailed flow chart that explains all the steps. I already went through the attached flow, but I feel it's a bit incomplete. I don't see any step associated with the Unmatched CIs [sn_sec_cmn_unmatched_ci] table in the attached flow.
It would be of great help if you could share your inputs here. Thanks!
@Eric Feron @rahimulah @sivamallu @Chris McDevitt @Jan Spurlin @Madhumitha Redd @Elizabeth Skogq @John Gibbons @Anthony Ramos @andy_ojha

03-29-2023 06:25 PM
Hey there,
Would suggest reviewing the content we posted here:
The video and illustrations presented will help with some of the questions you posed...
-------------------------------------------------------------------
1. What is the logic that differentiates unmatched CIs [sn_sec_cmn_unmatched_ci] from unclassed CIs [cmdb_ci_unclassed_hardware]?
--> See 5:31
--> See 10:52
- The illustration walks through the order of the target CMDB CI Class when we create a CI (when there is no match)
- The Unmatched CI Class is used when IRE has an Error (in the current model)
- Unclassed HW is used when we have a minimum set of attributes from the incoming host (IP + something else)
2. How does IRE decide which CI should be in the unmatched [sn_sec_cmn_unmatched_ci] table and which one should be in the unclassed [cmdb_ci_unclassed_hardware] table?
--> See 5:31
--> See 10:52
- The illustration walks through the order of the target CMDB CI Class when we create a CI (when there is no match)
- The Unmatched CI Class is used when IRE has an Error (in the current model)
- Unclassed HW is used when we have a minimum set of attributes from the incoming host (IP + something else)
3. What does it mean by 'Created by VR' & 'Created by IRE' choices in 'Matching type for the DI' field of Discovered Item table?
--> Those are only a portion of the options
-> What this represents is either
A) If we matched to a CI in the CMDB, how did we match - with the SecOps CI Lookup Rules or the CMDB IRE Identifier Rules
B) If we created a CI in the CMDB - due to not having a match - how was it created, via the CMDB IRE or falling back to VR (e.g. IRE had an error, etc)
--> The Concept is Scenario 3 at 13:09
4. Is it good practice to abort insertion of new CIs through VR process? If we block them, do they get created in unclassed hardware table or unmatched table?
-- Sorry, not sure what the end goal here is for blocking or aborting
- If we bring in a host from a 3rd party scanner, we need to either match to an existing CMDB CI or create a new CI to track with if one does not exist (we could not successfully look up a CI)

03-30-2023 10:24 AM
Thanks @andy_ojha for the quick and detailed response. Your response and the video have cleared most of my doubts. I will get back to you if I have any further doubts on this topic.

04-05-2023 02:43 AM
Hi @andy_ojha,
I went through the video that you shared, and I have one more query related to VR updating existing CI attributes. Please refer to the attached snapshot from the video.
Could you please let me know the scenarios during which the VR System updates attributes of an existing CI?
Thanks,
Abhinandan
05-12-2023 09:37 AM
Even I am curious to know the answer to this one. @andy_ojha, do you have any answer to this? Under what scenario will VR update the existing CIs in the CMDB?
Thanks,
Saumya