Configuring lookup rules

릴리스 버전: Australia

업데이트 날짜 2026년 03월 12일

소요 시간: 13분

By configuring lookup rules, you can map security exposure data to the correct configuration items (CIs) in the CMDB. This mapping is a critical function because associating exposure findings with the right assets is essential for proper risk assessment, assignment, and remediation workflows.

Create lookup rule

Create lookup rules to automatically and accurately associate incoming exposure findings data with the correct configuration items (CIs) in the Configuration Management Database (CMDB) This is essential for enabling the rest of the vulnerability management process to function correctly.

시작하기 전에

Role required: sn_vul.vulnerability_admin

이 태스크 정보

Creating lookup rules requires advanced ServiceNow and Unified Security Exposure Management (USEM) expertise. Rather than modifying one of the existing lookup rules, consider copying it and modifying the copy. When you are satisfied that the new rule does what you want, deactivate the original.

주:

Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

프로시저

Navigate to Workspaces > Security Exposure Management Workspace.
Select Administration in the navigation pane.
Select Review on the Look-up rules tile.
On the Rules page, select Look-up in the navigation pane.
Select New.

On the form, fill in the fields.

표 1. Look-up rule form
Field	Description
Details
Name	Name of the rule.
Lookup method	Method used for matching. Choices are: Script: Pre-built (IP address, DNS name, and so on) or custom script. Field matching: Search on table or field in the CMDB.
Type	Type used with the Script Lookup method.
Order	Order of precedence for the rule. Rules with the lowest order are evaluated first.
Active	Check box for whether the rule is active or disabled.
Source	Source used as input to this rule.
Source field	Source field used as input to this rule. Select any field, but it is treated as a string value.
Description	Description of the new look-up rule.
Lookup target	Lookup approach you want to follow. Select from: Configuration item Product model
If condition is met
Condition	Condition based on which the lookup rule is applied. This condition depends on the attribute from the third-party scanner. 주: The asset attribute is a part of the payload. It is received from the third-party scanner. See the Discovered Items table for payload examples.
Then set this value
Lookup method	Method used for matching. Choices are: Script: Pre-built (IP address, DNS name, and so on) or custom script. Field matching: Search on table or field in the CMDB.
Search on CI table	Table to search within the CMDB. Used with field matching Lookup Method.
Search on product table	If you choose the Product model Lookup target, the default value is Application Model.
Search on CI field	Field that contains information that can be used to locate a CI. Used with the field matching Lookup method. This field may be on the CI record, or on a related record, such as a network adapter.
Search on product model field	If you choose the Product model Lookup target, the default value is Name.
Type	Type used with the Script Lookup method.
Script	Editable sample script, based on the Type, is shown. Implement the custom script following the comments included in the template of the default function. 주: The process function has three parameters: rule, sourceValue, and sourcePayload

Select Save.

For more implementation information for lookup rules see, Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules.

그림 1. Example of a CI lookup rule using a condition builder for V12.0

그림 2. Example of a CI lookup rule using a script prior to V12.0

Ignore CI classes

To ignore some configuration item (CI) classes, for example Load Balancer [cmdb_ci_lb], when running lookup rules, set the ignoreCIClass [sn_sec_cmn.ignoreCIClass] system property.

시작하기 전에

Role required: admin

주:

The ignoreCIClass system property is available starting with Vulnerability Response v9.0. However, the property functionality is not available upon upgrade from any previous version.

If you have upgraded from any Security Operations application, prior to version 9.0, see KB0788209 for instructions on how to enable this functionality.

프로시저

Enter sys_properties.list in the left navigation bar.
Click Enter.
In the Search menu, under Name enter sn_sec_cmn.ignoreCIClass.
In the Value text box, enter the CI classes to exclude in a comma-separated list.
Click Update.
This list is used by CI Lookup Rules during the next import. Vulnerable items created during import are not associated to a CI of any type listed in the Value field of the sn_sec_cmn.ignoreCIClass system property.

Reapply lookup rules

Reapply lookup rules to ensure updated or existing rules are applied to relevant items. This helps maintain accurate data mapping and consistency after rule changes or additions.

시작하기 전에

Role required: sn_vul.vulnerability_admin, sn_vul_cmn.usem_admin, sn_vul.app_sec_manager, sn_vul_container.admin, sn_vulc.admin

이 태스크 정보

Reapplying lookup rules is useful when:

Look-up rules are updated or newly created.
Findings were previously unassigned or incorrectly assigned.
You must reassign ownership based on updated business logic or CI ownership changes.

프로시저

Navigate to Workspaces > Security Exposure Management Workspace.
Select Administration in the navigation pane.
Select Review on the Look-up rules tile.
On the Rules page, select Look-up rules in the navigation.
Select Reapply.

주:
All the rules are reapplied regardless of any filters.

Reapply lookup rules on selected discovered items

Reapply the lookup rules on selected discovered items from the discovered item list view select actions. If the configuration item (CI) changes after you reapply the rules, the discovered items are updated with the new CI and impacted detections. Vulnerable items are also updated.

시작하기 전에

Roles required: admin

이 태스크 정보

For more information, see CI changes for discovered items.

For more information on the concepts of CI matching and the CMDB, discovered item lookup, rule-based identification, see the CI matching in Vulnerability Response [KB0998706] article in the HI Knowledge Base.

프로시저

Navigate to All > Security operations > CMDB > Discovered Items.
Select the required discovered items and select Action on selected rows.
From the list, select Reapply CI lookup rules.

주:
You can skip the reapplication of lookup rules on discovered items with the substate ‘CI Decommissioned’ by enabling the system property sn_sec_cmn.skipItemsWithCIDecommissioned.

The rules are reapplied on these discovered items.
Select View status in the message.

The status displays on the background job form.

주:
In the Notes field, the Discovered items could not be process due to exception attribute with a non-zero value indicates that there’s an error or exception while reapplying a look-up rule. Check the system logs for more details.
Reapply only applies to items scanned within the last 90 days based on the last_scan_date, last_comp_scan_date, non_infra_last_scan_date, non_infra_last_comp_scan_date column.
Added ci_lifecycle_status_source (scope = sn_sec_cmn) system property for configuring CI lifecycle status columns (for example, Install Status, Operational Status). You can configure additional columns for retiring CIs.
Columns are added to the background job list view:
- Elapsed Time(ms): The time required for processing the background job.
- Items Processed: The number of items processed until now.
- Total Items to be Processed: The total number of items remaining to be processed.
- Time Until Completion(ms): The time remaining until the background job is processed. These columns provide visibility into job progress. These columns are available for each form view for you to add according to requirement.