Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Steps to Help Prevent Duplicate or Orphaned Records After Running Vulnerability Response CI Lookup Rules

    This guide provides essential steps for ServiceNow customers to prevent duplicate or orphaned records after executing Vulnerability Response Configuration Item (CI) lookup rules. Proper management of vulnerability data is crucial to maintain system performance and accurate CI matching within the Configuration Management Database (CMDB).

    Show full answer Show less

    Key Features

    • Testing with Small Data Subsets: Use small, specific subsets for testing CI Lookup Rules to minimize processing strain.
    • Activating CI Lookup Rules: Set all CI Lookup Rules, except the one being tested, to inactive to focus on specific behavior.
    • Matched and Unmatched CI Review: Analyze matched and unmatched CIs to ensure appropriate matching and identify any naming or field issues.
    • Removing Test Data: Once expected behavior is observed, delete test data and rerun CI matching rules.
    • Data Deletion Methods: Utilize specific methods for deleting data from tables, ensuring expertise is applied to avoid errors.

    Key Outcomes

    By following these steps, customers can achieve effective CI matching, reduce the risk of performance issues, and maintain a clean and accurate CMDB. This proactive approach ensures better vulnerability management and enhances overall system efficiency.

    Take steps to help prevent duplicate or orphan records resulting from matching (configuration items (CIs) within the CMDB.

    Importing vulnerability data can be taxing on an instance and performance issues with resources can occur if rules are not carefully constructed. The logic used to iterate through and perform matching within the CMDB can result in lengthy processing times. Thorough testing and debugging of processing scripts in the rules helps alleviate the potential of issues later in the process.

    Preventing duplicate or orphaned records

    • Use small subsets of data that are specific to the CI Lookup Rule being tested.
      • Set all CI Lookup Rules, other than the one being tested, to Inactive.
      • Analyze the imported CIs to ensure that you are observing the expected behavior and matching is occurring properly.
    • Review Matched CIs
      • Examine the count of matched vs unmatched CIs. Ensure that the percentage is acceptable. Don’t just look at the first page, that is likely the first one inserted.
      • Manually search for some CIs.
      • Check to see if there are any naming or field problems (such as searching for a specific domain).

        If it seems appropriate, add additional matching rules.

    • Review Unmatched CIs
      • Navigate to the Unmatched CIs table.
      • Group by Configuration Item class.
      • Review any classes that don’t look right (certificates, network cards, images).
        • Figure out why didn’t they match the correct CI?
        • Should the class be excluded?
        • Should the class be elevated to a related class?
    • Review CI states such as Retired.
    • Remove Test Data
      • Once you begin to observe the correct or expected behavior in CI matching, start over.
      • Start over by: Deleting the data used for testing: (see the Deleting data from tables section)
        • Discovered Items
        • Vulnerable Items
        • Remediation tasks
      • Manually rerunning all the CI Matching rules.

    For more information on CI Lookup Rules and Qualys, see the KB0750656 article.

    For more information on CI Lookup Rules and Rapid7, see the KB0818096.

    Deleting data from tables

    Sometimes you have imported data and realize something is wrong. If something is wrong in a development or performance environment, you could reclone from a better environment, but that isn’t always an option.
    Note:
    Performing these actions requires ServiceNow expertise.
    There are four options for deleting data from tables:
    • Using Delete All Records on Table Configuration.
    • Configure the Table Cleaner by navigating to Auto Flushes (sys_auto_flush.list) and creating a new Auto-flush record.
    • Truncate the gs.truncateTable using a background script.

      Using truncateTable requires turning off the record for rollback check box in the background scripts. Otherwise, a copy of the table and related cascade tables are created, take too long, and most likely fail.

      Note:
      Never use truncateTable in a production environment. Consult you Support representative before executing large deletions in production or shared environments.