What differentiates Unmatched CIs from Unclassed CIs?

Go to solution
Abhinandan Pati
Giga Guru

‎03-28-2023 10:52 AM - edited ‎03-28-2023 11:07 AM

Hello Community,

 

I am bit confused about the CI un-matching process in Vulnerability Response application. I already went through all the attached articles & ServiceNow community but could not figure out everything associated un-matching process of Vulnerability response application.

Could you please help me in answering below queries in detail?

1. What is the logic that differentiates unmatched CIs [sn_sec_cmn_unmatched_ci] from unclassed CIs [cmdb_ci_unclassed_hardware] ?
2. How IRE decides which CI should be in unmatched [sn_sec_cmn_unmatched_ci] table and which one should be in unclassed [cmdb_ci_unclassed_hardware] table?
3. What does it mean by 'Created by VR' & 'Created by IRE' choices in 'Matching type for the DI' field of Discovered Item table?
4. Is it good practice to abort insertion of new CIs through VR process? If we block them, do they get created in unclassed hardware table or unmatched table?

 

Please do share if there is any detailed flow chart that explains all the steps. I already went through attached flow, but I feel its bit incomplete. I don't see any step associated with Unmatched CIs [sn_sec_cmn_unmatched_ci] table in the attached flow.

 

It would be of great help if you could share your inputs here. Thanks!

@Eric Feron @rahimulah @sivamallu @Chris McDevitt  @Jan Spurlin @Madhumitha Redd @Elizabeth Skogq @John Gibbons @Anthony Ramos  @andy_ojha 

Preview file
4558 KB
Preview file
138 KB
Preview file
635 KB
Preview file
228 KB
Preview file
91 KB
Preview file
87 KB
Preview file
66 KB
  • 3,955 Views
1 ACCEPTED SOLUTION

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee

‎03-29-2023 06:25 PM

Hey there,

Would suggest reviewing the content we posted here:

The video and illustrations presented will help with some of the questions you posed...

-------------------------------------------------------------------

1. What is the logic that differentiates unmatched CIs [sn_sec_cmn_unmatched_ci] from unclassed CIs [cmdb_ci_unclassed_hardware] ?

  --> See 5:31
  --> See 10:52
     - The illustration walks through the order of the target CMDB CI Class, when we create a CI (when there is no match)
    - Unmatched CI Class, is used when IRE has an Error (in the current model)
    - Unclassed HW is used when we have a minimum set of attributes from the incoming host (IP + something else)

2. How IRE decides which CI should be in unmatched [sn_sec_cmn_unmatched_ci] table and which one should be in unclassed [cmdb_ci_unclassed_hardware] table?
  --> See 5:31
  --> See 10:52
     - The illustration walks through the order of the target CMDB CI Class, when we create a CI (when there is no match)
    - Unmatched CI Class, is used when IRE has an Error (in the current model)
    - Unclassed HW is used when we have a minimum set of attributes from the incoming host (IP + something else)

3. What does it mean by 'Created by VR' & 'Created by IRE' choices in 'Matching type for the DI' field of Discovered Item table?
  --> Those are only a portion of the options 
     -> What this represents is either 
       A) If we matched to a CI in the CMDB, how did we match - with the SecOps CI Lookup Rules or the CMDB IRE Identifier Rules 
      B) If we created a CI in the CMDB - due to not having a match - how was it created, via the CMDB IRE or falling back to VR (e.g. IRE had an error, etc)
--> The Concept is Scenario 3 at 13:09

4. Is it good practice to abort insertion of new CIs through VR process? If we block them, do they get created in unclassed hardware table or unmatched table?
 -- Sorry, not sure what the end goal here is for blocking or aborting
    - If we bring in a host from a 3rd party scanner, we need to either match to an existing CMDB CI or create a new CI to track with if one does not exist (we could not successfully lookup a CI)

View solution in original post

0 Helpfuls
6 REPLIES 6

Go to solution
andy_ojha
ServiceNow Employee
ServiceNow Employee

‎03-29-2023 06:25 PM

Hey there,

Would suggest reviewing the content we posted here:

The video and illustrations presented will help with some of the questions you posed...

-------------------------------------------------------------------

1. What is the logic that differentiates unmatched CIs [sn_sec_cmn_unmatched_ci] from unclassed CIs [cmdb_ci_unclassed_hardware] ?

  --> See 5:31
  --> See 10:52
     - The illustration walks through the order of the target CMDB CI Class, when we create a CI (when there is no match)
    - Unmatched CI Class, is used when IRE has an Error (in the current model)
    - Unclassed HW is used when we have a minimum set of attributes from the incoming host (IP + something else)

2. How IRE decides which CI should be in unmatched [sn_sec_cmn_unmatched_ci] table and which one should be in unclassed [cmdb_ci_unclassed_hardware] table?
  --> See 5:31
  --> See 10:52
     - The illustration walks through the order of the target CMDB CI Class, when we create a CI (when there is no match)
    - Unmatched CI Class, is used when IRE has an Error (in the current model)
    - Unclassed HW is used when we have a minimum set of attributes from the incoming host (IP + something else)

3. What does it mean by 'Created by VR' & 'Created by IRE' choices in 'Matching type for the DI' field of Discovered Item table?
  --> Those are only a portion of the options 
     -> What this represents is either 
       A) If we matched to a CI in the CMDB, how did we match - with the SecOps CI Lookup Rules or the CMDB IRE Identifier Rules 
      B) If we created a CI in the CMDB - due to not having a match - how was it created, via the CMDB IRE or falling back to VR (e.g. IRE had an error, etc)
--> The Concept is Scenario 3 at 13:09

4. Is it good practice to abort insertion of new CIs through VR process? If we block them, do they get created in unclassed hardware table or unmatched table?
 -- Sorry, not sure what the end goal here is for blocking or aborting
    - If we bring in a host from a 3rd party scanner, we need to either match to an existing CMDB CI or create a new CI to track with if one does not exist (we could not successfully lookup a CI)

0 Helpfuls

Go to solution
Abhinandan Pati
Giga Guru
In response to andy_ojha

‎03-30-2023 10:24 AM

Thanks @__andy-b2poYQ_ for the quick and detailed response. Your response and the video have cleared most of my doubts. I will get back to you if I have any further doubts on this topic.

0 Helpfuls

Go to solution
Abhinandan Pati
Giga Guru
In response to andy_ojha

‎04-05-2023 02:43 AM

Hi @andy_ojha ,

 

I went through the video that you shared, and I have one more query related to VR updating existing CI attributes. Please refer attached snapshot from the video.Capture.JPG

 

Could you please let me know the scenarios during which VR System updates attributes of existing CI.

 

Thanks,

Abhinandan

0 Helpfuls

Go to solution
Saumya1594
Tera Contributor
In response to Abhinandan Pati

‎05-12-2023 09:37 AM

Even I am curious to know the answer of this one ?? @andy_ojha  Do you have any answer to this ? Under what scenario the VR will update the existing CIs in CMDB ??

Thanks,
Saumya

 

0 Helpfuls